Hello,
For CIS policy "CIS Red Hat Enterprise Linux 7 Benchmark Level 1 - Server v4.0.0, policy rule “6.2.3. Ensure all groups in /etc/passwd exist in /etc/group” if I want to edit it the command is
passing=“”;output=“”;EPG=“”;EGG=“”;EPG=$(cut -d: -f4 /etc/passwd | uniq);EGG=$(cut -d: -f3 /etc/group | uniq);for group in $EPG; do if [ -z “$(echo “$EGG” | grep -E “(^|\s)$group\b”)” ]; then [ -n “$output” ] && output=“$output $group” || output=$group;fi;done;[ -z “$output” ] && passing=true;if [ “$passing” = true ] ; then echo “All groups in /etc/passwd exist in /etc/group”;echo “XCCDF_RESULT:PASS”;else echo “The group(s) "$output" exist in /etc/passwd but don’t exist in /etc/group”;echo “XCCDF_RESULT:FAIL”;fi;
the command is not covering network/group providers like LDAP or AD.
I tried to update it to
passing=“”; output=“”; EPG=$(getent passwd | cut -d: -f4 | sort -u) EGG=$(getent group | cut -d: -f3 | sort -u) for group in $EPG; do if ! echo “$EGG” | grep -qw “$group”; then [ -n “$output” ] && output=“$output $group” || output=$group fi done [ -z “$output” ] && passing=true if [ “$passing” = true ]; then echo “All groups in getent passwd exist in getent group” echo “XCCDF_RESULT:PASS” else echo “The group(s) "$output" exist in passwd but don’t exist in group” echo “XCCDF_RESULT:FAIL” fi
but I got failed result.
Has someone tried editing commands like these?