From e62cb3f0ef9ce46ca82f22b0ff5f0ff0a37f8083 Mon Sep 17 00:00:00 2001
From: juju4
Date: Thu, 22 Dec 2016 04:27:09 -0500
Subject: [PATCH] fix rubocop Conventions
---
 controls/os_spec.rb | 84 ++++++++++++++++++++---------------------
 controls/sysctl_spec.rb | 8 ++--
 2 files changed, 45 insertions(+), 47 deletions(-)
diff --git a/controls/os_spec.rb b/controls/os_spec.rb
index 1a2ce41..3ed4e3a 100644
--- a/controls/os_spec.rb
+++ b/controls/os_spec.rb
@@ -27,49 +27,47 @@ elsif os.debian?
 shadow_group = 'shadow'
 end
 blacklist = attribute('blacklist', default: [
- # blacklist as provided by NSA
- '/usr/bin/rcp', '/usr/bin/rlogin', '/usr/bin/rsh',
- # sshd must not use host-based authentication (see ssh cookbook)
- '/usr/libexec/openssh/ssh-keysign',
- '/usr/lib/openssh/ssh-keysign',
- # misc others
- '/sbin/netreport', # not normally required for user
- '/usr/sbin/usernetctl', # modify interfaces via functional accounts
- # connecting to ...
- '/usr/sbin/userisdnctl', # no isdn...
- '/usr/sbin/pppd', # no ppp / dsl ...
- # lockfile
- '/usr/bin/lockfile',
- '/usr/bin/mail-lock',
- '/usr/bin/mail-unlock',
- '/usr/bin/mail-touchlock',
- '/usr/bin/dotlockfile',
- # need more investigation, blacklist for now
- '/usr/bin/arping',
- '/usr/sbin/arping',
- '/usr/sbin/uuidd',
- '/usr/bin/mtr', # investigate current state...
- '/usr/lib/evolution/camel-lock-helper-1.2', # investigate current state...
- '/usr/lib/pt_chown', # pseudo-tty, needed?
- '/usr/lib/eject/dmcrypt-get-device',
- '/usr/lib/mc/cons.saver', # midnight commander screensaver
- # from Ubuntu xenial, need to investigate
- # '/sbin/unix_chkpwd',
- # '/sbin/pam_extrausers_chkpwd',
- # '/usr/lib/x86_64-linux-gnu/utempter/utempter',
- # '/usr/sbin/postdrop',
- # '/usr/sbin/postqueue',
- # '/usr/bin/ssh-agent',
- # '/usr/bin/mlocate',
- # '/usr/bin/crontab',
- # '/usr/bin/screen',
- # '/usr/bin/expiry',
- # '/usr/bin/wall',
- # '/usr/bin/chage',
- # '/usr/bin/bsd-write',
- ],
- description: 'blacklist of suid/sgid program on system')
-
+ # blacklist as provided by NSA
+ '/usr/bin/rcp', '/usr/bin/rlogin', '/usr/bin/rsh',
+ # sshd must not use host-based authentication (see ssh cookbook)
+ '/usr/libexec/openssh/ssh-keysign',
+ '/usr/lib/openssh/ssh-keysign',
+ # misc others
+ '/sbin/netreport', # not normally required for user
+ '/usr/sbin/usernetctl', # modify interfaces via functional accounts
+ # connecting to ...
+ '/usr/sbin/userisdnctl', # no isdn...
+ '/usr/sbin/pppd', # no ppp / dsl ...
+ # lockfile
+ '/usr/bin/lockfile',
+ '/usr/bin/mail-lock',
+ '/usr/bin/mail-unlock',
+ '/usr/bin/mail-touchlock',
+ '/usr/bin/dotlockfile',
+ # need more investigation, blacklist for now
+ '/usr/bin/arping',
+ '/usr/sbin/arping',
+ '/usr/sbin/uuidd',
+ '/usr/bin/mtr', # investigate current state...
+ '/usr/lib/evolution/camel-lock-helper-1.2', # investigate current state...
+ '/usr/lib/pt_chown', # pseudo-tty, needed?
+ '/usr/lib/eject/dmcrypt-get-device',
+ '/usr/lib/mc/cons.saver', # midnight commander screensaver
+ # from Ubuntu xenial, need to investigate
+ # '/sbin/unix_chkpwd',
+ # '/sbin/pam_extrausers_chkpwd',
+ # '/usr/lib/x86_64-linux-gnu/utempter/utempter',
+ # '/usr/sbin/postdrop',
+ # '/usr/sbin/postqueue',
+ # '/usr/bin/ssh-agent',
+ # '/usr/bin/mlocate',
+ # '/usr/bin/crontab',
+ # '/usr/bin/screen',
+ # '/usr/bin/expiry',
+ # '/usr/bin/wall',
+ # '/usr/bin/chage',
+ # '/usr/bin/bsd-write',
+ ], description: 'blacklist of suid/sgid program on system')
 control 'os-01' do
 impact 1.0
diff --git a/controls/sysctl_spec.rb b/controls/sysctl_spec.rb
index 0a3c10f..3e917b3 100644
--- a/controls/sysctl_spec.rb
+++ b/controls/sysctl_spec.rb
@@ -329,10 +329,10 @@ control 'sysctl-31' do
 # its(:value) { should match /0|2/ }
 its(:value) { should eq 2 }
 end
- # unless kernel_parameter('fs.suid_dumpable') == 2
- # describe kernel_parameter('fs.suid_dumpable') do
- # its(:value) { should eq 2 }
- # end
+ # unless kernel_parameter('fs.suid_dumpable') == 2
+ # describe kernel_parameter('fs.suid_dumpable') do
+ # its(:value) { should eq 2 }
+ # end
 describe kernel_parameter('kernel.core_pattern') do
 its(:value) { should match %r{^/.*} }
 end