Farid Joubbi
39591a223e
Disable source routing for IPv6. See c3b5a3afd01eb06d184e9cac6c1df6b85a36e13b
Signed-off-by: Farid Joubbi <farid@joubbi.se>
2021-03-24 07:33:19 +01:00
Sebastian Gumprich
559b16752f
Add empty line after guard clause
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2021-02-22 09:53:12 +01:00
Sebastian Gumprich
06acbe35b8
add cron permissions hardening
2021-02-22 09:47:05 +01:00
schurzi
4dddfaa89a
update code to conform to new linting rules (#145)
* update code to conform to new linting rules
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
* disable unneeded linting rule
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2021-01-29 11:27:31 +01:00
Danny
bc7d6483ab
Fix tiny typo (#143)
rigths -> rights
Signed-off-by: Danny <1330413+danwit@users.noreply.github.com>
2021-01-25 10:06:25 +01:00
Michael Geiger
8f028d0386
Setting net.ipv4.conf.all.arp_ignore = 2 is used as a secure default in many places now and should be a valid option
Signed-off-by: Michael Geiger <info@mgeiger.de>
2020-12-26 11:37:06 +01:00
Martin Schurz
beb89ca8f1
only check cpu vulnerabilities if not in container
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2020-12-16 21:22:48 +01:00
imjoseangel
f0873c7613
Add both vuln and Vuln
Signed-off-by: imjoseangel <josea.munoz@gmail.com>
2020-11-05 09:33:37 +01:00
imjoseangel
b03f36e508
Easiest solution for vuln string
Signed-off-by: imjoseangel <josea.munoz@gmail.com>
2020-11-05 09:11:52 +01:00
imjoseangel
a936317204
feat(osbaseline): support validation for cpu vulnerabilities
Detects if vulnerabilities directory exists. If so checks all the files inside if any.
Signed-off-by: imjoseangel <josea.munoz@gmail.com>
2020-11-05 09:11:27 +01:00
Sebastian Gumprich
6908002ab1
add archlinux-support for audit-check
Signed-off-by: Sebastian Gumprich <github@gumpri.ch>
2020-08-22 14:05:24 +02:00
imjoseangel
e20da94418
Removing exclamation as it is only for shadow
Signed-off-by: imjoseangel <josea.munoz@gmail.com>
2020-06-30 14:14:55 +02:00
imjoseangel
748cfb26c8
Adds exclamation and asterisk as requested
Signed-off-by: imjoseangel <josea.munoz@gmail.com>
2020-06-29 23:13:21 +02:00
imjoseangel
3645c40723
Adds /etc/passwd format check
Signed-off-by: imjoseangel <josea.munoz@gmail.com>
2020-06-28 20:57:32 +02:00
Ben Dean
295683c617
skip the sysctl-19 control when sysctl_forwarding is true
fixes #124
Signed-off-by: Ben Dean <ben.dean@ontariosystems.com>
2019-12-02 18:41:31 -05:00
Christoph Hartmann
2ea93b2d09
add documentation for missing package-04 control
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2019-09-19 09:58:51 +02:00
Christoph Hartmann
fe0ac1c450
Merge pull request #119 from jjasghar/jjasghar/deprication
Fixing some deprecation notices
2019-09-19 09:54:08 +02:00
Artem Sidorenko
74df8a2d5a
Merge pull request #121 from foundulabs/samjmarshall/core_pattern
Allow core dumps to be piped into a program with an absolute path.
2019-07-19 15:06:37 +02:00
Sam Marshall
11ef401187
Allow for lowercase auditd config flush value.
Signed-off-by: Sam Marshall <sam@foundu.com.au>
2019-07-18 09:49:50 +10:00
Sam Marshall
f7ce8028ee
Allow core dumps to be piped into a program with an absolute path.
Signed-off-by: Sam Marshall <sam@foundu.com.au>
2019-07-18 09:43:53 +10:00
JJ Asghar
99c2ddd408
Fixing some deprecation notices
`default` is being replaced by `value`
Signed-off-by: JJ Asghar <awesome@ibm.com>
Signed-off-by: JJ Asghar <jjasghar@gmail.com>
2019-07-16 18:09:13 -05:00
Christophe van de Kerchove
601d1a4361
Add compatibility for alpine based images (#111)
Adding compatibility for alpine based images on shadow file
Signed-off-by: Christophe van de Kerchove <christophe.vkerchove@fxinnovation.com>
2019-03-07 21:14:24 +01:00
IceBear2k
723838f365
Signed-off-by: IceBear2k <ib-github@myrl.net>
Fix os-11 for Ubuntu 16.04 and newer
2018-10-12 22:20:57 +02:00
Sebastian Gumprich
f4c39c8021
efi-check should run on remote host, not locally (#103)
2018-09-04 18:13:10 +02:00
Julian C. Dunn
c5b995a432
update grammar in desc
2018-08-13 20:52:11 -07:00
Albert Avetisian
b301e7317a
Update to test for rsh-server instead of duplicate telnetd (#98)
2018-07-19 16:01:07 +02:00
Sebastian Gumprich
cc989d80a7
Do not disable vfat by default
On UEFI-systems the boot-partition is FAT by default (see [here](https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/System_partition)).
