92 | 92 |
|
93 | 93 | control 'os-03' do |
94 | 94 | impact 1.0 |
95 | | - title 'Check owner and permissions for /etc/passwd' |
96 | | - desc 'Check periodically the owner and permissions for /etc/passwd' |
97 | | - describe file('/etc/passwd') do |
98 | | - it { should exist } |
99 | | - it { should be_file } |
100 | | - it { should be_owned_by 'root' } |
101 | | - its('group') { should eq 'root' } |
102 | | - it { should_not be_executable } |
103 | | - it { should be_writable.by('owner') } |
104 | | - it { should_not be_writable.by('group') } |
105 | | - it { should_not be_writable.by('other') } |
106 | | - it { should be_readable.by('owner') } |
107 | | - it { should be_readable.by('group') } |
108 | | - it { should be_readable.by('other') } |
| 95 | + title 'Check owner and permissions for passwd files' |
| 96 | + desc 'Check periodically the owner and permissions for passwd files '\ |
| 97 | + '(/etc/passwd, /etc/passwd-, /etc/group, /etc/group-)' |
| 98 | + |
| 99 | + passwd_files = ['/etc/passwd', '/etc/passwd-', '/etc/group', '/etc/group-'] |
| 100 | + passwd_files.each do |passwd_file| |
| 101 | + next if passwd_file[-1] == '-' && !file(passwd_file).exist? |
| 102 | + |
| 103 | + describe file(passwd_file) do |
| 104 | + it { should exist } |
| 105 | + it { should be_file } |
| 106 | + it { should be_owned_by 'root' } |
| 107 | + its('group') { should eq 'root' } |
| 108 | + it { should_not be_executable } |
| 109 | + it { should be_writable.by('owner') } |
| 110 | + it { should_not be_writable.by('group') } |
| 111 | + it { should_not be_writable.by('other') } |
| 112 | + it { should be_readable.by('owner') } |
| 113 | + it { should be_readable.by('group') } |
| 114 | + it { should be_readable.by('other') } |
| 115 | + end |
109 | 116 | end |
110 | 117 | end |
111 | 118 |