feat: add rule to ensure shadow group does not have any members

Members of the shadow group could have access to password hashes and other content of the shadow files. Signed-off-by: Claudius Heine <[email protected]>
dev-sec · Nov 4, 2021 · e6671b4 · e6671b4
1 parent 82c676d
commit e6671b4
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/controls/os_spec.rb b/controls/os_spec.rb
@@ -355,3 +355,18 @@
     its('gids') { should_not contain_duplicates }
   end
 end
+
+control 'os-19' do
+  impact 1.0
+  title 'Shadow group should not have any users'
+  desc 'Members of the shadow group could have access to password hashes, so no user should be a member of that group'
+  shadow_group_entry = etc_group.where(name: shadow_group)
+
+  describe passwd.gids(shadow_group_entry.gids) do
+    its('count') { should eq 0 }
+  end
+
+  describe shadow_group_entry do
+    its('users') { should be_empty }
+  end
+end