adjust permissions on shadow file on suse

[rndmh3ro]

this brings the task in line with the baseline.

Signed-off-by: Sebastian Gumprich [email protected]

[schurzi]

I don't understand, the baseline reports:

     ×  File /etc/shadow group is expected to eq "root"
     expected: "root"
          got: "shadow"
     (compared using ==)
     ×  File /etc/shadow is expected not to be readable by group
     expected File /etc/shadow not to be readable by group```

[rndmh3ro]

Funny, when I run this locally I get:

            "     ×  File /etc/shadow group is expected to eq \"shadow\"",
            "     ",
            "     expected: \"shadow\"",
            "          got: \"root\"",
            "     ",
            "     (compared using ==)",

Here it says that it should be shadow: https://github.com/dev-sec/linux-baseline/blob/master/controls/os_spec.rb#L27

But the cinc-auditor does not think that this is a suse system:

You are currently running on:

    Name:      linux
    Families:  linux, unix, os
    Release:   unknown
    Arch:      x86_64

When running this with our collection, we do this:

    - name: install fake SuSE-release for cinc compatibility
      copy:
        content: |
          openSUSE Faked Enterprise 2020 (x86_64)
          VERSION = 2020
          CODENAME = Faked Feature
        dest: /etc/SuSE-release
        owner: root
        group: root
        mode: '0444'
      when: ansible_facts.os_family == 'Suse'

So then cinc-auditor thinks its suse.