From b5b96f3f1c20ba75e6af9bdcf2729a6513db8e48 Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Thu, 16 Apr 2020 15:01:16 +0200
Subject: [PATCH] Change permissions to 644 for passwd- file from rule file_permissions_backup_etc_passwd.
---
 .../file_permissions_backup_etc_passwd/rule.yml | 8 ++++----
 .../tests/adduser.pass.sh | 10 ++++++++++
 .../tests/correct_value.pass.sh | 4 ++++
 .../tests/wrong_value.fail.sh | 5 +++++
 5 files changed, 24 insertions(+), 5 deletions(-)
 create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/adduser.pass.sh
 create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/correct_value.pass.sh
 create mode 100644 linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/wrong_value.fail.sh
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
index cd1dded6f7..c5106b0cda 100644
--- a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/rule.yml
@@ -3,7 +3,7 @@ documentation_complete: true title: 'Verify Permissions on Backup passwd File' description: |-
- {{{ describe_file_permissions(file="/etc/passwd-", perms="0600") }}}
+ {{{ describe_file_permissions(file="/etc/passwd-", perms="0644") }}}
 rationale: |- The /etc/passwd- file is a backup file of /etc/passwd, and as such,
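Review bot: The description here (`perms="0644"`) and the `filemode: '0644'` in the second hunk of this file name a single required mode, and nothing in the change says whether a stricter mode such as 0600 is still compliant. The new adduser.pass.sh labels `chmod 600` as "wrong permissions", which suggests the check is an exact match; if that is so, hosts already hardened to the previous 0600 baseline would start failing and a templated remediation would widen access on the backup file. If the file_permissions template has a way to accept more restrictive modes it is worth using here; otherwise the intent should be stated next to the value, for example `# 0644 mirrors /etc/passwd; stricter modes such as 0600 are reported as non-compliant`.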
@@ -21,14 +21,14 @@ references: cis@rhel7: 6.1.6 cis@rhel8: 6.1.6
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/passwd-", perms="-rw-------") }}}'
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/passwd-", perms="-rw-r--r--") }}}'
 ocil: |-
- {{{ ocil_file_permissions(file="/etc/passwd-", perms="-rw-------") }}}
+ {{{ ocil_file_permissions(file="/etc/passwd-", perms="-rw-r--r--") }}}
 template: name: file_permissions vars: filepath: /etc/passwd-
- filemode: '0600'
+ filemode: '0644'
 missing_file_pass: 'true'
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/adduser.pass.sh b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/adduser.pass.sh
new file mode 100644
index 0000000000..e053a5a87b
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/adduser.pass.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+USER=ssgttuser
+
+# set wrong permissions
+chmod 600 /etc/passwd-
+
+# useradd will copy the backup file with permissions from the
+# actual /etc/passwd file containing correct permissions
+useradd ${USER}
+
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/correct_value.pass.sh b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/correct_value.pass.sh
new file mode 100644
index 0000000000..223ece7df2
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/correct_value.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+chmod 644 /etc/passwd-
+
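Review bot: In adduser.pass.sh the expected result rests entirely on `useradd ${USER}` succeeding, and nothing checks that it did. If the account is left over from an earlier run, useradd exits non-zero and /etc/passwd- presumably keeps the 600 mode set a few lines above, so the scenario fails for a reason unrelated to the rule. Assigning to `USER` also overwrites the shell's own login-name variable for the rest of the script. I would use a private name and stop on failure: `test_user=ssgttuser` and `useradd "${test_user}" || exit 1`.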
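Review bot: `chmod 644 /etc/passwd-` in correct_value.pass.sh assumes the backup file already exists, while rule.yml keeps `missing_file_pass: 'true'`. On an image without /etc/passwd- the chmod fails and the scenario would still pass, without the mode check ever being exercised. wrong_value.fail.sh makes the same assumption with the opposite effect: the rule would pass where a failure is expected. Creating the file first, for example `touch /etc/passwd-` before the chmod, makes both scenarios test the mode and not the file's absence.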
diff --git a/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/wrong_value.fail.sh b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/wrong_value.fail.sh
new file mode 100644
index 0000000000..d0030f9b5e
--- /dev/null
+++ b/linux_os/guide/system/permissions/files/permissions_important_account_files/file_permissions_backup_etc_passwd/tests/wrong_value.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+# the expected is 644
+chmod 660 /etc/passwd-
+
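Review bot: The failing value 660 differs from the expected 644 in two directions at once, adding group write and removing read for others, so this scenario does not show which deviation the check rejects. A value that is only more permissive, such as `chmod 664 /etc/passwd-`, pins the case the rule exists to catch. The comment could then read `# group-writable: more permissive than the expected 644`.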