harbian-audit
Shadow utils checks are not possible to maintain with current requirements.
Hi there.
I'm currently fighting the harbian-audit checks for the following files:
- /etc/shadow
- /etc/shadow-
- /etc/gshadow
- /etc/gshadow-
harbian-audit expects the main files to be 640, while the backups with - at the end must be 600 - but this isn't possible to maintain. The shadow backup tools do not have a configurable UMASK, so they will always clobber the permissions of the main files. The only way for the - to maintain a 600 mode is for the main files to also have a 600 mode set. Otherwise every change to the primary file will result in the backup being clobbered to 640. There is no negative impact on these files being set to 600 from what I can tell, so both the primary check and the secondary checks should be set to 600.
Additionally, the same issue affects /etc/passwd and /etc/group and their backups - however, you cannot set the main files to 600 or it breaks the system's ability to resolve the username and group names when a user logs in. I can see no way to reconcile this with the 640/600 requirements for main file/backup - these audits need to be adjusted.
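A read-only check for the drift described in this issue, as an added example that is not part of the original post or of harbian-audit: it compares the mode of each shadow file with that of its `-` backup under a given root directory. The function names, verdict strings and the `demo` sample tree are assumptions made for illustration, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example, not harbian-audit code. Assumes GNU stat (coreutils).
# Limits follow the issue text: main file 640, "-" backup 600.

# exceeds ACTUAL ALLOWED: true when ACTUAL grants a bit that ALLOWED lacks.
exceeds() { [ $(( 0$1 & ~0$2 & 07777 )) -ne 0 ]; }

# audit_pair ROOT NAME MAIN_MAX BACKUP_MAX
# Prints "<name> main=<mode> backup=<mode> <verdict>"; status 0 only for "ok".
audit_pair() {
    local root="$1" name="$2" main_max="$3" backup_max="$4" m b verdict=ok
    if [ ! -e "$root/$name" ] || [ ! -e "$root/$name-" ]; then
        echo "$name missing"; return 2
    fi
    m=$(stat -c '%a' "$root/$name")
    b=$(stat -c '%a' "$root/$name-")
    if exceeds "$m" "$main_max"; then
        verdict=main-too-open
    elif exceeds "$b" "$backup_max"; then
        # A backup carrying the main file's mode is the drift the issue reports.
        if [ "$b" = "$m" ]; then verdict=backup-follows-main
        else verdict=backup-too-open; fi
    fi
    echo "$name main=$m backup=$b $verdict"
    [ "$verdict" = ok ]
}

# audit_all ROOT: apply the 640/600 limits to shadow and gshadow under ROOT.
audit_all() {
    local root="$1" rc=0 f
    for f in shadow gshadow; do
        audit_pair "$root" "$f" 640 600 || rc=1
    done
    return "$rc"
}

# demo: constructed sample tree, so nothing under /etc is read or changed.
demo() {
    local d rc=0
    d=$(mktemp -d)
    : > "$d/shadow";  : > "$d/shadow-";  chmod 640 "$d/shadow" "$d/shadow-"
    : > "$d/gshadow"; : > "$d/gshadow-"; chmod 600 "$d/gshadow" "$d/gshadow-"
    audit_all "$d" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || true
```

Running `audit_all /etc` as root applies the same comparison to the live files without modifying them.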