cis-dil-benchmark
Update file controls to support more restrictive modes allowed by certain CIS criteria
Certain CIS criteria note that file permissions should be "### or more restrictive", but the InSpec controls only support the listed mode, for example:
- CIS 6.1.3 "verify Access is 640 or more restrictive", InSpec control requires exactly 0640 or fails
- CIS 6.1.7 "verify Access is 600 or more restrictive", InSpec control requires exactly 0600 or fails
These are just two examples but I'm sure there are other CIS criteria that are also affected.
Seems like this would be a matter of updating these controls to remove the should be_X conditions, right?
i.e. for CIS 6.1.7:
```ruby
describe file('/etc/shadow-') do
  it { should exist }
  # The positive "owner must be able to read/write" assertions are what force
  # an exact 0600; dropping them leaves only the "no access for group/other"
  # checks, which a more restrictive mode (0400, 0000) also satisfies.
  #it { should be_readable.by 'owner' }
  #it { should be_writable.by 'owner' }
  it { should_not be_executable.by 'owner' }
  it { should_not be_readable.by 'group' }
  it { should_not be_writable.by 'group' }
  it { should_not be_executable.by 'group' }
  it { should_not be_readable.by 'other' }
  it { should_not be_writable.by 'other' }
  it { should_not be_executable.by 'other' }
  its(:uid) { should cmp 0 }
  its(:gid) { should cmp 0 }
  its(:sticky) { should equal false }
  its(:suid) { should equal false }
  its(:sgid) { should equal false }
end
```
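The underlying test for "mode X or more restrictive" is a bitmask check, not a numeric comparison: a mode passes when it grants no permission bit that the maximum allowed mode does not grant, so `(mode & ~max_mode) == 0`. Numeric `<=` gets this wrong (0577 is numerically below 0600 but gives group and other full access). The Ruby below is an added example, not code from the cis-dil-benchmark profile or InSpec itself; it shows the check in isolation, with a helper that names the offending bits so a failure message says exactly which class has excess access. The function names and the sample modes are constructed for this illustration; I believe recent InSpec file resources also ship a `be_more_permissive_than` matcher that does the same thing, but this example does not depend on it.

```ruby
# Added example, not part of the cis-dil-benchmark profile.
# Implements the CIS "mode X or more restrictive" rule as a bitmask test.

# Permission bits under test: rwx for owner/group/other plus setuid,
# setgid and sticky. File type bits from stat are masked off.
PERM_MASK = 0o7777

# True when +mode+ grants nothing that +max_mode+ does not grant.
def at_most_as_permissive?(mode, max_mode)
  ((mode & PERM_MASK) & ~max_mode).zero?
end

# Lists the bits by which +mode+ exceeds +max_mode+, e.g. ["group: r"].
# Empty array means the mode is compliant.
def excess_bits(mode, max_mode)
  extra = (mode & PERM_MASK) & ~max_mode
  findings = []
  { 'owner' => 6, 'group' => 3, 'other' => 0 }.each do |name, shift|
    bits = (extra >> shift) & 0o7
    next if bits.zero?

    letters = ''
    letters << 'r' unless (bits & 0o4).zero?
    letters << 'w' unless (bits & 0o2).zero?
    letters << 'x' unless (bits & 0o1).zero?
    findings << "#{name}: #{letters}"
  end
  findings << 'setuid' unless (extra & 0o4000).zero?
  findings << 'setgid' unless (extra & 0o2000).zero?
  findings << 'sticky' unless (extra & 0o1000).zero?
  findings
end

# Checks a file on disk against a maximum mode written as an octal string
# such as '0600' (the form the CIS text uses).
def file_within_mode?(path, max_mode_str)
  at_most_as_permissive?(File.stat(path).mode, max_mode_str.oct)
end

# Constructed sample modes a CIS 6.1.7 style check of /etc/shadow- might see.
if __FILE__ == $PROGRAM_NAME
  { 0o600 => true, 0o400 => true, 0o000 => true,
    0o640 => false, 0o577 => false, 0o4600 => false }.each do |mode, expected|
    ok = at_most_as_permissive?(mode, 0o600)
    detail = ok ? '' : " (excess: #{excess_bits(mode, 0o600).join(', ')})"
    puts format('%04o vs 0600 -> %-5s expected %-5s%s', mode, ok, expected, detail)
  end
end
```

Run as a script it prints one line per sample mode; in a profile you would call `file_within_mode?` (or the equivalent matcher) instead of the exact `be_readable.by 'owner'` assertions, so 0400 and 0000 pass where 0640 and 0577 fail.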
6.1.5 as well.
I think you're right about this and I will accept PRs for this change. At the moment I'm a bit limited in time to pick this up myself.