Mirrors/linux-baseline
2
0
Fork 0
mirror of https://github.com/dev-sec/linux-baseline synced 2024-11-23 03:33:02 +00:00
Code Issues Projects Releases Packages Wiki Activity
98 commits 17 branches 31 tags 478 KiB
Commit graph

34 commits

Author SHA1 Message Date
Dominik Richter
e829dfb662 bugfix: add missing: ipv6 accept_ra = 0 
This was uncovered by @igoraj at https://github.com/hardening-io/puppet-os-hardening/issues/56 .
 2015-05-28 02:03:12 +02:00
Dominik Richter
9da1d9fdfe updating common files 
updating files: ["lockdown/serverspec/spec_helper.rb", "default/serverspec/spec_helper.rb", ".rubocop.yml"]
 2014-10-27 18:41:56 +01:00
Dominik Richter
0fe462c08b updating common files 
updating files: ["lockdown/serverspec/spec_helper.rb", "default/serverspec/spec_helper.rb"]
 2014-10-20 10:14:47 +02:00
Dominik Richter
2e4f659523 update syntax for command.stdout check 
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
 2014-10-20 10:14:42 +02:00
Dominik Richter
db185e55a2 remove backend checks from each test (move to common) 
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
 2014-10-20 10:03:08 +02:00
Dominik Richter
84b56e4822 updating common files 
updating files: ["lockdown/serverspec/spec_helper.rb", "default/serverspec/spec_helper.rb"]
 2014-10-20 10:01:50 +02:00
Dominik Richter
f8ae22d115 updating common files 2014-10-16 02:14:10 +02:00
Patrick Meier
63d6ce6069 changed GIS to DTAG SEC 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-09-11 22:10:12 +02:00
Dominik Richter
de8b8f15fb default profile checks SUID/SGID blacklist 
Instead of going for the whitelist and expecting all other SUID/SGID bits to be removed, go for the blacklist in the default profile. This behavior is preferred, since we don't want to enable a search through all nodes on a system for any SUID/SGID bits by default. This search is desired and reasonable in all cases, but many new users will be turned away if we activate it by default. It causes issues with any regularly mounted network filesystems (which take very long) or very large (amount of entries on the filesystem) storage nodes.

We will add this point to the documentation, as it's the user's task to mount these components with a nosuid configuration.

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
 2014-07-23 15:59:08 +02:00
Dominik Richter
8ba4f64725 add missing license headers 
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
 2014-07-23 00:10:30 +02:00
Patrick Meier
0138222d43 FIX linting 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-07-22 17:36:02 +02:00
Patrick Meier
5d91f454b0 added test to check unique UID's 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-07-22 16:54:02 +02:00
Patrick Meier
84dff35803 split sysctl parameter and added suid whitelist search 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-07-22 15:08:49 +02:00
Patrick Meier
2de4db352a FIX: reqular expression in PATH variable 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-07-10 12:25:50 +02:00
Patrick Meier
998370b205 FIX: Use %r for regular expressions matching 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-07-10 10:55:04 +02:00
Patrick Meier
8a6c0eb52d Fix: Syntax warrings 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-07-10 10:41:18 +02:00
Patrick Meier
ef40878dcf Fix: ENV_PATH in login.defs test not correct 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-07-10 10:35:46 +02:00
Patrick Meier
fb8e4a7d18 Fixed rubocop issues, Travis run failed 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-07-10 10:31:13 +02:00
Patrick Meier
0b7986100b added additional test (find rhosts-files, check /etc/shadow owner and rights, check PATH variable, check umask) 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-07-09 10:22:48 +02:00
Edmund Haselwanter
c980b4b70f update rubocop, add common linter task, fix rubocop issues 2014-06-22 12:57:10 +02:00
Christoph Hartmann
ecf1f8745f fix exec-shield test 2014-06-17 09:21:35 +02:00
Patrick Meier
3d6eee9aef Merge pull request #13 from TelekomLabs/lint 
add lint rake task with robocop and fix issues
 2014-06-17 08:26:22 +02:00
Christoph Hartmann
ae8d37b81d add lint rake task with robocop and fix issues 2014-06-16 16:20:21 +02:00
Patrick Meier
746b796331 added more Telekom Security Requirementnumber 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-06-16 14:22:21 +02:00
Patrick Meier
b50e510aaf added Telekom Security Reqs to the rp filter test 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-06-11 10:17:13 +02:00
Patrick Meier
923c33d1bb added Telekom Security Requirement numbers to the corresponding kitchen tests 
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
 2014-06-11 10:05:20 +02:00
Edmund Haselwanter
1f155b2e17 add standalone usage feature 2014-06-05 11:22:05 +02:00
Edmund Haselwanter
8d8d8b8389 fix trailing space 2014-06-05 10:42:43 +02:00
Edmund Haselwanter
9ae49f3b6b fix regexp to match nx at the beginning and at the end of the flags 2014-06-05 10:42:23 +02:00
Edmund Haselwanter
2e7dfc229a serverspec has a contract on running commands remote. this fixes the local execution and adds a conditional context depending on the presence of the nx flag 2014-06-05 10:15:06 +02:00
Edmund Haselwanter
742a544754 fix intendation 2014-05-27 09:40:34 +02:00
Edmund Haselwanter
15a15678ee remove newline 2014-05-27 09:40:34 +02:00
Dominik Richter
fa3ab37df2 bugfix: arp restrictions should apply to all, not just eth0 
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
 2014-05-23 12:47:14 +02:00
Edmund Haselwanter
fd1b4bd7e0 only share the integration directory contents, see readme 2014-05-15 20:59:29 +02:00