From d97c8749052a095771eb48621f39530f46603acd Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 24 Mar 2020 10:02:19 +0100
Subject: [PATCH] add rule for passwd add rule for /etc/group add rule for
 /etc/shadow add rules to rhel7 and rhel8 cis profiles

---
 .../ansible/shared.yml                        | 17 ++++++++++
 .../bash/shared.sh                            |  7 +++++
 .../oval/shared.xml                           | 26 ++++++++++++++++
 .../no_legacy_plus_entries_etc_group/rule.yml | 31 +++++++++++++++++++
 .../tests/correct.pass.sh                     |  3 ++
 .../tests/include_everything.fail.sh          |  4 +++
 .../tests/include_group.fail.sh               |  3 ++
 .../tests/include_name.fail.sh                |  3 ++
 .../tests/multiple.fail.sh                    |  5 +++
 .../ansible/shared.yml                        | 17 ++++++++++
 .../bash/shared.sh                            |  7 +++++
 .../oval/shared.xml                           | 26 ++++++++++++++++
 .../rule.yml                                  | 31 +++++++++++++++++++
 .../tests/correct.pass.sh                     |  3 ++
 .../tests/include_everything.fail.sh          |  4 +++
 .../tests/include_group.fail.sh               |  3 ++
 .../tests/include_name.fail.sh                |  3 ++
 .../tests/multiple.fail.sh                    |  5 +++
 .../ansible/shared.yml                        | 17 ++++++++++
 .../bash/shared.sh                            |  7 +++++
 .../oval/shared.xml                           | 26 ++++++++++++++++
 .../rule.yml                                  | 31 +++++++++++++++++++
 .../tests/correct.pass.sh                     |  3 ++
 .../tests/include_everything.fail.sh          |  4 +++
 .../tests/include_group.fail.sh               |  3 ++
 .../tests/include_name.fail.sh                |  3 ++
 .../tests/multiple.fail.sh                    |  5 +++
 rhel7/profiles/cis.profile                    |  6 ++++
 30 files changed, 314 insertions(+), 6 deletions(-)
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml
new file mode 100644
index 000000000..acf0496e1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml
@@ -0,0 +1,17 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = medium
+
+- name: "Backup the old /etc/group file"
+  copy:
+    src: /etc/group
+    dest: /etc/group-
+    remote_src: true
+
+- name: "Remove lines starting with + from /etc/group"
+  lineinfile:
+    regexp: '^\+.*$'
+    state: absent
+    path: /etc/group
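Review bot: The `copy` task rewrites `/etc/group-` on every run, even when `/etc/group` contains no `+` line, because unlike the bash remediation in this commit (guarded by `grep -q '^\+'`) there is no condition on the task; on an already compliant host it silently replaces whatever backup the system last wrote there. Either guard the copy with a `when:` driven by a preceding check, or drop the copy and set `backup: true` on the `lineinfile` task so a timestamped backup is written only when a line is actually removed. The passwd and shadow ansible hunks have the same unconditional copy.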
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh
new file mode 100644
index 000000000..524cf10d5
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+
+if grep -q '^\+' /etc/group; then
+# backup old file to /etc/group-
+	cp /etc/group /etc/group-
+	sed -i '/^\+.*$/d' /etc/group
+fi
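Review bot: `grep -q '^\+'` and `sed -i '/^\+.*$/d'` match a literal `+` only because GNU grep and sed treat `\+` as an ordinary character where a repetition operator cannot apply (directly after `^`); anywhere else in a GNU BRE `\+` means "one or more", so the pattern reads as a quantifier at first glance. A bracket expression, `grep -q '^[+]' /etc/group` and `sed -i '/^[+]/d' /etc/group`, says the same thing unambiguously and does not depend on that GNU context rule. The comment above the `cp` line is also flush-left inside the `if` body; indent it with the commands it describes. The passwd and shadow bash hunks use the same pattern and layout.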
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml
new file mode 100644
index 000000000..01ddaa125
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml
@@ -0,0 +1,26 @@
+<def-group>
+  <definition class="compliance" id="no_legacy_plus_entries_etc_group" version="1">
+    <metadata>
+      <title>Ensure there are no legacy + NIS entries in /etc/group</title>
+      {{{- oval_affected(products) }}}
+      <description>No lines starting with + are in /etc/group</description>
+    </metadata>
+    <criteria comment="no lines starting with + are in /etc/group">
+      <criterion test_ref="test_no_legacy_plus_entries_etc_group" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="none_exist"
+  comment="check for existence of lines starting with +" id="test_no_legacy_plus_entries_etc_group"
+  version="1">
+    <ind:object object_ref="object_no_legacy_plus_entries_etc_group" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object comment="lines starting with +"
+  id="object_no_legacy_plus_entries_etc_group" version="1">
+    <ind:filepath>/etc/group</ind:filepath>
+    <ind:pattern operation="pattern match">^\+.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
new file mode 100644
index 000000000..a47fd1089
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4
+
+title: 'Ensure there are no legacy + NIS entries in /etc/group'
+
+description: |-
+    The <tt>+</tt> character in <tt>/etc/group</tt> file marks a place where
+    entries from a network information service (NIS) should be directly inserted.
+
+rationale: |-
+    Using this method to include entries into <tt>/etc/group</tt> is considered legacy
+    and should be avoided. These entries may provide a way for an attacker
+    to gain access to the system.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: 83388-9
+    cce@rhel8: 83389-7
+
+references:
+    cis@rhel7: 6.2.4
+    cis@rhel8: 6.2.5
+
+ocil_clause: 'the file contains legacy lines'
+
+ocil: |-
+    To check for legacy lines in <tt>/etc/group</tt>, run the following command:
+    <pre> grep '^\+' /etc/group</pre>
+    The command should not return any output.
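Review bot: The rule text never tells the reader that the remediations in this commit delete the matching lines rather than report them, which on a host that genuinely uses NIS compat entries removes the lookups those `+` lines provide; a `warnings:` block with a `general:` entry stating that all lines beginning with `+` are removed from `/etc/group` and that NIS compat lookups depending on them will stop working would make the disruption explicit. The description also reads more naturally as `in the <tt>/etc/group</tt> file`. The passwd and shadow rule.yml hunks share both points.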
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh
new file mode 100644
index 000000000..1adc7ac56
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i '/^\+.*$/d' /etc/group
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh
new file mode 100644
index 000000000..1ef667771
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+
+echo "+" >> /etc/group
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh
new file mode 100644
index 000000000..9192157bd
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+@group" >> /etc/group
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh
new file mode 100644
index 000000000..709937f75
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+name" >> /etc/group
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh
new file mode 100644
index 000000000..79cbd5456
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo "+name" >> /etc/group
+echo "+" >> /etc/group
+echo "+@group" >> /etc/group
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml
new file mode 100644
index 000000000..5baef2580
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml
@@ -0,0 +1,17 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = medium
+
+- name: "Backup the old /etc/passwd file"
+  copy:
+    src: /etc/passwd
+    dest: /etc/passwd-
+    remote_src: true
+
+- name: "Remove lines starting with + from /etc/passwd"
+  lineinfile:
+    regexp: '^\+.*$'
+    state: absent
+    path: /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh
new file mode 100644
index 000000000..4bb73e017
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+
+if grep -q '^\+' /etc/passwd; then
+# backup old file to /etc/passwd-
+	cp /etc/passwd /etc/passwd-
+	sed -i '/^\+.*$/d' /etc/passwd
+fi
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml
new file mode 100644
index 000000000..210437adb
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml
@@ -0,0 +1,26 @@
+<def-group>
+  <definition class="compliance" id="no_legacy_plus_entries_etc_passwd" version="1">
+    <metadata>
+      <title>Ensure there are no legacy + NIS entries in /etc/passwd</title>
+      {{{- oval_affected(products) }}}
+      <description>No lines starting with + are in /etc/passwd</description>
+    </metadata>
+    <criteria comment="no lines starting with + are in /etc/passwd">
+      <criterion test_ref="test_no_legacy_plus_entries_etc_passwd" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="none_exist"
+  comment="check for existence of lines starting with +" id="test_no_legacy_plus_entries_etc_passwd"
+  version="1">
+    <ind:object object_ref="object_no_legacy_plus_entries_etc_passwd" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object comment="lines starting with +"
+  id="object_no_legacy_plus_entries_etc_passwd" version="1">
+    <ind:filepath>/etc/passwd</ind:filepath>
+    <ind:pattern operation="pattern match">^\+.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
new file mode 100644
index 000000000..e7c5f9832
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4
+
+title: 'Ensure there are no legacy + NIS entries in /etc/passwd'
+
+description: |-
+    The <tt>+</tt> character in <tt>/etc/passwd</tt> file marks a place where
+    entries from a network information service (NIS) should be directly inserted.
+
+rationale: |-
+    Using this method to include entries into <tt>/etc/passwd</tt> is considered legacy
+    and should be avoided. These entries may provide a way for an attacker
+    to gain access to the system.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: 82889-7
+    cce@rhel8: 82890-5
+
+references:
+    cis@rhel7: 6.2.2
+    cis@rhel8: 6.2.2
+
+ocil_clause: 'the file contains legacy lines'
+
+ocil: |-
+    To check for legacy lines in <tt>/etc/passwd</tt>, run the following command:
+    <pre> grep '^\+' /etc/passwd</pre>
+    The command should not return any output.
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh
new file mode 100644
index 000000000..ac0b47f7a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i '/^\+.*$/d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh
new file mode 100644
index 000000000..94a980029
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+
+echo "+" >> /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh
new file mode 100644
index 000000000..90b717cc1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+@group" >> /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh
new file mode 100644
index 000000000..0c036c3e2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+name" >> /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh
new file mode 100644
index 000000000..cf16444d7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo "+name" >> /etc/passwd
+echo "+" >> /etc/passwd
+echo "+@group" >> /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml
new file mode 100644
index 000000000..c969414d2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml
@@ -0,0 +1,17 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = medium
+
+- name: "Backup the old /etc/shadow file"
+  copy:
+    src: /etc/shadow
+    dest: /etc/shadow-
+    remote_src: true
+
+- name: "Remove lines starting with + from /etc/shadow"
+  lineinfile:
+    regexp: '^\+.*$'
+    state: absent
+    path: /etc/shadow
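Review bot: The backup `copy` of `/etc/shadow` sets no `mode`, so if `/etc/shadow-` does not already exist the new file takes its permissions from the remote umask instead of from `/etc/shadow`, which can leave password hashes in a readable file; when the destination already exists its current mode is kept, whatever that happens to be. Adding `mode: preserve` to the `copy` task (or an explicit restrictive `mode:` together with `owner: root` and `group: root`) makes the backup's permissions independent of the host's umask and of any pre-existing file.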
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh
new file mode 100644
index 000000000..f8874c9f0
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+
+if grep -q '^\+' /etc/shadow; then
+# backup old file to /etc/shadow-
+	cp /etc/shadow /etc/shadow-
+	sed -i '/^\+.*$/d' /etc/shadow
+fi
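Review bot: `cp /etc/shadow /etc/shadow-` leaves the permissions of an existing `/etc/shadow-` untouched: the file is truncated and rewritten but keeps whatever mode it already had, so if that file was ever created with a looser mode the hashes are copied into it unchecked. `cp -p -- /etc/shadow /etc/shadow-` applies the source's mode and ownership to the backup whether or not the destination existed, which is the behaviour a backup of this file should have.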
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml
new file mode 100644
index 000000000..8fad2c384
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml
@@ -0,0 +1,26 @@
+<def-group>
+  <definition class="compliance" id="no_legacy_plus_entries_etc_shadow" version="1">
+    <metadata>
+      <title>Ensure there are no legacy + NIS entries in /etc/shadow</title>
+      {{{- oval_affected(products) }}}
+      <description>No lines starting with + are in /etc/shadow</description>
+    </metadata>
+    <criteria comment="no lines starting with + are in /etc/shadow">
+      <criterion test_ref="test_no_legacy_plus_entries_etc_shadow" />
+    </criteria>
+  </definition>
+
+  <ind:textfilecontent54_test check="all" check_existence="none_exist"
+  comment="check for existence of lines starting with +" id="test_no_legacy_plus_entries_etc_shadow"
+  version="1">
+    <ind:object object_ref="object_no_legacy_plus_entries_etc_shadow" />
+  </ind:textfilecontent54_test>
+
+  <ind:textfilecontent54_object comment="lines starting with +"
+  id="object_no_legacy_plus_entries_etc_shadow" version="1">
+    <ind:filepath>/etc/shadow</ind:filepath>
+    <ind:pattern operation="pattern match">^\+.*$</ind:pattern>
+    <ind:instance datatype="int">1</ind:instance>
+  </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
new file mode 100644
index 000000000..beb3772b2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4
+
+title: 'Ensure there are no legacy + NIS entries in /etc/shadow'
+
+description: |-
+    The <tt>+</tt> character in <tt>/etc/shadow</tt> file marks a place where
+    entries from a network information service (NIS) should be directly inserted.
+
+rationale: |-
+    Using this method to include entries into <tt>/etc/shadow</tt> is considered legacy
+    and should be avoided. These entries may provide a way for an attacker
+    to gain access to the system.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: 83390-5
+    cce@rhel8: 84290-6
+
+references:
+    cis@rhel7: 6.2.3
+    cis@rhel8: 6.2.4
+
+ocil_clause: 'the file contains legacy lines'
+
+ocil: |-
+    To check for legacy lines in <tt>/etc/shadow</tt>, run the following command:
+    <pre> grep '^\+' /etc/shadow</pre>
+    The command should not return any output.
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh
new file mode 100644
index 000000000..4647b544e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i '/^\+.*$/d' /etc/shadow
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh
new file mode 100644
index 000000000..881e23676
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+
+echo "+" >> /etc/shadow
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh
new file mode 100644
index 000000000..39076bdcc
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+@group" >> /etc/shadow
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh
new file mode 100644
index 000000000..6cbc6e885
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+name" >> /etc/shadow
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh
new file mode 100644
index 000000000..b2daf1bc2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo "+name" >> /etc/shadow
+echo "+" >> /etc/shadow
+echo "+@group" >> /etc/shadow
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index b66594f59..bfb1508b6 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -735,8 +735,14 @@ selections:
     ## 6.2 User and Group Settings
     ### 6.2.1 Ensure password fields are not empty (Scored)
     ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
+    - no_legacy_plus_entries_etc_passwd
+
     ### 6.2.3 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
+    - no_legacy_plus_entries_etc_shadow
+
     ### 6.2.4 Ensure no legacy "+" entries exist in /etc/group (Scored)
+    - no_legacy_plus_entries_etc_group
+
     ### 6.2.5 Ensure root is the only UID 0 account (Scored)
     - accounts_no_uid_except_zero
 
-- 
2.21.1