From b5429ffbd521cd577ac81438f7397602ebc1a8f9 Mon Sep 17 00:00:00 2001 From: Christoph Hartmann Date: Wed, 21 Dec 2016 11:40:56 +0100 Subject: [PATCH] update profile metadata & tooling --- .rubocop.yml | 7 +++-- .travis.yml | 6 ++-- CHANGELOG.md | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++-- Gemfile | 13 ++------- Rakefile | 16 +++++++++++ inspec.yml | 6 ++-- 6 files changed, 107 insertions(+), 22 deletions(-) diff --git a/.rubocop.yml b/.rubocop.yml index 18a5eec..27c17f3 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -4,12 +4,11 @@ AllCops: - vendor/**/* - "*/puppet/Puppetfile" - "*/puppet/.tmp/**/*" + TargetRubyVersion: 1.9 Documentation: Enabled: false AlignParameters: Enabled: true -Encoding: - Enabled: true HashSyntax: Enabled: true LineLength: @@ -20,9 +19,11 @@ MethodLength: Max: 40 NumericLiterals: MinDigits: 10 +Metrics/BlockLength: + Max: 35 Metrics/CyclomaticComplexity: Max: 10 Metrics/PerceivedComplexity: Max: 10 Metrics/AbcSize: - Max: 29 + Max: 30 diff --git a/.travis.yml b/.travis.yml index 01d24dc..07f842f 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,9 +3,9 @@ language: ruby cache: bundler rvm: - - 1.9.3 - - 2.0.0 - - 2.2.0 + - 2.0 + - 2.2 + - 2.3.1 bundler_args: --without integration script: bundle exec rake diff --git a/CHANGELOG.md b/CHANGELOG.md index cb69896..8cb8b24 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
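Review bot: `TargetRubyVersion: 1.9` is added to .rubocop.yml while the same commit drops Ruby 1.9.3 from the .travis.yml rvm matrix and removes the 1.9.3 net-ssh pin from the Gemfile, so RuboCop is asked to target a Ruby the project no longer tests or supports. The lowest version left in the CI matrix is 2.0, so `  TargetRubyVersion: 2.0` would keep the lint target in step with CI; whether RuboCop 0.44 still accepts 1.9 as a target I have not verified. The Encoding cop removal is consistent with dropping the `# encoding: utf-8` magic comment from the Gemfile in this commit.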
@@ -1,5 +1,80 @@ -# Changelog +# Change Log -## 1.0.0 +## [2.0.1](https://github.com/dev-sec/linux-baseline/tree/2.0.1) (2016-12-21) +[Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.0.0...2.0.1) -* initial release with Deutsche Telekom compliance merged with many improvements on top +**Closed issues:** + +- permissions /etc/shadow [\#41](https://github.com/dev-sec/linux-baseline/issues/41) +- False positives in control os-06 [\#40](https://github.com/dev-sec/linux-baseline/issues/40) + +**Merged pull requests:** + +- update Gemfile [\#43](https://github.com/dev-sec/linux-baseline/pull/43) ([atomic111](https://github.com/atomic111)) +- Update links in README file [\#42](https://github.com/dev-sec/linux-baseline/pull/42) ([netflash](https://github.com/netflash)) +- Fix cpu flags and change default for net.ipv4.conf.all.log\_martians [\#39](https://github.com/dev-sec/linux-baseline/pull/39) ([chris-rock](https://github.com/chris-rock)) + +## [2.0.0](https://github.com/dev-sec/linux-baseline/tree/2.0.0) (2016-04-29) +[Full Changelog](https://github.com/dev-sec/linux-baseline/compare/1.3.0...2.0.0) + +**Merged pull requests:** + +- inspec profile [\#38](https://github.com/dev-sec/linux-baseline/pull/38) ([chris-rock](https://github.com/chris-rock)) + +## [1.3.0](https://github.com/dev-sec/linux-baseline/tree/1.3.0) (2016-04-25) +[Full Changelog](https://github.com/dev-sec/linux-baseline/compare/1.1.0...1.3.0) + +**Fixed bugs:** + +- update identifier [\#37](https://github.com/dev-sec/linux-baseline/pull/37) ([chris-rock](https://github.com/chris-rock)) + +**Merged pull requests:** + +- prevent nil in flags [\#36](https://github.com/dev-sec/linux-baseline/pull/36) ([arlimus](https://github.com/arlimus)) +- removed serverspec support and created all inspec tests [\#35](https://github.com/dev-sec/linux-baseline/pull/35) ([atomic111](https://github.com/atomic111)) + +## [1.1.0](https://github.com/dev-sec/linux-baseline/tree/1.1.0) (2015-10-15) +[Full 
Changelog](https://github.com/dev-sec/linux-baseline/compare/1.0.0...1.1.0) + +**Merged pull requests:** + +- Remove whitespace [\#34](https://github.com/dev-sec/linux-baseline/pull/34) ([rndmh3ro](https://github.com/rndmh3ro)) +- Improve Ansible tests [\#33](https://github.com/dev-sec/linux-baseline/pull/33) ([rndmh3ro](https://github.com/rndmh3ro)) +- Fix typos [\#31](https://github.com/dev-sec/linux-baseline/pull/31) ([rndmh3ro](https://github.com/rndmh3ro)) +- update urls [\#30](https://github.com/dev-sec/linux-baseline/pull/30) ([chris-rock](https://github.com/chris-rock)) +- bugfix: add missing: ipv6 accept\_ra = 0 [\#29](https://github.com/dev-sec/linux-baseline/pull/29) ([arlimus](https://github.com/arlimus)) +- Ansible support [\#28](https://github.com/dev-sec/linux-baseline/pull/28) ([rndmh3ro](https://github.com/rndmh3ro)) +- add json format option [\#26](https://github.com/dev-sec/linux-baseline/pull/26) ([atomic111](https://github.com/atomic111)) +- Update common [\#25](https://github.com/dev-sec/linux-baseline/pull/25) ([arlimus](https://github.com/arlimus)) +- feature: add schroot to suid/sgid whitelist [\#24](https://github.com/dev-sec/linux-baseline/pull/24) ([arlimus](https://github.com/arlimus)) +- Update common [\#23](https://github.com/dev-sec/linux-baseline/pull/23) ([arlimus](https://github.com/arlimus)) +- updating common files [\#22](https://github.com/dev-sec/linux-baseline/pull/22) ([arlimus](https://github.com/arlimus)) +- changed GIS to DTAG SEC [\#21](https://github.com/dev-sec/linux-baseline/pull/21) ([atomic111](https://github.com/atomic111)) +- bugfix: lint error [\#20](https://github.com/dev-sec/linux-baseline/pull/20) ([chris-rock](https://github.com/chris-rock)) + +## [1.0.0](https://github.com/dev-sec/linux-baseline/tree/1.0.0) (2014-08-13) +**Merged pull requests:** + +- Lockdown mode [\#19](https://github.com/dev-sec/linux-baseline/pull/19) ([arlimus](https://github.com/arlimus)) +- split sysctl\_spec.rb, added suid whitliste 
and uid unique search [\#18](https://github.com/dev-sec/linux-baseline/pull/18) ([atomic111](https://github.com/atomic111)) +- added additional test [\#17](https://github.com/dev-sec/linux-baseline/pull/17) ([atomic111](https://github.com/atomic111)) +- add travis config, add default task to rakefile [\#16](https://github.com/dev-sec/linux-baseline/pull/16) ([ehaselwanter](https://github.com/ehaselwanter)) +- update rubocop, add common linter task, fix rubocop issues [\#15](https://github.com/dev-sec/linux-baseline/pull/15) ([ehaselwanter](https://github.com/ehaselwanter)) +- fix exec-shield test [\#14](https://github.com/dev-sec/linux-baseline/pull/14) ([chris-rock](https://github.com/chris-rock)) +- add lint rake task with robocop and fix issues [\#13](https://github.com/dev-sec/linux-baseline/pull/13) ([chris-rock](https://github.com/chris-rock)) +- added Telekom Security Requirement numbers to the corresponding kitchen test [\#12](https://github.com/dev-sec/linux-baseline/pull/12) ([atomic111](https://github.com/atomic111)) +- add ruby gem source [\#11](https://github.com/dev-sec/linux-baseline/pull/11) ([chris-rock](https://github.com/chris-rock)) +- add standalone usage feature [\#10](https://github.com/dev-sec/linux-baseline/pull/10) ([ehaselwanter](https://github.com/ehaselwanter)) +- serverspec has a contract on running commands remote. 
this fixes the local [\#9](https://github.com/dev-sec/linux-baseline/pull/9) ([ehaselwanter](https://github.com/ehaselwanter)) +- add lockfiles and delete them from tree [\#8](https://github.com/dev-sec/linux-baseline/pull/8) ([ehaselwanter](https://github.com/ehaselwanter)) +- rubocop fixes [\#7](https://github.com/dev-sec/linux-baseline/pull/7) ([ehaselwanter](https://github.com/ehaselwanter)) +- moved site.pp to the shared test, were it belongs [\#6](https://github.com/dev-sec/linux-baseline/pull/6) ([ehaselwanter](https://github.com/ehaselwanter)) +- bugfix: arp restrictions should apply to all, not just eth0 [\#5](https://github.com/dev-sec/linux-baseline/pull/5) ([arlimus](https://github.com/arlimus)) +- one folder level up [\#4](https://github.com/dev-sec/linux-baseline/pull/4) ([ehaselwanter](https://github.com/ehaselwanter)) +- Fix: change value of log\_martians to the cookbook default [\#3](https://github.com/dev-sec/linux-baseline/pull/3) ([atomic111](https://github.com/atomic111)) +- discard one level to be able to use the defaults in test-kitchen by just [\#2](https://github.com/dev-sec/linux-baseline/pull/2) ([ehaselwanter](https://github.com/ehaselwanter)) +- added tests from chef-os-hardening [\#1](https://github.com/dev-sec/linux-baseline/pull/1) ([ehaselwanter](https://github.com/ehaselwanter)) + + + +\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* \ No newline at end of file diff --git a/Gemfile b/Gemfile index 587005b..fc82503 100644 --- a/Gemfile +++ b/Gemfile 
@@ -1,16 +1,9 @@
-# encoding: utf-8
-
 source 'https://rubygems.org'
 
-# pin dependency for Ruby 1.9.3 since bundler is not
-# detecting that net-ssh 3 does not work with 1.9.3
-if Gem::Version.new(RUBY_VERSION) <= Gem::Version.new('1.9.3')
- gem 'net-ssh', '~> 2.9'
-end
-
 gem 'rake'
-gem 'inspec', '~> 0'
-gem 'rubocop', '~> 0.36.0'
+gem 'rack', '1.6.4'
+gem 'inspec', '~> 1'
+gem 'rubocop', '~> 0.44.0'
 gem 'highline', '~> 1.6.0'
 
 group :tools do
diff --git a/Rakefile b/Rakefile
index 40d79a8..3b2f68c 100644
--- a/Rakefile
+++ b/Rakefile
@@ -24,3 +24,19 @@ namespace :test do
 sh("bundle exec inspec check #{dir}")
 end
 end
+
+# Automatically generate a changelog for this project. Only loaded if
+# the necessary gem is installed. By default its picking up the version from
+# inspec.yml. You can override that behavior with s`rake changelog to=1.2.0`
+begin
+ require 'yaml'
+ metadata = YAML.load_file('inspec.yml')
+ v = ENV['to'] || metadata['version']
+ puts "Generate changelog for version #{v}"
+ require 'github_changelog_generator/task'
+ GitHubChangelogGenerator::RakeTask.new :changelog do |config|
+ config.future_release = v
+ end
+rescue LoadError
+ puts '>>>>> GitHub Changelog Generator not loaded, omitting tasks'
+end
diff --git a/inspec.yml b/inspec.yml
index 82e09cd..b9c3b3f 100644
--- a/inspec.yml
+++ b/inspec.yml
@@ -1,10 +1,10 @@
-name: os-hardening
-title: Hardening Framework OS Hardening Test Suite
+name: linux-baseline
+title: DevSec Linux Security Baseline
 maintainer: Hardening Framework Team
 copyright: Hardening Framework Team
 copyright_email: hello@hardening.io
 license: Apache 2 license
 summary: Test-suite for best-preactice os hardening
-version: 1.0.0
+version: 2.0.1
 supports:
 - os-family: linux
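Review bot: `gem 'rack', '1.6.4'` pins rack to an exact release with no comment saying why, so `bundle update` will never pick up later patch releases on the 1.6 line, including security fixes, and the next maintainer has no way to tell whether the pin can be lifted. If the pin exists to keep the bundle resolvable on Ruby 2.0, say so in a comment and use a pessimistic constraint, `gem 'rack', '~> 1.6.4'`, so patch releases still flow; if nothing in this profile requires rack directly, drop the line instead. The other constraints in the hunk (`inspec ~> 1`, `rubocop ~> 0.44.0`) already follow that pattern.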
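Review bot: The YAML read and the `puts "Generate changelog for version #{v}"` in the new `begin` block run at Rakefile load time, before `require 'github_changelog_generator/task'`, so every `rake` invocation prints that line even when the changelog task is not the target, and a missing or malformed inspec.yml raises Errno::ENOENT or Psych::SyntaxError, which `rescue LoadError` does not catch, breaking every task. Moving `require 'github_changelog_generator/task'` to the first line of the `begin` block means nothing is read or printed when the gem is absent, and dropping the `puts` (or moving it into the task's description) keeps unrelated rake runs quiet. Since inspec.yml only needs plain scalars, `metadata = YAML.safe_load(File.read('inspec.yml'))` is the conservative parser choice over `YAML.load_file`, which can instantiate arbitrary Ruby objects from tagged nodes. The comment has two typos worth fixing while here: "its picking up" should read "it picks up", and the `s` immediately before the backticked `rake changelog to=1.2.0` is stray.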