Extend os_hardening minimize_access task to cover additional passwd/group/shadow/gshadow paths #488
cmhe added a commit to siemens/ansible-collection-hardening that referenced this issue Oct 18, 2021

The tasks `Change shadow ownership to root and mode to 0600` and `Change passwd ownership to root and mode to 0644` only handle `/etc/shadow` and `/etc/passwd` respectively. But there are multiple adjacent files that should be handled with these rules as well:

- `/etc/gshadow`
- `/etc/shadow-`
- `/etc/gshadow-`
- `/etc/group`
- `/etc/shadow-`
- `/etc/group-`

This change adds those files to the rules, so that permissions are handled in the same way.

Closes: dev-sec#488
Signed-off-by: Claudius Heine <ch@denx.de>
cmhe added a commit to siemens/ansible-collection-hardening that referenced this issue Oct 19, 2021
rndmh3ro pushed a commit that referenced this issue Oct 21, 2021

…489)

The tasks `Change shadow ownership to root and mode to 0600` and `Change passwd ownership to root and mode to 0644` only handle `/etc/shadow` and `/etc/passwd` respectively. But there are multiple adjacent files that should be handled with these rules as well:

- `/etc/gshadow`
- `/etc/shadow-`
- `/etc/gshadow-`
- `/etc/group`
- `/etc/shadow-`
- `/etc/group-`

This change adds those files to the rules, so that permissions are handled in the same way.

Closes: #488
Signed-off-by: Claudius Heine <ch@denx.de>
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this issue Aug 3, 2022
Is your feature request related to a problem? Please describe.

The current tasks `Change shadow ownership to root and mode to 0600` and `Change passwd ownership to root and mode to 0644` only handle `/etc/shadow` and `/etc/passwd` respectively. But there are multiple adjacent files that should be handled with these rules as well:

- `/etc/gshadow`
- `/etc/shadow-`
- `/etc/gshadow-`
- `/etc/group`
- `/etc/shadow-`
- `/etc/group-`

Describe the solution you'd like

Extend those tasks to also assign the permissions to those files.
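
An added example, not part of the issue or of the collection's code: a read-only Python audit that reports which of the files listed above are more permissive than the two modes named in the task titles. The split of files between 0600 and 0644, the `POLICY` table and the `audit` function with its `root` and `owner_uid` parameters are assumptions; the page gives only the file list and the two modes.

```python
import os
import stat

# Assumed grouping: the page names the files and the two modes, but not
# which file goes with which task. Shadow-like files get 0600, the rest 0644.
POLICY = {
    "etc/shadow": 0o600, "etc/gshadow": 0o600,
    "etc/shadow-": 0o600, "etc/gshadow-": 0o600,
    "etc/passwd": 0o644, "etc/group": 0o644, "etc/group-": 0o644,
}


def audit(root="/", owner_uid=0, policy=POLICY):
    """Return a list of (path, problem) for files that break the policy."""
    findings = []
    for rel, max_mode in sorted(policy.items()):
        path = os.path.join(root, rel)
        try:
            st = os.lstat(path)  # lstat: report a symlink, do not follow it
        except FileNotFoundError:
            continue  # backup copies such as shadow- may not exist yet
        if not stat.S_ISREG(st.st_mode):
            findings.append((path, "not a regular file"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & ~max_mode:  # any bit granted beyond the allowed mode
            findings.append((path, f"mode {mode:04o} exceeds {max_mode:04o}"))
        if st.st_uid != owner_uid:
            findings.append((path, f"owner uid {st.st_uid}, expected {owner_uid}"))
    return findings


if __name__ == "__main__":
    for path, problem in audit():
        print(f"{path}: {problem}")
```

Run before and after applying the role to confirm that the backup copies (`shadow-`, `gshadow-`, `group-`) end up with the same restrictions as the primary files.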