Martin Schurz
ba94b91d38
add all inputs
...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-19 01:12:44 +01:00
Martin Schurz
d079b4a57f
use only metadata
...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-19 01:08:45 +01:00
Martin Schurz
b850f351b6
ensure compatibility with new inspec version
...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-18 21:35:28 +01:00
Martin Schurz
11471d5507
ensure compatibility with new inspec version
...
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-18 21:27:23 +01:00
Martin Schurz
6cfbd386f0
fix spelling errors
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-30 19:11:41 +02:00
Sebastian Gumprich
7a6e7162fe
fix wrong sysctl
...
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-12-12 09:13:26 +01:00
Sebastian Gumprich
c15739b961
extend sysctls for ipv6
...
see https://docs.vmware.com/en/vRealize-Operations/8.6/com.vmware.vcom.core.doc/GUID-16BDA67D-914A-484C-97CA-8624F4881605.html and https://docs.vmware.com/en/vRealize-Operations/8.6/com.vmware.vcom.core.doc/GUID-37B91C4A-5E1E-4F8E-BC59-B3552BA7CDFA.html
also see https://github.com/dev-sec/ansible-collection-hardening/pull/607/
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-11-30 15:21:55 +01:00
Sebastian Gumprich
a04baec3b3
remove entropy-test
...
see https://github.com/dev-sec/linux-baseline/issues/176
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-09-23 13:10:32 +02:00
Martin Schurz
92cedeb529
only disable SquashFS if it's not needed
...
Ubuntu Snaps need SquashFS so we cannot disable it easily. Instead we
check for running Snap Service.
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-08-06 15:08:28 +02:00
Martin Schurz
5247b07871
fix handling of sysctl fs.protected_fifos and fs.protected_regular
...
our solution with cmp for fs.protected_fifos did not work. Checking for
all possible values combined with an `or` seems more reasonable here.
Also both sysctl parameters are not available in RHEL7. The chosen
solution seems to be the least complex, that also works on all systems.
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-11 12:05:53 +02:00
Martin Schurz
e646854c33
apply cookstyle fixes
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-03-18 20:41:09 +01:00
Michée lengronne
e679f92128
missing inputs changed
...
Leftover inputs changed.
Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com>
2022-01-12 18:16:37 +01:00
Michée lengronne
b5284b923e
use input instead of attribute ( #166 )
...
* use input instead of attribute
In the last versions of Inspec and cinc-auditor, attribute is deprecated and input should be used.
https://docs.chef.io/workstation/cookstyle/inspec_deprecations_attributehelper/
Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com>
* Update sysctl_spec.rb
Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com>
* Update inspec.yml
Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com>
* Update Rakefile
Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com>
2022-01-12 17:17:16 +01:00
Claudius Heine
1840dbb624
feat: add rules to check noexec, nosuid and nodev mount options ( #164 )
...
Setting the `noexec`, `nosuid` and `nodev` mount options for mount
points where those features are not required, limits possible attack
vectors.
Closes : #163
Signed-off-by: Claudius Heine <ch@denx.de>
2021-11-23 12:04:53 +01:00
Claudius Heine
00d24baa66
added sysctl-34 for checking link protection settings ( #160 )
...
Common and long-standing exploits regard unprotected links, fifos and
regular files, which are created or controlled by an attacker to gain
access to other files or control over other programs.
Signed-off-by: Claudius Heine <ch@denx.de>
2021-10-19 15:11:46 +02:00
Martin Schurz
c017b3ae5b
remove sysctl-18 - ipv6 no longer needs to be disabled
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-05-05 23:39:44 +02:00
Sebastian Gumprich
24a0c85b05
remove control package-07
...
As per https://github.com/dev-sec/linux-baseline/issues/149
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-04-29 07:42:31 +02:00
Farid Joubbi
39591a223e
Disable source routing for IPv6. See c3b5a3afd01eb06d184e9cac6c1df6b85a36e13b
...
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-03-24 07:33:19 +01:00
Sebastian Gumprich
559b16752f
Add empty line after guard clause
...
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-02-22 09:53:12 +01:00
Sebastian Gumprich
06acbe35b8
add cron permissions hardening
2021-02-22 09:47:05 +01:00
schurzi
4dddfaa89a
update code to conform to new linting rules ( #145 )
...
* update code to conform to new linting rules
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* disable unneeded linting rule
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-01-29 11:27:31 +01:00
Danny
bc7d6483ab
Fix tiny typo ( #143 )
...
rigths -> rights
Signed-off-by: Danny <1330413+danwit@users.noreply.github.com>
2021-01-25 10:06:25 +01:00
Michael Geiger
8f028d0386
Setting net.ipv4.conf.all.arp_ignore = 2 is used as a secure default in
...
many places now and should be a valid option
Signed-off-by: Michael Geiger <info@mgeiger.de>
2020-12-26 11:37:06 +01:00
Martin Schurz
beb89ca8f1
only check cpu vulnerabilities if not in container
...
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2020-12-16 21:22:48 +01:00
imjoseangel
f0873c7613
Add both vuln and Vuln
...
Signed-off-by: imjoseangel <josea.munoz@gmail.com>
2020-11-05 09:33:37 +01:00
imjoseangel
b03f36e508
Easiest solution for vuln string
...
Signed-off-by: imjoseangel <josea.munoz@gmail.com>
2020-11-05 09:11:52 +01:00
imjoseangel
a936317204
feat(osbaseline): support validation for cpu vulnerabilities
...