If we disable vfat, these systems become unbootable. This has already bitten some users using ansible-os-hardening (https://github.com/dev-sec/ansible-os-hardening/issues/162, https://github.com/dev-sec/ansible-os-hardening/issues/145).
Therefore I propose we do not check for a disabled vfat filesystem, if efi is used on these systems
2018-07-10 12:56:32 +02:00
Matt Kulka
2768ba0af5
fix virtualization usage in older inspec versions (#95)
This profile throws an exception when using InSpec < 2.0.30 on non-virtualized systems because this fix (https://github.com/inspec/inspec/pull/2603) was not included in prior versions. This pull simply catches the exception where virtualization.* is called in pure Ruby.
2018-06-05 05:23:42 -07:00
Artem Sidorenko
0c2bb8da7d
Skip auditd and sysctl tests for containers
See https://github.com/dev-sec/chef-os-hardening/pull/199 for reference
Signed-off-by: Artem Sidorenko <artem@posteo.de>
2018-02-28 15:56:50 +01:00
Marcel
47f158d739
Fixes #89 false positive /etc/shadow on Fedora
Signed-off-by: Marcel <marcel.huth111@gmail.com>
2017-12-27 21:05:44 +01:00
Patrick Münch
146285585f
Merge pull request #87 from dev-sec/chris-rock/fix-86
deferring the execution of permissions to profile execution
2017-11-23 23:02:02 +01:00
Artem Sidorenko
df64f6c92c
Merge pull request #84 from shoekstra/fix_fedora_controls
Update Fedora controls
2017-11-20 12:29:44 +01:00
Stephen Hoekstra
46acd83cf0
Update Fedora controls
2017-11-20 09:31:07 +01:00
Christoph Hartmann
3d77a3a8d7
Fixes #86 by deferring the execution of permissions to profile execution instead of profile initialisation
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
2017-11-19 11:48:07 +01:00
Tom Haynes
c68102a5a5
CIS 4.1.1.3
2017-11-13 16:27:42 +00:00
Stephen Hoekstra
1bfc31a885
Fix log dir group for Ubuntu 14.04+ (#83)
2017-11-10 11:18:52 +01:00
Anton Markelov
a5fb285c48
Use more strict defaults for redhat
2017-11-07 17:58:32 +10:00
Sebastian Gumprich
9c138b8c54
add logdir-check
2017-10-24 10:12:07 +02:00
Patrick Münch
c72d8adad0
Merge pull request #76 from HenryTheHamster/master
Check for Amazon Linux when determining audit package.
2017-08-10 09:22:55 +02:00
Patrick Münch
8b33eab5c3
Merge pull request #73 from bitvijays/cis_prelink_disable
CIS 1.5.4 Ensure prelink is disabled
2017-07-14 13:27:42 +02:00
andy shaw
4f518580a7
Use os name over family.
Signed-off-by: andy shaw <shawry@shawry.com>
2017-07-14 09:54:00 +10:00
Michael Geiger
c5dc86b78a
Optimize file search routines
- Remove redundant search for .rhosts files from os-01 (see os-09)
- Direct lookup of /etc/hosts.equiv instead of recursive search (os-01)
- Limit find to 3 sublevels in os-09
Signed-off-by: Michael Geiger <info@mgeiger.de>
2017-07-13 20:23:20 +02:00
andy shaw
0a753a2dd7
Update package_spec.rb
2017-07-12 16:42:04 +10:00
andy shaw
83b49d0e82
Update package_spec.rb
2017-07-12 16:39:08 +10:00
andy shaw
15315c5dd4
Update package_spec.rb
2017-07-12 16:17:03 +10:00
Patrick Münch
f8ac0dd4a5
Merge pull request #74 from lnxchk/patch-1
Update package_spec.rb
2017-07-07 07:16:29 +02:00
Patrick Münch
38573dda17
Merge pull request #71 from bitvijays/cis_disable_unused_filesystem
1.1.1 CIS Disable unused filesystem
2017-07-07 07:12:17 +02:00
Mandi Walls
2369b63ede
Update package_spec.rb
Fix the spelling of "password"
2017-07-06 14:10:19 +01:00
bitvijays
56784530de
Added net.ipv4.conf.default.log_martians for Martian Packets in Sysctl-17
Signed-off-by: bitvijays <bitvijays@gmail.com>
2017-07-04 14:03:56 +05:30
bitvijays
98bf7b9f49
CIS 1.1.1 Disable unused filesystems
Removed extra line
Signed-off-by: bitvijays <bitvijays@gmail.com>
2017-07-04 02:12:43 +05:30