From ad5c71c3ce1c1fb477c0a16516d5300996522bb3 Mon Sep 17 00:00:00 2001
From: GoldenKiwi
Date: Fri, 18 Mar 2022 16:41:49 +0100
Subject: [PATCH] fix: allow passwd-, group- and shadow- debian default permissions (#149)
---
 bin/hardening/6.1.6_etc_passwd-_permissions.sh | 3 ++-
 bin/hardening/6.1.7_etc_shadow-_permissions.sh | 3 ++-
 bin/hardening/6.1.8_etc_group-_permissions.sh | 3 ++-
 tests/hardening/6.1.6_etc_passwd-_permissions.sh | 7 +++++++
 tests/hardening/6.1.7_etc_shadow-_permissions.sh | 7 +++++++
 tests/hardening/6.1.8_etc_group-_permissions.sh | 7 +++++++
 6 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/bin/hardening/6.1.6_etc_passwd-_permissions.sh b/bin/hardening/6.1.6_etc_passwd-_permissions.sh
index bc1d21e..4019b50 100755
--- a/bin/hardening/6.1.6_etc_passwd-_permissions.sh
+++ b/bin/hardening/6.1.6_etc_passwd-_permissions.sh
@@ -19,6 +19,7 @@ DESCRIPTION="Check 600 permissions and root:root ownership on /etc/passwd-"
 FILE='/etc/passwd-'
 PERMISSIONS='600'
+PERMISSIONSOK='644 640 600'
 USER='root'
 GROUP='root'
@@ -28,7 +29,7 @@ audit() {
 if [ "$FNRET" != 0 ]; then
 ok "$FILE does not exist"
 else
- has_file_correct_permissions "$FILE" "$PERMISSIONS"
+ has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
 if [ "$FNRET" = 0 ]; then
 ok "$FILE has correct permissions"
 else
diff --git a/bin/hardening/6.1.7_etc_shadow-_permissions.sh b/bin/hardening/6.1.7_etc_shadow-_permissions.sh
index 48551ed..6adea07 100755
--- a/bin/hardening/6.1.7_etc_shadow-_permissions.sh
+++ b/bin/hardening/6.1.7_etc_shadow-_permissions.sh
@@ -19,6 +19,7 @@ DESCRIPTION="Check 600 permissions and root:shadow ownership on /etc/shadow-"
 FILE='/etc/shadow-'
 PERMISSIONS='600'
+PERMISSIONSOK='640 600'
 USER='root'
 GROUP='shadow'
@@ -28,7 +29,7 @@ audit() {
 if [ "$FNRET" != 0 ]; then
 ok "$FILE does not exist"
 else
- has_file_correct_permissions "$FILE" "$PERMISSIONS"
+ has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
 if [ "$FNRET" = 0 ]; then
 ok "$FILE has correct permissions"
 else
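Review bot: The DESCRIPTION shown in this hunk's header still reads "Check 600 permissions", but the audit now accepts any of `644 640 600`, so the description no longer states what the check enforces; the 6.1.7 hunk on this same line (`640 600`) and the 6.1.8 hunk on the next line carry the same stale text. Suggest `DESCRIPTION="Check 644/640/600 permissions and root:root ownership on /etc/passwd-"` with the matching sets for the other two files. PERMISSIONS='600' is kept while audit() no longer reads it, presumably because the apply path (outside the hunk) still uses it; a comment above the new variable such as `# Debian ships the backup as 644; audit accepts PERMISSIONSOK, remediation still applies PERMISSIONS` would stop the next reader from removing it as dead.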
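Review bot: With 640 in the accepted set, the permission check on its own no longer shows the backup is unreadable by non-root users; it now depends on the ownership comparison that follows `ok "$FILE has correct permissions"` (outside this hunk) to fail the audit when the group is anything but `root` (or `shadow` for 6.1.7). That makes the ownership branch load-bearing for the first time, so it is worth confirming it is still reached and still reports a failure independently of the permission result. For passwd- and group- the 644 case mirrors the world-readable live files, so no new exposure appears there; the shadow- 640 case is only equivalent to /etc/shadow while the group really is `shadow`. The same applies to the 6.1.7 audit hunk on this line and the 6.1.8 one on the next.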
diff --git a/bin/hardening/6.1.8_etc_group-_permissions.sh b/bin/hardening/6.1.8_etc_group-_permissions.sh
index 3d08dd4..eed99d5 100755
--- a/bin/hardening/6.1.8_etc_group-_permissions.sh
+++ b/bin/hardening/6.1.8_etc_group-_permissions.sh
@@ -19,6 +19,7 @@ DESCRIPTION="Check 600 permissions and root:root ownership on /etc/group-"
 FILE='/etc/group-'
 PERMISSIONS='600'
+PERMISSIONSOK='644 640 600'
 USER='root'
 GROUP='root'
@@ -28,7 +29,7 @@ audit() {
 if [ "$FNRET" != 0 ]; then
 ok "$FILE does not exist"
 else
- has_file_correct_permissions "$FILE" "$PERMISSIONS"
+ has_file_one_of_permissions "$FILE" "$PERMISSIONSOK"
 if [ "$FNRET" = 0 ]; then
 ok "$FILE has correct permissions"
 else
diff --git a/tests/hardening/6.1.6_etc_passwd-_permissions.sh b/tests/hardening/6.1.6_etc_passwd-_permissions.sh
index d1061d6..d613e63 100644
--- a/tests/hardening/6.1.6_etc_passwd-_permissions.sh
+++ b/tests/hardening/6.1.6_etc_passwd-_permissions.sh
@@ -10,6 +10,13 @@ test_audit() {
 local test_user="testetcpasswd-user"
 local test_file="/etc/passwd-"
+ describe Debian default right shall be accepted
+ chmod 644 "$test_file"
+ chown root:root "$test_file"
+ register_test retvalshouldbe 0
+ register_test contain "has correct permissions"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
 describe Tests purposely failing
 chmod 777 "$test_file"
 register_test retvalshouldbe 1
diff --git a/tests/hardening/6.1.7_etc_shadow-_permissions.sh b/tests/hardening/6.1.7_etc_shadow-_permissions.sh
index adbde07..04cf193 100644
--- a/tests/hardening/6.1.7_etc_shadow-_permissions.sh
+++ b/tests/hardening/6.1.7_etc_shadow-_permissions.sh
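Review bot: The positive case added to the 6.1.6 test exercises only 644, and the negative case visible in the hunk is still `chmod 777 "$test_file"`, which failed under the old single-value check too; nothing here distinguishes the new list-based check from one that rejects only 777. A mode just outside the accepted set would pin the boundary, e.g. `chmod 664 "$test_file"` with `register_test retvalshouldbe 1` and the run line the existing failing block uses. The 6.1.8 test hunk on the next line has the same gap, and test_audit() continues past the hunk in both files.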
@@ -10,6 +10,13 @@ test_audit() {
 local test_user="testetcshadow-user"
 local test_file="/etc/shadow-"
+ describe Debian default right shall be accepted
+ chmod 640 "$test_file"
+ chown root:shadow "$test_file"
+ register_test retvalshouldbe 0
+ register_test contain "has correct permissions"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
 describe Tests purposely failing
 chmod 777 "$test_file"
 register_test retvalshouldbe 1
diff --git a/tests/hardening/6.1.8_etc_group-_permissions.sh b/tests/hardening/6.1.8_etc_group-_permissions.sh
index 1c2dc39..1d4ea8d 100644
--- a/tests/hardening/6.1.8_etc_group-_permissions.sh
+++ b/tests/hardening/6.1.8_etc_group-_permissions.sh
@@ -10,6 +10,13 @@ test_audit() {
 local test_user="testetcgroup--user"
 local test_file="/etc/group-"
+ describe Debian default right shall be accepted
+ chmod 644 "$test_file"
+ chown root:root "$test_file"
+ register_test retvalshouldbe 0
+ register_test contain "has correct permissions"
+ run resolved /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
+
 describe Tests purposely failing
 chmod 777 "$test_file"
 register_test retvalshouldbe 1
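Review bot: For /etc/shadow- the boundary this commit introduces is that 644 must be rejected while 640 is accepted (PERMISSIONSOK for 6.1.7 is `640 600`, unlike the `644 640 600` of the other two), and neither the new 640 case nor the existing `chmod 777` case checks it; a later copy-paste of the passwd- list into 6.1.7 would pass this test unchanged. A failing case with 644 and root:shadow covers exactly that regression. The `run` label below is assumed to be the one the existing failing block (outside the hunk) uses; test_audit() continues past the hunk.

```shell
    describe Shadow backup readable by others shall be rejected
    chmod 644 "$test_file"
    chown root:shadow "$test_file"
    register_test retvalshouldbe 1
    run noncompliant /opt/debian-cis/bin/hardening/"${script}".sh --audit-all
    # … unchanged: existing "Tests purposely failing" block …
```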