From 63d6ce6069cd22928dadc96507aa2580b46314d3 Mon Sep 17 00:00:00 2001 From: Patrick Meier Date: Thu, 11 Sep 2014 22:10:12 +0200 Subject: [PATCH] changed GIS to DTAG SEC Signed-off-by: Patrick Meier --- default/serverspec/os_spec.rb | 20 ++++++++++---------- default/serverspec/sysctl_spec.rb | 26 +++++++++++++------------- lockdown/serverspec/os_spec.rb | 20 ++++++++++---------- lockdown/serverspec/sysctl_spec.rb | 26 +++++++++++++------------- 4 files changed, 46 insertions(+), 46 deletions(-) diff --git a/default/serverspec/os_spec.rb b/default/serverspec/os_spec.rb index 6f41d8b..59ccea3 100644 --- a/default/serverspec/os_spec.rb +++ b/default/serverspec/os_spec.rb @@ -21,47 +21,47 @@ RSpec.configure do |c| c.filter_run_excluding skipOn: backend(Serverspec::Commands::Base).check_os[:family] end -# GIS: Req 3.21-4 + describe command('find / -name \'.rhosts\' | wc -l ') do its(:stdout) { should match(/^0/) } end -# GIS: Req 3.21-4 + describe command('find / -name \'hosts.equiv\' | wc -l ') do its(:stdout) { should match(/^0/) } end -# GIS: Req 3.21-7 + describe file('/etc/shadow') do it { should be_owned_by 'root' } end -# GIS: Req 3.21-7 + describe file('/etc/shadow') do it { should be_mode 600 } end -# GIS: Req 3.21-8 + describe command('echo $PATH | grep -ci \'\.\'') do its(:stdout) { should match(/^0/) } end -# GIS: Req 3.21-8 + describe file('/etc/login.defs') do its(:content) { should match(%r{^ENV_SUPATH\s+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin}) } end -# GIS: Req 3.21-8 + describe file('/etc/login.defs') do its(:content) { should match(%r{^ENV_PATH\s+PATH=/usr/local/bin:/usr/bin:/bin}) } end -# GIS: Req 3.21-10 + describe file('/etc/login.defs') do its(:content) { should match(/^UMASK +027/) } end -# GIS: Req 3.21-12 + describe 'SUID/ SGID blacklist check' do it 'found no blacklisted suid/sgid' do blacklist = [ 
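Review bot: Every removed `# GIS: Req 3.21-n` line in this hunk is replaced by an empty `+` line rather than by the DTAG SEC reference the subject line announces, so the `.rhosts`/`hosts.equiv`, `/etc/shadow`, `$PATH`, `login.defs` and SUID/SGID examples lose their only link to a hardening requirement and a future reader cannot tell which control a failing example maps to. Unless the numbering did not carry over, keep the tag and swap only the prefix, e.g. `# DTAG SEC: Req 3.21-4` above the `.rhosts` check and `# DTAG SEC: Req 3.21-7` above the two `/etc/shadow` examples; if the DTAG SEC identifiers differ, a one-line description of the control such as `# rhosts/hosts.equiv trust files must not exist anywhere` is still better than a blank line. The `describe 'SUID/ SGID blacklist check'` block opens at the end of this hunk and its `blacklist = [` body continues outside it.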
@@ -97,7 +97,7 @@ describe 'SUID/ SGID blacklist check' do end end -# GIS: Req 3.21-16 + describe 'Unique uid' do it 'check for unique uids' do actual = command('cat /etc/passwd | cut -d \':\' -f 3').stdout.split(/\r?\n/) diff --git a/default/serverspec/sysctl_spec.rb b/default/serverspec/sysctl_spec.rb index f35a9ad..a90fa03 100644 --- a/default/serverspec/sysctl_spec.rb +++ b/default/serverspec/sysctl_spec.rb @@ -23,27 +23,27 @@ end describe 'IP V4 networking' do - # GIS: Req 3.21-1 + context linux_kernel_parameter('net.ipv4.ip_forward') do its(:value) { should eq 0 } end - # GIS: Req 3.21-1 + context linux_kernel_parameter('net.ipv4.conf.all.forwarding') do its(:value) { should eq 0 } end - # GIS: Req 3.21-3 + context linux_kernel_parameter('net.ipv4.conf.all.rp_filter') do its(:value) { should eq 1 } end - # GIS: Req 3.21-3 ; GIS: Req 3.37-10 + context linux_kernel_parameter('net.ipv4.conf.default.rp_filter') do its(:value) { should eq 1 } end - # GIS: Req 3.21-1 + context linux_kernel_parameter('net.ipv4.icmp_echo_ignore_broadcasts') do its(:value) { should eq 1 } end @@ -52,7 +52,7 @@ describe 'IP V4 networking' do its(:value) { should eq 1 } end - # GIS: Req 3.01-9 + context linux_kernel_parameter('net.ipv4.icmp_ratelimit') do its(:value) { should eq 100 } end @@ -65,12 +65,12 @@ describe 'IP V4 networking' do its(:value) { should eq 0 } end - # GIS: Req 3.21-3 + context linux_kernel_parameter('net.ipv4.conf.all.arp_ignore') do its(:value) { should eq 1 } end - # GIS: Req 3.21-3 + context linux_kernel_parameter('net.ipv4.conf.all.arp_announce') do its(:value) { should eq 2 } end @@ -91,12 +91,12 @@ describe 'IP V4 networking' do its(:value) { should eq 1 } end - # GIS: Req 3.37-12 + context linux_kernel_parameter('net.ipv4.conf.all.accept_source_route') do its(:value) { should eq 0 } end - # GIS: Req 3.37-12 + context linux_kernel_parameter('net.ipv4.conf.default.accept_source_route') do its(:value) { should eq 0 } end 
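Review bot: The comment removed above `net.ipv4.conf.default.rp_filter` carried two references (`3.21-3 ; 3.37-10`) and the new line carries none, so the spec no longer records why both `conf.all` and `conf.default` need rp_filter=1 (the default entry covers interfaces brought up later); the same applies to the `ip_forward`/`forwarding`, `icmp_ratelimit`, `arp_ignore`/`arp_announce` and `accept_source_route` examples. Because these comments sat indented inside `describe 'IP V4 networking'`, the bare `+` replacement probably leaves an indented, whitespace-only line that RuboCop's Layout/TrailingWhitespace would flag — worth checking in the raw patch. Suggest `# DTAG SEC: Req 3.21-3 ; DTAG SEC: Req 3.37-10` if the identifiers map 1:1, otherwise `# reverse-path filtering on every interface, including ones added later`. The `describe 'IP V4 networking'` block starts before and continues past these hunks.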
@@ -138,7 +138,7 @@ describe 'IP V6 Networking' do its(:value) { should eq 1 } end - # GIS: Req 3.21-1 + context linux_kernel_parameter('net.ipv6.conf.all.forwarding') do its(:value) { should eq 0 } end @@ -202,7 +202,7 @@ end describe 'ExecShield' do - # GIS: Req 3.21-5 + # check if we find the nx flag if command('cat /proc/cpuinfo').return_stdout?(/^flags.*?:.*? nx( .*?)?$/) true @@ -217,7 +217,7 @@ describe 'ExecShield' do end end - # GIS: Req 3.21-5 + context linux_kernel_parameter('kernel.randomize_va_space') do its(:value) { should eq 2 } end diff --git a/lockdown/serverspec/os_spec.rb b/lockdown/serverspec/os_spec.rb index b5753b1..bd3b4e9 100644 --- a/lockdown/serverspec/os_spec.rb +++ b/lockdown/serverspec/os_spec.rb @@ -21,47 +21,47 @@ RSpec.configure do |c| c.filter_run_excluding skipOn: backend(Serverspec::Commands::Base).check_os[:family] end -# GIS: Req 3.21-4 + describe command('find / -name \'.rhosts\' | wc -l ') do its(:stdout) { should match(/^0/) } end -# GIS: Req 3.21-4 + describe command('find / -name \'hosts.equiv\' | wc -l ') do its(:stdout) { should match(/^0/) } end -# GIS: Req 3.21-7 + describe file('/etc/shadow') do it { should be_owned_by 'root' } end -# GIS: Req 3.21-7 + describe file('/etc/shadow') do it { should be_mode 600 } end -# GIS: Req 3.21-8 + describe command('echo $PATH | grep -ci \'\.\'') do its(:stdout) { should match(/^0/) } end -# GIS: Req 3.21-8 + describe file('/etc/login.defs') do its(:content) { should match(%r{^ENV_SUPATH\s+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin}) } end -# GIS: Req 3.21-8 + describe file('/etc/login.defs') do its(:content) { should match(%r{^ENV_PATH\s+PATH=/usr/local/bin:/usr/bin:/bin}) } end -# GIS: Req 3.21-10 + describe file('/etc/login.defs') do its(:content) { should match(/^UMASK +027/) } end -# GIS: Req 3.21-12 + describe 'SUID/ SGID whitelist check' do it 'found only whitelist suid/sgid' do whitelist = [ 
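Review bot: Dropping `# GIS: Req 3.21-5` from the ExecShield block leaves `# check if we find the nx flag` as the only comment, and nothing says any more that the `/proc/cpuinfo` NX probe and the `kernel.randomize_va_space` should-eq-2 assertion are two halves of one requirement (no-exec memory plus full ASLR); the second hunk at 217 loses the tag entirely. Propose `# DTAG SEC: Req 3.21-5 -- NX support and full ASLR (randomize_va_space = 2)` above the `if command('cat /proc/cpuinfo')...` line, or a descriptive comment if the numbering changed; note in it that the `nx` flag only shows CPU capability, the kernel side is what the sysctl example covers. The `if` opened in the 202 hunk ends outside it, and `describe 'ExecShield'` continues past the 217 hunk.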
@@ -116,7 +116,7 @@ describe 'SUID/ SGID whitelist check' do end end -# GIS: Req 3.21-16 + describe 'Unique uid' do it 'check for unique uids' do actual = command('cat /etc/passwd | cut -d \':\' -f 3').stdout.split(/\r?\n/) diff --git a/lockdown/serverspec/sysctl_spec.rb b/lockdown/serverspec/sysctl_spec.rb index cb1cd30..ef9c4ee 100644 --- a/lockdown/serverspec/sysctl_spec.rb +++ b/lockdown/serverspec/sysctl_spec.rb @@ -23,27 +23,27 @@ end describe 'IP V4 networking' do - # GIS: Req 3.21-1 + context linux_kernel_parameter('net.ipv4.ip_forward') do its(:value) { should eq 0 } end - # GIS: Req 3.21-1 + context linux_kernel_parameter('net.ipv4.conf.all.forwarding') do its(:value) { should eq 0 } end - # GIS: Req 3.21-3 + context linux_kernel_parameter('net.ipv4.conf.all.rp_filter') do its(:value) { should eq 1 } end - # GIS: Req 3.21-3 ; GIS: Req 3.37-10 + context linux_kernel_parameter('net.ipv4.conf.default.rp_filter') do its(:value) { should eq 1 } end - # GIS: Req 3.21-1 + context linux_kernel_parameter('net.ipv4.icmp_echo_ignore_broadcasts') do its(:value) { should eq 1 } end @@ -52,7 +52,7 @@ describe 'IP V4 networking' do its(:value) { should eq 1 } end - # GIS: Req 3.01-9 + context linux_kernel_parameter('net.ipv4.icmp_ratelimit') do its(:value) { should eq 100 } end @@ -65,12 +65,12 @@ describe 'IP V4 networking' do its(:value) { should eq 0 } end - # GIS: Req 3.21-3 + context linux_kernel_parameter('net.ipv4.conf.all.arp_ignore') do its(:value) { should eq 1 } end - # GIS: Req 3.21-3 + context linux_kernel_parameter('net.ipv4.conf.all.arp_announce') do its(:value) { should eq 2 } end @@ -91,12 +91,12 @@ describe 'IP V4 networking' do its(:value) { should eq 1 } end - # GIS: Req 3.37-12 + context linux_kernel_parameter('net.ipv4.conf.all.accept_source_route') do its(:value) { should eq 0 } end - # GIS: Req 3.37-12 + context linux_kernel_parameter('net.ipv4.conf.default.accept_source_route') do its(:value) { should eq 0 } end 
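Review bot: In the lockdown profile the `SUID/ SGID whitelist check` loses `# GIS: Req 3.21-12` as well, and that block is the one visible place where lockdown/ diverges from default/ (only whitelisted setuid/setgid binaries may exist, versus a blacklist), so a comment is the natural spot to say why the stricter variant exists rather than leaving a blank line. Propose `# DTAG SEC: Req 3.21-12 (lockdown: only whitelisted setuid/setgid binaries may remain)` above `describe 'SUID/ SGID whitelist check' do`, assuming the identifier carried over. The `whitelist = [` array starts in this hunk and continues outside it.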
@@ -138,7 +138,7 @@ describe 'IP V6 Networking' do its(:value) { should eq 1 } end - # GIS: Req 3.21-1 + context linux_kernel_parameter('net.ipv6.conf.all.forwarding') do its(:value) { should eq 0 } end @@ -202,7 +202,7 @@ end describe 'ExecShield' do - # GIS: Req 3.21-5 + # check if we find the nx flag if command('cat /proc/cpuinfo').return_stdout?(/^flags.*?:.*? nx( .*?)?$/) true @@ -217,7 +217,7 @@ describe 'ExecShield' do end end - # GIS: Req 3.21-5 + context linux_kernel_parameter('kernel.randomize_va_space') do its(:value) { should eq 2 } end
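Review bot: Removing `# GIS: Req 3.21-1` above `net.ipv6.conf.all.forwarding` in the lockdown sysctl spec drops the only hint that the IPv6 forwarding example belongs to the same "no routing" requirement as the IPv4 `ip_forward` examples earlier in the file, which matters because IPv6 forwarding is the setting most often left enabled by accident. Suggest `# DTAG SEC: Req 3.21-1 (IPv6 counterpart of ip_forward)` if the numbering maps 1:1, otherwise a plain `# host must not route IPv6`. The `describe 'IP V6 Networking'` block starts before this hunk and continues after it.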