Mirrors/linux-baseline
2
0
Fork 0
mirror of https://github.com/dev-sec/linux-baseline synced 2024-11-22 19:23:02 +00:00
Code Issues Projects Releases Packages Wiki Activity
132 commits 17 branches 31 tags 478 KiB
Commit graph

132 commits

This branch
This branch
All branches
Author SHA1 Message Date
Dominik Richter
4187449039 updating common files 
updating files: [".rubocop.yml"]
 2014-12-12 01:25:27 +01:00
Patrick Meier
f0014053ce Merge pull request #24 from TelekomLabs/schroot 
feature: add schroot to suid/sgid whitelist
 2014-12-02 18:24:35 +01:00
Dominik Richter
a9c6ef152c feature: add schroot to suid/sgid whitelist 
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
 2014-12-01 13:42:51 +01:00
Patrick Meier
8b6a416684 Merge pull request #23 from TelekomLabs/update-common 
thank you
 2014-10-28 09:30:06 +01:00
Dominik Richter
347e022aa0 updating common files 
updating files: [".rubocop.yml"]
 2014-10-28 00:04:52 +01:00
Dominik Richter
1f60a3ca9e updating common files 
updating files: [".rubocop.yml"]
 2014-10-27 23:30:25 +01:00
Dominik Richter
9da1d9fdfe updating common files 
updating files: ["lockdown/serverspec/spec_helper.rb", "default/serverspec/spec_helper.rb", ".rubocop.yml"]
 2014-10-27 18:41:56 +01:00
Christoph Hartmann
8b140c47c5 Merge pull request #22 from TelekomLabs/update-common 
updating common files
 2014-10-20 10:54:41 +02:00
Dominik Richter
56d8d06603 updating common files 
updating files: ["Gemfile"]
 2014-10-20 10:58:08 +02:00
Dominik Richter
0fe462c08b updating common files 
updating files: ["lockdown/serverspec/spec_helper.rb", "default/serverspec/spec_helper.rb"]
 2014-10-20 10:14:47 +02:00
Dominik Richter
2e4f659523 update syntax for command.stdout check 
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
 2014-10-20 10:14:42 +02:00
Dominik Richter
db185e55a2 remove backend checks from each test (move to common) 
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
 2014-10-20 10:03:08 +02:00
Dominik Richter
84b56e4822 updating common files 
updating files: ["lockdown/serverspec/spec_helper.rb", "default/serverspec/spec_helper.rb"]
 2014-10-20 10:01:50 +02:00
Dominik Richter
2019279a6f add highline 
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
 2014-10-20 09:56:30 +02:00
Dominik Richter
59ed9633c9 updating common files 2014-10-16 02:46:52 +02:00
Dominik Richter
f8ae22d115 updating common files 2014-10-16 02:14:10 +02:00
Dominik Richter
f81fd221a4 Merge pull request #21 from atomic111/master 
changed GIS to DTAG SEC
 2014-09-14 19:22:54 +02:00
Patrick Meier
63d6ce6069 changed GIS to DTAG SEC 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-09-11 22:10:12 +02:00
Dominik Richter
8b5dffd2b1 Merge pull request #20 from TelekomLabs/lint 
bugfix: lint error
 2014-08-15 19:00:25 +02:00
Christoph Hartmann
ba563593c1 bugfix: lint error 2014-08-15 18:57:18 +02:00
Dominik Richter
40d41efa9f 1.0.0 
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
 2014-08-13 11:11:08 +02:00
Patrick Meier
d2f57f2ecf Merge pull request #19 from TelekomLabs/lockdown-mode 
Lockdown mode
 2014-07-23 20:48:54 +02:00
Dominik Richter
de8b8f15fb default profile checks SUID/SGID blacklist 
Instead of going for the whitelist and expecting all other SUID/SGID bits to be removed, go for the blacklist in the default profile. This behavior is preferred, since we don't want to enable a search through all nodes on a system for any SUID/SGID bits by default. This search is desired and reasonable in all cases, but many new users will be turned away if we activate it by default. It causes issues with any regularly mounted network filesystems (which take very long) or very large (amount of entries on the filesystem) storage nodes.

