From: Kenneth Stailey kstailey.lists@gmail.com
By using mode 0000 for the /etc/gshadow file we avoid switching to a less restrictive protection mode and avoid having the file permissions deviate from the permissions recorded in the RPM database.
Signed-off-by: Kenneth Stailey kstailey.lists@gmail.com --- .../input/checks/file_permissions_etc_gshadow.xml | 57 ++++++++++++---------- .../checks/templates/file_dir_permissions.csv | 1 + 2 files changed, 33 insertions(+), 25 deletions(-)
diff --git a/RHEL6/input/checks/file_permissions_etc_gshadow.xml b/RHEL6/input/checks/file_permissions_etc_gshadow.xml
index d86a582..17c3e0c 100644
--- a/RHEL6/input/checks/file_permissions_etc_gshadow.xml
+++ b/RHEL6/input/checks/file_permissions_etc_gshadow.xml
@@ -1,39 +1,46 @@
 <def-group>
- <definition class="compliance"
- id="file_permissions_etc_gshadow" version="1">
+ <!-- THIS FILE IS GENERATED by create_permission_checks.py. DO NOT EDIT. -->
+ <definition class="compliance" id="file_permissions_etc_gshadow" version="1">
 <metadata>
- <title>Verify permissions on 'gshadow' file</title>
+ <title>Verify /etc/gshadow Permissions</title>
 <affected family="unix">
 <platform>Red Hat Enterprise Linux 6</platform>
 </affected>
- <description>File permissions for /etc/gshadow should be set
- correctly.</description>
+ <description>This test makes sure that /etc/gshadow is owned by 0, group owned by 0, and has mode 0000. If
+ the target file or directory has an extended ACL then it will fail the mode check.</description>
 </metadata>
 <criteria>
- <criterion test_ref="test_20044" />
+ <criterion test_ref="test_etc_gshadow" />
 </criteria>
 </definition>
- <unix:file_test check="all" check_existence="all_exist"
- comment="Testing gshadow permissions"
- id="test_20044" version="1">
- <unix:object object_ref="obj_20038" />
- <unix:state state_ref="state_1000400" />
+ <unix:file_test check="all" check_existence="all_exist" comment="/etc/gshadow mode and ownership" id="test_etc_gshadow" version="1">
+ <unix:object object_ref="object_etc_gshadow" />
+ <unix:state state_ref="state_uid_0" />
+ <unix:state state_ref="state_gid_0" />
+ <unix:state state_ref="state_mode_0000" />
 </unix:file_test>
- <unix:file_state id="state_1000400"
- version="1">
- <unix:uread datatype="boolean">true</unix:uread>
- <unix:uwrite datatype="boolean">false</unix:uwrite>
- <unix:uexec datatype="boolean">false</unix:uexec>
- <unix:gread datatype="boolean">false</unix:gread>
- <unix:gwrite datatype="boolean">false</unix:gwrite>
- <unix:gexec datatype="boolean">false</unix:gexec>
- <unix:oread datatype="boolean">false</unix:oread>
- <unix:owrite datatype="boolean">false</unix:owrite>
- <unix:oexec datatype="boolean">false</unix:oexec>
- </unix:file_state>
- <unix:file_object comment="/etc/gshadow"
- id="obj_20038" version="1">
+ <unix:file_object comment="/etc/gshadow" id="object_etc_gshadow" version="1">
 unix:path/etc</unix:path>
 unix:filenamegshadow</unix:filename>
 </unix:file_object>
+ <unix:file_state id="state_uid_0" version="1">
+ <unix:user_id datatype="int" operation="equals">0</unix:user_id>
+ </unix:file_state>
+ <unix:file_state id="state_gid_0" version="1">
+ <unix:group_id datatype="int" operation="equals">0</unix:group_id>
+ </unix:file_state>
+ <unix:file_state id="state_mode_0000" version="1">
+ <unix:suid datatype="boolean">false</unix:suid>
+ <unix:sgid datatype="boolean">false</unix:sgid>
+ <unix:sticky datatype="boolean">false</unix:sticky>
+ <unix:uread datatype="boolean">false</unix:uread>
+ <unix:uwrite datatype="boolean">false</unix:uwrite>
+ <unix:uexec datatype="boolean">false</unix:uexec>
+ <unix:gread datatype="boolean">false</unix:gread>
+ <unix:gwrite datatype="boolean">false</unix:gwrite>
+ <unix:gexec datatype="boolean">false</unix:gexec>
+ <unix:oread datatype="boolean">false</unix:oread>
+ <unix:owrite datatype="boolean">false</unix:owrite>
+ <unix:oexec datatype="boolean">false</unix:oexec>
+ </unix:file_state>
 </def-group>
diff --git a/RHEL6/input/checks/templates/file_dir_permissions.csv b/RHEL6/input/checks/templates/file_dir_permissions.csv
index 781f413..1e0164e 100644
--- a/RHEL6/input/checks/templates/file_dir_permissions.csv
+++ b/RHEL6/input/checks/templates/file_dir_permissions.csv
@@ -1,3 +1,4 @@
 /etc,shadow,0,0,0000
+/etc,gshadow,0,0,0000
 /etc,passwd,0,0,0644
 /boot/grub,grub.conf,0,0,0600
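Review bot: The new `state_mode_0000` turns the old state's `uread=true` (mode 0400) into a failure, so any host that was brought into compliance under the previous check, or by a `chmod 0400 /etc/gshadow` remediation, will now be reported as non-compliant. If a fix script or XCCDF rule text for this rule exists elsewhere in the tree (it is not in this diff), it should be changed to `chmod 0000 /etc/gshadow` in the same commit so the scanner's finding and the documented remediation agree. The tighter mode costs nothing for the file's root-only consumers, since root's DAC override ignores the owner read bit, which is presumably why the package records it as 0000 in the RPM database as the commit message says.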