Detects if vulnerabilities directory exists. If so checks all the files inside if any.
Signed-off-by: imjoseangel <josea.munoz@gmail.com>
2020-11-05 09:11:27 +01:00
Sebastian Gumprich
6908002ab1
add archlinux-support for audit-check
...
Signed-off-by: Sebastian Gumprich <github@gumpri.ch>
2020-08-22 14:05:24 +02:00
imjoseangel
e20da94418
Removing exclamation as it is only for shadowi
...
Signed-off-by: imjoseangel <josea.munoz@gmail.com>
2020-06-30 14:14:55 +02:00
imjoseangel
748cfb26c8
Adds exclamation and asterisk as requested
...
Signed-off-by: imjoseangel <josea.munoz@gmail.com>
2020-06-29 23:13:21 +02:00
imjoseangel
3645c40723
Adds /etc/passwd format check
...
Signed-off-by: imjoseangel <josea.munoz@gmail.com>
2020-06-28 20:57:32 +02:00
Ben Dean
295683c617
skip the sysctl-19 control when sysctl_forwarding is true
...
fixes #124
Signed-off-by: Ben Dean <ben.dean@ontariosystems.com>
2019-12-02 18:41:31 -05:00
Christoph Hartmann
2ea93b2d09
add documentation for missing package-04 control
...
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2019-09-19 09:58:51 +02:00
Christoph Hartmann
fe0ac1c450
Merge pull request #119 from jjasghar/jjasghar/deprication
...
Fixing some deprecation notices
2019-09-19 09:54:08 +02:00
Artem Sidorenko
74df8a2d5a
Merge pull request #121 from foundulabs/samjmarshall/core_pattern
...
Allow core dumps to be piped into a program with an absolute path.
2019-07-19 15:06:37 +02:00
Sam Marshall
11ef401187
Allow for lowercase auditd config flush value.
...
Signed-off-by: Sam Marshall <sam@foundu.com.au>
2019-07-18 09:49:50 +10:00
Sam Marshall
f7ce8028ee
Allow core dumps to be piped into a program with an absolute path.
...
Signed-off-by: Sam Marshall <sam@foundu.com.au>
2019-07-18 09:43:53 +10:00
JJ Asghar
99c2ddd408
Fixing some deprecation notices
...
`default` is being replaced by `value`
Signed-off-by: JJ Asghar <awesome@ibm.com>
Signed-off-by: JJ Asghar <jjasghar@gmail.com>
2019-07-16 18:09:13 -05:00
Christophe van de Kerchove
601d1a4361
Add compatibility for alpine based images ( #111 )
...
Adding compatibility for alpine based images on shadow file
Signed-off-by: Christophe van de Kerchove <christophe.vkerchove@fxinnovation.com>
2019-03-07 21:14:24 +01:00
IceBear2k
723838f365
Signed-off-by: IceBear2k <ib-github@myrl.net>
...
Fix os-11 for Ubuntu 16.04 and newer
2018-10-12 22:20:57 +02:00
Sebastian Gumprich
f4c39c8021
efi-check should run on remote host, not locally ( #103 )
2018-09-04 18:13:10 +02:00
Julian C. Dunn
c5b995a432
update grammar in desc
2018-08-13 20:52:11 -07:00
Albert Avetisian
b301e7317a
Update to test for rsh-server instead of duplicate telnetd ( #98 )
2018-07-19 16:01:07 +02:00
Sebastian Gumprich
cc989d80a7
Do not disable vfat by default
...
On UEFI-systems the boot-partition is FAT by default (see [here](https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/System_partition )).
If we disable vfat, these systems become unbootable. This has already bitten some users using ansible-os-hardening (https://github.com/dev-sec/ansible-os-hardening/issues/162 , https://github.com/dev-sec/ansible-os-hardening/issues/145 ).
Therefore I propose we do not check for a disabled vfat filesystem, if efi is used on these systems
2018-07-10 12:56:32 +02:00
Matt Kulka
2768ba0af5
fix virtualization usage in older inspec versions ( #95 )
...
This profile throws an exception when using InSpec < 2.0.30 on non-virtualized systems because this fix (https://github.com/inspec/inspec/pull/2603 ) was not included in prior versions. This pull simply catches the exception where virtualization.* is called in pure Ruby.
2018-06-05 05:23:42 -07:00
Artem Sidorenko
0c2bb8da7d
Skip auditd and sysctl tests for containers
...
See https://github.com/dev-sec/chef-os-hardening/pull/199 for reference
Signed-off-by: Artem Sidorenko <artem@posteo.de>
2018-02-28 15:56:50 +01:00
Marcel
47f158d739
Fixes #89 false positive /etc/shadow on Fedora
...
Signed-off-by: Marcel <marcel.huth111@gmail.com>
2017-12-27 21:05:44 +01:00
Patrick Münch
146285585f
Merge pull request #87 from dev-sec/chris-rock/fix-86
...
deferring the execution of permissions to profile execution
2017-11-23 23:02:02 +01:00
Artem Sidorenko
df64f6c92c
Merge pull request #84 from shoekstra/fix_fedora_controls
...
Update Fedora controls
2017-11-20 12:29:44 +01:00
Stephen Hoekstra
46acd83cf0
Update Fedora controls
2017-11-20 09:31:07 +01:00