linux-baseline

mirror of https://github.com/dev-sec/linux-baseline synced 2024-11-22 19:23:02 +00:00

Author	SHA1	Message	Date
imjoseangel	3645c40723	Adds /etc/passwd format check Signed-off-by: imjoseangel <josea.munoz@gmail.com>	2020-06-28 20:57:32 +02:00
Ben Dean	295683c617	skip the sysctl-19 control when sysctl_forwarding is true fixes #124 Signed-off-by: Ben Dean <ben.dean@ontariosystems.com>	2019-12-02 18:41:31 -05:00
Christoph Hartmann	2ea93b2d09	add documentation for missing package-04 control Signed-off-by: Christoph Hartmann <chris@lollyrock.com>	2019-09-19 09:58:51 +02:00
Christoph Hartmann	fe0ac1c450	Merge pull request #119 from jjasghar/jjasghar/deprication Fixing some deprecation notices	2019-09-19 09:54:08 +02:00
Artem Sidorenko	74df8a2d5a	Merge pull request #121 from foundulabs/samjmarshall/core_pattern Allow core dumps to be piped into a program with an absolute path.	2019-07-19 15:06:37 +02:00
Sam Marshall	11ef401187	Allow for lowercase auditd config flush value. Signed-off-by: Sam Marshall <sam@foundu.com.au>	2019-07-18 09:49:50 +10:00
Sam Marshall	f7ce8028ee	Allow core dumps to be piped into a program with an absolute path. Signed-off-by: Sam Marshall <sam@foundu.com.au>	2019-07-18 09:43:53 +10:00
JJ Asghar	99c2ddd408	Fixing some deprecation notices `default` is being replaced by `value` Signed-off-by: JJ Asghar <awesome@ibm.com> Signed-off-by: JJ Asghar <jjasghar@gmail.com>	2019-07-16 18:09:13 -05:00
Christophe van de Kerchove	601d1a4361	Add compatibility for alpine based images (#111 ) Adding compatibility for alpine based images on shadow file Signed-off-by: Christophe van de Kerchove <christophe.vkerchove@fxinnovation.com>	2019-03-07 21:14:24 +01:00
IceBear2k	723838f365	Signed-off-by: IceBear2k <ib-github@myrl.net> Fix os-11 for Ubuntu 16.04 and newer	2018-10-12 22:20:57 +02:00
Sebastian Gumprich	f4c39c8021	efi-check should run on remote host, not locally (#103 )	2018-09-04 18:13:10 +02:00
Julian C. Dunn	c5b995a432	update grammar in desc	2018-08-13 20:52:11 -07:00
Albert Avetisian	b301e7317a	Update to test for rsh-server instead of duplicate telnetd (#98 )	2018-07-19 16:01:07 +02:00
Sebastian Gumprich	cc989d80a7	Do not disable vfat by default On UEFI-systems the boot-partition is FAT by default (see [here](https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/System_partition)). If we disable vfat, these systems become unbootable. This has already bitten some users using ansible-os-hardening (https://github.com/dev-sec/ansible-os-hardening/issues/162, https://github.com/dev-sec/ansible-os-hardening/issues/145). Therefore I propose we do not check for a disabled vfat filesystem, if efi is used on these systems	2018-07-10 12:56:32 +02:00
Matt Kulka	2768ba0af5	fix virtualization usage in older inspec versions (#95 ) This profile throws an exception when using InSpec < 2.0.30 on non-virtualized systems because this fix (https://github.com/inspec/inspec/pull/2603) was not included in prior versions. This pull simply catches the exception where virtualization.* is called in pure Ruby.	2018-06-05 05:23:42 -07:00
Artem Sidorenko	0c2bb8da7d	Skip auditd and sysctl tests for containers See https://github.com/dev-sec/chef-os-hardening/pull/199 for reference Signed-off-by: Artem Sidorenko <artem@posteo.de>	2018-02-28 15:56:50 +01:00
Marcel	47f158d739	Fixes #89 false positive /etc/shadow on Fedora Signed-off-by: Marcel <marcel.huth111@gmail.com>	2017-12-27 21:05:44 +01:00
Patrick Münch	146285585f	Merge pull request #87 from dev-sec/chris-rock/fix-86 deferring the execution of permissions to profile execution	2017-11-23 23:02:02 +01:00
Artem Sidorenko	df64f6c92c	Merge pull request #84 from shoekstra/fix_fedora_controls Update Fedora controls	2017-11-20 12:29:44 +01:00
Stephen Hoekstra	46acd83cf0	Update Fedora controls	2017-11-20 09:31:07 +01:00
Christoph Hartmann	3d77a3a8d7	Fixes #86 by deferring the execution of permissions to profile execution instead of profile initialisation Signed-off-by: Christoph Hartmann <chris@lollyrock.com>	2017-11-19 11:48:07 +01:00
