Commit graph

379 commits

Author SHA1 Message Date
schurzi
d06e065952
Use current source for CINC packages 2024-08-21 09:37:12 +02:00
dev-sec CI
0adb7a2c57 update inspec.yml and changelog 2023-11-19 15:51:11 +00:00
schurzi
1b2026ff42
Merge pull request #184 from dev-sec/inspec6
ensure compatibility with new inspec version
2023-11-19 16:50:04 +01:00
Martin Schurz
19825b5565 fix formating
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-19 16:49:11 +01:00
Martin Schurz
ba94b91d38 add all inputs
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-19 01:12:44 +01:00
Martin Schurz
d079b4a57f use only metadata
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-19 01:08:45 +01:00
Martin Schurz
b850f351b6 ensure compatibility with new inspec version
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-18 21:35:28 +01:00
Martin Schurz
11471d5507 ensure compatibility with new inspec version
Signed-off-by: Martin Schurz <Martin.Schurz@telekom.de>
2023-11-18 21:27:23 +01:00
dev-sec CI
fe9081f632 update inspec.yml and changelog 2023-05-02 12:53:14 +00:00
schurzi
9d57fead33
Merge pull request #183 from dev-sec/codespell
add spellchecking with codespell
2023-05-02 14:51:35 +02:00
Martin Schurz
6cfbd386f0 fix spelling errors
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-30 19:11:41 +02:00
Martin Schurz
fe8a9eff9f add codespell action
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-04-30 19:01:33 +02:00
dev-sec CI
ce0e4c6a31 update inspec.yml and changelog 2023-03-31 08:43:53 +00:00
schurzi
7b4d99ac85
Merge pull request #182 from dev-sec/renovate/configure
Configure Renovate
2023-03-31 10:42:08 +02:00
Martin Schurz
23c1c028a3 configure renovate
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2023-03-31 10:41:46 +02:00
renovate[bot]
641ad36898
Add renovate.json 2023-03-29 21:44:26 +00:00
dev-sec CI
d962a5de64 update inspec.yml and changelog 2022-12-12 08:42:57 +00:00
schurzi
823e2b9dce
Merge pull request #180 from dev-sec/fix_sysctl_ipv6
fix wrong sysctl
2022-12-12 09:41:06 +01:00
Sebastian Gumprich
7a6e7162fe fix wrong sysctl
Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-12-12 09:13:26 +01:00
dev-sec CI
fcd64d719c update inspec.yml and changelog 2022-11-30 15:18:51 +00:00
schurzi
7075e76ed9
Merge pull request #179 from dev-sec/extend_sysctls
extend sysctls for ipv6
2022-11-30 16:17:04 +01:00
Sebastian Gumprich
c15739b961 extend sysctls for ipv6
see https://docs.vmware.com/en/vRealize-Operations/8.6/com.vmware.vcom.core.doc/GUID-16BDA67D-914A-484C-97CA-8624F4881605.html and https://docs.vmware.com/en/vRealize-Operations/8.6/com.vmware.vcom.core.doc/GUID-37B91C4A-5E1E-4F8E-BC59-B3552BA7CDFA.html

also see https://github.com/dev-sec/ansible-collection-hardening/pull/607/

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-11-30 15:21:55 +01:00
dev-sec CI
666e709253 update inspec.yml and changelog 2022-10-28 05:18:33 +00:00
Sebastian Gumprich
ecf5ab6563
Merge pull request #178 from dev-sec/central_workflow
use centralised issue templates and workflows
2022-10-28 07:16:53 +02:00
Martin Schurz
4b7d398376 use centralised issue templates and workflows
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-10-26 20:18:18 +02:00
dev-sec CI
faa71996fb update inspec.yml and changelog 2022-09-29 07:24:47 +00:00
Sebastian Gumprich
48f72d8c10
Update release.yml 2022-09-29 09:23:02 +02:00
Sebastian Gumprich
7d75f2a0c1
Update release.yml 2022-09-29 09:21:18 +02:00
schurzi
7ce5a1d218
Merge pull request #177 from dev-sec/rndmh3ro-patch-1
remove entropy-test
2022-09-24 15:46:05 +02:00
Sebastian Gumprich
a04baec3b3 remove entropy-test
see https://github.com/dev-sec/linux-baseline/issues/176

Signed-off-by: Sebastian Gumprich <sebastian.gumprich@t-systems.com>
2022-09-23 13:10:32 +02:00
schurzi
436bf2f4ae
Merge pull request #175 from dev-sec/ubuntu22
only disable SquashFS if it's not needed
2022-08-06 15:55:57 +02:00
Martin Schurz
92cedeb529 only disable SquashFS if it's not needed
Ubuntu Snaps need SquashFS so we cannot disable it easily. Instead we
check for running Snap Service.

