Merge whitespace changes

This commit is contained in:
Liz Rice 2020-12-22 12:18:25 +00:00
parent b494df8909
commit 9fc95ff756

@ -372,7 +372,6 @@ groups:
# mount -o remount,nodev /tmp
scored: true
- id: 1.1.4
description: "Ensure nosuid option set on /tmp partition"
audit: "mount | grep -E '\\s/tmp\\s' | grep -v nosuid"
@ -396,7 +395,6 @@ groups:
# mount -o remount,nosuid /tmp
scored: true
- id: 1.1.5
description: "Ensure noexec option set on /tmp partition"
audit: "mount | grep -E '\\s/tmp\\s' | grep -v noexec"
@ -455,7 +453,6 @@ groups:
scored: true
- id: 1.1.9
description: "Ensure nosuid option set on /var/tmp partition"
audit: "mount | grep -E '\\s/var/tmp\\s' | grep -v nosuid"
@ -559,7 +556,6 @@ groups:
scored: true
- id: 1.1.16
description: "Ensure nosuid option set on /dev/shm partition"
audit: "mount | grep -E '\\s/dev/shm\\s' | grep -v nosuid"
@ -1032,7 +1028,7 @@ groups:
description: "Ensure interactive boot is not enabled"
sub_checks:
- check:
audit: "grep \"^PROMPT_FOR_CONFIRM=\" /etc/sysconfig/boot"
audit: 'grep "^PROMPT_FOR_CONFIRM=" /etc/sysconfig/boot'
constraints:
boot:
- grub
@ -1040,7 +1036,7 @@ groups:
- rhel7
tests:
test_items:
- flag: "PROMPT_FOR_CONFIRM=\"no\""
- flag: 'PROMPT_FOR_CONFIRM="no"'
set: true
remediation: |
If interactive boot is available disable it.
@ -1062,7 +1058,6 @@ groups:
If interactive boot is available disable it.
scored: false
- id: 1.5
description: "Additional Process Hardening"
checks:
@ -1587,7 +1582,6 @@ groups:
SELINUXTYPE=targeted
scored: true
- id: 1.6.2.4
description: "Ensure SETroubleshoot is not installed"
sub_checks:
@ -1718,7 +1712,7 @@ groups:
scored: true
- id: 1.6.2.6
description: "Ensure no unconfined daemons exist"
audit: "ps -eZ | egrep \"initrc\" | grep -E -v -w \"tr|ps|egrep|bash|awk \" | tr ':' ' ' | awk '{ print $NF }'"
audit: 'ps -eZ | egrep "initrc" | grep -E -v -w "tr|ps|egrep|bash|awk " | tr '':'' '' '' | awk ''{ print $NF }'''
tests:
test_items:
- flag: ""
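Review bot: the requoted 1.6.2.6 audit keeps the pre-existing trailing space in the `-w` exclusion pattern, `"tr|ps|egrep|bash|awk "`, so the last alternative only matches `awk` followed by a space; the command name is the final column of `ps -eZ` output with nothing after it, which means the pipeline's own awk process is not excluded when the check runs in an initrc context and can surface as a false positive. Since the line is already being touched, drop the space: `grep -E -v -w "tr|ps|egrep|bash|awk"`. The `''` doubling used for the embedded single quotes in `tr '':'' '' ''` and the awk program is correct YAML single-quoted escaping and yields the same shell command as the old double-quoted form.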
@ -1802,7 +1796,6 @@ groups:
Any unconfined processes may need to have a profile created or activated for them and then be restarted.
scored: true
- id: 1.7
description: "Warning Banners"
checks:
@ -1895,7 +1888,6 @@ groups:
# chmod 644 /etc/motd
scored: true
- id: 1.7.1.5
description: "Ensure permissions on /etc/issue are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/issue"
@ -1977,7 +1969,7 @@ groups:
checks:
- id: 2.1.1.a
description: "Ensure chargen services are not enabled"
audit: "grep -R \"^chargen\" /etc/inetd.*"
audit: 'grep -R "^chargen" /etc/inetd.*'
tests:
test_items:
- flag: ""
@ -1992,7 +1984,7 @@ groups:
- id: 2.1.1.b
description: "Ensure chargen services are not enabled"
audit: "grep -R \"^chargen\" /etc/xinetd.conf /etc/xinetd.* "
audit: 'grep -R "^chargen" /etc/xinetd.conf /etc/xinetd.* '
tests:
test_items:
- flag: "disable"
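Review bot: the requoted 2.1.1.b audit still ends with a space inside the string (`/etc/xinetd.* '`) that none of the sibling 2.1.2.b to 2.1.9.b lines carry; in a whitespace cleanup commit it should be removed. Separately, `/etc/xinetd.*` already expands to `/etc/xinetd.conf`, so naming the file explicitly as well searches it twice and any `chargen` match is reported twice; `grep -R "^chargen" /etc/xinetd.*` alone covers both the file and `/etc/xinetd.d`.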
@ -2007,7 +1999,7 @@ groups:
- id: 2.1.2.a
description: "Ensure daytime services are not enabled"
audit: "grep -R \"^daytime\" /etc/inetd.*"
audit: 'grep -R "^daytime" /etc/inetd.*'
tests:
test_items:
- flag: ""
@ -2022,7 +2014,7 @@ groups:
- id: 2.1.2.b
description: "Ensure daytime services are not enabled"
audit: "grep -R \"^daytime\" /etc/xinetd.conf /etc/xinetd.*"
audit: 'grep -R "^daytime" /etc/xinetd.conf /etc/xinetd.*'
tests:
test_items:
- flag: "disable"
@ -2037,7 +2029,7 @@ groups:
- id: 2.1.3.a
description: "Ensure discard services are not enabled"
audit: "grep -R \"^discard\" /etc/inetd.*"
audit: 'grep -R "^discard" /etc/inetd.*'
tests:
test_items:
- flag: ""
@ -2052,7 +2044,7 @@ groups:
- id: 2.1.3.b
description: "Ensure discard services are not enabled"
audit: "grep -R \"^discard\" /etc/xinetd.conf /etc/xinetd.*"
audit: 'grep -R "^discard" /etc/xinetd.conf /etc/xinetd.*'
tests:
test_items:
- flag: "disable"
@ -2067,7 +2059,7 @@ groups:
- id: 2.1.4.a
description: "Ensure echo services are not enabled"
audit: "grep -R \"^echo\" /etc/inetd.*"
audit: 'grep -R "^echo" /etc/inetd.*'
tests:
test_items:
- flag: ""
@ -2082,7 +2074,7 @@ groups:
- id: 2.1.4.b
description: "Ensure echo services are not enabled"
audit: "grep -R \"^echo\" /etc/xinetd.conf /etc/xinetd.*"
audit: 'grep -R "^echo" /etc/xinetd.conf /etc/xinetd.*'
tests:
test_items:
- flag: "disable"
@ -2097,7 +2089,7 @@ groups:
- id: 2.1.5.a
description: "Ensure time services are not enabled"
audit: "grep -R \"^time\" /etc/inetd.*"
audit: 'grep -R "^time" /etc/inetd.*'
tests:
test_items:
- flag: ""
@ -2112,7 +2104,7 @@ groups:
- id: 2.1.5.b
description: "Ensure time services are not enabled"
audit: "grep -R \"^time\" /etc/xinetd.conf /etc/xinetd.*"
audit: 'grep -R "^time" /etc/xinetd.conf /etc/xinetd.*'
tests:
test_items:
- flag: "disable"
@ -2127,7 +2119,7 @@ groups:
- id: 2.1.6.a
description: "Ensure rsh server is not enabled"
audit: "grep -R \"^shell\" /etc/inetd.*; grep -R \"^login\" /etc/inetd.*; grep -R \"^exec\" /etc/inetd.*"
audit: 'grep -R "^shell" /etc/inetd.*; grep -R "^login" /etc/inetd.*; grep -R "^exec" /etc/inetd.*'
tests:
test_items:
- flag: ""
@ -2142,7 +2134,7 @@ groups:
- id: 2.1.6.b
description: "Ensure rsh server is not enabled"
audit: "grep -R \"^shell\" /etc/xinetd.*; grep -R \"^login\" /etc/xinetd.*; grep -R \"^exec\" /etc/xinetd.*"
audit: 'grep -R "^shell" /etc/xinetd.*; grep -R "^login" /etc/xinetd.*; grep -R "^exec" /etc/xinetd.*'
tests:
test_items:
- flag: "disable"
@ -2157,7 +2149,7 @@ groups:
- id: 2.1.7.a
description: "Ensure talk server is not enabled"
audit: "grep -R \"^talk\" /etc/inetd.*; grep -R \"^ntalk\" /etc/inetd.*"
audit: 'grep -R "^talk" /etc/inetd.*; grep -R "^ntalk" /etc/inetd.*'
tests:
test_items:
- flag: ""
@ -2172,7 +2164,7 @@ groups:
- id: 2.1.7.b
description: "Ensure talk server is not enabled"
audit: "grep -R \"^talk\" /etc/xinetd.*; grep -R \"^ntalk\" /etc/xinetd.*"
audit: 'grep -R "^talk" /etc/xinetd.*; grep -R "^ntalk" /etc/xinetd.*'
tests:
test_items:
- flag: "disable"
@ -2187,7 +2179,7 @@ groups:
- id: 2.1.8.a
description: "Ensure telnet server is not enabled"
audit: "grep -R \"^telnet\" /etc/inetd.*"
audit: 'grep -R "^telnet" /etc/inetd.*'
tests:
test_items:
- flag: ""
@ -2202,7 +2194,7 @@ groups:
- id: 2.1.8.b
description: "Ensure telnet server is not enabled"
audit: "grep -R \"^telnet\" /etc/xinetd.*"
audit: 'grep -R "^telnet" /etc/xinetd.*'
tests:
test_items:
- flag: "disable"
@ -2217,7 +2209,7 @@ groups:
- id: 2.1.9.a
description: "Ensure tftp server is not enabled"
audit: "grep -R \"^tftp\" /etc/inetd.*"
audit: 'grep -R "^tftp" /etc/inetd.*'
tests:
test_items:
- flag: ""
@ -2232,7 +2224,7 @@ groups:
- id: 2.1.9.b
description: "Ensure tftp server is not enabled"
audit: "grep -R \"^tftp\" /etc/xinetd.*"
audit: 'grep -R "^tftp" /etc/xinetd.*'
tests:
test_items:
- flag: "disable"
@ -2484,7 +2476,7 @@ groups:
- id: 2.2.1.2.b
description: "Ensure ntp is configured"
audit: "grep -E \"^(server|pool)\" /etc/ntp.conf"
audit: 'grep -E "^(server|pool)" /etc/ntp.conf'
type: manual
tests:
test_items:
@ -2525,7 +2517,7 @@ groups:
- rhel7
tests:
test_items:
- flag: "OPTIONS=\"-u ntp:ntp\""
- flag: 'OPTIONS="-u ntp:ntp"'
set: true
remediation: |
Add or edit restrict lines in `/etc/ntp.conf` to match the following:
@ -2557,7 +2549,7 @@ groups:
- ubuntu18
tests:
test_items:
- flag: "OPTIONS=\"-u ntp:ntp\""
- flag: 'OPTIONS="-u ntp:ntp"'
set: true
remediation: |
Add or edit restrict lines in `/etc/ntp.conf` to match the following:
@ -2593,7 +2585,7 @@ groups:
- rhel7
tests:
test_items:
- flag: "NTPD_OPTIONS=\"-u ntp:ntp\""
- flag: 'NTPD_OPTIONS="-u ntp:ntp"'
set: true
remediation: |
Add or edit restrict lines in `/etc/ntp.conf` to match the following:
@ -2625,7 +2617,7 @@ groups:
- ubuntu18
tests:
test_items:
- flag: "NTPD_OPTIONS=\"-u ntp:ntp\""
- flag: 'NTPD_OPTIONS="-u ntp:ntp"'
set: true
remediation: |
Add or edit restrict lines in `/etc/ntp.conf` to match the following:
@ -2688,7 +2680,7 @@ groups:
- id: 2.2.1.3.a
description: "Ensure chrony is configured"
audit: "grep -E \"^(server|pool)\" /etc/chrony.conf"
audit: 'grep -E "^(server|pool)" /etc/chrony.conf'
type: manual
tests:
test_items:
@ -2748,7 +2740,6 @@ groups:
# timedatectl set-ntp true
scored: true
- id: 2.2.2
description: "Ensure X Window System is not installed"
sub_checks:
@ -4785,7 +4776,6 @@ groups:
scored: true
- id: 3.2.3.a
description: "Ensure secure ICMP redirects are not accepted"
audit: "sysctl net.ipv4.conf.all.secure_redirects"
@ -5385,7 +5375,6 @@ groups:
where each `/` combination (for example, "192.168.1.0/255.255.255.0") represents one network block in use by your organization that requires access to this system.
scored: false
- id: 3.3.3
description: "Ensure /etc/hosts.deny is configured"
audit: "cat /etc/hosts.deny"
@ -5400,7 +5389,6 @@ groups:
scored: false
- id: 3.3.4
description: "Ensure permissions on /etc/hosts.allow are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/hosts.allow"
@ -5416,7 +5404,6 @@ groups:
scored: true
- id: 3.3.5
description: "Ensure permissions on /etc/hosts.deny are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/hosts.deny"
@ -5432,7 +5419,6 @@ groups:
scored: true
- id: 3.4
description: "Uncommon Network Protocols"
checks:
@ -5595,8 +5581,7 @@ groups:
type: manual
tests:
test_items:
-
flag: |
- flag: |
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
@ -5617,8 +5602,7 @@ groups:
type: manual
tests:
test_items:
-
flag: |
- flag: |
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
@ -5699,8 +5683,7 @@ groups:
type: manual
tests:
test_items:
-
flag: |
- flag: |
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
@ -5721,8 +5704,7 @@ groups:
type: manual
tests:
test_items:
-
flag: |
- flag: |
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
@ -5756,8 +5738,7 @@ groups:
type: manual
tests:
test_items:
-
flag: |
- flag: |
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
@ -5775,8 +5756,7 @@ groups:
type: manual
tests:
test_items:
-
flag: |
- flag: |
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
@ -5929,7 +5909,6 @@ groups:
# update-grub
scored: false
- id: 4
description: "Logging and Auditing"
- id: 4.1
@ -6446,7 +6425,6 @@ groups:
scored: true
- id: 4.1.9.b
description: "Ensure login and logout events are collected"
audit: "auditctl -l | grep logins"
@ -6642,7 +6620,6 @@ groups:
And add all resulting lines to the file.
scored: true
- id: 4.1.14.a
description: "Ensure successful file system mounts are collected"
audit: "grep mounts /etc/audit/rules.d/*.rules"
@ -6735,6 +6712,7 @@ groups:
and add the following lines:
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
scored: true
- id: 4.1.16.b
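Review bot: the hunk header records one added line in the 4.1.16.a remediation, between `-w /etc/sudoers.d/ -p wa -k scope` and `scored: true`, but nothing new is rendered, so it is presumably a blank line. Inside a `remediation: |` literal block a trailing blank line is discarded by the default clip chomping and the remediation string is unchanged; an indented whitespace-only line, by contrast, becomes part of the text. Worth confirming with `git diff -w --ignore-blank-lines` that this hunk and the matching ones for 4.1.16.b, 4.1.17.a, 4.1.17.b and 4.1.18.a below disappear entirely, which proves they are whitespace only.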
@ -6753,6 +6731,7 @@ groups:
and add the following lines:
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
scored: true
- id: 4.1.17.a
@ -6770,6 +6749,7 @@ groups:
Example: vi /etc/audit/rules.d/audit.rules
and add the following lines:
-w /var/log/sudo.log -p wa -k actions
scored: true
- id: 4.1.17.b
@ -6784,6 +6764,7 @@ groups:
Example: vi /etc/audit/rules.d/audit.rules
and add the following lines:
-w /var/log/sudo.log -p wa -k actions
scored: true
- id: 4.1.18.a
@ -6808,6 +6789,7 @@ groups:
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
scored: true
- id: 4.1.18.b
@ -7250,7 +7232,6 @@ groups:
scored: true
- id: 5.1.3
description: "Ensure permissions on /etc/cron.hourly are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.hourly"
@ -7266,7 +7247,6 @@ groups:
scored: true
- id: 5.1.4
description: "Ensure permissions on /etc/cron.daily are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.daily"
@ -7282,7 +7262,6 @@ groups:
scored: true
- id: 5.1.5
description: "Ensure permissions on /etc/cron.weekly are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.weekly"
@ -7298,7 +7277,6 @@ groups:
scored: true
- id: 5.1.6
description: "Ensure permissions on /etc/cron.monthly are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.monthly"
@ -7314,7 +7292,6 @@ groups:
scored: true
- id: 5.1.7
description: "Ensure permissions on /etc/cron.d are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.d"
@ -7330,7 +7307,6 @@ groups:
scored: true
- id: 5.1.8.a
description: "Ensure at/cron is restricted to authorized users"
audit: "stat /etc/cron.deny"
@ -7433,7 +7409,6 @@ groups:
scored: true
- id: 5.2.2
description: "Ensure permissions on SSH private host key files are configured"
audit: "find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat {} \\;"
@ -7484,7 +7459,6 @@ groups:
LogLevel INFO
scored: true
- id: 5.2.6
description: "Ensure SSH X11 forwarding is disabled"
audit: "grep ^X11Forwarding /etc/ssh/sshd_config"
@ -7499,8 +7473,6 @@ groups:
scored: true
- id: 5.2.7
description: "Ensure SSH MaxAuthTries is set to 4 or less"
audit: "sshd -T | grep maxauthtries"
@ -7532,7 +7504,6 @@ groups:
scored: true
- id: 5.2.9
description: "Ensure SSH HostbasedAuthentication is disabled"
audit: "sshd -T | grep hostbasedauthentication"
@ -7547,7 +7518,6 @@ groups:
scored: true
- id: 5.2.10
description: "Ensure SSH root login is disabled"
audit: "sshd -T | grep permitrootlogin"
@ -7562,8 +7532,6 @@ groups:
scored: true
- id: 5.2.11
description: "Ensure SSH PermitEmptyPasswords is disabled"
audit: "sshd -T | grep permitemptypasswords"
@ -7592,7 +7560,6 @@ groups:
scored: true
- id: 5.2.13
description: "Ensure only approved MAC algorithms are used"
audit: "sshd -T | grep ciphers"
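Review bot: the 5.2.13 context lines in this hunk describe the check as `Ensure only approved MAC algorithms are used` while the audit runs `sshd -T | grep ciphers` and the remediation that follows sets a `Ciphers` line; the MAC check is 5.2.14 (`Ensure only strong MAC algorithms are used`), so 5.2.13's description looks like a copy-paste slip and should read `Ensure only strong Ciphers are used` to match what it tests. Out of scope for a whitespace commit, but it would be good to fix in a follow-up before the two descriptions confuse anyone reading the report.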
@ -7626,10 +7593,9 @@ groups:
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
scored: true
- id: 5.2.14
description: "Ensure only strong MAC algorithms are used"
audit: "sshd -T | grep -i \"MACs\""
audit: 'sshd -T | grep -i "MACs"'
tests:
bin_op: and
test_items:
@ -7749,7 +7715,6 @@ groups:
scored: true
- id: 5.2.18.a
description: "Ensure SSH access is limited"
audit: "sshd -T | grep allowusers"
@ -7880,7 +7845,6 @@ groups:
MaxSessions 4
scored: true
- id: 5.3
description: "Configure PAM"
checks:
@ -8199,7 +8163,6 @@ groups:
scored: true
- id: 5.4.4.a
description: "Ensure default user umask is 027 or more restrictive"
sub_checks:
@ -8402,10 +8365,9 @@ groups:
scored: true
- id: 6.1.3
description: "Ensure permissions on /etc/shadow are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G permissions=%a\" /etc/shadow"
audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/shadow'
tests:
bin_op: and
test_items:
@ -8414,7 +8376,7 @@ groups:
- flag: "Gid"
compare:
op: regex
value: 'shadow|root'
value: "shadow|root"
set: true
- flag: "permissions"
compare:
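Review bot: the quoting change here runs in the opposite direction to the audit lines above (`'shadow|root'` becomes `"shadow|root"` while strings containing `"` move to single quotes). That is consistent if the rule is "double quotes by default, single quotes only when the value contains a double quote", which is what a YAML formatter such as prettier produces, but the commit message does not say so. State the convention in the message or add a `.yamllint` / formatter config to the repo so the next contributor does not flip them back.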
@ -8430,10 +8392,9 @@ groups:
scored: true
- id: 6.1.4
description: "Ensure permissions on /etc/group are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G/%g permissions=%a\" /etc/group"
audit: 'stat -c "Uid:%U/%u Gid:%G/%g permissions=%a" /etc/group'
tests:
test_items:
- flag: "Uid:root/0 Gid:root/0 permissions=644"
@ -8446,10 +8407,9 @@ groups:
scored: true
- id: 6.1.5
description: "Ensure permissions on /etc/gshadow are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G permissions=%a\" /etc/gshadow"
audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/gshadow'
tests:
bin_op: and
test_items:
@ -8458,7 +8418,7 @@ groups:
- flag: "Gid"
compare:
op: regex
value: 'shadow|root'
value: "shadow|root"
set: true
- flag: "permissions"
compare:
@ -8476,7 +8436,7 @@ groups:
- id: 6.1.6
description: "Ensure permissions on /etc/passwd- are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G/%g permissions=%a\" /etc/passwd-"
audit: 'stat -c "Uid:%U/%u Gid:%G/%g permissions=%a" /etc/passwd-'
tests:
bin_op: and
test_items:
@ -8495,10 +8455,9 @@ groups:
scored: true
- id: 6.1.7
description: "Ensure permissions on /etc/shadow- are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G permissions=%a\" /etc/shadow-"
audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/shadow-'
tests:
bin_op: and
test_items:
@ -8507,7 +8466,7 @@ groups:
- flag: "Gid"
compare:
op: regex
value: 'shadow|root'
value: "shadow|root"
set: true
- flag: "permissions"
compare:
@ -8523,10 +8482,9 @@ groups:
scored: true
- id: 6.1.8
description: "Ensure permissions on /etc/group- are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G/%g permissions=%a\" /etc/group-"
audit: 'stat -c "Uid:%U/%u Gid:%G/%g permissions=%a" /etc/group-'
tests:
bin_op: and
test_items:
@ -8545,10 +8503,9 @@ groups:
scored: true
- id: 6.1.9
description: "Ensure permissions on /etc/gshadow- are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G permissions=%a\" /etc/gshadow-"
audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/gshadow-'
tests:
bin_op: and
test_items:
@ -8557,7 +8514,7 @@ groups:
- flag: "Gid"
compare:
op: regex
value: 'shadow|root'
value: "shadow|root"
set: true
- flag: "permissions"
compare:
@ -8573,7 +8530,6 @@ groups:
scored: true
- id: 6.1.10.a
description: "Ensure no world writable files exist"
audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 | head -n 100"
@ -8691,7 +8647,7 @@ groups:
checks:
- id: 6.2.1
description: "Ensure password fields are not empty"
audit: "awk -F: '($2 == \"\" ) { print $1 \" does not have a password \"}' /etc/shadow"
audit: 'awk -F: ''($2 == "" ) { print $1 " does not have a password "}'' /etc/shadow'
tests:
test_items:
- flag: ""
@ -8708,7 +8664,7 @@ groups:
scored: true
- id: 6.2.2
description: "Ensure no legacy \"+\" entries exist in /etc/passwd"
description: 'Ensure no legacy "+" entries exist in /etc/passwd'
audit: "grep '^\\+:' /etc/passwd"
tests:
test_items:
@ -8721,9 +8677,8 @@ groups:
Remove any legacy '+' entries from `/etc/passwd` if they exist.
scored: true
- id: 6.2.3
description: "Ensure no legacy \"+\" entries exist in /etc/shadow"
description: 'Ensure no legacy "+" entries exist in /etc/shadow'
audit: "grep '^\\+:' /etc/shadow"
tests:
test_items:
@ -8736,9 +8691,8 @@ groups:
Remove any legacy '+' entries from `/etc/shadow` if they exist.
scored: true
- id: 6.2.4
description: "Ensure no legacy \"+\" entries exist in /etc/group"
description: 'Ensure no legacy "+" entries exist in /etc/group'
audit: "grep '^\\+:' /etc/group"
tests:
test_items:
@ -8751,7 +8705,6 @@ groups:
Remove any legacy '+' entries from `/etc/group` if they exist.
scored: true
- id: 6.2.5
description: "Ensure root is the only UID 0 account"
audit: "awk -F: '($3 == 0) { print $1 }' /etc/passwd"
@ -8810,7 +8763,6 @@ groups:
Correct or justify any items discovered in the Audit step.
scored: true
- id: 6.2.7
description: "Ensure all users' home directories exist"
audit: |
@ -8892,7 +8844,6 @@ groups:
Change the ownership of any home directories that are not owned by the defined user to the correct user.
scored: true
- id: 6.2.10
description: "Ensure users' dot files are not group or world writable"
audit: |
@ -8949,7 +8900,6 @@ groups:
Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user `.forward` files and determine the action to be taken in accordance with site policy.
scored: true
- id: 6.2.12
description: "Ensure no users have .netrc files"
audit: |
@ -9137,7 +9087,6 @@ groups:
Based on the results of the audit script, establish unique user names for the users. File ownerships will automatically reflect the change as long as the users have unique UIDs.
scored: true
- id: 6.2.19
description: "Ensure no duplicate group names exist"
audit: |
@ -9177,7 +9126,7 @@ groups:
- id: 6.2.20.b
description: "Ensure shadow group is empty"
audit: "awk -F: '($4 == \"\") { print }' /etc/passwd"
audit: 'awk -F: ''($4 == "") { print }'' /etc/passwd'
tests:
test_items:
- flag: ""
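Review bot: the requoted 6.2.20.b audit preserves a logic error: `awk -F: '($4 == "") { print }' /etc/passwd` only prints passwd entries whose GID field is empty, so it says nothing about membership of the shadow group and the check passes regardless. The intent (per the description and the remediation, which talks about users whose primary group is shadow) is to compare `$4` against the shadow group's GID, for example `awk -F: -v gid="$(awk -F: '$1 == "shadow" { print $3 }' /etc/group)" '$4 == gid { print }' /etc/passwd`; in the YAML single-quoted form each embedded `'` must be doubled as this commit does elsewhere.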
@ -9188,4 +9137,3 @@ groups:
remediation: |
Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group.
scored: true