
feat(os_hardening): extend file permission tasks to cover more files #489

Merged
merged 1 commit into from Oct 21, 2021

Conversation

cmhe
Contributor

@cmhe cmhe commented Oct 18, 2021

The tasks `Change shadow ownership to root and mode to 0600` and `Change passwd ownership to root and mode to 0644` only handle
`/etc/shadow` and `/etc/passwd` respectively. But there are multiple
adjacent files that should be handled with these rules as well:

  • `/etc/gshadow`
  • `/etc/shadow-`
  • `/etc/gshadow-`
  • `/etc/group`
  • `/etc/shadow-`
  • `/etc/group-`

This change adds those files to the rules, so that permissions are
handled in the same way.

Closes: #488

Signed-off-by: Claudius Heine ch@denx.de
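A way to verify the outcome the PR aims for on a running host, as an added example that is not part of the pull request or of the dev-sec role's own code: it audits the passwd/group/shadow/gshadow files and their `-` backups against the two rule groups named above (root-owned, `0644` for the passwd-type files and `0600` for the shadow-type files). It goes slightly beyond the PR's list by also covering `/etc/passwd-`, the backup of `/etc/passwd`. Mode is checked as an upper bound (no permission bits beyond the expected mask), missing `-` backups are skipped rather than reported, and the function names, `Entry` type and sample entries in the test are constructed for this example. On distributions that ship `/etc/shadow` as `root:shadow 0640`, the audit reports a finding, which is what the role's root/`0600` rule implies.

```python
"""Audit ownership and mode of /etc/{passwd,group,shadow,gshadow} and their '-' backups.

Added example; not the dev-sec role's code. Names and sample data are constructed.
"""
import os
import stat
import sys
from typing import Dict, Iterable, List, NamedTuple

# Upper bound on permission bits per file; owner and group must be root (uid 0 / gid 0).
# Mirrors the two rule groups in the PR: shadow-type files 0600, passwd-type files 0644.
# /etc/passwd- (backup of /etc/passwd) is included here although the PR list omits it.
EXPECTED_MODE: Dict[str, int] = {
    "/etc/passwd": 0o644,
    "/etc/passwd-": 0o644,
    "/etc/group": 0o644,
    "/etc/group-": 0o644,
    "/etc/shadow": 0o600,
    "/etc/shadow-": 0o600,
    "/etc/gshadow": 0o600,
    "/etc/gshadow-": 0o600,
}


class Entry(NamedTuple):
    """One observed file: canonical path, numeric owner/group, permission bits only."""
    path: str
    uid: int
    gid: int
    mode: int


def collect(root: str = "/") -> List[Entry]:
    """stat() every expected file below `root` (a chroot or mounted image works too).

    A '-' backup that has never been written is simply absent, so missing files are
    skipped rather than treated as findings. Symlinks are followed so the real file
    is audited.
    """
    entries: List[Entry] = []
    for path in EXPECTED_MODE:
        full = os.path.join(root, path.lstrip("/"))
        try:
            st = os.stat(full)
        except FileNotFoundError:
            continue
        entries.append(Entry(path, st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode)))
    return entries


def audit(entries: Iterable[Entry]) -> List[str]:
    """Return one finding string per deviation; an empty list means compliant.

    The mode check is 'expected mode or more restrictive': any permission bit that is
    set but not allowed by EXPECTED_MODE is a finding, a tighter mode is not.
    """
    findings: List[str] = []
    for e in entries:
        allowed = EXPECTED_MODE.get(e.path)
        if allowed is None:
            continue  # not a file this audit covers
        if e.uid != 0:
            findings.append(f"{e.path}: owner uid {e.uid}, expected root (0)")
        if e.gid != 0:
            findings.append(f"{e.path}: group gid {e.gid}, expected root (0)")
        extra = e.mode & ~allowed & 0o7777
        if extra:
            findings.append(
                f"{e.path}: mode {e.mode:04o} exceeds {allowed:04o} (extra bits {extra:04o})"
            )
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_authfiles.py [root]; exit status 1 if any finding.
    problems = audit(collect(sys.argv[1] if len(sys.argv) > 1 else "/"))
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

Running it as root on a host after the role has been applied should print nothing and exit 0; pointing `root` at a mounted image lets the same check run against a build artifact before it ships.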

@cmhe cmhe force-pushed the ISSUE-488 branch 2 times, most recently from 688dc56 to 72f0774 Compare October 18, 2021 13:28
@rndmh3ro
Member

Hey @cmhe, can you please rebase your PR on top of master?

The tasks `Change shadow ownership to root and mode to 0600` and `Change
passwd ownership to root and mode to 0644` only handle
`/etc/shadow` and `/etc/passwd` respectively. But there are multiple
adjacent files that should be handled with these rules as well:

- `/etc/gshadow`
- `/etc/shadow-`
- `/etc/gshadow-`
- `/etc/group`
- `/etc/shadow-`
- `/etc/group-`

This change adds those files to the rules, so that permissions are
handled in the same way.

Closes: dev-sec#488

Signed-off-by: Claudius Heine <ch@denx.de>
@rndmh3ro
Member

Thank you!

divialth pushed a commit to divialth/ansible-collection-hardening that referenced this pull request Aug 3, 2022
…ev-sec#489)
Development

Successfully merging this pull request may close these issues.

Extend os_hardening minimize_access task to cover additional passwd/group/shadow/gshadow paths