From d97c8749052a095771eb48621f39530f46603acd Mon Sep 17 00:00:00 2001 
From: Vojtech Polasek Date: Tue, 24 Mar 2020 10:02:19 +0100 Subject: [PATCH] add rule for passwd add rule for /etc/group add rule for /etc/shadow add rules to rhel7 and rhel8 cis profiles --- .../ansible/shared.yml | 17 ++++++++++ .../bash/shared.sh | 7 +++++ .../oval/shared.xml | 26 ++++++++++++++++ .../no_legacy_plus_entries_etc_group/rule.yml | 31 +++++++++++++++++++ .../tests/correct.pass.sh | 3 ++ .../tests/include_everything.fail.sh | 4 +++ .../tests/include_group.fail.sh | 3 ++ .../tests/include_name.fail.sh | 3 ++ .../tests/multiple.fail.sh | 5 +++ .../ansible/shared.yml | 17 ++++++++++ .../bash/shared.sh | 7 +++++ .../oval/shared.xml | 26 ++++++++++++++++ .../rule.yml | 31 +++++++++++++++++++ .../tests/correct.pass.sh | 3 ++ .../tests/include_everything.fail.sh | 4 +++ .../tests/include_group.fail.sh | 3 ++ .../tests/include_name.fail.sh | 3 ++ .../tests/multiple.fail.sh | 5 +++ .../ansible/shared.yml | 17 ++++++++++ .../bash/shared.sh | 7 +++++ .../oval/shared.xml | 26 ++++++++++++++++ .../rule.yml | 31 +++++++++++++++++++ .../tests/correct.pass.sh | 3 ++ .../tests/include_everything.fail.sh | 4 +++ .../tests/include_group.fail.sh | 3 ++ .../tests/include_name.fail.sh | 3 ++ .../tests/multiple.fail.sh | 5 +++ rhel7/profiles/cis.profile | 6 ++++ 30 files changed, 314 insertions(+), 6 deletions(-) create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml create mode 100644 
linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh
create mode 100644
linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml
new file mode 100644
index 000000000..acf0496e1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml
@@ -0,0 +1,17 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = medium
+
+- name: "Backup the old /etc/group file"
+ copy:
+ src: /etc/group
+ dest: /etc/group-
+ remote_src: true
+
+- name: "Remove lines starting with + from /etc/group"
+ lineinfile:
+ regexp: '^\+.*$'
+ state: absent
+ path: /etc/group
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh
new file mode 100644
index 000000000..524cf10d5
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+
+if grep -q '^\+' /etc/group; then
+# backup old file to /etc/group-
+ cp /etc/group /etc/group-
+ sed -i '/^\+.*$/d' /etc/group
+fi
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml
new file mode 100644
index 000000000..01ddaa125
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml
@@ -0,0 +1,26 @@
+ + + + Ensure there are no legacy + NIS entries in /etc/group + {{{- oval_affected(products) }}} + No lines starting with + are in /etc/group + + + + + + + + + + + + /etc/group + ^\+.*$ + 1 + + + 
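Review bot: The backup task copies /etc/group to /etc/group- with no `mode:`, `owner:` or `group:`, so if the destination does not exist yet the copy module creates it with the system umask default (typically 0644) instead of the source file's mode; in the identical /etc/shadow playbook (L14) that would leave the password hashes in a world-readable /etc/shadow-. The copy also runs unconditionally, so a second run of the playbook overwrites the backup with the already-cleaned file and reports `changed`, whereas the bash remediation only acts when `grep -q '^\+'` finds a legacy entry. Add `mode: preserve` to the copy and gate it on a preceding check, as below; the /etc/passwd (L9) and /etc/shadow (L14) hunks need the same change. The lineinfile task is idempotent on its own and can stay as is.
```yaml
- name: "Check for legacy + entries in /etc/group"
  command: grep -q '^\+' /etc/group
  register: legacy_plus_entries
  changed_when: false
  failed_when: legacy_plus_entries.rc > 1

- name: "Backup the old /etc/group file"
  copy:
    src: /etc/group
    dest: /etc/group-
    remote_src: true
    mode: preserve
  when: legacy_plus_entries.rc == 0

# … unchanged: lineinfile task removing lines matching ^\+.*$ …
```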
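Review bot: `cp /etc/group /etc/group-` is run without `-p`, so a backup file that does not exist yet receives the source mode masked by the umask rather than the original's mode and ownership; for /etc/group that is harmless, but the same line in the /etc/shadow remediation (L15) backs up password hashes and should not depend on the umask, so use `cp -p /etc/group /etc/group-` here and in L10 and L15. The comment `# backup old file to /etc/group-` sits at column 0 inside the `if` body; indent it with the `cp` line. /etc/group-, /etc/passwd- and /etc/shadow- are also the backup names shadow-utils itself writes, so overwriting that copy is presumably intended and is worth stating in the comment.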
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml new file mode 100644 index 000000000..a47fd1089 --- /dev/null +++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml @@ -0,0 +1,31 @@ +documentation_complete: true + +prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 + +title: 'Ensure there are no legacy + NIS entries in /etc/group' + +description: |- + The + character in /etc/group file marks a place where + entries from a network information service (NIS) should be directly inserted. + +rationale: |- + Using this method to include entries into /etc/group is considered legacy + and should be avoided. These entries may provide a way for an attacker + to gain access to the system. + +severity: medium + +identifiers: + cce@rhel7: 83388-9 + cce@rhel8: 83389-7 + +references: + cis@rhel7: 6.2.4 + cis@rhel8: 6.2.5 + +ocil_clause: 'the file contains legacy lines' + +ocil: |- + To check for legacy lines in /etc/group, run the following command: +
 grep '^\+' /etc/group
+ The command should not return any output.
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh
new file mode 100644
index 000000000..1adc7ac56
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i '/^\+.*$/d' /etc/group
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh
new file mode 100644
index 000000000..1ef667771
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+
+echo "+" >> /etc/group
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh
new file mode 100644
index 000000000..9192157bd
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+@group" >> /etc/group
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh
new file mode 100644
index 000000000..709937f75
--- /dev/null
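Review bot: The `description` reads `The + character in /etc/group file marks a place where`, which drops the article and does not say that only a leading `+` is meant, although the OVAL check and both remediations match `^\+`; suggest `A line beginning with the + character in the /etc/group file marks a place where`. The /etc/passwd (L13) and /etc/shadow (L18) rule.yml hunks use the same sentence and want the same fix. The hunk starts on L6 and its `ocil` block continues on L7.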
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+name" >> /etc/group
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh
new file mode 100644
index 000000000..79cbd5456
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo "+name" >> /etc/group
+echo "+" >> /etc/group
+echo "+@group" >> /etc/group
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml
new file mode 100644
index 000000000..5baef2580
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml
@@ -0,0 +1,17 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = medium
+
+- name: "Backup the old /etc/passwd file"
+ copy:
+ src: /etc/passwd
+ dest: /etc/passwd-
+ remote_src: true
+
+- name: "Remove lines starting with + from /etc/passwd"
+ lineinfile:
+ regexp: '^\+.*$'
+ state: absent
+ path: /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh
new file mode 100644
index 000000000..4bb73e017
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+
+if grep -q '^\+' /etc/passwd; then
+# backup old file to /etc/passwd-
+ cp /etc/passwd /etc/passwd-
+ sed -i '/^\+.*$/d' /etc/passwd
+fi
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml
new file mode 100644
index 000000000..210437adb
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml
@@ -0,0 +1,26 @@
+ + + + Ensure there are no legacy + NIS entries in /etc/passwd + {{{- oval_affected(products) }}} + No lines starting with + are in /etc/passwd + + + + + + + + + + + + /etc/passwd + ^\+.*$ + 1 + + + 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
new file mode 100644
index 000000000..e7c5f9832
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
@@ -0,0 +1,31 @@ +documentation_complete: true + +prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 + +title: 'Ensure there are no legacy + NIS entries in /etc/passwd' + +description: |- + The + character in /etc/passwd file marks a place where + entries from a network information service (NIS) should be directly inserted. + +rationale: |- + Using this method to include entries into /etc/passwd is considered legacy + and should be avoided. These entries may provide a way for an attacker + to gain access to the system. + +severity: medium + +identifiers: + cce@rhel7: 82889-7 + cce@rhel8: 82890-5 + +references: + cis@rhel7: 6.2.2 + cis@rhel8: 6.2.2 + +ocil_clause: 'the file contains legacy lines' + +ocil: |- + To check for legacy lines in /etc/passwd, run the following command: +
 grep '^\+' /etc/passwd
+ The command should not return any output.
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh
new file mode 100644
index 000000000..ac0b47f7a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i '/^\+.*$/d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh
new file mode 100644
index 000000000..94a980029
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+
+echo "+" >> /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh
new file mode 100644
index 000000000..90b717cc1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+@group" >> /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh
new file mode 100644
index 000000000..0c036c3e2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+name" >> /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh
new file mode 100644
index 000000000..cf16444d7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo "+name" >> /etc/passwd
+echo "+" >> /etc/passwd
+echo "+@group" >> /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml
new file mode 100644
index 000000000..c969414d2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml
@@ -0,0 +1,17 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = medium
+
+- name: "Backup the old /etc/shadow file"
+ copy:
+ src: /etc/shadow
+ dest: /etc/shadow-
+ remote_src: true
+
+- name: "Remove lines starting with + from /etc/shadow"
+ lineinfile:
+ regexp: '^\+.*$'
+ state: absent
+ path: /etc/shadow
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh
new file mode 100644
index 000000000..f8874c9f0
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+
+if grep -q '^\+' /etc/shadow; then
+# backup old file to /etc/shadow-
+ cp /etc/shadow /etc/shadow-
+ sed -i '/^\+.*$/d' /etc/shadow
+fi
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml
new file mode 100644
index 000000000..8fad2c384
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml
@@ -0,0 +1,26 @@
+ + + + Ensure there are no legacy + NIS entries in /etc/shadow + {{{- oval_affected(products) }}} + No lines starting with + are in /etc/shadow + + + + + + + + + + + + /etc/shadow + ^\+.*$ + 1 + + + 
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
new file mode 100644
index 000000000..beb3772b2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
@@ -0,0 +1,31 @@ +documentation_complete: true + +prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4 + +title: 'Ensure there are no legacy + NIS entries in /etc/shadow' + +description: |- + The + character in /etc/shadow file marks a place where + entries from a network information service (NIS) should be directly inserted. + +rationale: |- + Using this method to include entries into /etc/shadow is considered legacy + and should be avoided. These entries may provide a way for an attacker + to gain access to the system. + +severity: medium + +identifiers: + cce@rhel7: 83390-5 + cce@rhel8: 84290-6 + +references: + cis@rhel7: 6.2.3 + cis@rhel8: 6.2.4 + +ocil_clause: 'the file contains legacy lines' + +ocil: |- + To check for legacy lines in /etc/shadow, run the following command: +
 grep '^\+' /etc/shadow
+ The command should not return any output.
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh
new file mode 100644
index 000000000..4647b544e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i '/^\+.*$/d' /etc/shadow
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh
new file mode 100644
index 000000000..881e23676
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+
+echo "+" >> /etc/shadow
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh
new file mode 100644
index 000000000..39076bdcc
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+@group" >> /etc/shadow
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh
new file mode 100644
index 000000000..6cbc6e885
--- /dev/null
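Review bot: The ocil step `grep '^\+' /etc/shadow` produces no matching lines when run by an unprivileged user, because /etc/shadow is not readable by ordinary users, so a reader following `The command should not return any output` can mistake a permission error on stderr for a passing check. State that the command must be run with root privileges, e.g. `To check for legacy lines in /etc/shadow, run the following command as root:`. The hunk starts on L16 and the grep line itself is on L17.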
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+name" >> /etc/shadow
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh
new file mode 100644
index 000000000..b2daf1bc2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo "+name" >> /etc/shadow
+echo "+" >> /etc/shadow
+echo "+@group" >> /etc/shadow
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index b66594f59..bfb1508b6 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -735,8 +735,14 @@ selections: ## 6.2 User and Group Settings ### 6.2.1 Ensure password fields are not empty (Scored) ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored) + - no_legacy_plus_entries_etc_passwd + ### 6.2.3 Ensure no legacy "+" entries exist in /etc/shadow (Scored) + - no_legacy_plus_entries_etc_shadow + ### 6.2.4 Ensure no legacy "+" entries exist in /etc/group (Scored) + - no_legacy_plus_entries_etc_group + ### 6.2.5 Ensure root is the only UID 0 account (Scored) - accounts_no_uid_except_zero -- 2.21.1