File permissions of `/etc/passwd-` are not aligned with the CIS RHEL 8 Benchmark 1.0.0
Because of an issue with the CIS Benchmark, the remediation of the SCAP rule that ensures permissions on the `/etc/passwd-` backup file configures permissions to `0644`. However, the `CIS Red Hat Enterprise Linux 8 Benchmark 1.0.0` requires file permissions `0600` for that file. As a consequence, the file permissions of `/etc/passwd-` are not aligned with the benchmark after remediation.
Created attachment 1701783: CIS rule for /etc/passwd-
Description of problem:
Hi,
I loaded the CIS rules for RHEL8 without any tailoring. Looking at this one: xccdf_org.ssgproject.content_rule_file_permissions_backup_etc_passwd
The description says:
To properly set the permissions of /etc/passwd-, run the command: $ sudo chmod 0644 /etc/passwd-
Looking at the CIS benchmark for RHEL8 V1.0.0, the rule actually says:
6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
# chown root:root /etc/passwd-
# chmod u-x,go-rwx /etc/passwd-
(it's a chmod 0600).
Version-Release number of selected component (if applicable):
scap-security-guide.noarch 0.1.50-7.el8
How reproducible:
Load the CIS rule, remediate using ansible, run another auditing tool like tripwire checking compliance with CIS 1.0.0 for RHEL8. It will fail because the /etc/passwd- (backup file) has chmod 0644 and not 0600.
Steps to Reproduce:
1.
2.
3.
Actual results:
/etc/passwd- is 0644
Expected results:
CIS says in 6.1.6 it should be 0600.
Additional info:
We have no variable we can modify, to manually change to 0600 instead of 0640.
Since I loaded only the rules for CIS for RHEL8, it should be matching. If that rule is required by another standard, then it should have a variable, allowing the user to fix it for CIS.
Comment 1 Gabriel Gaspar Becker 2020-07-20 16:59:07 UTC
This is a known issue on CIS benchmarks for RHEL8. If you look at the equivalent requirement for RHEL7 you will see permissions 0644 or stricter there. We have opened a ticket on the CIS system to track this issue already.
The issue here is that the package responsible for creating the backup file /etc/passwd- always creates it with 0644, which is the same permissions as the actual configuration file /etc/passwd.
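The mismatch described in this report, as an added example that is not code from the bug report or from scap-security-guide: a small audit of /etc/passwd- against CIS 6.1.6 (root:root, mode 0600), plus a scratch-file demonstration that the SSG remediation's `chmod 0644` and the benchmark's `chmod u-x,go-rwx` end in different modes. It assumes GNU coreutils stat(1) and mktemp(1); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report or scap-security-guide): audit
# /etc/passwd- against CIS RHEL 8 Benchmark 1.0.0 rule 6.1.6 (root:root,
# mode 0600) and show on a scratch file why the SSG remediation's 0644
# fails that check. Assumes GNU coreutils stat(1) and mktemp(1).

# mode_of FILE: print the mode as four octal digits (stat prints "644").
mode_of() {
    m=$(stat -c '%a' "$1") || return 2
    printf '%04d\n' "$m"
}

# check_file_mode FILE EXPECTED: succeed if the mode is EXPECTED (0600 or 600).
check_file_mode() {
    actual=$(stat -c '%a' "$1") || return 2
    [ "$actual" = "$(printf '%s' "$2" | sed 's/^0*//')" ]
}

# check_owner FILE USER GROUP: succeed if FILE is owned by USER:GROUP.
check_owner() {
    [ "$(stat -c '%U:%G' "$1" 2>/dev/null)" = "$2:$3" ]
}

# audit_passwd_backup [FILE]: report CIS 6.1.6 status; returns 0 if compliant.
audit_passwd_backup() {
    f=${1:-/etc/passwd-}
    rc=0
    check_owner "$f" root root || { echo "FAIL $f owner is $(stat -c '%U:%G' "$f"), expected root:root"; rc=1; }
    if check_file_mode "$f" 0600; then
        echo "PASS $f mode is 0600"
    else
        echo "FAIL $f mode is $(mode_of "$f"), CIS 6.1.6 expects 0600 (SSG remediates to 0644)"
        rc=1
    fi
    return $rc
}

# demo_divergence: on a scratch file, apply the SSG mode, then the CIS
# command, and print both results; expected output "0644 0600".
demo_divergence() {
    tmp=$(mktemp) || return 2
    chmod 0644 "$tmp"          # what the SSG remediation sets
    ssg=$(mode_of "$tmp")
    chmod u-x,go-rwx "$tmp"    # what CIS 6.1.6 prescribes
    cis=$(mode_of "$tmp")
    rm -f "$tmp"
    echo "$ssg $cis"
}

demo_divergence
# To audit the real file: audit_passwd_backup /etc/passwd-
```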