2015-11-26 19:26:38 +00:00
#
# Copyright 2015, Patrick Muench
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# author: Christoph Hartmann
# author: Dominik Richter
# author: Patrick Muench
2016-12-21 18:53:32 +00:00
val_syslog_pkg = attribute ( 'syslog_pkg' , default : 'rsyslog' , description : 'syslog package to ensure present (default: rsyslog, alternative: syslog-ng...' )
2018-02-27 15:59:07 +00:00
container_execution = virtualization . role == 'guest' && virtualization . system =~ / ^(lxc|docker)$ /
2016-12-21 18:53:32 +00:00
2016-02-28 15:14:23 +00:00
control 'package-01' do
2015-11-26 19:26:38 +00:00
impact 1 . 0
title 'Do not run deprecated inetd or xinetd'
desc 'http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.1'
describe package ( 'inetd' ) do
it { should_not be_installed }
end
describe package ( 'xinetd' ) do
it { should_not be_installed }
end
end
2016-02-28 15:14:23 +00:00
control 'package-02' do
2015-11-26 19:26:38 +00:00
impact 1 . 0
title 'Do not install Telnet server'
2017-07-06 13:10:19 +00:00
desc 'Telnet protocol uses unencrypted communication, that means the password and other sensitive data are unencrypted. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.2'
2015-11-26 19:26:38 +00:00
describe package ( 'telnetd' ) do
it { should_not be_installed }
end
end
2016-02-28 15:14:23 +00:00
control 'package-03' do
2015-11-26 19:26:38 +00:00
impact 1 . 0
title 'Do not install rsh server'
desc 'The r-commands suffers same problem as telnet. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.3'
describe package ( 'telnetd' ) do
it { should_not be_installed }
end
end
2016-02-28 15:14:23 +00:00
control 'package-05' do
2015-11-26 19:26:38 +00:00
impact 1 . 0
title 'Do not install ypserv server (NIS)'
desc 'Network Information Service (NIS) has some security design weaknesses like inadequate protection of important authentication information. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.4'
describe package ( 'ypserv' ) do
it { should_not be_installed }
end
end
2016-02-28 15:14:23 +00:00
control 'package-06' do
2015-11-26 19:26:38 +00:00
impact 1 . 0
title 'Do not install tftp server'
desc 'tftp-server provides little security http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.5'
describe package ( 'tftp-server' ) do
it { should_not be_installed }
end
end
2016-09-18 20:38:55 +00:00
control 'package-07' do
impact 1 . 0
2016-12-21 18:53:32 +00:00
title 'Install syslog server package'
2016-09-18 20:38:55 +00:00
desc 'Syslog server is required to receive system and applications logs'
2017-11-09 20:44:18 +00:00
# Fedora doesn't install with a syslogger out of the box and instead uses
# systemd journal; as there is there is no affinity towards either rsyslog
# or syslog-ng, we'll skip this check on Fedora hosts.
2018-02-27 15:59:07 +00:00
only_if { os . name != 'fedora' && ! container_execution }
describe package ( val_syslog_pkg ) do
it { should be_installed }
end
2016-09-18 20:38:55 +00:00
end
control 'package-08' do
impact 1 . 0
title 'Install auditd'
desc 'auditd provides extended logging capacities on recent distribution'
2018-02-27 15:59:07 +00:00
only_if { ! container_execution }
2017-11-09 20:44:18 +00:00
audit_pkg = os . redhat? || os . suse? || os . name == 'amazon' || os . name == 'fedora' ? 'audit' : 'auditd'
2017-02-16 16:27:32 +00:00
describe package ( audit_pkg ) do
it { should be_installed }
2016-09-18 20:38:55 +00:00
end
describe auditd_conf do
its ( 'log_file' ) { should cmp '/var/log/audit/audit.log' }
its ( 'log_format' ) { should cmp 'raw' }
2017-05-10 21:23:18 +00:00
its ( 'flush' ) { should match ( / ^INCREMENTAL|INCREMENTAL_ASYNC$ / ) }
2017-11-13 16:27:42 +00:00
its ( 'max_log_file_action' ) { should cmp 'keep_logs' }
2016-09-18 20:38:55 +00:00
its ( 'space_left' ) { should cmp 75 }
its ( 'action_mail_acct' ) { should cmp 'root' }
its ( 'space_left_action' ) { should cmp 'SYSLOG' }
its ( 'admin_space_left' ) { should cmp 50 }
its ( 'admin_space_left_action' ) { should cmp 'SUSPEND' }
its ( 'disk_full_action' ) { should cmp 'SUSPEND' }
its ( 'disk_error_action' ) { should cmp 'SUSPEND' }
end
end
2017-07-02 21:24:31 +00:00
control 'package-09' do
impact 1 . 0
title 'CIS: Additional process hardening'
desc '1.5.4 Ensure prelink is disabled'
describe package ( 'prelink' ) do
it { should_not be_installed }
end
end