We will add this point to the documentation, as it's the user's task to mount these components with a nosuid configuration.

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
 2014-07-23 15:59:08 +02:00
Dominik Richter
69546f61ff add all current requirements from default -> lockdown 
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
 2014-07-23 15:50:17 +02:00
Dominik Richter
9436c28ca4 rename modules_disabled -> lockdown 
I.e. create tests for a special hardening profile whose configuration is to lock down all settings. This will include scanning for all unkown SUID-bits as well as kernel configuration with module lockdown.

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
 2014-07-23 15:46:04 +02:00
Dominik Richter
9f03078ee1 fixed puppet license-headers 
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
 2014-07-23 15:20:08 +02:00
Dominik Richter
8ba4f64725 add missing license headers 
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
 2014-07-23 00:10:30 +02:00
Dominik Richter
f2f8d295e4 Merge pull request #18 from atomic111/master 
split sysctl_spec.rb, added suid whitliste and uid unique search
 2014-07-22 17:44:05 +02:00
Patrick Meier
0138222d43 FIX linting 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-07-22 17:36:02 +02:00
Patrick Meier
5d91f454b0 added test to check unique UID's 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-07-22 16:54:02 +02:00
Patrick Meier
84dff35803 split sysctl parameter and added suid whitelist search 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-07-22 15:08:49 +02:00
Dominik Richter
e3bdd66605 Merge pull request #17 from atomic111/master 
added additional test
 2014-07-15 12:15:40 +02:00
Patrick Meier
2de4db352a FIX: reqular expression in PATH variable 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-07-10 12:25:50 +02:00
Patrick Meier
998370b205 FIX: Use %r for regular expressions matching 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-07-10 10:55:04 +02:00
Patrick Meier
8a6c0eb52d Fix: Syntax warrings 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-07-10 10:41:18 +02:00
Patrick Meier
ef40878dcf Fix: ENV_PATH in login.defs test not correct 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-07-10 10:35:46 +02:00
Patrick Meier
fb8e4a7d18 Fixed rubocop issues, Travis run failed 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-07-10 10:31:13 +02:00
Patrick Meier
0b7986100b added additional test (find rhosts-files, check /etc/shadow owner and rights, check PATH variable, check umask) 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-07-09 10:22:48 +02:00
Dominik Richter
ebe8e86604 Merge pull request #16 from ehaselwanter/travis-updates 
add travis config, add default task to rakefile
 2014-06-23 14:38:53 +02:00
Edmund Haselwanter
d9fe210802 add travis config, add default task to rakefile 2014-06-23 12:03:15 +02:00
Dominik Richter
62c5bd4247 Merge pull request #15 from ehaselwanter/rubocop 
update rubocop, add common linter task, fix rubocop issues
 2014-06-23 11:19:35 +02:00
Edmund Haselwanter
8e6f01f9f7 add missing encoding 2014-06-22 15:00:34 +02:00
Edmund Haselwanter
c980b4b70f update rubocop, add common linter task, fix rubocop issues 2014-06-22 12:57:10 +02:00
Patrick Meier
2bd0000199 Merge pull request #14 from TelekomLabs/exec-shield 
fix exec-shield test
 2014-06-17 09:23:19 +02:00
Christoph Hartmann
ecf1f8745f fix exec-shield test 2014-06-17 09:21:35 +02:00
Patrick Meier
3d6eee9aef Merge pull request #13 from TelekomLabs/lint 
add lint rake task with robocop and fix issues
 2014-06-17 08:26:22 +02:00
Christoph Hartmann
71cb61987e Merge pull request #12 from atomic111/master 
added Telekom Security Requirement numbers to the corresponding kitchen test
 2014-06-16 16:22:33 +02:00
Christoph Hartmann
ae8d37b81d add lint rake task with robocop and fix issues 2014-06-16 16:20:21 +02:00
Patrick Meier
746b796331 added more Telekom Security Requirementnumber 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-06-16 14:22:21 +02:00
Dominik Richter
ce048c7324 Merge pull request #11 from TelekomLabs/rubygem 
add ruby gem source
 2014-06-11 16:25:11 +02:00