feat(os-02): expand security control to check for other shadow files

cmhe · cmhe · commit 8c8d8ec7989d · 2021-10-25T10:07:51.000+02:00
Currently only `/etc/shadow` is checked to have the right permissions,
but there are other files that can/could contain password hashes as
well, which are not checked yet:

 - /etc/shadow- (a backup file for /etc/shadow)
 - /etc/gshadow (contains group password hashes)
 - /etc/gshadow- (a backup file for /etc/gshadow-)

While the control requires `/etc/shadow` and `/etc/gshadow` to exist,
the rules for their backup counterparts are a bit more relaxed. The
checks will be skipped, if those files do not exist.

Signed-off-by: Claudius Heine &lt;ch@denx.de&gt;
diff --git a/controls/os_spec.rb b/controls/os_spec.rb
@@ -52,34 +52,41 @@
 
 control 'os-02' do
   impact 1.0
-  title 'Check owner and permissions for /etc/shadow'
-  desc 'Check periodically the owner and permissions for /etc/shadow'
-  describe file('/etc/shadow') do
-    it { should exist }
-    it { should be_file }
-    it { should be_owned_by 'root' }
-    its('group') { should eq shadow_group }
-    it { should_not be_executable }
-    it { should_not be_readable.by('other') }
-  end
-  if os.redhat? || os.name == 'fedora'
-    describe file('/etc/shadow') do
-      it { should_not be_writable.by('owner') }
-      it { should_not be_readable.by('owner') }
-    end
-  else
-    describe file('/etc/shadow') do
-      it { should be_writable.by('owner') }
-      it { should be_readable.by('owner') }
+  title 'Check owner and permissions for shadow files'
+  desc 'Check periodically the owner and permissions for shadow files '\
+    '(/etc/shadow, /etc/shadow-, /etc/gshadow, /etc/gshadow-)'
+
+  shadow_files = ['/etc/shadow', '/etc/shadow-', '/etc/gshadow', '/etc/gshadow-']
+  shadow_files.each do |shadow_file|
+    next if shadow_file[-1] == '-' && !file(shadow_file).exist?
+
+    describe file(shadow_file) do
+      it { should exist }
+      it { should be_file }
+      it { should be_owned_by 'root' }
+      its('group') { should eq shadow_group }
+      it { should_not be_executable }
+      it { should_not be_readable.by('other') }
     end
-  end
-  if os.debian? || os.suse?
-    describe file('/etc/shadow') do
-      it { should be_readable.by('group') }
+    if os.redhat? || os.name == 'fedora'
+      describe file(shadow_file) do
+        it { should_not be_writable.by('owner') }
+        it { should_not be_readable.by('owner') }
+      end
+    else
+      describe file(shadow_file) do
+        it { should be_writable.by('owner') }
+        it { should be_readable.by('owner') }
+      end
     end
-  else
-    describe file('/etc/shadow') do
-      it { should_not be_readable.by('group') }
+    if os.debian? || os.suse?
+      describe file(shadow_file) do
+        it { should be_readable.by('group') }
+      end
+    else
+      describe file(shadow_file) do
+        it { should_not be_readable.by('group') }
+      end
     end
   end
 end
