diff --git a/controls/os_spec.rb b/controls/os_spec.rb
index ec2bbf9..904a99f 100644
--- a/controls/os_spec.rb
+++ b/controls/os_spec.rb
@@ -282,3 +282,115 @@
 end
 end
 end
+
+control 'os-14' do
+ impact 1.0
+ title 'Check owner and permissions for /etc/gshadow'
+ desc 'Check periodically the owner and permissions for /etc/gshadow'
+ describe file('/etc/gshadow') do
+ it { should exist }
+ it { should be_file }
+ it { should be_owned_by 'root' }
+ its('group') { should eq shadow_group }
+ it { should_not be_executable }
+ it { should_not be_writable.by('group') }
+ it { should_not be_writable.by('other') }
+ it { should_not be_readable.by('other') }
+ end
+end
+
+control 'os-15' do
+ impact 1.0
+ title 'Check owner and permissions for /etc/shadow-'
+ desc 'Check periodically the owner and permissions for /etc/shadow-'
+ only_if('/etc/shadow- exists') do
+ file('/etc/shadow-').exist?
+ end
+ describe file('/etc/shadow-') do
+ it { should be_file }
+ it { should be_owned_by 'root' }
+ its('group') { should eq shadow_group }
+ it { should_not be_executable }
+ it { should_not be_writable.by('group') }
+ it { should_not be_writable.by('other') }
+ it { should_not be_readable.by('other') }
+ end
+end
+
+control 'os-16' do
+ impact 1.0
+ title 'Check owner and permissions for /etc/gshadow-'
+ desc 'Check periodically the owner and permissions for /etc/gshadow-'
+ only_if('/etc/gshadow- exists') do
+ file('/etc/gshadow-').exist?
+ end
+ describe file('/etc/gshadow-') do
+ it { should be_file }
+ it { should be_owned_by 'root' }
+ its('group') { should eq shadow_group }
+ it { should_not be_executable }
+ it { should_not be_writable.by('group') }
+ it { should_not be_writable.by('other') }
+ it { should_not be_readable.by('other') }
+ end
+end
+
+control 'os-17' do
+ impact 1.0
+ title 'Check owner and permissions for /etc/group'
+ desc 'Check periodically the owner and permissions for /etc/group'
+ describe file('/etc/group') do
+ it { should exist }
+ it { should be_file }
+ it { should be_owned_by 'root' }
+ its('group') { should eq 'root' }
+ it { should_not be_executable }
+ it { should be_writable.by('owner') }
+ it { should be_readable.by('owner') }
+ it { should_not be_writable.by('group') }
+ it { should be_readable.by('group') }
+ it { should_not be_writable.by('other') }
+ it { should be_readable.by('other') }
+ end
+end
+
+control 'os-18' do
+ impact 1.0
+ title 'Check owner and permissions for /etc/passwd-'
+ desc 'Check periodically the owner and permissions for /etc/passwd-'
+ only_if('/etc/passwd- exists') do
+ file('/etc/passwd-').exist?
+ end
+ describe file('/etc/passwd-') do
+ it { should be_file }
+ it { should be_owned_by 'root' }
+ its('group') { should eq 'root' }
+ it { should_not be_executable }
+ it { should be_writable.by('owner') }
+ it { should be_readable.by('owner') }
+ it { should_not be_writable.by('group') }
+ it { should be_readable.by('group') }
+ it { should_not be_writable.by('other') }
+ it { should be_readable.by('other') }
+ end
+end
+
+control 'os-19' do
+ impact 1.0
+ title 'Check owner and permissions for /etc/group-'
+ desc 'Check periodically the owner and permissions for /etc/group-'
+ only_if('/etc/group- exists') do
+ file('/etc/group-').exist?
+ end
+ describe file('/etc/group-') do
+ it { should be_owned_by 'root' }
+ its('group') { should eq 'root' }
+ it { should_not be_executable }
+ it { should be_writable.by('owner') }
+ it { should be_readable.by('owner') }
+ it { should_not be_writable.by('group') }
+ it { should be_readable.by('group') }
+ it { should_not be_writable.by('other') }
+ it { should be_readable.by('other') }
+ end
+end
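Review bot: The describe block for `/etc/group-` in control os-19 omits `it { should be_file }`, which the parallel backup-file controls os-15, os-16 and os-18 all include, so a directory or symlink left at that path would still pass the ownership and mode expectations; add `it { should be_file }` as the first expectation in that block to keep the six controls consistent. The `shadow_group` value referenced by os-14, os-15 and os-16 is not defined anywhere in this hunk, so it presumably comes from earlier in the file; it is worth confirming it is assigned for every platform the profile targets, since an undefined name would make those controls error out rather than report a clean fail.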