feat(cis_baseline): implement 1.4.3 to verify root password

karras · Sep 7, 2023 · ed36420 · ed36420
1 parent 12c4568
commit ed36420
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 0 deletions.
diff --git a/roles/cis_baseline/README.md b/roles/cis_baseline/README.md
@@ -8,6 +8,7 @@ Due to missing packages or capabilities related to Arch Linux, the following
 chapters and controls have not yet been implemented:
 
 * 1.3 Filesystem Integrity Checking (missing and broken AIDE packages)
+* 1.4.4 Interactive Boot Disabling (not supported for systemd-boot)
 
 ## Example Playbook
 

diff --git a/roles/cis_baseline/molecule/default/tests/1_4_boot_settings.yml b/roles/cis_baseline/molecule/default/tests/1_4_boot_settings.yml
@@ -22,6 +22,12 @@
   when: ansible_connection not in ["container", "docker", "community.docker.docker"]
 
 # 1.4.3 Ensure authentication required for single user mode (Scored)
+- name: 1.4.3 test if root password is set
+  ansible.builtin.command:
+    cmd: grep '^root:[*\!]:' /etc/shadow
+  register: out
+  changed_when: false
+  failed_when: out.stdout_lines | length > 0
 
 # 1.4.4 Ensure interactive boot is not enabled (Not Scored)
 #

diff --git a/roles/cis_baseline/tasks/1_4_boot_settings.yml b/roles/cis_baseline/tasks/1_4_boot_settings.yml
@@ -24,6 +24,14 @@
         ansible_connection not in ["container", "docker", "community.docker.docker"]
 
 # 1.4.3 Ensure authentication required for single user mode (Scored)
+- name: 1.4.3 ensure root password is set
+  ansible.builtin.command:
+    cmd: grep '^root:[*\!]:' /etc/shadow
+  register: out
+  changed_when: false
+  failed_when: out.stdout_lines | length > 0
+  when: not '1.4.3' in cis_baseline_ignored_rules
 
 # 1.4.4 Ensure interactive boot is not enabled (Not Scored)
+#
 # Not available for systemd-boot