Commit graph

60 commits

Author SHA1 Message Date
Dominik Richter
de8b8f15fb default profile checks SUID/SGID blacklist
Instead of going for the whitelist and expecting all other SUID/SGID bits to be removed, go for the blacklist in the default profile. This behavior is preferred, since we don't want to enable a search through all nodes on a system for any SUID/SGID bits by default. This search is desired and reasonable in all cases, but many new users will be turned away if we activate it by default. It causes issues with any regularly mounted network filesystems (which take very long) or very large (amount of entries on the filesystem) storage nodes.

We will add this point to the documentation, as it's the user's task to mount these components with a nosuid configuration.

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2014-07-23 15:59:08 +02:00
Dominik Richter
69546f61ff add all current requirements from default -> lockdown
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2014-07-23 15:50:17 +02:00
Dominik Richter
9436c28ca4 rename modules_disabled -> lockdown
I.e. create tests for a special hardening profile whose configuration is to lock down all settings. This will include scanning for all unkown SUID-bits as well as kernel configuration with module lockdown.

Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2014-07-23 15:46:04 +02:00
Dominik Richter
9f03078ee1 fixed puppet license-headers
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2014-07-23 15:20:08 +02:00
Dominik Richter
8ba4f64725 add missing license headers
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2014-07-23 00:10:30 +02:00
Dominik Richter
f2f8d295e4 Merge pull request #18 from atomic111/master
split sysctl_spec.rb, added suid whitliste and uid unique search
2014-07-22 17:44:05 +02:00
Patrick Meier
0138222d43 FIX linting
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-07-22 17:36:02 +02:00
Patrick Meier
5d91f454b0 added test to check unique UID's
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-07-22 16:54:02 +02:00
Patrick Meier
84dff35803 split sysctl parameter and added suid whitelist search
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-07-22 15:08:49 +02:00
Dominik Richter
e3bdd66605 Merge pull request #17 from atomic111/master
added additional test
2014-07-15 12:15:40 +02:00
Patrick Meier
2de4db352a FIX: reqular expression in PATH variable
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-07-10 12:25:50 +02:00
Patrick Meier
998370b205 FIX: Use %r for regular expressions matching
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-07-10 10:55:04 +02:00
Patrick Meier
8a6c0eb52d Fix: Syntax warrings
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-07-10 10:41:18 +02:00
Patrick Meier
ef40878dcf Fix: ENV_PATH in login.defs test not correct
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-07-10 10:35:46 +02:00
Patrick Meier
fb8e4a7d18 Fixed rubocop issues, Travis run failed
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-07-10 10:31:13 +02:00
Patrick Meier
0b7986100b added additional test (find rhosts-files, check /etc/shadow owner and rights, check PATH variable, check umask)
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-07-09 10:22:48 +02:00
Dominik Richter
ebe8e86604 Merge pull request #16 from ehaselwanter/travis-updates
add travis config, add default task to rakefile
2014-06-23 14:38:53 +02:00
Edmund Haselwanter
d9fe210802 add travis config, add default task to rakefile 2014-06-23 12:03:15 +02:00
Dominik Richter
62c5bd4247 Merge pull request #15 from ehaselwanter/rubocop
update rubocop, add common linter task, fix rubocop issues
2014-06-23 11:19:35 +02:00
Edmund Haselwanter
