Add checks for other shadow and passwd/group files into os-02 and os-03 rules #162
base: master
0bd9bca to 81489d9
I shortened the control documentation in order to pass the Not sure how much good such an arbitrary check will do :/
Currently only `/etc/shadow` is checked to have the right permissions, but there are other files that can/could contain password hashes as well, which are not checked yet:

- /etc/shadow- (a backup file for /etc/shadow)
- /etc/gshadow (contains group password hashes)
- /etc/gshadow- (a backup file for /etc/gshadow-)

While the control requires `/etc/shadow` and `/etc/gshadow` to exist, the rules for their backup counterparts are a bit more relaxed. The checks will be skipped if those files do not exist.

Signed-off-by: Claudius Heine <[email protected]>
Currently only `/etc/passwd` is checked to have the right permissions, but there are other files that contain unix account related configuration:

- /etc/passwd- (a backup file for /etc/passwd)
- /etc/group (contains group configuration and membership)
- /etc/group- (a backup file for /etc/group-)

While the control requires `/etc/passwd` and `/etc/group` to exist, the rules for their backup counterparts are a bit more relaxed. The checks will be skipped if those files do not exist.

Signed-off-by: Claudius Heine <[email protected]>
We already had a discussion on this. https://github.com/orgs/dev-sec/teams/contributors/discussions/3
This adds the checks for the other shadow and passwd files into the existing rules os-02 and os-03.
An alternative solution would be to create additional rule ids, in order to prevent changing the existing ones. However, it does make sense to me to handle all similar files in one rule, instead of creating additional ones.
It should lessen the maintenance overhead.
If changing existing rules is not possible, then I would be willing to create additional rules for those other files.
Closes: #161
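As an added illustration of the rule logic this PR describes (required files must exist, backup files with a trailing `-` are skipped when absent), here is a plain Ruby model of the os-02/os-03 file sets. It is example code written for this page, not code from dev-sec/linux-baseline or from the PR author. The ownership and mode thresholds it enforces (root-owned; group root or shadow and mode no wider than 0640 for the shadow set; mode no wider than 0644 for the passwd/group set) are assumptions of this example and are not stated on the page, and the sample stat data is constructed.

```ruby
require 'etc'

# Policy per rule id. Thresholds are ASSUMED for this example (not stated in the PR):
# owner must be root; group must be one of :groups; mode must not grant more than :max_mode.
FILE_SETS = {
  'os-02' => { required: %w[/etc/shadow /etc/gshadow], optional: %w[/etc/shadow- /etc/gshadow-],
               groups: %w[root shadow], max_mode: 0640 },
  'os-03' => { required: %w[/etc/passwd /etc/group], optional: %w[/etc/passwd- /etc/group-],
               groups: %w[root], max_mode: 0644 },
}.freeze

# Evaluate one file. `stat` is nil when the file is missing, otherwise
# { owner: 'root', group: 'shadow', mode: 0640 }. Missing required files fail;
# missing optional (backup) files are skipped, mirroring the PR's relaxed rule.
def check_file(path, stat, policy, required:)
  if stat.nil?
    return [:fail, "#{path} does not exist"] if required
    return [:skip, "#{path} does not exist; check skipped"]
  end
  problems = []
  problems << "owner #{stat[:owner]} (expected root)" unless stat[:owner] == 'root'
  unless policy[:groups].include?(stat[:group])
    problems << "group #{stat[:group]} (expected one of #{policy[:groups].join(', ')})"
  end
  # Any permission bit set in the file but not allowed by max_mode is a finding.
  extra_bits = stat[:mode] & 0777 & ~policy[:max_mode]
  unless extra_bits.zero?
    problems << format('mode %04o wider than %04o', stat[:mode] & 0777, policy[:max_mode])
  end
  problems.empty? ? [:pass, "#{path} ok"] : [:fail, "#{path}: #{problems.join('; ')}"]
end

# Run one rule over a hash of path => stat (nil or absent key means missing).
# Returns path => [status, message], required files first, then backups.
def run_rule(rule_id, stats)
  policy = FILE_SETS.fetch(rule_id)
  results = {}
  policy[:required].each { |p| results[p] = check_file(p, stats[p], policy, required: true) }
  policy[:optional].each { |p| results[p] = check_file(p, stats[p], policy, required: false) }
  results
end

# Collect real stat data for the given paths on the running host (skips absent files).
def live_stats(paths)
  paths.each_with_object({}) do |path, acc|
    next unless File.exist?(path)
    st = File.stat(path)
    owner = (Etc.getpwuid(st.uid).name rescue st.uid.to_s)
    group = (Etc.getgrgid(st.gid).name rescue st.gid.to_s)
    acc[path] = { owner: owner, group: group, mode: st.mode & 0777 }
  end
end

# Constructed sample data: a world-readable shadow backup, and both gshadow-/group- absent.
SAMPLE_STATS = {
  '/etc/shadow'  => { owner: 'root', group: 'shadow', mode: 0640 },
  '/etc/gshadow' => { owner: 'root', group: 'shadow', mode: 0640 },
  '/etc/shadow-' => { owner: 'root', group: 'root',   mode: 0644 },
  '/etc/passwd'  => { owner: 'root', group: 'root',   mode: 0644 },
  '/etc/group'   => { owner: 'root', group: 'root',   mode: 0644 },
  '/etc/passwd-' => { owner: 'root', group: 'root',   mode: 0644 },
}.freeze

if __FILE__ == $PROGRAM_NAME
  FILE_SETS.each_key do |rule|
    puts "== #{rule} (constructed sample)"
    run_rule(rule, SAMPLE_STATS).each_value { |status, msg| puts "  #{status.to_s.upcase.ljust(4)} #{msg}" }
    puts "== #{rule} (this host)"
    paths = FILE_SETS[rule][:required] + FILE_SETS[rule][:optional]
    run_rule(rule, live_stats(paths)).each_value { |status, msg| puts "  #{status.to_s.upcase.ljust(4)} #{msg}" }
  end
end
```

On the constructed sample the shadow backup is reported as a finding (its 0644 mode grants world read that the 0640 ceiling does not), while the absent `/etc/gshadow-` and `/etc/group-` are skipped rather than failed; an absent `/etc/shadow` would fail because it is in the required set.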