search

ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/
Other
2.19k stars 696 forks source link

Permissions of file remediated by file_permissions_backup_etc_passwd are reverted when a user is added #5611

Closed ggbecker closed 4 years ago

ggbecker commented 4 years ago

Description of problem:

file_permissions_backup_etc_passwd

This rule sets the permission 600 for the file /etc/passwd-, but as soon as a user is added to the system, the permissions are reverted back to 644. It's either a misalignment on CIS or a bug in the component which takes care of this file.

rpm -qf /etc/passwd
setup-2.12.2-1.el8.noarch

Opening issue for awareness

SCAP Security Guide Version:

0.1.49

Operating System Version:

RHEL8

Steps to Reproduce:

  1. chmod 600 /etc/passwd-
  2. adduser user1
  3. ls -la /etc/passwd-

Actual Results:

Permissions are reverted to 644

Expected Results:

Permissions are 600

Addition Information/Debugging Steps:

Report generated during RHEL8 installation phase selecting CIS profile eval_remediate_report.txt Report generated by a scan after installation of RHEL8 finished: xccdf_org.ssgproject.content_profile_cis.txt Note: change the extension back to html to be able to open the report in a browser.

KB for RHEL7 created in 2017: https://access.redhat.com/solutions/3190922

yuumasato commented 4 years ago

@ggbecker also noticed that RHEL7CIS Benchmark had a similar issue and the Benchmark was fixed. See following entry in changelog:

Dec 27, 2017 | 2.2.0 | 6.1.6-6.1.9 - Aligned recommendations to match non-backup files (Ticket 5218)