
Extend os_hardening minimize_access task to cover additional passwd/group/shadow/gshadow paths #488

Closed
cmhe opened this issue Oct 18, 2021 · 0 comments · Fixed by #489
cmhe commented Oct 18, 2021

Is your feature request related to a problem? Please describe.
The current tasks Change shadow ownership to root and mode to 0600 and Change passwd ownership to root and mode to 0644 only handle /etc/shadow and /etc/passwd respectively. But there are multiple adjacent files that should be handled with these rules as well:

  • /etc/gshadow
  • /etc/shadow-
  • /etc/gshadow-
  • /etc/group
  • /etc/shadow-
  • /etc/group-

Describe the solution you'd like
Extend those tasks to also assign the permissions to those files.
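The check below is an added example, not code from this issue or from the dev-sec collection. It audits the invariant the two hardening tasks enforce once extended: the account databases (`passwd`, `group` and their `-` backups) are owned by root with mode 0644, and the secret-bearing files (`shadow`, `gshadow` and their backups) are owned by root with mode 0600. The modes and the file names come from the issue; `/etc/passwd-` is included on the assumption that it is the intended eighth file (the issue's list names `/etc/shadow-` twice). The `demo()` function runs the audit against a constructed lookalike directory with two deliberate faults, so the block runs without touching the real `/etc`; the `audit()` function itself takes any directory and defaults to root's uid/gid.

```python
"""Audit ownership and mode of the passwd/group/shadow/gshadow files.

Added example (not part of the issue or the collection). It checks the
same invariant the extended hardening tasks enforce.
"""
import os
import stat
import tempfile
from pathlib import Path

# Expected mode per file, taken from the issue: world-readable account
# databases, root-only shadow files. The '-' entries are the backups that
# vipw/useradd and friends leave behind. 'passwd-' is assumed to be the
# intended member the issue's list omits.
EXPECTED_MODE = {
    "passwd": 0o644, "passwd-": 0o644,
    "group": 0o644, "group-": 0o644,
    "shadow": 0o600, "shadow-": 0o600,
    "gshadow": 0o600, "gshadow-": 0o600,
}


def audit(etc_dir, expected_uid=0, expected_gid=0):
    """Return (name, problem) tuples for every file that deviates.

    A missing file is not a finding: a '-' backup only exists once the
    corresponding database has been rewritten at least once. A symlink in
    place of one of these files is reported rather than followed.
    """
    findings = []
    for name, want_mode in EXPECTED_MODE.items():
        path = Path(etc_dir) / name
        try:
            st = path.lstat()
        except FileNotFoundError:
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append((name, "is a symlink"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode != want_mode:
            findings.append((name, f"mode {mode:04o}, expected {want_mode:04o}"))
        if st.st_uid != expected_uid or st.st_gid != expected_gid:
            findings.append(
                (name, f"owner {st.st_uid}:{st.st_gid}, "
                       f"expected {expected_uid}:{expected_gid}"))
    return findings


def demo():
    """Audit a constructed /etc lookalike containing two deliberate faults."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp)
        # Constructed sample contents; only ownership and mode matter here.
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (etc / "group").write_text("root:x:0:\n")
        (etc / "shadow").write_text("root:*:19000:0:99999:7:::\n")
        (etc / "gshadow").write_text("root:*::\n")
        (etc / "shadow-").write_text("root:*:18999:0:99999:7:::\n")
        os.chmod(etc / "passwd", 0o644)
        os.chmod(etc / "group", 0o644)
        os.chmod(etc / "shadow", 0o600)
        os.chmod(etc / "gshadow", 0o640)   # fault: group-readable secrets
        os.chmod(etc / "shadow-", 0o644)   # fault: backup world-readable
        # Temp files belong to the running user, so pass that uid/gid; a
        # real audit of /etc keeps the root defaults (0:0).
        return audit(etc, os.getuid(), os.getgid())


if __name__ == "__main__":
    for name, problem in demo():
        print(f"{name}: {problem}")
```

Running the block reports `gshadow` and `shadow-`, and nothing for `passwd-`, `group-` or `gshadow-`, which the demo never creates. The backup files are the point of the issue: a correct `/etc/shadow` with a world-readable `/etc/shadow-` beside it still exposes every password hash that was current when the backup was written, so an audit that only looks at the primary file passes a system that is not actually hardened.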

cmhe added a commit to siemens/ansible-collection-hardening that referenced this issue Oct 18, 2021
The tasks `Change shadow ownership to root and mode to 0600` and `Change
passwd ownership to root and mode to 0644` only handle
`/etc/shadow` and `/etc/passwd` respectively. But there are multiple
adjacent files that should be handled with these rules as well:

- `/etc/gshadow`
- `/etc/shadow-`
- `/etc/gshadow-`
- `/etc/group`
- `/etc/shadow-`
- `/etc/group-`

This change adds those files to the rules, so that permissions are
handled in the same way.

Closes: dev-sec#488

Signed-off-by: Claudius Heine <ch@denx.de>
cmhe added a commit to siemens/ansible-collection-hardening that referenced this issue Oct 18, 2021
cmhe added a commit to siemens/ansible-collection-hardening that referenced this issue Oct 18, 2021
cmhe added a commit to siemens/ansible-collection-hardening that referenced this issue Oct 19, 2021
rndmh3ro pushed a commit that referenced this issue Oct 21, 2021
…489)
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this issue Aug 3, 2022
…ev-sec#489)