CIS 6.1.2-6.1.9
CIS items copied from cisbench:
* CIS 6.1.2 Ensure permissions on /etc/passwd are configured (Scored)
* CIS 6.1.3 Ensure permissions on /etc/shadow are configured (Scored)
* CIS 6.1.4 Ensure permissions on /etc/group are configured (Scored)
* CIS 6.1.5 Ensure permissions on /etc/gshadow are configured (Scored)
* CIS 6.1.6 Ensure permissions on /etc/passwd- are configured (Scored)
* CIS 6.1.7 Ensure permissions on /etc/shadow- are configured (Scored)
* CIS 6.1.8 Ensure permissions on /etc/group- are configured (Scored)
* CIS 6.1.9 Ensure permissions on /etc/gshadow- are configured (Scored)
Change-Id: I195d08a98c2401a9b0fa8f146ee4b365f933fa1f
diff --git a/metadata/service/system/cis/cis-6-1-8.yml b/metadata/service/system/cis/cis-6-1-8.yml
new file mode 100644
index 0000000..eb7bb16
--- /dev/null
+++ b/metadata/service/system/cis/cis-6-1-8.yml
@@ -0,0 +1,37 @@
+# CIS 6.1.8 Ensure permissions on /etc/group- are configured
+#
+# Description
+# ===========
+# The /etc/group- file contains a backup list of all the valid groups defined
+# in the system.
+#
+# Rationale
+# =========
+# It is critical to ensure that the /etc/group- file is protected from
+# unauthorized access. Although it is protected by default, the file
+# permissions could be changed either inadvertently or through malicious actions.
+#
+# Audit
+# =====
+# Run the following command and verify Uid and Gid are both 0/root and
+# Access is 600 or more restrictive:
+#
+# # stat /etc/group-
+# Access: (0600/-rw-------) Uid: (0/root) Gid: (0/root)
+#
+# Remediation
+# ===========
+# Run the following command to set permissions on /etc/group- :
+#
+# # chown root:root /etc/group-
+# # chmod 600 /etc/group-
+#
+parameters:
+ linux:
+ system:
+ file:
+ /etc/group-:
+ user: 'root'
+ group: 'root'
+ mode: '0600'
+