mirror of
https://github.com/dev-sec/linux-baseline
synced 2025-02-16 17:58:24 +00:00
fix rubocop Conventions
This commit is contained in:
juju4
parent
ed00917131
commit
1ec817fe20
1 changed files with 44 additions and 44 deletions
|
|
@ -28,50 +28,50 @@ elsif os.debian?
|
|||
end
|
||||
blacklist = attribute(
|
||||
'blacklist',
|
||||
default: [
|
||||
# blacklist as provided by NSA
|
||||
'/usr/bin/rcp', '/usr/bin/rlogin', '/usr/bin/rsh',
|
||||
# sshd must not use host-based authentication (see ssh cookbook)
|
||||
'/usr/libexec/openssh/ssh-keysign',
|
||||
'/usr/lib/openssh/ssh-keysign',
|
||||
# misc others
|
||||
'/sbin/netreport', # not normally required for user
|
||||
'/usr/sbin/usernetctl', # modify interfaces via functional accounts
|
||||
# connecting to ...
|
||||
'/usr/sbin/userisdnctl', # no isdn...
|
||||
'/usr/sbin/pppd', # no ppp / dsl ...
|
||||
# lockfile
|
||||
'/usr/bin/lockfile',
|
||||
'/usr/bin/mail-lock',
|
||||
'/usr/bin/mail-unlock',
|
||||
'/usr/bin/mail-touchlock',
|
||||
'/usr/bin/dotlockfile',
|
||||
# need more investigation, blacklist for now
|
||||
'/usr/bin/arping',
|
||||
'/usr/sbin/arping',
|
||||
'/usr/sbin/uuidd',
|
||||
'/usr/bin/mtr', # investigate current state...
|
||||
'/usr/lib/evolution/camel-lock-helper-1.2', # investigate current state...
|
||||
'/usr/lib/pt_chown', # pseudo-tty, needed?
|
||||
'/usr/lib/eject/dmcrypt-get-device',
|
||||
'/usr/lib/mc/cons.saver' # midnight commander screensaver
|
||||
# from Ubuntu xenial, need to investigate
|
||||
# '/sbin/unix_chkpwd',
|
||||
# '/sbin/pam_extrausers_chkpwd',
|
||||
# '/usr/lib/x86_64-linux-gnu/utempter/utempter',
|
||||
# '/usr/sbin/postdrop',
|
||||
# '/usr/sbin/postqueue',
|
||||
# '/usr/bin/ssh-agent',
|
||||
# '/usr/bin/mlocate',
|
||||
# '/usr/bin/crontab',
|
||||
# '/usr/bin/screen',
|
||||
# '/usr/bin/expiry',
|
||||
# '/usr/bin/wall',
|
||||
# '/usr/bin/chage',
|
||||
# '/usr/bin/bsd-write'
|
||||
],
|
||||
description: 'blacklist of suid/sgid program on system'
|
||||
)
|
||||
default: [
|
||||
# blacklist as provided by NSA
|
||||
'/usr/bin/rcp', '/usr/bin/rlogin', '/usr/bin/rsh',
|
||||
# sshd must not use host-based authentication (see ssh cookbook)
|
||||
'/usr/libexec/openssh/ssh-keysign',
|
||||
'/usr/lib/openssh/ssh-keysign',
|
||||
# misc others
|
||||
'/sbin/netreport', # not normally required for user
|
||||
'/usr/sbin/usernetctl', # modify interfaces via functional accounts
|
||||
# connecting to ...
|
||||
'/usr/sbin/userisdnctl', # no isdn...
|
||||
'/usr/sbin/pppd', # no ppp / dsl ...
|
||||
# lockfile
|
||||
'/usr/bin/lockfile',
|
||||
'/usr/bin/mail-lock',
|
||||
'/usr/bin/mail-unlock',
|
||||
'/usr/bin/mail-touchlock',
|
||||
'/usr/bin/dotlockfile',
|
||||
# need more investigation, blacklist for now
|
||||
'/usr/bin/arping',
|
||||
'/usr/sbin/arping',
|
||||
'/usr/sbin/uuidd',
|
||||
'/usr/bin/mtr', # investigate current state...
|
||||
'/usr/lib/evolution/camel-lock-helper-1.2', # investigate current state...
|
||||
'/usr/lib/pt_chown', # pseudo-tty, needed?
|
||||
'/usr/lib/eject/dmcrypt-get-device',
|
||||
'/usr/lib/mc/cons.saver' # midnight commander screensaver
|
||||
# from Ubuntu xenial, need to investigate
|
||||
# '/sbin/unix_chkpwd',
|
||||
# '/sbin/pam_extrausers_chkpwd',
|
||||
# '/usr/lib/x86_64-linux-gnu/utempter/utempter',
|
||||
# '/usr/sbin/postdrop',
|
||||
# '/usr/sbin/postqueue',
|
||||
# '/usr/bin/ssh-agent',
|
||||
# '/usr/bin/mlocate',
|
||||
# '/usr/bin/crontab',
|
||||
# '/usr/bin/screen',
|
||||
# '/usr/bin/expiry',
|
||||
# '/usr/bin/wall',
|
||||
# '/usr/bin/chage',
|
||||
# '/usr/bin/bsd-write'
|
||||
],
|
||||
description: 'blacklist of suid/sgid program on system'
|
||||
)
|
||||
|
||||
control 'os-01' do
|
||||
impact 1.0
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue