feat: expand security check: add other passwd and group files

cmhe · cmhe · commit f5418ba7b604 · 2021-10-26T14:27:09.000+02:00
Currently only `/etc/passwd` is checked to have the right permissions,
but there are other files that contain unix account related configuration:

 - /etc/passwd- (a backup file for /etc/passwd)
 - /etc/group (contains group configuration and membership)
 - /etc/group- (a backup file for /etc/group-)

While the control requires `/etc/passwd` and `/etc/group` to exist,
the rules for their backup counterparts are a bit more relaxed. The
checks will be skipped, if those files do not exist.

Signed-off-by: Claudius Heine &lt;ch@denx.de&gt;
diff --git a/controls/os_spec.rb b/controls/os_spec.rb
@@ -218,6 +218,66 @@
   end
 end
 
+control 'os-03c' do
+  impact 1.0
+  title 'Check owner and permissions for /etc/group'
+  desc 'Check periodically the owner and permissions for /etc/group'
+  describe file('/etc/group') do
+    it { should exist }
+    it { should be_file }
+    it { should be_owned_by 'root' }
+    its('group') { should eq 'root' }
+    it { should_not be_executable }
+    it { should be_writable.by('owner') }
+    it { should_not be_writable.by('group') }
+    it { should_not be_writable.by('other') }
+    it { should be_readable.by('owner') }
+    it { should be_readable.by('group') }
+    it { should be_readable.by('other') }
+  end
+end
+
+control 'os-03d' do
+  impact 1.0
+  title 'Check owner and permissions for /etc/passwd-'
+  desc 'Check periodically the owner and permissions for /etc/passwd-'
+  only_if('/etc/passwd- exists') do
+    file('/etc/passwd-').exist?
+  end
+  describe file('/etc/passwd-') do
+    it { should be_file }
+    it { should be_owned_by 'root' }
+    its('group') { should eq 'root' }
+    it { should_not be_executable }
+    it { should be_writable.by('owner') }
+    it { should_not be_writable.by('group') }
+    it { should_not be_writable.by('other') }
+    it { should be_readable.by('owner') }
+    it { should be_readable.by('group') }
+    it { should be_readable.by('other') }
+  end
+end
+
+control 'os-03e' do
+  impact 1.0
+  title 'Check owner and permissions for /etc/group-'
+  desc 'Check periodically the owner and permissions for /etc/group-'
+  only_if('/etc/group- exists') do
+    file('/etc/group-').exist?
+  end
+  describe file('/etc/group-') do
+    it { should be_owned_by 'root' }
+    its('group') { should eq 'root' }
+    it { should_not be_executable }
+    it { should be_writable.by('owner') }
+    it { should_not be_writable.by('group') }
+    it { should_not be_writable.by('other') }
+    it { should be_readable.by('owner') }
+    it { should be_readable.by('group') }
+    it { should be_readable.by('other') }
+  end
+end
+
 control 'os-04' do
   impact 1.0
   title 'Dot in PATH variable'
