From d97c8749052a095771eb48621f39530f46603acd Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 24 Mar 2020 10:02:19 +0100
Subject: [PATCH] add rule for passwd add rule for /etc/group add rule for
/etc/shadow add rules to rhel7 and rhel8 cis profiles
---
.../ansible/shared.yml | 17 ++++++++++
.../bash/shared.sh | 7 +++++
.../oval/shared.xml | 26 ++++++++++++++++
.../no_legacy_plus_entries_etc_group/rule.yml | 31 +++++++++++++++++++
.../tests/correct.pass.sh | 3 ++
.../tests/include_everything.fail.sh | 4 +++
.../tests/include_group.fail.sh | 3 ++
.../tests/include_name.fail.sh | 3 ++
.../tests/multiple.fail.sh | 5 +++
.../ansible/shared.yml | 17 ++++++++++
.../bash/shared.sh | 7 +++++
.../oval/shared.xml | 26 ++++++++++++++++
.../rule.yml | 31 +++++++++++++++++++
.../tests/correct.pass.sh | 3 ++
.../tests/include_everything.fail.sh | 4 +++
.../tests/include_group.fail.sh | 3 ++
.../tests/include_name.fail.sh | 3 ++
.../tests/multiple.fail.sh | 5 +++
.../ansible/shared.yml | 17 ++++++++++
.../bash/shared.sh | 7 +++++
.../oval/shared.xml | 26 ++++++++++++++++
.../rule.yml | 31 +++++++++++++++++++
.../tests/correct.pass.sh | 3 ++
.../tests/include_everything.fail.sh | 4 +++
.../tests/include_group.fail.sh | 3 ++
.../tests/include_name.fail.sh | 3 ++
.../tests/multiple.fail.sh | 5 +++
rhel7/profiles/cis.profile | 6 ++++
30 files changed, 314 insertions(+), 6 deletions(-)
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh
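diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml
new file mode 100644
index 000000000..acf0496e1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml
@@ -0,0 +1,17 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = medium
+
+- name: "Backup the old /etc/group file"
+ copy:
+ src: /etc/group
+ dest: /etc/group-
+ remote_src: true
+
+- name: "Remove lines starting with + from /etc/group"
+ lineinfile:
+ regexp: '^\+.*$'
+ state: absent
+ path: /etc/group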
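diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh
new file mode 100644
index 000000000..524cf10d5
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+
+if grep -q '^\+' /etc/group; then
+# backup old file to /etc/group-
+ cp /etc/group /etc/group-
+ sed -i '/^\+.*$/d' /etc/group
+fi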
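diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml
new file mode 100644
index 000000000..01ddaa125
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml
@@ -0,0 +1,26 @@
+<def-group>
+ <definition class="compliance" id="no_legacy_plus_entries_etc_group" version="1">
+ <metadata>
+ <title>Ensure there are no legacy + NIS entries in /etc/group</title>
+ {{{- oval_affected(products) }}}
+ <description>No lines starting with + are in /etc/group</description>
+ </metadata>
+ <criteria comment="no lines starting with + are in /etc/group">
+ <criterion test_ref="test_no_legacy_plus_entries_etc_group" />
+ </criteria>
+ </definition>
+
+
+ comment="check for existence of lines starting with +" id="test_no_legacy_plus_entries_etc_group"
+ version="1">
+ <ind:object object_ref="object_no_legacy_plus_entries_etc_group" />
+ </ind:textfilecontent54_test>
+
+
+ id="object_no_legacy_plus_entries_etc_group" version="1">
+ <ind:filepath>/etc/group</ind:filepath>
+ <ind:pattern operation="pattern match">^\+.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>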
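diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
new file mode 100644
index 000000000..a47fd1089
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4
+
+title: 'Ensure there are no legacy + NIS entries in /etc/group'
+
+description: |-
+ The <tt>+</tt> character in <tt>/etc/group</tt> file marks a place where
+ entries from a network information service (NIS) should be directly inserted.
+
+rationale: |-
+ Using this method to include entries into <tt>/etc/group</tt> is considered legacy
+ and should be avoided. These entries may provide a way for an attacker
+ to gain access to the system.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83388-9
+ cce@rhel8: 83389-7
+
+references:
+ cis@rhel7: 6.2.4
+ cis@rhel8: 6.2.5
+
+ocil_clause: 'the file contains legacy lines'
+
+ocil: |-
+ To check for legacy lines in <tt>/etc/group</tt>, run the following command:
+ grep '^\+' /etc/group
+ The command should not return any output.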
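diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh
new file mode 100644
index 000000000..1adc7ac56
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i '/^\+.*$/d' /etc/group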
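diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh
new file mode 100644
index 000000000..1ef667771
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+
+echo "+" >> /etc/group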
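diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh
new file mode 100644
index 000000000..9192157bd
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+@group" >> /etc/group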
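diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh
new file mode 100644
index 000000000..709937f75
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+name" >> /etc/group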
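diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh
new file mode 100644
index 000000000..79cbd5456
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo "+name" >> /etc/group
+echo "+" >> /etc/group
+echo "+@group" >> /etc/group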
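diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml
new file mode 100644
index 000000000..5baef2580
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml
@@ -0,0 +1,17 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = medium
+
+- name: "Backup the old /etc/passwd file"
+ copy:
+ src: /etc/passwd
+ dest: /etc/passwd-
+ remote_src: true
+
+- name: "Remove lines starting with + from /etc/passwd"
+ lineinfile:
+ regexp: '^\+.*$'
+ state: absent
+ path: /etc/passwd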
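diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh
new file mode 100644
index 000000000..4bb73e017
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+
+if grep -q '^\+' /etc/passwd; then
+# backup old file to /etc/passwd-
+ cp /etc/passwd /etc/passwd-
+ sed -i '/^\+.*$/d' /etc/passwd
+fi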
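diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml
new file mode 100644
index 000000000..210437adb
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml
@@ -0,0 +1,26 @@
+<def-group>
+ <definition class="compliance" id="no_legacy_plus_entries_etc_passwd" version="1">
+ <metadata>
+ <title>Ensure there are no legacy + NIS entries in /etc/passwd</title>
+ {{{- oval_affected(products) }}}
+ <description>No lines starting with + are in /etc/passwd</description>
+ </metadata>
+ <criteria comment="no lines starting with + are in /etc/passwd">
+ <criterion test_ref="test_no_legacy_plus_entries_etc_passwd" />
+ </criteria>
+ </definition>
+
+
+ comment="check for existence of lines starting with +" id="test_no_legacy_plus_entries_etc_passwd"
+ version="1">
+ <ind:object object_ref="object_no_legacy_plus_entries_etc_passwd" />
+ </ind:textfilecontent54_test>
+
+
+ id="object_no_legacy_plus_entries_etc_passwd" version="1">
+ <ind:filepath>/etc/passwd</ind:filepath>
+ <ind:pattern operation="pattern match">^\+.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>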
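diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
new file mode 100644
index 000000000..e7c5f9832
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4
+
+title: 'Ensure there are no legacy + NIS entries in /etc/passwd'
+
+description: |-
+ The <tt>+</tt> character in <tt>/etc/passwd</tt> file marks a place where
+ entries from a network information service (NIS) should be directly inserted.
+
+rationale: |-
+ Using this method to include entries into <tt>/etc/passwd</tt> is considered legacy
+ and should be avoided. These entries may provide a way for an attacker
+ to gain access to the system.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 82889-7
+ cce@rhel8: 82890-5
+
+references:
+ cis@rhel7: 6.2.2
+ cis@rhel8: 6.2.2
+
+ocil_clause: 'the file contains legacy lines'
+
+ocil: |-
+ To check for legacy lines in <tt>/etc/passwd</tt>, run the following command:
+ grep '^\+' /etc/passwd
+ The command should not return any output.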
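diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh
new file mode 100644
index 000000000..ac0b47f7a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i '/^\+.*$/d' /etc/passwd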
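diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh
new file mode 100644
index 000000000..94a980029
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+
+echo "+" >> /etc/passwd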
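diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh
new file mode 100644
index 000000000..90b717cc1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+@group" >> /etc/passwd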
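diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh
new file mode 100644
index 000000000..0c036c3e2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+name" >> /etc/passwd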
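diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh
new file mode 100644
index 000000000..cf16444d7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo "+name" >> /etc/passwd
+echo "+" >> /etc/passwd
+echo "+@group" >> /etc/passwd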
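diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml
new file mode 100644
index 000000000..c969414d2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml
@@ -0,0 +1,17 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = medium
+
+- name: "Backup the old /etc/shadow file"
+ copy:
+ src: /etc/shadow
+ dest: /etc/shadow-
+ remote_src: true
+
+- name: "Remove lines starting with + from /etc/shadow"
+ lineinfile:
+ regexp: '^\+.*$'
+ state: absent
+ path: /etc/shadow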
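diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh
new file mode 100644
index 000000000..f8874c9f0
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+
+if grep -q '^\+' /etc/shadow; then
+# backup old file to /etc/shadow-
+ cp /etc/shadow /etc/shadow-
+ sed -i '/^\+.*$/d' /etc/shadow
+fi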
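diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml
new file mode 100644
index 000000000..8fad2c384
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml
@@ -0,0 +1,26 @@
+<def-group>
+ <definition class="compliance" id="no_legacy_plus_entries_etc_shadow" version="1">
+ <metadata>
+ <title>Ensure there are no legacy + NIS entries in /etc/shadow</title>
+ {{{- oval_affected(products) }}}
+ <description>No lines starting with + are in /etc/shadow</description>
+ </metadata>
+ <criteria comment="no lines starting with + are in /etc/shadow">
+ <criterion test_ref="test_no_legacy_plus_entries_etc_shadow" />
+ </criteria>
+ </definition>
+
+
+ comment="check for existence of lines starting with +" id="test_no_legacy_plus_entries_etc_shadow"
+ version="1">
+ <ind:object object_ref="object_no_legacy_plus_entries_etc_shadow" />
+ </ind:textfilecontent54_test>
+
+
+ id="object_no_legacy_plus_entries_etc_shadow" version="1">
+ <ind:filepath>/etc/shadow</ind:filepath>
+ <ind:pattern operation="pattern match">^\+.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>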
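diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
new file mode 100644
index 000000000..beb3772b2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4
+
+title: 'Ensure there are no legacy + NIS entries in /etc/shadow'
+
+description: |-
+ The <tt>+</tt> character in <tt>/etc/shadow</tt> file marks a place where
+ entries from a network information service (NIS) should be directly inserted.
+
+rationale: |-
+ Using this method to include entries into <tt>/etc/shadow</tt> is considered legacy
+ and should be avoided. These entries may provide a way for an attacker
+ to gain access to the system.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83390-5
+ cce@rhel8: 84290-6
+
+references:
+ cis@rhel7: 6.2.3
+ cis@rhel8: 6.2.4
+
+ocil_clause: 'the file contains legacy lines'
+
+ocil: |-
+ To check for legacy lines in <tt>/etc/shadow</tt>, run the following command:
+ grep '^\+' /etc/shadow
+ The command should not return any output.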
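diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh
new file mode 100644
index 000000000..4647b544e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i '/^\+.*$/d' /etc/shadow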
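diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh
new file mode 100644
index 000000000..881e23676
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+
+echo "+" >> /etc/shadow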
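diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh
new file mode 100644
index 000000000..39076bdcc
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+@group" >> /etc/shadow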
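diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh
new file mode 100644
index 000000000..6cbc6e885
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+name" >> /etc/shadow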
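diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh
new file mode 100644
index 000000000..b2daf1bc2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo "+name" >> /etc/shadow
+echo "+" >> /etc/shadow
+echo "+@group" >> /etc/shadow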
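diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index b66594f59..bfb1508b6 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -735,8 +735,14 @@ selections:
 ## 6.2 User and Group Settings
 ### 6.2.1 Ensure password fields are not empty (Scored)
 ### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
+ - no_legacy_plus_entries_etc_passwd
+
 ### 6.2.3 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
+ - no_legacy_plus_entries_etc_shadow
+
 ### 6.2.4 Ensure no legacy "+" entries exist in /etc/group (Scored)
+ - no_legacy_plus_entries_etc_group
+
 ### 6.2.5 Ensure root is the only UID 0 account (Scored)
 - accounts_no_uid_except_zero
 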
--
2.21.1