commit 11ef3737d2ca10ee5bedbbb716bee5360ed3087c
author Dmitry Teselkin <dteselkin@mirantis.com> Mon Sep 03 15:32:07 2018 +0300
committer Dmitry Teselkin <dteselkin@mirantis.com> Mon Sep 03 15:32:07 2018 +0300
tree e2ad4f8c35239aaad97f45b7d055c450aa4bb9c0
parent 0f084a01cee47a299fb2f60791a3296728000e55

CIS 6.1.2-6.1.9

CIS items copied from cisbench:
* CIS 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
* CIS 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
* CIS 6.1.4 Ensure permissions on /etc/group are configured (Scored)
* CIS 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
* CIS 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
* CIS 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
* CIS 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
* CIS 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)

Change-Id: I195d08a98c2401a9b0fa8f146ee4b365f933fa1f

metadata/service/system/cis/cis-6-1-4.yml

diff --git a/metadata/service/system/cis/cis-6-1-4.yml b/metadata/service/system/cis/cis-6-1-4.yml
new file mode 100644
index 0000000..d5b2ffd
--- /dev/null
+++ b/metadata/service/system/cis/cis-6-1-4.yml
@@ -0,0 +1,38 @@
+# CIS 6.1.4 Ensure permissions on /etc/group are configured
+#
+# Description
+# ===========
+# The /etc/group file contains a list of all the valid groups defined in the
+# system. The command below allows read/write access for root and read access
+# for everyone else.
+#
+# Rationale
+# =========
+# The /etc/group file needs to be protected from unauthorized changes by
+# non-privileged users, but needs to be readable as this information is used
+# with many non-privileged programs.
+#
+# Audit
+# =====
+# Run the following command and verify Uid and Gid are both 0/root and
+# Access is 644 :
+#
+#   # stat /etc/group
+#   Access: (0644/-rw-r--r--) Uid: (0/root) Gid: (0/root)
+#
+# Remediation
+# ===========
+# Run the following command to set permissions on /etc/group :
+#
+#   # chown root:root /etc/group
+#   # chmod 644 /etc/group
+#
+parameters:
+  linux:
+    system:
+      file:
+        /etc/group:
+          user: 'root'
+          group: 'root'
+          mode: '0644'
+