8e6f01f9f7 add missing encoding 2014-06-22 15:00:34 +02:00
Edmund Haselwanter
c980b4b70f update rubocop, add common linter task, fix rubocop issues 2014-06-22 12:57:10 +02:00
Patrick Meier
2bd0000199 Merge pull request #14 from TelekomLabs/exec-shield
fix exec-shield test
2014-06-17 09:23:19 +02:00
Christoph Hartmann
ecf1f8745f fix exec-shield test 2014-06-17 09:21:35 +02:00
Patrick Meier
3d6eee9aef Merge pull request #13 from TelekomLabs/lint
add lint rake task with robocop and fix issues
2014-06-17 08:26:22 +02:00
Christoph Hartmann
71cb61987e Merge pull request #12 from atomic111/master
added Telekom Security Requirement numbers to the corresponding kitchen test
2014-06-16 16:22:33 +02:00
Christoph Hartmann
ae8d37b81d add lint rake task with robocop and fix issues 2014-06-16 16:20:21 +02:00
Patrick Meier
746b796331 added more Telekom Security Requirementnumber
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-06-16 14:22:21 +02:00
Dominik Richter
ce048c7324 Merge pull request #11 from TelekomLabs/rubygem
add ruby gem source
2014-06-11 16:25:11 +02:00
Christoph Hartmann
ba1a9c1112 add ruby gem source 2014-06-11 12:29:17 +02:00
Patrick Meier
b50e510aaf added Telekom Security Reqs to the rp filter test
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-06-11 10:17:13 +02:00
Patrick Meier
923c33d1bb added Telekom Security Requirement numbers to the corresponding kitchen tests
Signed-off-by: Patrick Meier <patrick.meier111@googlemail.com>
2014-06-11 10:05:20 +02:00
Dominik Richter
d53a3dd602 Merge pull request #10 from ehaselwanter/master
add standalone usage feature
2014-06-05 11:33:13 +02:00
Edmund Haselwanter
1f155b2e17 add standalone usage feature 2014-06-05 11:22:05 +02:00
Dominik Richter
d3ac41bd0c Merge pull request #9 from ehaselwanter/master
serverspec has a contract on running commands remote. this fixes the local
2014-06-05 11:21:33 +02:00
Edmund Haselwanter
8d8d8b8389 fix trailing space 2014-06-05 10:42:43 +02:00
Edmund Haselwanter
9ae49f3b6b fix regexp to match nx at the beginning and at the end of the flags 2014-06-05 10:42:23 +02:00
Edmund Haselwanter
2e7dfc229a serverspec has a contract on running commands remote. this fixes the local execution and adds a conditional context depending on the presence of the nx flag 2014-06-05 10:15:06 +02:00
Dominik Richter
f944aaab35 Merge pull request #8 from ehaselwanter/master
add lockfiles and delete them from tree
2014-06-02 13:06:45 +02:00
Edmund Haselwanter
0e0fe703e2 add lockfiles and delete them from tree 2014-06-02 13:05:57 +02:00
Dominik Richter
7224b06758 Merge pull request #7 from ehaselwanter/master
rubocop fixes
2014-05-27 20:05:14 +02:00
Edmund Haselwanter
488a19cc97 streamline .rubocop config 2014-05-27 14:50:45 +02:00
Edmund Haselwanter
962e6ee41a remove newline 2014-05-27 09:40:34 +02:00
Edmund Haselwanter
017fe87ae9 parenthesis around regexp 2014-05-27 09:40:34 +02:00
Edmund Haselwanter
742a544754 fix intendation 2014-05-27 09:40:34 +02:00
Edmund Haselwanter
15a15678ee remove newline 2014-05-27 09:40:34 +02:00
Edmund Haselwanter
70097d1b0a add rubocop file 2014-05-27 09:40:34 +02:00
Dominik Richter
9891e32259 Merge pull request #6 from ehaselwanter/master
moved site.pp to the shared test, were it belongs
2014-05-26 14:04:29 +02:00
Edmund Haselwanter
0d95a084e8 moved site.pp to the shared test, were it belongs 2014-05-26 12:29:49 +02:00
Patrick Meier
c5ebd41577 Merge pull request #5 from TelekomLabs/bugfix/arp
bugfix: arp restrictions should apply to all, not just eth0
2014-05-23 12:46:40 +02:00
Dominik Richter
fa3ab37df2 bugfix: arp restrictions should apply to all, not just eth0
Signed-off-by: Dominik Richter <dominik.richter@gmail.com>
2014-05-23 12:47:14 +02:00