Mirrors/linux-baseline
2
0
Fork 0
mirror of https://github.com/dev-sec/linux-baseline synced 2024-11-23 03:33:02 +00:00
Code Issues Projects Releases Packages Wiki Activity

fix rubocop Conventions

Browse source
This commit is contained in:
juju4 2016-12-22 04:27:09 -05:00
parent 4b029d7e99
commit e62cb3f0ef
2 changed files with 45 additions and 47 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

84
controls/os_spec.rb
View file

@ -27,49 +27,47 @@ elsif os.debian?
shadow_group = 'shadow'
end
blacklist = attribute('blacklist', default: [
# blacklist as provided by NSA
'/usr/bin/rcp', '/usr/bin/rlogin', '/usr/bin/rsh',
# sshd must not use host-based authentication (see ssh cookbook)
'/usr/libexec/openssh/ssh-keysign',
'/usr/lib/openssh/ssh-keysign',
# misc others
'/sbin/netreport', # not normally required for user
'/usr/sbin/usernetctl', # modify interfaces via functional accounts
# connecting to ...
'/usr/sbin/userisdnctl', # no isdn...
'/usr/sbin/pppd', # no ppp / dsl ...
# lockfile
'/usr/bin/lockfile',
'/usr/bin/mail-lock',
'/usr/bin/mail-unlock',
'/usr/bin/mail-touchlock',
'/usr/bin/dotlockfile',
# need more investigation, blacklist for now
'/usr/bin/arping',
'/usr/sbin/arping',
'/usr/sbin/uuidd',
'/usr/bin/mtr', # investigate current state...
'/usr/lib/evolution/camel-lock-helper-1.2', # investigate current state...
'/usr/lib/pt_chown', # pseudo-tty, needed?
'/usr/lib/eject/dmcrypt-get-device',
'/usr/lib/mc/cons.saver', # midnight commander screensaver
# from Ubuntu xenial, need to investigate
# '/sbin/unix_chkpwd',
# '/sbin/pam_extrausers_chkpwd',
# '/usr/lib/x86_64-linux-gnu/utempter/utempter',
# '/usr/sbin/postdrop',
# '/usr/sbin/postqueue',
# '/usr/bin/ssh-agent',
# '/usr/bin/mlocate',
# '/usr/bin/crontab',
# '/usr/bin/screen',
# '/usr/bin/expiry',
# '/usr/bin/wall',
# '/usr/bin/chage',
# '/usr/bin/bsd-write',
],
description: 'blacklist of suid/sgid program on system')
# blacklist as provided by NSA
'/usr/bin/rcp', '/usr/bin/rlogin', '/usr/bin/rsh',
# sshd must not use host-based authentication (see ssh cookbook)
'/usr/libexec/openssh/ssh-keysign',
'/usr/lib/openssh/ssh-keysign',
# misc others
'/sbin/netreport', # not normally required for user
'/usr/sbin/usernetctl', # modify interfaces via functional accounts
# connecting to ...
'/usr/sbin/userisdnctl', # no isdn...
'/usr/sbin/pppd', # no ppp / dsl ...
# lockfile
'/usr/bin/lockfile',
'/usr/bin/mail-lock',
'/usr/bin/mail-unlock',
'/usr/bin/mail-touchlock',
'/usr/bin/dotlockfile',
# need more investigation, blacklist for now
'/usr/bin/arping',
'/usr/sbin/arping',
'/usr/sbin/uuidd',
'/usr/bin/mtr', # investigate current state...
'/usr/lib/evolution/camel-lock-helper-1.2', # investigate current state...
'/usr/lib/pt_chown', # pseudo-tty, needed?
'/usr/lib/eject/dmcrypt-get-device',
'/usr/lib/mc/cons.saver', # midnight commander screensaver
# from Ubuntu xenial, need to investigate
# '/sbin/unix_chkpwd',
# '/sbin/pam_extrausers_chkpwd',
# '/usr/lib/x86_64-linux-gnu/utempter/utempter',
# '/usr/sbin/postdrop',
# '/usr/sbin/postqueue',
# '/usr/bin/ssh-agent',
# '/usr/bin/mlocate',
# '/usr/bin/crontab',
# '/usr/bin/screen',
# '/usr/bin/expiry',
# '/usr/bin/wall',
# '/usr/bin/chage',
# '/usr/bin/bsd-write',
], description: 'blacklist of suid/sgid program on system')
control 'os-01' do
impact 1.0

8
controls/sysctl_spec.rb
View file

@ -329,10 +329,10 @@ control 'sysctl-31' do
# its(:value) { should match /0|2/ }
its(:value) { should eq 2 }
end
# unless kernel_parameter('fs.suid_dumpable') == 2
# describe kernel_parameter('fs.suid_dumpable') do
# its(:value) { should eq 2 }
# end
# unless kernel_parameter('fs.suid_dumpable') == 2
# describe kernel_parameter('fs.suid_dumpable') do
# its(:value) { should eq 2 }
# end
describe kernel_parameter('kernel.core_pattern') do
its(:value) { should match %r{^/.*} }
end