From 5e6afd3f5dadc4224febd9c9f060f0c52f1c934f Mon Sep 17 00:00:00 2001
From: bryaend
Date: Thu, 23 Jun 2022 19:17:59 -0500
Subject: [PATCH 1/2] motd may be configured under /etc/update-motd.d/
---
 controls/1_7_warning_banners.rb | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/controls/1_7_warning_banners.rb b/controls/1_7_warning_banners.rb
index c756a21..2db49d9 100644
--- a/controls/1_7_warning_banners.rb
+++ b/controls/1_7_warning_banners.rb
@@ -59,17 +59,28 @@ end
 control 'cis-dil-benchmark-1.7.1.4' do
- title 'Ensure permissions on /etc/motd are configured'
- desc "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users.\n\nRationale: If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+ title 'Ensure permissions on /etc/motd and /etc/update-motd.d/* are configured'
+ desc "The contents of the /etc/motd and /etc/update-motd.d/* files are displayed to users after login and function as a message of the day for authenticated users.\n\nRationale: If the files do not have the correct ownership, they could be modified by unauthorized users with incorrect or misleading information."
 impact 0.0
 tag cis: 'distribution-independent-linux:1.7.1.4'
 tag level: 1
- describe file('/etc/motd') do
- its('group') { should eq 'root' }
- its('owner') { should eq 'root' }
- its('mode') { should cmp '0644' }
+ motd_file = '/etc/motd'
+
+ if File.exists?(motd_file)
+ describe file(motd_file) do
+ its('group') { should eq 'root' }
+ its('owner') { should eq 'root' }
+ its('mode') { should cmp '0644' }
+ end
+ end
+ command('find /etc/update-motd.d/ -type f').stdout.split.each do |f|
+ describe file(f) do
+ its('group') { should eq 'root' }
+ its('owner') { should eq 'root' }
+ its('mode') { should cmp '0755' }
+ end
 end
 end
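Review bot: The added guard `if File.exists?(motd_file)` calls Ruby's own File class, which inspects the filesystem of the machine running the profile rather than the scanned target, so against a remote or container target the /etc/motd checks can be silently skipped based on the wrong host; `File.exists?` is also removed in Ruby 3.2. The InSpec resource should be used instead: `if file(motd_file).exist?`. The `find /etc/update-motd.d/ -type f` loop tests only the files it lists, so the directory itself is never checked, and because those scripts are (on Debian-family systems) executed by pam_motd at login, a `describe file('/etc/update-motd.d')` test for owner, group and mode looks worth adding. When neither path exists the control produces no tests at all, which a reader of the report cannot tell apart from a pass unless that case is handled explicitly (for example with `only_if` and a message). PATCH 2/2 carries the identical hunk and needs the same changes.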
From 990f63da173289faeca96eb38d07cfcdd7d2e3b0 Mon Sep 17 00:00:00 2001
From: bryaend
Date: Thu, 23 Jun 2022 19:17:59 -0500
Subject: [PATCH 2/2] motd may be configured under /etc/update-motd.d/
Signed-off-by: bryaend
---
 controls/1_7_warning_banners.rb | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/controls/1_7_warning_banners.rb b/controls/1_7_warning_banners.rb
index c756a21..2db49d9 100644
--- a/controls/1_7_warning_banners.rb
+++ b/controls/1_7_warning_banners.rb
@@ -59,17 +59,28 @@ end
 control 'cis-dil-benchmark-1.7.1.4' do
- title 'Ensure permissions on /etc/motd are configured'
- desc "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users.\n\nRationale: If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+ title 'Ensure permissions on /etc/motd and /etc/update-motd.d/* are configured'
+ desc "The contents of the /etc/motd and /etc/update-motd.d/* files are displayed to users after login and function as a message of the day for authenticated users.\n\nRationale: If the files do not have the correct ownership, they could be modified by unauthorized users with incorrect or misleading information."
 impact 0.0
 tag cis: 'distribution-independent-linux:1.7.1.4'
 tag level: 1
- describe file('/etc/motd') do
- its('group') { should eq 'root' }
- its('owner') { should eq 'root' }
- its('mode') { should cmp '0644' }
+ motd_file = '/etc/motd'
+
+ if File.exists?(motd_file)
+ describe file(motd_file) do
+ its('group') { should eq 'root' }
+ its('owner') { should eq 'root' }
+ its('mode') { should cmp '0644' }
+ end
+ end
+ command('find /etc/update-motd.d/ -type f').stdout.split.each do |f|
+ describe file(f) do
+ its('group') { should eq 'root' }
+ its('owner') { should eq 'root' }
+ its('mode') { should cmp '0755' }
+ end
 end
 end