Commit graph

98 commits

Author SHA1 Message Date
Martin Schurz
ba94b91d38 add all inputs
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-19 01:12:44 +01:00
Martin Schurz
d079b4a57f use only metadata
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-19 01:08:45 +01:00
Martin Schurz
b850f351b6 ensure compatibility with new inspec version
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-18 21:35:28 +01:00
Martin Schurz
11471d5507 ensure compatibility with new inspec version
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-18 21:27:23 +01:00
Martin Schurz
6cfbd386f0 fix spelling errors
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-30 19:11:41 +02:00
Sebastian Gumprich
7a6e7162fe fix wrong sysctl
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-12-12 09:13:26 +01:00
Sebastian Gumprich
c15739b961 extend sysctls for ipv6
see https://docs.vmware.com/en/vRealize-Operations/8.6/com.vmware.vcom.core.doc/GUID-16BDA67D-914A-484C-97CA-8624F4881605.html and https://docs.vmware.com/en/vRealize-Operations/8.6/com.vmware.vcom.core.doc/GUID-37B91C4A-5E1E-4F8E-BC59-B3552BA7CDFA.html

also see https://github.com/dev-sec/ansible-collection-hardening/pull/607/

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-11-30 15:21:55 +01:00
Sebastian Gumprich
a04baec3b3 remove entropy-test
see https://github.com/dev-sec/linux-baseline/issues/176

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-09-23 13:10:32 +02:00
Martin Schurz
92cedeb529 only disable SquashFS if it's not needed
Ubuntu Snaps need SquashFS, so we cannot disable it easily. Instead we
check for a running Snap service.

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-08-06 15:08:28 +02:00
Martin Schurz
5247b07871 fix handling of sysctl fs.protected_fifos and fs.protected_regular
Our solution with cmp for fs.protected_fifos did not work. Checking for
all possible values combined with an `or` seems more reasonable here.

Also, both sysctl parameters are not available in RHEL 7. The chosen
solution seems to be the least complex one that also works on all systems.

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-11 12:05:53 +02:00
Martin Schurz
e646854c33 apply cookstyle fixes
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-03-18 20:41:09 +01:00
Michée lengronne
e679f92128 missing inputs changed
Leftover inputs changed.

Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com>
2022-01-12 18:16:37 +01:00
Michée lengronne
b5284b923e
use input instead of attribute (#166)
* use input instead of attribute

In the latest versions of InSpec and cinc-auditor, `attribute` is deprecated and `input` should be used.

https://docs.chef.io/workstation/cookstyle/inspec_deprecations_attributehelper/
Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com>

* Update sysctl_spec.rb

Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com>

* Update inspec.yml

Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com>

* Update Rakefile

Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com>
2022-01-12 17:17:16 +01:00
Claudius Heine
1840dbb624
feat: add rules to check noexec, nosuid and nodev mount options (#164)
Setting the `noexec`, `nosuid` and `nodev` mount options for mount
points where those features are not required limits possible attack
vectors.

Closes: #163

Signed-off-by: Claudius Heine <ch@denx.de>
2021-11-23 12:04:53 +01:00
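The check that commit describes, written here as an added example in plain Ruby rather than the profile's own InSpec control, so it runs without InSpec. It reads `/proc/mounts` syntax (including the `\040` escape for spaces in paths), compares each mount point's options against a required set, and skips mount points that are not mounted instead of failing them. The mount table and the per-mount requirements below are constructed for this example; the profile's own list of mount points and options may differ.

```ruby
# Added example (plain Ruby, not the linux-baseline profile's InSpec code):
# verify that selected mount points carry nodev/nosuid/noexec.

# Constructed sample in /proc/mounts format. The last line carries an escaped
# space (\040) in the mount path, as the kernel writes it.
SAMPLE_MOUNTS = <<~MOUNTS
  /dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
  tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
  tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
  /dev/sda2 /home ext4 rw,nosuid,nodev,relatime 0 0
  /dev/sda3 /var/log ext4 rw,relatime 0 0
  /dev/sdb1 /mnt/data\\040disk ext4 rw,nosuid,nodev,noexec 0 0
MOUNTS

# Assumed requirements for this example (not the profile's own list).
REQUIRED_MOUNT_OPTIONS = {
  '/tmp'           => %w[nodev nosuid noexec],
  '/dev/shm'       => %w[nodev nosuid noexec],
  '/home'          => %w[nodev nosuid],
  '/var/log'       => %w[nodev nosuid noexec],
  '/mnt/data disk' => %w[nodev nosuid noexec],
  '/boot'          => %w[nodev nosuid noexec], # not mounted in the sample: skipped
}.freeze

# /proc/mounts escapes whitespace in paths as three-digit octal (\040);
# decode it so a path containing a space is compared correctly.
def unescape_mount_path(path)
  path.gsub(/\\([0-7]{3})/) { Regexp.last_match(1).to_i(8).chr }
end

# Returns { mount_point => [option, ...] }.
def parse_mounts(text)
  text.each_line.with_object({}) do |line, mounts|
    _device, mount_point, _fstype, options = line.split(' ')
    next if options.nil?
    mounts[unescape_mount_path(mount_point)] = options.split(',')
  end
end

# Returns { mount_point => { status: :pass|:fail|:skip, missing: [...] } }.
# A required mount point that is not mounted at all is skipped, not failed.
def check_mount_options(mounts, required = REQUIRED_MOUNT_OPTIONS)
  required.to_h do |mount_point, wanted|
    present = mounts[mount_point]
    next [mount_point, { status: :skip, missing: [] }] if present.nil?
    missing = wanted - present
    [mount_point, { status: missing.empty? ? :pass : :fail, missing: missing }]
  end
end

if __FILE__ == $PROGRAM_NAME
  check_mount_options(parse_mounts(SAMPLE_MOUNTS)).each do |mnt, r|
    puts "#{r[:status]}\t#{mnt}\t#{r[:missing].join(',')}"
  end
end
```

On a real host replace `SAMPLE_MOUNTS` with `File.read('/proc/mounts')`. The skip branch matters: a baseline that fails on an absent `/boot` or `/home` mount produces noise on hosts that keep those directories on the root filesystem, which is where the separate-mount recommendation does not apply anyway.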
Claudius Heine
00d24baa66
added sysctl-34 for checking link protection settings (#160)
Common and long-standing exploits regard unprotected links, fifos and
regular files, which are created or controlled by an attacker to gain
access to other files or control over other programs.

Signed-off-by: Claudius Heine <ch@denx.de>
2021-10-19 15:11:46 +02:00
Martin Schurz
c017b3ae5b remove sysctl-18 - ipv6 no longer needs to be disabled
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-05-05 23:39:44 +02:00
Sebastian Gumprich
24a0c85b05 remove control package-07
As per https://github.com/dev-sec/linux-baseline/issues/149

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-04-29 07:42:31 +02:00
Farid Joubbi
39591a223e Disable source routing for IPv6. See c3b5a3afd01eb06d184e9cac6c1df6b85a36e13b
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-03-24 07:33:19 +01:00
Sebastian Gumprich
559b16752f Add empty line after guard clause
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-02-22 09:53:12 +01:00
Sebastian Gumprich
06acbe35b8 add cron permissions hardening
2021-02-22 09:47:05 +01:00
schurzi
4dddfaa89a
update code to conform to new linting rules (#145)
* update code to conform to new linting rules

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* disable unneeded linting rule

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-01-29 11:27:31 +01:00
Danny
bc7d6483ab
Fix tiny typo (#143)
rigths -> rights

Signed-off-by: Danny <1330413+danwit@users.noreply.github.com>
2021-01-25 10:06:25 +01:00
Michael Geiger
8f028d0386 Setting net.ipv4.conf.all.arp_ignore = 2 is used as a secure default in
many places now and should be a valid option

Signed-off-by: Michael Geiger <info@mgeiger.de>
2020-12-26 11:37:06 +01:00
Martin Schurz
beb89ca8f1 only check cpu vulnerabilities if not in container
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2020-12-16 21:22:48 +01:00
imjoseangel
f0873c7613
Add both vuln and Vuln
Signed-off-by: imjoseangel <josea.munoz@gmail.com>
2020-11-05 09:33:37 +01:00
imjoseangel
b03f36e508
Easiest solution for vuln string
Signed-off-by: imjoseangel <josea.munoz@gmail.com>
2020-11-05 09:11:52 +01:00
imjoseangel
a936317204
feat(osbaseline): support validation for cpu vulnerabilities
Detects if the vulnerabilities directory exists. If so, checks all the files inside, if any.

Signed-off-by: imjoseangel <josea.munoz@gmail.com>
2020-11-05 09:11:27 +01:00
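The scan the three commits above describe (directory may be absent, every file inside is read, a hit on either `vuln` or `Vuln` fails, and the whole check is skipped inside a container), written here as an added example in plain Ruby, not the profile's own InSpec control. The file contents are constructed to mirror the format of `/sys/devices/system/cpu/vulnerabilities/*`; the container flag is passed in by the caller because how you detect a container is outside this example.

```ruby
require 'tmpdir'

# Added example (plain Ruby, not the linux-baseline profile's InSpec code):
# scan the per-vulnerability status files the kernel exposes.

# Constructed sample contents, in the format the kernel uses.
SAMPLE_CPU_VULNS = {
  'meltdown'        => "Mitigation: PTI\n",
  'spectre_v1'      => "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
  'spectre_v2'      => "Mitigation: Retpolines, IBPB: conditional, STIBP: conditional, RSB filling\n",
  'l1tf'            => "Not affected\n",
  'mds'             => "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n",
  'tsx_async_abort' => "Vulnerable\n",
}.freeze

CPU_VULN_DIR = '/sys/devices/system/cpu/vulnerabilities'.freeze

# The kernel reports "Not affected", "Mitigation: ..." or "Vulnerable...".
# The commits match both "vuln" and "Vuln"; /[Vv]uln/ covers both, and is
# tested first so "Vulnerable: ...; SMT vulnerable" is never read as mitigated.
def classify_cpu_vuln(content)
  case content
  when /[Vv]uln/        then :vulnerable
  when /\ANot affected/ then :not_affected
  when /\AMitigation/   then :mitigated
  else                       :unknown
  end
end

# Returns { status: :pass|:fail|:skip, findings: { name => classification } }.
# Skipped inside a container (the commit above makes the check host-only) and
# on kernels that do not expose the directory at all.
def scan_cpu_vulnerabilities(dir = CPU_VULN_DIR, in_container: false)
  return { status: :skip, findings: {} } if in_container || !Dir.exist?(dir)

  findings = Dir.children(dir).sort.to_h do |name|
    [name, classify_cpu_vuln(File.read(File.join(dir, name)))]
  end
  { status: findings.value?(:vulnerable) ? :fail : :pass, findings: findings }
end

# Writes the constructed sample into a temporary directory and yields its path,
# so the scanner can be exercised on a machine without those sysfs files.
def with_sample_cpu_vuln_dir
  Dir.mktmpdir('cpu-vulns') do |dir|
    SAMPLE_CPU_VULNS.each { |name, content| File.write(File.join(dir, name), content) }
    yield dir
  end
end

if __FILE__ == $PROGRAM_NAME
  with_sample_cpu_vuln_dir do |dir|
    scan_cpu_vulnerabilities(dir)[:findings].each { |n, s| puts "#{s}\t#{n}" }
  end
end
```

One consequence of the substring match worth knowing: a line such as `Mitigation: Clear CPU buffers; SMT vulnerable` is also flagged, because it contains `vulnerable`. That is usually the desired outcome (sibling threads are still exposed), but it means a "mitigated" kernel with SMT enabled fails this check until SMT is disabled or the line is accepted explicitly.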
Sebastian Gumprich
6908002ab1 add archlinux-support for audit-check
Signed-off-by: Sebastian Gumprich <github@gumpri.ch>
2020-08-22 14:05:24 +02:00
imjoseangel
e20da94418 Removing exclamation as it is only for shadow
Signed-off-by: imjoseangel <josea.munoz@gmail.com>
2020-06-30 14:14:55 +02:00
imjoseangel
748cfb26c8 Adds exclamation and asterisk as requested
Signed-off-by: imjoseangel <josea.munoz@gmail.com>
2020-06-29 23:13:21 +02:00
imjoseangel
3645c40723 Adds /etc/passwd format check
Signed-off-by: imjoseangel <josea.munoz@gmail.com>
2020-06-28 20:57:32 +02:00
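The format check the three commits above converge on, as an added example in plain Ruby rather than the profile's own InSpec control: every `/etc/passwd` line must have seven colon-separated fields, numeric uid and gid, and a password field of `x` (hash lives in `/etc/shadow`) or `*` (no login); `!` is rejected here because, as the later commit notes, the lock marker belongs in `/etc/shadow`, and an empty password field is rejected because it means no password is required. The sample file is constructed for this example.

```ruby
# Added example (plain Ruby, not the linux-baseline profile's InSpec code):
# validate the shape of /etc/passwd entries.

# Constructed sample. The last four lines are deliberately invalid.
SAMPLE_PASSWD = <<~PASSWD
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  sync:*:4:65534:sync:/bin:/bin/sync
  legacy:$6$saltsalt$hashhashhash:1001:1001::/home/legacy:/bin/sh
  broken:x:1002:1002:no shell field:/home/broken
  locked:!:1003:1003::/home/locked:/bin/bash
  ghost::1004:1004::/home/ghost:/bin/bash
PASSWD

PASSWD_FIELD_COUNT = 7
# Accepted password-field placeholders, per the commits above.
PASSWD_PLACEHOLDERS = %w[x *].freeze

# Returns an Array of problem strings for one passwd line (empty when valid).
def passwd_line_problems(line)
  fields = line.split(':', -1) # -1 keeps trailing empty fields
  problems = []
  unless fields.size == PASSWD_FIELD_COUNT
    problems << "expected #{PASSWD_FIELD_COUNT} fields, got #{fields.size}"
  end
  user, password, uid, gid = fields
  problems << 'empty user name' if user.to_s.empty?
  unless PASSWD_PLACEHOLDERS.include?(password)
    problems << "password field #{password.inspect} is not one of #{PASSWD_PLACEHOLDERS.join(' ')}"
  end
  problems << 'uid is not numeric' unless uid.to_s.match?(/\A\d+\z/)
  problems << 'gid is not numeric' unless gid.to_s.match?(/\A\d+\z/)
  problems
end

# Returns { user => [problem, ...] } for every invalid entry; an empty Hash
# means the file passes. Blank lines and comments are ignored.
def check_passwd_format(text)
  text.each_line(chomp: true).each_with_object({}) do |line, bad|
    next if line.strip.empty? || line.start_with?('#')
    problems = passwd_line_problems(line)
    bad[line.split(':', 2).first] = problems unless problems.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  check_passwd_format(SAMPLE_PASSWD).each { |user, ps| puts "#{user}: #{ps.join('; ')}" }
end
```

Run it against the real file with `check_passwd_format(File.read('/etc/passwd'))`. Splitting with `-1` is the detail that matters: `'a:b::'.split(':')` silently drops trailing empty fields, which would let a truncated entry pass the field count.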
Ben Dean
295683c617
skip the sysctl-19 control when sysctl_forwarding is true
fixes #124

Signed-off-by: Ben Dean <ben.dean@ontariosystems.com>
2019-12-02 18:41:31 -05:00
Christoph Hartmann
2ea93b2d09 add documentation for missing package-04 control
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2019-09-19 09:58:51 +02:00
Christoph Hartmann
fe0ac1c450
Merge pull request #119 from jjasghar/jjasghar/deprication
Fixing some deprecation notices
2019-09-19 09:54:08 +02:00
Artem Sidorenko
74df8a2d5a
Merge pull request #121 from foundulabs/samjmarshall/core_pattern
Allow core dumps to be piped into a program with an absolute path.
2019-07-19 15:06:37 +02:00
Sam Marshall
11ef401187 Allow for lowercase auditd config flush value.
Signed-off-by: Sam Marshall <sam@foundu.com.au>
2019-07-18 09:49:50 +10:00
Sam Marshall
f7ce8028ee Allow core dumps to be piped into a program with an absolute path.
Signed-off-by: Sam Marshall <sam@foundu.com.au>
2019-07-18 09:43:53 +10:00
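An added example, in plain Ruby rather than the profile's own InSpec control, serving three of the commits on this page: the `fs.protected_fifos` / `fs.protected_regular` change (accept any of several values with an `or`, and cope with kernels such as RHEL 7 that do not expose the parameter at all), the `arp_ignore` change (2 accepted alongside 1), and the `core_pattern` change just above (a pipe is fine when the helper is given by absolute path). The sample `sysctl -a` output and the accepted-value sets are assumptions for this example; the profile's own lists may differ.

```ruby
# Added example (plain Ruby, not the linux-baseline profile's InSpec code):
# evaluate sysctl expectations as sets of accepted values, treat an absent
# parameter as a skip rather than a failure, and validate kernel.core_pattern.

# Constructed sample in `sysctl -a` output format. fs.protected_* are present
# here; a RHEL 7 kernel would simply not list them.
SAMPLE_SYSCTL = <<~OUT
  fs.protected_fifos = 1
  fs.protected_regular = 2
  net.ipv4.conf.all.arp_ignore = 2
  kernel.core_pattern = |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h
  kernel.sysrq = 1
OUT

# Parse "key = value" lines into a Hash of strings (core_pattern is not numeric).
def parse_sysctl(text)
  text.each_line.with_object({}) do |line, params|
    key, value = line.split('=', 2)
    next if value.nil?
    params[key.strip] = value.strip
  end
end

# core_pattern may be a plain file name, or a pipe into a helper given by
# absolute path ("|/usr/lib/..."); a pipe into a relative path is rejected.
def core_pattern_ok?(value)
  return true unless value.start_with?('|')
  value.match?(%r{\A\|/\S+})
end

# Accepted values per parameter (assumed for this example). An Array means
# "the value is one of these"; a callable means a free-form validation.
SYSCTL_EXPECTATIONS = {
  'fs.protected_fifos'           => %w[1 2],
  'fs.protected_regular'         => %w[1 2],
  'net.ipv4.conf.all.arp_ignore' => %w[1 2],
  'kernel.core_pattern'          => method(:core_pattern_ok?),
  'kernel.sysrq'                 => %w[0],
}.freeze

# Returns { parameter => :pass | :fail | :skip }.
def check_sysctls(params, expectations = SYSCTL_EXPECTATIONS)
  expectations.to_h do |name, accept|
    value = params[name]
    status =
      if value.nil?
        :skip # kernel does not expose the parameter (e.g. RHEL 7 for fs.protected_*)
      elsif accept.respond_to?(:call)
        accept.call(value) ? :pass : :fail
      else
        accept.include?(value) ? :pass : :fail
      end
    [name, status]
  end
end

if __FILE__ == $PROGRAM_NAME
  check_sysctls(parse_sysctl(SAMPLE_SYSCTL)).each { |name, status| puts "#{status}\t#{name}" }
end
```

On a host, feed it `parse_sysctl(%x(sysctl -a 2>/dev/null))`. Keeping the values as strings and comparing against a list is what makes "1 or 2" trivial to express; the earlier `cmp`-style single comparison is what the fs.protected_fifos commit replaced.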
JJ Asghar
99c2ddd408 Fixing some deprecation notices
`default` is being replaced by `value`

Signed-off-by: JJ Asghar <awesome@ibm.com>
Signed-off-by: JJ Asghar <jjasghar@gmail.com>
2019-07-16 18:09:13 -05:00
Christophe van de Kerchove
601d1a4361 Add compatibility for alpine based images (#111)
Adding compatibility for Alpine-based images on the shadow file

Signed-off-by: Christophe van de Kerchove <christophe.vkerchove@fxinnovation.com>
2019-03-07 21:14:24 +01:00
IceBear2k
723838f365 Signed-off-by: IceBear2k <ib-github@myrl.net>
Fix os-11 for Ubuntu 16.04 and newer
2018-10-12 22:20:57 +02:00
Sebastian Gumprich
f4c39c8021 efi-check should run on remote host, not locally (#103)
2018-09-04 18:13:10 +02:00
Julian C. Dunn
c5b995a432
update grammar in desc
2018-08-13 20:52:11 -07:00
Albert Avetisian
b301e7317a Update to test for rsh-server instead of duplicate telnetd (#98)
2018-07-19 16:01:07 +02:00
Sebastian Gumprich
cc989d80a7 Do not disable vfat by default
On UEFI systems the boot partition is FAT by default (see [here](https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/System_partition)).

If we disable vfat, these systems become unbootable. This has already bitten some users using ansible-os-hardening (https://github.com/dev-sec/ansible-os-hardening/issues/162, https://github.com/dev-sec/ansible-os-hardening/issues/145).

Therefore I propose we do not check for a disabled vfat filesystem if EFI is used on these systems.
2018-07-10 12:56:32 +02:00
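An added example, in plain Ruby rather than the profile's own InSpec control, for this commit and the later SquashFS/Snap commit on this page: decide which filesystem modules must be neutralised in `modprobe.d`, with the two exceptions both commits describe (vfat stays loadable on UEFI hosts because the EFI system partition is FAT; squashfs stays loadable while snapd is running because Snaps are squashfs images). The module list and the configuration file are constructed for this example; whether snapd is running is passed in by the caller, for instance from `systemctl is-active snapd`.

```ruby
# Added example (plain Ruby, not the linux-baseline profile's InSpec code):
# which unneeded filesystem modules are still loadable, given modprobe.d.

# Constructed /etc/modprobe.d fragment; note that vfat is not covered.
SAMPLE_MODPROBE_CONF = <<~CONF
  # constructed /etc/modprobe.d/dev-sec.conf
  install cramfs /bin/true
  install freevxfs /bin/true
  install jffs2 /bin/true
  install hfs /bin/true
  install hfsplus /bin/true
  install udf /bin/true
  install squashfs /bin/true
CONF

# Filesystems assumed unneeded on a server unless an exception applies.
UNUSED_FILESYSTEMS = %w[cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat].freeze

# Linux exposes /sys/firmware/efi only when the kernel was booted via UEFI.
def efi_system?
  File.directory?('/sys/firmware/efi')
end

# Modules whose loading modprobe.d neutralises, either by pointing `install`
# at /bin/true or /bin/false, or with a `blacklist` line. The `install` form is
# the one that also stops an explicit `modprobe <name>`.
def disabled_modules(conf_text)
  conf_text.each_line.each_with_object([]) do |raw, mods|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(%r{\Ainstall\s+(\S+)\s+/bin/(?:true|false)\b}))
      mods << m[1]
    elsif (m = line.match(/\Ablacklist\s+(\S+)/))
      mods << m[1]
    end
  end
end

# The modules that must be disabled on this particular host.
def required_disabled(efi: false, snapd_running: false)
  mods = UNUSED_FILESYSTEMS.dup
  mods.delete('vfat') if efi              # EFI system partition is FAT
  mods.delete('squashfs') if snapd_running # Snaps are squashfs images
  mods
end

# Returns the modules that should be disabled but are not (empty means pass).
def check_filesystem_modules(conf_text, efi: false, snapd_running: false)
  required_disabled(efi: efi, snapd_running: snapd_running) - disabled_modules(conf_text)
end

if __FILE__ == $PROGRAM_NAME
  missing = check_filesystem_modules(SAMPLE_MODPROBE_CONF, efi: efi_system?)
  puts(missing.empty? ? 'pass' : "still loadable: #{missing.join(' ')}")
end
```

On a real host concatenate every file under `/etc/modprobe.d/` before calling `disabled_modules`; a single file is used here only to keep the sample self-contained. The exception list is the point of both commits: a check that demands vfat disabled on a UEFI machine is not stricter, it is wrong, and the same goes for squashfs on a host that runs Snaps.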
Matt Kulka
2768ba0af5 fix virtualization usage in older inspec versions (#95)
This profile throws an exception when using InSpec < 2.0.30 on non-virtualized systems because this fix (https://github.com/inspec/inspec/pull/2603) was not included in prior versions. This pull simply catches the exception where virtualization.* is called in pure Ruby.
2018-06-05 05:23:42 -07:00
Artem Sidorenko
0c2bb8da7d Skip auditd and sysctl tests for containers
See https://github.com/dev-sec/chef-os-hardening/pull/199 for reference

Signed-off-by: Artem Sidorenko <artem@posteo.de>
2018-02-28 15:56:50 +01:00
Marcel
47f158d739 Fixes #89 false positive /etc/shadow on Fedora
Signed-off-by: Marcel <marcel.huth111@gmail.com>
2017-12-27 21:05:44 +01:00
Patrick Münch
146285585f
Merge pull request #87 from dev-sec/chris-rock/fix-86
deferring the execution of permissions to profile execution
2017-11-23 23:02:02 +01:00
Artem Sidorenko
df64f6c92c
Merge pull request #84 from shoekstra/fix_fedora_controls
Update Fedora controls
2017-11-20 12:29:44 +01:00
Stephen Hoekstra
46acd83cf0 Update Fedora controls
2017-11-20 09:31:07 +01:00