
CIS 6.1.2-6.1.9

CIS items copied from cisbench:
* CIS 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
* CIS 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
* CIS 6.1.4 Ensure permissions on /etc/group are configured (Scored)
* CIS 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
* CIS 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
* CIS 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
* CIS 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
* CIS 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)

Change-Id: I195d08a98c2401a9b0fa8f146ee4b365f933fa1f
Branch: master
Author: Dmitry Teselkin, 6 years ago
Parent commit: 11ef3737d2
9 changed files with 311 additions and 0 deletions
1. +38 -0 metadata/service/system/cis/cis-6-1-2.yml
2. +39 -0 metadata/service/system/cis/cis-6-1-3.yml
3. +38 -0 metadata/service/system/cis/cis-6-1-4.yml
4. +39 -0 metadata/service/system/cis/cis-6-1-5.yml
5. +36 -0 metadata/service/system/cis/cis-6-1-6.yml
6. +38 -0 metadata/service/system/cis/cis-6-1-7.yml
7. +37 -0 metadata/service/system/cis/cis-6-1-8.yml
8. +38 -0 metadata/service/system/cis/cis-6-1-9.yml
9. +8 -0 metadata/service/system/cis/init.yml

+38 -0 metadata/service/system/cis/cis-6-1-2.yml

@@ -0,0 +1,38 @@
# CIS 6.1.2 Ensure permissions on /etc/passwd are configured
#
# Description
# ===========
# The /etc/passwd file contains user account information that is used by
# many system utilities and therefore must be readable for these utilities
# to operate.
#
# Rationale
# =========
# It is critical to ensure that the /etc/passwd file is protected from
# unauthorized write access. Although it is protected by default, the file
# permissions could be changed either inadvertently or through malicious actions.
#
# Audit
# =====
# Run the following command and verify Uid and Gid are both 0/root and
# Access is 644 :
#
# # stat /etc/passwd
# Access: (0644/-rw-r--r--) Uid: (0/root) Gid: (0/root)
#
# Remediation
# ===========
# Run the following command to set permissions on /etc/passwd :
#
# # chown root:root /etc/passwd
# # chmod 644 /etc/passwd
#
parameters:
linux:
system:
file:
/etc/passwd:
user: 'root'
group: 'root'
mode: '0644'
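Review bot: keeping `mode: '0644'` quoted is the right call here and in the other seven files; an unquoted `0644` is read by YAML 1.1 parsers as the octal integer 420 and would reach the file state as a decimal value, so please keep the quoting consistent if these files are edited later. The rest of the hunk matches the Audit sample it quotes (root:root, 0644).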


+39 -0 metadata/service/system/cis/cis-6-1-3.yml

@@ -0,0 +1,39 @@
# CIS 6.1.3 Ensure permissions on /etc/shadow are configured
#
# Description
# ===========
# The /etc/shadow file is used to store the information about user accounts
# that is critical to the security of those accounts, such as the hashed
# password and other security information.
#
# Rationale
# =========
# If attackers can gain read access to the /etc/shadow file, they can easily
# run a password cracking program against the hashed password to break it.
# Other security information that is stored in the /etc/shadow file (such
# as expiration) could also be useful to subvert the user accounts.
#
# Audit
# =====
# Run the following command and verify Uid is 0/root , Gid is <gid>/shadow ,
# and Access is 640 or more restrictive:
#
# # stat /etc/shadow
# Access: (0640/-rw-r-----) Uid: (0/root) Gid: (42/shadow)
#
# Remediation
# ===========
# Run the one following commands to set permissions on /etc/shadow :
#
# # chown root:shadow /etc/shadow
# # chmod o-rwx,g-wx /etc/shadow
#
parameters:
linux:
system:
file:
/etc/shadow:
user: 'root'
group: 'shadow'
mode: '0640'
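Review bot: "Run the one following commands" in the Remediation comment is a typo carried over from the benchmark text; it should read "Run the following commands". More substantively, the Audit text accepts "640 or more restrictive" while the state pins `mode: '0640'`, so on a host where /etc/shadow is already tighter (0600, for example) applying this class would widen it; if 0640 is the chosen target rather than a ceiling, say so in the comment. The `group: 'shadow'` line also assumes a `shadow` group exists on the target (gid 42 in the quoted stat output), which holds on Debian-derived systems but not on every distribution; worth a one-line note next to the parameter.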


+38 -0 metadata/service/system/cis/cis-6-1-4.yml

@@ -0,0 +1,38 @@
# CIS 6.1.4 Ensure permissions on /etc/group are configured
#
# Description
# ===========
# The /etc/group file contains a list of all the valid groups defined in the
# system. The command below allows read/write access for root and read access
# for everyone else.
#
# Rationale
# =========
# The /etc/group file needs to be protected from unauthorized changes by
# non-privileged users, but needs to be readable as this information is used
# with many non-privileged programs.
#
# Audit
# =====
# Run the following command and verify Uid and Gid are both 0/root and
# Access is 644 :
#
# # stat /etc/group
# Access: (0644/-rw-r--r--) Uid: (0/root) Gid: (0/root)
#
# Remediation
# ===========
# Run the following command to set permissions on /etc/group :
#
# # chown root:root /etc/group
# # chmod 644 /etc/group
#
parameters:
linux:
system:
file:
/etc/group:
user: 'root'
group: 'root'
mode: '0644'


+39 -0 metadata/service/system/cis/cis-6-1-5.yml

@@ -0,0 +1,39 @@
# CIS 6.1.5 Ensure permissions on /etc/gshadow are configured
#
# Description
# ===========
# The /etc/gshadow file is used to store the information about groups that
# is critical to the security of those accounts, such as the hashed password
# and other security information.
#
# Rationale
# =========
# If attackers can gain read access to the /etc/gshadow file, they can easily
# run a password cracking program against the hashed password to break it.
# Other security information that is stored in the /etc/gshadow file (such as
# group administrators) could also be useful to subvert the group.
#
# Audit
# =====
# Run the following command and verify verify Uid is 0/root ,
# Gid is <gid>/shadow , and Access is 640 or more restrictive:
#
# # stat /etc/gshadow
# Access: (0640/-rw-r-----) Uid: (0/root) Gid: (42/shadow)
#
# Remediation
# ===========
# Run the following commands to set permissions on /etc/gshadow :
#
# # chown root:shadow /etc/gshadow
# # chmod o-rwx,g-rw /etc/gshadow
#
parameters:
linux:
system:
file:
/etc/gshadow:
user: 'root'
group: 'shadow'
mode: '0640'
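Review bot: the Audit comment reads "verify verify". More importantly, the Remediation comment gives `chmod o-rwx,g-rw /etc/gshadow`, which strips group read and would leave the file at 0600; that disagrees with the `Access: (0640/-rw-r-----)` sample quoted in the Audit section and with the `mode: '0640'` this state actually enforces. Since the state is what runs, change the comment to `chmod o-rwx,g-wx /etc/gshadow` (as in cis-6-1-3) so the documented remediation and the enforced mode agree.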


+36 -0 metadata/service/system/cis/cis-6-1-6.yml

@@ -0,0 +1,36 @@
# CIS 6.1.6 Ensure permissions on /etc/passwd- are configured
#
# Description
# ===========
# The /etc/passwd- file contains backup user account information.
#
# Rationale
# =========
# It is critical to ensure that the /etc/passwd- file is protected from
# unauthorized access. Although it is protected by default, the file
# permissions could be changed either inadvertently or through malicious actions.
#
# Audit
# =====
# Run the following command and verify Uid and Gid are both 0/root and
# Access is 600 or more restrictive:
#
# # stat /etc/passwd-
# Access: (0600/-rw-------) Uid: (0/root) Gid: (0/root)
#
# Remediation
# ===========
# Run the following command to set permissions on /etc/passwd- :
#
# # chown root:root /etc/passwd-
# # chmod 600 /etc/passwd-
#
parameters:
linux:
system:
file:
/etc/passwd-:
user: 'root'
group: 'root'
mode: '0600'


+38 -0 metadata/service/system/cis/cis-6-1-7.yml

@@ -0,0 +1,38 @@
# CIS 6.1.7 Ensure permissions on /etc/shadow- are configured
#
# Description
# ===========
# The /etc/shadow- file is used to store backup information about user
# accounts that is critical to the security of those accounts, such as the
# hashed password and other security information.
#
# Rationale
# =========
# It is critical to ensure that the /etc/shadow- file is protected from
# unauthorized access. Although it is protected by default, the file
# permissions could be changed either inadvertently or through malicious actions.
#
# Audit
# =====
# Run the following command and verify Uid and Gid are both 0/root and
# Access is 600 or more restrictive:
#
# # stat /etc/shadow-
# Access: (0600/-rw-------) Uid: (0/root) Gid: (0/root)
#
# Remediation
# ===========
# Run the following command to set permissions on /etc/shadow- :
#
# # chown root:root /etc/shadow-
# # chmod 600 /etc/shadow-
#
parameters:
linux:
system:
file:
/etc/shadow-:
user: 'root'
group: 'root'
mode: '0600'


+37 -0 metadata/service/system/cis/cis-6-1-8.yml

@@ -0,0 +1,37 @@
# CIS 6.1.8 Ensure permissions on /etc/group- are configured
#
# Description
# ===========
# The /etc/group- file contains a backup list of all the valid groups defined
# in the system.
#
# Rationale
# =========
# It is critical to ensure that the /etc/group- file is protected from
# unauthorized access. Although it is protected by default, the file
# permissions could be changed either inadvertently or through malicious actions.
#
# Audit
# =====
# Run the following command and verify Uid and Gid are both 0/root and
# Access is 600 or more restrictive:
#
# # stat /etc/group-
# Access: (0600/-rw-------) Uid: (0/root) Gid: (0/root)
#
# Remediation
# ===========
# Run the following command to set permissions on /etc/group- :
#
# # chown root:root /etc/group-
# # chmod 600 /etc/group-
#
parameters:
linux:
system:
file:
/etc/group-:
user: 'root'
group: 'root'
mode: '0600'


+38 -0 metadata/service/system/cis/cis-6-1-9.yml

@@ -0,0 +1,38 @@
# CIS 6.1.9 Ensure permissions on /etc/gshadow- are configured
#
# Description
# ===========
# The /etc/gshadow- file is used to store backup information about groups
# that is critical to the security of those accounts, such as the hashed
# password and other security information.
#
# Rationale
# =========
# It is critical to ensure that the /etc/gshadow- file is protected from
# unauthorized access. Although it is protected by default, the file
# permissions could be changed either inadvertently or through malicious actions.
#
# Audit
# =====
# Run the following command and verify Uid and Gid are both 0/root and
# Access is 600 or more restrictive:
#
# # stat /etc/gshadow-
# Access: (0600/-rw-------) Uid: (0/root) Gid: (0/root)
#
# Remediation
# ===========
# Run the following command to set permissions on /etc/gshadow- :
#
# # chown root:root /etc/gshadow-
# # chmod 600 /etc/gshadow-
#
parameters:
linux:
system:
file:
/etc/gshadow-:
user: 'root'
group: 'root'
mode: '0600'


+8 -0 metadata/service/system/cis/init.yml

@@ -12,3 +12,11 @@ classes:
- service.linux.system.cis.cis-3-2-8
# Temp. disable PROD-22520
#- service.linux.system.cis.cis-3-3-3
- service.linux.system.cis.cis-6-1-2
- service.linux.system.cis.cis-6-1-3
- service.linux.system.cis.cis-6-1-4
- service.linux.system.cis.cis-6-1-5
- service.linux.system.cis.cis-6-1-6
- service.linux.system.cis.cis-6-1-7
- service.linux.system.cis.cis-6-1-8
- service.linux.system.cis.cis-6-1-9
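Review bot: the eight new class entries are appended directly under the commented-out `cis-3-3-3` line and its "Temp. disable PROD-22520" note, so on a quick read the ticket comment looks like it applies to the new block; a blank line or a short comment above `cis-6-1-2` separating the 6.1.x group would keep the disabled entry clearly attached to its own note. Each new class sets one distinct path under `parameters.linux.system.file`, so the eight files merge without key collisions.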