Tom Haynes	c68102a5a5	CIS 4.1.1.3	2017-11-13 16:27:42 +00:00
Stephen Hoekstra	1bfc31a885	Fix log dir group for Ubuntu 14.04+ (#83 )	2017-11-10 11:18:52 +01:00
Anton Markelov	a5fb285c48	Use more strict defaults for redhat	2017-11-07 17:58:32 +10:00
Sebastian Gumprich	9c138b8c54	add logdir-check	2017-10-24 10:12:07 +02:00
Patrick Münch	c72d8adad0	Merge pull request #76 from HenryTheHamster/master Check for Amazon Linux when determining audit package.	2017-08-10 09:22:55 +02:00
Patrick Münch	8b33eab5c3	Merge pull request #73 from bitvijays/cis_prelink_disable CIS 1.5.4 Ensure prelink is disabled	2017-07-14 13:27:42 +02:00
andy shaw	4f518580a7	Use od name over family. Signed-off-by: andy shaw <shawry@shawry.com>	2017-07-14 09:54:00 +10:00
Michael Geiger	c5dc86b78a	Optimize file search routines - Remove redundant search for .rhosts files from os-01 (see os-09) - Direct lookup of /etc/hosts.equiv instead of recursive search (os-01) - Limit find to 3 sublevels in os-09 Signed-off-by: Michael Geiger <info@mgeiger.de>	2017-07-13 20:23:20 +02:00
andy shaw	0a753a2dd7	Update package_spec.rb	2017-07-12 16:42:04 +10:00
andy shaw	83b49d0e82	Update package_spec.rb	2017-07-12 16:39:08 +10:00
andy shaw	15315c5dd4	Update package_spec.rb	2017-07-12 16:17:03 +10:00
Patrick Münch	f8ac0dd4a5	Merge pull request #74 from lnxchk/patch-1 Update package_spec.rb	2017-07-07 07:16:29 +02:00
Patrick Münch	38573dda17	Merge pull request #71 from bitvijays/cis_disable_unused_filesystem 1.1.1 CIS Disable unused filesystem	2017-07-07 07:12:17 +02:00
Mandi Walls	2369b63ede	Update package_spec.rb Fix the spelling of "password"	2017-07-06 14:10:19 +01:00
bitvijays	56784530de	Added net.ipv4.conf.default.log_martians for Martian Packets in Sysctl-17 Signed-off-by: bitvijays <bitvijays@gmail.com>	2017-07-04 14:03:56 +05:30
bitvijays	98bf7b9f49	CIS 1.1.1 Disable unused filesystems Removed extra line Signed-off-by: bitvijays <bitvijays@gmail.com>	2017-07-04 02:12:43 +05:30
bitvijays	3303c00721	CIS 1.5.4 Ensure prelink is disabled Signed-off-by: bitvijays <bitvijays@gmail.com>	2017-07-04 02:04:40 +05:30
Christoph Hartmann	e192b1e766	Merge pull request #70 from mcgege/os-02 os-02: Fix for SUSE environments	2017-06-27 04:51:21 -07:00
Michael Geiger	c310414967	os-02: Fix for SUSE environments Signed-off-by: Michael Geiger <michael.geiger@telekom.de>	2017-06-27 09:51:39 +02:00
Michael Geiger	c439a23d3b	On SUSE environments 'auditd' is part of package 'audit'	2017-06-26 11:59:23 +02:00
Patrick Münch	105ec0fc99	Merge pull request #63 from artem-forks/num_logs num_logs has different values on different distros	2017-05-31 11:56:23 +02:00
Alex Pop	4f5fc943dd	Use only_if to avoid upload warning	2017-05-30 11:37:27 +01:00
Alex Pop	085b42857e	Use assignment_regex and bump profile version	2017-05-30 11:27:37 +01:00
Artem Sidorenko	4d63500d9a	num_logs has different values on different distros on debian 7 its 4, on everything else its 5 Lets remove this as it looks related only to logrotation	2017-05-27 21:53:57 +02:00
Artem Sidorenko	deb96a624e	Allow verification if kernel modules loading is disabled Signed-off-by: Artem Sidorenko <artem@posteo.de>	2017-05-22 19:53:35 +02:00
Artem Sidorenko	97c7be99d2	Fix: more generic auditd settings in order to match the defaults of all mainstream distros Some of settings are removed, as the defaults of distros are different, based on the intention of author [1] they are also not really important here [1]: https://github.com/dev-sec/linux-baseline/pull/44#commitcomment-21381289 Signed-off-by: Artem Sidorenko <artem@posteo.de>	2017-05-10 23:53:43 +02:00
Artem Sidorenko	e3df2dbb13	Verify the dump path only if dumpable is set to suidsafe See this discussion `790371c5fd (commitcomment-21277650)`	2017-03-13 19:56:44 +01:00
Artem Sidorenko	8f763e51b4	Properly verify the kernel dump setting 0 and 2 are the allowed options	2017-03-12 17:48:32 +01:00
iamthemuffinman	50f719d9f6	Use one block	2017-02-16 11:27:32 -05:00

1 2

68 commits