Commit 0bd9bca

feat(os-03): expand security check: add other passwd and group files

Currently only `/etc/passwd` is checked to have the right permissions, but
there are other files that contain unix account related configuration:

- /etc/passwd- (a backup file for /etc/passwd)
- /etc/group (contains group configuration and membership)
- /etc/group- (a backup file for /etc/group-)

While the control requires `/etc/passwd` and `/etc/group` to exist, the rules
for their backup counterparts are a bit more relaxed. The checks will be
skipped if those files do not exist.

Signed-off-by: Claudius Heine <[email protected]>
1 parent 8c8d8ec commit 0bd9bca

1 file changed

+21
-14
lines changed

controls/os_spec.rb

Lines changed: 21 additions & 14 deletions
@@ -93,20 +93,27 @@
9393

9494
control 'os-03' do
9595
impact 1.0
96-
title 'Check owner and permissions for /etc/passwd'
97-
desc 'Check periodically the owner and permissions for /etc/passwd'
98-
describe file('/etc/passwd') do
99-
it { should exist }
100-
it { should be_file }
101-
it { should be_owned_by 'root' }
102-
its('group') { should eq 'root' }
103-
it { should_not be_executable }
104-
it { should be_writable.by('owner') }
105-
it { should_not be_writable.by('group') }
106-
it { should_not be_writable.by('other') }
107-
it { should be_readable.by('owner') }
108-
it { should be_readable.by('group') }
109-
it { should be_readable.by('other') }
96+
title 'Check owner and permissions for passwd files'
97+
desc 'Check periodically the owner and permissions for passwd files '\
98+
'(/etc/passwd, /etc/passwd-, /etc/group, /etc/group-)'
99+
100+
passwd_files = ['/etc/passwd', '/etc/passwd-', '/etc/group', '/etc/group-']
101+
passwd_files.each do |passwd_file|
102+
next if passwd_file[-1] == '-' && !file(passwd_file).exist?
103+
104+
describe file(passwd_file) do
105+
it { should exist }
106+
it { should be_file }
107+
it { should be_owned_by 'root' }
108+
its('group') { should eq 'root' }
109+
it { should_not be_executable }
110+
it { should be_writable.by('owner') }
111+
it { should_not be_writable.by('group') }
112+
it { should_not be_writable.by('other') }
113+
it { should be_readable.by('owner') }
114+
it { should be_readable.by('group') }
115+
it { should be_readable.by('other') }
116+
end
110117
end
111118
end
112119
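Review bot: the loop applies `it { should be_readable.by('group') }` and `it { should be_readable.by('other') }` to the backup copies as hard requirements, so a `/etc/passwd-` or `/etc/group-` that an administrator has tightened to 0600 fails the control even though it is strictly less permissive than what the check is guarding against; for the backup files consider asserting only the upper bound (owned by root, group root, not writable by group or other, not executable) and dropping the positive group/other readability expectations. A second point on `next if passwd_file[-1] == '-' && !file(passwd_file).exist?`: skipping with `next` leaves no trace in the report, so a missing backup is indistinguishable from a passing check; emitting a `skip` inside a `describe` block for that case would make the omission visible in the output.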
