feat(os-03): expand security check: add other passwd and group files

Currently only `/etc/passwd` is checked to have the right permissions, but there are other files that contain unix account related configuration: - /etc/passwd- (a backup file for /etc/passwd) - /etc/group (contains group configuration and membership) - /etc/group- (a backup file for /etc/group-) While the control requires `/etc/passwd` and `/etc/group` to exist, the rules for their backup counterparts are a bit more relaxed. The checks will be skipped, if those files do not exist. Signed-off-by: Claudius Heine <[email protected]>
dev-sec · Oct 25, 2021 · 81489d9 · 81489d9
1 parent e43b135
commit 81489d9
Showing 1 changed file with 21 additions and 14 deletions.
diff --git a/controls/os_spec.rb b/controls/os_spec.rb
@@ -92,20 +92,27 @@
 
 control 'os-03' do
   impact 1.0
-  title 'Check owner and permissions for /etc/passwd'
-  desc 'Check periodically the owner and permissions for /etc/passwd'
-  describe file('/etc/passwd') do
-    it { should exist }
-    it { should be_file }
-    it { should be_owned_by 'root' }
-    its('group') { should eq 'root' }
-    it { should_not be_executable }
-    it { should be_writable.by('owner') }
-    it { should_not be_writable.by('group') }
-    it { should_not be_writable.by('other') }
-    it { should be_readable.by('owner') }
-    it { should be_readable.by('group') }
-    it { should be_readable.by('other') }
+  title 'Check owner and permissions for passwd files'
+  desc 'Check periodically the owner and permissions for passwd files '\
+    '(/etc/passwd, /etc/passwd-, /etc/group, /etc/group-)'
+
+  passwd_files = ['/etc/passwd', '/etc/passwd-', '/etc/group', '/etc/group-']
+  passwd_files.each do |passwd_file|
+    next if passwd_file[-1] == '-' && !file(passwd_file).exist?
+
+    describe file(passwd_file) do
+      it { should exist }
+      it { should be_file }
+      it { should be_owned_by 'root' }
+      its('group') { should eq 'root' }
+      it { should_not be_executable }
+      it { should be_writable.by('owner') }
+      it { should_not be_writable.by('group') }
+      it { should_not be_writable.by('other') }
+      it { should be_readable.by('owner') }
+      it { should be_readable.by('group') }
+      it { should be_readable.by('other') }
+    end
   end
 end