From af42925709b8cd1512fea9e4c532fb22ada45fe3 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Fri, 20 Mar 2020 14:33:53 +0100

Subject: [PATCH 1/4] Rules for /etc/hosts.allow permissions and owner

---

 .../file_groupowner_etc_hosts_allow/rule.yml  | 34 +++++++++++++++++++

 .../file_owner_etc_hosts_allow/rule.yml       | 34 +++++++++++++++++++

 .../file_permissions_etc_hosts_allow/rule.yml | 34 +++++++++++++++++++

 rhel7/profiles/cis.profile                    |  4 +++

 shared/references/cce-redhat-avail.txt        |  6 ----

 5 files changed, 106 insertions(+), 6 deletions(-)

 create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml

 create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml

 create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml

new file mode 100644

index 0000000000..7d43f93c42

--- /dev/null

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml

@@ -0,0 +1,34 @@

+documentation_complete: true

+

+prodtype: ol7,rhel6,rhel7

+

+title: 'Verify Group Who Owns /etc/hosts.allow'

+

+description: |-

+    {{{ describe_file_group_owner(file="/etc/hosts.allow", group="root") }}}

+

+rationale: |-

+    The <tt>/etc/hosts.allow</tt> file is used to control access of clients to daemons in the

+    server. Insecure groupownership of this file could allow users to grant clients unrestricted

+    access or no access at all to services in the server.

+

+severity: medium

+

+identifiers:

+    cce@rhel7: 83823-5

+    cce@rhel8: 83824-3

+

+references:

+    cis@rhel7: 3.4.4

+

+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/hosts.allow", group="root") }}}'

+

+ocil: |-

+    {{{ ocil_file_group_owner(file="/etc/hosts.allow", group="root") }}}

+

+template:

+    name: file_groupowner

+    vars:

+        filepath: /etc/hosts.allow

+        filegid: '0'

+        missing_file_pass: 'true'

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml

new file mode 100644

index 0000000000..a301406b45

--- /dev/null

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml

@@ -0,0 +1,34 @@

+documentation_complete: true

+

+prodtype: ol7,rhel6,rhel7

+

+title: 'Verify User Who Owns /etc/hosts.allow'

+

+description: |-

+    {{{ describe_file_owner(file="/etc/hosts.allow", owner="root") }}}

+

+rationale: |-

+    The <tt>/etc/hosts.allow</tt> file is used to control access of clients to daemons in the

+    server. Insecure groupownership of this file could allow users to grant clients unrestricted

+    access or no access at all to services in the server.

+

+severity: medium

+

+identifiers:

+    cce@rhel7: 83825-0

+    cce@rhel8: 83826-8

+

+references:

+    cis@rhel7: 3.4.4

+

+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/hosts.allow", owner="root") }}}'

+

+ocil: |-

+    {{{ ocil_file_owner(file="/etc/hosts.allow", owner="root") }}}

+

+template:

+    name: file_owner

+    vars:

+        filepath: /etc/hosts.allow

+        fileuid: '0'

+        missing_file_pass: 'true'

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml

new file mode 100644

index 0000000000..0a35cbf57e

--- /dev/null

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml

@@ -0,0 +1,34 @@

+documentation_complete: true

+

+prodtype: ol7,rhel6,rhel7

+

+title: 'Verify Permissions on /etc/hosts.allow'

+

+description: |-

+    {{{ describe_file_permissions(file="/etc/hosts.allow", perms="0644") }}}

+

+rationale: |-

+    The <tt>/etc/hosts.allow</tt> file is used to control access of clients to daemons in the

+    server. Insecure groupownership of this file could allow users to grant clients unrestricted

+    access or no access at all to services in the server.

