From 0bd9bca9dfd86be8e3ab85a7e141a89b7213d8d2 Mon Sep 17 00:00:00 2001
From: Claudius Heine
Date: Mon, 25 Oct 2021 09:22:51 +0200
Subject: [PATCH] feat(os-03): expand security check: add other passwd and group files

Currently only `/etc/passwd` is checked to have the right permissions, but there are other files that contain unix account related configuration:
- /etc/passwd- (a backup file for /etc/passwd)
- /etc/group (contains group configuration and membership)
- /etc/group- (a backup file for /etc/group-)

While the control requires `/etc/passwd` and `/etc/group` to exist, the rules for their backup counterparts are a bit more relaxed. The checks will be skipped, if those files do not exist.

Signed-off-by: Claudius Heine
---
 controls/os_spec.rb | 35 +++++++++++++++++++++--------------
 1 file changed, 21 insertions(+), 14 deletions(-)

diff --git a/controls/os_spec.rb b/controls/os_spec.rb
index 625929e..8e80c14 100644
--- a/controls/os_spec.rb
+++ b/controls/os_spec.rb
@@ -93,20 +93,27 @@ control 'os-03' do
   impact 1.0
-  title 'Check owner and permissions for /etc/passwd'
-  desc 'Check periodically the owner and permissions for /etc/passwd'
-  describe file('/etc/passwd') do
-    it { should exist }
-    it { should be_file }
-    it { should be_owned_by 'root' }
-    its('group') { should eq 'root' }
-    it { should_not be_executable }
-    it { should be_writable.by('owner') }
-    it { should_not be_writable.by('group') }
-    it { should_not be_writable.by('other') }
-    it { should be_readable.by('owner') }
-    it { should be_readable.by('group') }
-    it { should be_readable.by('other') }
+  title 'Check owner and permissions for passwd files'
+  desc 'Check periodically the owner and permissions for passwd files '\ '(/etc/passwd, /etc/passwd-, /etc/group, /etc/group-)'
+
+  passwd_files = ['/etc/passwd', '/etc/passwd-', '/etc/group', '/etc/group-']
+  passwd_files.each do |passwd_file|
+    next if passwd_file[-1] == '-' && !file(passwd_file).exist?
+
+    describe file(passwd_file) do
+      it { should exist }
+      it { should be_file }
+      it { should be_owned_by 'root' }
+      its('group') { should eq 'root' }
+      it { should_not be_executable }
+      it { should be_writable.by('owner') }
+      it { should_not be_writable.by('group') }
+      it { should_not be_writable.by('other') }
+      it { should be_readable.by('owner') }
+      it { should be_readable.by('group') }
+      it { should be_readable.by('other') }
+    end
   end
 end
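Review bot: The `it { should be_readable.by('group') }` and `it { should be_readable.by('other') }` assertions inside the new loop now apply to `/etc/passwd-` and `/etc/group-` too, so a host that has tightened those backups to 0600 — which hardening baselines commonly accept, since no unprivileged process reads them — is reported as failing a control meant to catch permissions that are too loose. Only the live `/etc/passwd` and `/etc/group` must stay world-readable for name lookups, so the group/other readability checks should be limited to the non-backup files. The `next if passwd_file[-1] == '-' && !file(passwd_file).exist?` line also drops a missing backup from the report entirely, so a run where the file was absent is indistinguishable from one where it was checked; emitting a skipped example keeps that visible. The rewrite below keeps the remaining assertions unchanged.
```ruby
  passwd_files.each do |passwd_file|
    backup = passwd_file.end_with?('-')
    if backup && !file(passwd_file).exist?
      # report the absent backup as skipped instead of dropping it silently
      describe passwd_file do
        skip "#{passwd_file} does not exist, nothing to check"
      end
      next
    end

    describe file(passwd_file) do
      # … unchanged: exist / be_file / owner / group / executable / writable checks …
      it { should be_readable.by('owner') }
      # the live files must stay world-readable for name lookups; the
      # backups may legitimately be 0600, so do not require it of them
      unless backup
        it { should be_readable.by('group') }
        it { should be_readable.by('other') }
      end
    end
  end
```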