#
# Copyright 2015, Patrick Muench
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# author: Christoph Hartmann
# author: Dominik Richter
# author: Patrick Muench
# Tunable expectations for /etc/login.defs, consumed by control os-05.
# The defaults are strings on purpose: os-05 compares the password-ageing
# values with `eq` and the umask with `include`, both against string values.
login_defs_umask = attribute(
  'login_defs_umask',
  default: '027',
  description: 'Default umask to set in login.defs'
)
login_defs_passmaxdays = attribute(
  'login_defs_passmaxdays',
  default: '60',
  description: 'Default password maxdays to set in login.defs'
)
login_defs_passmindays = attribute(
  'login_defs_passmindays',
  default: '7',
  description: 'Default password mindays to set in login.defs'
)
login_defs_passwarnage = attribute(
  'login_defs_passwarnage',
  default: '7',
  description: 'Default password warnage (days) to set in login.defs'
)
# Expected group owner of /etc/shadow, used by control os-02. Debian- and
# SUSE-based platforms use a dedicated 'shadow' group; everywhere else the
# file is expected to be group-owned by root.
shadow_group = (os.debian? || os.suse?) ? 'shadow' : 'root'
# SUID/SGID programs that must not be present on the host. Control os-06
# intersects this list with the setuid/setgid files it actually finds, so
# only paths listed here are ever reported. Override the attribute to adapt
# the list per platform. The commented-out entries at the end were observed
# on Ubuntu xenial and have not been assessed yet.
blacklist = attribute(
  'blacklist',
  default: [
    # blacklist as provided by NSA
    '/usr/bin/rcp',
    '/usr/bin/rlogin',
    '/usr/bin/rsh',
    # sshd must not use host-based authentication (see ssh cookbook)
    '/usr/libexec/openssh/ssh-keysign',
    '/usr/lib/openssh/ssh-keysign',
    # misc others
    '/sbin/netreport',         # not normally required for user
    '/usr/sbin/usernetctl',    # modify interfaces via functional accounts
                               # connecting to ...
    '/usr/sbin/userisdnctl',   # no isdn...
    '/usr/sbin/pppd',          # no ppp / dsl ...
    # lockfile
    '/usr/bin/lockfile',
    '/usr/bin/mail-lock',
    '/usr/bin/mail-unlock',
    '/usr/bin/mail-touchlock',
    '/usr/bin/dotlockfile',
    # need more investigation, blacklist for now
    '/usr/bin/arping',
    '/usr/sbin/arping',
    '/usr/sbin/uuidd',
    '/usr/bin/mtr',                                 # investigate current state...
    '/usr/lib/evolution/camel-lock-helper-1.2',     # investigate current state...
    '/usr/lib/pt_chown',                            # pseudo-tty, needed?
    '/usr/lib/eject/dmcrypt-get-device',
    '/usr/lib/mc/cons.saver'                        # midnight commander screensaver
    # from Ubuntu xenial, need to investigate
    # '/sbin/unix_chkpwd',
    # '/sbin/pam_extrausers_chkpwd',
    # '/usr/lib/x86_64-linux-gnu/utempter/utempter',
    # '/usr/sbin/postdrop',
    # '/usr/sbin/postqueue',
    # '/usr/bin/ssh-agent',
    # '/usr/bin/mlocate',
    # '/usr/bin/crontab',
    # '/usr/bin/screen',
    # '/usr/bin/expiry',
    # '/usr/bin/wall',
    # '/usr/bin/chage',
    # '/usr/bin/bsd-write'
  ],
  description: 'blacklist of suid/sgid program on system'
)
control 'os-01' do
  impact 1.0
  title 'Trusted hosts login'
  desc "Rhosts/hosts.equiv files are a weak implemenation of authentication. Disabling the .rhosts and hosts.equiv support helps to prevent users from subverting the system's normal access control mechanisms of the system."
  # Every path that find prints is a finding, so an empty stdout passes.
  # stderr is not redirected here, but only stdout is asserted on.
  # Control os-09 performs an overlapping (case-insensitive) search for .rhosts.
  describe command("find / -name '.rhosts'") do
    its('stdout') { should be_empty }
  end
  describe command("find / -name 'hosts.equiv' ") do
    its('stdout') { should be_empty }
  end
end
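control 'os-02' do
  impact 1.0
  title 'Check owner and permissions for /etc/shadow'
  desc 'Check periodically the owner and permissions for /etc/shadow'
  # /etc/shadow holds the password hashes: it must be a root-owned regular
  # file that only root (and, on Debian/SUSE, the 'shadow' group) can read
  # and that nobody but the owner can write. shadow_group is computed at the
  # top of the profile from the same os.debian? || os.suse? test used below.
  describe file('/etc/shadow') do
    it { should exist }
    it { should be_file }
    it { should be_owned_by 'root' }
    its('group') { should eq shadow_group }
    it { should_not be_executable }
    it { should be_writable.by('owner') }
    # Group/other write access was previously not asserted, so a mode such
    # as 0620 or 0622 passed this control; os-03 already makes the same
    # assertions for /etc/passwd.
    it { should_not be_writable.by('group') }
    it { should_not be_writable.by('other') }
    it { should be_readable.by('owner') }
    it { should_not be_readable.by('other') }
  end
  # Group read access is only acceptable where a dedicated shadow group exists.
  if os.debian? || os.suse?
    describe file('/etc/shadow') do
      it { should be_readable.by('group') }
    end
  else
    describe file('/etc/shadow') do
      it { should_not be_readable.by('group') }
    end
  end
end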
control 'os-03' do
  impact 1.0
  title 'Check owner and permissions for /etc/passwd'
  desc 'Check periodically the owner and permissions for /etc/passwd'
  # /etc/passwd is expected to be readable by everyone but writable by the
  # owner (root) only, and never executable.
  describe file('/etc/passwd') do
    it { should exist }
    it { should be_file }
    it { should be_owned_by 'root' }
    its('group') { should eq 'root' }
    it { should_not be_executable }
    it { should be_writable.by('owner') }
    %w[group other].each do |who|
      it { should_not be_writable.by(who) }
    end
    %w[owner group other].each do |who|
      it { should be_readable.by(who) }
    end
  end
end
control 'os-04' do
  impact 1.0
  title 'Dot in PATH variable'
  desc 'Do not include the current working directory in PATH variable. This makes it easier for an attacker to gain extensive rigths by executing a Trojan program'
  # An empty PATH element (leading, trailing or doubled colon) is treated by
  # the shell like '.', so both spellings of "current directory" are rejected.
  # The PATH inspected is the one of the environment the profile runs in.
  describe os_env('PATH') do
    ['', '.'].each do |cwd_entry|
      its('split') { should_not include(cwd_entry) }
    end
  end
end
control 'os-05' do
  impact 1.0
  title 'Check login.defs'
  desc 'Check owner and permissions for login.defs. Also check the configured PATH variable and umask in login.defs'
  # Ownership and permissions: root-owned, world-readable, not executable.
  describe file('/etc/login.defs') do
    it { should exist }
    it { should be_file }
    it { should be_owned_by 'root' }
    its('group') { should eq 'root' }
    it { should_not be_executable }
    %w[owner group other].each do |who|
      it { should be_readable.by(who) }
    end
  end
  # Content: the PATH and UMASK checks use `include` (substring match). The
  # password-ageing expectations come from the login_defs_* attributes
  # defined at the top of the profile; the remaining values are fixed.
  describe login_defs do
    its('ENV_SUPATH') { should include('/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin') }
    its('ENV_PATH') { should include('/usr/local/bin:/usr/bin:/bin') }
    its('UMASK') { should include(login_defs_umask) }
    its('PASS_MAX_DAYS') { should eq login_defs_passmaxdays }
    its('PASS_MIN_DAYS') { should eq login_defs_passmindays }
    its('PASS_WARN_AGE') { should eq login_defs_passwarnage }
    its('LOGIN_RETRIES') { should eq '5' }
    its('LOGIN_TIMEOUT') { should eq '60' }
    its('UID_MIN') { should eq '1000' }
    its('GID_MIN') { should eq '1000' }
  end
end
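control 'os-05b' do
  impact 1.0
  title 'Check login.defs - RedHat specific'
  # The description used to be a copy of os-05's and named checks (PATH,
  # umask, ownership) that this control does not perform; it now states
  # what is actually asserted below.
  desc 'Check that login.defs is not writable and that the system account ranges SYS_UID_MIN/SYS_UID_MAX and SYS_GID_MIN/SYS_GID_MAX in login.defs are 100-999 - RedHat specific'
  # NOTE(review): be_writable without .by() appears to test the write bit
  # for owner, group and other together, i.e. this demands a read-only
  # mode such as 0444 - confirm against the InSpec version in use.
  describe file('/etc/login.defs') do
    it { should_not be_writable }
  end
  # Reserved id range for system accounts/groups on RedHat-family systems.
  describe login_defs do
    its('SYS_UID_MIN') { should eq '100' }
    its('SYS_UID_MAX') { should eq '999' }
    its('SYS_GID_MIN') { should eq '100' }
    its('SYS_GID_MAX') { should eq '999' }
  end
  # The whole control is skipped on non-RedHat platforms.
  only_if { os.redhat? }
end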
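control 'os-06' do
  impact 1.0
  title 'Check for SUID/ SGID blacklist'
  desc 'Find blacklisted SUID and SGID files to ensure that no rogue SUID and SGID files have been introduced into the system'
  # List every setuid or setgid regular file outside /proc and the LXD
  # container rootfs trees. The two -perm tests are grouped explicitly:
  # find's implicit -a binds tighter than -o, so without the parentheses the
  # expression read "-perm -4000 OR (-perm -2000 AND -type f AND ... AND
  # -print)" - setuid files matched the left side, which carries no action,
  # and were never printed, silently exempting them from this control.
  # stderr is discarded and stray "find:" diagnostics are filtered out.
  setuid_sgid_files = command('find / \( -perm -4000 -o -perm -2000 \) -type f ! -path \'/proc/*\' ! -path \'/var/lib/lxd/containers/*\' -print 2>/dev/null | grep -v \'^find:\'')
  # Only the intersection with the blacklist attribute is reported; any
  # other file with the suid/sgid bit set is tolerated by this control.
  blacklisted_present = setuid_sgid_files.stdout.split(/\r?\n/) & blacklist
  describe blacklisted_present do
    it { should be_empty }
  end
end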
control 'os-07' do
  impact 1.0
  title 'Unique uid and gid'
  desc 'Check for unique uids gids'
  # A duplicated numeric id lets two accounts (or two groups) share one
  # identity on the filesystem, so both the user and the group table are
  # checked for duplicates.
  [[passwd, 'uids'], [etc_group, 'gids']].each do |table, ids|
    describe table do
      its(ids) { should_not contain_duplicates }
    end
  end
end
control 'os-08' do
  impact 1.0
  title 'Entropy'
  desc 'Check system has enough entropy - greater than 1000'
  # If the file is absent and content comes back nil, nil.to_i is 0, so the
  # control fails the threshold rather than raising.
  # NOTE(review): kernels with the reworked CRNG (5.18 and later) report
  # entropy_avail as a constant that never reaches 1000 - confirm the
  # threshold is still meaningful for the target kernels.
  available_entropy = file('/proc/sys/kernel/random/entropy_avail').content.to_i
  describe available_entropy do
    it { should >= 1000 }
  end
end
control 'os-09' do
  impact 1.0
  title 'Check for .rhosts and .netrc file'
  desc 'Find .rhosts and .netrc files - CIS Benchmark 9.2.9-10'
  # Case-insensitive search over the whole filesystem; stderr is discarded
  # and stray "find:" diagnostics are filtered out before stdout is split
  # into one path per line. Overlaps with os-01 for .rhosts.
  found_files = command('find / \( -iname .rhosts -o -iname .netrc \) -print 2>/dev/null | grep -v \'^find:\'').stdout.split(/\r?\n/)
  describe found_files do
    it { should be_empty }
  end
end