linux-baseline/controls/package_spec.rb

# frozen_string_literal: true

#
# Copyright:: 2015, Patrick Muench
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# author: Christoph Hartmann
# author: Dominik Richter
# author: Patrick Muench

container_execution = begin
  virtualization.role == 'guest' && virtualization.system =~ /^(lxc|docker)$/
                      rescue NoMethodError
                        false
end

control 'package-01' do
  impact 1.0
  title 'Do not run deprecated inetd or xinetd'
  desc 'http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.1'
  describe package('inetd') do
    it { should_not be_installed }
  end
  describe package('xinetd') do
    it { should_not be_installed }
  end
end

control 'package-02' do
  impact 1.0
  title 'Do not install Telnet server'
  desc 'Telnet protocol uses unencrypted communication, that means the password and other sensitive data are unencrypted. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.2'
  describe package('telnetd') do
    it { should_not be_installed }
  end
end

control 'package-03' do
  impact 1.0
  title 'Do not install rsh server'
  desc 'The r-commands suffers same problem as telnet. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.3'
  describe package('rsh-server') do
    it { should_not be_installed }
  end
end

# package-04 is reserved, because we forgot to use it in the first-place :-)

control 'package-05' do
  impact 1.0
  title 'Do not install ypserv server (NIS)'
  desc 'Network Information Service (NIS) has some security design weaknesses like inadequate protection of important authentication information. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.4'
  describe package('ypserv') do
    it { should_not be_installed }
  end
end

control 'package-06' do
  impact 1.0
  title 'Do not install tftp server'
  desc 'tftp-server provides little security http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.5'
  describe package('tftp-server') do
    it { should_not be_installed }
  end
end

control 'package-08' do
  impact 1.0
  title 'Install auditd'
  desc 'auditd provides extended logging capabilities on recent distributions'
  only_if { !container_execution }
  audit_pkg = os.redhat? || os.suse? || os.name == 'amazon' || os.name == 'fedora' || os.name == 'arch' ? 'audit' : 'auditd'
  describe package(audit_pkg) do
    it { should be_installed }
  end
  describe auditd_conf do
    its('log_file') { should cmp '/var/log/audit/audit.log' }
    its('log_format') { should cmp 'raw' }
    its('flush') { should match(/^incremental|INCREMENTAL|incremental_async|INCREMENTAL_ASYNC$/) }
    its('max_log_file_action') { should cmp 'keep_logs' }
    its('space_left') { should cmp 75 }
    its('action_mail_acct') { should cmp 'root' }
    its('space_left_action') { should cmp 'SYSLOG' }
    its('admin_space_left') { should cmp 50 }
    its('admin_space_left_action') { should cmp 'SUSPEND' }
    its('disk_full_action') { should cmp 'SUSPEND' }
    its('disk_error_action') { should cmp 'SUSPEND' }
  end
end

control 'package-09' do
  impact 1.0
  title 'CIS: Additional process hardening'
  desc '1.5.4 Ensure prelink is disabled'
  describe package('prelink') do
    it { should_not be_installed }
  end
end
update code to conform to new linting rules (#145) * update code to conform to new linting rules Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * disable unneeded linting rule Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> 2021-01-29 10:27:31 +00:00			`# frozen_string_literal: true`

some more rubocop fixing Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com> 2015-11-26 19:26:38 +00:00			`#`
apply cookstyle fixes Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> 2022-03-18 19:41:09 +00:00			`# Copyright:: 2015, Patrick Muench`
some more rubocop fixing Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com> 2015-11-26 19:26:38 +00:00			`#`
			`# Licensed under the Apache License, Version 2.0 (the "License");`
			`# you may not use this file except in compliance with the License.`
			`# You may obtain a copy of the License at`
			`#`
			`# http://www.apache.org/licenses/LICENSE-2.0`
			`#`
			`# Unless required by applicable law or agreed to in writing, software`
			`# distributed under the License is distributed on an "AS IS" BASIS,`
			`# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`# See the License for the specific language governing permissions and`
			`# limitations under the License.`
			`#`
			`# author: Christoph Hartmann`
			`# author: Dominik Richter`
			`# author: Patrick Muench`

fix virtualization usage in older inspec versions (#95) This profile throws an exception when using InSpec < 2.0.30 on non-virtualized systems because this fix (https://github.com/inspec/inspec/pull/2603) was not included in prior versions. This pull simply catches the exception where virtualization.* is called in pure Ruby. 2018-06-05 12:23:42 +00:00			`container_execution = begin`
update code to conform to new linting rules (#145) * update code to conform to new linting rules Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * disable unneeded linting rule Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> 2021-01-29 10:27:31 +00:00			`virtualization.role == 'guest' && virtualization.system =~ /^(lxc\|docker)$/`
apply cookstyle fixes Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> 2022-03-18 19:41:09 +00:00			`rescue NoMethodError`
			`false`
update code to conform to new linting rules (#145) * update code to conform to new linting rules Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * disable unneeded linting rule Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> 2021-01-29 10:27:31 +00:00			`end`
use attributes, include PR feedback 2016-12-21 18:53:32 +00:00
update identifier 2016-02-28 15:14:23 +00:00			`control 'package-01' do`
some more rubocop fixing Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com> 2015-11-26 19:26:38 +00:00			`impact 1.0`
			`title 'Do not run deprecated inetd or xinetd'`
			`desc 'http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.1'`
			`describe package('inetd') do`
			`it { should_not be_installed }`
			`end`
			`describe package('xinetd') do`
			`it { should_not be_installed }`
			`end`
			`end`

