CIS 6.1.2-6.1.9
CIS items copied from cisbench:
* CIS 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
* CIS 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
* CIS 6.1.4 Ensure permissions on /etc/group are configured (Scored)
* CIS 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
* CIS 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
* CIS 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
* CIS 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
* CIS 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
Change-Id: I195d08a98c2401a9b0fa8f146ee4b365f933fa1f
diff --git a/metadata/service/system/cis/cis-6-1-7.yml b/metadata/service/system/cis/cis-6-1-7.yml
new file mode 100644
index 0000000..4918e6b
--- /dev/null
+++ b/metadata/service/system/cis/cis-6-1-7.yml
@@ -0,0 +1,38 @@
+# CIS 6.1.7 Ensure permissions on /etc/shadow- are configured
+#
+# Description
+# ===========
+# The /etc/shadow- file is used to store backup information about user
+# accounts that is critical to the security of those accounts, such as the
+# hashed password and other security information.
+#
+# Rationale
+# =========
+# It is critical to ensure that the /etc/shadow- file is protected from
+# unauthorized access. Although it is protected by default, the file
+# permissions could be changed either inadvertently or through malicious actions.
+#
+# Audit
+# =====
+# Run the following command and verify Uid and Gid are both 0/root and
+# Access is 600 or more restrictive:
+#
+# # stat /etc/shadow-
+# Access: (0600/-rw-------) Uid: (0/root) Gid: (0/root)
+#
+# Remediation
+# ===========
+# Run the following command to set permissions on /etc/shadow- :
+#
+# # chown root:root /etc/shadow-
+# # chmod 600 /etc/shadow-
+#
+parameters:
+ linux:
+ system:
+ file:
+ /etc/shadow-:
+ user: 'root'
+ group: 'root'
+ mode: '0600'
+