Currently the plugin only checks owner and group, but not file permissions. CIS benchmarks always check both together. A --permissions extension or a separate file-permissions plugin would close this gap.
Additional points to consider:
- Files that do not exist are silently skipped, both for default and user-supplied paths. When a user explicitly passes --filename, a missing file could be reported as WARN instead of being silently ignored.
- For directories like /etc/cron.d or /etc/sudoers.d, only the directory itself is checked, not its contents. A recursive mode could catch ownership issues on files within those directories.
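A sketch of the three checks proposed in this comment (owner and group together with a maximum permission mode, WARN rather than silent skip for a missing explicitly supplied file, and optional recursion into directories), written here as an added Python example. It is not the plugin's own code; the `FileCheck`/`check` names and the temporary fixture that `run_demo` builds under a temp directory are assumptions for illustration.

```python
import os
import stat
import pwd
import grp
import tempfile
from dataclasses import dataclass
from typing import Iterator, List, Union


@dataclass
class FileCheck:
    """One CIS-style file check (hypothetical shape, not the plugin's API)."""
    path: str
    owner: Union[str, int]     # expected owner, as a user name or numeric uid
    group: Union[str, int]     # expected group, as a group name or numeric gid
    max_mode: int              # permission bits that must not be exceeded, e.g. 0o644
    explicit: bool = False     # True when the path came from --filename
    recursive: bool = False    # descend into directories such as /etc/cron.d


@dataclass
class Result:
    path: str
    status: str                # "PASS", "FAIL", "WARN" or "SKIP"
    detail: str


def _uid(owner: Union[str, int]) -> int:
    return owner if isinstance(owner, int) else pwd.getpwnam(owner).pw_uid


def _gid(group: Union[str, int]) -> int:
    return group if isinstance(group, int) else grp.getgrnam(group).gr_gid


def _walk(path: str, recursive: bool) -> Iterator[str]:
    """Yield the path itself and, in recursive mode, everything below it."""
    yield path
    if recursive and os.path.isdir(path):
        for root, dirs, files in os.walk(path):
            for name in dirs + files:
                yield os.path.join(root, name)


def check(fc: FileCheck) -> List[Result]:
    # Missing file: WARN if the user asked for it explicitly, otherwise SKIP.
    if not os.path.lexists(fc.path):
        return [Result(fc.path, "WARN" if fc.explicit else "SKIP", "file does not exist")]
    want_uid, want_gid = _uid(fc.owner), _gid(fc.group)
    results = []
    for p in _walk(fc.path, fc.recursive):
        st = os.lstat(p)            # lstat: judge the link itself, not its target
        problems = []
        if st.st_uid != want_uid:
            problems.append(f"owner uid {st.st_uid} != {want_uid}")
        if st.st_gid != want_gid:
            problems.append(f"group gid {st.st_gid} != {want_gid}")
        mode = stat.S_IMODE(st.st_mode)
        extra = mode & ~fc.max_mode  # any bit set beyond the allowed maximum
        if extra:
            problems.append(f"mode {mode:04o} exceeds {fc.max_mode:04o} (extra bits {extra:04o})")
        results.append(Result(p, "FAIL" if problems else "PASS", "; ".join(problems) or "ok"))
    return results


def run_demo() -> dict:
    """Build a constructed fixture in a temp dir and return {relative path: status}."""
    root = tempfile.mkdtemp(prefix="ownership-demo-")
    st = os.lstat(root)
    uid, gid = st.st_uid, st.st_gid   # the fixture belongs to whoever runs this
    good, bad = os.path.join(root, "good"), os.path.join(root, "bad")
    for p, mode in ((good, 0o600), (bad, 0o666)):
        open(p, "w").close()
        os.chmod(p, mode)
    cron = os.path.join(root, "cron.d")
    os.mkdir(cron)
    os.chmod(cron, 0o755)
    job = os.path.join(cron, "job")
    open(job, "w").close()
    os.chmod(job, 0o664)              # group-writable: should FAIL under 0o755
    missing = os.path.join(root, "missing")
    checks = [
        FileCheck(good, uid, gid, 0o644),
        FileCheck(bad, uid, gid, 0o644),
        FileCheck(missing, uid, gid, 0o644, explicit=True),
        FileCheck(cron, uid, gid, 0o755, recursive=True),
    ]
    out = {}
    for fc in checks:
        for r in check(fc):
            out[os.path.relpath(r.path, root)] = r.status
    return out


if __name__ == "__main__":
    for path, status in run_demo().items():
        print(f"{status:4} {path}")
```

The mode test uses `mode & ~max_mode` rather than equality, which matches how the benchmark items are phrased ("0644 or more restrictive"); a file with 0600 passes a 0644 check, while 0666 fails on the extra group/other write bits. In recursive mode the directory is reported first and every entry beneath it gets its own result, so a single bad file in /etc/cron.d shows up by name.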