+

+severity: medium

+

+identifiers:

+    cce@rhel7: 83827-6

+    cce@rhel8: 83828-4

+

+references:

+    cis@rhel7: 3.4.4

+

+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/hosts.allow", perms="-rw-r--r--") }}}'

+

+ocil: |-

+    {{{ ocil_file_permissions(file="/etc/hosts.allow", perms="-rw-r--r--") }}}

+

+template:

+    name: file_permissions

+    vars:

+        filepath: /etc/hosts.allow

+        filemode: '0644'

+        missing_file_pass: 'true'

diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile

index 486fcf9a33..e50d8ddb43 100644

--- a/rhel7/profiles/cis.profile

+++ b/rhel7/profiles/cis.profile

@@ -353,6 +353,10 @@ selections:

     - configure_etc_hosts_deny

     ### 3.4.4 Ensure permissions on /etc/hosts.allow are configured (Scored)

+    - file_owner_etc_hosts_allow

+    - file_groupowner_etc_hosts_allow

+    - file_permissions_etc_hosts_allow

+

     ### 3.4.5 Ensure permissions on /etc/hosts.deny are configured (Scored)

     ## 3.5 Uncommon Network Protocols

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt

index a0b117a964..e67f56f9aa 100644

--- a/shared/references/cce-redhat-avail.txt

+++ b/shared/references/cce-redhat-avail.txt

@@ -528,12 +528,6 @@ CCE-83819-3

 CCE-83820-1

 CCE-83821-9

 CCE-83822-7

-CCE-83823-5

-CCE-83824-3

-CCE-83825-0

-CCE-83826-8

-CCE-83827-6

-CCE-83828-4

 CCE-83829-2

 CCE-83830-0

 CCE-83831-8

From 0f43573a6c193e70e1ff02f92a0c2bf9957d2e1c Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Fri, 20 Mar 2020 15:01:58 +0100

Subject: [PATCH 2/4] Rules for /etc/hosts.deny permissions and owner

---

 .../file_groupowner_etc_hosts_deny/rule.yml   | 34 +++++++++++++++++++

 .../file_owner_etc_hosts_deny/rule.yml        | 34 +++++++++++++++++++

 .../file_permissions_etc_hosts_deny/rule.yml  | 34 +++++++++++++++++++

 rhel7/profiles/cis.profile                    |  3 ++

 shared/references/cce-redhat-avail.txt        |  6 ----

 5 files changed, 105 insertions(+), 6 deletions(-)

 create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml

 create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml

 create mode 100644 linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml

new file mode 100644

index 0000000000..db3105eb71

--- /dev/null

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml

@@ -0,0 +1,34 @@

+documentation_complete: true

+

+prodtype: ol7,rhel6,rhel7

+

+title: 'Verify Group Who Owns /etc/hosts.deny'

+

+description: |-

+    {{{ describe_file_group_owner(file="/etc/hosts.deny", group="root") }}}

+

+rationale: |-

+    The <tt>/etc/hosts.deny</tt> file is used to control access of clients to daemons in the

+    server. Insecure groupownership of this file could allow users to grant clients unrestricted

+    access or no access at all to services in the server.

+

+severity: medium

+

+identifiers:

+    cce@rhel7: 84030-6

+    cce@rhel8: 84031-4

+

+references:

+    cis@rhel7: 3.4.4

+

+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/hosts.deny", group="root") }}}'

+

+ocil: |-

+    {{{ ocil_file_group_owner(file="/etc/hosts.deny", group="root") }}}

+

+template:

+    name: file_groupowner

+    vars:

+        filepath: /etc/hosts.deny

+        filegid: '0'

+        missing_file_pass: 'true'

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml

new file mode 100644

index 0000000000..75380c7311

--- /dev/null

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml

@@ -0,0 +1,34 @@

+documentation_complete: true

+

+prodtype: ol7,rhel6,rhel7

+

+title: 'Verify User Who Owns /etc/hosts.deny'

+

+description: |-

+    {{{ describe_file_owner(file="/etc/hosts.deny", owner="root") }}}

+

+rationale: |-

+    The <tt>/etc/hosts.deny</tt> file is used to control access of clients to daemons in the

+    server. Insecure groupownership of this file could allow users to grant clients unrestricted

+    access or no access at all to services in the server.

