Mirrors/linux-baseline
2
0
Fork 0
mirror of https://github.com/dev-sec/linux-baseline synced 2024-11-22 19:23:02 +00:00
Code Issues Projects Releases Packages Wiki Activity

Fixes #86 by deferring the execution of permissions to profile execution instead of profile initialisation

Browse source 
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
This commit is contained in:
Christoph Hartmann 2017-11-19 11:48:07 +01:00
parent 83d031e08b
commit 3d77a3a8d7
3 changed files with 86 additions and 46 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

52
controls/os_spec.rb
View file

@ -20,55 +20,17 @@
log_dir_group = 'root'
log_dir_group = 'syslog' if os.name == 'ubuntu' && os[:release].to_i >= 14
login_defs_umask = attribute('login_defs_umask', default: os.redhat? ? '077' : '027', description: 'Default umask to set in login.defs')
login_defs_passmaxdays = attribute('login_defs_passmaxdays', default: '60', description: 'Default password maxdays to set in login.defs')
login_defs_passmindays = attribute('login_defs_passmindays', default: '7', description: 'Default password mindays to set in login.defs')
login_defs_passwarnage = attribute('login_defs_passwarnage', default: '7', description: 'Default password warnage (days) to set in login.defs')
shadow_group = 'root'
shadow_group = 'shadow' if os.debian? || os.suse?
blacklist = attribute(
'blacklist',
default: [
# blacklist as provided by NSA
'/usr/bin/rcp', '/usr/bin/rlogin', '/usr/bin/rsh',
# sshd must not use host-based authentication (see ssh cookbook)
'/usr/libexec/openssh/ssh-keysign',
'/usr/lib/openssh/ssh-keysign',
# misc others
'/sbin/netreport', # not normally required for user
'/usr/sbin/usernetctl', # modify interfaces via functional accounts
# connecting to ...
'/usr/sbin/userisdnctl', # no isdn...
'/usr/sbin/pppd', # no ppp / dsl ...
# lockfile
'/usr/bin/lockfile',
'/usr/bin/mail-lock',
'/usr/bin/mail-unlock',
'/usr/bin/mail-touchlock',
'/usr/bin/dotlockfile',
# need more investigation, blacklist for now
'/usr/bin/arping',
'/usr/sbin/arping',
'/usr/sbin/uuidd',
'/usr/bin/mtr', # investigate current state...
'/usr/lib/evolution/camel-lock-helper-1.2', # investigate current state...
'/usr/lib/pt_chown', # pseudo-tty, needed?
'/usr/lib/eject/dmcrypt-get-device',
'/usr/lib/mc/cons.saver' # midnight commander screensaver
# from Ubuntu xenial, need to investigate
# '/sbin/unix_chkpwd',
# '/sbin/pam_extrausers_chkpwd',
# '/usr/lib/x86_64-linux-gnu/utempter/utempter',
# '/usr/sbin/postdrop',
# '/usr/sbin/postqueue',
# '/usr/bin/ssh-agent',
# '/usr/bin/mlocate',
# '/usr/bin/crontab',
# '/usr/bin/screen',
# '/usr/bin/expiry',
# '/usr/bin/wall',
# '/usr/bin/chage',
# '/usr/bin/bsd-write'
],
default: suid_blacklist.default,
description: 'blacklist of suid/sgid program on system'
)
@ -193,10 +155,8 @@ control 'os-06' do
title 'Check for SUID/ SGID blacklist'
desc 'Find blacklisted SUID and SGID files to ensure that no rogue SUID and SGID files have been introduced into the system'
output = command('find / -perm -4000 -o -perm -2000 -type f ! -path \'/proc/*\' ! -path \'/var/lib/lxd/containers/*\' -print 2>/dev/null | grep -v \'^find:\'')
diff = output.stdout.split(/\r?\n/) & blacklist
describe diff do
it { should be_empty }
describe suid_check(blacklist) do
its('diff') { should be_empty }
end
end

53
libraries/suid_blacklist.rb Normal file
View file

@ -0,0 +1,53 @@
# encoding: utf-8
# author: Christoph Hartmann
class SUIDBlacklist < Inspec.resource(1)
name 'suid_blacklist'
desc 'The suid_blacklist resoruce returns the default suid blacklist'
def default
[
# blacklist as provided by NSA
'/usr/bin/rcp', '/usr/bin/rlogin', '/usr/bin/rsh',
# sshd must not use host-based authentication (see ssh cookbook)
'/usr/libexec/openssh/ssh-keysign',
'/usr/lib/openssh/ssh-keysign',
# misc others
'/sbin/netreport', # not normally required for user
'/usr/sbin/usernetctl', # modify interfaces via functional accounts
# connecting to ...
'/usr/sbin/userisdnctl', # no isdn...
'/usr/sbin/pppd', # no ppp / dsl ...
# lockfile
'/usr/bin/lockfile',
'/usr/bin/mail-lock',
'/usr/bin/mail-unlock',
'/usr/bin/mail-touchlock',
'/usr/bin/dotlockfile',
# need more investigation, blacklist for now
'/usr/bin/arping',
'/usr/sbin/arping',
'/usr/sbin/uuidd',
'/usr/bin/mtr', # investigate current state...
'/usr/lib/evolution/camel-lock-helper-1.2', # investigate current state...
'/usr/lib/pt_chown', # pseudo-tty, needed?
'/usr/lib/eject/dmcrypt-get-device',
'/usr/lib/mc/cons.saver' # midnight commander screensaver
# from Ubuntu xenial, need to investigate
# '/sbin/unix_chkpwd',
# '/sbin/pam_extrausers_chkpwd',
# '/usr/lib/x86_64-linux-gnu/utempter/utempter',
# '/usr/sbin/postdrop',
# '/usr/sbin/postqueue',
# '/usr/bin/ssh-agent',
# '/usr/bin/mlocate',
# '/usr/bin/crontab',
# '/usr/bin/screen',
# '/usr/bin/expiry',
# '/usr/bin/wall',
# '/usr/bin/chage',
# '/usr/bin/bsd-write'
]
end
end

27
libraries/suid_check.rb Normal file
View file

@ -0,0 +1,27 @@
# encoding: utf-8
# author: Christoph Hartmann
class SUIDCheck < Inspec.resource(1)
name 'suid_check'
desc 'Use the suid_check resource to verify the current SUID/SGID against a blacklist'
example "
describe suid_check(blacklist) do
its('diff') { should be_empty }
end
"
def initialize(blacklist = nil)
blacklist = default if blacklist.nil?
@blacklist = blacklist
end
def permissions
output = inspec.command('find / -perm -4000 -o -perm -2000 -type f ! -path \'/proc/*\' ! -path \'/var/lib/lxd/containers/*\' -print 2>/dev/null | grep -v \'^find:\'')
output.stdout.split(/\r?\n/)
end
def diff
permissions & @blacklist
end
end