use attributes, include PR feedback
This commit is contained in:
parent
e7b6c36edb
commit
cdcc9f7721
3 changed files with 41 additions and 45 deletions
|
@ -18,25 +18,14 @@
|
|||
# author: Dominik Richter
|
||||
# author: Patrick Muench
|
||||
|
||||
if ENV['login_defs_umask']
|
||||
login_defs_umask = ENV['login_defs_umask']
|
||||
else
|
||||
login_defs_umask = '027'
|
||||
end
|
||||
if ENV['login_defs_passmaxdays']
|
||||
login_defs_passmaxdays = ENV['login_defs_passmaxdays']
|
||||
else
|
||||
login_defs_passmaxdays = 60
|
||||
end
|
||||
if ENV['login_defs_passmindays']
|
||||
login_defs_passmindays = ENV['login_defs_passmindays']
|
||||
else
|
||||
login_defs_passmindays = 7
|
||||
end
|
||||
if ENV['login_defs_passwarnage']
|
||||
login_defs_passwarnage = ENV['login_defs_passwarnage']
|
||||
else
|
||||
login_defs_passwarnage = 7
|
||||
login_defs_umask = attribute('login_defs_umask', default: '027', description: 'Default umask to set in login.defs')
|
||||
login_defs_passmaxdays = attribute('login_defs_passmaxdays', default: '60', description: 'Default password maxdays to set in login.defs')
|
||||
login_defs_passmindays = attribute('login_defs_passmindays', default: '7', description: 'Default password mindays to set in login.defs')
|
||||
login_defs_passwarnage = attribute('login_defs_passwarnage', default: '7', description: 'Default password warnage (days) to set in login.defs')
|
||||
if os.redhat?
|
||||
shadow_group = 'root'
|
||||
elsif os.debian?
|
||||
shadow_group = 'shadow'
|
||||
end
|
||||
|
||||
control 'os-01' do
|
||||
|
@ -59,18 +48,20 @@ control 'os-02' do
|
|||
it { should exist }
|
||||
it { should be_file }
|
||||
it { should be_owned_by 'root' }
|
||||
its('group') { should eq shadow_group }
|
||||
it { should_not be_executable }
|
||||
it { should be_writable.by('owner') }
|
||||
it { should be_readable.by('owner') }
|
||||
it { should_not be_readable.by('other') }
|
||||
end
|
||||
describe file('/etc/shadow'), :if => os.family == 'redhat' do
|
||||
its('group') { should eq 'root' }
|
||||
it { should_not be_readable.by('group') }
|
||||
end
|
||||
describe file('/etc/shadow'), :if => os.family == 'debian' do
|
||||
its('group') { should eq 'shadow' }
|
||||
it { should be_readable.by('group') }
|
||||
if os.redhat?
|
||||
describe file('/etc/shadow') do
|
||||
it { should_not be_readable.by('group') }
|
||||
end
|
||||
elsif os.debian?
|
||||
describe file('/etc/shadow') do
|
||||
it { should be_readable.by('group') }
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -117,8 +108,10 @@ control 'os-05' do
|
|||
it { should be_readable.by('group') }
|
||||
it { should be_readable.by('other') }
|
||||
end
|
||||
describe file('/etc/login.defs'), :if => os.family == 'redhat' do
|
||||
it { should_not be_writable }
|
||||
if os.redhat?
|
||||
describe file('/etc/login.defs') do
|
||||
it { should_not be_writable }
|
||||
end
|
||||
end
|
||||
describe login_defs do
|
||||
its('ENV_SUPATH') { should include('/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin') }
|
||||
|
@ -132,11 +125,13 @@ control 'os-05' do
|
|||
its('UID_MIN') { should eq '1000' }
|
||||
its('GID_MIN') { should eq '1000' }
|
||||
end
|
||||
describe login_defs, :if => os.family == 'redhat' do
|
||||
its('SYS_UID_MIN') { should eq '100' }
|
||||
its('SYS_UID_MAX') { should eq '999' }
|
||||
its('SYS_GID_MIN') { should eq '100' }
|
||||
its('SYS_GID_MAX') { should eq '999' }
|
||||
if os.redhat?
|
||||
describe login_defs do
|
||||
its('SYS_UID_MIN') { should eq '100' }
|
||||
its('SYS_UID_MAX') { should eq '999' }
|
||||
its('SYS_GID_MIN') { should eq '100' }
|
||||
its('SYS_GID_MAX') { should eq '999' }
|
||||
end
|
||||
end
|
||||
# describe login_defs, :if => os.family == 'debian' do
|
||||
## Those are commented on debian/ubuntu
|
||||
|
@ -188,7 +183,6 @@ control 'os-06' do
|
|||
# '/usr/bin/ssh-agent',
|
||||
# '/usr/bin/mlocate',
|
||||
# '/usr/bin/crontab',
|
||||
# '/usr/bin/dotlockfile',
|
||||
# '/usr/bin/screen',
|
||||
# '/usr/bin/expiry',
|
||||
# '/usr/bin/wall',
|
||||
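Review bot: `shadow_group` is only assigned in the `os.redhat?` / `os.debian?` branches, so on any other family (SUSE, Arch, Alpine, …) it stays `nil` and `its('group') { should eq shadow_group }` in control os-02 fails against whatever real group /etc/shadow has, whereas the replaced `:if => os.family == ...` guards simply did not run that expectation there. Either give the variable a fallback (`else shadow_group = 'root'`, presumably right for most remaining distributions but worth confirming per target) or keep the expectation conditional, e.g. `its('group') { should eq shadow_group } unless shadow_group.nil?`. The same gap leaves those families with no group-readability expectation on /etc/shadow at all, since the readable/not-readable checks are likewise limited to the two branches, so a fallback plus a default readability rule would be the safer choice. Control os-02's opening `control` line is outside the hunk.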
|
|
|
@ -18,6 +18,8 @@
|
|||
# author: Dominik Richter
|
||||
# author: Patrick Muench
|
||||
|
||||
val_syslog_pkg = attribute('syslog_pkg', default: 'rsyslog', description: 'syslog package to ensure present (default: rsyslog, alternative: syslog-ng...')
|
||||
|
||||
control 'package-01' do
|
||||
impact 1.0
|
||||
title 'Do not run deprecated inetd or xinetd'
|
||||
|
@ -66,12 +68,11 @@ control 'package-06' do
|
|||
end
|
||||
end
|
||||
|
||||
## can also be syslog-ng...
|
||||
control 'package-07' do
|
||||
impact 1.0
|
||||
title 'Install rsyslog server'
|
||||
title 'Install syslog server package'
|
||||
desc 'Syslog server is required to receive system and applications logs'
|
||||
describe package('rsyslog') do
|
||||
describe package(val_syslog_pkg) do
|
||||
it { should be_installed }
|
||||
end
|
||||
end
|
||||
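Review bot: The `description:` string of the new `syslog_pkg` attribute opens a parenthesis it never closes (`... (default: rsyslog, alternative: syslog-ng...'`), so the help text shown to operators is cut off mid-sentence; `'syslog package to ensure present (default: rsyslog; alternatives such as syslog-ng)'` reads cleanly. With the package name now configurable, package-07's `desc` no longer tells the reader which package is checked, so mention the attribute there, e.g. `desc 'A syslog server (package name set via the syslog_pkg attribute) is required to receive system and application logs'`. Note that, at least within this hunk, the control only asserts the package is installed and says nothing about the service being enabled or running; if that is intentional, a short comment above the `describe` would stop the next reader from re-asking.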
|
|
|
@ -18,18 +18,19 @@
|
|||
# author: Dominik Richter
|
||||
# author: Patrick Muench
|
||||
|
||||
sysctl_forwarding = attribute('sysctl_forwarding', default: false, description: 'Is network forwarding needed?')
|
||||
|
||||
control 'sysctl-01' do
|
||||
impact 1.0
|
||||
title 'IPv4 Forwarding'
|
||||
desc "If you're not intending for your system to forward traffic between interfaces, or if you only have a single interface, the forwarding function must be disable."
|
||||
# unless defined? ENV['sysctl_forwarding']
|
||||
describe kernel_parameter('net.ipv4.ip_forward') do
|
||||
its(:value) { should eq 0 }
|
||||
end
|
||||
describe kernel_parameter('net.ipv4.conf.all.forwarding') do
|
||||
its(:value) { should eq 0 }
|
||||
end
|
||||
# end
|
||||
describe kernel_parameter('net.ipv4.ip_forward') do
|
||||
its(:value) { should eq 0 }
|
||||
end
|
||||
describe kernel_parameter('net.ipv4.conf.all.forwarding') do
|
||||
its(:value) { should eq 0 }
|
||||
end
|
||||
only_if { sysctl_forwarding == false }
|
||||
end
|
||||
|
||||
control 'sysctl-02' do
|
||||
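Review bot: `only_if { sysctl_forwarding == false }` runs the control only when the attribute is exactly the boolean `false`, so if a value ever arrives as the string `'false'` (depends on how attributes are fed to the profile, worth verifying) the whole forwarding check is silently skipped rather than executed. Preferring the fail-closed form, which skips only when forwarding was explicitly requested, avoids that: `only_if { sysctl_forwarding.to_s != 'true' }`. While touching this control, the `desc` still reads "must be disable"; "must be disabled" is the intended wording.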
|
|