linux-baseline

mirror of https://github.com/dev-sec/linux-baseline synced 2024-11-22 19:23:02 +00:00

Author	SHA1	Message	Date
Martin Schurz	6cfbd386f0	fix spelling errors Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2023-04-30 19:11:41 +02:00
Sebastian Gumprich	7a6e7162fe	fix wrong sysctl Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2022-12-12 09:13:26 +01:00
Sebastian Gumprich	c15739b961	extend sysctls for ipv6 see https://docs.vmware.com/en/vRealize-Operations/8.6/com.vmware.vcom.core.doc/GUID-16BDA67D-914A-484C-97CA-8624F4881605.html and https://docs.vmware.com/en/vRealize-Operations/8.6/com.vmware.vcom.core.doc/GUID-37B91C4A-5E1E-4F8E-BC59-B3552BA7CDFA.html also see https://github.com/dev-sec/ansible-collection-hardening/pull/607/ Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2022-11-30 15:21:55 +01:00
Sebastian Gumprich	a04baec3b3	remove entropy-test see https://github.com/dev-sec/linux-baseline/issues/176 Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2022-09-23 13:10:32 +02:00
Martin Schurz	92cedeb529	only disable SquashFS if it's not needed Ubuntu Snaps need SquashFS so we cannot disable it easily. Instead we check for running Snap Service. Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2022-08-06 15:08:28 +02:00
Martin Schurz	5247b07871	fix handling of sysctl fs.protected_fifos and fs.protected_regular our solution with cmp for fs.protected_fifos did not work. Checking for all possible values combined with an `or` seems more reasonable here. Also both sysctl parameters are not available in RHEL7. The chosen solution seems to be the least complex, that also works on all systems. Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2022-07-11 12:05:53 +02:00
Martin Schurz	e646854c33	apply cookstyle fixes Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2022-03-18 20:41:09 +01:00
Michée lengronne	e679f92128	missing inputs changed Leftover inputs changed. Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com>	2022-01-12 18:16:37 +01:00
Michée lengronne	b5284b923e	use input instead of attribute (#166 ) * use input instead of attribute In the last versions of Inspec and cinc-auditor, attribute is deprecated and input should be used. https://docs.chef.io/workstation/cookstyle/inspec_deprecations_attributehelper/ Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com> * Update sysctl_spec.rb Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com> * Update inspec.yml Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com> * Update Rakefile Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com>	2022-01-12 17:17:16 +01:00
Claudius Heine	1840dbb624	feat: add rules to check noexec, nosuid and nodev mount options (#164 ) Setting the `noexec`, `nosuid` and `nodev` mount options for mount points where those features are not required, limits possible attack vectors. Closes: #163 Signed-off-by: Claudius Heine <ch@denx.de>	2021-11-23 12:04:53 +01:00
Claudius Heine	00d24baa66	added sysctl-34 for checking link protection settings (#160 ) Common and long-standing exploits regard unprotected links, fifos and regular files, which are created or controlled by an attacker to gain access to other files or control over other programs. Signed-off-by: Claudius Heine <ch@denx.de>	2021-10-19 15:11:46 +02:00
Martin Schurz	c017b3ae5b	remove sysctl-18 - ipv6 no longer needs to be disabled Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2021-05-05 23:39:44 +02:00
Sebastian Gumprich	24a0c85b05	remove control package-07 As per https://github.com/dev-sec/linux-baseline/issues/149 Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2021-04-29 07:42:31 +02:00
Farid Joubbi	39591a223e	Disable source routing for IPv6. See c3b5a3afd01eb06d184e9cac6c1df6b85a36e13b Signed-off-by: Farid Joubbi <farid@joubbi.se>	2021-03-24 07:33:19 +01:00
Sebastian Gumprich	559b16752f	Add empty line after guard clause Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>	2021-02-22 09:53:12 +01:00
Sebastian Gumprich	06acbe35b8	add cron permissions hardening	2021-02-22 09:47:05 +01:00
schurzi	4dddfaa89a	update code to conform to new linting rules (#145 ) * update code to conform to new linting rules Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com> * disable unneeded linting rule Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2021-01-29 11:27:31 +01:00
Danny	bc7d6483ab	Fix tiny typo (#143 ) rigths -> rights Signed-off-by: Danny <1330413+danwit@users.noreply.github.com>	2021-01-25 10:06:25 +01:00
Michael Geiger	8f028d0386	Setting net.ipv4.conf.all.arp_ignore = 2 is used as a secure default in many places now and should be a valid option Signed-off-by: Michael Geiger <info@mgeiger.de>	2020-12-26 11:37:06 +01:00
Martin Schurz	beb89ca8f1	only check cpu vulnerabilities if not in container Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>	2020-12-16 21:22:48 +01:00
imjoseangel	f0873c7613	Add both vuln and Vuln Signed-off-by: imjoseangel <josea.munoz@gmail.com>	2020-11-05 09:33:37 +01:00
