Dominik Richter
de8b8f15fb
default profile checks SUID/SGID blacklist
...
Instead of going for the whitelist and expecting all other SUID/SGID bits to be removed, go for the blacklist in the default profile. This behavior is preferred, since we don't want to enable a search through all nodes on a system for any SUID/SGID bits by default. This search is desired and reasonable in all cases, but many new users will be turned away if we activate it by default. It causes issues with any regularly mounted network filesystems (which take very long) or very large (amount of entries on the filesystem) storage nodes.
We will add this point to the documentation, as it's the user's task to mount these components with a nosuid configuration.
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2014-07-23 15:59:08 +02:00
Dominik Richter
69546f61ff
add all current requirements from default -> lockdown
...
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2014-07-23 15:50:17 +02:00
Dominik Richter
9436c28ca4
rename modules_disabled -> lockdown
...
I.e. create tests for a special hardening profile whose configuration is to lock down all settings. This will include scanning for all unkown SUID-bits as well as kernel configuration with module lockdown.
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2014-07-23 15:46:04 +02:00
Dominik Richter
9f03078ee1
fixed puppet license-headers
...
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2014-07-23 15:20:08 +02:00
Dominik Richter
8ba4f64725
add missing license headers
...
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2014-07-23 00:10:30 +02:00
Dominik Richter
f2f8d295e4
Merge pull request #18 from atomic111/master
...
split sysctl_spec.rb, added suid whitliste and uid unique search
2014-07-22 17:44:05 +02:00
Patrick Meier
0138222d43
FIX linting
...
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-07-22 17:36:02 +02:00
Patrick Meier
5d91f454b0
added test to check unique UID's
...
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-07-22 16:54:02 +02:00
Patrick Meier
84dff35803
split sysctl parameter and added suid whitelist search
...
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-07-22 15:08:49 +02:00
Dominik Richter
e3bdd66605
Merge pull request #17 from atomic111/master
...
added additional test
2014-07-15 12:15:40 +02:00
Patrick Meier
2de4db352a
FIX: reqular expression in PATH variable
...
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-07-10 12:25:50 +02:00
Patrick Meier
998370b205
FIX: Use %r for regular expressions matching
...
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-07-10 10:55:04 +02:00
Patrick Meier
8a6c0eb52d
Fix: Syntax warrings
...
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-07-10 10:41:18 +02:00
Patrick Meier
ef40878dcf
Fix: ENV_PATH in login.defs test not correct
...
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-07-10 10:35:46 +02:00
Patrick Meier
fb8e4a7d18
Fixed rubocop issues, Travis run failed
...
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-07-10 10:31:13 +02:00
Patrick Meier
0b7986100b
added additional test (find rhosts-files, check /etc/shadow owner and rights, check PATH variable, check umask)
...
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-07-09 10:22:48 +02:00
Dominik Richter
ebe8e86604
Merge pull request #16 from ehaselwanter/travis-updates
...
add travis config, add default task to rakefile
2014-06-23 14:38:53 +02:00
Edmund Haselwanter
d9fe210802
add travis config, add default task to rakefile
2014-06-23 12:03:15 +02:00
Dominik Richter
62c5bd4247
Merge pull request #15 from ehaselwanter/rubocop
...
update rubocop, add common linter task, fix rubocop issues
2014-06-23 11:19:35 +02:00
Edmund Haselwanter
8e6f01f9f7
add missing encoding
2014-06-22 15:00:34 +02:00
Edmund Haselwanter
c980b4b70f
update rubocop, add common linter task, fix rubocop issues
2014-06-22 12:57:10 +02:00
Patrick Meier
2bd0000199
Merge pull request #14 from TelekomLabs/exec-shield
...
fix exec-shield test
2014-06-17 09:23:19 +02:00
Christoph Hartmann
ecf1f8745f
fix exec-shield test
2014-06-17 09:21:35 +02:00
Patrick Meier
3d6eee9aef
Merge pull request #13 from TelekomLabs/lint
...
add lint rake task with robocop and fix issues
2014-06-17 08:26:22 +02:00
Christoph Hartmann
71cb61987e
Merge pull request #12 from atomic111/master
...
added Telekom Security Requirement numbers to the corresponding kitchen test
2014-06-16 16:22:33 +02:00
Christoph Hartmann
ae8d37b81d
add lint rake task with robocop and fix issues
2014-06-16 16:20:21 +02:00
Patrick Meier
746b796331
added more Telekom Security Requirementnumber
...
