From d97c8749052a095771eb48621f39530f46603acd Mon Sep 17 00:00:00 2001
From: Vojtech Polasek <vpolasek@redhat.com>
Date: Tue, 24 Mar 2020 10:02:19 +0100
Subject: [PATCH] add rule for passwd add rule for /etc/group add rule for
/etc/shadow add rules to rhel7 and rhel8 cis profiles
---
.../ansible/shared.yml | 17 ++++++++++
.../bash/shared.sh | 7 +++++
.../oval/shared.xml | 26 ++++++++++++++++
.../no_legacy_plus_entries_etc_group/rule.yml | 31 +++++++++++++++++++
.../tests/correct.pass.sh | 3 ++
.../tests/include_everything.fail.sh | 4 +++
.../tests/include_group.fail.sh | 3 ++
.../tests/include_name.fail.sh | 3 ++
.../tests/multiple.fail.sh | 5 +++
.../ansible/shared.yml | 17 ++++++++++
.../bash/shared.sh | 7 +++++
.../oval/shared.xml | 26 ++++++++++++++++
.../rule.yml | 31 +++++++++++++++++++
.../tests/correct.pass.sh | 3 ++
.../tests/include_everything.fail.sh | 4 +++
.../tests/include_group.fail.sh | 3 ++
.../tests/include_name.fail.sh | 3 ++
.../tests/multiple.fail.sh | 5 +++
.../ansible/shared.yml | 17 ++++++++++
.../bash/shared.sh | 7 +++++
.../oval/shared.xml | 26 ++++++++++++++++
.../rule.yml | 31 +++++++++++++++++++
.../tests/correct.pass.sh | 3 ++
.../tests/include_everything.fail.sh | 4 +++
.../tests/include_group.fail.sh | 3 ++
.../tests/include_name.fail.sh | 3 ++
.../tests/multiple.fail.sh | 5 +++
rhel7/profiles/cis.profile | 6 ++++
30 files changed, 314 insertions(+), 6 deletions(-)
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh
create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml
new file mode 100644
index 000000000..acf0496e1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/ansible/shared.yml
@@ -0,0 +1,17 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = medium
+
+- name: "Backup the old /etc/group file"
+ copy:
+ src: /etc/group
+ dest: /etc/group-
+ remote_src: true
+
+- name: "Remove lines starting with + from /etc/group"
+ lineinfile:
+ regexp: '^\+.*$'
+ state: absent
+ path: /etc/group
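Review bot: The backup `copy` task at the top of the hunk runs on every play, so /etc/group- is overwritten with the current content even when the lineinfile task below has no `+` line to remove, whereas the bash remediation for this same rule only copies after `grep -q '^\+'` matches; a no-op run should not clobber an earlier backup, and the two remediations should agree on when one is taken. Gate the copy on a registered check of the file, as below, and add `mode: preserve` so the backup keeps the source's permissions instead of whatever the umask yields for a newly created file. The grep exits 1 when nothing matches, so only `rc > 1` is a real error.
```yaml
- name: "Check for legacy + entries in /etc/group"
  command: grep -q '^\+' /etc/group
  register: legacy_plus_group
  check_mode: false
  changed_when: false
  failed_when: legacy_plus_group.rc > 1

- name: "Backup the old /etc/group file"
  copy:
    src: /etc/group
    dest: /etc/group-
    remote_src: true
    mode: preserve
  when: legacy_plus_group.rc == 0

# … unchanged: lineinfile task removing lines starting with + …
```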
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh
new file mode 100644
index 000000000..524cf10d5
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+
+if grep -q '^\+' /etc/group; then
+# backup old file to /etc/group-
+ cp /etc/group /etc/group-
+ sed -i '/^\+.*$/d' /etc/group
+fi
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml
new file mode 100644
index 000000000..01ddaa125
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/oval/shared.xml
@@ -0,0 +1,26 @@
+<def-group>
+ <definition class="compliance" id="no_legacy_plus_entries_etc_group" version="1">
+ <metadata>
+ <title>Ensure there are no legacy + NIS entries in /etc/group</title>
+ {{{- oval_affected(products) }}}
+ <description>No lines starting with + are in /etc/group</description>
+ </metadata>
+ <criteria comment="no lines starting with + are in /etc/group">
+ <criterion test_ref="test_no_legacy_plus_entries_etc_group" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="check for existence of lines starting with +" id="test_no_legacy_plus_entries_etc_group"
+ version="1">
+ <ind:object object_ref="object_no_legacy_plus_entries_etc_group" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object comment="lines starting with +"
+ id="object_no_legacy_plus_entries_etc_group" version="1">
+ <ind:filepath>/etc/group</ind:filepath>
+ <ind:pattern operation="pattern match">^\+.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
new file mode 100644
index 000000000..a47fd1089
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4
+
+title: 'Ensure there are no legacy + NIS entries in /etc/group'
+
+description: |-
+ The <tt>+</tt> character in <tt>/etc/group</tt> file marks a place where
+ entries from a network information service (NIS) should be directly inserted.
+
+rationale: |-
+ Using this method to include entries into <tt>/etc/group</tt> is considered legacy
+ and should be avoided. These entries may provide a way for an attacker
+ to gain access to the system.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83388-9
+ cce@rhel8: 83389-7
+
+references:
+ cis@rhel7: 6.2.4
+ cis@rhel8: 6.2.5
+
+ocil_clause: 'the file contains legacy lines'
+
+ocil: |-
+ To check for legacy lines in <tt>/etc/group</tt>, run the following command:
+ <pre> grep '^\+' /etc/group</pre>
+ The command should not return any output.
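Review bot: The rationale near the end of the hunk says only that these entries "may provide a way for an attacker to gain access", which tells an auditor neither what the risk is nor when it applies. A `+` line is an NSS `compat`-mode directive: it has meaning only when nsswitch.conf uses the `compat` source and a NIS server answers, and otherwise it is a stray entry that software reading /etc/group directly may interpret literally. Suggest tightening the rationale to `Lines beginning with + are NSS compat-mode directives that pull group entries from NIS. When NIS is not in use they serve no purpose, and a malformed + entry can be read as a literal group by tools that parse /etc/group directly, which is an avenue for unintended access.` The description could likewise name the mechanism, e.g. "(the NSS compat mode)", after "network information service (NIS)".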
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh
new file mode 100644
index 000000000..1adc7ac56
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i '/^\+.*$/d' /etc/group
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh
new file mode 100644
index 000000000..1ef667771
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_everything.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+
+echo "+" >> /etc/group
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh
new file mode 100644
index 000000000..9192157bd
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_group.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+@group" >> /etc/group
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh
new file mode 100644
index 000000000..709937f75
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/include_name.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+name" >> /etc/group
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh
new file mode 100644
index 000000000..79cbd5456
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_group/tests/multiple.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo "+name" >> /etc/group
+echo "+" >> /etc/group
+echo "+@group" >> /etc/group
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml
new file mode 100644
index 000000000..5baef2580
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/ansible/shared.yml
@@ -0,0 +1,17 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = medium
+
+- name: "Backup the old /etc/passwd file"
+ copy:
+ src: /etc/passwd
+ dest: /etc/passwd-
+ remote_src: true
+
+- name: "Remove lines starting with + from /etc/passwd"
+ lineinfile:
+ regexp: '^\+.*$'
+ state: absent
+ path: /etc/passwd
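Review bot: As in the other two Ansible remediations in this commit, the `copy` task backs up /etc/passwd unconditionally, so every run replaces /etc/passwd- — including a run in which the lineinfile task below removes nothing — while the bash variant only copies when `grep -q '^\+' /etc/passwd` succeeds. Register that same grep via `command` (with `check_mode: false`, `changed_when: false` and `failed_when: result.rc > 1`) and put `when: result.rc == 0` on the copy so the backup is taken only when a change is about to be made. Adding `mode: preserve` to the copy also keeps /etc/passwd- at the source file's permissions rather than the umask default for a new file.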
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh
new file mode 100644
index 000000000..4bb73e017
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+
+if grep -q '^\+' /etc/passwd; then
+# backup old file to /etc/passwd-
+ cp /etc/passwd /etc/passwd-
+ sed -i '/^\+.*$/d' /etc/passwd
+fi
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml
new file mode 100644
index 000000000..210437adb
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/oval/shared.xml
@@ -0,0 +1,26 @@
+<def-group>
+ <definition class="compliance" id="no_legacy_plus_entries_etc_passwd" version="1">
+ <metadata>
+ <title>Ensure there are no legacy + NIS entries in /etc/passwd</title>
+ {{{- oval_affected(products) }}}
+ <description>No lines starting with + are in /etc/passwd</description>
+ </metadata>
+ <criteria comment="no lines starting with + are in /etc/passwd">
+ <criterion test_ref="test_no_legacy_plus_entries_etc_passwd" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="check for existence of lines starting with +" id="test_no_legacy_plus_entries_etc_passwd"
+ version="1">
+ <ind:object object_ref="object_no_legacy_plus_entries_etc_passwd" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object comment="lines starting with +"
+ id="object_no_legacy_plus_entries_etc_passwd" version="1">
+ <ind:filepath>/etc/passwd</ind:filepath>
+ <ind:pattern operation="pattern match">^\+.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
new file mode 100644
index 000000000..e7c5f9832
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4
+
+title: 'Ensure there are no legacy + NIS entries in /etc/passwd'
+
+description: |-
+ The <tt>+</tt> character in <tt>/etc/passwd</tt> file marks a place where
+ entries from a network information service (NIS) should be directly inserted.
+
+rationale: |-
+ Using this method to include entries into <tt>/etc/passwd</tt> is considered legacy
+ and should be avoided. These entries may provide a way for an attacker
+ to gain access to the system.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 82889-7
+ cce@rhel8: 82890-5
+
+references:
+ cis@rhel7: 6.2.2
+ cis@rhel8: 6.2.2
+
+ocil_clause: 'the file contains legacy lines'
+
+ocil: |-
+ To check for legacy lines in <tt>/etc/passwd</tt>, run the following command:
+ <pre> grep '^\+' /etc/passwd</pre>
+ The command should not return any output.
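Review bot: The rationale is the same generic sentence used for /etc/group, but for /etc/passwd the concrete case is worth stating, since it is what the CIS item is really about: the classic NIS marker `+::0:0:::` has historically been reported, on systems that do not treat it as a compat directive, to be parsed as a literal account named `+` with no password and UID 0. Suggest replacing the rationale's second sentence with `A + entry such as +::0:0::: is only meaningful when nsswitch.conf uses the compat source; where it is not honoured it may be read as a literal passwordless UID 0 account, so it must not be present.` The ocil is fine, but it would help to add that `grep` exits 1 when nothing matches, so a scripted check should not treat that status as a failure.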
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh
new file mode 100644
index 000000000..ac0b47f7a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i '/^\+.*$/d' /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh
new file mode 100644
index 000000000..94a980029
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_everything.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+
+echo "+" >> /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh
new file mode 100644
index 000000000..90b717cc1
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_group.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+@group" >> /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh
new file mode 100644
index 000000000..0c036c3e2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/include_name.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+name" >> /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh
new file mode 100644
index 000000000..cf16444d7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_passwd/tests/multiple.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo "+name" >> /etc/passwd
+echo "+" >> /etc/passwd
+echo "+@group" >> /etc/passwd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml
new file mode 100644
index 000000000..c969414d2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/ansible/shared.yml
@@ -0,0 +1,17 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = medium
+
+- name: "Backup the old /etc/shadow file"
+ copy:
+ src: /etc/shadow
+ dest: /etc/shadow-
+ remote_src: true
+
+- name: "Remove lines starting with + from /etc/shadow"
+ lineinfile:
+ regexp: '^\+.*$'
+ state: absent
+ path: /etc/shadow
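Review bot: The `copy` of /etc/shadow to /etc/shadow- sets no `mode`, `owner` or `group`; on a host where /etc/shadow- does not yet exist the copy module creates it with the umask-derived default (typically 0644), which exposes every password hash to all local users — the source is mode 0000 root:root on these platforms and its backup must stay that way. Add `mode: '0000'`, `owner: root` and `group: root` to the copy (or at least `mode: preserve`), and do not rely on the destination already existing with tight permissions. The task also runs on every play rather than only when a `+` line is present, unlike the bash remediation; gating it on a registered `grep -q '^\+' /etc/shadow` would make the two agree.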
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh
new file mode 100644
index 000000000..f8874c9f0
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/bash/shared.sh
@@ -0,0 +1,7 @@
+# platform = multi_platform_fedora,Red Hat OpenShift Container Platform 4,Oracle Linux 7,Oracle Linux 8,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Virtualization 4
+
+if grep -q '^\+' /etc/shadow; then
+# backup old file to /etc/shadow-
+ cp /etc/shadow /etc/shadow-
+ sed -i '/^\+.*$/d' /etc/shadow
+fi
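Review bot: `cp /etc/shadow /etc/shadow-` copies without `-p`, so when /etc/shadow- does not already exist the backup's mode is the source mode masked by the caller's umask and its ownership is that of the invoking user; that is only safe here because /etc/shadow happens to be 0000 root:root on the listed platforms. Use `cp -p /etc/shadow /etc/shadow-` (or `--preserve=mode,ownership`) so the backup can never be more permissive than the original, whatever the umask or platform defaults. Note also that `sed -i` rewrites the file in place without taking the shadow-utils lock that `vipw -s` and `usermod` honour, so a concurrent account change could be lost; if that matters for this remediation, it should be run while holding that lock.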
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml
new file mode 100644
index 000000000..8fad2c384
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/oval/shared.xml
@@ -0,0 +1,26 @@
+<def-group>
+ <definition class="compliance" id="no_legacy_plus_entries_etc_shadow" version="1">
+ <metadata>
+ <title>Ensure there are no legacy + NIS entries in /etc/shadow</title>
+ {{{- oval_affected(products) }}}
+ <description>No lines starting with + are in /etc/shadow</description>
+ </metadata>
+ <criteria comment="no lines starting with + are in /etc/shadow">
+ <criterion test_ref="test_no_legacy_plus_entries_etc_shadow" />
+ </criteria>
+ </definition>
+
+ <ind:textfilecontent54_test check="all" check_existence="none_exist"
+ comment="check for existence of lines starting with +" id="test_no_legacy_plus_entries_etc_shadow"
+ version="1">
+ <ind:object object_ref="object_no_legacy_plus_entries_etc_shadow" />
+ </ind:textfilecontent54_test>
+
+ <ind:textfilecontent54_object comment="lines starting with +"
+ id="object_no_legacy_plus_entries_etc_shadow" version="1">
+ <ind:filepath>/etc/shadow</ind:filepath>
+ <ind:pattern operation="pattern match">^\+.*$</ind:pattern>
+ <ind:instance datatype="int">1</ind:instance>
+ </ind:textfilecontent54_object>
+
+</def-group>
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
new file mode 100644
index 000000000..beb3772b2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+prodtype: fedora,ocp4,ol7,ol8,rhel7,rhel8,rhv4
+
+title: 'Ensure there are no legacy + NIS entries in /etc/shadow'
+
+description: |-
+ The <tt>+</tt> character in <tt>/etc/shadow</tt> file marks a place where
+ entries from a network information service (NIS) should be directly inserted.
+
+rationale: |-
+ Using this method to include entries into <tt>/etc/shadow</tt> is considered legacy
+ and should be avoided. These entries may provide a way for an attacker
+ to gain access to the system.
+
+severity: medium
+
+identifiers:
+ cce@rhel7: 83390-5
+ cce@rhel8: 84290-6
+
+references:
+ cis@rhel7: 6.2.3
+ cis@rhel8: 6.2.4
+
+ocil_clause: 'the file contains legacy lines'
+
+ocil: |-
+ To check for legacy lines in <tt>/etc/shadow</tt>, run the following command:
+ <pre> grep '^\+' /etc/shadow</pre>
+ The command should not return any output.
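Review bot: The `ocil` at the end of the hunk tells the auditor to run `grep '^\+' /etc/shadow` and expect no output, but /etc/shadow is unreadable to non-root users, so an unprivileged auditor gets a "Permission denied" error on stderr rather than a clean empty result and may record a pass or a fail for the wrong reason. Say that the command must be run as root (`sudo grep '^\+' /etc/shadow`) and state the expected outcome precisely: no lines printed and an exit status of 1. The rationale inherits the generic wording of the passwd and group rules; for /etc/shadow the specific point is that a `+` line is only meaningful in NSS compat mode and is otherwise a stray entry in the password-hash file.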
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh
new file mode 100644
index 000000000..4647b544e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/correct.pass.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sed -i '/^\+.*$/d' /etc/shadow
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh
new file mode 100644
index 000000000..881e23676
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_everything.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+
+echo "+" >> /etc/shadow
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh
new file mode 100644
index 000000000..39076bdcc
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_group.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+@group" >> /etc/shadow
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh
new file mode 100644
index 000000000..6cbc6e885
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/include_name.fail.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+echo "+name" >> /etc/shadow
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh
new file mode 100644
index 000000000..b2daf1bc2
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_storage/no_legacy_plus_entries_etc_shadow/tests/multiple.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+echo "+name" >> /etc/shadow
+echo "+" >> /etc/shadow
+echo "+@group" >> /etc/shadow
diff --git a/rhel7/profiles/cis.profile b/rhel7/profiles/cis.profile
index b66594f59..bfb1508b6 100644
--- a/rhel7/profiles/cis.profile
+++ b/rhel7/profiles/cis.profile
@@ -735,8 +735,14 @@ selections:
## 6.2 User and Group Settings
### 6.2.1 Ensure password fields are not empty (Scored)
### 6.2.2 Ensure no legacy "+" entries exist in /etc/passwd (Scored)
+ - no_legacy_plus_entries_etc_passwd
+
### 6.2.3 Ensure no legacy "+" entries exist in /etc/shadow (Scored)
+ - no_legacy_plus_entries_etc_shadow
+
### 6.2.4 Ensure no legacy "+" entries exist in /etc/group (Scored)
+ - no_legacy_plus_entries_etc_group
+
### 6.2.5 Ensure root is the only UID 0 account (Scored)
- accounts_no_uid_except_zero
--
2.21.1