CIS 6.1.2-6.1.9
CIS items copied from cisbench:
* CIS 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
* CIS 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
* CIS 6.1.4 Ensure permissions on /etc/group are configured (Scored)
* CIS 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
* CIS 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
* CIS 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
* CIS 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
* CIS 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
Change-Id: I195d08a98c2401a9b0fa8f146ee4b365f933fa1f
diff --git a/metadata/service/system/cis/cis-6-1-5.yml b/metadata/service/system/cis/cis-6-1-5.yml
new file mode 100644
index 0000000..87ef05a
--- /dev/null
+++ b/metadata/service/system/cis/cis-6-1-5.yml
@@ -0,0 +1,39 @@
+# CIS 6.1.5 Ensure permissions on /etc/gshadow are configured
+#
+# Description
+# ===========
+# The /etc/gshadow file is used to store the information about groups that
+# is critical to the security of those accounts, such as the hashed password
+# and other security information.
+#
+# Rationale
+# =========
+# If attackers can gain read access to the /etc/gshadow file, they can easily
+# run a password cracking program against the hashed password to break it.
+# Other security information that is stored in the /etc/gshadow file (such as
+# group administrators) could also be useful to subvert the group.
+#
+# Audit
+# =====
+# Run the following command and verify verify Uid is 0/root ,
+# Gid is <gid>/shadow , and Access is 640 or more restrictive:
+#
+# # stat /etc/gshadow
+# Access: (0640/-rw-r-----) Uid: (0/root) Gid: (42/shadow)
+#
+# Remediation
+# ===========
+# Run the following commands to set permissions on /etc/gshadow :
+#
+# # chown root:shadow /etc/gshadow
+# # chmod o-rwx,g-rw /etc/gshadow
+#
+parameters:
+ linux:
+ system:
+ file:
+ /etc/gshadow:
+ user: 'root'
+ group: 'shadow'
+ mode: '0640'
+
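Review bot: the remediation command in the header comment, `chmod o-rwx,g-rw /etc/gshadow`, strips group read and leaves the file at 0600, which does not match the expected audit state shown two paragraphs above (`Access: (0640/-rw-r-----) ... Gid: (42/shadow)`) or the `mode: '0640'` that the `parameters` block below actually enforces; either change the comment to `chmod o-rwx,g-wx /etc/gshadow` (which yields 0640 with group `shadow` retaining read access) or state the target mode directly so the documentation and the enforced value agree. While touching the header, the Audit paragraph also reads "verify verify Uid is 0/root"; drop the duplicated word.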