Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add checks for other shadow and passwd/group files into os-02 and os-03 rules #162

Open
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

cmhe
Copy link
Contributor

@cmhe cmhe commented Oct 25, 2021

This adds the checks for the other shadow and passwd files into the existing rules os-02 and os-03.

An alternative solution would be to create additional rule ids, in order to prevent changing the existing ones. However it does make sense to me to handle all similar files in one rule, instead of creating additional one.

It should lessen the maintenance overhead.

If changing existing rules it not possible, then I would be willing to create additional rules for those other files.

Closes: #161

@cmhe cmhe force-pushed the ISSUE-161 branch 2 times, most recently from 0bd9bca to 81489d9 Compare October 25, 2021 08:14
@cmhe
Copy link
Contributor Author

cmhe commented Oct 25, 2021

I shorted the control documentation in order to pass the Metrics/BlockLength: Block has too many lines. [36/35] style check.

Not sure how much good such an arbitrary check will do :/

controls/os_spec.rb Outdated Show resolved Hide resolved
controls/os_spec.rb Outdated Show resolved Hide resolved
controls/os_spec.rb Outdated Show resolved Hide resolved
controls/os_spec.rb Outdated Show resolved Hide resolved
controls/os_spec.rb Outdated Show resolved Hide resolved
cmhe added 2 commits November 3, 2021 10:53
Currently only `/etc/shadow` is checked to have the right permissions,
but there are other files that can/could contain password hashes as
well, which are not checked yet:

 - /etc/shadow- (a backup file for /etc/shadow)
 - /etc/gshadow (contains group password hashes)
 - /etc/gshadow- (a backup file for /etc/gshadow-)

While the control requires `/etc/shadow` and `/etc/gshadow` to exist,
the rules for their backup counterparts are a bit more relaxed. The
checks will be skipped, if those files do not exist.

Signed-off-by: Claudius Heine <[email protected]>
Currently only `/etc/passwd` is checked to have the right permissions,
but there are other files that contain unix account related configuration:

 - /etc/passwd- (a backup file for /etc/passwd)
 - /etc/group (contains group configuration and membership)
 - /etc/group- (a backup file for /etc/group-)

While the control requires `/etc/passwd` and `/etc/group` to exist,
the rules for their backup counterparts are a bit more relaxed. The
checks will be skipped, if those files do not exist.

Signed-off-by: Claudius Heine <[email protected]>
@schurzi
Copy link
Contributor

schurzi commented Nov 7, 2021

I shorted the control documentation in order to pass the Metrics/BlockLength: Block has too many lines. [36/35] style check.

Not sure how much good such an arbitrary check will do :/

We already had a discussion on this. https://github.com/orgs/dev-sec/teams/contributors/discussions/3
I think I will have some time to update our linting to cookstyle in the coming week. Currently we have a kind of arbitrary/default rubocop style set, that is not entirely optimal.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add file system checks for other shadow and passwd/group files
3 participants