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-08-06 15:08:28 +02:00
schurzi
81ce2ab60c
Merge pull request #172 from dev-sec/protected_fifos
fix handling of sysctl fs.protected_fifos and fs.protected_regular
2022-07-11 12:17:52 +02:00
Martin Schurz
5247b07871 fix handling of sysctl fs.protected_fifos and fs.protected_regular
our solution with cmp for fs.protected_fifos did not work. Checking for
all possible values combined with an `or` seems more reasonable here.

Also both sysctl parameters are not available in RHEL7. The chosen
solution seems to be the least complex, that also works on all systems.

Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-07-11 12:05:53 +02:00
dev-sec CI
34b215b87c update inspec.yml and changelog 2022-03-18 19:46:30 +00:00
schurzi
07929ea2d1
Merge pull request #169 from dev-sec/newlint
Change linting to Cookstyle
2022-03-18 20:44:54 +01:00
Martin Schurz
e646854c33 apply cookstyle fixes
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-03-18 20:41:09 +01:00
Martin Schurz
b06edb2adc use cookstyle for linting
Signed-off-by: Martin Schurz <Martin.Schurz@t-systems.com>
2022-03-18 20:39:51 +01:00
dev-sec CI
f0084b869f update inspec.yml and changelog 2022-02-14 10:02:12 +00:00
Michée lengronne
f1bff02e51
Merge pull request #168 from magmax/master
Improve SUID find
2022-02-14 11:00:03 +01:00
Miguel Angel Garcia
10657ca958 Improve SUID find
Signed-off-by: Miguel Angel Garcia <miguelangel.garcia@gmail.com>
2022-02-12 17:38:33 +01:00
dev-sec CI
99a7016135 update inspec.yml and changelog 2022-01-12 17:22:46 +00:00
Michée lengronne
8e3a25a606
Merge pull request #167 from dev-sec/micheelengronne-patch-1
missing inputs changed
2022-01-12 18:20:45 +01:00
Michée lengronne
e679f92128 missing inputs changed
Leftover inputs changed.

Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com>
2022-01-12 18:16:37 +01:00
dev-sec CI
4b079b3489 update inspec.yml and changelog 2022-01-12 16:19:03 +00:00
Michée lengronne
b5284b923e
use input instead of attribute (#166)
* use input instead of attribute

In the last versions of Inspec and cinc-auditor, attribute is deprecated and input should be used.

https://docs.chef.io/workstation/cookstyle/inspec_deprecations_attributehelper/
Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com>

* Update sysctl_spec.rb

Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com>

* Update inspec.yml

Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com>

* Update Rakefile

Signed-off-by: Michée Lengronne <michee.lengronne@coppint.com>
2022-01-12 17:17:16 +01:00
dev-sec CI
fd9581afec update inspec.yml and changelog 2021-11-23 11:07:35 +00:00
Claudius Heine
1840dbb624
feat: add rules to check noexec, nosuid and nodev mount options (#164)
Setting the `noexec`, `nosuid` and `nodev` mount options for mount
points where those features are not required, limits possible attack
vectors.

Closes: #163

Signed-off-by: Claudius Heine <ch@denx.de>
2021-11-23 12:04:53 +01:00
dev-sec CI
e503f97a9d update inspec.yml and changelog 2021-10-19 13:13:33 +00:00
Claudius Heine
00d24baa66
added sysctl-34 for checking link protection settings (#160)
Common and long-standing exploits regard unprotected links, fifos and
regular files, which are created or controlled by an attacker to gain
access to other files or control over other programs.

Signed-off-by: Claudius Heine <ch@denx.de>
2021-10-19 15:11:46 +02:00