Fixes #86 by deferring the permission check from profile initialisation to profile execution

Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
This commit is contained in:
Christoph Hartmann 2017-11-19 11:48:07 +01:00
parent 83d031e08b
commit 3d77a3a8d7
3 changed files with 86 additions and 46 deletions


@ -20,55 +20,17 @@
log_dir_group = 'root' log_dir_group = 'root'
log_dir_group = 'syslog' if os.name == 'ubuntu' && os[:release].to_i >= 14 log_dir_group = 'syslog' if os.name == 'ubuntu' && os[:release].to_i >= 14
login_defs_umask = attribute('login_defs_umask', default: os.redhat? ? '077' : '027', description: 'Default umask to set in login.defs') login_defs_umask = attribute('login_defs_umask', default: os.redhat? ? '077' : '027', description: 'Default umask to set in login.defs')
login_defs_passmaxdays = attribute('login_defs_passmaxdays', default: '60', description: 'Default password maxdays to set in login.defs') login_defs_passmaxdays = attribute('login_defs_passmaxdays', default: '60', description: 'Default password maxdays to set in login.defs')
login_defs_passmindays = attribute('login_defs_passmindays', default: '7', description: 'Default password mindays to set in login.defs') login_defs_passmindays = attribute('login_defs_passmindays', default: '7', description: 'Default password mindays to set in login.defs')
login_defs_passwarnage = attribute('login_defs_passwarnage', default: '7', description: 'Default password warnage (days) to set in login.defs') login_defs_passwarnage = attribute('login_defs_passwarnage', default: '7', description: 'Default password warnage (days) to set in login.defs')
shadow_group = 'root' shadow_group = 'root'
shadow_group = 'shadow' if os.debian? || os.suse? shadow_group = 'shadow' if os.debian? || os.suse?
blacklist = attribute( blacklist = attribute(
'blacklist', 'blacklist',
default: [ default: suid_blacklist.default,
# blacklist as provided by NSA
'/usr/bin/rcp', '/usr/bin/rlogin', '/usr/bin/rsh',
# sshd must not use host-based authentication (see ssh cookbook)
'/usr/libexec/openssh/ssh-keysign',
'/usr/lib/openssh/ssh-keysign',
# misc others
'/sbin/netreport', # not normally required for user
'/usr/sbin/usernetctl', # modify interfaces via functional accounts
# connecting to ...
'/usr/sbin/userisdnctl', # no isdn...
'/usr/sbin/pppd', # no ppp / dsl ...
# lockfile
'/usr/bin/lockfile',
'/usr/bin/mail-lock',
'/usr/bin/mail-unlock',
'/usr/bin/mail-touchlock',
'/usr/bin/dotlockfile',
# need more investigation, blacklist for now
'/usr/bin/arping',
'/usr/sbin/arping',
'/usr/sbin/uuidd',
'/usr/bin/mtr', # investigate current state...
'/usr/lib/evolution/camel-lock-helper-1.2', # investigate current state...
'/usr/lib/pt_chown', # pseudo-tty, needed?
'/usr/lib/eject/dmcrypt-get-device',
'/usr/lib/mc/cons.saver' # midnight commander screensaver
# from Ubuntu xenial, need to investigate
# '/sbin/unix_chkpwd',
# '/sbin/pam_extrausers_chkpwd',
# '/usr/lib/x86_64-linux-gnu/utempter/utempter',
# '/usr/sbin/postdrop',
# '/usr/sbin/postqueue',
# '/usr/bin/ssh-agent',
# '/usr/bin/mlocate',
# '/usr/bin/crontab',
# '/usr/bin/screen',
# '/usr/bin/expiry',
# '/usr/bin/wall',
# '/usr/bin/chage',
# '/usr/bin/bsd-write'
],
description: 'blacklist of suid/sgid program on system' description: 'blacklist of suid/sgid program on system'
) )
@ -193,10 +155,8 @@ control 'os-06' do
title 'Check for SUID/ SGID blacklist' title 'Check for SUID/ SGID blacklist'
desc 'Find blacklisted SUID and SGID files to ensure that no rogue SUID and SGID files have been introduced into the system' desc 'Find blacklisted SUID and SGID files to ensure that no rogue SUID and SGID files have been introduced into the system'
output = command('find / -perm -4000 -o -perm -2000 -type f ! -path \'/proc/*\' ! -path \'/var/lib/lxd/containers/*\' -print 2>/dev/null | grep -v \'^find:\'') describe suid_check(blacklist) do
diff = output.stdout.split(/\r?\n/) & blacklist its('diff') { should be_empty }
describe diff do
it { should be_empty }
end end
end end
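Review bot: `suid_check(blacklist)` hands the attribute value to the resource unchanged, and since `attribute` defaults can be overridden from user-supplied attribute files, a scalar string there would reach `permissions & @blacklist` inside the resource and raise TypeError instead of producing a failing control. Coercing at the boundary, `describe suid_check(Array(blacklist)) do`, keeps the override path robust without changing the default behaviour. The `suid_check` resource itself is defined in libraries/suid_check.rb in this same commit, and `control 'os-06'` opens before this hunk.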


@ -0,0 +1,53 @@
# encoding: utf-8
# author: Christoph Hartmann
class SUIDBlacklist < Inspec.resource(1)
name 'suid_blacklist'
desc 'The suid_blacklist resoruce returns the default suid blacklist'
def default
[
# blacklist as provided by NSA
'/usr/bin/rcp', '/usr/bin/rlogin', '/usr/bin/rsh',
# sshd must not use host-based authentication (see ssh cookbook)
'/usr/libexec/openssh/ssh-keysign',
'/usr/lib/openssh/ssh-keysign',
# misc others
'/sbin/netreport', # not normally required for user
'/usr/sbin/usernetctl', # modify interfaces via functional accounts
# connecting to ...
'/usr/sbin/userisdnctl', # no isdn...
'/usr/sbin/pppd', # no ppp / dsl ...
# lockfile
'/usr/bin/lockfile',
'/usr/bin/mail-lock',
'/usr/bin/mail-unlock',
'/usr/bin/mail-touchlock',
'/usr/bin/dotlockfile',
# need more investigation, blacklist for now
'/usr/bin/arping',
'/usr/sbin/arping',
'/usr/sbin/uuidd',
'/usr/bin/mtr', # investigate current state...
'/usr/lib/evolution/camel-lock-helper-1.2', # investigate current state...
'/usr/lib/pt_chown', # pseudo-tty, needed?
'/usr/lib/eject/dmcrypt-get-device',
'/usr/lib/mc/cons.saver' # midnight commander screensaver
# from Ubuntu xenial, need to investigate
# '/sbin/unix_chkpwd',
# '/sbin/pam_extrausers_chkpwd',
# '/usr/lib/x86_64-linux-gnu/utempter/utempter',
# '/usr/sbin/postdrop',
# '/usr/sbin/postqueue',
# '/usr/bin/ssh-agent',
# '/usr/bin/mlocate',
# '/usr/bin/crontab',
# '/usr/bin/screen',
# '/usr/bin/expiry',
# '/usr/bin/wall',
# '/usr/bin/chage',
# '/usr/bin/bsd-write'
]
end
end
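Review bot: The `desc` string misspells "resource" as `resoruce`; it should read `desc 'The suid_blacklist resource returns the default suid blacklist'`. `default` also rebuilds the same literal array on every call even though callers only read it; a frozen constant (`BLACKLIST = [...].freeze`) returned by `default` avoids the reallocation and protects the shared default from accidental mutation by a caller. Note that the last active entry `'/usr/lib/mc/cons.saver'` has no trailing comma, so uncommenting any of the xenial entries below it will be a syntax error until one is added.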

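--- /dev/null
+++ b/libraries/suid_check.rb
@@ -0,0 +1,27 @@
+# encoding: utf-8
+# author: Christoph Hartmann
+class SUIDCheck < Inspec.resource(1)
+name 'suid_check'
+desc 'Use the suid_check resource to verify the current SUID/SGID against a blacklist'
+example "
+describe suid_check(blacklist) do
+its('diff') { should be_empty }
+end
+"
+def initialize(blacklist = nil)
+blacklist = default if blacklist.nil?
+@blacklist = blacklist
+end
+def permissions
+output = inspec.command('find / -perm -4000 -o -perm -2000 -type f ! -path \'/proc/*\' ! -path \'/var/lib/lxd/containers/*\' -print 2>/dev/null | grep -v \'^find:\'')
+output.stdout.split(/\r?\n/)
+end
+def diff
+permissions & @blacklist
+end
+end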
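Review bot: `initialize` falls back to `default` when no blacklist is given, but `SUIDCheck` defines no `default` method — that name lives on the `suid_blacklist` resource added in this commit — so `suid_check` called without an argument raises NameError unless the InSpec resource base class happens to supply one. Following the pattern already used for `inspec.command`, the fallback would be `blacklist = inspec.suid_blacklist.default if blacklist.nil?`. Separately, the `find` expression in `permissions` is parsed as `-perm -4000 -o (-perm -2000 -type f ! -path …)`, so `-type f` and the path exclusions apply only to the SGID branch; grouping the permission tests, `find / \( -perm -4000 -o -perm -2000 \) -type f ! -path '/proc/*' ! -path '/var/lib/lxd/containers/*' -print 2>/dev/null`, applies them to both. With stderr already sent to /dev/null the trailing `grep -v '^find:'` filters nothing and can be dropped.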