Skip to content

Commit 81489d9

Browse files
cmhecmhe
committed
feat(os-03): expand security check: add other passwd and group files
Currently only `/etc/passwd` is checked to have the right permissions, but there are other files that contain unix account related configuration: - /etc/passwd- (a backup file for /etc/passwd) - /etc/group (contains group configuration and membership) - /etc/group- (a backup file for /etc/group-) While the control requires `/etc/passwd` and `/etc/group` to exist, the rules for their backup counterparts are a bit more relaxed. The checks will be skipped, if those files do not exist. Signed-off-by: Claudius Heine <[email protected]>
1 parent e43b135 commit 81489d9

File tree

1 file changed

+21
-14
lines changed

1 file changed

+21
-14
lines changed

controls/os_spec.rb

Lines changed: 21 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -92,20 +92,27 @@
9292

9393
control 'os-03' do
9494
impact 1.0
95-
title 'Check owner and permissions for /etc/passwd'
96-
desc 'Check periodically the owner and permissions for /etc/passwd'
97-
describe file('/etc/passwd') do
98-
it { should exist }
99-
it { should be_file }
100-
it { should be_owned_by 'root' }
101-
its('group') { should eq 'root' }
102-
it { should_not be_executable }
103-
it { should be_writable.by('owner') }
104-
it { should_not be_writable.by('group') }
105-
it { should_not be_writable.by('other') }
106-
it { should be_readable.by('owner') }
107-
it { should be_readable.by('group') }
108-
it { should be_readable.by('other') }
95+
title 'Check owner and permissions for passwd files'
96+
desc 'Check periodically the owner and permissions for passwd files '\
97+
'(/etc/passwd, /etc/passwd-, /etc/group, /etc/group-)'
98+
99+
passwd_files = ['/etc/passwd', '/etc/passwd-', '/etc/group', '/etc/group-']
100+
passwd_files.each do |passwd_file|
101+
next if passwd_file[-1] == '-' && !file(passwd_file).exist?
102+
103+
describe file(passwd_file) do
104+
it { should exist }
105+
it { should be_file }
106+
it { should be_owned_by 'root' }
107+
its('group') { should eq 'root' }
108+
it { should_not be_executable }
109+
it { should be_writable.by('owner') }
110+
it { should_not be_writable.by('group') }
111+
it { should_not be_writable.by('other') }
112+
it { should be_readable.by('owner') }
113+
it { should be_readable.by('group') }
114+
it { should be_readable.by('other') }
115+
end
109116
end
110117
end
111118

0 commit comments

Comments
 (0)