Mirrors/linux-baseline
2
0
Fork 0
mirror of https://github.com/dev-sec/linux-baseline synced 2024-11-29 14:30:23 +00:00
Code Issues Projects Releases Packages Wiki Activity
342 commits 17 branches 31 tags 478 KiB
Commit graph

43 commits

Author SHA1 Message Date
Michée lengronne
e679f92128 missing inputs changed 
Leftover inputs changed.

Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com>
 2022-01-12 18:16:37 +01:00
Michée lengronne
b5284b923e
use input instead of attribute (#166) 
* use input instead of attribute

In the last versions of Inspec and cinc-auditor, attribute is deprecated and input should be used.

https://docs.chef.io/workstation/cookstyle/inspec_deprecations_attributehelper/
Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com>

* Update sysctl_spec.rb

Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com>

* Update inspec.yml

Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com>

* Update Rakefile

Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com>
 2022-01-12 17:17:16 +01:00
Claudius Heine
1840dbb624
feat: add rules to check noexec, nosuid and nodev mount options (#164) 
Setting the `noexec`, `nosuid` and `nodev` mount options for mount
points where those features are not required, limits possible attack
vectors.

Closes: #163

Signed-off-by: Claudius Heine <ch@denx.de>
 2021-11-23 12:04:53 +01:00
Sebastian Gumprich
559b16752f Add empty line after guard clause 
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
 2021-02-22 09:53:12 +01:00
Sebastian Gumprich
06acbe35b8 add cron permissions hardening 2021-02-22 09:47:05 +01:00
schurzi
4dddfaa89a
update code to conform to new linting rules (#145) 
* update code to conform to new linting rules

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>

* disable unneeded linting rule

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
 2021-01-29 11:27:31 +01:00
Danny
bc7d6483ab
Fix tiny typo (#143) 
rigths -> rights

Signed-off-by: Danny <1330413+danwit@users.noreply.github.com>
 2021-01-25 10:06:25 +01:00
Martin Schurz
beb89ca8f1 only check cpu vulnerabilities if not in container 
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
 2020-12-16 21:22:48 +01:00
imjoseangel
f0873c7613
Add both vuln and Vuln 
Signed-off-by: imjoseangel <josea.munoz@gmail.com>
 2020-11-05 09:33:37 +01:00
imjoseangel
b03f36e508
Easiest solution for vuln string 
Signed-off-by: imjoseangel <josea.munoz@gmail.com>
 2020-11-05 09:11:52 +01:00
imjoseangel
a936317204
feat(osbaseline): support validation for cpu vulnerabilities 
Detects if vulnerabilities directory exists. If so checks all the files inside if any.

Signed-off-by: imjoseangel <josea.munoz@gmail.com>
 2020-11-05 09:11:27 +01:00
imjoseangel
e20da94418 Removing exclamation as it is only for shadowi 
Signed-off-by: imjoseangel <josea.munoz@gmail.com>
 2020-06-30 14:14:55 +02:00
imjoseangel
748cfb26c8 Adds exclamation and asterisk as requested 
Signed-off-by: imjoseangel <josea.munoz@gmail.com>
 2020-06-29 23:13:21 +02:00
imjoseangel
3645c40723 Adds /etc/passwd format check 
Signed-off-by: imjoseangel <josea.munoz@gmail.com>
 2020-06-28 20:57:32 +02:00
JJ Asghar
99c2ddd408 Fixing some deprecation notices 
`default` is being replaced by `value`

Signed-off-by: JJ Asghar <awesome@ibm.com>
Signed-off-by: JJ Asghar <jjasghar@gmail.com>
 2019-07-16 18:09:13 -05:00
Christophe van de Kerchove
601d1a4361 Add compatibility for alpine based images (#111) 
Adding compatibility for alpine based images on shadow file

Signed-off-by: Christophe van de Kerchove <christophe.vkerchove@fxinnovation.com>
 2019-03-07 21:14:24 +01:00
IceBear2k
723838f365 Signed-off-by: IceBear2k <ib-github@myrl.net> 
Fix os-11 for Ubuntu 16.04 and newer
 2018-10-12 22:20:57 +02:00
Sebastian Gumprich
f4c39c8021 efi-check should run on remote host, not locally (#103) 2018-09-04 18:13:10 +02:00
Sebastian Gumprich
cc989d80a7 Do not disable vfat by default 
On UEFI-systems the boot-partition is FAT by default (see [here](https://wiki.archlinux.org/index.php/Unified_Extensible_Firmware_Interface/System_partition)).

