CIS 6.1.2-6.1.9
CIS items copied from cisbench:
* CIS 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
* CIS 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
* CIS 6.1.4 Ensure permissions on /etc/group are configured (Scored)
* CIS 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
* CIS 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
* CIS 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
* CIS 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
* CIS 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
Change-Id: I195d08a98c2401a9b0fa8f146ee4b365f933fa1f
diff --git a/metadata/service/system/cis/cis-6-1-3.yml b/metadata/service/system/cis/cis-6-1-3.yml
new file mode 100644
index 0000000..7bcd373
--- /dev/null
+++ b/metadata/service/system/cis/cis-6-1-3.yml
@@ -0,0 +1,39 @@
+# CIS 6.1.3 Ensure permissions on /etc/shadow are configured
+#
+# Description
+# ===========
+# The /etc/shadow file is used to store the information about user accounts
+# that is critical to the security of those accounts, such as the hashed
+# password and other security information.
+#
+# Rationale
+# =========
+# If attackers can gain read access to the /etc/shadow file, they can easily
+# run a password cracking program against the hashed password to break it.
+# Other security information that is stored in the /etc/shadow file (such
+# as expiration) could also be useful to subvert the user accounts.
+#
+# Audit
+# =====
+# Run the following command and verify Uid is 0/root , Gid is <gid>/shadow ,
+# and Access is 640 or more restrictive:
+#
+# # stat /etc/shadow
+# Access: (0640/-rw-r-----) Uid: (0/root) Gid: (42/shadow)
+#
+# Remediation
+# ===========
+# Run the one following commands to set permissions on /etc/shadow :
+#
+# # chown root:shadow /etc/shadow
+# # chmod o-rwx,g-wx /etc/shadow
+#
+parameters:
+ linux:
+ system:
+ file:
+ /etc/shadow:
+ user: 'root'
+ group: 'shadow'
+ mode: '0640'
+