Merge pull request #184 from dev-sec/inspec6

ensure compatibility with new inspec version
2025-02-16 09:48:25 +00:00 · 2023-11-19 16:50:04 +01:00 · 2023-11-19 16:50:04 +01:00 · 1b2026ff42
commit 1b2026ff42
parent fe9081f632 19825b5565
3 changed files with 31 additions and 14 deletions
--- a/controls/os_spec.rb
+++ b/controls/os_spec.rb
@ -19,11 +19,11 @@
 # author: Dominik Richter
 # author: Patrick Muench

-login_defs_umask = input('login_defs_umask', value: os.redhat? ? '077' : '027', description: 'Default umask to set in login.defs')
+login_defs_umask = input('login_defs_umask', value: os.redhat? ? '077' : '027')

-login_defs_passmaxdays = input('login_defs_passmaxdays', value: '60', description: 'Default password maxdays to set in login.defs')
-login_defs_passmindays = input('login_defs_passmindays', value: '7', description: 'Default password mindays to set in login.defs')
-login_defs_passwarnage = input('login_defs_passwarnage', value: '7', description: 'Default password warnage (days) to set in login.defs')
+login_defs_passmaxdays = input('login_defs_passmaxdays', value: '60')
+login_defs_passmindays = input('login_defs_passmindays', value: '7')
+login_defs_passwarnage = input('login_defs_passwarnage', value: '7')

 shadow_group = 'root'
 shadow_group = 'shadow' if os.debian? || os.suse? || os.name == 'alpine'
@ -35,8 +35,7 @@ end

 blacklist = input(
  'blacklist',
-  value: suid_blacklist.default,
-  description: 'blacklist of suid/sgid program on system'
+  value: suid_blacklist.default
 )

 cpuvulndir = '/sys/devices/system/cpu/vulnerabilities/'
@ -59,20 +58,17 @@ cpuvulndir = '/sys/devices/system/cpu/vulnerabilities/'

 mount_exec_blocklist = input(
  'mount_exec_blocklist',
-  value: ['/boot', '/dev', '/dev/shm', '/tmp', '/var/log', '/var/log/audit', '/var/tmp'],
-  description: 'List of mountpoints where \'noexec\' mount option should be set'
+  value: ['/boot', '/dev', '/dev/shm', '/tmp', '/var/log', '/var/log/audit', '/var/tmp']
 )

 mount_suid_blocklist = input(
  'mount_suid_blocklist',
-  value: ['/boot', '/dev', '/dev/shm', '/home', '/run', '/tmp', '/var', '/var/log', '/var/log/audit', '/var/tmp'],
-  description: 'List of mountpoints where \'nosuid\' mount option should be set'
+  value: ['/boot', '/dev', '/dev/shm', '/home', '/run', '/tmp', '/var', '/var/log', '/var/log/audit', '/var/tmp']
 )

 mount_dev_blocklist = input(
  'mount_dev_blocklist',
-  value: ['/boot', '/dev/shm', '/home', '/run', '/tmp', '/var', '/var/log', '/var/log/audit', '/var/tmp'],
-  description: 'List of mountpoints where \'nodev\' mount option should be set'
+  value: ['/boot', '/dev/shm', '/home', '/run', '/tmp', '/var', '/var/log', '/var/log/audit', '/var/tmp']
 )

 control 'os-01' do
--- a/controls/sysctl_spec.rb
+++ b/controls/sysctl_spec.rb
@ -19,8 +19,8 @@
 # author: Dominik Richter
 # author: Patrick Muench

-sysctl_forwarding = input('sysctl_forwarding', value: false, description: 'Is network forwarding needed?')
-kernel_modules_disabled = input('kernel_modules_disabled', value: 0, description: 'Should loading of kernel modules be disabled?')
+sysctl_forwarding = input('sysctl_forwarding', value: false)
+kernel_modules_disabled = input('kernel_modules_disabled', value: 0)
 container_execution = begin
  virtualization.role == 'guest' && virtualization.system =~ /^(lxc|docker)$/
                      rescue NoMethodError
--- a/inspec.yml
+++ b/inspec.yml
@ -10,3 +10,24 @@ inspec_version: '>= 4.6.3'
 version: 2.9.0
 supports:
    - os-family: linux
+inputs:
+    - name: login_defs_umask
+      description: Default umask to set in login.defs
+    - name: login_defs_passmaxdays
+      description: Default password maxdays to set in login.defs
+    - name: login_defs_passmindays
+      description: Default password mindays to set in login.defs
+    - name: login_defs_passwarnage
+      description: Default password warnage (days) to set in login.defs
+    - name: blacklist
+      description: blacklist of suid/sgid program on system
+    - name: mount_exec_blocklist
+      description: List of mountpoints where 'noexec' mount option should be set
+    - name: mount_suid_blocklist
+      description: List of mountpoints where 'nosuid' mount option should be set
+    - name: mount_dev_blocklist
+      description: List of mountpoints where 'nodev' mount option should be set
+    - name: sysctl_forwarding
+      description: Is network forwarding needed?
+    - name: kernel_modules_disabled
+      description: Should loading of kernel modules be disabled?