Rule: https://github.com/wazuh/wazuh/blob/73a6d75d54e67062a9b087452dcc286d978e8e8c/ruleset/sca/ubuntu/cis_ubuntu24-04.yml#L6521-L6543
The check is currently implemented this way:
condition: all
rules:
- 'c:stat -c "%a %U %G" /etc/security/opasswd -> r:^600\s+root\s+root$'
- 'c:stat -c "%a %U %G" /etc/security/opasswd.old -> r:^600\s+root\s+root$'
# stat -c "%a %U %G" /etc/security/opasswd
600 root root
# stat -c "%a %U %G" /etc/security/opasswd.old
stat: cannot statx '/etc/security/opasswd.old': No such file or directory
and the check fails.
The "7.1.10 Ensure permissions on /etc/security/opasswd are configured (Automated)" rule of the CIS Ubuntu Linux 24.04 LTS Benchmark v1.0.0 - 08-26-2024 (page 952) says:
Run the following commands to verify /etc/security/opasswd and /etc/security/opasswd.old are mode 600 or more restrictive, Uid is 0/root and Gid is 0/root if they exist
Therefore, it is OK if the file does not exist. Indeed, opasswd.old is only created when old passwords are rotated. If the system has never rotated passwords or the file was cleaned, its absence is normal and not a security issue.
Quick fix (it depends on the system locale):
rules:
- - 'c:stat -c "%a %U %G" /etc/security/opasswd -> r:^600\s+root\s+root$'
- - 'c:stat -c "%a %U %G" /etc/security/opasswd.old -> r:^600\s+root\s+root$'
+ - 'c:stat -c "%a %U %G" /etc/security/opasswd -> r:^600\s+root\s+root$|No such file or directory'
+ - 'c:stat -c "%a %U %G" /etc/security/opasswd.old -> r:^600\s+root\s+root$|No such file or directory'
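Review bot: the alternation in `r:^600\s+root\s+root$|No such file or directory` anchors only the first branch, and the second branch depends on two things worth confirming before merging: that the SCA command runner scans stat's stderr (the error message is not on stdout), and that the agent runs under a locale that produces that English text, which the post itself flags as a dependency. Separately, the regex still accepts only `600`, while the benchmark text quoted above asks for "mode 600 or more restrictive", so an `opasswd` at 400 would keep failing with this patch; an explicit existence test such as the `sh -c "[ -f ... ] && ..."` variant proposed below avoids the stderr and locale issues, and checking the mode numerically rather than as a literal string would cover the "or more restrictive" case.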
Or this:
- 'c:sh -c "[ -f /etc/security/opasswd ] && stat -c \"%a %U %G\" /etc/security/opasswd | grep -Fqx \"600 root root\""'
- 'c:sh -c "[ -f /etc/security/opasswd.old ] && stat -c \"%a %U %G\" /etc/security/opasswd.old | grep -Fqx \"600 root root\""'
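As an added example (not from the issue or the Wazuh ruleset), a standalone shell function that follows the benchmark wording directly: a missing file is compliant, any permission bit outside 0600 is non-compliant, and owner/group must match. It tests existence with `[ -e ]` instead of matching stat's error text, so the locale no longer matters; it assumes GNU coreutils `stat` (`-c '%a %U %G'`), and the owner/group arguments (default root/root) are there so the function can be exercised without root.

```shell
# Added example, not part of the issue or the Wazuh ruleset.
# Implements CIS 7.1.10 as quoted above: "mode 600 or more restrictive,
# Uid root, Gid root, if they exist". Assumes GNU stat.
#
# cis_opasswd_check PATH [OWNER] [GROUP]
#   returns 0 when PATH is absent, or when no mode bit outside 0600 is set
#   and owner/group match (defaults root/root); returns 1 otherwise.
cis_opasswd_check() {
    cis_path=$1
    cis_want_owner=${2:-root}
    cis_want_group=${3:-root}

    # "if they exist": absence is compliant, so no stderr text to match.
    [ -e "$cis_path" ] || return 0

    # LC_ALL=C keeps the output format stable regardless of the agent's locale.
    set -- $(LC_ALL=C stat -c '%a %U %G' "$cis_path")
    [ -n "$3" ] || return 1          # stat produced nothing usable
    cis_mode=$1 cis_owner=$2 cis_group=$3

    # "600 or more restrictive": reject any bit that is not u+r or u+w.
    # The leading 0 makes the arithmetic read the value as octal, so this also
    # catches setuid/setgid/sticky (e.g. 4600) and not just group/other bits.
    [ $(( 0$cis_mode & ~0600 )) -eq 0 ] || return 1
    [ "$cis_owner" = "$cis_want_owner" ] || return 1
    [ "$cis_group" = "$cis_want_group" ] || return 1
    return 0
}

# Both files the benchmark names; non-zero if either one is non-compliant.
cis_7_1_10() {
    cis_opasswd_check /etc/security/opasswd &&
    cis_opasswd_check /etc/security/opasswd.old
}
```

Run `cis_7_1_10 && echo compliant || echo non-compliant` as root on the target host; the same logic can be dropped into a `c:sh -c "..."` SCA rule if the permission check should stay in the ruleset.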