Merge "Configure /etc/login.defs"
diff --git a/linux/system/user.sls b/linux/system/user.sls
index 7ffdae6..7a0c98b 100644
--- a/linux/system/user.sls
+++ b/linux/system/user.sls
@@ -43,6 +43,7 @@
   {%- endif %}
   {%- if user.system is defined and user.system %}
   - system: True
+  - shell: {{ user.get('shell', '/bin/false') }}
   {%- else %}
   - shell: {{ user.get('shell', '/bin/bash') }}
   {%- endif %}
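Review bot: The new `- shell:` line makes every system user this state manages get a shell on the next highstate, so an existing account that a package created with `/usr/sbin/nologin` (or `/sbin/nologin` on other distributions) would presumably be switched to `/bin/false` unless the pillar names a shell explicitly — worth confirming against how the formula applies `user.present` to pre-existing accounts. If the override is intended, record it next to the line: `{# system accounts: force a non-interactive shell unless the pillar sets one #}`; if not, emit the line only when `user.shell` is defined, as the non-system branch on the next line already relies on the caller for anything other than the default. The enclosing state definition starts above this hunk.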
diff --git a/metadata/service/system/cis/cis-6-1-2.yml b/metadata/service/system/cis/cis-6-1-2.yml
new file mode 100644
index 0000000..481c2df
--- /dev/null
+++ b/metadata/service/system/cis/cis-6-1-2.yml
@@ -0,0 +1,38 @@
+# CIS 6.1.2 Ensure permissions on /etc/passwd are configured
+#
+# Description
+# ===========
+# The /etc/passwd file contains user account information that is used by
+# many system utilities and therefore must be readable for these utilities
+# to operate.
+#
+# Rationale
+# =========
+# It is critical to ensure that the /etc/passwd file is protected from
+# unauthorized write access. Although it is protected by default, the file
+# permissions could be changed either inadvertently or through malicious actions.
+#
+# Audit
+# =====
+# Run the following command and verify Uid and Gid are both 0/root and
+# Access is 644 :
+#
+#   # stat /etc/passwd
+#   Access: (0644/-rw-r--r--) Uid: (0/root) Gid: (0/root)
+#
+# Remediation
+# ===========
+# Run the following command to set permissions on /etc/passwd :
+#
+#   # chown root:root /etc/passwd
+#   # chmod 644 /etc/passwd
+#
+parameters:
+  linux:
+    system:
+      file:
+        /etc/passwd:
+          user: 'root'
+          group: 'root'
+          mode: '0644'
+
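Review bot: The header explains the benchmark item but not how this pillar fragment is consumed, and the same gap exists in the other seven new cis-6-1-* files. A one-line comment above `parameters:` would save the reader a lookup: `# Applied by the linux.system.file state (key path: linux:system:file:<path>); mode is quoted so the leading-zero octal is not coerced to an integer by the YAML loader.` — the consuming state is inferred from the key path and should be confirmed before the comment is committed. Quoting `mode`, `user` and `group` as done here is the right choice and should stay consistent across the set.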
diff --git a/metadata/service/system/cis/cis-6-1-3.yml b/metadata/service/system/cis/cis-6-1-3.yml
new file mode 100644
index 0000000..7bcd373
--- /dev/null
+++ b/metadata/service/system/cis/cis-6-1-3.yml
@@ -0,0 +1,39 @@
+# CIS 6.1.3 Ensure permissions on /etc/shadow are configured
+#
+# Description
+# ===========
+# The /etc/shadow file is used to store the information about user accounts
+# that is critical to the security of those accounts, such as the hashed
+# password and other security information.
+#
+# Rationale
+# =========
+# If attackers can gain read access to the /etc/shadow file, they can easily
+# run a password cracking program against the hashed password to break it.
+# Other security information that is stored in the /etc/shadow file (such
+# as expiration) could also be useful to subvert the user accounts.
+#
+# Audit
+# =====
+# Run the following command and verify Uid is 0/root , Gid is <gid>/shadow ,
+# and Access is 640 or more restrictive:
+#
+#   # stat /etc/shadow
+#   Access: (0640/-rw-r-----) Uid: (0/root) Gid: (42/shadow)
+#
+# Remediation
+# ===========
+# Run the one following commands to set permissions on /etc/shadow :
+#
+#   # chown root:shadow /etc/shadow
+#   # chmod o-rwx,g-wx /etc/shadow
+#
+parameters:
+  linux:
+    system:
+      file:
+        /etc/shadow:
+          user: 'root'
+          group: 'shadow'
+          mode: '0640'
+
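Review bot: `mode: '0640'` pins an exact mode while the Audit text above requires 640 *or more restrictive*, so on a host where /etc/shadow is already tighter (some distributions ship it as 0000 or 0600) applying this pillar would loosen it rather than satisfy the control; the same applies to /etc/gshadow in cis-6-1-5 and to the 0600 backups in cis-6-1-6 through cis-6-1-9. If the formula's file state cannot express "at most", a comment such as `# NOTE: enforces exactly 0640; hosts that already use a stricter mode will be relaxed to this value` should say so, and `group: 'shadow'` should likewise note that it assumes a `shadow` group exists, which is distribution-specific. Wording nit in the Remediation section: `Run the one following commands` should read `Run the following commands`.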
diff --git a/metadata/service/system/cis/cis-6-1-4.yml b/metadata/service/system/cis/cis-6-1-4.yml
new file mode 100644
index 0000000..d5b2ffd
--- /dev/null
+++ b/metadata/service/system/cis/cis-6-1-4.yml
@@ -0,0 +1,38 @@
+# CIS 6.1.4 Ensure permissions on /etc/group are configured
+#
+# Description
+# ===========
+# The /etc/group file contains a list of all the valid groups defined in the
+# system. The command below allows read/write access for root and read access
+# for everyone else.
+#
+# Rationale
+# =========
+# The /etc/group file needs to be protected from unauthorized changes by
+# non-privileged users, but needs to be readable as this information is used
+# with many non-privileged programs.
+#
+# Audit
+# =====
+# Run the following command and verify Uid and Gid are both 0/root and
+# Access is 644 :
+#
+#   # stat /etc/group
+#   Access: (0644/-rw-r--r--) Uid: (0/root) Gid: (0/root)
+#
+# Remediation
+# ===========
+# Run the following command to set permissions on /etc/group :
+#
+#   # chown root:root /etc/group
+#   # chmod 644 /etc/group
+#
+parameters:
+  linux:
+    system:
+      file:
+        /etc/group:
+          user: 'root'
+          group: 'root'
+          mode: '0644'
+
diff --git a/metadata/service/system/cis/cis-6-1-5.yml b/metadata/service/system/cis/cis-6-1-5.yml
new file mode 100644
index 0000000..87ef05a
--- /dev/null
+++ b/metadata/service/system/cis/cis-6-1-5.yml
@@ -0,0 +1,39 @@
+# CIS 6.1.5 Ensure permissions on /etc/gshadow are configured
+#
+# Description
+# ===========
+# The /etc/gshadow file is used to store the information about groups that
+# is critical to the security of those accounts, such as the hashed password
+# and other security information.
+#
+# Rationale
+# =========
+# If attackers can gain read access to the /etc/gshadow file, they can easily
+# run a password cracking program against the hashed password to break it.
+# Other security information that is stored in the /etc/gshadow file (such as
+# group administrators) could also be useful to subvert the group.
+#
+# Audit
+# =====
+# Run the following command and verify verify Uid is 0/root ,
+# Gid is <gid>/shadow , and Access is 640 or more restrictive:
+#
+#   # stat /etc/gshadow
+#   Access: (0640/-rw-r-----) Uid: (0/root) Gid: (42/shadow)
+#
+# Remediation
+# ===========
+# Run the following commands to set permissions on /etc/gshadow :
+#
+#   # chown root:shadow /etc/gshadow
+#   # chmod o-rwx,g-rw /etc/gshadow
+#
+parameters:
+  linux:
+    system:
+      file:
+        /etc/gshadow:
+          user: 'root'
+          group: 'shadow'
+          mode: '0640'
+
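Review bot: The Audit line reads `verify verify Uid is 0/root`; drop the duplicated word so it reads `Run the following command and verify Uid is 0/root ,`. The rest of the header matches the pattern used by the sibling cis-6-1-* files, and the quoted `mode: '0640'` is consistent with them.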
diff --git a/metadata/service/system/cis/cis-6-1-6.yml b/metadata/service/system/cis/cis-6-1-6.yml
new file mode 100644
index 0000000..0cd4b9f
--- /dev/null
+++ b/metadata/service/system/cis/cis-6-1-6.yml
@@ -0,0 +1,36 @@
+# CIS 6.1.6 Ensure permissions on /etc/passwd- are configured
+#
+# Description
+# ===========
+# The /etc/passwd- file contains backup user account information.
+#
+# Rationale
+# =========
+# It is critical to ensure that the /etc/passwd- file is protected from
+# unauthorized access. Although it is protected by default, the file
+# permissions could be changed either inadvertently or through malicious actions.
+#
+# Audit
+# =====
+# Run the following command and verify Uid and Gid are both 0/root and
+# Access is 600 or more restrictive:
+#
+#   # stat /etc/passwd-
+#   Access: (0600/-rw-------) Uid: (0/root) Gid: (0/root)
+#
+# Remediation
+# ===========
+# Run the following command to set permissions on /etc/passwd- :
+#
+#   # chown root:root /etc/passwd-
+#   # chmod 600 /etc/passwd-
+#
+parameters:
+  linux:
+    system:
+      file:
+        /etc/passwd-:
+          user: 'root'
+          group: 'root'
+          mode: '0600'
+
diff --git a/metadata/service/system/cis/cis-6-1-7.yml b/metadata/service/system/cis/cis-6-1-7.yml
new file mode 100644
index 0000000..4918e6b
--- /dev/null
+++ b/metadata/service/system/cis/cis-6-1-7.yml
@@ -0,0 +1,38 @@
+# CIS 6.1.7 Ensure permissions on /etc/shadow- are configured
+#
+# Description
+# ===========
+# The /etc/shadow- file is used to store backup information about user
+# accounts that is critical to the security of those accounts, such as the
+# hashed password and other security information.
+#
+# Rationale
+# =========
+# It is critical to ensure that the /etc/shadow- file is protected from
+# unauthorized access. Although it is protected by default, the file
+# permissions could be changed either inadvertently or through malicious actions.
+#
+# Audit
+# =====
+# Run the following command and verify Uid and Gid are both 0/root and
+# Access is 600 or more restrictive:
+#
+#   # stat /etc/shadow-
+#   Access: (0600/-rw-------) Uid: (0/root) Gid: (0/root)
+#
+# Remediation
+# ===========
+# Run the following command to set permissions on /etc/shadow- :
+#
+#   # chown root:root /etc/shadow-
+#   # chmod 600 /etc/shadow-
+#
+parameters:
+  linux:
+    system:
+      file:
+        /etc/shadow-:
+          user: 'root'
+          group: 'root'
+          mode: '0600'
+
diff --git a/metadata/service/system/cis/cis-6-1-8.yml b/metadata/service/system/cis/cis-6-1-8.yml
new file mode 100644
index 0000000..eb7bb16
--- /dev/null
+++ b/metadata/service/system/cis/cis-6-1-8.yml
@@ -0,0 +1,37 @@
+# CIS 6.1.8 Ensure permissions on /etc/group- are configured
+#
+# Description
+# ===========
+# The /etc/group- file contains a backup list of all the valid groups defined
+# in the system.
+#
+# Rationale
+# =========
+# It is critical to ensure that the /etc/group- file is protected from
+# unauthorized access. Although it is protected by default, the file
+# permissions could be changed either inadvertently or through malicious actions.
+#
+# Audit
+# =====
+# Run the following command and verify Uid and Gid are both 0/root and
+# Access is 600 or more restrictive:
+#
+#   # stat /etc/group-
+#   Access: (0600/-rw-------) Uid: (0/root) Gid: (0/root)
+#
+# Remediation
+# ===========
+# Run the following command to set permissions on /etc/group- :
+#
+#   # chown root:root /etc/group-
+#   # chmod 600 /etc/group-
+#
+parameters:
+  linux:
+    system:
+      file:
+        /etc/group-:
+          user: 'root'
+          group: 'root'
+          mode: '0600'
+
diff --git a/metadata/service/system/cis/cis-6-1-9.yml b/metadata/service/system/cis/cis-6-1-9.yml
new file mode 100644
index 0000000..7acba2f
--- /dev/null
+++ b/metadata/service/system/cis/cis-6-1-9.yml
@@ -0,0 +1,38 @@
+# CIS 6.1.9 Ensure permissions on /etc/gshadow- are configured
+#
+# Description
+# ===========
+# The /etc/gshadow- file is used to store backup information about groups
+# that is critical to the security of those accounts, such as the hashed
+# password and other security information.
+#
+# Rationale
+# =========
+# It is critical to ensure that the /etc/gshadow- file is protected from
+# unauthorized access. Although it is protected by default, the file
+# permissions could be changed either inadvertently or through malicious actions.
+#
+# Audit
+# =====
+# Run the following command and verify Uid and Gid are both 0/root and
+# Access is 600 or more restrictive:
+#
+#   # stat /etc/gshadow-
+#   Access: (0600/-rw-------) Uid: (0/root) Gid: (0/root)
+#
+# Remediation
+# ===========
+# Run the following command to set permissions on /etc/gshadow- :
+#
+#   # chown root:root /etc/gshadow-
+#   # chmod 600 /etc/gshadow-
+#
+parameters:
+  linux:
+    system:
+      file:
+        /etc/gshadow-:
+          user: 'root'
+          group: 'root'
+          mode: '0600'
+
diff --git a/metadata/service/system/cis/init.yml b/metadata/service/system/cis/init.yml
index a6664f1..5c91125 100644
--- a/metadata/service/system/cis/init.yml
+++ b/metadata/service/system/cis/init.yml
@@ -12,3 +12,11 @@
 - service.linux.system.cis.cis-3-2-8
 # Temp. disable PROD-22520
 #- service.linux.system.cis.cis-3-3-3
+- service.linux.system.cis.cis-6-1-2
+- service.linux.system.cis.cis-6-1-3
+- service.linux.system.cis.cis-6-1-4
+- service.linux.system.cis.cis-6-1-5
+- service.linux.system.cis.cis-6-1-6
+- service.linux.system.cis.cis-6-1-7
+- service.linux.system.cis.cis-6-1-8
+- service.linux.system.cis.cis-6-1-9