Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding multiple passwd/group/shadow controls #165

Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

Adding multiple passwd/group/shadow controls #165

wants to merge 7 commits into from

Conversation

cmhe
Copy link
Contributor

@cmhe cmhe commented Nov 4, 2021

This MR bundles some additional checks related to account setting.

I can split those up into multiple MRs with an issue each, but might be easier and simpler to just discuss these changes directly.

cmhe added 7 commits November 4, 2021 13:24
@cmhe
feat: add rule to check for password change dates in the past
b1fa8c1 
A password changed date in the future could be used to circumvent
password expiration dates. This rule checks that any password change
dates are in the past.

Signed-off-by: Claudius Heine <[email protected]>
@cmhe
feat: add control to check if system user are non-login
458a6e7 
System users should be prevented from login with exceptions for
applications that are non-interactive.

Signed-off-by: Claudius Heine <[email protected]>
@cmhe
feat: add rule to check root user is member of group root
49b94e6 
This rule makes sure that the assumptions of user `root` being uid=0 is
the sole member of group `root` with gid=0 are true. This prevents
access to any root-owned files by non-privileged users.

Signed-off-by: Claudius Heine <[email protected]>
@cmhe
feat: add control to check for legacy NIS entries in account files
18a5383 
'+' and '-' where prepended to lines in account files (/etc/passwd,
/etc/group, /etc/shadow) to signify if fields should be overwritten or
inserted from a NIS server. Since NIS is a insecure and legacy
technology, that is replaced by other software, this check makes sure
that no such entries exist anymore.

Signed-off-by: Claudius Heine <[email protected]>
@cmhe
feat: add rule to check users and groups are unique
29211f2 
Signed-off-by: Claudius Heine <[email protected]>
@cmhe
feat: add rule to ensure shadow group does not have any members
137b573 
Members of the shadow group could have access to password hashes and
other content of the shadow files.

Signed-off-by: Claudius Heine <[email protected]>
@cmhe
feat: add rules to ensure that all referred users and gids exist
4c607b0 
Signed-off-by: Claudius Heine <[email protected]>
@cmhe cmhe force-pushed the ch/passwd-group-controls branch from 56928ba to 4c607b0 Compare November 4, 2021 14:13
chris-rock
chris-rock reviewed Nov 23, 2021
View reviewed changes
Copy link
Member

@chris-rock chris-rock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great improvement @cmhe I added a few questions

controls/os_spec.rb
@@ -25,6 +25,14 @@
login_defs_passmindays = attribute('login_defs_passmindays', value: '7', description: 'Default password mindays to set in login.defs')
login_defs_passwarnage = attribute('login_defs_passwarnage', value: '7', description: 'Default password warnage (days) to set in login.defs')

system_users = passwd.params ? passwd.params.select { |x| x['uid'].to_i < login_defs.UID_MIN.to_i && x['uid'].to_i.positive? } : []
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This logic should be part of the control

controls/os_spec.rb
control 'os-14' do
impact 1.0
title 'All password change dates are in the past'
desc 'The password change date is used to detect expired passwords. Entering future dates might circumvent that.'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be great to add a reference to read more about the reasoning

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The internal document I have doesn't state much more information about this rule, that I wrote here. It is based on CIS, linking to it is sadly to so easy. I could drop this rule if the other rules are ok for you?

controls/os_spec.rb
control 'os-17' do
impact 1.0
title 'Prevent + or - fields in passwd an related files used by NIS'
desc 'NIS is insecure and should not be used'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A reference to the rule and reasoning for be beneficial

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This rule is also based on CIS, but expanded upon. Cis only mentions that passwd entries should not include +, but NIS allow allows - entries. This rule tests for both. So I don't have any reference to the exact rule. I could drop this rule as well if required.

@chris-rock chris-rock requested a review from atomic111 November 23, 2021 11:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chris-rock chris-rock chris-rock left review comments

@atomic111 atomic111 Awaiting requested review from atomic111

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cmhe @chris-rock