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-06-16 14:22:21 +02:00
Dominik Richter
ce048c7324
Merge pull request #11 from TelekomLabs/rubygem
...
add ruby gem source
2014-06-11 16:25:11 +02:00
Christoph Hartmann
ba1a9c1112
add ruby gem source
2014-06-11 12:29:17 +02:00
Patrick Meier
b50e510aaf
added Telekom Security Reqs to the rp filter test
...
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-06-11 10:17:13 +02:00
Patrick Meier
923c33d1bb
added Telekom Security Requirement numbers to the corresponding kitchen tests
...
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-06-11 10:05:20 +02:00
Dominik Richter
d53a3dd602
Merge pull request #10 from ehaselwanter/master
...
add standalone usage feature
2014-06-05 11:33:13 +02:00
Edmund Haselwanter
1f155b2e17
add standalone usage feature
2014-06-05 11:22:05 +02:00
Dominik Richter
d3ac41bd0c
Merge pull request #9 from ehaselwanter/master
...
serverspec has a contract on running commands remote. this fixes the local
2014-06-05 11:21:33 +02:00
Edmund Haselwanter
8d8d8b8389
fix trailing space
2014-06-05 10:42:43 +02:00
Edmund Haselwanter
9ae49f3b6b
fix regexp to match nx at the beginning and at the end of the flags
2014-06-05 10:42:23 +02:00
Edmund Haselwanter
2e7dfc229a
serverspec has a contract on running commands remote. this fixes the local execution and adds a conditional context depending on the presence of the nx flag
2014-06-05 10:15:06 +02:00
Dominik Richter
f944aaab35
Merge pull request #8 from ehaselwanter/master
...
add lockfiles and delete them from tree
2014-06-02 13:06:45 +02:00
Edmund Haselwanter
0e0fe703e2
add lockfiles and delete them from tree
2014-06-02 13:05:57 +02:00
Dominik Richter
7224b06758
Merge pull request #7 from ehaselwanter/master
...
rubocop fixes
2014-05-27 20:05:14 +02:00
Edmund Haselwanter
488a19cc97
streamline .rubocop config
2014-05-27 14:50:45 +02:00
Edmund Haselwanter
962e6ee41a
remove newline
2014-05-27 09:40:34 +02:00
Edmund Haselwanter
017fe87ae9
parenthesis around regexp
2014-05-27 09:40:34 +02:00
Edmund Haselwanter
742a544754
fix intendation
2014-05-27 09:40:34 +02:00
Edmund Haselwanter
15a15678ee
remove newline
2014-05-27 09:40:34 +02:00
Edmund Haselwanter
70097d1b0a
add rubocop file
2014-05-27 09:40:34 +02:00
Dominik Richter
9891e32259
Merge pull request #6 from ehaselwanter/master
...
moved site.pp to the shared test, were it belongs
2014-05-26 14:04:29 +02:00
Edmund Haselwanter
0d95a084e8
moved site.pp to the shared test, were it belongs
2014-05-26 12:29:49 +02:00
Patrick Meier
c5ebd41577
Merge pull request #5 from TelekomLabs/bugfix/arp
...
bugfix: arp restrictions should apply to all, not just eth0
2014-05-23 12:46:40 +02:00
Dominik Richter
fa3ab37df2
bugfix: arp restrictions should apply to all, not just eth0
...
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2014-05-23 12:47:14 +02:00