feat: expand security control to check for other shadow files
Currently only `/etc/shadow` is checked to have the right permissions,
but there are other files that can/could contain password hashes as
well, which are not checked yet:

 - /etc/shadow- (a backup file for /etc/shadow)
 - /etc/gshadow (contains group password hashes)
 - /etc/gshadow- (a backup file for /etc/gshadow-)

While the control requires `/etc/shadow` and `/etc/gshadow` to exist,
the rules for their backup counterparts are a bit more relaxed. The
checks will be skipped if those files do not exist.

Signed-off-by: Claudius Heine <[email protected]>
cmhe committed Nov 3, 2021
1 parent e503f97 commit 5d29e31
Showing 1 changed file with 52 additions and 0 deletions.
52 changes: 52 additions & 0 deletions controls/os_spec.rb
@@ -282,3 +282,55 @@
end
end
end

control 'os-14' do
impact 1.0
title 'Check owner and permissions for /etc/gshadow'
desc 'Check periodically the owner and permissions for /etc/gshadow'
describe file('/etc/gshadow') do
it { should exist }
it { should be_file }
it { should be_owned_by 'root' }
its('group') { should eq shadow_group }
it { should_not be_executable }
it { should_not be_writable.by('group') }
it { should_not be_writable.by('other') }
it { should_not be_readable.by('other') }
end
end

control 'os-15' do
impact 1.0
title 'Check owner and permissions for /etc/shadow-'
desc 'Check periodically the owner and permissions for /etc/shadow-'
only_if('/etc/shadow- exists') do
file('/etc/shadow-').exist?
end
describe file('/etc/shadow-') do
it { should be_file }
it { should be_owned_by 'root' }
its('group') { should eq shadow_group }
it { should_not be_executable }
it { should_not be_writable.by('group') }
it { should_not be_writable.by('other') }
it { should_not be_readable.by('other') }
end
end

control 'os-16' do
impact 1.0
title 'Check owner and permissions for /etc/gshadow-'
desc 'Check periodically the owner and permissions for /etc/gshadow-'
only_if('/etc/gshadow- exists') do
file('/etc/gshadow-').exist?
end
describe file('/etc/gshadow-') do
it { should be_file }
it { should be_owned_by 'root' }
its('group') { should eq shadow_group }
it { should_not be_executable }
it { should_not be_writable.by('group') }
it { should_not be_writable.by('other') }
it { should_not be_readable.by('other') }
end
end
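Review bot: the three new controls (os-14, os-15, os-16) repeat the same eight-line `describe file(...)` block and differ only in the path, the control id and whether the `only_if` guard is present; consider generating them from a small table so a future change to the expected ownership or permission set is made in one place, e.g. `{ 'os-15' => '/etc/shadow-', 'os-16' => '/etc/gshadow-' }.each do |id, path| ... end` for the two backup files. Two smaller points on the same hunk: all three controls reference `shadow_group`, which is not defined in this hunk, so it is worth confirming it is set for every platform the profile supports before `its('group') { should eq shadow_group }` is evaluated (on distributions where the shadow files are `root:root` the expected value differs); and os-14 asserts `it { should exist }` for `/etc/gshadow`, which the commit message states is intentional, so that hard requirement should be called out in the control's `desc` or the profile README so a failure on a system without group passwords is not read as a permission problem.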
