Merge pull request #10416 from marcusburghardt/cis_ensure_shadow_grou…

…p_empty

Enable ensure_shadow_group_empty for RHEL7

controls/cis_rhel7.yml

@@ -2291,7 +2291,9 @@ controls:
     levels:
     - l1_server
     - l1_workstation
-    automated: no # rule missing
+    status: automated
+    rules:
+      - ensure_shadow_group_empty
 
   - id: 6.2.5
     title: Ensure no duplicate user names exist (Automated)

linux_os/guide/system/accounts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/bash/shared.sh

@@ -1,3 +1,3 @@
-# platform = multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_all
 
 sed -ri 's/(^shadow:[^:]*:[^:]*:)([^:]+$)/\1/' /etc/group

linux_os/guide/system/accounts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/rule.yml

@@ -1,8 +1,8 @@
 documentation_complete: true
 
-prodtype: sle12,sle15,ubuntu2004,ubuntu2204
+prodtype: rhel7,sle12,sle15,ubuntu2004,ubuntu2204
 
-title: 'Ensure shadow group is empty'
+title: 'Ensure shadow Group is Empty'
 
 description: |-
     The shadow group allows system programs which require access the ability
@@ -19,10 +19,12 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel7: CCE-86818-2
     cce@sle12: CCE-92213-8
     cce@sle15: CCE-91344-2
 
 references:
+    cis@rhel7: 6.2.4
     cis@sle12: 6.2.18
     cis@sle15: 6.2.18
     cis@ubuntu2004: 6.2.17
@@ -34,8 +36,13 @@ ocil_clause: 'shadow group is not empty'
 
 ocil: |-
     Run the following commands and verify no results are returned:
-    <per>
+    <pre>
     grep ^shadow:[^:]*:[^:]*:[^:]+ /etc/group
     awk -F: '($4 == "<shadow-gid>") { print }' /etc/passwd
-    </per>
+    </pre>
 
+warnings:
+    - general: |-
+       This rule remediation will ensure the group membership is empty in /etc/group. To avoid any
+       disruption the remediation won't change the primary group of users in /etc/passwd if any
+       user has the shadow GID as primary group.

linux_os/guide/system/accounts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/tests/correct.pass.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_all
 
 if ! grep -q "^shadow" /etc/group; then
     groupadd shadow

linux_os/guide/system/accounts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/tests/no_shadow_group.pass.sh

@@ -1,4 +1,4 @@
 #!/bin/bash
-# platform = multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_all
 
 sed -i '/^shadow:[^:]*:[^:]*:.*/d' /etc/group

linux_os/guide/system/accounts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/tests/shadow_not_empty.fail.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_all
 
 if ! grep -q "^shadow" /etc/group; then
     groupadd shadow

linux_os/guide/system/accounts/accounts-restrictions/account_expiration/ensure_shadow_group_empty/tests/shadow_user_member.fail.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-# platform = multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_all
 # remediation = none
 
 if ! grep -q "^shadow" /etc/group; then

shared/references/cce-redhat-avail.txt

@@ -524,7 +524,6 @@ CCE-86811-7
 CCE-86812-5
 CCE-86816-6
 CCE-86817-4
-CCE-86818-2
 CCE-86820-8
 CCE-86821-6
 CCE-86822-4