From b5b96f3f1c20ba75e6af9bdcf2729a6513db8e48 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Thu, 16 Apr 2020 15:01:16 +0200
Subject: [PATCH] Change permissions to 644 for passwd- file from rule
file_permissions_backup_etc_passwd.
---
.../file_permissions_backup_etc_passwd/rule.yml | 8 ++++----
.../tests/adduser.pass.sh | 10 ++++++++++
.../tests/correct_value.pass.sh | 4 ++++
.../tests/wrong_value.fail.sh | 5 +++++
5 files changed, 24 insertions(+), 5 deletions(-)
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/adduser.pass.sh
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/correct_value.pass.sh
create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
index cd1dded6f7..c5106b0cda 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
@@ -3,7 +3,7 @@ documentation_complete: true
title: 'Verify Permissions on Backup passwd File'
description: |-
- {{{ describe_file_permissions(file="/etc/passwd-", perms="0600") }}}
+ {{{ describe_file_permissions(file="/etc/passwd-", perms="0644") }}}
rationale: |-
The <tt>/etc/passwd-</tt> file is a backup file of <tt>/etc/passwd</tt>, and as such,
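Review bot: The rationale following the changed description is untouched in the visible lines, so the rule text gives no reason why a world-readable backup is now acceptable. A sentence there would help, for example `The backup is written with the same mode as /etc/passwd, which holds no password hashes when /etc/shadow is in use.` The rationale block continues outside the hunk, so it may already cover this. If it argues for restricting read access, it now contradicts `perms="0644"`.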
@@ -21,14 +21,14 @@ references:
cis@rhel7: 6.1.6
cis@rhel8: 6.1.6
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/passwd-", perms="-rw-------") }}}'
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/passwd-", perms="-rw-r--r--") }}}'
ocil: |-
- {{{ ocil_file_permissions(file="/etc/passwd-", perms="-rw-------") }}}
+ {{{ ocil_file_permissions(file="/etc/passwd-", perms="-rw-r--r--") }}}
template:
name: file_permissions
vars:
filepath: /etc/passwd-
- filemode: '0600'
+ filemode: '0644'
missing_file_pass: 'true'
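Review bot: The `cis@rhel7: 6.1.6` and `cis@rhel8: 6.1.6` references in the context lines stay unchanged while `filemode` is relaxed from `'0600'` to `'0644'`, so confirm that the cited benchmark items accept 0644. Otherwise the rule reports compliance where the referenced control does not. It would also help to state next to the value whether stricter modes still pass, for example `# 0644 is the most permissive mode accepted; 0600 should still pass (confirm against the file_permissions template)`. The OCIL text now tells an auditor to expect exactly `-rw-r--r--`, which can read as a finding on hosts that kept the stricter mode.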
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/adduser.pass.sh b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/adduser.pass.sh
new file mode 100644
index 0000000000..e053a5a87b
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/adduser.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+USER=ssgttuser
+
+# set wrong permissions
+chmod 600 /etc/passwd-
+
+# useradd will copy the backup file with permissions from the
+# actual /etc/passwd file containing correct permissions
+useradd ${USER}
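Review bot: This scenario never verifies that `useradd` rewrote `/etc/passwd-`. Nothing checks the exit status, and if the `file_permissions` template accepts modes stricter than 0644 (not visible here), a file left at 600 would pass anyway. `useradd` also fails when `ssgttuser` already exists, and the account is never removed, so a rerun on the same host may not exercise the behaviour under test. Consider `useradd "${user}" || exit 1` with a lowercase variable name, since `USER` shadows the login-name environment variable. The first comment would be more accurate as `# start from a stricter mode than the rule expects`.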
+
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/correct_value.pass.sh b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..223ece7df2
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/correct_value.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+chmod 644 /etc/passwd-
+
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/wrong_value.fail.sh b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..d0030f9b5e
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/wrong_value.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# the expected is 644
+chmod 660 /etc/passwd-
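Review bot: Mode 660 differs from 0644 in two bits at once (group write added, other read removed), so the scenario does not show which one makes the rule fail. For a permissions rule the case to pin down is extra write access. A value such as `chmod 664 /etc/passwd-` with the comment `# group-write bit exceeds the expected 0644` isolates it. A second scenario with the other-write bit set would cover the world-writable case, which is not tested in the files shown here.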
+