From d2529b4bc93aa4b9c802e1ec5405aecea0131384 Mon Sep 17 00:00:00 2001 From: Miha Purg Date: Sat, 14 Dec 2024 12:53:27 +0100 Subject: [PATCH 1/2] Implement rule groups_no_zero_gid_except_root - checks that no group other than root has GID of 0 - manual remediation - satisfies Ubuntu CIS 24.04 v1 5.4.2.3
---
components/pam.yml | 1 + .../oval/shared.xml | 20 ++++++++++++ .../groups_no_zero_gid_except_root/rule.yml | 31 +++++++++++++++++++ .../tests/only_root.pass.sh | 5 +++ .../tests/other_user_uid_0.fail.sh | 4 +++ 5 files changed, 61 insertions(+) create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/groups_no_zero_gid_except_root/oval/shared.xml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/groups_no_zero_gid_except_root/rule.yml create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/groups_no_zero_gid_except_root/tests/only_root.pass.sh create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/root_logins/groups_no_zero_gid_except_root/tests/other_user_uid_0.fail.sh
diff --git a/components/pam.yml b/components/pam.yml
index 577d57e6682..d4d3f1e9714 100644
--- a/components/pam.yml
+++ b/components/pam.yml
@@ -162,6 +162,7 @@ rules:
 - gid_passwd_group_same
 - group_unique_id
 - group_unique_name
+- groups_no_zero_gid_except_root
 - grub2_disable_interactive_boot
 - gui_login_dod_acknowledgement
 - install_smartcard_packages
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/groups_no_zero_gid_except_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/groups_no_zero_gid_except_root/oval/shared.xml
new file mode 100644
index 00000000000..6c1ae253606
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/groups_no_zero_gid_except_root/oval/shared.xml
@@ -0,0 +1,20 @@ + + + {{{ oval_metadata("Only the root group should be assigned a GID of 0.") }}} + + + + + + + + + + + /etc/group + ^(?!root:)[^:]*:[^:]*:0 + 1 + +
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/groups_no_zero_gid_except_root/rule.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/groups_no_zero_gid_except_root/rule.yml
new file mode 100644
index 00000000000..37068b0f40d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/groups_no_zero_gid_except_root/rule.yml
@@ -0,0 +1,31 @@
+documentation_complete: true
+
+title: 'Verify Only Group Root Has GID 0'
+
+description: |-
+ If any group other than root has a GID of 0, this misconfiguration should
+ be investigated and the groups other than root should be removed or have
+ their GID changed.
+
+rationale: |-
+ Ensuring that only the root group has a GID of 0 helps prevent
+ root group owned files from becoming accidentally accessible to
+ non-privileged users.
+
+severity: high
+
+ocil_clause: 'any groups other than "root" have a GID of "0"'
+
+ocil: |-
+ Verify that only the "root" group has a GID "0" assignment with the
+ following command: +
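Review bot: The pattern `^(?!root:)[^:]*:[^:]*:0` on the `/etc/group` line matches any record whose GID field merely starts with `0`, so a hand-edited entry with a GID such as `01` would be reported although only GID 0 is in scope; the element names around the value are stripped in this rendering, but the value itself is visible. Every `/etc/group` record carries a fourth (members) field, so the GID is always followed by a colon and the pattern can be anchored on it: `^(?!root:)[^:]*:[^:]*:0:`. That also brings the OVAL check in line with the OCIL command in rule.yml, which compares the whole field with `$3 == 0`; if leading-zero spellings like `00` should still count as GID 0, `:0+:` covers them without matching other values.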
$ awk -F: '$3 == 0 {print $1}' /etc/group
+
root
+
+fixtext: |-
+ Change the GID of any group on the system, other than root, that has a GID of "0".
+
+warnings:
+ - general: |-
+ This rule doesn't come with a remediation. The removal of groups from a system
+ or reassigning the GID is considered too disruptive.
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/groups_no_zero_gid_except_root/tests/only_root.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/groups_no_zero_gid_except_root/tests/only_root.pass.sh
new file mode 100644
index 00000000000..2adf4bdb5cf
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/groups_no_zero_gid_except_root/tests/only_root.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# remediation = none
+
+# Delete all groups with gid 0 except root.
+awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/group | xargs -I '{}' groupdel -f '{}'
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/groups_no_zero_gid_except_root/tests/other_user_uid_0.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/groups_no_zero_gid_except_root/tests/other_user_uid_0.fail.sh
new file mode 100644
index 00000000000..5798ae85b88
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/groups_no_zero_gid_except_root/tests/other_user_uid_0.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# remediation = none
+
+groupadd --non-unique --gid 0 root2
From 470b1a8a0cca1059bf1be3c381cea56b6cef3d9d Mon Sep 17 00:00:00 2001 From: Miha Purg Date: Sat, 14 Dec 2024 12:55:25 +0100 Subject: [PATCH 2/2] Add rules to ubuntu2404 CIS control 5.4.2.3
---
controls/cis_ubuntu2404.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index c72af22cb84..69081859462 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
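Review bot: The scenario file is named `other_user_uid_0.fail.sh`, but its only command, `groupadd --non-unique --gid 0 root2`, creates a second group with GID 0 and touches no user, so the name describes a different condition (a duplicate UID 0 in /etc/passwd) than the one this rule checks. Naming the scenario after what it sets up, e.g. `other_group_gid_0.fail.sh`, keeps the test list readable next to `only_root.pass.sh` and the rule title 'Verify Only Group Root Has GID 0'. The same name appears in the diffstat and the `create mode` lines of the commit record above, so those would move with it.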
@@ -2136,8 +2136,12 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- status: planned
- notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+ rules:
+ - groups_no_zero_gid_except_root
+ status: automated
+ notes: |
+ The remediation is not automated as the removal or modification
+ of group IDs from a system is too disruptive.
 - id: 5.4.2.4
 title: Ensure root account access is controlled (Automated)