Skip to content

Add checks for other shadow and passwd/group files into os-02 and os-03 rules#162

Open
cmhe wants to merge 2 commits intodev-sec:masterfrom
siemens:ISSUE-161
Open

Add checks for other shadow and passwd/group files into os-02 and os-03 rules#162
cmhe wants to merge 2 commits intodev-sec:masterfrom
siemens:ISSUE-161

Conversation

@cmhe
Copy link
Contributor

@cmhe cmhe commented Oct 25, 2021
edited
Loading

This adds the checks for the other shadow and passwd files into the existing rules os-02 and os-03.

An alternative solution would be to create additional rule ids, in order to prevent changing the existing ones. However it does make sense to me to handle all similar files in one rule, instead of creating additional one.

It should lessen the maintenance overhead.

If changing existing rules it not possible, then I would be willing to create additional rules for those other files.

Closes: #161

@cmhe cmhe force-pushed the ISSUE-161 branch 2 times, most recently from 0bd9bca to 81489d9 Compare October 25, 2021 08:14
@cmhe
Copy link
Contributor Author

cmhe commented Oct 25, 2021
edited
Loading

I shorted the control documentation in order to pass the Metrics/BlockLength: Block has too many lines. [36/35] style check.

Not sure how much good such an arbitrary check will do :/

chris-rock
chris-rock requested changes Oct 26, 2021
View reviewed changes
chris-rock
chris-rock reviewed Oct 28, 2021
View reviewed changes
cmhe added 2 commits November 3, 2021 10:53
@cmhe
feat: expand security control to check for other shadow files
5d29e31 
Currently only `/etc/shadow` is checked to have the right permissions,
but there are other files that can/could contain password hashes as
well, which are not checked yet:

 - /etc/shadow- (a backup file for /etc/shadow)
 - /etc/gshadow (contains group password hashes)
 - /etc/gshadow- (a backup file for /etc/gshadow-)

While the control requires `/etc/shadow` and `/etc/gshadow` to exist,
the rules for their backup counterparts are a bit more relaxed. The
checks will be skipped, if those files do not exist.

Signed-off-by: Claudius Heine <ch@denx.de>
@cmhe
feat: expand security check: add other passwd and group files
4b67c2d 
Currently only `/etc/passwd` is checked to have the right permissions,
but there are other files that contain unix account related configuration:

 - /etc/passwd- (a backup file for /etc/passwd)
 - /etc/group (contains group configuration and membership)
 - /etc/group- (a backup file for /etc/group-)

While the control requires `/etc/passwd` and `/etc/group` to exist,
the rules for their backup counterparts are a bit more relaxed. The
checks will be skipped, if those files do not exist.

Signed-off-by: Claudius Heine <ch@denx.de>
@schurzi
Copy link
Contributor

schurzi commented Nov 7, 2021

I shorted the control documentation in order to pass the Metrics/BlockLength: Block has too many lines. [36/35] style check.

Not sure how much good such an arbitrary check will do :/

We already had a discussion on this. https://github.com/orgs/dev-sec/teams/contributors/discussions/3
I think I will have some time to update our linting to cookstyle in the coming week. Currently we have a kind of arbitrary/default rubocop style set, that is not entirely optimal.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chris-rock chris-rock chris-rock requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add file system checks for other shadow and passwd/group files

3 participants

@cmhe @schurzi @chris-rock