If we disable vfat, these systems become unbootable. This has already bitten some users using ansible-os-hardening (https://github.com/dev-sec/ansible-os-hardening/issues/162, https://github.com/dev-sec/ansible-os-hardening/issues/145).

Therefore I propose we do not check for a disabled vfat filesystem, if efi is used on these systems
 2018-07-10 12:56:32 +02:00
Matt Kulka
2768ba0af5 fix virtualization usage in older inspec versions (#95) 
This profile throws an exception when using InSpec < 2.0.30 on non-virtualized systems because this fix (https://github.com/inspec/inspec/pull/2603) was not included in prior versions. This pull simply catches the exception where virtualization.* is called in pure Ruby.
 2018-06-05 05:23:42 -07:00
Artem Sidorenko
0c2bb8da7d Skip auditd and sysctl tests for containers 
See https://github.com/dev-sec/chef-os-hardening/pull/199 for reference

Signed-off-by: Artem Sidorenko <artem@posteo.de>
 2018-02-28 15:56:50 +01:00
Marcel
47f158d739 Fixes #89 false positive /etc/shadow on Fedora 
Signed-off-by: Marcel <marcel.huth111@gmail.com>
 2017-12-27 21:05:44 +01:00
Christoph Hartmann
3d77a3a8d7 Fixes #86 by deferring the execution of permissions to profile execution instead of profile initialisation 
Signed-off-by: Christoph Hartmann <chris@lollyrock.com>
 2017-11-19 11:48:07 +01:00
Stephen Hoekstra
1bfc31a885 Fix log dir group for Ubuntu 14.04+ (#83) 2017-11-10 11:18:52 +01:00
Anton Markelov
a5fb285c48 Use more strict defaults for redhat 2017-11-07 17:58:32 +10:00
Sebastian Gumprich
9c138b8c54 add logdir-check 2017-10-24 10:12:07 +02:00
Michael Geiger
c5dc86b78a Optimize file search routines 
- Remove redundant search for .rhosts files from os-01 (see os-09)
- Direct lookup of /etc/hosts.equiv instead of recursive search (os-01)
- Limit find to 3 sublevels in os-09

Signed-off-by: Michael Geiger <info@mgeiger.de>
 2017-07-13 20:23:20 +02:00
bitvijays
98bf7b9f49 CIS 1.1.1 Disable unused filesystems 
Removed extra line

Signed-off-by: bitvijays <bitvijays@gmail.com>
 2017-07-04 02:12:43 +05:30
Michael Geiger
c310414967 os-02: Fix for SUSE environments 
Signed-off-by: Michael Geiger <michael.geiger@telekom.de>
 2017-06-27 09:51:39 +02:00
Alex Pop
4f5fc943dd Use only_if to avoid upload warning 2017-05-30 11:37:27 +01:00
juju4
1ec817fe20 fix rubocop Conventions 2016-12-22 04:58:26 -05:00
juju4
ed00917131 fix rubocop Conventions 2016-12-22 04:55:31 -05:00
juju4
c27fc05aee fix rubocop Conventions 2016-12-22 04:50:09 -05:00
juju4
50abb79577 fix rubocop Conventions 2016-12-22 04:45:40 -05:00
juju4
1726723827 fix rubocop Conventions 2016-12-22 04:39:14 -05:00
juju4
f207161143 fix rubocop Conventions 2016-12-22 04:34:49 -05:00
juju4
e62cb3f0ef fix rubocop Conventions 2016-12-22 04:27:09 -05:00
juju4
4b029d7e99 fix rubocop Conventions 2016-12-22 04:23:07 -05:00
juju4
b2cd7ee312 fix rubocop Conventions 2016-12-22 04:17:32 -05:00
juju4
e297ff2b1e fix rubocop Warning and most Conventions 2016-12-22 04:09:07 -05:00
juju4
cdcc9f7721 use attributes, include PR feedback 2016-12-21 13:53:32 -05:00
juju4
790371c5fd differentiate redhat/debian test, add extra conditions like entropy or ENV dependent test 2016-09-18 16:38:55 -04:00
Christoph Hartmann
dd9706cb45 migrate to inspec profile 2016-04-29 13:02:05 +02:00
Renamed from lockdown/inspec/os_spec.rb (Browse further)