Description
Secstate is a tool that attempts to streamline the Certification and Accreditation process for Linux systems by providing a mechanism to verify, validate, and remediate security-relevant configuration items.
Setup
- Install the most recent version of secstate from https://fedorahosted.org/secstate/wiki/RecentBuilds
- Download and extract the file available at https://fedorahosted.org/secstate/attachment/wiki/TestContent/etcpasswd.tar.gz?format=raw
- Back up /etc/passwd.
- Keep a second root session open in case /etc/passwd is damaged during the test and users can no longer authenticate.
How to test
- Change the owner, group, and permissions on /etc/passwd.
# sudo chown 500:500 /etc/passwd
# sudo chmod 777 /etc/passwd
# ls -ln /etc/passwd
The user should see that the owner and group owner of /etc/passwd are UID and GID 500 and that the permissions are -rwxrwxrwx. While the file is in this state any local user can edit it (for example, add an account with UID 0), so run this only on a test machine and do not leave it this way.
- Import the downloaded content using secstate.
# sudo secstate import etcpasswd/Passwd.xccdf.xml
# sudo
The user should see a listing like:
[X]Benchmark - ID: Passwd, Title: 'PasswordFilePermissions', Profile: None
[X]Rule - ID: Passwd-R-2-1, Title: 'Passwd_Ownership'
[X]Rule - ID: Passwd-R-2-2, Title: 'Passwd_Group_Ownership'
[X]Rule - ID: Passwd-R-2-3, Title: 'Passwd_Mode'
- Deselect the group ownership rule.
# sudo secstate deselect Passwd Passwd-R-2-2
# sudo secstate list -a -r
The user should see the same listing as above, except that the group ownership rule (Passwd-R-2-2) no longer has an X.
- Audit before remediation.
# sudo secstate audit
The user should see output like:
--Results for 'Passwd' (Profile: 'Custom')--
Passed: 0
Failed: 2
Fixed: 0
Not Selected: 1
Not Checked: 0
Not Applicable: 0
Error: 0
Informational: 0
Unknown: 0
- Remediate everything except group ownership.
# sudo secstate remediate -r etcpasswd/passwd.pp
The user should see output similar to:
notice: //passwd/File_perms[/etc/passwd]/uexec: uexec changed 'true' to 'false'
notice: //passwd/File_perms[/etc/passwd]/gwrite: gwrite changed 'true' to 'false'
notice: //passwd/File_perms[/etc/passwd]/gexec: gexec changed 'true' to 'false'
notice: //passwd/File_perms[/etc/passwd]/owrite: owrite changed 'true' to 'false'
notice: //passwd/File_perms[/etc/passwd]/oexec: oexec changed 'true' to 'false'
notice: //passwd/File_perms[/etc/passwd]/owner: owner changed '500' to '0'
- Select the group ownership rule.
# sudo secstate select Passwd Passwd-R-2-2
# sudo secstate list -a -r
The user should see the original listing with all rules selected.
- Remediate everything.
# sudo secstate remediate -r etcpasswd/passwd.pp
The user should see output like:
notice: //passwd/File_perms[/etc/passwd]/group: group changed '500' to '0'
- Final audit.
# sudo secstate audit
The user should see output like:
--Results for 'Passwd' (Profile: 'Custom')--
Passed: 3
Failed: 0
Fixed: 0
Not Selected: 0
Not Checked: 0
Not Applicable: 0
Error: 0
Informational: 0
Unknown: 0
- Manually verify permissions of /etc/passwd.
# ls -ln /etc/passwd
The user should see that the owner UID and group GID of /etc/passwd are back to 0 and that the permissions are now -rw-r--r--.
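The audit and remediate steps above check three properties of /etc/passwd: owner UID (Passwd_Ownership), group GID (Passwd_Group_Ownership) and permission bits (Passwd_Mode). The script below is an added example, not code from secstate or from the Passwd benchmark, that performs the same audit-then-fix cycle in plain POSIX sh so the expected results can be cross-checked by hand. Assumptions: the rule-to-property mapping is read off the rule titles, the targets 0:0 and 0644 off the ls output in the test, and the optional UID/GID/MODE arguments exist only so the functions can be exercised on a scratch file without root. It needs GNU stat (Linux).

```shell
#!/bin/sh
# Added example (not secstate or benchmark code): audit and remediate the
# owner, group and mode of a file the way the three Passwd rules describe.
# Defaults are uid 0, gid 0, mode 644, which is what the test expects for
# /etc/passwd. The optional arguments are an assumption for testing only.

# read_props FILE: set have_uid, have_gid, have_mode (octal digits, e.g. 644).
read_props() {
    props=$(stat -c '%u %g %a' "$1") || return 1
    have_uid=${props%% *}
    rest=${props#* }
    have_gid=${rest%% *}
    have_mode=${rest#* }
}

# check_rule TITLE HAVE WANT: print one result line; return 1 on mismatch.
check_rule() {
    if [ "$2" = "$3" ]; then
        echo "PASS $1 ($2)"
    else
        echo "FAIL $1 (have $2, want $3)"
        return 1
    fi
}

# audit_file FILE [UID GID MODE]: audit without changing anything.
# Prints one line per rule plus a summary; returns the number of failed
# rules (0-3), or 4 if FILE cannot be stat'ed.
audit_file() {
    file=$1; want_uid=${2:-0}; want_gid=${3:-0}; want_mode=${4:-644}
    read_props "$file" || { echo "ERROR cannot stat $file"; return 4; }
    failed=0
    check_rule Passwd_Ownership       "$have_uid"  "$want_uid"  || failed=$((failed + 1))
    check_rule Passwd_Group_Ownership "$have_gid"  "$want_gid"  || failed=$((failed + 1))
    check_rule Passwd_Mode            "$have_mode" "$want_mode" || failed=$((failed + 1))
    echo "Passed: $((3 - failed)) Failed: $failed"
    return "$failed"
}

# remediate_file FILE [UID GID MODE]: change only what differs and print one
# notice per change, in the spirit of the puppet run in the test.
# Ownership changes need root; returns 1 if any change fails.
remediate_file() {
    file=$1; want_uid=${2:-0}; want_gid=${3:-0}; want_mode=${4:-644}
    read_props "$file" || return 1
    if [ "$have_uid" != "$want_uid" ]; then
        chown "$want_uid" "$file" || return 1
        echo "notice: $file/owner: owner changed '$have_uid' to '$want_uid'"
    fi
    if [ "$have_gid" != "$want_gid" ]; then
        chgrp "$want_gid" "$file" || return 1
        echo "notice: $file/group: group changed '$have_gid' to '$want_gid'"
    fi
    if [ "$have_mode" != "$want_mode" ]; then
        chmod "$want_mode" "$file" || return 1
        echo "notice: $file/mode: mode changed '$have_mode' to '$want_mode'"
    fi
    return 0
}

# Typical use on a real system, as root, after sourcing this file:
#   audit_file /etc/passwd || remediate_file /etc/passwd
#   audit_file /etc/passwd
```

Run as root against /etc/passwd after the chown/chmod step, the audit reports three failures; remediate_file then emits one notice per property it changes and a second audit passes all three rules, which matches the counts secstate prints once every rule is selected. Deselecting a rule has no counterpart here; to mimic the "Not Selected: 1" run, simply pass the file's current group GID as the third argument so that rule cannot fail.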
Expected Results
All commands in the previous section produce the expected output, and /etc/passwd ends up owned by UID 0 and GID 0 with mode 0644.