
Commit 5d29e31

feat: expand security control to check for other shadow files

Currently only `/etc/shadow` is checked to have the right permissions, but there are other files that can/could contain password hashes as well, which are not checked yet:

- /etc/shadow- (a backup file for /etc/shadow)
- /etc/gshadow (contains group password hashes)
- /etc/gshadow- (a backup file for /etc/gshadow)

While the control requires `/etc/shadow` and `/etc/gshadow` to exist, the rules for their backup counterparts are a bit more relaxed. The checks will be skipped if those files do not exist.

Signed-off-by: Claudius Heine <[email protected]>
1 parent e503f97 commit 5d29e31

1 file changed, +52 -0 lines changed

controls/os_spec.rb

+52
Original file line numberDiff line numberDiff line change
@@ -282,3 +282,55 @@
282282
end
283283
end
284284
end
285+
286+
control 'os-14' do
287+
impact 1.0
288+
title 'Check owner and permissions for /etc/gshadow'
289+
desc 'Check periodically the owner and permissions for /etc/gshadow'
290+
describe file('/etc/gshadow') do
291+
it { should exist }
292+
it { should be_file }
293+
it { should be_owned_by 'root' }
294+
its('group') { should eq shadow_group }
295+
it { should_not be_executable }
296+
it { should_not be_writable.by('group') }
297+
it { should_not be_writable.by('other') }
298+
it { should_not be_readable.by('other') }
299+
end
300+
end
301+
302+
control 'os-15' do
303+
impact 1.0
304+
title 'Check owner and permissions for /etc/shadow-'
305+
desc 'Check periodically the owner and permissions for /etc/shadow-'
306+
only_if('/etc/shadow- exists') do
307+
file('/etc/shadow-').exist?
308+
end
309+
describe file('/etc/shadow-') do
310+
it { should be_file }
311+
it { should be_owned_by 'root' }
312+
its('group') { should eq shadow_group }
313+
it { should_not be_executable }
314+
it { should_not be_writable.by('group') }
315+
it { should_not be_writable.by('other') }
316+
it { should_not be_readable.by('other') }
317+
end
318+
end
319+
320+
control 'os-16' do
321+
impact 1.0
322+
title 'Check owner and permissions for /etc/gshadow-'
323+
desc 'Check periodically the owner and permissions for /etc/gshadow-'
324+
only_if('/etc/gshadow- exists') do
325+
file('/etc/gshadow-').exist?
326+
end
327+
describe file('/etc/gshadow-') do
328+
it { should be_file }
329+
it { should be_owned_by 'root' }
330+
its('group') { should eq shadow_group }
331+
it { should_not be_executable }
332+
it { should_not be_writable.by('group') }
333+
it { should_not be_writable.by('other') }
334+
it { should_not be_readable.by('other') }
335+
end
336+
end
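Review bot: the three new controls (os-14, os-15, os-16) repeat the same seven expectations verbatim, and the two backup-file controls (os-15, os-16) are identical apart from the path; consider generating them from a list, e.g. `%w(/etc/shadow- /etc/gshadow-).each_with_index do |path, i|` wrapping the `only_if` and `describe file(path)` block, so a future change to the permission rules (say, adding an `its('mode')` check) is made once rather than three times. Also note that `its('group') { should eq shadow_group }` in all three controls relies on `shadow_group` being defined earlier in the file outside this hunk; please confirm it is set at file scope (not inside an earlier control's block) so the new controls see the same value. Finally, since os-15 and os-16 are skipped when the backup file is absent, an absent `/etc/shadow-` reports as skipped rather than passed, which matches the commit message's intent and is worth mentioning in the control `desc` so the skip is not mistaken for a failure.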
