Adding multiple passwd/group/shadow controls #165

Open

wants to merge 7 commits into base: master

Commits on Nov 4, 2021

  1. feat: add rule to check for password change dates in the past

    A password changed date in the future could be used to circumvent
    password expiration dates. This rule checks that any password change
    dates are in the past.
    
    Signed-off-by: Claudius Heine <[email protected]>
    cmhe committed Nov 4, 2021 (commit b1fa8c1)
  2. feat: add control to check if system users are non-login

    System users should be prevented from login with exceptions for
    applications that are non-interactive.
    
    Signed-off-by: Claudius Heine <[email protected]>
    cmhe committed Nov 4, 2021 (commit 458a6e7)
  3. feat: add rule to check root user is member of group root

    This rule makes sure that the assumption that user `root` (uid=0) is
    the sole member of group `root` (gid=0) is true. This prevents
    access to any root-owned files by non-privileged users.
    
    Signed-off-by: Claudius Heine <[email protected]>
    cmhe committed Nov 4, 2021 (commit 49b94e6)
  4. feat: add control to check for legacy NIS entries in account files

    '+' and '-' were prepended to lines in account files (/etc/passwd,
    /etc/group, /etc/shadow) to signify whether fields should be overwritten
    or inserted from a NIS server. Since NIS is an insecure and legacy
    technology that has been replaced by other software, this check makes
    sure that no such entries exist anymore.
    
    Signed-off-by: Claudius Heine <[email protected]>
    cmhe committed Nov 4, 2021 (commit 18a5383)
  5. feat: add rule to check users and groups are unique

    Signed-off-by: Claudius Heine <[email protected]>
    cmhe committed Nov 4, 2021 (commit 29211f2)
  6. feat: add rule to ensure shadow group does not have any members

    Members of the shadow group could have access to password hashes and
    other content of the shadow files.
    
    Signed-off-by: Claudius Heine <[email protected]>
    cmhe committed Nov 4, 2021 (commit 137b573)
  7. feat: add rules to ensure that all referred users and gids exist

    Signed-off-by: Claudius Heine <[email protected]>
    cmhe committed Nov 4, 2021 (commit 4c607b0)
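The seven checks these commits describe, as one added Ruby example that is not code from this pull request or from the project: it parses /etc/passwd, /etc/group and /etc/shadow from strings, runs every check and returns a list of findings. The uid threshold (SYSTEM_UID_MAX), the non-login shell list, the login exceptions, the fixed audit day 18935 and all sample entries are assumptions and constructed data, not values taken from the project.

```ruby
# Added example, not the project's own code: stand-alone audit of the three
# account files implementing the seven checks above. Inputs are strings so it
# runs offline; the sample data at the bottom is constructed and breaks every
# rule at least once. The thresholds below are assumptions, not project values.
SYSTEM_UID_MAX   = 999                                   # assumption: Debian-style uid split
NOLOGIN_SHELLS   = %w[/usr/sbin/nologin /sbin/nologin /bin/false].freeze
LOGIN_EXCEPTIONS = %w[root sync].freeze                  # assumption: non-interactive accounts allowed a shell

# Split a colon-separated account file into rows, keeping the raw line so the
# NIS check can see a leading '+'/'-' that field splitting would hide.
def parse(text)
  text.each_line.map(&:chomp).reject(&:empty?).map { |l| { raw: l, f: l.split(':', -1) } }
end
def members(group_row)
  group_row[:f][3].to_s.split(',').reject(&:empty?)
end
def duplicates(values)
  values.group_by(&:itself).select { |_, v| v.size > 1 }.keys
end

# Returns an array of finding strings; empty means every check passed.
def audit(passwd_txt, group_txt, shadow_txt, today_days: Time.now.to_i / 86_400)
  files = { 'passwd' => parse(passwd_txt), 'group' => parse(group_txt), 'shadow' => parse(shadow_txt) }
  findings = []
  # 4. Legacy NIS compat entries start with '+' or '-': report them, then drop
  #    them so the remaining checks only see real accounts.
  files.each do |fname, rows|
    nis, rest = rows.partition { |r| r[:raw].start_with?('+', '-') }
    nis.each { |r| findings << "#{fname}: legacy NIS entry #{r[:f][0]}" }
    rows.replace(rest)
  end
  passwd, group, shadow = files.values_at('passwd', 'group', 'shadow')
  # 1. shadow field 3 is the last-change day (days since 1970-01-01); a future
  #    day defers max-age expiry indefinitely.
  shadow.each do |r|
    last = r[:f][2].to_s
    next if last.empty? || last.to_i <= today_days
    findings << "shadow: #{r[:f][0]} password changed on day #{last}, after today (#{today_days})"
  end
  # 2. System accounts get a non-login shell unless explicitly excepted.
  passwd.each do |r|
    name, uid, shell = r[:f][0], r[:f][2].to_i, r[:f][6]
    next if uid > SYSTEM_UID_MAX || LOGIN_EXCEPTIONS.include?(name) || NOLOGIN_SHELLS.include?(shell)
    findings << "passwd: system user #{name} has login shell #{shell}"
  end
  # 3. root is uid 0 / gid 0, and nothing else shares uid 0, gid 0 or group root.
  root = passwd.find { |r| r[:f][0] == 'root' }
  findings << 'passwd: root must be uid 0 with primary gid 0' unless root && root[:f][2] == '0' && root[:f][3] == '0'
  passwd.reject { |r| r[:f][0] == 'root' }.each do |r|
    findings << "passwd: #{r[:f][0]} has uid 0" if r[:f][2] == '0'
    findings << "passwd: #{r[:f][0]} has primary gid 0" if r[:f][3] == '0'
  end
  root_grp = group.find { |g| g[:f][0] == 'root' }
  findings << 'group: root must be gid 0' unless root_grp && root_grp[:f][2] == '0'
  extra = root_grp ? members(root_grp) - ['root'] : []
  findings << "group: root has extra members #{extra.join(',')}" unless extra.empty?
  # 5. Names, uids and gids must be unique within their file.
  duplicates(passwd.map { |r| r[:f][0] }).each { |n| findings << "passwd: duplicate user name #{n}" }
  duplicates(passwd.map { |r| r[:f][2] }).each { |u| findings << "passwd: duplicate uid #{u}" }
  duplicates(group.map { |g| g[:f][0] }).each { |n| findings << "group: duplicate group name #{n}" }
  duplicates(group.map { |g| g[:f][2] }).each { |i| findings << "group: duplicate gid #{i}" }
  # 6. Group shadow can read the password hashes; nobody should belong to it.
  if (sg = group.find { |g| g[:f][0] == 'shadow' })
    findings << "group: shadow has members #{members(sg).join(',')}" unless members(sg).empty?
    passwd.select { |r| r[:f][3] == sg[:f][2] }.each { |r| findings << "passwd: #{r[:f][0]} has shadow as primary group" }
  end
  # 7. Every primary gid must exist in group; every group member must exist in passwd.
  gids  = group.map { |g| g[:f][2] }
  names = passwd.map { |r| r[:f][0] }
  passwd.each { |r| findings << "passwd: #{r[:f][0]} references missing gid #{r[:f][3]}" unless gids.include?(r[:f][3]) }
  group.each { |g| (members(g) - names).each { |m| findings << "group: #{g[:f][0]} lists unknown user #{m}" } }
  findings
end

# Constructed sample files (not from any real host); each violates at least one rule.
SAMPLE_PASSWD = <<~'EOS'
  root:x:0:0:root:/root:/bin/bash
  sync:x:4:65534:sync:/bin:/bin/sync
  backup:x:34:34:backup:/var/backups:/bin/bash
  +@admins::::::
  toor:x:0:0:toor:/root:/bin/bash
  alice:x:1000:1000:Alice:/home/alice:/bin/bash
  bob:x:1000:1000:Bob:/home/bob:/bin/bash
  carol:x:1002:4242:Carol:/home/carol:/bin/bash
EOS
SAMPLE_GROUP = <<~'EOS'
  root:x:0:toor
  backup:x:34:
  shadow:x:42:alice
  alice:x:1000:
  bob:x:1000:
  nogroup:x:65534:
  staff:x:50:alice,mallory
EOS
SAMPLE_SHADOW = <<~'EOS'
  root:*:18900:0:99999:7:::
  alice:$6$salt$hash:19400:0:99999:7:::
EOS
# 18935 is 2021-11-04 in days since the epoch, pinned so the run is reproducible.
audit(SAMPLE_PASSWD, SAMPLE_GROUP, SAMPLE_SHADOW, today_days: 18_935).each { |f| puts "FAIL #{f}" } if __FILE__ == $PROGRAM_NAME
```

Run as a script it prints one FAIL line per violation in the constructed data; on a live host call `audit(File.read('/etc/passwd'), File.read('/etc/group'), File.read('/etc/shadow'))` as root (shadow is not world-readable) and let `today_days` default to the current day. The NIS check runs first and strips '+'/'-' lines so that a compat entry's empty uid and gid fields are not misreported by the later checks.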