feat(os-02): expand security control to check for other shadow files

Currently only `/etc/shadow` is checked to have the right permissions, but there are other files that can/could contain password hashes as well, which are not checked yet: - /etc/shadow- (a backup file for /etc/shadow) - /etc/gshadow (contains group password hashes) - /etc/gshadow- (a backup file for /etc/gshadow-) While the control requires `/etc/shadow` and `/etc/gshadow` to exist, the rules for their backup counterparts are a bit more relaxed. The checks will be skipped, if those files do not exist. Signed-off-by: Claudius Heine <[email protected]>
dev-sec · Oct 25, 2021 · e43b135 · e43b135
1 parent e503f97
commit e43b135
Showing 1 changed file with 32 additions and 26 deletions.
diff --git a/controls/os_spec.rb b/controls/os_spec.rb
@@ -52,34 +52,40 @@
 
 control 'os-02' do
   impact 1.0
-  title 'Check owner and permissions for /etc/shadow'
-  desc 'Check periodically the owner and permissions for /etc/shadow'
-  describe file('/etc/shadow') do
-    it { should exist }
-    it { should be_file }
-    it { should be_owned_by 'root' }
-    its('group') { should eq shadow_group }
-    it { should_not be_executable }
-    it { should_not be_readable.by('other') }
-  end
-  if os.redhat? || os.name == 'fedora'
-    describe file('/etc/shadow') do
-      it { should_not be_writable.by('owner') }
-      it { should_not be_readable.by('owner') }
-    end
-  else
-    describe file('/etc/shadow') do
-      it { should be_writable.by('owner') }
-      it { should be_readable.by('owner') }
+  title 'Check owner and permissions for shadow files'
+  desc 'Check periodically the owner and permissions for shadow files'
+
+  shadow_files = ['/etc/shadow', '/etc/shadow-', '/etc/gshadow', '/etc/gshadow-']
+  shadow_files.each do |shadow_file|
+    next if shadow_file[-1] == '-' && !file(shadow_file).exist?
+
+    describe file(shadow_file) do
+      it { should exist }
+      it { should be_file }
+      it { should be_owned_by 'root' }
+      its('group') { should eq shadow_group }
+      it { should_not be_executable }
+      it { should_not be_readable.by('other') }
     end
-  end
-  if os.debian? || os.suse?
-    describe file('/etc/shadow') do
-      it { should be_readable.by('group') }
+    if os.redhat? || os.name == 'fedora'
+      describe file(shadow_file) do
+        it { should_not be_writable.by('owner') }
+        it { should_not be_readable.by('owner') }
+      end
+    else
+      describe file(shadow_file) do
+        it { should be_writable.by('owner') }
+        it { should be_readable.by('owner') }
+      end
     end
-  else
-    describe file('/etc/shadow') do
-      it { should_not be_readable.by('group') }
+    if os.debian? || os.suse?
+      describe file(shadow_file) do
+        it { should be_readable.by('group') }
+      end
+    else
+      describe file(shadow_file) do
+        it { should_not be_readable.by('group') }
+      end
     end
   end
 end