update identifier 2016-02-28 15:14:23 +00:00			`control 'package-02' do`
some more rubocop fixing Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com> 2015-11-26 19:26:38 +00:00			`impact 1.0`
			`title 'Do not install Telnet server'`
Update package_spec.rb Fix the spelling of "password" 2017-07-06 13:10:19 +00:00			`desc 'Telnet protocol uses unencrypted communication, that means the password and other sensitive data are unencrypted. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.2'`
some more rubocop fixing Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com> 2015-11-26 19:26:38 +00:00			`describe package('telnetd') do`
			`it { should_not be_installed }`
			`end`
			`end`

update identifier 2016-02-28 15:14:23 +00:00			`control 'package-03' do`
some more rubocop fixing Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com> 2015-11-26 19:26:38 +00:00			`impact 1.0`
			`title 'Do not install rsh server'`
			`desc 'The r-commands suffers same problem as telnet. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.3'`
Update to test for rsh-server instead of duplicate telnetd (#98) 2018-07-19 14:01:07 +00:00			`describe package('rsh-server') do`
some more rubocop fixing Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com> 2015-11-26 19:26:38 +00:00			`it { should_not be_installed }`
			`end`
			`end`

add documentation for missing package-04 control Signed-off-by: Christoph Hartmann <chris@lollyrock.com> 2019-09-19 07:58:51 +00:00			`# package-04 is reserved, because we forgot to use it in the first-place :-)`

update identifier 2016-02-28 15:14:23 +00:00			`control 'package-05' do`
some more rubocop fixing Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com> 2015-11-26 19:26:38 +00:00			`impact 1.0`
			`title 'Do not install ypserv server (NIS)'`
			`desc 'Network Information Service (NIS) has some security design weaknesses like inadequate protection of important authentication information. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.4'`
			`describe package('ypserv') do`
			`it { should_not be_installed }`
			`end`
			`end`

update identifier 2016-02-28 15:14:23 +00:00			`control 'package-06' do`
some more rubocop fixing Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com> 2015-11-26 19:26:38 +00:00			`impact 1.0`
			`title 'Do not install tftp server'`
			`desc 'tftp-server provides little security http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.5'`
			`describe package('tftp-server') do`
			`it { should_not be_installed }`
			`end`
			`end`
differentiate redhat/debian test, add extra conditions like entropy or ENV dependent test 2016-09-18 20:38:55 +00:00
			`control 'package-08' do`
			`impact 1.0`
			`title 'Install auditd'`
update grammar in desc 2018-08-14 03:52:11 +00:00			`desc 'auditd provides extended logging capabilities on recent distributions'`
Skip auditd and sysctl tests for containers See https://github.com/dev-sec/chef-os-hardening/pull/199 for reference Signed-off-by: Artem Sidorenko <artem@posteo.de> 2018-02-27 15:59:07 +00:00			`only_if { !container_execution }`
add archlinux-support for audit-check Signed-off-by: Sebastian Gumprich <github@gumpri.ch> 2020-08-22 12:03:57 +00:00			`audit_pkg = os.redhat? \|\| os.suse? \|\| os.name == 'amazon' \|\| os.name == 'fedora' \|\| os.name == 'arch' ? 'audit' : 'auditd'`
Use one block 2017-02-16 16:27:32 +00:00			`describe package(audit_pkg) do`
			`it { should be_installed }`
differentiate redhat/debian test, add extra conditions like entropy or ENV dependent test 2016-09-18 20:38:55 +00:00			`end`
			`describe auditd_conf do`
			`its('log_file') { should cmp '/var/log/audit/audit.log' }`
			`its('log_format') { should cmp 'raw' }`
Allow for lowercase auditd config flush value. Signed-off-by: Sam Marshall <sam@foundu.com.au> 2019-07-16 02:07:07 +00:00			`its('flush') { should match(/^incremental\|INCREMENTAL\|incremental_async\|INCREMENTAL_ASYNC$/) }`
CIS 4.1.1.3 2017-11-13 16:27:42 +00:00			`its('max_log_file_action') { should cmp 'keep_logs' }`
differentiate redhat/debian test, add extra conditions like entropy or ENV dependent test 2016-09-18 20:38:55 +00:00			`its('space_left') { should cmp 75 }`
			`its('action_mail_acct') { should cmp 'root' }`
			`its('space_left_action') { should cmp 'SYSLOG' }`
			`its('admin_space_left') { should cmp 50 }`
			`its('admin_space_left_action') { should cmp 'SUSPEND' }`
			`its('disk_full_action') { should cmp 'SUSPEND' }`
			`its('disk_error_action') { should cmp 'SUSPEND' }`
			`end`
			`end`
CIS 1.5.4 Ensure prelink is disabled Signed-off-by: bitvijays <bitvijays@gmail.com> 2017-07-02 21:24:31 +00:00
			`control 'package-09' do`
			`impact 1.0`
			`title 'CIS: Additional process hardening'`
			`desc '1.5.4 Ensure prelink is disabled'`
			`describe package('prelink') do`
			`it { should_not be_installed }`
			`end`
			`end`