From f657a1b61509c591a9b1c031865b520bd2c8bbbe Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 19 Mar 2020 15:23:05 +0100
Subject: [PATCH 1/8] Add rules for /etc/passwd- permissions and owner
---
.../rule.yml | 31 +++++++++++++++++
.../file_owner_backup_etc_passwd/rule.yml | 31 +++++++++++++++++
.../rule.yml | 33 +++++++++++++++++++
4 files changed, 95 insertions(+), 6 deletions(-)
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
new file mode 100644
index 0000000000..b4ece4eda7
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns Backup passwd File'
+
+description: '{{{ describe_file_group_owner(file="/etc/passwd-", group="root") }}}'
+
+rationale: |-
+ The <tt>/etc/passwd-</tt> file is a backup file of the <tt>/etc/passwd</tt> file and as such
+ it also contains information about the users that are configured on the system.
+ Protection of this file is critical for system security.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83323-6
+ cce@rhel8: 83324-4
+
+references:
+ cis@rhel7: 6.1.6
+ cis@rhel8: 6.1.6
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/passwd-", group="root") }}}'
+
+ocil: '{{{ ocil_file_group_owner(file="/etc/passwd-", group="root") }}}'
+
+template:
+ name: file_groupowner
+ vars:
+ filepath: /etc/passwd-
+ filegid: '0'
+ missing_file_pass: 'true'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
new file mode 100644
index 0000000000..28ceaf57e2
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+title: 'Verify User Who Owns Backup passwd File'
+
+description: '{{{ describe_file_owner(file="/etc/passwd-", owner="root") }}}'
+
+rationale: |-
+ The <tt>/etc/passwd-</tt> file is a backup file of the <tt>/etc/passwd</tt> file and as such
+ it also contains information about the users that are configured on the system.
+ Protection of this file is critical for system security.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83325-1
+ cce@rhel8: 83326-9
+
+references:
+ cis@rhel7: 6.1.6
+ cis@rhel8: 6.1.6
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/passwd-", owner="root") }}}'
+
+ocil: '{{{ ocil_file_owner(file="/etc/passwd-", owner="root") }}}'
+
+template:
+ name: file_owner
+ vars:
+ filepath: /etc/passwd-
+ fileuid: '0'
+ missing_file_pass: 'true'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
new file mode 100644
index 0000000000..3620e8d0d8
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+title: 'Verify Permissions on Backup passwd File'
+
+description: |-
+ {{{ describe_file_permissions(file="/etc/passwd-", perms="0600") }}}
+
+rationale: |-
+ The <tt>/etc/passwd-</tt> file is a backup file of the <tt>/etc/passwd</tt> file and as such
+ it also contains information about the users that are configured on the system.
+ Protection of this file is critical for system security.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83331-9
+ cce@rhel8: 83332-7
+
+references:
+ cis@rhel7: 6.1.6
+ cis@rhel8: 6.1.6
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/passwd-", perms="-rw-------") }}}'
+
+ocil: |-
+ {{{ ocil_file_permissions(file="/etc/passwd-", perms="-rw-------") }}}
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /etc/passwd-
+ filemode: '0600'
+ missing_file_pass: 'true'
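Review bot: The `description:` and `ocil:` values in this rule are written as `|-` block scalars wrapping a single Jinja macro call, while the owner and group-owner rules in this same patch (and `ocil_clause:` in this very file) write the identical construct as a single-quoted inline scalar. Both forms render to the same string, but mixing them across a set of rule files that are otherwise near-copies of each other makes later bulk edits (like the rationale rewording in patch 6) easier to get wrong; the same split recurs in the permissions rules of patches 2, 3 and 4. Prefer one form, and the inline one is already the majority here: `description: '{{{ describe_file_permissions(file="/etc/passwd-", perms="0600") }}}'` and `ocil: '{{{ ocil_file_permissions(file="/etc/passwd-", perms="-rw-------") }}}'`.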
From 5e641c50c9cb21cc664f2b6fe2ea820b96d3bde4 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 19 Mar 2020 15:44:25 +0100
Subject: [PATCH 2/8] Add rules for /etc/shadow- permissions and owner
---
.../rule.yml | 37 ++++++++++++++++++
.../file_owner_backup_etc_shadow/rule.yml | 31 +++++++++++++++
.../rule.yml | 39 +++++++++++++++++++
4 files changed, 107 insertions(+), 6 deletions(-)
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
new file mode 100644
index 0000000000..6f4744e6cc
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
@@ -0,0 +1,37 @@
+documentation_complete: true
+
+title: 'Verify User Who Owns Backup shadow File'
+
+description: '{{{ describe_file_group_owner(file="/etc/shadow-", group="root") }}}'
+
+rationale: |-
+ The <tt>/etc/shadow-</tt> file is a backup file of the <tt>/etc/shadow</tt> file, and as such
+ it also contains the list of local system accounts and password hashes.
+ Protection of this file is critical for system security.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83414-3
+ cce@rhel8: 83415-0
+
+references:
+ cis@rhel7: 6.1.7
+ cis@rhel8: 6.1.7
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/shadow-", group="root") }}}'
+
+ocil: '{{{ ocil_file_group_owner(file="/etc/shadow-", group="root") }}}'
+
+template:
+ name: file_groupowner
+ vars:
+ filepath: /etc/shadow-
+ filegid: '0'
+ filegid@debian8: '42'
+ filegid@debian9: '42'
+ filegid@debian10: '42'
+ filegid@ubuntu1404: '42'
+ filegid@ubuntu1604: '42'
+ filegid@ubuntu1804: '42'
+ missing_file_pass: 'true'
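Review bot: The `title:` of this hunk reads `Verify User Who Owns Backup shadow File` although the rule is the group-owner check (template `file_groupowner`, variable `filegid`), and the sibling file_owner_backup_etc_shadow rule in the next hunk carries `Verify Group Who Owns Backup shadow File`; the two titles are swapped. The passwd pair in patch 1 shows the intended mapping: group-owner rule → "Verify Group Who Owns …", owner rule → "Verify User Who Owns …". The context lines of the rationale hunks in patch 6 show both titles still swapped after that commit, so the mix-up survives the series as far as it is visible here. Change this line to `title: 'Verify Group Who Owns Backup shadow File'` and the owner rule's to `title: 'Verify User Who Owns Backup shadow File'`.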
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
new file mode 100644
index 0000000000..2b5a17d6bf
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns Backup shadow File'
+
+description: '{{{ describe_file_owner(file="/etc/shadow-", owner="root") }}}'
+
+rationale: |-
+ The <tt>/etc/shadow-</tt> file is a backup file of the <tt>/etc/shadow</tt> file, and as such
+ it also contains the list of local system accounts and password hashes.
+ Protection of this file is critical for system security.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83412-7
+ cce@rhel8: 83413-5
+
+references:
+ cis@rhel7: 6.1.7
+ cis@rhel8: 6.1.7
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/shadow-", owner="root") }}}'
+
+ocil: '{{{ ocil_file_owner(file="/etc/shadow-", owner="root") }}}'
+
+template:
+ name: file_owner
+ vars:
+ filepath: /etc/shadow-
+ fileuid: '0'
+ missing_file_pass: 'true'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
new file mode 100644
index 0000000000..6090201c11
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
@@ -0,0 +1,39 @@
+documentation_complete: true
+
+title: 'Verify Permissions on Backup shadow File'
+
+description: |-
+ {{{ describe_file_permissions(file="/etc/shadow-", perms="0000") }}}
+
+rationale: |-
+ The <tt>/etc/shadow-</tt> file is a backup file of the <tt>/etc/shadow</tt> file, and as such
+ it also contains the list of local system accounts and password hashes.
+ Protection of this file is critical for system security.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83416-8
+ cce@rhel8: 83417-6
+
+references:
+ cis@rhel7: 6.1.7
+ cis@rhel8: 6.1.7
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/shadow-", perms="----------") }}}'
+
+ocil: |-
+ {{{ ocil_file_permissions(file="/etc/shadow-", perms="----------") }}}
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /etc/shadow-
+ filemode: '0000'
+ filemode@debian8: '0640'
+ filemode@debian9: '0640'
+ filemode@debian10: '0640'
+ filemode@ubuntu1404: '0640'
+ filemode@ubuntu1604: '0640'
+ filemode@ubuntu1804: '0640'
+ missing_file_pass: 'true'
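Review bot: The `description`, `ocil_clause` and `ocil` in this rule hardcode `0000` / `----------`, but the template vars override `filemode` to `'0640'` for debian8–debian10 and ubuntu1404–ubuntu1804, so on those products the generated check expects 0640 while the rendered prose and the manual check instruct the assessor to expect a file with no permission bits at all, and a correctly configured Debian host would be marked as failing the manual step. The same mismatch is in file_permissions_backup_etc_gshadow (patch 4), whose description and OCIL also say 0000 against per-product 0640 overrides. Patch 7 introduces a product-conditional `{{% set target_group=... %}}` for the group owner; unless patches 5 and 8 (not on this page) do the equivalent for the mode, the two permissions rules need the same treatment, roughly as below, keeping the symbolic form used by the OCIL macros in step with the octal one.
```yaml
{{% if "ubuntu" in product or "debian" in product %}}
  {{% set target_perms="0640" %}}
  {{% set target_perms_symbolic="-rw-r-----" %}}
{{% else %}}
  {{% set target_perms="0000" %}}
  {{% set target_perms_symbolic="----------" %}}
{{% endif %}}

description: |-
  {{{ describe_file_permissions(file="/etc/shadow-", perms=target_perms) }}}

# … unchanged: rationale, severity, identifiers, references …

ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/shadow-", perms=target_perms_symbolic) }}}'

ocil: |-
  {{{ ocil_file_permissions(file="/etc/shadow-", perms=target_perms_symbolic) }}}

# … unchanged: template block with filemode and per-product overrides …
```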
From 9f206c3dede1f1fe41288559f8b465dcfe252b9e Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 19 Mar 2020 16:07:26 +0100
Subject: [PATCH 3/8] Add rules for /etc/group- permissions and owner
---
.../file_groupowner_backup_etc_group/rule.yml | 31 +++++++++++++++++
.../file_owner_backup_etc_group/rule.yml | 31 +++++++++++++++++
.../rule.yml | 33 +++++++++++++++++++
4 files changed, 95 insertions(+), 6 deletions(-)
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
new file mode 100644
index 0000000000..6663d25ee6
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns Backup group File'
+
+description: '{{{ describe_file_group_owner(file="/etc/group-", group="root") }}}'
+
+rationale: |-
+ The <tt>/etc/group-</tt> file is a backup file of the <tt>/etc/group</tt>, and as such
+ it also contains information regarding groups that are configured on the system.
+ Protection of this file is important for system security.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83474-7
+ cce@rhel8: 83475-4
+
+references:
+ cis@rhel7: 6.1.8
+ cis@rhel8: 6.1.8
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/group-", group="root") }}}'
+
+ocil: '{{{ ocil_file_group_owner(file="/etc/group", group="root") }}}'
+
+template:
+ name: file_groupowner
+ vars:
+ filepath: /etc/group-
+ filegid: '0'
+ missing_file_pass: 'true'
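Review bot: The `ocil:` line names the wrong file: it calls `ocil_file_group_owner(file="/etc/group", group="root")` while every other field in this rule, including `ocil_clause` directly above it and `filepath` in the template vars, names `/etc/group-`. The rendered manual-check text would send the assessor to inspect the live `/etc/group` instead of the backup, so a wrong group owner on `/etc/group-` could pass a manual review even though the automated check would flag it. Change it to `ocil: '{{{ ocil_file_group_owner(file="/etc/group-", group="root") }}}'`.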
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
new file mode 100644
index 0000000000..43f508a788
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+title: 'Verify User Who Owns Backup group File'
+
+description: '{{{ describe_file_owner(file="/etc/group-", owner="root") }}}'
+
+rationale: |-
+ The <tt>/etc/group-</tt> file is a backup file of the <tt>/etc/group</tt>, and as such
+ it also contains information regarding groups that are configured on the system.
+ Protection of this file is important for system security.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83472-1
+ cce@rhel8: 83473-9
+
+references:
+ cis@rhel7: 6.1.8
+ cis@rhel8: 6.1.8
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/group-", owner="root") }}}'
+
+ocil: '{{{ ocil_file_owner(file="/etc/group-", owner="root") }}}'
+
+template:
+ name: file_owner
+ vars:
+ filepath: /etc/group-
+ fileuid: '0'
+ missing_file_pass: 'true'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
new file mode 100644
index 0000000000..d8e4ed220b
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
@@ -0,0 +1,33 @@
+documentation_complete: true
+
+title: 'Verify Permissions on Backup group File'
+
+description: |-
+ {{{ describe_file_permissions(file="/etc/group-", perms="0644") }}}
+
+rationale: |-
+ The <tt>/etc/group-</tt> file is a backup file of the <tt>/etc/group</tt>, and as such
+ it also contains information regarding groups that are configured on the system.
+ Protection of this file is important for system security.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83482-0
+ cce@rhel8: 83483-8
+
+references:
+ cis@rhel7: 6.1.8
+ cis@rhel8: 6.1.8
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/group-", perms="-rw-r--r--") }}}'
+
+ocil: |-
+ {{{ ocil_file_permissions(file="/etc/passwd", perms="-rw-r--r--") }}}
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /etc/group-
+ filemode: '0644'
+ missing_file_pass: 'true'
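Review bot: The `ocil:` block names the wrong file: it calls `ocil_file_permissions(file="/etc/passwd", perms="-rw-r--r--")` although this rule is about `/etc/group-`, which is what `description`, `ocil_clause` and `filepath` all use. The manual check rendered from this would describe `/etc/passwd` permissions in a rule about the group backup file, which is misleading for the assessor and inconsistent with the automated check. Change it to `{{{ ocil_file_permissions(file="/etc/group-", perms="-rw-r--r--") }}}`.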
From 8be59a951380245f9c163731d40a0fdbbddb2ccd Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 19 Mar 2020 16:18:25 +0100
Subject: [PATCH 4/8] Add rules for /etc/gshadow- permissions and owner
---
.../rule.yml | 36 ++++++++++++++++++
.../file_owner_backup_etc_gshadow/rule.yml | 30 +++++++++++++++
.../rule.yml | 38 +++++++++++++++++++
4 files changed, 104 insertions(+), 6 deletions(-)
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
new file mode 100644
index 0000000000..d27abdad03
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns Backup gshadow File'
+
+description: '{{{ describe_file_group_owner(file="/etc/gshadow-", group="root") }}}'
+
+rationale: |-
+ The <tt>/etc/gshadow-</tt> file is a backup of the <tt>/etc/gshadow</tt>, and as such it
+ contains group password hashes. Protection of this file is critical for system security.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83534-8
+ cce@rhel8: 83535-5
+
+references:
+ cis@rhel7: 6.1.9
+ cis@rhel8: 6.1.9
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/gshadow-", group="root") }}}'
+
+ocil: '{{{ ocil_file_group_owner(file="/etc/gshadow-", group="root") }}}'
+
+template:
+ name: file_groupowner
+ vars:
+ filepath: /etc/gshadow-
+ filegid: '0'
+ filegid@debian8: '42'
+ filegid@debian9: '42'
+ filegid@debian10: '42'
+ filegid@ubuntu1404: '42'
+ filegid@ubuntu1604: '42'
+ filegid@ubuntu1804: '42'
+ missing_file_pass: 'true'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
new file mode 100644
index 0000000000..a840f6ef55
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
@@ -0,0 +1,30 @@
+documentation_complete: true
+
+title: 'Verify User Who Owns Backup gshadow File'
+
+description: '{{{ describe_file_owner(file="/etc/gshadow-", owner="root") }}}'
+
+rationale: |-
+ The <tt>/etc/gshadow-</tt> file is a backup of the <tt>/etc/gshadow</tt>, and as such it
+ contains group password hashes. Protection of this file is critical for system security.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83532-2
+ cce@rhel8: 83533-0
+
+references:
+ cis@rhel7: 6.1.9
+ cis@rhel8: 6.1.9
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/gshadow-", owner="root") }}}'
+
+ocil: '{{{ ocil_file_owner(file="/etc/gshadow-", owner="root") }}}'
+
+template:
+ name: file_owner
+ vars:
+ filepath: /etc/gshadow-
+ fileuid: '0'
+ missing_file_pass: 'true'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
new file mode 100644
index 0000000000..29c9556298
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: 'Verify Permissions on Backup gshadow File'
+
+description: |-
+ {{{ describe_file_permissions(file="/etc/gshadow-", perms="0000") }}}
+
+rationale: |-
+ The <tt>/etc/gshadow-</tt> file is a backup of the <tt>/etc/gshadow</tt>, and as such it
+ contains group password hashes. Protection of this file is critical for system security.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83572-8
+ cce@rhel8: 83573-6
+
+references:
+ cis@rhel7: 6.1.9
+ cis@rhel8: 6.1.9
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/gshadow-", perms="----------") }}}'
+
+ocil: |-
+ {{{ ocil_file_permissions(file="/etc/gshadow-", perms="----------") }}}
+
+template:
+ name: file_permissions
+ vars:
+ filepath: /etc/gshadow-
+ filemode: '0000'
+ filemode@debian8: '0640'
+ filemode@debian9: '0640'
+ filemode@debian10: '0640'
+ filemode@ubuntu1404: '0640'
+ filemode@ubuntu1604: '0640'
+ filemode@ubuntu1804: '0640'
+ missing_file_pass: 'true'
From 7957bfd07621000047e0784a717ffc0e3e0cf769 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Thu, 19 Mar 2020 17:28:03 +0100
Subject: [PATCH 6/8] Fix language and inconsistencies in rationale
---
.../file_groupowner_backup_etc_group/rule.yml | 4 ++--
.../file_groupowner_backup_etc_gshadow/rule.yml | 4 ++--
.../file_groupowner_backup_etc_passwd/rule.yml | 4 ++--
.../file_groupowner_backup_etc_shadow/rule.yml | 4 ++--
.../file_owner_backup_etc_group/rule.yml | 4 ++--
.../file_owner_backup_etc_gshadow/rule.yml | 4 ++--
.../file_owner_backup_etc_passwd/rule.yml | 4 ++--
.../file_owner_backup_etc_shadow/rule.yml | 4 ++--
.../file_permissions_backup_etc_group/rule.yml | 4 ++--
.../file_permissions_backup_etc_gshadow/rule.yml | 4 ++--
.../file_permissions_backup_etc_passwd/rule.yml | 4 ++--
.../file_permissions_backup_etc_shadow/rule.yml | 4 ++--
12 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
index 6663d25ee6..00bbfd8615 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_group/rule.yml
@@ -5,8 +5,8 @@ title: 'Verify Group Who Owns Backup group File'
description: '{{{ describe_file_group_owner(file="/etc/group-", group="root") }}}'
rationale: |-
- The <tt>/etc/group-</tt> file is a backup file of the <tt>/etc/group</tt>, and as such
- it also contains information regarding groups that are configured on the system.
+ The <tt>/etc/group-</tt> file is a backup file of <tt>/etc/group</tt>, and as such,
+ it contains information regarding groups that are configured on the system.
Protection of this file is important for system security.
severity: medium
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
index d27abdad03..fcd4dfc0cb 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
@@ -5,8 +5,8 @@ title: 'Verify Group Who Owns Backup gshadow File'
description: '{{{ describe_file_group_owner(file="/etc/gshadow-", group="root") }}}'
rationale: |-
- The <tt>/etc/gshadow-</tt> file is a backup of the <tt>/etc/gshadow</tt>, and as such it
- contains group password hashes. Protection of this file is critical for system security.
+ The <tt>/etc/gshadow-</tt> file is a backup of <tt>/etc/gshadow</tt>, and as such,
+ it contains group password hashes. Protection of this file is critical for system security.
severity: medium
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
index b4ece4eda7..0855e37012 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_passwd/rule.yml
@@ -5,8 +5,8 @@ title: 'Verify Group Who Owns Backup passwd File'
description: '{{{ describe_file_group_owner(file="/etc/passwd-", group="root") }}}'
rationale: |-
- The <tt>/etc/passwd-</tt> file is a backup file of the <tt>/etc/passwd</tt> file and as such
- it also contains information about the users that are configured on the system.
+ The <tt>/etc/passwd-</tt> file is a backup file of <tt>/etc/passwd</tt>, and as such,
+ it contains information about the users that are configured on the system.
Protection of this file is critical for system security.
severity: medium
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
index 6f4744e6cc..bbcf2deb48 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
@@ -5,8 +5,8 @@ title: 'Verify User Who Owns Backup shadow File'
description: '{{{ describe_file_group_owner(file="/etc/shadow-", group="root") }}}'
rationale: |-
- The <tt>/etc/shadow-</tt> file is a backup file of the <tt>/etc/shadow</tt> file, and as such
- it also contains the list of local system accounts and password hashes.
+ The <tt>/etc/shadow-</tt> file is a backup file of <tt>/etc/shadow</tt>, and as such,
+ it contains the list of local system accounts and password hashes.
Protection of this file is critical for system security.
severity: medium
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
index 43f508a788..1e2cf1ae1a 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_group/rule.yml
@@ -5,8 +5,8 @@ title: 'Verify User Who Owns Backup group File'
description: '{{{ describe_file_owner(file="/etc/group-", owner="root") }}}'
rationale: |-
- The <tt>/etc/group-</tt> file is a backup file of the <tt>/etc/group</tt>, and as such
- it also contains information regarding groups that are configured on the system.
+ The <tt>/etc/group-</tt> file is a backup file of <tt>/etc/group</tt>, and as such,
+ it contains information regarding groups that are configured on the system.
Protection of this file is important for system security.
severity: medium
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
index a840f6ef55..d90826e407 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_gshadow/rule.yml
@@ -5,8 +5,8 @@ title: 'Verify User Who Owns Backup gshadow File'
description: '{{{ describe_file_owner(file="/etc/gshadow-", owner="root") }}}'
rationale: |-
- The <tt>/etc/gshadow-</tt> file is a backup of the <tt>/etc/gshadow</tt>, and as such it
- contains group password hashes. Protection of this file is critical for system security.
+ The <tt>/etc/gshadow-</tt> file is a backup of <tt>/etc/gshadow</tt>, and as such,
+ it contains group password hashes. Protection of this file is critical for system security.
severity: medium
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
index 28ceaf57e2..180f474d96 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_passwd/rule.yml
@@ -5,8 +5,8 @@ title: 'Verify User Who Owns Backup passwd File'
description: '{{{ describe_file_owner(file="/etc/passwd-", owner="root") }}}'
rationale: |-
- The <tt>/etc/passwd-</tt> file is a backup file of the <tt>/etc/passwd</tt> file and as such
- it also contains information about the users that are configured on the system.
+ The <tt>/etc/passwd-</tt> file is a backup file of <tt>/etc/passwd</tt>, and as such,
+ it contains information about the users that are configured on the system.
Protection of this file is critical for system security.
severity: medium
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
index 2b5a17d6bf..260810b94f 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_owner_backup_etc_shadow/rule.yml
@@ -5,8 +5,8 @@ title: 'Verify Group Who Owns Backup shadow File'
description: '{{{ describe_file_owner(file="/etc/shadow-", owner="root") }}}'
rationale: |-
- The <tt>/etc/shadow-</tt> file is a backup file of the <tt>/etc/shadow</tt> file, and as such
- it also contains the list of local system accounts and password hashes.
+ The <tt>/etc/shadow-</tt> file is a backup file of <tt>/etc/shadow</tt>, and as such,
+ it contains the list of local system accounts and password hashes.
Protection of this file is critical for system security.
severity: medium
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
index d8e4ed220b..68782db132 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_group/rule.yml
@@ -6,8 +6,8 @@ description: |-
{{{ describe_file_permissions(file="/etc/group-", perms="0644") }}}
rationale: |-
- The <tt>/etc/group-</tt> file is a backup file of the <tt>/etc/group</tt>, and as such
- it also contains information regarding groups that are configured on the system.
+ The <tt>/etc/group-</tt> file is a backup file of <tt>/etc/group</tt>, and as such,
+ it contains information regarding groups that are configured on the system.
Protection of this file is important for system security.
severity: medium
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
index 29c9556298..8dc2ca59dc 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
@@ -6,8 +6,8 @@ description: |-
{{{ describe_file_permissions(file="/etc/gshadow-", perms="0000") }}}
rationale: |-
- The <tt>/etc/gshadow-</tt> file is a backup of the <tt>/etc/gshadow</tt>, and as such it
- contains group password hashes. Protection of this file is critical for system security.
+ The <tt>/etc/gshadow-</tt> file is a backup of <tt>/etc/gshadow</tt>, and as such,
+ it contains group password hashes. Protection of this file is critical for system security.
severity: medium
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
index 3620e8d0d8..b2c524d879 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
@@ -6,8 +6,8 @@ description: |-
{{{ describe_file_permissions(file="/etc/passwd-", perms="0600") }}}
rationale: |-
- The <tt>/etc/passwd-</tt> file is a backup file of the <tt>/etc/passwd</tt> file and as such
- it also contains information about the users that are configured on the system.
+ The <tt>/etc/passwd-</tt> file is a backup file of <tt>/etc/passwd</tt>, and as such,
+ it contains information about the users that are configured on the system.
Protection of this file is critical for system security.
severity: medium
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
index 6090201c11..05a7bd867f 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
@@ -6,8 +6,8 @@ description: |-
{{{ describe_file_permissions(file="/etc/shadow-", perms="0000") }}}
rationale: |-
- The <tt>/etc/shadow-</tt> file is a backup file of the <tt>/etc/shadow</tt> file, and as such
- it also contains the list of local system accounts and password hashes.
+ The <tt>/etc/shadow-</tt> file is a backup file of <tt>/etc/shadow</tt>, and as such,
+ it contains the list of local system accounts and password hashes.
Protection of this file is critical for system security.
severity: medium
From 96e63d853d7e5ec42924a7ce5a06463dfc85b4b6 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 24 Mar 2020 11:32:09 +0100
Subject: [PATCH 7/8] Describe different group owners of shadow files
The group owner of shadow files in debian based distros should
be the shadow group.
---
.../file_groupowner_backup_etc_gshadow/rule.yml | 12 +++++++++---
.../file_groupowner_backup_etc_shadow/rule.yml | 12 +++++++++---
.../file_groupowner_etc_gshadow/rule.yml | 12 +++++++++---
.../file_groupowner_etc_shadow/rule.yml | 12 +++++++++---
4 files changed, 36 insertions(+), 12 deletions(-)
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
index fcd4dfc0cb..6ad814ea96 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_gshadow/rule.yml
@@ -2,7 +2,13 @@ documentation_complete: true
title: 'Verify Group Who Owns Backup gshadow File'
-description: '{{{ describe_file_group_owner(file="/etc/gshadow-", group="root") }}}'
+{{% if "ubuntu" in product or "debian" in product %}}
+ {{% set target_group="shadow" %}}
+{{% else %}}
+ {{% set target_group="root" %}}
+{{% endif %}}
+
+description: '{{{ describe_file_group_owner(file="/etc/gshadow-", group=target_group) }}}'
rationale: |-
The <tt>/etc/gshadow-</tt> file is a backup of <tt>/etc/gshadow</tt>, and as such,
@@ -18,9 +24,9 @@ references:
cis@rhel7: 6.1.9
cis@rhel8: 6.1.9
-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/gshadow-", group="root") }}}'
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/gshadow-", group=target_group) }}}'
-ocil: '{{{ ocil_file_group_owner(file="/etc/gshadow-", group="root") }}}'
+ocil: '{{{ ocil_file_group_owner(file="/etc/gshadow-", group=target_group) }}}'
template:
name: file_groupowner
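Review bot: Only the description, ocil_clause and ocil text become conditional on Debian/Ubuntu here; the `file_groupowner` template's own vars, which drive the generated OVAL check and remediation, sit below `name: file_groupowner` outside this hunk, and nothing in the diffstat suggests they were changed, so on those products the automated check presumably still expects `root` while the rendered text says `shadow`. If that is the case, the expected group should be fed through the same variable, e.g. a vars entry set to `'{{{ target_group }}}'` under whichever key the template takes for the group, or the rule should be marked not applicable there. The `{{% set %}}` block is defined before `description:`, so it is already in scope for the template section. The template section continues outside the hunk.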
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
index bbcf2deb48..51f6076c0a 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_backup_etc_shadow/rule.yml
@@ -2,7 +2,13 @@ documentation_complete: true
title: 'Verify User Who Owns Backup shadow File'
-description: '{{{ describe_file_group_owner(file="/etc/shadow-", group="root") }}}'
+{{% if "ubuntu" in product or "debian" in product %}}
+ {{% set target_group="shadow" %}}
+{{% else %}}
+ {{% set target_group="root" %}}
+{{% endif %}}
+
+description: '{{{ describe_file_group_owner(file="/etc/shadow-", group=target_group) }}}'
rationale: |-
The <tt>/etc/shadow-</tt> file is a backup file of <tt>/etc/shadow</tt>, and as such,
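Review bot: The title on the context line above, `Verify User Who Owns Backup shadow File`, describes a user-ownership check, but this rule's description and its `file_groupowner` template both verify the group owner, and the sibling rule for `/etc/gshadow-` is titled `Verify Group Who Owns Backup gshadow File`. Since this hunk already rewrites the description, the mismatched title should be corrected alongside it: `title: 'Verify Group Who Owns Backup shadow File'`.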
@@ -19,9 +25,9 @@ references:
cis@rhel7: 6.1.7
cis@rhel8: 6.1.7
-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/shadow-", group="root") }}}'
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/shadow-", group=target_group) }}}'
-ocil: '{{{ ocil_file_group_owner(file="/etc/shadow-", group="root") }}}'
+ocil: '{{{ ocil_file_group_owner(file="/etc/shadow-", group=target_group) }}}'
template:
name: file_groupowner
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
index c2e12377ef..2720754282 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_gshadow/rule.yml
@@ -2,7 +2,13 @@ documentation_complete: true
title: 'Verify Group Who Owns gshadow File'
-description: '{{{ describe_file_group_owner(file="/etc/gshadow", group="root") }}}'
+{{% if "ubuntu" in product or "debian" in product %}}
+ {{% set target_group="shadow" %}}
+{{% else %}}
+ {{% set target_group="root" %}}
+{{% endif %}}
+
+description: '{{{ describe_file_group_owner(file="/etc/gshadow", group=target_group) }}}'
rationale: |-
The <tt>/etc/gshadow</tt> file contains group password hashes. Protection of this file
@@ -29,9 +35,9 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/gshadow", group="root") }}}'
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/gshadow", group=target_group) }}}'
-ocil: '{{{ ocil_file_group_owner(file="/etc/gshadow", group="root") }}}'
+ocil: '{{{ ocil_file_group_owner(file="/etc/gshadow", group=target_group) }}}'
template:
name: file_groupowner
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
index d8a9d04142..b86a219e40 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_groupowner_etc_shadow/rule.yml
@@ -2,7 +2,13 @@ documentation_complete: true
title: 'Verify Group Who Owns shadow File'
-description: '{{{ describe_file_group_owner(file="/etc/shadow", group="root") }}}'
+{{% if "ubuntu" in product or "debian" in product %}}
+ {{% set target_group="shadow" %}}
+{{% else %}}
+ {{% set target_group="root" %}}
+{{% endif %}}
+
+description: '{{{ describe_file_group_owner(file="/etc/shadow", group=target_group) }}}'
rationale: |-
The <tt>/etc/shadow</tt> file stores password hashes. Protection of this file is
@@ -31,9 +37,9 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/shadow", group="root") }}}'
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/shadow", group=target_group) }}}'
-ocil: '{{{ ocil_file_group_owner(file="/etc/shadow", group="root") }}}'
+ocil: '{{{ ocil_file_group_owner(file="/etc/shadow", group=target_group) }}}'
template:
name: file_groupowner
From 3896f75e95d902c865b8738c4a3988daa5e3091b Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 24 Mar 2020 12:11:58 +0100
Subject: [PATCH 8/8] Describe different permissions of shadow files
The permissions of shadow files in debian based distros are expected to
be different.
---
.../file_permissions_backup_etc_gshadow/rule.yml | 16 ++++++++++++----
.../file_permissions_backup_etc_shadow/rule.yml | 14 +++++++++++---
.../file_permissions_etc_gshadow/rule.yml | 14 +++++++++++---
.../file_permissions_etc_shadow/rule.yml | 14 +++++++++++---
4 files changed, 45 insertions(+), 13 deletions(-)
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
index 8dc2ca59dc..6e6857027f 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_gshadow/rule.yml
@@ -2,8 +2,16 @@ documentation_complete: true
title: 'Verify Permissions on Backup gshadow File'
+{{% if "ubuntu" in product or "debian" in product %}}
+ {{% set target_perms_octal="0640" %}}
+ {{% set target_perms="-rw-r-----" %}}
+{{% else %}}
+ {{% set target_perms_octal="0000" %}}
+ {{% set target_perms="----------" %}}
+{{% endif %}}
+
description: |-
- {{{ describe_file_permissions(file="/etc/gshadow-", perms="0000") }}}
+ {{{ describe_file_permissions(file="/etc/gshadow-", perms=target_perms_octal) }}}
rationale: |-
The <tt>/etc/gshadow-</tt> file is a backup of <tt>/etc/gshadow</tt>, and as such,
@@ -19,10 +27,10 @@ references:
cis@rhel7: 6.1.9
cis@rhel8: 6.1.9
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/gshadow-", perms="----------") }}}'
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/gshadow-", perms=target_perms) }}}'
-ocil: |-
- {{{ ocil_file_permissions(file="/etc/gshadow-", perms="----------") }}}
+ocil: -
+ {{{ ocil_file_permissions(file="/etc/gshadow-", perms=target_perms) }}}
template:
name: file_permissions
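Review bot: The added line `ocil: -` drops the `|` of the literal block indicator, so the rendered YAML is `ocil: -` followed by an indented `{{{ ... }}}` line; a YAML parser either rejects this outright (PyYAML reports "sequence entries are not allowed here") or stops treating the OCIL text as a block scalar, so the rule file would fail to load. The other three rules in this patch keep `ocil: |-`, and the extra insertion/deletion in this file's diffstat is this accidental change. Restore `ocil: |-` so that only the `perms=target_perms` substitution on the following line remains.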
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
index 05a7bd867f..bba9f3de6c 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_shadow/rule.yml
@@ -1,9 +1,17 @@
documentation_complete: true
+{{% if "ubuntu" in product or "debian" in product %}}
+ {{% set target_perms_octal="0640" %}}
+ {{% set target_perms="-rw-r-----" %}}
+{{% else %}}
+ {{% set target_perms_octal="0000" %}}
+ {{% set target_perms="----------" %}}
+{{% endif %}}
+
title: 'Verify Permissions on Backup shadow File'
description: |-
- {{{ describe_file_permissions(file="/etc/shadow-", perms="0000") }}}
+ {{{ describe_file_permissions(file="/etc/shadow-", perms=target_perms_octal) }}}
rationale: |-
The <tt>/etc/shadow-</tt> file is a backup file of <tt>/etc/shadow</tt>, and as such,
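Review bot: The `{{% if %}}`/`{{% set %}}` block is inserted between `documentation_complete:` and `title:` in this file, whereas the three sibling rules in the same patch place it after `title:` and directly before `description:`; one consistent position makes these near-identical rule files easier to diff and review. Moving the block to just below `title: 'Verify Permissions on Backup shadow File'` would match the others without changing the rendered output.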
@@ -20,10 +28,10 @@ references:
cis@rhel7: 6.1.7
cis@rhel8: 6.1.7
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/shadow-", perms="----------") }}}'
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/shadow-", perms=target_perms) }}}'
ocil: |-
- {{{ ocil_file_permissions(file="/etc/shadow-", perms="----------") }}}
+ {{{ ocil_file_permissions(file="/etc/shadow-", perms=target_perms) }}}
template:
name: file_permissions
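Review bot: Only the human-readable description, ocil_clause and ocil are switched to `0640` for Debian/Ubuntu; the `file_permissions` template vars below `name: file_permissions`, outside this hunk, are not touched by the patch, so the generated OVAL check and remediation presumably still require mode `0000` on those products, contradicting the text and, on Debian, removing the `shadow`-group read access that the matching group-owner rules rely on. The mode handed to the template needs the same conditional, e.g. a vars entry set to `'{{{ target_perms_octal }}}'` under whichever key the template uses, unless the template derives it from elsewhere. The template section continues outside the hunk.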
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
index d1ed4475fb..7e226951ce 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_gshadow/rule.yml
@@ -2,8 +2,16 @@ documentation_complete: true
title: 'Verify Permissions on gshadow File'
+{{% if "ubuntu" in product or "debian" in product %}}
+ {{% set target_perms_octal="0640" %}}
+ {{% set target_perms="-rw-r-----" %}}
+{{% else %}}
+ {{% set target_perms_octal="0000" %}}
+ {{% set target_perms="----------" %}}
+{{% endif %}}
+
description: |-
- {{{ describe_file_permissions(file="/etc/gshadow", perms="0000") }}}
+ {{{ describe_file_permissions(file="/etc/gshadow", perms=target_perms_octal) }}}
rationale: |-
The <tt>/etc/gshadow</tt> file contains group password hashes. Protection of this file
@@ -31,10 +39,10 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/gshadow", perms="----------") }}}'
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/gshadow", perms=target_perms) }}}'
ocil: |-
- {{{ ocil_file_permissions(file="/etc/gshadow", perms="----------") }}}
+ {{{ ocil_file_permissions(file="/etc/gshadow", perms=target_perms) }}}
template:
name: file_permissions
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
index 61f4fb6cce..e66583627d 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_etc_shadow/rule.yml
@@ -2,8 +2,16 @@ documentation_complete: true
title: 'Verify Permissions on shadow File'
+{{% if "ubuntu" in product or "debian" in product %}}
+ {{% set target_perms_octal="0640" %}}
+ {{% set target_perms="-rw-r-----" %}}
+{{% else %}}
+ {{% set target_perms_octal="0000" %}}
+ {{% set target_perms="----------" %}}
+{{% endif %}}
+
description: |-
- {{{ describe_file_permissions(file="/etc/shadow", perms="0000") }}}
+ {{{ describe_file_permissions(file="/etc/shadow", perms=target_perms_octal) }}}
rationale: |-
The <tt>/etc/shadow</tt> file contains the list of local
@@ -36,10 +44,10 @@ references:
iso27001-2013: A.10.1.1,A.11.1.4,A.11.1.5,A.11.2.1,A.13.1.1,A.13.1.3,A.13.2.1,A.13.2.3,A.13.2.4,A.14.1.2,A.14.1.3,A.6.1.2,A.7.1.1,A.7.1.2,A.7.3.1,A.8.2.2,A.8.2.3,A.9.1.1,A.9.1.2,A.9.2.3,A.9.4.1,A.9.4.4,A.9.4.5
cis-csc: 12,13,14,15,16,18,3,5
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/shadow", perms="----------") }}}'
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/shadow", perms=target_perms) }}}'
ocil: |-
- {{{ ocil_file_permissions(file="/etc/shadow", perms="----------") }}}
+ {{{ ocil_file_permissions(file="/etc/shadow", perms=target_perms) }}}
template:
name: file_permissions