imjoseangel	b03f36e508	Easiest solution for vuln string Signed-off-by: imjoseangel <josea.munoz@gmail.com>	2020-11-05 09:11:52 +01:00
imjoseangel	a936317204	feat(osbaseline): support validation for cpu vulnerabilities Detects if vulnerabilities directory exists. If so checks all the files inside if any. Signed-off-by: imjoseangel <josea.munoz@gmail.com>	2020-11-05 09:11:27 +01:00
Sebastian Gumprich	6908002ab1	add archlinux-support for audit-check Signed-off-by: Sebastian Gumprich <github@gumpri.ch>	2020-08-22 14:05:24 +02:00
imjoseangel	e20da94418	Removing exclamation as it is only for shadowi Signed-off-by: imjoseangel <josea.munoz@gmail.com>	2020-06-30 14:14:55 +02:00
imjoseangel	748cfb26c8	Adds exclamation and asterisk as requested Signed-off-by: imjoseangel <josea.munoz@gmail.com>	2020-06-29 23:13:21 +02:00
imjoseangel	3645c40723	Adds /etc/passwd format check Signed-off-by: imjoseangel <josea.munoz@gmail.com>	2020-06-28 20:57:32 +02:00
Ben Dean	295683c617	skip the sysctl-19 control when sysctl_forwarding is true fixes #124 Signed-off-by: Ben Dean <ben.dean@ontariosystems.com>	2019-12-02 18:41:31 -05:00
Christoph Hartmann	2ea93b2d09	add documentation for missing package-04 control Signed-off-by: Christoph Hartmann <chris@lollyrock.com>	2019-09-19 09:58:51 +02:00
Christoph Hartmann	fe0ac1c450	Merge pull request #119 from jjasghar/jjasghar/deprication Fixing some deprecation notices	2019-09-19 09:54:08 +02:00
Artem Sidorenko	74df8a2d5a	Merge pull request #121 from foundulabs/samjmarshall/core_pattern Allow core dumps to be piped into a program with an absolute path.	2019-07-19 15:06:37 +02:00
Sam Marshall	11ef401187	Allow for lowercase auditd config flush value. Signed-off-by: Sam Marshall <sam@foundu.com.au>	2019-07-18 09:49:50 +10:00
Sam Marshall	f7ce8028ee	Allow core dumps to be piped into a program with an absolute path. Signed-off-by: Sam Marshall <sam@foundu.com.au>	2019-07-18 09:43:53 +10:00
JJ Asghar	99c2ddd408	Fixing some deprecation notices `default` is being replaced by `value` Signed-off-by: JJ Asghar <awesome@ibm.com> Signed-off-by: JJ Asghar <jjasghar@gmail.com>	2019-07-16 18:09:13 -05:00
Christophe van de Kerchove	601d1a4361	Add compatibility for alpine based images (#111 ) Adding compatibility for alpine based images on shadow file Signed-off-by: Christophe van de Kerchove <christophe.vkerchove@fxinnovation.com>	2019-03-07 21:14:24 +01:00
IceBear2k	723838f365	Signed-off-by: IceBear2k <ib-github@myrl.net> Fix os-11 for Ubuntu 16.04 and newer	2018-10-12 22:20:57 +02:00
Sebastian Gumprich	f4c39c8021	efi-check should run on remote host, not locally (#103 )	2018-09-04 18:13:10 +02:00
Julian C. Dunn	c5b995a432	update grammar in desc	2018-08-13 20:52:11 -07:00
Albert Avetisian	b301e7317a	Update to test for rsh-server instead of duplicate telnetd (#98 )	2018-07-19 16:01:07 +02:00
Sebastian Gumprich	cc989d80a7	Do not disable vfat by default On UEFI-systems the boot-partition is FAT by default (see [here](https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/System_partition)). If we disable vfat, these systems become unbootable. This has already bitten some users using ansible-os-hardening (https://github.com/dev-sec/ansible-os-hardening/issues/162, https://github.com/dev-sec/ansible-os-hardening/issues/145). Therefore I propose we do not check for a disabled vfat filesystem, if efi is used on these systems	2018-07-10 12:56:32 +02:00
Matt Kulka	2768ba0af5	fix virtualization usage in older inspec versions (#95 ) This profile throws an exception when using InSpec < 2.0.30 on non-virtualized systems because this fix (https://github.com/inspec/inspec/pull/2603) was not included in prior versions. This pull simply catches the exception where virtualization.* is called in pure Ruby.	2018-06-05 05:23:42 -07:00
Artem Sidorenko	0c2bb8da7d	Skip auditd and sysctl tests for containers See https://github.com/dev-sec/chef-os-hardening/pull/199 for reference Signed-off-by: Artem Sidorenko <artem@posteo.de>	2018-02-28 15:56:50 +01:00
Marcel	47f158d739	Fixes #89 false positive /etc/shadow on Fedora Signed-off-by: Marcel <marcel.huth111@gmail.com>	2017-12-27 21:05:44 +01:00
Patrick Münch	146285585f	Merge pull request #87 from dev-sec/chris-rock/fix-86 deferring the execution of permissions to profile execution	2017-11-23 23:02:02 +01:00
Artem Sidorenko	df64f6c92c	Merge pull request #84 from shoekstra/fix_fedora_controls Update Fedora controls	2017-11-20 12:29:44 +01:00
Stephen Hoekstra	46acd83cf0	Update Fedora controls	2017-11-20 09:31:07 +01:00
Christoph Hartmann	3d77a3a8d7	Fixes #86 by deferring the execution of permissions to profile execution instead of profile initialisation Signed-off-by: Christoph Hartmann <chris@lollyrock.com>	2017-11-19 11:48:07 +01:00
Tom Haynes	c68102a5a5	CIS 4.1.1.3	2017-11-13 16:27:42 +00:00
Stephen Hoekstra	1bfc31a885	Fix log dir group for Ubuntu 14.04+ (#83 )	2017-11-10 11:18:52 +01:00
Anton Markelov	a5fb285c48	Use more strict defaults for redhat	2017-11-07 17:58:32 +10:00

1 2

94 commits