feat: expand security control to check for other shadow files

Currently only `/etc/shadow` is checked to have the right permissions,
but there are other files that can/could contain password hashes as
well, which are not checked yet:

 - /etc/shadow- (a backup file for /etc/shadow)
 - /etc/gshadow (contains group password hashes)
 - /etc/gshadow- (a backup file for /etc/gshadow-)

While the control requires `/etc/shadow` and `/etc/gshadow` to exist,
the rules for their backup counterparts are a bit more relaxed. The
checks will be skipped, if those files do not exist.

Signed-off-by: Claudius Heine <[email protected]>

Author: cmhe

controls/os_spec.rb

@@ -84,6 +84,112 @@
   end
 end
 
+control 'os-02b' do
+  impact 1.0
+  title 'Check owner and permissions for /etc/gshadow'
+  desc 'Check periodically the owner and permissions for /etc/gshadow'
+  describe file('/etc/gshadow') do
+    it { should exist }
+    it { should be_file }
+    it { should be_owned_by 'root' }
+    its('group') { should eq shadow_group }
+    it { should_not be_executable }
+    it { should_not be_readable.by('other') }
+  end
+  if os.redhat? || os.name == 'fedora'
+    describe file('/etc/gshadow') do
+      it { should_not be_writable.by('owner') }
+      it { should_not be_readable.by('owner') }
+    end
+  else
+    describe file('/etc/gshadow') do
+      it { should be_writable.by('owner') }
+      it { should be_readable.by('owner') }
+    end
+  end
+  if os.debian? || os.suse?
+    describe file('/etc/gshadow') do
+      it { should be_readable.by('group') }
+    end
+  else
+    describe file('/etc/gshadow') do
+      it { should_not be_readable.by('group') }
+    end
+  end
+end
+
+control 'os-02c' do
+  impact 1.0
+  title 'Check owner and permissions for /etc/shadow-'
+  desc 'Check periodically the owner and permissions for /etc/shadow-'
+  only_if('/etc/shadow- exists') do
+    file('/etc/shadow-').exist?
+  end
+  describe file('/etc/shadow-') do
+    it { should be_file }
+    it { should be_owned_by 'root' }
+    its('group') { should eq shadow_group }
+    it { should_not be_executable }
+    it { should_not be_readable.by('other') }
+  end
+  if os.redhat? || os.name == 'fedora'
+    describe file('/etc/shadow-') do
+      it { should_not be_writable.by('owner') }
+      it { should_not be_readable.by('owner') }
+    end
+  else
+    describe file('/etc/shadow-') do
+      it { should be_writable.by('owner') }
+      it { should be_readable.by('owner') }
+    end
+  end
+  if os.debian? || os.suse?
+    describe file('/etc/shadow-') do
+      it { should be_readable.by('group') }
+    end
+  else
+    describe file('/etc/shadow-') do
+      it { should_not be_readable.by('group') }
+    end
+  end
+end
+
+control 'os-02d' do
+  impact 1.0
+  title 'Check owner and permissions for /etc/gshadow-'
+  desc 'Check periodically the owner and permissions for /etc/gshadow-'
+  only_if('/etc/gshadow- exists') do
+    file('/etc/gshadow-').exist?
+  end
+  describe file('/etc/gshadow-') do
+    it { should be_file }
+    it { should be_owned_by 'root' }
+    its('group') { should eq shadow_group }
+    it { should_not be_executable }
+    it { should_not be_readable.by('other') }
+  end
+  if os.redhat? || os.name == 'fedora'
+    describe file('/etc/shadow-') do
+      it { should_not be_writable.by('owner') }
+      it { should_not be_readable.by('owner') }
+    end
+  else
+    describe file('/etc/gshadow-') do
+      it { should be_writable.by('owner') }
+      it { should be_readable.by('owner') }
+    end
+  end
+  if os.debian? || os.suse?
+    describe file('/etc/gshadow-') do
+      it { should be_readable.by('group') }
+    end
+  else
+    describe file('/etc/gshadow-') do
+      it { should_not be_readable.by('group') }
+    end
+  end
+end
+
 control 'os-03' do
   impact 1.0
   title 'Check owner and permissions for /etc/passwd'