Description
Secstate is a tool that attempts to streamline the Certification and Accreditation process of Linux systems by providing a mechanism to verify, validate, and provide remediation to security relevant configuration items.
This test modifies core system files. Nothing should go wrong, but still it is not recommended for Linux beginners.
Setup
- Install the most recent version of secstate from https://fedorahosted.org/secstate/wiki/RecentBuilds
- Download and extract the file available at https://fedorahosted.org/secstate/attachment/wiki/TestContent/etcpasswd.tar.gz?format=raw
- Backup your /etc/passwd
- Have another root session open in case something goes wrong with /etc/passwd and the user is unable to authenticate
How to test
- Change the owner, group, and permissions on /etc/passwd.
# sudo chown 500:500 /etc/passwd # sudo chmod 777 /etc/passwd # ls -ln /etc/passwd
The user should see that the owner and group owner of /etc/passwd is UID and GID 500 and the permissions should be like -rwxrwxrwx.
- Import the downloaded content using secstate.
# sudo secstate import etcpasswd/Passwd.xccdf.xml # sudo secstate list -a -r
The user should see a listing like:
[X]Benchmark - ID: Passwd, Title: 'PasswordFilePermissions', Profile: None [X]Rule - ID: Passwd-R-2-1, Title: 'Passwd_Ownership' [X]Rule - ID: Passwd-R-2-2, Title: 'Passwd_Group_Ownership' [X]Rule - ID: Passwd-R-2-3, Title: 'Passwd_Mode' - Deselect the group ownership rule.
# sudo secstate deselect Passwd Passwd-R-2-2 # sudo secstate list -a -r
The user should see the same listing as above, except the group ownership rule should not have an X.
- Audit before remediation.
# sudo secstate audit
The user should see output like:
--Results for 'Passwd' (Profile: 'Custom')-- Passed: 0 Failed: 2 Fixed: 0 Not Selected: 1 Not Checked: 0 Not Applicable: 0 Error: 0 Informational: 0 Unknown: 0
- Remediate everything except group ownership.
# sudo secstate remediate -r etcpasswd/passwd.pp
The user should see output similar to:
notice: //passwd/File_perms[/etc/passwd]/uexec: uexec changed 'true' to 'false' notice: //passwd/File_perms[/etc/passwd]/gwrite: gwrite changed 'true' to 'false' notice: //passwd/File_perms[/etc/passwd]/gexec: gexec changed 'true' to 'false' notice: //passwd/File_perms[/etc/passwd]/owrite: owrite changed 'true' to 'false' notice: //passwd/File_perms[/etc/passwd]/oexec: oexec changed 'true' to 'false' notice: //passwd/File_perms[/etc/passwd]/owner: owner changed '500' to '0'
- Select the group ownership rule.
# sudo secstate select Passwd Passwd-R-2-2 # sudo secstate list -a -r
The user should see the original listing with all rules selected.
- Remediate everything.
# sudo secstate remediate -r etcpasswd/passwd.pp
The user should see output like:
notice: //passwd/File_perms[/etc/passwd]/group: group changed '500' to '0'
- Final audit.
# sudo secstate audit
The user should see output like:
--Results for 'Passwd' (Profile: 'Custom')-- Passed: 3 Failed: 0 Fixed: 0 Not Selected: 0 Not Checked: 0 Not Applicable: 0 Error: 0 Informational: 0 Unknown: 0
- Manually verify permissions of /etc/passwd.
# ls -ln /etc/passwd
The user should see that the owner and group UID and GID have been reset to 0 and the permissions on the file are now -rw-r--r--.
Expected Results
All the commands from previous section get expected results.