From b5b96f3f1c20ba75e6af9bdcf2729a6513db8e48 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 16 Apr 2020 15:01:16 +0200
Subject: [PATCH] Change permissions to 644 for the passwd- file in rule
 file_permissions_backup_etc_passwd.

---
 .../file_permissions_backup_etc_passwd/rule.yml        |  8 ++++----
 .../tests/adduser.pass.sh                              | 10 ++++++++++
 .../tests/correct_value.pass.sh                        |  4 ++++
 .../tests/wrong_value.fail.sh                          |  5 +++++
 5 files changed, 24 insertions(+), 5 deletions(-)
 create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/adduser.pass.sh
 create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/correct_value.pass.sh
 create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/wrong_value.fail.sh

diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
index cd1dded6f7..c5106b0cda 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
@@ -3,7 +3,7 @@ documentation_complete: true
 title: 'Verify Permissions on Backup passwd File'
 
 description: |-
-    {{{ describe_file_permissions(file="/etc/passwd-", perms="0600") }}}
+    {{{ describe_file_permissions(file="/etc/passwd-", perms="0644") }}}
 
 rationale: |-
     The <tt>/etc/passwd-</tt> file is a backup file of <tt>/etc/passwd</tt>, and as such,
@@ -21,14 +21,14 @@ references:
     cis@rhel7: 6.1.6
     cis@rhel8: 6.1.6
 
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/passwd-", perms="-rw-------") }}}'
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/passwd-", perms="-rw-r--r--") }}}'
 
 ocil: |-
-    {{{ ocil_file_permissions(file="/etc/passwd-", perms="-rw-------") }}}
+    {{{ ocil_file_permissions(file="/etc/passwd-", perms="-rw-r--r--") }}}
 
 template:
     name: file_permissions
     vars:
         filepath: /etc/passwd-
-        filemode: '0600'
+        filemode: '0644'
         missing_file_pass: 'true'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/adduser.pass.sh b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/adduser.pass.sh
new file mode 100644
index 0000000000..e053a5a87b
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/adduser.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+USER=ssgttuser
+
+# set wrong permissions
+chmod 600 /etc/passwd-
+
+# useradd will copy the backup file with permissions from the
+# actual /etc/passwd file containing correct permissions
+useradd ${USER}
+
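Review bot: `USER=ssgttuser` on the second line reassigns the standard `USER` environment variable for the rest of the script, so the test user name shadows a value other tooling may read; a dedicated name such as `TEST_USER=ssgttuser` with `useradd "${TEST_USER}"` avoids that. The scenario also depends on useradd rewriting /etc/passwd- with the mode of /etc/passwd, as the comment states, but this is a behaviour of the useradd implementation rather than something the script checks, so naming that dependency in the comment would help the next reader. A guard such as `id "${TEST_USER}" >/dev/null 2>&1 || useradd "${TEST_USER}"` would keep the setup from failing on a host where the user already exists.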
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/correct_value.pass.sh b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..223ece7df2
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/correct_value.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+chmod 644 /etc/passwd-
+
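Review bot: `chmod 644 /etc/passwd-` exits non-zero when the backup file does not exist, which can be the case on a freshly provisioned system where /etc/passwd has never been rewritten; the same applies to `chmod 660 /etc/passwd-` in tests/wrong_value.fail.sh. Because the rule sets `missing_file_pass: 'true'`, a missing file makes the rule pass regardless of the chmod, so the fail scenario could report a pass for the wrong reason. Creating the file before changing its mode, `touch /etc/passwd-`, makes both scenarios deterministic. Whether the test harness treats a failing setup script as an error is not visible from this diff.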
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/wrong_value.fail.sh b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..d0030f9b5e
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/wrong_value.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# the expected is 644
+chmod 660 /etc/passwd-
+