+

+severity: medium

+

+identifiers:

+    cce@rhel7: 84032-2

+    cce@rhel8: 84033-0

+

+references:

+    cis@rhel7: 3.4.5

+

+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/hosts.deny", owner="root") }}}'

+

+ocil: |-

+    {{{ ocil_file_owner(file="/etc/hosts.deny", owner="root") }}}

+

+template:

+    name: file_owner

+    vars:

+        filepath: /etc/hosts.deny

+        fileuid: '0'

+        missing_file_pass: 'true'

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml

new file mode 100644

index 0000000000..ea73fe48cd

--- /dev/null

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml

@@ -0,0 +1,34 @@

+documentation_complete: true

+

+prodtype: ol7,rhel6,rhel7

+

+title: 'Verify Permissions on /etc/hosts.deny'

+

+description: |-

+    {{{ describe_file_permissions(file="/etc/hosts.deny", perms="0644") }}}

+

+rationale: |-

+    The <tt>/etc/hosts.deny</tt> file is used to control access of clients to daemons in the

+    server. Insecure groupownership of this file could allow users to grant clients unrestricted

+    access or no access at all to services in the server.

+

+severity: medium

+

+identifiers:

+    cce@rhel7: 84034-8

+    cce@rhel8: 84035-5

+

+references:

+    cis@rhel7: 3.4.5

+

+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/hosts.deny", perms="-rw-r--r--") }}}'

+

+ocil: |-

+    {{{ ocil_file_permissions(file="/etc/hosts.deny", perms="-rw-r--r--") }}}

+

+template:

+    name: file_permissions

+    vars:

+        filepath: /etc/hosts.deny

+        filemode: '0644'

+        missing_file_pass: 'true'

diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile

index e50d8ddb43..5ac119768f 100644

--- a/rhel7/profiles/cis.profile

+++ b/rhel7/profiles/cis.profile

@@ -358,6 +358,9 @@ selections:

     - file_permissions_etc_hosts_allow

     ### 3.4.5 Ensure permissions on /etc/hosts.deny are configured (Scored)

+    - file_owner_etc_hosts_deny

+    - file_groupowner_etc_hosts_deny

+    - file_permissions_etc_hosts_deny

     ## 3.5 Uncommon Network Protocols

     ### 3.5.1 Ensure DCCP is disabled (Not Scored)

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt

index e67f56f9aa..bb234a3131 100644

--- a/shared/references/cce-redhat-avail.txt

+++ b/shared/references/cce-redhat-avail.txt

@@ -729,12 +729,6 @@ CCE-84026-4

 CCE-84027-2

 CCE-84028-0

 CCE-84029-8

-CCE-84030-6

-CCE-84031-4

-CCE-84032-2

-CCE-84033-0

-CCE-84034-8

-CCE-84035-5

 CCE-84036-3

 CCE-84037-1

 CCE-84038-9

From d53500477288c69027127257802bb42355ca7848 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Fri, 20 Mar 2020 16:08:57 +0100

Subject: [PATCH 3/4] Fix cce assignmetns and references

Rules for /etc/hosts.allow and /etc/hosts.deny apply to rhel6 and rhel7

---

 .../file_groupowner_etc_hosts_allow/rule.yml                | 4 ++--

 .../file_groupowner_etc_hosts_deny/rule.yml                 | 6 +++---

 .../inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml    | 4 ++--

 .../inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml     | 4 ++--

 .../file_permissions_etc_hosts_allow/rule.yml               | 4 ++--

 .../file_permissions_etc_hosts_deny/rule.yml                | 4 ++--

 6 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml

index 7d43f93c42..aa531e6ace 100644

--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml

@@ -15,8 +15,8 @@ rationale: |-

 severity: medium

 identifiers:

-    cce@rhel7: 83823-5

-    cce@rhel8: 83824-3

+    cce@rhel6: 83823-5

+    cce@rhel7: 83824-3

 references:

     cis@rhel7: 3.4.4

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml

index db3105eb71..fa024f1c27 100644

--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml

@@ -15,11 +15,11 @@ rationale: |-

 severity: medium

 identifiers:

-    cce@rhel7: 84030-6

-    cce@rhel8: 84031-4

+    cce@rhel6: 84030-6

+    cce@rhel7: 84031-4

 references:

-    cis@rhel7: 3.4.4

+    cis@rhel7: 3.4.5

 ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/hosts.deny", group="root") }}}'

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml

index a301406b45..80d5630c48 100644

--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml

@@ -15,8 +15,8 @@ rationale: |-

 severity: medium

 identifiers:

-    cce@rhel7: 83825-0

-    cce@rhel8: 83826-8

+    cce@rhel6: 83825-0

+    cce@rhel7: 83826-0

 references:

     cis@rhel7: 3.4.4

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml

index 75380c7311..2fc5f74355 100644

--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml

@@ -15,8 +15,8 @@ rationale: |-

 severity: medium

 identifiers:

-    cce@rhel7: 84032-2

-    cce@rhel8: 84033-0

+    cce@rhel6: 84032-2

+    cce@rhel7: 84033-0

 references:

     cis@rhel7: 3.4.5

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml

index 0a35cbf57e..dc1560852a 100644

--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_allow/rule.yml

@@ -15,8 +15,8 @@ rationale: |-

 severity: medium

 identifiers:

-    cce@rhel7: 83827-6

-    cce@rhel8: 83828-4

+    cce@rhel6: 83827-6

+    cce@rhel7: 83828-4

 references:

     cis@rhel7: 3.4.4

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml

index ea73fe48cd..da806139ec 100644

--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_permissions_etc_hosts_deny/rule.yml

@@ -15,8 +15,8 @@ rationale: |-

 severity: medium

 identifiers:

-    cce@rhel7: 84034-8

-    cce@rhel8: 84035-5

+    cce@rhel6: 84034-8

+    cce@rhel7: 84035-5

 references:

     cis@rhel7: 3.4.5

From b7dc44d2feb734ed89736d1dea813b051e83cfb7 Mon Sep 17 00:00:00 2001

From: Watson Sato <wsato@redhat.com>

Date: Mon, 23 Mar 2020 14:18:24 +0100

Subject: [PATCH 4/4] Rewrite title of ownership rules

Rewrite title of rules for ownerhip and group ownership of of

/etc/hosts.allow and /etc/hosts.deny

---

 .../inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml   | 2 +-

 .../inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml    | 2 +-

 .../inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml        | 2 +-

 .../inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml         | 2 +-

 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml

index aa531e6ace..cee37ed9c6 100644

--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_allow/rule.yml

@@ -2,7 +2,7 @@ documentation_complete: true

 prodtype: ol7,rhel6,rhel7

-title: 'Verify Group Who Owns /etc/hosts.allow'

+title: 'Verify Group Ownership of /etc/hosts.allow'

 description: |-

     {{{ describe_file_group_owner(file="/etc/hosts.allow", group="root") }}}

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml

index fa024f1c27..403e99908b 100644

--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_groupowner_etc_hosts_deny/rule.yml

@@ -2,7 +2,7 @@ documentation_complete: true

 prodtype: ol7,rhel6,rhel7

-title: 'Verify Group Who Owns /etc/hosts.deny'

+title: 'Verify Group Ownership of /etc/hosts.deny'

 description: |-

     {{{ describe_file_group_owner(file="/etc/hosts.deny", group="root") }}}

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml

index 80d5630c48..b34be48968 100644

--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_allow/rule.yml

@@ -2,7 +2,7 @@ documentation_complete: true

 prodtype: ol7,rhel6,rhel7

-title: 'Verify User Who Owns /etc/hosts.allow'

+title: 'Verify Ownership of /etc/hosts.allow'

 description: |-

     {{{ describe_file_owner(file="/etc/hosts.allow", owner="root") }}}

diff --git a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml

index 2fc5f74355..e53ee5bc12 100644

--- a/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml

+++ b/linux_os/guide/services/obsolete/inetd_and_xinetd/file_owner_etc_hosts_deny/rule.yml

@@ -2,7 +2,7 @@ documentation_complete: true

 prodtype: ol7,rhel6,rhel7

-title: 'Verify User Who Owns /etc/hosts.deny'

+title: 'Verify Ownership of /etc/hosts.deny'

 description: |-

     {{{ describe_file_owner(file="/etc/hosts.deny", owner="root") }}}