├── Anchore-Engine
│   ├── README.md
│   ├── config
│   │   └── config.yaml
│   └── docker-compose.yaml
├── Archerysec-ZeD
│   ├── README.md
│   ├── archery_script.py
│   ├── docker-compose.yml
│   └── zapscan.sh
├── Inspec
│   ├── README.md
│   └── hardening-test
│       ├── README.md
│       ├── controls
│       │   ├── example.rb
│       │   └── hardening.rb
│       ├── inspec.lock
│       ├── inspec.yml
│       └── vendor
│           ├── 1e596626f2305160dffad6f3c3a2c03b853a03f0b773d6d8ae957b6046b64146
│           │   └── linux-baseline-master
│           │       ├── CHANGELOG.md
│           │       ├── Gemfile
│           │       ├── LICENSE
│           │       ├── README.md
│           │       ├── Rakefile
│           │       ├── controls
│           │       │   ├── os_spec.rb
│           │       │   ├── package_spec.rb
│           │       │   └── sysctl_spec.rb
│           │       ├── inspec.yml
│           │       └── libraries
│           │           ├── suid_blacklist.rb
│           │           └── suid_check.rb
│           └── cb0da29499dc5d27497ce906abfd3111970710fd0021ed0a013eb7cb2cc22c5b
│               └── ssh-baseline-master
│                   ├── CHANGELOG.md
│                   ├── Gemfile
│                   ├── LICENSE
│                   ├── README.md
│                   ├── Rakefile
│                   ├── controls
│                   │   ├── ssh_spec.rb
│                   │   └── sshd_spec.rb
│                   ├── inspec.yml
│                   └── libraries
│                       └── ssh_crypto.rb
├── Jenkinsfile
├── README.md
├── Snyk
│   └── README.md
├── Sonarqube
│   ├── README.md
│   └── sonar.yml
└── Trufflehog
    └── README.md

/Anchore-Engine/README.md: --------------------------------------------------------------------------------
1 | # Anchore Engine
2 | 
3 | Anchore Engine is an open source project that provides a centralized service for performing detailed analysis on container images, running queries, producing reports and defining policies that can be used in CI/CD pipelines. This guide sets up an Anchore Engine container so that it can be integrated with Jenkins through the Anchore Engine plugin.
4 | 
5 | # Pre-requisite
6 | 
7 | - Must have docker and docker-compose installed on the host.
8 | 
9 | # Getting Started
10 | 
11 | - Clone this repository and move to the Anchore-Engine directory.
12 | ```
13 | git clone https://github.com/Devops-Accelerators/DevSecOps.git && cd DevSecOps/Anchore-Engine
14 | ```
15 | - Create a directory to persist data.
16 | ```
17 | mkdir -p db
18 | ```
19 | - ***Change the passwords before starting the stack.*** The shipped config.yaml sets both `default_admin_password` and `credentials.users.admin.password` to `foobar`, and `database.db_connect` carries the Postgres password that docker-compose.yaml sets through `POSTGRES_PASSWORD`. Change all of them, and keep the two Postgres values identical or the engine cannot reach its database.
20 | ```
21 | credentials:
22 |   users:
23 |     admin:
24 |       password: 'your_password_here'
25 |       email: 'admin@myemail.com'
26 |       external_service_auths:
27 |       #  anchoreio:
28 |       #    anchorecli:
29 |       #      auth: 'myanchoreiouser:myanchoreiopass'
30 |       #auto_policy_sync: True
31 | ```
32 | 
33 | - Finally, start the containers.
34 | ```
35 | docker-compose up -d
36 | ```
37 | - Follow the link below to see how Anchore Engine can be integrated with Jenkins. docker-compose.yaml publishes port 8228 (the API the Jenkins plugin talks to) and port 8338 (the Kubernetes admission webhook, which config.yaml runs with `require_auth: False`) on the host, so restrict access to both.
38 | [Integrate Anchore engine with Jenkins](https://wiki.jenkins.io/display/JENKINS/Anchore+Container+Image+Scanner+Plugin)
39 | 
40 | --------------------------------------------------------------------------------
/Anchore-Engine/config/config.yaml: --------------------------------------------------------------------------------
1 | # Anchore Service Configuration File
2 | #
3 | 
4 | # General system-wide configuration options, these should not need to
5 | # be altered for basic operation
6 | #
7 | service_dir: '/home/anchore/.anchore_engine'
8 | # tmp_dir: '/tmp'
9 | # log_level: 'DEBUG'
10 | log_level: 'INFO'
11 | cleanup_images: True
12 | # allow_awsecr_iam_auto: False
13 | # docker_conn: 'unix://var/run/docker.sock'
14 | # docker_conn_timeout: 600
15 | host_id: '${ANCHORE_HOST_ID}'
16 | internal_ssl_verify: False
17 | auto_restart_services: True
18 | #catalog_endpoint: 'http://${ANCHORE_ENDPOINT_HOSTNAME}:8082/v1'
19 | #
20 | 
21 | # Uncomment if you would like to enable prometheus metrics routes in
22 | # anchore-engine (enables metric gathering and /metrics route for all
23 | # services)
24 | #
25 | #metrics:
26 | #  enabled: True
27 | #
28 | 
29 | # Uncomment if you have a local endpoint that can accept
30 | # notifications from the anchore-engine, as configured below
31 | #
32 | #webhooks:
33 | #  webhook_user: 'user'
34 | #  webhook_pass: 'pass'
35 | #  ssl_verify: False
36 | #  general:
37 | #    url:
'http://localhost:9090/general//' 38 | # policy_eval: 39 | # url: 'http://localhost:9090/policy_eval/' 40 | # webhook_user: 'mehuser' 41 | # webhook_pass: 'mehpass' 42 | # event_log: 43 | # # Uncomment the event_log section in addition to configuring this webhook to receive event log notifications 44 | # url: 'http://localhost:9090/event_log/' 45 | 46 | # A feeds section is available for override, but shouldn't be 47 | # needed. By default, the 'admin' credentials are used if present, 48 | # otherwise anonymous access for feed sync is used 49 | 50 | feeds: 51 | # If set to False, instruct anchore-engine to skip (all) feed sync operations 52 | sync_enabled: True 53 | ssl_verify: True 54 | selective_sync: 55 | # If enabled only sync specific feeds instead of all. 56 | enabled: True 57 | feeds: 58 | vulnerabilities: True 59 | # Warning: enabling the packages and nvd sync causes the service to require much 60 | # more memory to do process the significant data volume. We recommend at least 4GB available for the container 61 | packages: False 62 | nvd: False 63 | # Enabling snyk syncs snyk vulnerability data from an on-premise anchore enterprise feeds service. 
Please contact 64 | # anchore support for finding out more about this service 65 | snyk: False 66 | anonymous_user_username: anon@ancho.re 67 | anonymous_user_password: pbiU2RYZ2XrmYQ 68 | url: 'https://ancho.re/v1/service/feeds' 69 | client_url: 'https://ancho.re/v1/account/users' 70 | token_url: 'https://ancho.re/oauth/token' 71 | connection_timeout_seconds: 3 72 | read_timeout_seconds: 60 73 | 74 | 75 | # As of 0.3.0dev0 this section is used instead of the credentials.users section 76 | # Can be omitted and will default to 'foobar' on db initialization 77 | default_admin_password: 'foobar' 78 | 79 | # Can be ommitted and will default to 'admin@myanchore' 80 | default_admin_email: 'admin@myanchore' 81 | 82 | credentials: 83 | users: 84 | admin: 85 | password: 'foobar' 86 | email: 'admin@myemail.com' 87 | external_service_auths: 88 | # anchoreio: 89 | # anchorecli: 90 | # auth: 'myanchoreiouser:myanchoreiopass' 91 | #auto_policy_sync: True 92 | 93 | database: 94 | db_connect: 'postgresql+pg8000://postgres:mysecretpassword@anchore-db:5432/postgres' 95 | db_connect_args: 96 | timeout: 120 97 | ssl: False 98 | db_pool_size: 30 99 | db_pool_max_overflow: 100 100 | services: 101 | apiext: 102 | enabled: True 103 | require_auth: True 104 | endpoint_hostname: '${ANCHORE_ENDPOINT_HOSTNAME}' 105 | listen: '0.0.0.0' 106 | port: 8228 107 | authorization_handler: native 108 | kubernetes_webhook: 109 | enabled: True 110 | require_auth: False 111 | endpoint_hostname: '${ANCHORE_ENDPOINT_HOSTNAME}' 112 | listen: '0.0.0.0' 113 | port: 8338 114 | catalog: 115 | enabled: True 116 | require_auth: True 117 | endpoint_hostname: '${ANCHORE_ENDPOINT_HOSTNAME}' 118 | listen: '0.0.0.0' 119 | port: 8082 120 | # NOTE: use the below external_* parameters to define the port/tls 121 | # setting that will allow other internal services to access this 122 | # service - if left unset services will use the above, 123 | # e.g. 
http://: 124 | # external_port: 8082 125 | # external_tls: False 126 | archive: 127 | compression: 128 | enabled: False 129 | min_size_kbytes: 100 130 | storage_driver: 131 | name: db 132 | config: {} 133 | cycle_timer_seconds: '1' 134 | cycle_timers: 135 | image_watcher: 3600 136 | policy_eval: 3600 137 | vulnerability_scan: 14400 138 | analyzer_queue: 5 139 | notifications: 30 140 | service_watcher: 15 141 | policy_bundle_sync: 300 142 | repo_watcher: 60 143 | # Uncomment if you would like to receive notifications for events triggered by asynchronous operations in the system. 144 | # In addition, uncomment the webhooks section and supply the configuration for either a 'general' or an 'event_log' webhook 145 | # event_log: 146 | # notification: 147 | # enabled: True 148 | # # (optional) notify events that match these levels. If this section is commented, notifications for all events are sent 149 | # level: 150 | # - error 151 | simplequeue: 152 | enabled: True 153 | require_auth: True 154 | endpoint_hostname: '${ANCHORE_ENDPOINT_HOSTNAME}' 155 | listen: '0.0.0.0' 156 | port: 8083 157 | # external_port: 8083 158 | # external_tls: False 159 | analyzer: 160 | enabled: True 161 | require_auth: True 162 | cycle_timer_seconds: 1 163 | cycle_timers: 164 | image_analyzer: 5 165 | max_threads: 1 166 | analyzer_driver: 'nodocker' 167 | endpoint_hostname: '${ANCHORE_ENDPOINT_HOSTNAME}' 168 | listen: '0.0.0.0' 169 | port: 8084 170 | # external_port: 8084 171 | # external_tls: False 172 | policy_engine: 173 | enabled: True 174 | require_auth: True 175 | endpoint_hostname: '${ANCHORE_ENDPOINT_HOSTNAME}' 176 | listen: '0.0.0.0' 177 | port: 8087 178 | # external_port: 8087 179 | # external_tls: False 180 | cycle_timer_seconds: 1 181 | cycle_timers: 182 | feed_sync: 21600 # 6 hours between feed syncs 183 | feed_sync_checker: 3600 # 1 hour between checks to see if there needs to be a task queued 184 | -------------------------------------------------------------------------------- 
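The README asks you to change the password; the config.yaml above ships `default_admin_password: 'foobar'`, the same value under `credentials.users.admin.password`, and a `db_connect` URL whose password must equal `POSTGRES_PASSWORD` in the docker-compose.yaml that follows. The pre-flight check below is an added example (Python, not part of the Devops-Accelerators repository or of Anchore) that you can run before `docker-compose up`: it flags the shipped credentials, the DB password mismatch that stops the engine from starting, and the case where the unauthenticated `kubernetes_webhook` service is published on host port 8338. The two YAML documents inside it are constructed excerpts of the values shown on this page, and the check uses line-oriented regular expressions rather than a YAML parser so it has no dependencies.

```python
#!/usr/bin/env python3
"""Pre-flight check for Anchore Engine's config.yaml / docker-compose.yaml pair.

Added example; not part of the Devops-Accelerators repository or of Anchore.
It flags the credentials the page ships with and the one mismatch that stops
the engine from starting (db_connect password != POSTGRES_PASSWORD). Only the
standard library is used, so it runs on a bare Jenkins agent.
"""
import re
import sys

# Values the page ships with; any of them surviving into a deployment is a finding
SHIPPED_ADMIN_PASSWORD = "foobar"
SHIPPED_DB_PASSWORD = "mysecretpassword"

# Constructed excerpts mirroring the files on this page (not the full files)
CONFIG_YAML = """\
default_admin_password: 'foobar'
default_admin_email: 'admin@myanchore'
credentials:
  users:
    admin:
      password: 'foobar'
      email: 'admin@myemail.com'
database:
  db_connect: 'postgresql+pg8000://postgres:mysecretpassword@anchore-db:5432/postgres'
services:
  apiext:
    enabled: True
    require_auth: True
    port: 8228
  kubernetes_webhook:
    enabled: True
    require_auth: False
    port: 8338
"""

COMPOSE_YAML = """\
services:
  anchore-engine:
    ports:
      - "8228:8228"
      - "8338:8338"
  anchore-db:
    image: "postgres:9"
    environment:
      - POSTGRES_PASSWORD=mysecretpassword
"""


def yaml_scalar(text, key):
    """Value of the first `key: value` line (quotes stripped), or None."""
    pattern = r"^\s*%s:\s*['\"]?([^'\"\n]*?)['\"]?\s*$" % re.escape(key)
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def compose_env(text, var):
    """VAR's value from a compose `environment:` list entry `- VAR=value`, or None."""
    m = re.search(r"^\s*-\s*%s=(.*?)\s*$" % re.escape(var), text, re.M)
    return m.group(1) if m else None


def db_connect_password(text):
    """Password component of database.db_connect (scheme://user:password@host)."""
    url = yaml_scalar(text, "db_connect") or ""
    m = re.match(r"[A-Za-z0-9+.-]+://[^:/@]+:([^@]+)@", url)
    return m.group(1) if m else None


def admin_user_password(text):
    """credentials.users.admin.password: the `password:` line right after `admin:`."""
    m = re.search(r"^\s*admin:\s*\n\s*password:\s*['\"]?([^'\"\n]*?)['\"]?\s*$", text, re.M)
    return m.group(1) if m else None


def webhook_unauthenticated(config_text):
    """True when services.kubernetes_webhook has require_auth: False."""
    start = config_text.find("kubernetes_webhook:")
    if start < 0:
        return False
    m = re.search(r"require_auth:\s*(\w+)", config_text[start:])
    return bool(m and m.group(1).lower() == "false")


def port_published(compose_text, port):
    """True when the compose file maps host port `port` (e.g. "8338:8338")."""
    return re.search(r'^\s*-\s*"?%d:\d+"?\s*$' % port, compose_text, re.M) is not None


def findings(config_text, compose_text):
    """Human-readable problems; an empty list means the pair is safe to bring up."""
    problems = []
    if yaml_scalar(config_text, "default_admin_password") == SHIPPED_ADMIN_PASSWORD:
        problems.append("default_admin_password is still the shipped 'foobar'")
    if admin_user_password(config_text) == SHIPPED_ADMIN_PASSWORD:
        problems.append("credentials.users.admin.password is still the shipped 'foobar'")
    pg_password = compose_env(compose_text, "POSTGRES_PASSWORD")
    if pg_password == SHIPPED_DB_PASSWORD:
        problems.append("anchore-db POSTGRES_PASSWORD is still the shipped default")
    if db_connect_password(config_text) != pg_password:
        problems.append("database.db_connect password differs from POSTGRES_PASSWORD; the engine cannot reach its DB")
    if webhook_unauthenticated(config_text) and port_published(compose_text, 8338):
        problems.append("kubernetes_webhook (require_auth: False) is published on host port 8338; firewall it or disable the service")
    return problems


if __name__ == "__main__":
    if len(sys.argv) == 3:  # paths to the real config.yaml and docker-compose.yaml
        with open(sys.argv[1]) as f:
            config_text = f.read()
        with open(sys.argv[2]) as f:
            compose_text = f.read()
    else:  # no arguments: check the constructed excerpts above
        config_text, compose_text = CONFIG_YAML, COMPOSE_YAML
    problems = findings(config_text, compose_text)
    for p in problems:
        print("FINDING:", p)
    print("OK" if not problems else "%d finding(s); fix before docker-compose up" % len(problems))
    sys.exit(1 if problems else 0)
```

Run it with no arguments to see the four findings the shipped pair produces, or as `python3 anchore_preflight.py config/config.yaml docker-compose.yaml` against the real files; a non-zero exit makes it usable as a Jenkins step before the stack is started.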
/Anchore-Engine/docker-compose.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # IMPORTANT NOTE - for anchore-engine 0.4.0 and latest, we have moved 3 | # to a new docker-compose method and approach for deploying 4 | # anchore-engine with docker-compose, which more accurately reflects 5 | # production deployment setups. 6 | # 7 | # Please refer to the latest documentation for running anchore-engine 8 | # with docker-compose: 9 | # 10 | # https://docs.anchore.com/2.0/docs/engine/engine_installation/docker_compose/ 11 | # 12 | # The following docker-compose.yaml has been altered to reference the 13 | # latest 0.3 series release of anchore-engine for continuity, but 14 | # note that both this and the associated config.yaml in this 15 | # directory will be removed in the future. 16 | # 17 | 18 | version: '2' 19 | services: 20 | anchore-engine: 21 | image: docker.io/anchore/anchore-engine:v0.3.4 22 | #privileged: true 23 | depends_on: 24 | - anchore-db 25 | ports: 26 | - "8228:8228" 27 | - "8338:8338" 28 | volumes: 29 | - ./config:/config/:z 30 | logging: 31 | driver: "json-file" 32 | options: 33 | max-size: 100m 34 | environment: 35 | # NOTE: this should be set to the same name as this service (e.g. 
anchore-engine) 36 | - ANCHORE_HOST_ID=dockerhostid-anchore-engine 37 | - ANCHORE_ENDPOINT_HOSTNAME=anchore-engine 38 | anchore-db: 39 | image: "postgres:9" 40 | volumes: 41 | - ./db:/var/lib/postgresql/data/pgdata/:z 42 | environment: 43 | - POSTGRES_PASSWORD=mysecretpassword 44 | - PGDATA=/var/lib/postgresql/data/pgdata/ 45 | logging: 46 | driver: "json-file" 47 | options: 48 | max-size: 100m 49 | #uncomment to expose a port to allow direct/external access to the DB, for debugging 50 | #ports: 51 | # - "2345:5432" 52 | #### uncomment this section to enable a prometheus service running alongside anchore-engine for metrics gathering/display 53 | # anchore-prometheus: 54 | # image: docker.io/prom/prometheus:latest 55 | # depends_on: 56 | # - anchore-engine 57 | # volumes: 58 | # - ./anchore-prometheus.yaml:/etc/prometheus/prometheus.yml:z 59 | # logging: 60 | # driver: "json-file" 61 | # options: 62 | # max-size: 100m 63 | # ports: 64 | # - "9090:9090" 65 | -------------------------------------------------------------------------------- /Archerysec-ZeD/README.md: -------------------------------------------------------------------------------- 1 | # ArcherySec-Zed 2 | This guide helps you set up archerysec, a tool that helps developers and pentesters to perform scans and manage vulnerabilities, and run a OWASP-**Z**ed **A**ttack **P**roxy (**ZAP**) scan to detect security vulnerabilities in your application. ZAP is run on the target url where our application is running and Archerysec will import the scanned results from ZAP and display the detected vulnerabilities in our application. 3 | 4 | # Pre-requisites 5 | - Must have docker and docker-compose installed. 6 | 7 | # Getting Started 8 | - Run the docker-compose file to set up the environment on your system. 
9 | ```
10 | git clone https://github.com/Devops-Accelerators/DevSecOps-Template.git && cd DevSecOps-Template/Archerysec-ZeD
11 | 
12 | docker-compose up -d
13 | ```
14 | - Once the containers are up and running, check that they are reachable at the URLs below:
15 | ```
16 | ArcherySec: http://your_system_ip_address:8000
17 | OWASP ZAP: http://your_system_ip_address:8090
18 | ```
19 | - Open the ArcherySec portal, go to the settings page and edit the ZAP settings by providing the ZAP API host and ZAP API port. Note that the compose file starts ZAP with `api.disablekey=true` and the API bound to 0.0.0.0:8090, runs ArcherySec with `DJANGO_DEBUG=1` and the development settings, and falls back to a placeholder `DJANGO_SECRET_KEY` unless you export one; keep these hosts on a trusted network and change the `admin`/`admin` ArcherySec credentials that `zapscan.sh` uses.
20 | 
21 | - Next, install the archerysec-cli tool on the Jenkins server.
22 | ```
23 | pip install archerysec-cli
24 | # or
25 | git clone https://github.com/archerysec/archerysec-cli.git
26 | cd archerysec-cli
27 | pip install -r requirements.txt
28 | 
29 | # Install jq tool
30 | sudo apt-get install jq
31 | ```
32 | - Now run the scripts archery_script.py and zapscan.sh from the Jenkins pipeline; zapscan.sh expects archery_script.py at `/var/lib/jenkins/archery/archery_script.py` on the Jenkins server. Replace the ARCHERY_HOST value with your system IP and the TARGET_URL value with the application URL. The `|| true` below keeps the stage green even when the scan gate fails; remove it once the scan is meant to block the build.
33 | ```
34 | node {
35 |     stage('DAST') {
36 |         sh """
37 |         echo ${targetURL}
38 |         export ARCHERY_HOST=http://your_system_ip_address:8000
39 |         export TARGET_URL='http://${targetURL}/app'
40 |         bash `pwd`/zapscan.sh || true
41 |         """
42 |     }
43 | }
44 | ```
45 | 
46 | --------------------------------------------------------------------------------
/Archerysec-ZeD/archery_script.py: --------------------------------------------------------------------------------
1 | #!/usr/bin/env python3
2 | """Poll an ArcherySec ZAP scan until it completes, then gate on the result.
3 | 
4 | Prints SUCCESS or FAILURE as the last line and exits non-zero on FAILURE so the
5 | calling script (zapscan.sh) can fail the Jenkins build.
6 | """
7 | import json
8 | import sys
9 | import time
10 | from optparse import OptionGroup, OptionParser
11 | 
12 | from pyArchery import api
13 | 
14 | parser = OptionParser()
15 | group = OptionGroup(parser, "Archery Scan status", "Poll a scan and gate on its issue counts")
16 | group.add_option("--scanner", help="Scanner name, e.g. zap_scan", action="store")
17 | group.add_option("--scan_id", help="ArcherySec scan id", action="store")
18 | group.add_option("--username", help="ArcherySec username", action="store")
19 | group.add_option("--password", help="ArcherySec password", action="store")
20 | group.add_option("--host", help="ArcherySec host, e.g. http://127.0.0.1:8000", action="store")
21 | group.add_option("-r", "--high", help="Fail when at least this many high issues are found", action="store")
22 | group.add_option("-m", "--medium", help="Fail when at least this many medium issues are found", action="store")
23 | parser.add_option_group(group)
24 | (args, _) = parser.parse_args()
25 | 
26 | POLL_SECONDS = 30      # delay between status polls
27 | MAX_API_ERRORS = 5     # consecutive failed status calls before giving up
28 | 
29 | 
30 | def archery_host():
31 |     # Set up the ArcherySec API connection
32 |     return api.ArcheryAPI(args.host)
33 | 
34 | 
35 | def archery_auth():
36 |     # Authenticate and return the API token (the response is a one-key dict)
37 |     authenticate = archery_host().archery_auth(args.username, args.password)
38 |     token = authenticate.data
39 |     for value in token.values():
40 |         token = value
41 |     return token
42 | 
43 | 
44 | def zap_scan_records(archery):
45 |     # Fetch the status records for this scan; raises if the API call fails
46 |     result = archery.zap_scan_status(auth=archery_auth(), scan_id=args.scan_id)
47 |     return json.loads(result.data_json())
48 | 
49 | 
50 | def wait_for_scan(archery):
51 |     # Block until vul_status reaches 100 (scan finished) and return the final record.
52 |     # An API error is retried; the old script treated it as "scan complete", which
53 |     # let a scan that never ran pass the gate.
54 |     errors = 0
55 |     while True:
56 |         try:
57 |             records = zap_scan_records(archery)
58 |             status = int(records[-1]['vul_status'])
59 |             errors = 0
60 |         except Exception as exc:  # network error, bad JSON, missing key
61 |             errors += 1
62 |             print("Could not read scan status (%d/%d): %s" % (errors, MAX_API_ERRORS, exc))
63 |             if errors >= MAX_API_ERRORS:
64 |                 print("FAILURE")
65 |                 sys.exit(2)
66 |             time.sleep(POLL_SECONDS)
67 |             continue
68 |         print("Scan Status", status)
69 |         if status >= 100:
70 |             return records[-1]
71 |         time.sleep(POLL_SECONDS)
72 | 
73 | 
74 | if args.scanner != 'zap_scan':
75 |     parser.error("only --scanner=zap_scan is supported")
76 | 
77 | time.sleep(5)  # give ArcherySec a moment to register the scan
78 | final = wait_for_scan(archery_host())
79 | high_vul = int(final['high_vul'])
80 | medium_vul = int(final['medium_vul'])
81 | print("Total Vul", final['total_vul'])
82 | print("Total High", high_vul)
83 | print("Total Medium", medium_vul)
84 | print("Total Low", final['low_vul'])
85 | 
86 | # Thresholds are inclusive, as in the original: --high=10 fails at 10 or more
87 | if high_vul >= int(args.high):
88 |     print("Coz total high Vulnerability", high_vul)
89 |     print("FAILURE")
90 |     sys.exit(1)
91 | if medium_vul >= int(args.medium):
92 |     print("Coz total Medium Vulnerability", medium_vul)
93 |     print("FAILURE")
94 |     sys.exit(1)
95 | print("Test Passed")
96 | print("SUCCESS")
--------------------------------------------------------------------------------
/Archerysec-ZeD/docker-compose.yml: --------------------------------------------------------------------------------
1 | version: '3.6'
2 | 
3 | services:
4 |   db:
5 |     image: postgres:10.1-alpine
6 |     volumes:
7 |       - dbdata:/var/lib/postgresql/data
8 |     environment:
9 |       - POSTGRES_DB=archerysec
10 |       - POSTGRES_PASSWORD=archerysec
11 |       - POSTGRES_USER=archerysec
12 | 
13 |   archerysec:
14 |     image: archerysec/archerysec
15 |     ports:
16 |       - "8000:8000"
17 |     expose:
18 |       - "8000"
19 |     depends_on:
20 |       - db
21 |     links:
22 |       - db:db
23 |     environment:
24 |       - DB_PASSWORD=archerysec
25 |       - DB_USER=archerysec
26 |       - DB_NAME=archerysec
27 |       - DB_HOST=db
28 |       - DJANGO_SETTINGS_MODULE=archerysecurity.settings.development
29 |       - DJANGO_SECRET_KEY=${DJANGO_SECRET_KEY:-"SETME"}
30 |       - DJANGO_DEBUG=1
31 |       - EMAIL_HOST=mailhog
32 |       - EMAIL_PORT=1025
33 |     container_name: archerysec
34 | 
35 |   zaproxy:
36 |     image: owasp/zap2docker-stable
37 |     command: zap.sh -daemon -host 0.0.0.0 -port 8090 -config api.disablekey=true -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true
38 |     ports:
39 |       - "8090:8090"
40 |     expose:
41 |       # ZAP is running on 8090, we want it to be
accessible by our tools
42 |       - "8090"
43 |     links:
44 |       - archerysec
45 |     container_name: zapscanner
46 | 
47 | # The db service mounts the named volume dbdata; compose v3 refuses to start a
48 | # service that refers to a named volume with no top-level declaration.
49 | volumes:
50 |   dbdata:
51 | 
--------------------------------------------------------------------------------
/Archerysec-ZeD/zapscan.sh: --------------------------------------------------------------------------------
1 | #!/usr/bin/env bash
2 | # Creates an ArcherySec project, launches a ZAP scan against TARGET_URL and fails
3 | # the build when archery_script.py reports FAILURE or exits non-zero.
4 | # Expects ARCHERY_HOST and TARGET_URL in the environment (set by the Jenkins stage).
5 | set -o pipefail
6 | 
7 | DATE=$(date +%Y-%m-%d)
8 | 
9 | # ArcherySec credentials; override them from Jenkins credentials instead of editing this file
10 | ARCHERY_USER=${ARCHERY_USER:-admin}
11 | ARCHERY_PASS=${ARCHERY_PASS:-admin}
12 | PYTHON=${PYTHON:-python}
13 | SCRIPT=/var/lib/jenkins/archery/archery_script.py
14 | 
15 | # jq -r prints the raw string, so no sed quote-stripping is needed
16 | PROJECT_ID=$(archerysec-cli -s "${ARCHERY_HOST}" -u "${ARCHERY_USER}" -p "${ARCHERY_PASS}" --createproject --project_name=DevSecOps --project_disc=PROJECT_DISC --project_start="${DATE}" --project_end="${DATE}" --project_owner=test_project | tail -n1 | jq -r '.project_id')
17 | if [ -z "$PROJECT_ID" ] || [ "$PROJECT_ID" = "null" ]; then
18 |   echo "BUILD FAILURE: could not create the ArcherySec project"
19 |   exit 100
20 | fi
21 | 
22 | SCAN_ID=$(archerysec-cli -s "${ARCHERY_HOST}" -u "${ARCHERY_USER}" -p "${ARCHERY_PASS}" --zapscan --target_url="${TARGET_URL}" --project_id="${PROJECT_ID}" | tail -n1 | jq -r '.scanid')
23 | if [ -z "$SCAN_ID" ] || [ "$SCAN_ID" = "null" ]; then
24 |   echo "BUILD FAILURE: could not start the ZAP scan"
25 |   exit 100
26 | fi
27 | echo "scan id......" "$SCAN_ID"
28 | 
29 | # Run the gate once, keeping its output for the console and its exit status for the verdict.
30 | # The original ran it twice and only tested that the output was non-empty, so a FAILURE
31 | # verdict never failed the build.
32 | job_status=$("$PYTHON" "$SCRIPT" --scanner=zap_scan --scan_id="$SCAN_ID" --username="${ARCHERY_USER}" --password="${ARCHERY_PASS}" --host="${ARCHERY_HOST}" --high=10 --medium=15)
33 | rc=$?
34 | echo "$job_status"
35 | 
36 | if [ "$rc" -eq 0 ] && [ -n "$job_status" ] && [ "$(echo "$job_status" | tail -n1)" != "FAILURE" ]; then
37 |   echo "Build Success"
38 | else
39 |   echo "BUILD FAILURE: the ZAP scan exceeded the vulnerability thresholds or its status could not be obtained."
40 |   exit 100
41 | fi
--------------------------------------------------------------------------------
/Inspec/README.md: --------------------------------------------------------------------------------
1 | # Chef Inspec
2 | Chef InSpec is a free and open-source framework for testing and auditing your applications and infrastructure.
Chef InSpec works by comparing the actual state of your system with the desired state that you express in easy-to-read and easy-to-write Chef InSpec code. Chef InSpec detects violations and displays findings in the form of a report, but puts you in control of remediation.
3 | 
4 | # Pre-requisites
5 | 
6 | - Chef InSpec must be installed on the machine that runs the test (the Jenkins agent); the target is reached over SSH and needs no agent of its own.
7 | - The Chef InSpec package is available for macOS, RedHat, Ubuntu and Windows. The installer below is piped straight into a root shell, so download and review it first if that is not acceptable in your environment.
8 | ```
9 | curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec
10 | ```
11 | 
12 | # Getting started
13 | 
14 | - Run the InSpec profile against any target machine. `inspec exec` exits non-zero when a control fails, so the stage fails the build on its own. The password is passed on the command line here for brevity, which exposes it in the process list and in the build log; prefer an SSH key held in Jenkins credentials, passed with `-i`.
15 | ```
16 | stage ('Inspec')
17 | {
18 |     sh """
19 |     inspec exec Inspec/hardening-test -t ssh://${hostMachineName}@${hostMachineIP} --password=${hostMachinePassword} --reporter json:./inspec_results
20 |     """
21 | }
22 | ```
23 | 
24 | --------------------------------------------------------------------------------
/Inspec/hardening-test/README.md: --------------------------------------------------------------------------------
1 | # Example InSpec Profile
2 | 
3 | This example shows the implementation of an InSpec profile: controls/example.rb pulls selected controls from the dev-sec linux-baseline and ssh-baseline profiles declared in inspec.yml, and controls/hardening.rb adds the profile's own lnx-* controls.
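The Jenkins stage above only runs `inspec exec`; the JSON report it writes to `./inspec_results` can also drive a stricter, impact-aware gate. The script below is an added example (Python, not part of the Devops-Accelerators repository or of Chef InSpec): it summarizes every control in the report and fails the build when a control with impact at or above a threshold has a failing result, using InSpec's documented impact bands (0.7 and above is high or critical). `REPORT` is a constructed, trimmed report in the shape InSpec's json reporter emits (profiles, controls, results); the control ids come from this profile, the titles and messages are made up for the example.

```python
#!/usr/bin/env python3
"""Gate a Jenkins stage on the JSON report that `inspec exec --reporter json:` writes.

Added example; not part of the Devops-Accelerators repository or of Chef InSpec.
REPORT is a constructed, trimmed report in the shape of InSpec's json reporter
(profiles -> controls -> results); control ids match the profile on this page,
the titles and messages are made up for the example.
"""
import json
import sys

REPORT = json.dumps({
    "version": "4.x",
    "profiles": [{
        "name": "hardening-test",
        "controls": [
            {"id": "lnx-01", "impact": 1.0, "title": "Check owner and permissions for /etc/passwd",
             "results": [{"status": "passed"}, {"status": "passed"}]},
            {"id": "lnx-03", "impact": 1.0, "title": "ICMP ignore bogus error responses",
             "results": [{"status": "skipped", "skip_message": "Skipped control due to only_if condition."}]},
            {"id": "lnx-11", "impact": 1.0, "title": "Ensure password expiration warning days is 7 or more",
             "results": [{"status": "failed", "code_desc": "File /etc/login.defs content is expected to match /PASS_WARN_AGE/"},
                         {"status": "passed"}]},
            {"id": "ssh-03", "impact": 0.5, "title": "constructed medium-impact ssh control",
             "results": [{"status": "failed", "code_desc": "constructed failure"}]},
            {"id": "lnx-12", "impact": 0.0, "title": "Ensure root login is restricted to system console",
             "results": [{"status": "skipped", "skip_message": "No tests defined for this control"}]},
        ],
    }],
})


def impact_level(impact):
    """InSpec's impact bands: 0.9+ critical, 0.7+ high, 0.4+ medium, >0 low, 0 none."""
    if impact >= 0.9:
        return "critical"
    if impact >= 0.7:
        return "high"
    if impact >= 0.4:
        return "medium"
    if impact > 0.0:
        return "low"
    return "none"


def control_status(results):
    """One verdict per control: any failed result fails it; all-skipped is skipped."""
    statuses = [r.get("status") for r in results]
    if "failed" in statuses:
        return "failed"
    if statuses and all(s == "skipped" for s in statuses):
        return "skipped"
    return "passed" if statuses else "no-results"


def summarize(report_text):
    """Rows of (profile, id, impact, title, status) for every control in the report."""
    rows = []
    for profile in json.loads(report_text).get("profiles", []):
        for ctl in profile.get("controls", []):
            rows.append((profile.get("name", "?"), ctl["id"], float(ctl.get("impact", 0.0)),
                         ctl.get("title", ""), control_status(ctl.get("results", []))))
    return rows


def blocking_failures(report_text, min_impact=0.7):
    """Failed controls whose impact is at or above min_impact (default: high and critical)."""
    return [r for r in summarize(report_text) if r[4] == "failed" and r[2] >= min_impact]


if __name__ == "__main__":
    # usage: inspec_gate.py [./inspec_results] [min_impact]; no arguments checks the constructed report
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else REPORT
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 0.7
    for profile, cid, impact, title, status in summarize(text):
        print("%-10s %-7s %-8s %s: %s" % (status.upper(), cid, impact_level(impact), profile, title))
    blocking = blocking_failures(text, threshold)
    print("%d control(s) failed at impact >= %.1f" % (len(blocking), threshold))
    sys.exit(1 if blocking else 0)
```

Run it as `python3 inspec_gate.py ./inspec_results 0.7` right after the `inspec exec` step. Because `inspec exec` already exits non-zero on any failure, append `|| true` to that line if this script, rather than InSpec's own exit status, is meant to decide whether the stage fails; skipped controls (the `only_if` guards in hardening.rb fire inside containers) never block.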
4 | 
--------------------------------------------------------------------------------
/Inspec/hardening-test/controls/example.rb: --------------------------------------------------------------------------------
1 | require_controls 'linux-baseline' do
2 |   control 'os-01'
3 | end
4 | 
5 | require_controls 'ssh-baseline' do
6 |   control 'ssh-01'
7 |   control 'ssh-03'
8 | end
9 | 
--------------------------------------------------------------------------------
/Inspec/hardening-test/controls/hardening.rb: --------------------------------------------------------------------------------
1 | # sysctl checks are skipped inside lxc/docker guests, where the kernel belongs to the host
2 | container_execution = begin
3 |   virtualization.role == 'guest' && virtualization.system =~ /^(lxc|docker)$/
4 | rescue NoMethodError
5 |   false
6 | end
7 | 
8 | control 'lnx-01' do
9 |   impact 1.0
10 |   title 'Check owner and permissions for /etc/passwd'
11 |   desc 'Check periodically the owner and permissions for /etc/passwd'
12 |   describe file('/etc/passwd') do
13 |     it { should exist }
14 |     it { should be_file }
15 |     it { should be_owned_by 'root' }
16 |     its('group') { should eq 'root' }
17 |     it { should_not be_executable }
18 |     it { should be_writable.by('owner') }
19 |     it { should_not be_writable.by('group') }
20 |     it { should_not be_writable.by('other') }
21 |     it { should be_readable.by('owner') }
22 |     it { should be_readable.by('group') }
23 |     it { should be_readable.by('other') }
24 |   end
25 | end
26 | 
27 | control 'lnx-02' do
28 |   impact 1.0
29 |   title 'Protect log-directory'
30 |   desc 'The log-directory /var/log should belong to root'
31 |   describe file('/var/log') do
32 |     it { should be_directory }
33 |     it { should be_owned_by 'root' }
34 |     # anchor the whole group name: /^root|syslog$/ also accepted names such as "rootkit"
35 |     its(:group) { should match(/^(root|syslog)$/) }
36 |   end
37 | end
38 | 
39 | control 'lnx-03' do
40 |   impact 1.0
41 |   title 'ICMP ignore bogus error responses'
42 |   desc 'Some routers send invalid responses to broadcast frames. This violates RFC 1122 and the kernel logs it. To avoid filling the log with noise, tell the kernel not to issue these warnings.'
43 |   only_if { !container_execution }
44 |   describe kernel_parameter('net.ipv4.icmp_ignore_bogus_error_responses') do
45 |     its(:value) { should eq 1 }
46 |   end
47 | end
48 | 
49 | control 'lnx-04' do
50 |   impact 1.0
51 |   title 'ICMP echo ignore broadcasts'
52 |   desc 'Ignore ICMP ECHO requests sent to broadcast addresses (smurf amplification)'
53 |   only_if { !container_execution }
54 |   describe kernel_parameter('net.ipv4.icmp_echo_ignore_broadcasts') do
55 |     its(:value) { should eq 1 }
56 |   end
57 | end
58 | 
59 | control 'lnx-05' do
60 |   impact 1.0
61 |   title 'ICMP echo ignore ping'
62 |   desc 'Ignore all ICMP ECHO requests, so the host does not answer ping'
63 |   only_if { !container_execution }
64 |   describe kernel_parameter('net.ipv4.icmp_echo_ignore_all') do
65 |     its(:value) { should eq 1 }
66 |   end
67 | end
68 | 
69 | control 'lnx-06' do
70 |   impact 1.0
71 |   title 'Disable IPv6 if it is not needed'
72 |   desc 'Disable IPv6 if it is not needed'
73 |   only_if { !container_execution }
74 |   describe kernel_parameter('net.ipv6.conf.all.disable_ipv6') do
75 |     its(:value) { should eq 1 }
76 |   end
77 | end
78 | 
79 | control 'lnx-07' do
80 |   impact 1.0
81 |   title 'Ensure permissions on /etc/crontab are configured'
82 |   desc "
83 |     The /etc/crontab file is used by cron to control its own jobs. The checks below make sure that root is the user and group owner of the file and that only the owner can access it.
84 | 
85 |     Rationale: This file contains information on what system jobs are run by cron. Write access to this file could provide unprivileged users with the ability to elevate their privileges. Read access could give users insight into the system jobs that run and a way to gain unauthorized privileged access.
86 |   "
87 |   describe file('/etc/crontab') do
88 |     it { should exist }
89 |     its('uid') { should cmp 0 }
90 |     its('gid') { should cmp 0 }
91 |     it { should_not be_readable.by 'group' }
92 |     it { should_not be_writable.by 'group' }
93 |     it { should_not be_executable.by 'group' }
94 |     it { should_not be_readable.by 'other' }
95 |     it { should_not be_writable.by 'other' }
96 |     it { should_not be_executable.by 'other' }
97 |   end
98 | end
99 | 
100 | control 'lnx-08' do
101 |   impact 1.0
102 |   title 'Ensure permissions on /etc/cron.hourly are configured'
103 |   desc "
104 |     This directory contains system cron jobs that run hourly. The files in it cannot be manipulated by the crontab command; they are edited by system administrators with a text editor. The checks below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
105 | 
106 |     Rationale: Granting write access to this directory to non-privileged users could give them the means to gain unauthorized elevated privileges. Granting read access could give an unprivileged user insight into how to gain elevated privileges or circumvent auditing controls.
107 |   "
108 |   describe file('/etc/cron.hourly') do
109 |     it { should exist }
110 |     its('uid') { should cmp 0 }
111 |     its('gid') { should cmp 0 }
112 |     it { should_not be_readable.by 'group' }
113 |     it { should_not be_writable.by 'group' }
114 |     it { should_not be_executable.by 'group' }
115 |     it { should_not be_readable.by 'other' }
116 |     it { should_not be_writable.by 'other' }
117 |     it { should_not be_executable.by 'other' }
118 |   end
119 | end
120 | 
121 | control 'lnx-09' do
122 |   impact 1.0
123 |   title 'Ensure permissions on /etc/passwd- are configured'
124 |   desc "
125 |     The /etc/passwd- file contains backup user account information.
126 | 
127 |     Rationale: It is critical to ensure that the /etc/passwd- file is protected from unauthorized access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.
128 |   "
129 |   describe file('/etc/passwd-') do
130 |     it { should exist }
131 |     its('uid') { should cmp 0 }
132 |     its('gid') { should cmp 0 }
133 |     it { should_not be_executable.by 'owner' }
134 |     it { should_not be_readable.by 'group' }
135 |     it { should_not be_writable.by 'group' }
136 |     it { should_not be_executable.by 'group' }
137 |     it { should_not be_readable.by 'other' }
138 |     it { should_not be_writable.by 'other' }
139 |     it { should_not be_executable.by 'other' }
140 |     it { should_not be_setuid }
141 |     it { should_not be_setgid }
142 |     it { should_not be_sticky }
143 |   end
144 | end
145 | 
146 | control 'lnx-10' do
147 |   impact 1.0
148 |   title 'Ensure password fields are not empty'
149 |   desc "
150 |     An account with an empty password field means that anybody may log in as that user without providing a password.
151 | 
152 |     Rationale: All accounts must have passwords or be locked to prevent the account from being used by an unauthorized user.
153 |   "
154 |   # any shadow entry with a user name but an empty password field is a finding
155 |   describe shadow.where { user =~ /.+/ and password !~ /.+/ } do
156 |     its('raw_data') { should be_empty }
157 |   end
158 | end
159 | 
160 | control 'lnx-11' do
161 |   impact 1.0
162 |   title 'Ensure password expiration warning days is 7 or more'
163 |   desc "
164 |     The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days.
165 | 
166 |     Rationale: Providing an advance warning that a password will be expiring gives users time to think of a secure password. Users caught unaware may choose a simple password or write it down where it may be discovered.
167 |   "
168 |   # accepts 7, 8, 9 or any value of two or more digits, with an optional trailing comment
169 |   describe file('/etc/login.defs') do
170 |     its('content') { should match(/^\s*PASS_WARN_AGE\s+([789]|[1-9][0-9]+)\s*(\s+#.*)?$/) }
171 |   end
172 |   # accounts with a real password (not locked with ! or *) must also carry warn_days >= 7 in /etc/shadow
173 |   describe shadow.where { user =~ /.+/ and password =~ /^[^!*]/ and (warn_days.nil? or warn_days.to_i < 7) } do
174 |     its('raw_data') { should be_empty }
175 |   end
176 | end
177 | 
178 | control 'lnx-12' do
179 |   impact 0.0
180 |   title 'Ensure root login is restricted to system console'
181 |   desc "
182 |     The file /etc/securetty contains a list of valid terminals that may be logged in directly as root.
183 | 
184 |     Rationale: Since the system console has special properties to handle emergency situations, it is important to ensure that the console is in a physically secure location and that unauthorized consoles have not been defined.
185 |   "
186 |   # impact 0.0: informational only, no automated test is defined
187 |   describe 'No tests defined for this control' do
188 |     skip 'No tests defined for this control'
189 |   end
190 | end
191 | 
--------------------------------------------------------------------------------
/Inspec/hardening-test/inspec.lock: --------------------------------------------------------------------------------
1 | ---
2 | lockfile_version: 1
3 | depends:
4 | - name: linux-baseline
5 |   resolved_source:
6 |     url: https://github.com/dev-sec/linux-baseline/archive/master.tar.gz
7 |     sha256: 1e596626f2305160dffad6f3c3a2c03b853a03f0b773d6d8ae957b6046b64146
8 |   version_constraints: []
9 | - name: ssh-baseline
10 |   resolved_source:
11 |     url: https://github.com/dev-sec/ssh-baseline/archive/master.tar.gz
12 |     sha256: cb0da29499dc5d27497ce906abfd3111970710fd0021ed0a013eb7cb2cc22c5b
13 |   version_constraints: []
14 | 
--------------------------------------------------------------------------------
/Inspec/hardening-test/inspec.yml: --------------------------------------------------------------------------------
1 | name: hardening-test
2 | title: InSpec Profile
3 | maintainer: The Authors
4 | copyright: The Authors
5 | copyright_email: you@example.com
6 | license: Apache-2.0
7 | summary: An InSpec Compliance Profile
8 | version: 0.1.0
9 | supports:
10 |   platform: os
11 | 
12 | # Both dependencies point at moving master tarballs; inspec.lock pins the sha256 of
13 | # the vendored copies, so refresh them deliberately with `inspec vendor` and review the diff.
14 | depends:
15 |   - name: linux-baseline
16 |     url: https://github.com/dev-sec/linux-baseline/archive/master.tar.gz
17 |   - name: ssh-baseline
18 |     url: https://github.com/dev-sec/ssh-baseline/archive/master.tar.gz
19 | 
--------------------------------------------------------------------------------
/Inspec/hardening-test/vendor/1e596626f2305160dffad6f3c3a2c03b853a03f0b773d6d8ae957b6046b64146/linux-baseline-master/CHANGELOG.md: --------------------------------------------------------------------------------
1 | # Change Log
2 | 
3 | ## [2.3.0](https://github.com/dev-sec/linux-baseline/tree/2.3.0) (2019-05-14)
4 | [Full
Changelog](https://github.com/dev-sec/linux-baseline/compare/2.2.2...2.3.0) 5 | 6 | **Closed issues:** 7 | 8 | - Audit Daemon Fails on Amazon Linux 2 [\#109](https://github.com/dev-sec/linux-baseline/issues/109) 9 | - os-11 fails on vanilla Ubuntu 16.04/18.04 [\#104](https://github.com/dev-sec/linux-baseline/issues/104) 10 | - Container conditions to skip tests? [\#102](https://github.com/dev-sec/linux-baseline/issues/102) 11 | - Duplicate testing for telnetd instead of rsh [\#97](https://github.com/dev-sec/linux-baseline/issues/97) 12 | - Profile summary VS Test Summary [\#93](https://github.com/dev-sec/linux-baseline/issues/93) 13 | - Control Sysctl 31-b from sysctl\_spec.rb causing Inspec to exit with error code [\#92](https://github.com/dev-sec/linux-baseline/issues/92) 14 | 15 | **Merged pull requests:** 16 | 17 | - Add compatibility for alpine based images [\#111](https://github.com/dev-sec/linux-baseline/pull/111) ([zopanix](https://github.com/zopanix)) 18 | - Minor grammatical fix in README [\#108](https://github.com/dev-sec/linux-baseline/pull/108) ([cachedout](https://github.com/cachedout)) 19 | - Update issue templates [\#106](https://github.com/dev-sec/linux-baseline/pull/106) ([rndmh3ro](https://github.com/rndmh3ro)) 20 | - \#104 Fix os-11 for Ubuntu 16.04 and newer [\#105](https://github.com/dev-sec/linux-baseline/pull/105) ([IceBear2k](https://github.com/IceBear2k)) 21 | - efi-check should run on remote host, not locally [\#103](https://github.com/dev-sec/linux-baseline/pull/103) ([rndmh3ro](https://github.com/rndmh3ro)) 22 | - update grammar in desc [\#101](https://github.com/dev-sec/linux-baseline/pull/101) ([juliandunn](https://github.com/juliandunn)) 23 | - Update to test for rsh-server instead of duplicate telnetd [\#98](https://github.com/dev-sec/linux-baseline/pull/98) ([aavetis](https://github.com/aavetis)) 24 | 25 | ## [2.2.2](https://github.com/dev-sec/linux-baseline/tree/2.2.2) (2018-07-19) 26 | [Full 
Changelog](https://github.com/dev-sec/linux-baseline/compare/2.2.1...2.2.2) 27 | 28 | **Merged pull requests:** 29 | 30 | - Update to version 2.2.2 [\#99](https://github.com/dev-sec/linux-baseline/pull/99) ([james-stocks](https://github.com/james-stocks)) 31 | - Do not disable vfat by default [\#96](https://github.com/dev-sec/linux-baseline/pull/96) ([rndmh3ro](https://github.com/rndmh3ro)) 32 | - fix virtualization usage in older inspec versions [\#95](https://github.com/dev-sec/linux-baseline/pull/95) ([mattlqx](https://github.com/mattlqx)) 33 | 34 | ## [2.2.1](https://github.com/dev-sec/linux-baseline/tree/2.2.1) (2018-05-14) 35 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.2.0...2.2.1) 36 | 37 | **Closed issues:** 38 | 39 | - /etc/shadow permissions false positive on Fedora [\#89](https://github.com/dev-sec/linux-baseline/issues/89) 40 | 41 | **Merged pull requests:** 42 | 43 | - Skip auditd and sysctl tests for containers [\#91](https://github.com/dev-sec/linux-baseline/pull/91) ([artem-sidorenko](https://github.com/artem-sidorenko)) 44 | - Fixes \#89 false positive /etc/shadow on Fedora [\#90](https://github.com/dev-sec/linux-baseline/pull/90) ([marcelhuth](https://github.com/marcelhuth)) 45 | - Fix typos in `inspec.yml` [\#88](https://github.com/dev-sec/linux-baseline/pull/88) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) 46 | 47 | ## [2.2.0](https://github.com/dev-sec/linux-baseline/tree/2.2.0) (2017-12-01) 48 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.1.1...2.2.0) 49 | 50 | **Closed issues:** 51 | 52 | - linux-baseline os-06 can not be skipped [\#86](https://github.com/dev-sec/linux-baseline/issues/86) 53 | - control os-10 fails \(/etc/modprobe.d/dev-sec.conf\) [\#80](https://github.com/dev-sec/linux-baseline/issues/80) 54 | - package-08 error on amazon linux [\#79](https://github.com/dev-sec/linux-baseline/issues/79) 55 | 56 | **Merged pull requests:** 57 | 58 | - deferring the execution of 
permissions to profile execution [\#87](https://github.com/dev-sec/linux-baseline/pull/87) ([chris-rock](https://github.com/chris-rock)) 59 | - CIS 4.1.1.3 [\#85](https://github.com/dev-sec/linux-baseline/pull/85) ([tomhaynes](https://github.com/tomhaynes)) 60 | - Update Fedora controls [\#84](https://github.com/dev-sec/linux-baseline/pull/84) ([shoekstra](https://github.com/shoekstra)) 61 | - Fix log\_dir\_group for Ubuntu 14.04+ [\#83](https://github.com/dev-sec/linux-baseline/pull/83) ([shoekstra](https://github.com/shoekstra)) 62 | - Tune some parameters for RedHat system [\#82](https://github.com/dev-sec/linux-baseline/pull/82) ([strangeman](https://github.com/strangeman)) 63 | - add logdir-check [\#81](https://github.com/dev-sec/linux-baseline/pull/81) ([rndmh3ro](https://github.com/rndmh3ro)) 64 | - Optimize file search routines [\#77](https://github.com/dev-sec/linux-baseline/pull/77) ([mcgege](https://github.com/mcgege)) 65 | - Check for Amazon Linux when determining audit package. 
[\#76](https://github.com/dev-sec/linux-baseline/pull/76) ([HenryTheHamster](https://github.com/HenryTheHamster)) 66 | - Update package\_spec.rb [\#74](https://github.com/dev-sec/linux-baseline/pull/74) ([lnxchk](https://github.com/lnxchk)) 67 | - CIS 1.5.4 Ensure prelink is disabled [\#73](https://github.com/dev-sec/linux-baseline/pull/73) ([bitvijays](https://github.com/bitvijays)) 68 | - Added net.ipv4.conf.default.log\_martians for Martian Packets in sysctl\_spec.rb [\#72](https://github.com/dev-sec/linux-baseline/pull/72) ([bitvijays](https://github.com/bitvijays)) 69 | - 1.1.1 CIS Disable unused filesystem [\#71](https://github.com/dev-sec/linux-baseline/pull/71) ([bitvijays](https://github.com/bitvijays)) 70 | - os-02: Fix for SUSE environments [\#70](https://github.com/dev-sec/linux-baseline/pull/70) ([mcgege](https://github.com/mcgege)) 71 | - On SUSE environments 'auditd' is part of package 'audit' [\#69](https://github.com/dev-sec/linux-baseline/pull/69) ([mcgege](https://github.com/mcgege)) 72 | - use recommended spdx license identifier [\#68](https://github.com/dev-sec/linux-baseline/pull/68) ([chris-rock](https://github.com/chris-rock)) 73 | 74 | ## [2.1.1](https://github.com/dev-sec/linux-baseline/tree/2.1.1) (2017-06-02) 75 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.1.0...2.1.1) 76 | 77 | **Closed issues:** 78 | 79 | - systctl-33 doesn't see nx flag [\#65](https://github.com/dev-sec/linux-baseline/issues/65) 80 | - check for audit\(d\) fails on aws linux ami [\#60](https://github.com/dev-sec/linux-baseline/issues/60) 81 | 82 | **Merged pull requests:** 83 | 84 | - CI: update to ruby 2.4.1 and rubocop 0.49.1 [\#66](https://github.com/dev-sec/linux-baseline/pull/66) ([artem-sidorenko](https://github.com/artem-sidorenko)) 85 | - Use assignment\_regex, only\_if and bump profile version [\#64](https://github.com/dev-sec/linux-baseline/pull/64) ([alexpop](https://github.com/alexpop)) 86 | - num\_logs has different values on 
different distros [\#63](https://github.com/dev-sec/linux-baseline/pull/63) ([artem-sidorenko](https://github.com/artem-sidorenko)) 87 | - Allow verification if kernel modules loading is disabled [\#62](https://github.com/dev-sec/linux-baseline/pull/62) ([artem-sidorenko](https://github.com/artem-sidorenko)) 88 | - Fix: more generic auditd settings [\#61](https://github.com/dev-sec/linux-baseline/pull/61) ([artem-sidorenko](https://github.com/artem-sidorenko)) 89 | 90 | ## [2.1.0](https://github.com/dev-sec/linux-baseline/tree/2.1.0) (2017-05-08) 91 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.0.1...2.1.0) 92 | 93 | **Merged pull requests:** 94 | 95 | - update metadata [\#58](https://github.com/dev-sec/linux-baseline/pull/58) ([chris-rock](https://github.com/chris-rock)) 96 | - update gemfile [\#57](https://github.com/dev-sec/linux-baseline/pull/57) ([atomic111](https://github.com/atomic111)) 97 | - restrict ruby testing to version 2.3.3 [\#56](https://github.com/dev-sec/linux-baseline/pull/56) ([atomic111](https://github.com/atomic111)) 98 | - Properly verify the kernel dump setting [\#52](https://github.com/dev-sec/linux-baseline/pull/52) ([artem-sidorenko](https://github.com/artem-sidorenko)) 99 | - auditd package is called audit in the rhel family [\#51](https://github.com/dev-sec/linux-baseline/pull/51) ([rdeusser](https://github.com/rdeusser)) 100 | - Ignore inspec.lock file [\#50](https://github.com/dev-sec/linux-baseline/pull/50) ([techraf](https://github.com/techraf)) 101 | - Remove duplicated expectation from sysctl-16 [\#49](https://github.com/dev-sec/linux-baseline/pull/49) ([techraf](https://github.com/techraf)) 102 | - update links in readme [\#47](https://github.com/dev-sec/linux-baseline/pull/47) ([chris-rock](https://github.com/chris-rock)) 103 | - essay: differentiate redhat/debian, add extra conditions [\#44](https://github.com/dev-sec/linux-baseline/pull/44) ([juju4](https://github.com/juju4)) 104 | 105 | ## 
[2.0.1](https://github.com/dev-sec/linux-baseline/tree/2.0.1) (2016-12-21) 106 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.0.0...2.0.1) 107 | 108 | **Closed issues:** 109 | 110 | - permissions /etc/shadow [\#41](https://github.com/dev-sec/linux-baseline/issues/41) 111 | - False positives in control os-06 [\#40](https://github.com/dev-sec/linux-baseline/issues/40) 112 | 113 | **Merged pull requests:** 114 | 115 | - update profile metadata & tooling [\#46](https://github.com/dev-sec/linux-baseline/pull/46) ([chris-rock](https://github.com/chris-rock)) 116 | - update Gemfile [\#43](https://github.com/dev-sec/linux-baseline/pull/43) ([atomic111](https://github.com/atomic111)) 117 | - Update links in README file [\#42](https://github.com/dev-sec/linux-baseline/pull/42) ([netflash](https://github.com/netflash)) 118 | - Fix cpu flags and change default for net.ipv4.conf.all.log\_martians [\#39](https://github.com/dev-sec/linux-baseline/pull/39) ([chris-rock](https://github.com/chris-rock)) 119 | 120 | ## [2.0.0](https://github.com/dev-sec/linux-baseline/tree/2.0.0) (2016-04-29) 121 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/1.3.0...2.0.0) 122 | 123 | **Merged pull requests:** 124 | 125 | - inspec profile [\#38](https://github.com/dev-sec/linux-baseline/pull/38) ([chris-rock](https://github.com/chris-rock)) 126 | 127 | ## [1.3.0](https://github.com/dev-sec/linux-baseline/tree/1.3.0) (2016-04-25) 128 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/1.2.0...1.3.0) 129 | 130 | **Fixed bugs:** 131 | 132 | - update identifier [\#37](https://github.com/dev-sec/linux-baseline/pull/37) ([chris-rock](https://github.com/chris-rock)) 133 | 134 | **Merged pull requests:** 135 | 136 | - prevent nil in flags [\#36](https://github.com/dev-sec/linux-baseline/pull/36) ([arlimus](https://github.com/arlimus)) 137 | 138 | ## [1.2.0](https://github.com/dev-sec/linux-baseline/tree/1.2.0) (2015-12-08) 139 | [Full 
Changelog](https://github.com/dev-sec/linux-baseline/compare/1.1.0...1.2.0) 140 | 141 | **Merged pull requests:** 142 | 143 | - removed serverspec support and created all inspec tests [\#35](https://github.com/dev-sec/linux-baseline/pull/35) ([atomic111](https://github.com/atomic111)) 144 | 145 | ## [1.1.0](https://github.com/dev-sec/linux-baseline/tree/1.1.0) (2015-10-15) 146 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/1.0.0...1.1.0) 147 | 148 | **Merged pull requests:** 149 | 150 | - Remove whitespace [\#34](https://github.com/dev-sec/linux-baseline/pull/34) ([rndmh3ro](https://github.com/rndmh3ro)) 151 | - Improve Ansible tests [\#33](https://github.com/dev-sec/linux-baseline/pull/33) ([rndmh3ro](https://github.com/rndmh3ro)) 152 | - Fix typos [\#31](https://github.com/dev-sec/linux-baseline/pull/31) ([rndmh3ro](https://github.com/rndmh3ro)) 153 | - update urls [\#30](https://github.com/dev-sec/linux-baseline/pull/30) ([chris-rock](https://github.com/chris-rock)) 154 | - bugfix: add missing: ipv6 accept\_ra = 0 [\#29](https://github.com/dev-sec/linux-baseline/pull/29) ([arlimus](https://github.com/arlimus)) 155 | - Ansible support [\#28](https://github.com/dev-sec/linux-baseline/pull/28) ([rndmh3ro](https://github.com/rndmh3ro)) 156 | - add json format option [\#26](https://github.com/dev-sec/linux-baseline/pull/26) ([atomic111](https://github.com/atomic111)) 157 | - Update common [\#25](https://github.com/dev-sec/linux-baseline/pull/25) ([arlimus](https://github.com/arlimus)) 158 | - feature: add schroot to suid/sgid whitelist [\#24](https://github.com/dev-sec/linux-baseline/pull/24) ([arlimus](https://github.com/arlimus)) 159 | - Update common [\#23](https://github.com/dev-sec/linux-baseline/pull/23) ([arlimus](https://github.com/arlimus)) 160 | - updating common files [\#22](https://github.com/dev-sec/linux-baseline/pull/22) ([arlimus](https://github.com/arlimus)) 161 | - changed GIS to DTAG SEC 
[\#21](https://github.com/dev-sec/linux-baseline/pull/21) ([atomic111](https://github.com/atomic111)) 162 | - bugfix: lint error [\#20](https://github.com/dev-sec/linux-baseline/pull/20) ([chris-rock](https://github.com/chris-rock)) 163 | 164 | ## [1.0.0](https://github.com/dev-sec/linux-baseline/tree/1.0.0) (2014-08-13) 165 | **Merged pull requests:** 166 | 167 | - Lockdown mode [\#19](https://github.com/dev-sec/linux-baseline/pull/19) ([arlimus](https://github.com/arlimus)) 168 | - split sysctl\_spec.rb, added suid whitliste and uid unique search [\#18](https://github.com/dev-sec/linux-baseline/pull/18) ([atomic111](https://github.com/atomic111)) 169 | - added additional test [\#17](https://github.com/dev-sec/linux-baseline/pull/17) ([atomic111](https://github.com/atomic111)) 170 | - add travis config, add default task to rakefile [\#16](https://github.com/dev-sec/linux-baseline/pull/16) ([ehaselwanter](https://github.com/ehaselwanter)) 171 | - update rubocop, add common linter task, fix rubocop issues [\#15](https://github.com/dev-sec/linux-baseline/pull/15) ([ehaselwanter](https://github.com/ehaselwanter)) 172 | - fix exec-shield test [\#14](https://github.com/dev-sec/linux-baseline/pull/14) ([chris-rock](https://github.com/chris-rock)) 173 | - add lint rake task with robocop and fix issues [\#13](https://github.com/dev-sec/linux-baseline/pull/13) ([chris-rock](https://github.com/chris-rock)) 174 | - added Telekom Security Requirement numbers to the corresponding kitchen test [\#12](https://github.com/dev-sec/linux-baseline/pull/12) ([atomic111](https://github.com/atomic111)) 175 | - add ruby gem source [\#11](https://github.com/dev-sec/linux-baseline/pull/11) ([chris-rock](https://github.com/chris-rock)) 176 | - add standalone usage feature [\#10](https://github.com/dev-sec/linux-baseline/pull/10) ([ehaselwanter](https://github.com/ehaselwanter)) 177 | - serverspec has a contract on running commands remote. 
this fixes the local [\#9](https://github.com/dev-sec/linux-baseline/pull/9) ([ehaselwanter](https://github.com/ehaselwanter)) 178 | - add lockfiles and delete them from tree [\#8](https://github.com/dev-sec/linux-baseline/pull/8) ([ehaselwanter](https://github.com/ehaselwanter)) 179 | - rubocop fixes [\#7](https://github.com/dev-sec/linux-baseline/pull/7) ([ehaselwanter](https://github.com/ehaselwanter)) 180 | - moved site.pp to the shared test, were it belongs [\#6](https://github.com/dev-sec/linux-baseline/pull/6) ([ehaselwanter](https://github.com/ehaselwanter)) 181 | - bugfix: arp restrictions should apply to all, not just eth0 [\#5](https://github.com/dev-sec/linux-baseline/pull/5) ([arlimus](https://github.com/arlimus)) 182 | - one folder level up [\#4](https://github.com/dev-sec/linux-baseline/pull/4) ([ehaselwanter](https://github.com/ehaselwanter)) 183 | - Fix: change value of log\_martians to the cookbook default [\#3](https://github.com/dev-sec/linux-baseline/pull/3) ([atomic111](https://github.com/atomic111)) 184 | - discard one level to be able to use the defaults in test-kitchen by just [\#2](https://github.com/dev-sec/linux-baseline/pull/2) ([ehaselwanter](https://github.com/ehaselwanter)) 185 | - added tests from chef-os-hardening [\#1](https://github.com/dev-sec/linux-baseline/pull/1) ([ehaselwanter](https://github.com/ehaselwanter)) 186 | 187 | 188 | 189 | \* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)* -------------------------------------------------------------------------------- /Inspec/hardening-test/vendor/1e596626f2305160dffad6f3c3a2c03b853a03f0b773d6d8ae957b6046b64146/linux-baseline-master/Gemfile: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | source 'https://rubygems.org' 4 | 5 | gem 'highline', '~> 2.0.2' 6 | gem 'inspec', '~> 3' 7 | gem 'rack', '~> 2.0.7' 8 | gem 'rake', 
'~> 12.3.2' 9 | gem 'rubocop', '~> 0.68.1' 10 | 11 | group :tools do 12 | gem 'github_changelog_generator', '~> 1.14.3' 13 | gem 'pry-coolline', '~> 0.2.5' 14 | end 15 | -------------------------------------------------------------------------------- /Inspec/hardening-test/vendor/1e596626f2305160dffad6f3c3a2c03b853a03f0b773d6d8ae957b6046b64146/linux-baseline-master/LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 
35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. 
Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | -------------------------------------------------------------------------------- /Inspec/hardening-test/vendor/1e596626f2305160dffad6f3c3a2c03b853a03f0b773d6d8ae957b6046b64146/linux-baseline-master/README.md: -------------------------------------------------------------------------------- 1 | DevSec Linux Baseline 2 | ===================== 3 | 4 | This Compliance Profile ensures that all hardening projects keep the same quality. 
- https://github.com/dev-sec/puppet-os-hardening
- https://github.com/dev-sec/chef-os-hardening
- https://github.com/dev-sec/ansible-os-hardening

## Standalone Usage

This Compliance Profile requires [InSpec](https://github.com/chef/inspec) for execution:

```
$ git clone https://github.com/dev-sec/linux-baseline
$ inspec exec linux-baseline
```

You can also execute the profile directly from Github:

```
$ inspec exec https://github.com/dev-sec/linux-baseline
```

## License and Author

* Author:: Patrick Muench
* Author:: Dominik Richter
* Author:: Christoph Hartmann
* Author:: Edmund Haselwanter

* Copyright 2014-2016, The Hardening Framework Team

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
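Running `inspec exec` as shown above only prints results; in a pipeline such as the Jenkinsfile in this repository the interesting part is turning the report into a pass/fail decision. The plain-Ruby gate below is an added example, not code from linux-baseline or this repository: it reads the structure emitted by `inspec exec ... --reporter json` (profiles, controls, per-describe results with a status), rolls each control up the way the InSpec CLI does, and blocks only on failed controls whose impact reaches a threshold. The 0.7 threshold, the sample report and its `example-low` control are constructed for this example.

```ruby
require 'json'

# Constructed sample of an InSpec json-reporter document. Control ids lnx-11,
# lnx-12 and os-01 come from the profiles above; their statuses here are
# made up, and "example-low" is a constructed control that exists in no profile.
SAMPLE_REPORT = <<~JSON
  {
    "profiles": [
      {
        "name": "hardening-test",
        "controls": [
          {
            "id": "lnx-11", "impact": 1.0,
            "results": [
              {"status": "passed", "code_desc": "File /etc/login.defs content should match PASS_WARN_AGE"},
              {"status": "failed", "code_desc": "/etc/shadow users with warn_days < 7 raw_data should be empty",
               "message": "expected raw_data to be empty, got 1 row (constructed user deploy)"}
            ]
          },
          {
            "id": "lnx-12", "impact": 0.0,
            "results": [{"status": "skipped", "skip_message": "No tests defined for this control"}]
          },
          {
            "id": "os-01", "impact": 1.0,
            "results": [{"status": "passed", "code_desc": "File /etc/hosts.equiv should not exist"}]
          },
          {
            "id": "example-low", "impact": 0.3,
            "results": [{"status": "failed", "code_desc": "constructed", "message": "constructed failure"}]
          }
        ]
      }
    ]
  }
JSON

# One result per describe block. A control fails if any result failed,
# passes if none failed and at least one passed, and is skipped when every
# result was skipped (lnx-12 above has only a skip, so it never fails).
def control_status(control)
  statuses = control.fetch('results', []).map { |r| r['status'] }
  return 'failed'  if statuses.include?('failed')
  return 'passed'  if statuses.include?('passed')
  return 'skipped' if statuses.include?('skipped')
  'no results'
end

# Flatten every profile in the report into one row per control.
def summarize(report_json)
  report = JSON.parse(report_json)
  report.fetch('profiles').flat_map { |profile| profile.fetch('controls', []) }.map do |c|
    {
      id:       c['id'],
      impact:   c['impact'].to_f,
      status:   control_status(c),
      messages: c.fetch('results', []).select { |r| r['status'] == 'failed' }.map { |r| r['message'] }
    }
  end
end

# Block the build only on failed controls at or above min_impact (0.7 is this
# example's choice, not an InSpec or profile default). Lower-impact failures and
# skipped controls are reported so that they stay visible without blocking.
def gate(report_json, min_impact: 0.7)
  rows   = summarize(report_json)
  failed = rows.select { |r| r[:status] == 'failed' }
  blocking = failed.select { |r| r[:impact] >= min_impact }.map { |r| r[:id] }
  {
    blocking:     blocking,
    non_blocking: failed.select { |r| r[:impact] < min_impact }.map { |r| r[:id] },
    skipped:      rows.select { |r| r[:status] == 'skipped' }.map { |r| r[:id] },
    exit_code:    blocking.empty? ? 0 : 1
  }
end

# Human-readable lines for the build log.
def format_summary(result)
  lines  = result[:blocking].map     { |id| "BLOCKING  #{id}" }
  lines += result[:non_blocking].map { |id| "advisory  #{id}" }
  lines += result[:skipped].map      { |id| "skipped   #{id} (no tests ran)" }
  lines << "exit code: #{result[:exit_code]}"
end

puts format_summary(gate(SAMPLE_REPORT))
```

To gate a real run, replace `SAMPLE_REPORT` with `$stdin.read` and pipe `inspec exec hardening-test --reporter json` into the script, exiting with `result[:exit_code]`.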
--------------------------------------------------------------------------------
/Inspec/hardening-test/vendor/1e596626f2305160dffad6f3c3a2c03b853a03f0b773d6d8ae957b6046b64146/linux-baseline-master/Rakefile:
--------------------------------------------------------------------------------

    require 'rake/testtask'
    require 'rubocop/rake_task'

    # Rubocop
    desc 'Run Rubocop lint checks'
    task :rubocop do
      RuboCop::RakeTask.new
    end

    # lint the project
    desc 'Run robocop linter'
    task lint: [:rubocop]

    # run tests
    task default: [:lint, 'test:check']

    namespace :test do
      # run inspec check to verify that the profile is properly configured
      task :check do
        require 'inspec'
        puts "Checking profile with InSpec Version: #{Inspec::VERSION}"
        profile = Inspec::Profile.for_target('.', backend: Inspec::Backend.create(Inspec::Config.mock))
        pp profile.check
      end
    end

    task :changelog do
      # Automatically generate a changelog for this project. Only loaded if
      # the necessary gem is installed. By default its picking up the version from
      # inspec.yml. You can override that behavior with `rake changelog to=1.2.0`
      begin
        require 'yaml'
        metadata = YAML.load_file('inspec.yml')
        v = ENV['to'] || metadata['version']
        puts " * Generating changelog for version #{v}"
        require 'github_changelog_generator/task'
        GitHubChangelogGenerator::RakeTask.new :changelog do |config|
          config.future_release = v
          config.user = 'dev-sec'
          config.project = 'linux-baseline'
        end
        Rake::Task[:changelog].execute
      rescue LoadError
        puts '>>>>> GitHub Changelog Generator not loaded, omitting tasks'
      end
    end

--------------------------------------------------------------------------------
/Inspec/hardening-test/vendor/1e596626f2305160dffad6f3c3a2c03b853a03f0b773d6d8ae957b6046b64146/linux-baseline-master/controls/os_spec.rb:
--------------------------------------------------------------------------------

    #
    # Copyright 2015, Patrick Muench
    #
    # Licensed under the Apache License, Version 2.0 (the "License");
    # you may not use this file except in compliance with the License.
    # You may obtain a copy of the License at
    #
    #     http://www.apache.org/licenses/LICENSE-2.0
    #
    # Unless required by applicable law or agreed to in writing, software
    # distributed under the License is distributed on an "AS IS" BASIS,
    # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    # See the License for the specific language governing permissions and
    # limitations under the License.
    #
    # author: Christoph Hartmann
    # author: Dominik Richter
    # author: Patrick Muench

    login_defs_umask = attribute('login_defs_umask', default: os.redhat? ? '077' : '027', description: 'Default umask to set in login.defs')

    login_defs_passmaxdays = attribute('login_defs_passmaxdays', default: '60', description: 'Default password maxdays to set in login.defs')
    login_defs_passmindays = attribute('login_defs_passmindays', default: '7', description: 'Default password mindays to set in login.defs')
    login_defs_passwarnage = attribute('login_defs_passwarnage', default: '7', description: 'Default password warnage (days) to set in login.defs')

    shadow_group = 'root'
    shadow_group = 'shadow' if os.debian? || os.suse? || os.name == 'alpine'
    container_execution = begin
      virtualization.role == 'guest' && virtualization.system =~ /^(lxc|docker)$/
    rescue NoMethodError
      false
    end

    blacklist = attribute(
      'blacklist',
      default: suid_blacklist.default,
      description: 'blacklist of suid/sgid program on system'
    )

    control 'os-01' do
      impact 1.0
      title 'Trusted hosts login'
      desc "hosts.equiv file is a weak implemenation of authentication. Disabling the hosts.equiv support helps to prevent users from subverting the system's normal access control mechanisms of the system."
      describe file('/etc/hosts.equiv') do
        it { should_not exist }
      end
    end

    control 'os-02' do
      impact 1.0
      title 'Check owner and permissions for /etc/shadow'
      desc 'Check periodically the owner and permissions for /etc/shadow'
      describe file('/etc/shadow') do
        it { should exist }
        it { should be_file }
        it { should be_owned_by 'root' }
        its('group') { should eq shadow_group }
        it { should_not be_executable }
        it { should_not be_readable.by('other') }
      end
      if os.redhat? || os.name == 'fedora'
        describe file('/etc/shadow') do
          it { should_not be_writable.by('owner') }
          it { should_not be_readable.by('owner') }
        end
      else
        describe file('/etc/shadow') do
          it { should be_writable.by('owner') }
          it { should be_readable.by('owner') }
        end
      end
      if os.debian? || os.suse?
        describe file('/etc/shadow') do
          it { should be_readable.by('group') }
        end
      else
        describe file('/etc/shadow') do
          it { should_not be_readable.by('group') }
        end
      end
    end

    control 'os-03' do
      impact 1.0
      title 'Check owner and permissions for /etc/passwd'
      desc 'Check periodically the owner and permissions for /etc/passwd'
      describe file('/etc/passwd') do
        it { should exist }
        it { should be_file }
        it { should be_owned_by 'root' }
        its('group') { should eq 'root' }
        it { should_not be_executable }
        it { should be_writable.by('owner') }
        it { should_not be_writable.by('group') }
        it { should_not be_writable.by('other') }
        it { should be_readable.by('owner') }
        it { should be_readable.by('group') }
        it { should be_readable.by('other') }
      end
    end

    control 'os-04' do
      impact 1.0
      title 'Dot in PATH variable'
      desc 'Do not include the current working directory in PATH variable. This makes it easier for an attacker to gain extensive rigths by executing a Trojan program'
      describe os_env('PATH') do
        its('split') { should_not include('') }
        its('split') { should_not include('.') }
      end
    end

    control 'os-05' do
      impact 1.0
      title 'Check login.defs'
      desc 'Check owner and permissions for login.defs.
Also check the configured PATH variable and umask in login.defs' 116 | describe file('/etc/login.defs') do 117 | it { should exist } 118 | it { should be_file } 119 | it { should be_owned_by 'root' } 120 | its('group') { should eq 'root' } 121 | it { should_not be_executable } 122 | it { should be_readable.by('owner') } 123 | it { should be_readable.by('group') } 124 | it { should be_readable.by('other') } 125 | end 126 | describe login_defs do 127 | its('ENV_SUPATH') { should include('/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin') } 128 | its('ENV_PATH') { should include('/usr/local/bin:/usr/bin:/bin') } 129 | its('UMASK') { should include(login_defs_umask) } 130 | its('PASS_MAX_DAYS') { should eq login_defs_passmaxdays } 131 | its('PASS_MIN_DAYS') { should eq login_defs_passmindays } 132 | its('PASS_WARN_AGE') { should eq login_defs_passwarnage } 133 | its('LOGIN_RETRIES') { should eq '5' } 134 | its('LOGIN_TIMEOUT') { should eq '60' } 135 | its('UID_MIN') { should eq '1000' } 136 | its('GID_MIN') { should eq '1000' } 137 | end 138 | end 139 | 140 | control 'os-05b' do 141 | impact 1.0 142 | title 'Check login.defs - RedHat specific' 143 | desc 'Check owner and permissions for login.defs. Also check the configured PATH variable and umask in login.defs' 144 | describe file('/etc/login.defs') do 145 | it { should_not be_writable } 146 | end 147 | describe login_defs do 148 | its('SYS_UID_MIN') { should eq '201' } 149 | its('SYS_UID_MAX') { should eq '999' } 150 | its('SYS_GID_MIN') { should eq '201' } 151 | its('SYS_GID_MAX') { should eq '999' } 152 | end 153 | only_if { os.redhat? 
} 154 | end 155 | 156 | control 'os-06' do 157 | impact 1.0 158 | title 'Check for SUID/ SGID blacklist' 159 | desc 'Find blacklisted SUID and SGID files to ensure that no rogue SUID and SGID files have been introduced into the system' 160 | 161 | describe suid_check(blacklist) do 162 | its('diff') { should be_empty } 163 | end 164 | end 165 | 166 | control 'os-07' do 167 | impact 1.0 168 | title 'Unique uid and gid' 169 | desc 'Check for unique uids gids' 170 | describe passwd do 171 | its('uids') { should_not contain_duplicates } 172 | end 173 | describe etc_group do 174 | its('gids') { should_not contain_duplicates } 175 | end 176 | end 177 | 178 | control 'os-08' do 179 | impact 1.0 180 | title 'Entropy' 181 | desc 'Check system has enough entropy - greater than 1000' 182 | describe file('/proc/sys/kernel/random/entropy_avail').content.to_i do 183 | it { should >= 1000 } 184 | end 185 | end 186 | 187 | control 'os-09' do 188 | impact 1.0 189 | title 'Check for .rhosts and .netrc file' 190 | desc 'Find .rhosts and .netrc files - CIS Benchmark 9.2.9-10' 191 | output = command('find / -maxdepth 3 \( -iname .rhosts -o -iname .netrc \) -print 2>/dev/null | grep -v \'^find:\'') 192 | out = output.stdout.split(/\r?\n/) 193 | describe out do 194 | it { should be_empty } 195 | end 196 | end 197 | 198 | control 'os-10' do 199 | impact 1.0 200 | title 'CIS: Disable unused filesystems' 201 | desc '1.1.1 Ensure mounting of cramfs, freevxfs, jffs2, hfs, hfsplus, squashfs, udf, FAT' 202 | only_if { !container_execution } 203 | efi_dir = inspec.file('/sys/firmware/efi') 204 | describe file('/etc/modprobe.d/dev-sec.conf') do 205 | its(:content) { should match 'install cramfs /bin/true' } 206 | its(:content) { should match 'install freevxfs /bin/true' } 207 | its(:content) { should match 'install jffs2 /bin/true' } 208 | its(:content) { should match 'install hfs /bin/true' } 209 | its(:content) { should match 'install hfsplus /bin/true' } 210 | its(:content) { should match 
'install squashfs /bin/true' } 211 | its(:content) { should match 'install udf /bin/true' } 212 | # if efi is active, do not disable vfat. otherwise the system 213 | # won't boot anymore 214 | unless efi_dir.exist? 215 | its(:content) { should match 'install vfat /bin/true' } 216 | end 217 | end 218 | end 219 | 220 | control 'os-11' do 221 | impact 1.0 222 | title 'Protect log-directory' 223 | desc 'The log-directory /var/log should belong to root' 224 | describe file('/var/log') do 225 | it { should be_directory } 226 | it { should be_owned_by 'root' } 227 | its(:group) { should match(/^root|syslog$/) } 228 | end 229 | end 230 | -------------------------------------------------------------------------------- /Inspec/hardening-test/vendor/1e596626f2305160dffad6f3c3a2c03b853a03f0b773d6d8ae957b6046b64146/linux-baseline-master/controls/package_spec.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2015, Patrick Muench 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | # 16 | # author: Christoph Hartmann 17 | # author: Dominik Richter 18 | # author: Patrick Muench 19 | 20 | val_syslog_pkg = attribute('syslog_pkg', default: 'rsyslog', description: 'syslog package to ensure present (default: rsyslog, alternative: syslog-ng...') 21 | container_execution = begin 22 | virtualization.role == 'guest' && virtualization.system =~ /^(lxc|docker)$/ 23 | rescue NoMethodError 24 | false 25 | end 26 | 27 | control 'package-01' do 28 | impact 1.0 29 | title 'Do not run deprecated inetd or xinetd' 30 | desc 'http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.1' 31 | describe package('inetd') do 32 | it { should_not be_installed } 33 | end 34 | describe package('xinetd') do 35 | it { should_not be_installed } 36 | end 37 | end 38 | 39 | control 'package-02' do 40 | impact 1.0 41 | title 'Do not install Telnet server' 42 | desc 'Telnet protocol uses unencrypted communication, that means the password and other sensitive data are unencrypted. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.2' 43 | describe package('telnetd') do 44 | it { should_not be_installed } 45 | end 46 | end 47 | 48 | control 'package-03' do 49 | impact 1.0 50 | title 'Do not install rsh server' 51 | desc 'The r-commands suffers same problem as telnet. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.3' 52 | describe package('rsh-server') do 53 | it { should_not be_installed } 54 | end 55 | end 56 | 57 | control 'package-05' do 58 | impact 1.0 59 | title 'Do not install ypserv server (NIS)' 60 | desc 'Network Information Service (NIS) has some security design weaknesses like inadequate protection of important authentication information. 
http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.4' 61 | describe package('ypserv') do 62 | it { should_not be_installed } 63 | end 64 | end 65 | 66 | control 'package-06' do 67 | impact 1.0 68 | title 'Do not install tftp server' 69 | desc 'tftp-server provides little security http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.5' 70 | describe package('tftp-server') do 71 | it { should_not be_installed } 72 | end 73 | end 74 | 75 | control 'package-07' do 76 | impact 1.0 77 | title 'Install syslog server package' 78 | desc 'Syslog server is required to receive system and applications logs' 79 | # Fedora doesn't install with a syslogger out of the box and instead uses 80 | # systemd journal; as there is there is no affinity towards either rsyslog 81 | # or syslog-ng, we'll skip this check on Fedora hosts. 82 | only_if { os.name != 'fedora' && !container_execution } 83 | describe package(val_syslog_pkg) do 84 | it { should be_installed } 85 | end 86 | end 87 | 88 | control 'package-08' do 89 | impact 1.0 90 | title 'Install auditd' 91 | desc 'auditd provides extended logging capabilities on recent distributions' 92 | only_if { !container_execution } 93 | audit_pkg = os.redhat? || os.suse? || os.name == 'amazon' || os.name == 'fedora' ? 
'audit' : 'auditd' 94 | describe package(audit_pkg) do 95 | it { should be_installed } 96 | end 97 | describe auditd_conf do 98 | its('log_file') { should cmp '/var/log/audit/audit.log' } 99 | its('log_format') { should cmp 'raw' } 100 | its('flush') { should match(/^incremental|INCREMENTAL|incremental_async|INCREMENTAL_ASYNC$/) } 101 | its('max_log_file_action') { should cmp 'keep_logs' } 102 | its('space_left') { should cmp 75 } 103 | its('action_mail_acct') { should cmp 'root' } 104 | its('space_left_action') { should cmp 'SYSLOG' } 105 | its('admin_space_left') { should cmp 50 } 106 | its('admin_space_left_action') { should cmp 'SUSPEND' } 107 | its('disk_full_action') { should cmp 'SUSPEND' } 108 | its('disk_error_action') { should cmp 'SUSPEND' } 109 | end 110 | end 111 | 112 | control 'package-09' do 113 | impact 1.0 114 | title 'CIS: Additional process hardening' 115 | desc '1.5.4 Ensure prelink is disabled' 116 | describe package('prelink') do 117 | it { should_not be_installed } 118 | end 119 | end 120 | -------------------------------------------------------------------------------- /Inspec/hardening-test/vendor/1e596626f2305160dffad6f3c3a2c03b853a03f0b773d6d8ae957b6046b64146/linux-baseline-master/controls/sysctl_spec.rb: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2015, Patrick Muench 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # See the License for the specific language governing permissions and 14 | # limitations under the License. 
15 | # 16 | # author: Christoph Hartmann 17 | # author: Dominik Richter 18 | # author: Patrick Muench 19 | 20 | sysctl_forwarding = attribute('sysctl_forwarding', default: false, description: 'Is network forwarding needed?') 21 | kernel_modules_disabled = attribute('kernel_modules_disabled', default: 0, description: 'Should loading of kernel modules be disabled?') 22 | container_execution = begin 23 | virtualization.role == 'guest' && virtualization.system =~ /^(lxc|docker)$/ 24 | rescue NoMethodError 25 | false 26 | end 27 | 28 | control 'sysctl-01' do 29 | impact 1.0 30 | title 'IPv4 Forwarding' 31 | desc "If you're not intending for your system to forward traffic between interfaces, or if you only have a single interface, the forwarding function must be disable." 32 | only_if { sysctl_forwarding == false && !container_execution } 33 | describe kernel_parameter('net.ipv4.ip_forward') do 34 | its(:value) { should eq 0 } 35 | end 36 | describe kernel_parameter('net.ipv4.conf.all.forwarding') do 37 | its(:value) { should eq 0 } 38 | end 39 | end 40 | 41 | control 'sysctl-02' do 42 | impact 1.0 43 | title 'Reverse path filtering' 44 | desc "The rp_filter can reject incoming packets if their source address doesn't match the network interface that they're arriving on, which helps to prevent IP spoofing." 45 | only_if { !container_execution } 46 | describe kernel_parameter('net.ipv4.conf.all.rp_filter') do 47 | its(:value) { should eq 1 } 48 | end 49 | describe kernel_parameter('net.ipv4.conf.default.rp_filter') do 50 | its(:value) { should eq 1 } 51 | end 52 | end 53 | 54 | control 'sysctl-03' do 55 | impact 1.0 56 | title 'ICMP ignore bogus error responses' 57 | desc 'Sometimes routers send out invalid responses to broadcast frames. This is a violation of RFC 1122 and the kernel will logged this. 
To avoid filling up your logfile with unnecessary stuff, you can tell the kernel not to issue these warnings' 58 | only_if { !container_execution } 59 | describe kernel_parameter('net.ipv4.icmp_ignore_bogus_error_responses') do 60 | its(:value) { should eq 1 } 61 | end 62 | end 63 | 64 | control 'sysctl-04' do 65 | impact 1.0 66 | title 'ICMP echo ignore broadcasts' 67 | desc 'Blocking ICMP ECHO requests to broadcast addresses' 68 | only_if { !container_execution } 69 | describe kernel_parameter('net.ipv4.icmp_echo_ignore_broadcasts') do 70 | its(:value) { should eq 1 } 71 | end 72 | end 73 | 74 | control 'sysctl-05' do 75 | impact 1.0 76 | title 'ICMP ratelimit' 77 | desc 'icmp_ratelimit defines how many packets that match the icmp_ratemask per second' 78 | only_if { !container_execution } 79 | describe kernel_parameter('net.ipv4.icmp_ratelimit') do 80 | its(:value) { should eq 100 } 81 | end 82 | end 83 | 84 | control 'sysctl-06' do 85 | impact 1.0 86 | title 'ICMP ratemask' 87 | desc 'Ratemask is a logical OR of all ICMP codes to rate limit' 88 | only_if { !container_execution } 89 | describe kernel_parameter('net.ipv4.icmp_ratemask') do 90 | its(:value) { should eq 88089 } 91 | end 92 | end 93 | 94 | control 'sysctl-07' do 95 | impact 1.0 96 | title 'TCP timestamps' 97 | desc "It is possible to estimate the current uptime of a Linux system. It's preferable to disable TCP timestamps on your systems." 98 | only_if { !container_execution } 99 | describe kernel_parameter('net.ipv4.tcp_timestamps') do 100 | its(:value) { should eq 0 } 101 | end 102 | end 103 | 104 | control 'sysctl-08' do 105 | impact 1.0 106 | title 'ARP ignore' 107 | desc 'Reply only if the target IP address is local address configured on the incoming interface.' 
108 | only_if { !container_execution } 109 | describe kernel_parameter('net.ipv4.conf.all.arp_ignore') do 110 | its(:value) { should eq 1 } 111 | end 112 | end 113 | 114 | control 'sysctl-09' do 115 | impact 1.0 116 | title 'ARP announce' 117 | desc 'Always use the best local address for this target. In this mode we ignore the source address in the IP packet and try to select local address that we prefer for talks with the target host.' 118 | only_if { !container_execution } 119 | describe kernel_parameter('net.ipv4.conf.all.arp_announce') do 120 | its(:value) { should eq 2 } 121 | end 122 | end 123 | 124 | control 'sysctl-10' do 125 | impact 1.0 126 | title 'TCP RFC1337 Protect Against TCP Time-Wait' 127 | desc 'This enables a fix for time-wait assassination hazards in tcp, described in RFC 1337. If enabled, this causes the kernel to drop RST packets for sockets in the time-wait state.' 128 | only_if { !container_execution } 129 | describe kernel_parameter('net.ipv4.tcp_rfc1337') do 130 | its(:value) { should eq 1 } 131 | end 132 | end 133 | 134 | control 'sysctl-11' do 135 | impact 1.0 136 | title 'Protection against SYN flood attacks' 137 | desc 'A SYN-Attack is a denial of service (DoS) attack that consumes resources on your system forcing you to reboot.' 138 | only_if { !container_execution } 139 | describe kernel_parameter('net.ipv4.tcp_syncookies') do 140 | its(:value) { should eq 1 } 141 | end 142 | end 143 | 144 | control 'sysctl-12' do 145 | impact 1.0 146 | title 'Shared Media IP Architecture' 147 | desc 'Send(router) or accept(host) RFC1620 shared media redirects. If it is not set the kernel does not assume that different subnets on this device can communicate directly.' 
148 | only_if { !container_execution } 149 | describe kernel_parameter('net.ipv4.conf.all.shared_media') do 150 | its(:value) { should eq 1 } 151 | end 152 | describe kernel_parameter('net.ipv4.conf.default.shared_media') do 153 | its(:value) { should eq 1 } 154 | end 155 | end 156 | 157 | control 'sysctl-13' do 158 | impact 1.0 159 | title 'Disable Source Routing' 160 | desc 'The accept_source_route option causes network interfaces to accept packets with the Strict Source Route (SSR) or Loose Source Routing (LSR) option set. An attacker is able to send a source routed packet into the network, then he could intercept the replies and your server might not know that it is not communicating with a trusted server' 161 | only_if { !container_execution } 162 | describe kernel_parameter('net.ipv4.conf.all.accept_source_route') do 163 | its(:value) { should eq 0 } 164 | end 165 | describe kernel_parameter('net.ipv4.conf.default.accept_source_route') do 166 | its(:value) { should eq 0 } 167 | end 168 | end 169 | 170 | control 'sysctl-14' do 171 | impact 1.0 172 | title 'Disable acceptance of all IPv4 redirected packets' 173 | desc 'Disable acceptance of all redirected packets these prevents Man-in-the-Middle attacks.' 174 | only_if { !container_execution } 175 | describe kernel_parameter('net.ipv4.conf.default.accept_redirects') do 176 | its(:value) { should eq 0 } 177 | end 178 | describe kernel_parameter('net.ipv4.conf.all.accept_redirects') do 179 | its(:value) { should eq 0 } 180 | end 181 | end 182 | 183 | control 'sysctl-15' do 184 | impact 1.0 185 | title 'Disable acceptance of all secure redirected packets' 186 | desc 'Disable acceptance of all secure redirected packets these prevents Man-in-the-Middle attacks.' 
187 | only_if { !container_execution } 188 | describe kernel_parameter('net.ipv4.conf.all.secure_redirects') do 189 | its(:value) { should eq 0 } 190 | end 191 | describe kernel_parameter('net.ipv4.conf.default.secure_redirects') do 192 | its(:value) { should eq 0 } 193 | end 194 | end 195 | 196 | control 'sysctl-16' do 197 | impact 1.0 198 | title 'Disable sending of redirects packets' 199 | desc 'Disable sending of redirects packets' 200 | only_if { !container_execution } 201 | describe kernel_parameter('net.ipv4.conf.default.send_redirects') do 202 | its(:value) { should eq 0 } 203 | end 204 | describe kernel_parameter('net.ipv4.conf.all.send_redirects') do 205 | its(:value) { should eq 0 } 206 | end 207 | end 208 | 209 | control 'sysctl-17' do 210 | impact 1.0 211 | title 'Disable log martians' 212 | desc 'log_martians can cause a denial of service attack to the host' 213 | only_if { !container_execution } 214 | describe kernel_parameter('net.ipv4.conf.all.log_martians') do 215 | its(:value) { should eq 1 } 216 | end 217 | describe kernel_parameter('net.ipv4.conf.default.log_martians') do 218 | its(:value) { should eq 1 } 219 | end 220 | end 221 | 222 | control 'sysctl-18' do 223 | impact 1.0 224 | title 'Disable IPv6 if it is not needed' 225 | desc 'Disable IPv6 if it is not needed' 226 | only_if { !container_execution } 227 | describe kernel_parameter('net.ipv6.conf.all.disable_ipv6') do 228 | its(:value) { should eq 1 } 229 | end 230 | end 231 | 232 | control 'sysctl-19' do 233 | impact 1.0 234 | title 'IPv6 Forwarding' 235 | desc "If you're not intending for your system to forward traffic between interfaces, or if you only have a single interface, the forwarding function must be disable." 
236 | only_if { !container_execution } 237 | describe kernel_parameter('net.ipv6.conf.all.forwarding') do 238 | its(:value) { should eq 0 } 239 | end 240 | end 241 | 242 | control 'sysctl-20' do 243 | impact 1.0 244 | title 'Disable acceptance of all IPv6 redirected packets' 245 | desc 'Disable acceptance of all redirected packets these prevents Man-in-the-Middle attacks.' 246 | only_if { !container_execution } 247 | describe kernel_parameter('net.ipv6.conf.default.accept_redirects') do 248 | its(:value) { should eq 0 } 249 | end 250 | describe kernel_parameter('net.ipv6.conf.all.accept_redirects') do 251 | its(:value) { should eq 0 } 252 | end 253 | end 254 | 255 | control 'sysctl-21' do 256 | impact 1.0 257 | title 'Disable acceptance of IPv6 router solicitations messages' 258 | desc 'The router solicitations setting determines how many router solicitations are sent when bringing up the interface. If addresses are statically assigned, there is no need to send any solicitations.' 259 | only_if { !container_execution } 260 | describe kernel_parameter('net.ipv6.conf.default.router_solicitations') do 261 | its(:value) { should eq 0 } 262 | end 263 | end 264 | 265 | control 'sysctl-22' do 266 | impact 1.0 267 | title 'Disable Accept Router Preference from router advertisement' 268 | desc 'Disable Accept Router Preference from router advertisement' 269 | only_if { !container_execution } 270 | describe kernel_parameter('net.ipv6.conf.default.accept_ra_rtr_pref') do 271 | its(:value) { should eq 0 } 272 | end 273 | end 274 | 275 | control 'sysctl-23' do 276 | impact 1.0 277 | title 'Disable learning Prefix Information from router advertisement' 278 | desc 'The accept_ra_pinfo setting controls whether the system will accept prefix info from the router.' 
279 | only_if { !container_execution } 280 | describe kernel_parameter('net.ipv6.conf.default.accept_ra_pinfo') do 281 | its(:value) { should eq 0 } 282 | end 283 | end 284 | 285 | control 'sysctl-24' do 286 | impact 1.0 287 | title 'Disable learning Hop limit from router advertisement' 288 | desc 'The accept_ra_defrtr setting controls whether the system will accept Hop Limit settings from a router advertisement. Setting it to 0 prevents a router from changing your default IPv6 Hop Limit for outgoing packets.' 289 | only_if { !container_execution } 290 | describe kernel_parameter('net.ipv6.conf.default.accept_ra_defrtr') do 291 | its(:value) { should eq 0 } 292 | end 293 | end 294 | 295 | control 'sysctl-25' do 296 | impact 1.0 297 | title 'Disable the system`s acceptance of router advertisement' 298 | desc 'Setting controls whether the system will accept router advertisement' 299 | only_if { !container_execution } 300 | describe kernel_parameter('net.ipv6.conf.all.accept_ra') do 301 | its(:value) { should eq 0 } 302 | end 303 | describe kernel_parameter('net.ipv6.conf.default.accept_ra') do 304 | its(:value) { should eq 0 } 305 | end 306 | end 307 | 308 | control 'sysctl-26' do 309 | impact 1.0 310 | title 'Disable IPv6 autoconfiguration' 311 | desc 'The autoconf setting controls whether router advertisements can cause the system to assign a global unicast address to an interface.' 312 | only_if { !container_execution } 313 | describe kernel_parameter('net.ipv6.conf.default.autoconf') do 314 | its(:value) { should eq 0 } 315 | end 316 | end 317 | 318 | control 'sysctl-27' do 319 | impact 1.0 320 | title 'Disable neighbor solicitations to send out per address' 321 | desc 'The dad_transmits setting determines how many neighbor solicitations to send out per address (global and link-local) when bringing up an interface to ensure the desired address is unique on the network.' 
322 | only_if { !container_execution } 323 | describe kernel_parameter('net.ipv6.conf.default.dad_transmits') do 324 | its(:value) { should eq 0 } 325 | end 326 | end 327 | 328 | control 'sysctl-28' do 329 | impact 1.0 330 | title 'Assign one global unicast IPv6 addresses to each interface' 331 | desc 'The max_addresses setting determines how many global unicast IPv6 addresses can be assigned to each interface. The default is 16, but it should be set to exactly the number of statically configured global addresses required.' 332 | only_if { !container_execution } 333 | describe kernel_parameter('net.ipv6.conf.default.max_addresses') do 334 | its(:value) { should eq 1 } 335 | end 336 | end 337 | 338 | control 'sysctl-29' do 339 | impact 1.0 340 | title 'Disable loading kernel modules' 341 | desc 'The sysctl key kernel.modules_disabled is very straightforward. If it contains a "1" it will disable loading new modules, where a "0" will still allow loading them. Using this option will be a great protection against loading malicious kernel modules.' 342 | only_if { !container_execution } 343 | describe kernel_parameter('kernel.modules_disabled') do 344 | its(:value) { should eq kernel_modules_disabled } 345 | end 346 | end 347 | 348 | control 'sysctl-30' do 349 | impact 1.0 350 | title 'Magic SysRq' 351 | desc "Kernel.sysreg is a 'magical' key combo you can hit which the kernel will respond to regardless of whatever else it is doing, unless it is completely locked up." 
352 | only_if { !container_execution } 353 | describe kernel_parameter('kernel.sysrq') do 354 | its(:value) { should eq 0 } 355 | end 356 | end 357 | 358 | control 'sysctl-31a' do 359 | impact 1.0 360 | title 'Secure Core Dumps - dump settings' 361 | desc 'Ensure that core dumps can never be made by setuid programs' 362 | only_if { !container_execution } 363 | describe kernel_parameter('fs.suid_dumpable') do 364 | its(:value) { should cmp(/(0|2)/) } 365 | end 366 | end 367 | 368 | control 'sysctl-31b' do 369 | impact 1.0 370 | title 'Secure Core Dumps - dump path' 371 | desc 'Ensure that core dumps are done with fully qualified path' 372 | only_if { kernel_parameter('fs.suid_dumpable').value == 2 && !container_execution } 373 | describe kernel_parameter('kernel.core_pattern') do 374 | its(:value) { should match %r{^\|?/.*} } 375 | end 376 | end 377 | 378 | control 'sysctl-32' do 379 | impact 1.0 380 | title 'kernel.randomize_va_space' 381 | desc 'kernel.randomize_va_space' 382 | only_if { !container_execution } 383 | describe kernel_parameter('kernel.randomize_va_space') do 384 | its(:value) { should eq 2 } 385 | end 386 | end 387 | 388 | control 'sysctl-33' do 389 | impact 1.0 390 | title 'CPU No execution Flag or Kernel ExecShield' 391 | desc 'Kernel features and CPU flags provide a protection against buffer overflows. The CPU NX Flag and the kernel parameter exec-shield prevents code execution on a per memory page basis. If the CPU supports the NX-Flag then this should be used instead of the kernel parameter exec-shield.' 
  only_if { !container_execution }

  # parse for cpu flags
  flags = parse_config_file('/proc/cpuinfo', assignment_regex: /^([^:]*?)\s+:\s+(.*?)$/).flags
  flags ||= ''
  flags = flags.split(' ')

  describe '/proc/cpuinfo' do
    it 'Flags should include NX' do
      expect(flags).to include('nx')
    end
  end

  unless flags.include?('nx')
    # if no nx flag is present, we require exec-shield
    describe kernel_parameter('kernel.exec-shield') do
      its(:value) { should eq 1 }
    end
  end
end
--------------------------------------------------------------------------------
/Inspec/hardening-test/vendor/1e596626f2305160dffad6f3c3a2c03b853a03f0b773d6d8ae957b6046b64146/linux-baseline-master/inspec.yml:
--------------------------------------------------------------------------------
name: linux-baseline
title: DevSec Linux Security Baseline
maintainer: DevSec Hardening Framework Team
copyright: DevSec Hardening Framework Team
copyright_email: hello@dev-sec.io
license: Apache-2.0
summary: Test suite for best practice Linux OS hardening
version: 2.3.0
supports:
  - os-family: linux
--------------------------------------------------------------------------------
/Inspec/hardening-test/vendor/1e596626f2305160dffad6f3c3a2c03b853a03f0b773d6d8ae957b6046b64146/linux-baseline-master/libraries/suid_blacklist.rb:
--------------------------------------------------------------------------------
# author: Christoph Hartmann

class SUIDBlacklist < Inspec.resource(1)
  name 'suid_blacklist'
  desc 'The suid_blacklist resource returns the default suid blacklist'

  def default
    [
      # blacklist as provided by NSA
      '/usr/bin/rcp', '/usr/bin/rlogin', '/usr/bin/rsh',
      # sshd must not use host-based authentication (see ssh cookbook)
      '/usr/libexec/openssh/ssh-keysign',
      '/usr/lib/openssh/ssh-keysign',
      # misc others
      '/sbin/netreport',                          # not normally required for user
      '/usr/sbin/usernetctl',                     # modify interfaces via functional accounts
      # connecting to ...
      '/usr/sbin/userisdnctl',                    # no isdn...
      '/usr/sbin/pppd',                           # no ppp / dsl ...
      # lockfile
      '/usr/bin/lockfile',
      '/usr/bin/mail-lock',
      '/usr/bin/mail-unlock',
      '/usr/bin/mail-touchlock',
      '/usr/bin/dotlockfile',
      # need more investigation, blacklist for now
      '/usr/bin/arping',
      '/usr/sbin/arping',
      '/usr/sbin/uuidd',
      '/usr/bin/mtr',                             # investigate current state...
      '/usr/lib/evolution/camel-lock-helper-1.2', # investigate current state...
      '/usr/lib/pt_chown',                        # pseudo-tty, needed?
      '/usr/lib/eject/dmcrypt-get-device',
      '/usr/lib/mc/cons.saver' # midnight commander screensaver
      # from Ubuntu xenial, need to investigate
      # '/sbin/unix_chkpwd',
      # '/sbin/pam_extrausers_chkpwd',
      # '/usr/lib/x86_64-linux-gnu/utempter/utempter',
      # '/usr/sbin/postdrop',
      # '/usr/sbin/postqueue',
      # '/usr/bin/ssh-agent',
      # '/usr/bin/mlocate',
      # '/usr/bin/crontab',
      # '/usr/bin/screen',
      # '/usr/bin/expiry',
      # '/usr/bin/wall',
      # '/usr/bin/chage',
      # '/usr/bin/bsd-write'
    ]
  end
end
--------------------------------------------------------------------------------
/Inspec/hardening-test/vendor/1e596626f2305160dffad6f3c3a2c03b853a03f0b773d6d8ae957b6046b64146/linux-baseline-master/libraries/suid_check.rb:
--------------------------------------------------------------------------------
# author: Christoph Hartmann

class SUIDCheck < Inspec.resource(1)
  name 'suid_check'
  desc 'Use the suid_check resource to verify the current SUID/SGID against a blacklist'
  example "
    describe suid_check(blacklist) do
      its('diff') { should be_empty }
    end
  "

  def initialize(blacklist = nil)
    blacklist = default if blacklist.nil?
    @blacklist = blacklist
  end

  # every SUID/SGID regular file on the host, one path per line
  def permissions
    output = inspec.command('find / -perm -4000 -o -perm -2000 -type f ! -path \'/proc/*\' ! -path \'/var/lib/lxd/containers/*\' -print 2>/dev/null | grep -v \'^find:\'')
    output.stdout.split(/\r?\n/)
  end

  # the SUID/SGID files found on the host that are also on the blacklist
  def diff
    permissions & @blacklist
  end
end
--------------------------------------------------------------------------------
/Inspec/hardening-test/vendor/cb0da29499dc5d27497ce906abfd3111970710fd0021ed0a013eb7cb2cc22c5b/ssh-baseline-master/CHANGELOG.md:
--------------------------------------------------------------------------------
# Change Log

## [2.4.0](https://github.com/dev-sec/ssh-baseline/tree/2.4.0) (2019-02-25)
[Full Changelog](https://github.com/dev-sec/ssh-baseline/compare/2.3.2...2.4.0)

**Closed issues:**

- need to account for sshd version when checking UseRoaming in `ssh\_config` [\#121](https://github.com/dev-sec/ssh-baseline/issues/121)
- profile fails inspec check [\#101](https://github.com/dev-sec/ssh-baseline/issues/101)
- Deprecated option [\#95](https://github.com/dev-sec/ssh-baseline/issues/95)

**Merged pull requests:**

- 2.4.0 [\#124](https://github.com/dev-sec/ssh-baseline/pull/124) ([chris-rock](https://github.com/chris-rock))
- Allow prohibit-password as PermitRootLogin value [\#123](https://github.com/dev-sec/ssh-baseline/pull/123) ([jeremy-clerc](https://github.com/jeremy-clerc))
- UseRoaming is deprecated, only check on older versions [\#122](https://github.com/dev-sec/ssh-baseline/pull/122) ([rndmh3ro](https://github.com/rndmh3ro))
- Fix os detection [\#120](https://github.com/dev-sec/ssh-baseline/pull/120) ([IceBear2k](https://github.com/IceBear2k))
- Update issue templates [\#118](https://github.com/dev-sec/ssh-baseline/pull/118) ([rndmh3ro](https://github.com/rndmh3ro))
- Fixup of UsePrivilegeSeparation deprecation for Amazon
[\#117](https://github.com/dev-sec/ssh-baseline/pull/117) ([artem-sidorenko](https://github.com/artem-sidorenko))
- Deprecated UsePrivilegeSeparation for Fedora/Amazon [\#116](https://github.com/dev-sec/ssh-baseline/pull/116) ([artem-sidorenko](https://github.com/artem-sidorenko))
- UseLogin is deprecated [\#114](https://github.com/dev-sec/ssh-baseline/pull/114) ([artem-sidorenko](https://github.com/artem-sidorenko))
- Add separate PrivilegeSeparation check for Ubuntu 1804 [\#113](https://github.com/dev-sec/ssh-baseline/pull/113) ([rndmh3ro](https://github.com/rndmh3ro))
- allow some customization of expected values depending on attributes [\#112](https://github.com/dev-sec/ssh-baseline/pull/112) ([juju4](https://github.com/juju4))
- Avoid checking deprecated optinos for OpenSSH \>=7.6 [\#110](https://github.com/dev-sec/ssh-baseline/pull/110) ([artem-sidorenko](https://github.com/artem-sidorenko))
- Avoid failing on EL 6 family and OpenSuse Leap 42 [\#109](https://github.com/dev-sec/ssh-baseline/pull/109) ([artem-sidorenko](https://github.com/artem-sidorenko))
- add debian 9 support [\#106](https://github.com/dev-sec/ssh-baseline/pull/106) ([rndmh3ro](https://github.com/rndmh3ro))
- adding ubuntu bionic support [\#104](https://github.com/dev-sec/ssh-baseline/pull/104) ([attachmentgenie](https://github.com/attachmentgenie))
- Initial support for Alpine Linux [\#102](https://github.com/dev-sec/ssh-baseline/pull/102) ([radhus](https://github.com/radhus))

## [2.3.2](https://github.com/dev-sec/ssh-baseline/tree/2.3.2) (2018-04-20)
[Full Changelog](https://github.com/dev-sec/ssh-baseline/compare/2.3.1...2.3.2)

**Merged pull requests:**

- Fix bogus success of sshd-47 on non Debian [\#100](https://github.com/dev-sec/ssh-baseline/pull/100) ([eramoto](https://github.com/eramoto))

## [2.3.1](https://github.com/dev-sec/ssh-baseline/tree/2.3.1) (2018-02-13)
[Full Changelog](https://github.com/dev-sec/ssh-baseline/compare/2.3.0...2.3.1)

**Closed issues:**

- No git tag for 2.3.0 [\#96](https://github.com/dev-sec/ssh-baseline/issues/96)

**Merged pull requests:**

- Modified the client\_alive\_interval default to suggested value [\#98](https://github.com/dev-sec/ssh-baseline/pull/98) ([iennae](https://github.com/iennae))
- Support Amazon Linux [\#97](https://github.com/dev-sec/ssh-baseline/pull/97) ([woneill](https://github.com/woneill))

## [2.3.0](https://github.com/dev-sec/ssh-baseline/tree/2.3.0) (2017-12-01)
[Full Changelog](https://github.com/dev-sec/ssh-baseline/compare/2.2.0...2.3.0)

**Closed issues:**

- OpenSSH 7.6 deprecated MACs [\#93](https://github.com/dev-sec/ssh-baseline/issues/93)

**Merged pull requests:**

- remove ripemd160 MAC from the macs66 list [\#94](https://github.com/dev-sec/ssh-baseline/pull/94) ([atomic111](https://github.com/atomic111))
- use recommended spdx license identifier [\#90](https://github.com/dev-sec/ssh-baseline/pull/90) ([chris-rock](https://github.com/chris-rock))
- CI: update to ruby 2.4.1 and rubocop 0.49 [\#89](https://github.com/dev-sec/ssh-baseline/pull/89) ([artem-sidorenko](https://github.com/artem-sidorenko))
- Support of OpenSuse Leap 42.2 [\#88](https://github.com/dev-sec/ssh-baseline/pull/88) ([artem-sidorenko](https://github.com/artem-sidorenko))

## [2.2.0](https://github.com/dev-sec/ssh-baseline/tree/2.2.0) (2017-05-08)
[Full Changelog](https://github.com/dev-sec/ssh-baseline/compare/2.1.1...2.2.0)

**Merged pull requests:**

- update copyright name [\#87](https://github.com/dev-sec/ssh-baseline/pull/87) ([chris-rock](https://github.com/chris-rock))
- update metadata [\#86](https://github.com/dev-sec/ssh-baseline/pull/86) ([chris-rock](https://github.com/chris-rock))
- restrict ruby testing to version 2.3.3 and update gemfile [\#85](https://github.com/dev-sec/ssh-baseline/pull/85) ([atomic111](https://github.com/atomic111))
- Proper tests for Opensuse leap 42.1 [\#84](https://github.com/dev-sec/ssh-baseline/pull/84) ([artem-sidorenko](https://github.com/artem-sidorenko))
- Fix check for os.darwin [\#83](https://github.com/dev-sec/ssh-baseline/pull/83) ([techraf](https://github.com/techraf))
- Add openssh definitions for macos [\#82](https://github.com/dev-sec/ssh-baseline/pull/82) ([artem-sidorenko](https://github.com/artem-sidorenko))
- Add support for oracle [\#80](https://github.com/dev-sec/ssh-baseline/pull/80) ([artem-sidorenko](https://github.com/artem-sidorenko))
- Algorithm/Hostkey tests for different platforms [\#79](https://github.com/dev-sec/ssh-baseline/pull/79) ([artem-sidorenko](https://github.com/artem-sidorenko))
- Test the strong DH primes [\#77](https://github.com/dev-sec/ssh-baseline/pull/77) ([artem-sidorenko](https://github.com/artem-sidorenko))
- Removal of DSA key [\#76](https://github.com/dev-sec/ssh-baseline/pull/76) ([artem-sidorenko](https://github.com/artem-sidorenko))
- Ignore inspec.lock file [\#73](https://github.com/dev-sec/ssh-baseline/pull/73) ([techraf](https://github.com/techraf))
- Remove the PAM deactivation enforcement [\#72](https://github.com/dev-sec/ssh-baseline/pull/72) ([artem-sidorenko](https://github.com/artem-sidorenko))

## [2.1.1](https://github.com/dev-sec/ssh-baseline/tree/2.1.1) (2016-12-22)
[Full Changelog](https://github.com/dev-sec/ssh-baseline/compare/2.1.0...2.1.1)

**Closed issues:**

- Compare ciphers as array? [\#70](https://github.com/dev-sec/ssh-baseline/issues/70)
- Error performing inspec exec https://github.com/dev-sec/tests-ssh-hardening [\#66](https://github.com/dev-sec/ssh-baseline/issues/66)

**Merged pull requests:**

- update profile metadata & tooling [\#71](https://github.com/dev-sec/ssh-baseline/pull/71) ([chris-rock](https://github.com/chris-rock))
- update Gemfile and remove ruby 1.9.3 support [\#69](https://github.com/dev-sec/ssh-baseline/pull/69) ([arlimus](https://github.com/arlimus))
- Test server config for Banner and DebianBanner [\#67](https://github.com/dev-sec/ssh-baseline/pull/67) ([tsenart](https://github.com/tsenart))
- pin rack version [\#65](https://github.com/dev-sec/ssh-baseline/pull/65) ([chris-rock](https://github.com/chris-rock))
- rename sshd-30 [\#64](https://github.com/dev-sec/ssh-baseline/pull/64) ([attachmentgenie](https://github.com/attachmentgenie))
- Fixing inspec tests for ubuntu hosts [\#63](https://github.com/dev-sec/ssh-baseline/pull/63) ([attachmentgenie](https://github.com/attachmentgenie))

## [2.1.0](https://github.com/dev-sec/ssh-baseline/tree/2.1.0) (2016-07-27)
[Full Changelog](https://github.com/dev-sec/ssh-baseline/compare/2.0.0...2.1.0)

**Closed issues:**

- ListenAddress [\#45](https://github.com/dev-sec/ssh-baseline/issues/45)

**Merged pull requests:**

- Use new ciphers, kex, macs and priv separation sandbox for redhat family 7 [\#62](https://github.com/dev-sec/ssh-baseline/pull/62) ([atomic111](https://github.com/atomic111))
- Fixing typo in sshd\_spec.rb [\#61](https://github.com/dev-sec/ssh-baseline/pull/61) ([brimstone](https://github.com/brimstone))
- Fix: Issue ListenAddress \#45 \(\#45\) and added check for SSH Client Bug CVE-2016-0777 and CVE-2016-0778 [\#60](https://github.com/dev-sec/ssh-baseline/pull/60) ([atomic111](https://github.com/atomic111))
- changed from hardening-io to dev-sec in README.md and added ubuntu and centos version to ssh\_crypto.rb [\#59](https://github.com/dev-sec/ssh-baseline/pull/59) ([atomic111](https://github.com/atomic111))

## [2.0.0](https://github.com/dev-sec/ssh-baseline/tree/2.0.0) (2016-04-28)
[Full Changelog](https://github.com/dev-sec/ssh-baseline/compare/1.2.0...2.0.0)

**Fixed bugs:**

- bugfix: use new inspec load mechanism [\#58](https://github.com/dev-sec/ssh-baseline/pull/58) ([chris-rock](https://github.com/chris-rock))

**Merged pull requests:**

- migrate to InSpec profile [\#56](https://github.com/dev-sec/ssh-baseline/pull/56) ([chris-rock](https://github.com/chris-rock))

## [1.2.0](https://github.com/dev-sec/ssh-baseline/tree/1.2.0) (2016-04-25)
[Full Changelog](https://github.com/dev-sec/ssh-baseline/compare/1.1.1...1.2.0)

**Closed issues:**

- No easy way to install Ansible on all OS's [\#47](https://github.com/dev-sec/ssh-baseline/issues/47)

**Merged pull requests:**

- 1.2.0 [\#57](https://github.com/dev-sec/ssh-baseline/pull/57) ([chris-rock](https://github.com/chris-rock))
- Symlinks real suite names to "default" [\#55](https://github.com/dev-sec/ssh-baseline/pull/55) ([conorsch](https://github.com/conorsch))
- complet inspec tests [\#52](https://github.com/dev-sec/ssh-baseline/pull/52) ([atomic111](https://github.com/atomic111))
- Improve Ansible tests [\#51](https://github.com/dev-sec/ssh-baseline/pull/51) ([rndmh3ro](https://github.com/rndmh3ro))
- Fix typos [\#50](https://github.com/dev-sec/ssh-baseline/pull/50) ([rndmh3ro](https://github.com/rndmh3ro))
- update urls [\#49](https://github.com/dev-sec/ssh-baseline/pull/49) ([chris-rock](https://github.com/chris-rock))
- feature: debian 8 support [\#48](https://github.com/dev-sec/ssh-baseline/pull/48) ([arlimus](https://github.com/arlimus))
- Add Ansible support [\#46](https://github.com/dev-sec/ssh-baseline/pull/46) ([rndmh3ro](https://github.com/rndmh3ro))
- feature: UsePrivilegeSeparation = sandbox for ssh \>= 5.9 [\#44](https://github.com/dev-sec/ssh-baseline/pull/44) ([arlimus](https://github.com/arlimus))

## [1.1.1](https://github.com/dev-sec/ssh-baseline/tree/1.1.1) (2015-01-14)
[Full Changelog](https://github.com/dev-sec/ssh-baseline/compare/1.1.0...1.1.1)

**Merged pull requests:**

- remove sha1-based key-exchange mechanisms [\#43](https://github.com/dev-sec/ssh-baseline/pull/43) ([arlimus](https://github.com/arlimus))
- add json format option [\#42](https://github.com/dev-sec/ssh-baseline/pull/42) ([atomic111](https://github.com/atomic111))
- reprioritize etm macs [\#41](https://github.com/dev-sec/ssh-baseline/pull/41) ([arlimus](https://github.com/arlimus))

## [1.1.0](https://github.com/dev-sec/ssh-baseline/tree/1.1.0) (2015-01-12)
[Full Changelog](https://github.com/dev-sec/ssh-baseline/compare/1.0.0...1.1.0)

**Closed issues:**

- undefined method `backend' for main:Object [\#32](https://github.com/dev-sec/ssh-baseline/issues/32)

**Merged pull requests:**

- feature: add back gcm [\#40](https://github.com/dev-sec/ssh-baseline/pull/40) ([arlimus](https://github.com/arlimus))
- Descriptive spec [\#39](https://github.com/dev-sec/ssh-baseline/pull/39) ([arlimus](https://github.com/arlimus))
- Update common [\#38](https://github.com/dev-sec/ssh-baseline/pull/38) ([arlimus](https://github.com/arlimus))
- remove options that only apply to SSH protocol version 1 [\#37](https://github.com/dev-sec/ssh-baseline/pull/37) ([arlimus](https://github.com/arlimus))
- Update common [\#36](https://github.com/dev-sec/ssh-baseline/pull/36) ([arlimus](https://github.com/arlimus))
- Update common [\#34](https://github.com/dev-sec/ssh-baseline/pull/34) ([arlimus](https://github.com/arlimus))
- support serverspec-2.0 [\#31](https://github.com/dev-sec/ssh-baseline/pull/31) ([bkw](https://github.com/bkw))
- changed GIS to DTAG SEC [\#30](https://github.com/dev-sec/ssh-baseline/pull/30) ([atomic111](https://github.com/atomic111))
- bugfix: lint error [\#29](https://github.com/dev-sec/ssh-baseline/pull/29) ([chris-rock](https://github.com/chris-rock))

## [1.0.0](https://github.com/dev-sec/ssh-baseline/tree/1.0.0) (2014-08-13)
**Closed issues:**

- HostKeys and OSes [\#13](https://github.com/dev-sec/ssh-baseline/issues/13)
- Comment-tests causing false-positives [\#5](https://github.com/dev-sec/ssh-baseline/issues/5)
- Unify required crypto for ssh server and client [\#4](https://github.com/dev-sec/ssh-baseline/issues/4)
- Add testing of ssh client config [\#3](https://github.com/dev-sec/ssh-baseline/issues/3)

**Merged pull requests:**

- bugfix: unlock user accounts during chef runs [\#28](https://github.com/dev-sec/ssh-baseline/pull/28) ([arlimus](https://github.com/arlimus))
- test for UsePAM disabled [\#27](https://github.com/dev-sec/ssh-baseline/pull/27) ([arlimus](https://github.com/arlimus))
- bugfix sed command location [\#26](https://github.com/dev-sec/ssh-baseline/pull/26) ([arlimus](https://github.com/arlimus))
- Fix puppet user unlock [\#25](https://github.com/dev-sec/ssh-baseline/pull/25) ([arlimus](https://github.com/arlimus))
- bugfix: unlock user accounts on test systems [\#24](https://github.com/dev-sec/ssh-baseline/pull/24) ([arlimus](https://github.com/arlimus))
- Fix matches [\#23](https://github.com/dev-sec/ssh-baseline/pull/23) ([arlimus](https://github.com/arlimus))
- update and fix rubocop [\#22](https://github.com/dev-sec/ssh-baseline/pull/22) ([ehaselwanter](https://github.com/ehaselwanter))
- common validator for client and server config [\#21](https://github.com/dev-sec/ssh-baseline/pull/21) ([chris-rock](https://github.com/chris-rock))
- add robocop rake task [\#20](https://github.com/dev-sec/ssh-baseline/pull/20) ([chris-rock](https://github.com/chris-rock))
- add ruby gem source [\#19](https://github.com/dev-sec/ssh-baseline/pull/19) ([chris-rock](https://github.com/chris-rock))
- added Telekom Security Requirement numbers to the corresponding kitchen test [\#18](https://github.com/dev-sec/ssh-baseline/pull/18) ([atomic111](https://github.com/atomic111))
- add tests for debian 6 and 7 [\#17](https://github.com/dev-sec/ssh-baseline/pull/17) ([arlimus](https://github.com/arlimus))
- add format html option [\#16](https://github.com/dev-sec/ssh-baseline/pull/16) ([ehaselwanter](https://github.com/ehaselwanter))
- remove host keys from checks [\#15](https://github.com/dev-sec/ssh-baseline/pull/15) ([arlimus](https://github.com/arlimus))
- make the integration tests even more useful with standalone invocation [\#14](https://github.com/dev-sec/ssh-baseline/pull/14) ([ehaselwanter](https://github.com/ehaselwanter))
- Tests update [\#12](https://github.com/dev-sec/ssh-baseline/pull/12) ([arlimus](https://github.com/arlimus))
- relax permissions on /etc/ssh and files [\#11](https://github.com/dev-sec/ssh-baseline/pull/11) ([arlimus](https://github.com/arlimus))
- Tests update: remove comments + add conditional ciphers [\#10](https://github.com/dev-sec/ssh-baseline/pull/10) ([arlimus](https://github.com/arlimus))
- add lockfiles and delete them from tree [\#9](https://github.com/dev-sec/ssh-baseline/pull/9) ([ehaselwanter](https://github.com/ehaselwanter))
- streamline rubocop, fix issue which comes with this change [\#8](https://github.com/dev-sec/ssh-baseline/pull/8) ([ehaselwanter](https://github.com/ehaselwanter))
- rubocop fixes [\#7](https://github.com/dev-sec/ssh-baseline/pull/7) ([ehaselwanter](https://github.com/ehaselwanter))
- use a per suite manifest [\#6](https://github.com/dev-sec/ssh-baseline/pull/6) ([ehaselwanter](https://github.com/ehaselwanter))
- changed AllowTcpForwarding and AllowAgentForwarding from yes to no [\#2](https://github.com/dev-sec/ssh-baseline/pull/2) ([atomic111](https://github.com/atomic111))
- move the ssh tests to this new central location [\#1](https://github.com/dev-sec/ssh-baseline/pull/1) ([ehaselwanter](https://github.com/ehaselwanter))



\* *This Change Log was automatically generated by [github_changelog_generator](https://github.com/skywinder/Github-Changelog-Generator)*
--------------------------------------------------------------------------------
/Inspec/hardening-test/vendor/cb0da29499dc5d27497ce906abfd3111970710fd0021ed0a013eb7cb2cc22c5b/ssh-baseline-master/Gemfile:
--------------------------------------------------------------------------------
# frozen_string_literal: true

source 'https://rubygems.org'

gem 'highline', '~> 2.0.2'
gem 'inspec', '~> 3'
gem 'rack', '~> 2.0.7'
gem 'rake', '~> 12.3.2'
gem 'rubocop', '~> 0.68.1'

group :tools do
  gem 'github_changelog_generator', '~> 1.14.3'
  gem 'pry-coolline', '~> 0.2.5'
end
--------------------------------------------------------------------------------
/Inspec/hardening-test/vendor/cb0da29499dc5d27497ce906abfd3111970710fd0021ed0a013eb7cb2cc22c5b/ssh-baseline-master/LICENSE:
--------------------------------------------------------------------------------

                                 Apache License
                           Version 2.0, January 2004
                        http://www.apache.org/licenses/

   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

   1. Definitions.

      "License" shall mean the terms and conditions for use, reproduction,
      and distribution as defined by Sections 1 through 9 of this document.

      "Licensor" shall mean the copyright owner or entity authorized by
      the copyright owner that is granting the License.

      "Legal Entity" shall mean the union of the acting entity and all
      other entities that control, are controlled by, or are under common
      control with that entity. For the purposes of this definition,
      "control" means (i) the power, direct or indirect, to cause the
      direction or management of such entity, whether by contract or
      otherwise, or (ii) ownership of fifty percent (50%) or more of the
      outstanding shares, or (iii) beneficial ownership of such entity.

      "You" (or "Your") shall mean an individual or Legal Entity
      exercising permissions granted by this License.

      "Source" form shall mean the preferred form for making modifications,
      including but not limited to software source code, documentation
      source, and configuration files.

      "Object" form shall mean any form resulting from mechanical
      transformation or translation of a Source form, including but
      not limited to compiled object code, generated documentation,
      and conversions to other media types.

      "Work" shall mean the work of authorship, whether in Source or
      Object form, made available under the License, as indicated by a
      copyright notice that is included in or attached to the work
      (an example is provided in the Appendix below).

      "Derivative Works" shall mean any work, whether in Source or Object
      form, that is based on (or derived from) the Work and for which the
      editorial revisions, annotations, elaborations, or other modifications
      represent, as a whole, an original work of authorship. For the purposes
      of this License, Derivative Works shall not include works that remain
      separable from, or merely link (or bind by name) to the interfaces of,
      the Work and Derivative Works thereof.

      "Contribution" shall mean any work of authorship, including
      the original version of the Work and any modifications or additions
      to that Work or Derivative Works thereof, that is intentionally
      submitted to Licensor for inclusion in the Work by the copyright owner
      or by an individual or Legal Entity authorized to submit on behalf of
      the copyright owner. For the purposes of this definition, "submitted"
      means any form of electronic, verbal, or written communication sent
      to the Licensor or its representatives, including but not limited to
      communication on electronic mailing lists, source code control systems,
      and issue tracking systems that are managed by, or on behalf of, the
      Licensor for the purpose of discussing and improving the Work, but
      excluding communication that is conspicuously marked or otherwise
      designated in writing by the copyright owner as "Not a Contribution."

      "Contributor" shall mean Licensor and any individual or Legal Entity
      on behalf of whom a Contribution has been received by Licensor and
      subsequently incorporated within the Work.

   2. Grant of Copyright License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      copyright license to reproduce, prepare Derivative Works of,
      publicly display, publicly perform, sublicense, and distribute the
      Work and such Derivative Works in Source or Object form.

   3. Grant of Patent License. Subject to the terms and conditions of
      this License, each Contributor hereby grants to You a perpetual,
      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
      (except as stated in this section) patent license to make, have made,
      use, offer to sell, sell, import, and otherwise transfer the Work,
      where such license applies only to those patent claims licensable
      by such Contributor that are necessarily infringed by their
      Contribution(s) alone or by combination of their Contribution(s)
      with the Work to which such Contribution(s) was submitted. If You
      institute patent litigation against any entity (including a
      cross-claim or counterclaim in a lawsuit) alleging that the Work
      or a Contribution incorporated within the Work constitutes direct
      or contributory patent infringement, then any patent licenses
      granted to You under this License for that Work shall terminate
      as of the date such litigation is filed.

   4. Redistribution. You may reproduce and distribute copies of the
      Work or Derivative Works thereof in any medium, with or without
      modifications, and in Source or Object form, provided that You
      meet the following conditions:

      (a) You must give any other recipients of the Work or
          Derivative Works a copy of this License; and

      (b) You must cause any modified files to carry prominent notices
          stating that You changed the files; and

      (c) You must retain, in the Source form of any Derivative Works
          that You distribute, all copyright, patent, trademark, and
          attribution notices from the Source form of the Work,
          excluding those notices that do not pertain to any part of
          the Derivative Works; and

      (d) If the Work includes a "NOTICE" text file as part of its
          distribution, then any Derivative Works that You distribute must
          include a readable copy of the attribution notices contained
          within such NOTICE file, excluding those notices that do not
          pertain to any part of the Derivative Works, in at least one
          of the following places: within a NOTICE text file distributed
          as part of the Derivative Works; within the Source form or
          documentation, if provided along with the Derivative Works; or,
          within a display generated by the Derivative Works, if and
          wherever such third-party notices normally appear. The contents
          of the NOTICE file are for informational purposes only and
          do not modify the License. You may add Your own attribution
          notices within Derivative Works that You distribute, alongside
          or as an addendum to the NOTICE text from the Work, provided
          that such additional attribution notices cannot be construed
          as modifying the License.

      You may add Your own copyright statement to Your modifications and
      may provide additional or different license terms and conditions
      for use, reproduction, or distribution of Your modifications, or
      for any such Derivative Works as a whole, provided Your use,
      reproduction, and distribution of the Work otherwise complies with
      the conditions stated in this License.

   5. Submission of Contributions. Unless You explicitly state otherwise,
      any Contribution intentionally submitted for inclusion in the Work
      by You to the Licensor shall be under the terms and conditions of
      this License, without any additional terms or conditions.
      Notwithstanding the above, nothing herein shall supersede or modify
      the terms of any separate license agreement you may have executed
      with Licensor regarding such Contributions.

   6. Trademarks. This License does not grant permission to use the trade
      names, trademarks, service marks, or product names of the Licensor,
      except as required for reasonable and customary use in describing the
      origin of the Work and reproducing the content of the NOTICE file.

   7. Disclaimer of Warranty. Unless required by applicable law or
      agreed to in writing, Licensor provides the Work (and each
      Contributor provides its Contributions) on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
      implied, including, without limitation, any warranties or conditions
      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
      PARTICULAR PURPOSE. You are solely responsible for determining the
      appropriateness of using or redistributing the Work and assume any
      risks associated with Your exercise of permissions under this License.

   8. Limitation of Liability. In no event and under no legal theory,
      whether in tort (including negligence), contract, or otherwise,
      unless required by applicable law (such as deliberate and grossly
      negligent acts) or agreed to in writing, shall any Contributor be
      liable to You for damages, including any direct, indirect, special,
      incidental, or consequential damages of any character arising as a
      result of this License or out of the use or inability to use the
      Work (including but not limited to damages for loss of goodwill,
      work stoppage, computer failure or malfunction, or any and all
      other commercial damages or losses), even if such Contributor
      has been advised of the possibility of such damages.

   9. Accepting Warranty or Additional Liability. While redistributing
      the Work or Derivative Works thereof, You may choose to offer,
      and charge a fee for, acceptance of support, warranty, indemnity,
      or other liability obligations and/or rights consistent with this
      License. However, in accepting such obligations, You may act only
      on Your own behalf and on Your sole responsibility, not on behalf
      of any other Contributor, and only if You agree to indemnify,
      defend, and hold each Contributor harmless for any liability
      incurred by, or claims asserted against, such Contributor by reason
      of your accepting any such warranty or additional liability.
--------------------------------------------------------------------------------
/Inspec/hardening-test/vendor/cb0da29499dc5d27497ce906abfd3111970710fd0021ed0a013eb7cb2cc22c5b/ssh-baseline-master/README.md:
--------------------------------------------------------------------------------
DevSec SSH Baseline
===================

This Compliance Profile ensures that all hardening projects keep the same quality.

- https://github.com/dev-sec/puppet-ssh-hardening
- https://github.com/dev-sec/chef-ssh-hardening
- https://github.com/dev-sec/ansible-ssh-hardening

## Standalone Usage

This Compliance Profile requires [InSpec](https://github.com/chef/inspec) for execution:

```
$ git clone https://github.com/dev-sec/ssh-baseline
$ inspec exec ssh-baseline
```

You can also execute the profile directly from Github:

```
$ inspec exec https://github.com/dev-sec/ssh-baseline
```

## License and Author

* Author:: Patrick Muench
* Author:: Dominik Richter
* Author:: Christoph Hartmann
* Author:: Edmund Haselwanter

* Copyright 2014-2017, The DevSec Hardening Framework Team

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
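As an added example (not code from the ssh-baseline project), the following stand-alone Ruby script re-implements what the profile's client-side controls ssh-02 to ssh-05 assert against a constructed ssh_config, so the expectations can be read and run without an InSpec install; the parser, the CLIENT_CONTROLS table and the CheckHostIP value inferred from ssh-06's description are assumptions of this example.

```ruby
# Added example, not part of ssh-baseline: re-implements the client-side
# expectations of controls ssh-02 .. ssh-05 (and the CheckHostIP intent of
# ssh-06) as plain Ruby, so the checks can be read and run without InSpec.

# Constructed sample ssh_config for the demonstration (not taken from a real host).
SAMPLE_SSH_CONFIG = <<~CFG
  # system-wide client defaults
  Host *
      AddressFamily inet
      Port 22
      Protocol 2
      BatchMode no
      CheckHostIP yes
      Port 2222   # duplicate keyword: ignored, ssh(1) keeps the first value
CFG

# Parse a client ssh_config the way ssh(1) reads it: keywords are
# case-insensitive, written as "key value" or "key=value", comments and blank
# lines are skipped, and for a repeated keyword the FIRST value wins. Only
# options that apply to every host (before any Host/Match line, or under
# "Host *") are collected; host-specific sections are skipped.
def parse_ssh_config(text)
  settings = {}
  in_global = true
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s*=\s*|\s+/, 2)
    next if value.nil?
    key = key.downcase
    if key == 'host' || key == 'match'
      in_global = (key == 'host' && value.strip == '*')
      next
    end
    settings[key] ||= value.strip if in_global
  end
  settings
end

# Expected values as asserted by controls/ssh_spec.rb on this page. The
# AddressFamily pattern is anchored here, which is stricter than the profile's
# unanchored match; ssh-06's value is inferred from its description
# ("make sure that SSH checks the host IP address"), an assumption.
CLIENT_CONTROLS = {
  'ssh-02' => ['addressfamily', ->(v) { v.to_s.match?(/\A(inet|inet6|any)\z/) }],
  'ssh-03' => ['port',          ->(v) { v == '22' }],
  'ssh-04' => ['protocol',      ->(v) { v == '2' }],
  'ssh-05' => ['batchmode',     ->(v) { v == 'no' }],
  'ssh-06' => ['checkhostip',   ->(v) { v == 'yes' }],
}.freeze

# Run every control against parsed settings; returns e.g. { 'ssh-02' => :pass }.
# An absent keyword fails, because the profile asserts on an explicit value and
# does not trust the compiled-in default.
def evaluate_client_controls(settings)
  CLIENT_CONTROLS.each_with_object({}) do |(id, (key, check)), results|
    results[id] = check.call(settings[key]) ? :pass : :fail
  end
end

# Human-readable report lines, one per control.
def report(settings)
  evaluate_client_controls(settings).map do |id, status|
    key, = CLIENT_CONTROLS[id]
    format('%-6s %-4s %s = %s', id, status.to_s.upcase, key, settings[key].inspect)
  end
end

puts report(parse_ssh_config(SAMPLE_SSH_CONFIG)) if $PROGRAM_NAME == __FILE__
```

Point the script at the contents of a real /etc/ssh/ssh_config to see which of the listed controls would fail before running the full profile with `inspec exec`.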
--------------------------------------------------------------------------------
/Inspec/hardening-test/vendor/cb0da29499dc5d27497ce906abfd3111970710fd0021ed0a013eb7cb2cc22c5b/ssh-baseline-master/Rakefile:
--------------------------------------------------------------------------------
#!/usr/bin/env rake

require 'rake/testtask'
require 'rubocop/rake_task'

# Rubocop
desc 'Run Rubocop lint checks'
task :rubocop do
  RuboCop::RakeTask.new
end

# lint the project
desc 'Run rubocop linter'
task lint: [:rubocop]

# run tests
task default: [:lint, 'test:check']

namespace :test do
  # run inspec check to verify that the profile is properly configured
  task :check do
    require 'inspec'
    puts "Checking profile with InSpec Version: #{Inspec::VERSION}"
    profile = Inspec::Profile.for_target('.', backend: Inspec::Backend.create(Inspec::Config.mock))
    pp profile.check
  end
end

task :changelog do
  # Automatically generate a changelog for this project. Only loaded if
  # the necessary gem is installed. By default it picks up the version from
  # inspec.yml. You can override that behavior with `rake changelog to=1.2.0`
  begin
    require 'yaml'
    metadata = YAML.load_file('inspec.yml')
    v = ENV['to'] || metadata['version']
    puts " * Generating changelog for version #{v}"
    require 'github_changelog_generator/task'
    GitHubChangelogGenerator::RakeTask.new :changelog do |config|
      config.future_release = v
      config.user = 'dev-sec'
      config.project = 'ssh-baseline'
    end
    Rake::Task[:changelog].execute
  rescue LoadError
    puts '>>>>> GitHub Changelog Generator not loaded, omitting tasks'
  end
end
--------------------------------------------------------------------------------
/Inspec/hardening-test/vendor/cb0da29499dc5d27497ce906abfd3111970710fd0021ed0a013eb7cb2cc22c5b/ssh-baseline-master/controls/ssh_spec.rb:
--------------------------------------------------------------------------------
# Copyright 2015, Patrick Muench
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# author: Christoph Hartmann
# author: Dominik Richter
# author: Patrick Muench

title 'SSH client config'

only_if do
  command('ssh').exist?
end

control 'ssh-01' do
  impact 1.0
  title 'client: Check ssh_config owner, group and permissions.'
  desc 'The ssh_config should be owned by root, only be writable by owner and readable to all.'

  describe file('/etc/ssh/ssh_config') do
    it { should exist }
    it { should be_file }
    it { should be_owned_by 'root' }
    it { should be_grouped_into os.darwin? ? 'wheel' : 'root' }
    it { should_not be_executable }
    it { should be_readable.by('owner') }
    it { should be_readable.by('group') }
    it { should be_readable.by('other') }
    it { should be_writable.by('owner') }
    it { should_not be_writable.by('group') }
    it { should_not be_writable.by('other') }
  end
end

control 'ssh-02' do
  impact 1.0
  title 'Client: Specify the AddressFamily to your need'
  desc 'OpenSSH should be configured to the network family. Set it to inet if you use IPv4 only. For IPv6 only set it to inet6.'
  describe ssh_config do
    its('AddressFamily') { should match(/inet|inet6|any/) }
  end
end

control 'ssh-03' do
  impact 1.0
  title 'Client: Specify expected ssh port'
  desc 'Always specify which port the SSH client should connect to. Prevent unexpected settings.'
  describe ssh_config do
    its('Port') { should eq('22') }
  end
end

control 'ssh-04' do
  impact 1.0
  title 'Client: Specify protocol version 2'
  desc "Only SSH protocol version 2 connections should be permitted. Version 1 of the protocol contains security vulnerabilities. Don't use legacy insecure SSHv1 connections anymore."
  describe ssh_config do
    its('Protocol') { should eq('2') }
  end
end

control 'ssh-05' do
  impact 1.0
  title 'Client: Disable batch mode'
  desc 'Avoid batch mode in the default configuration.'
  describe ssh_config do
    its('BatchMode') { should eq('no') }
  end
end

control 'ssh-06' do
  impact 1.0
  title 'Client: Check Host IPs'
  desc 'Make sure that SSH checks the host IP address in the known_hosts file, to avoid DNS spoofing effects.'
85 | describe ssh_config do 86 | its('CheckHostIP') { should eq('yes') } 87 | end 88 | end 89 | 90 | control 'ssh-07' do 91 | impact 1.0 92 | title 'Client: Ask when checking host keys' 93 | desc "Don't automatically add new hosts keys to the list of known hosts." 94 | describe ssh_config do 95 | its('StrictHostKeyChecking') { should match(/ask|yes/) } 96 | end 97 | end 98 | 99 | control 'ssh-08' do 100 | impact 1.0 101 | title 'Client: Check for secure ssh ciphers' 102 | desc 'Configure a list of ciphers to the best secure ciphers (avoid older and weaker ciphers)' 103 | describe ssh_config do 104 | its('Ciphers') { should eq(ssh_crypto.valid_ciphers) } 105 | end 106 | end 107 | 108 | control 'ssh-09' do 109 | impact 1.0 110 | title 'Client: Check for secure ssh Key-Exchange Algorithm' 111 | desc 'Configure a list of Key-Exchange Algorithms (Kexs) to the best secure Kexs (avoid older and weaker Key-Exchange Algorithm)' 112 | describe ssh_config do 113 | its('KexAlgorithms') { should eq(ssh_crypto.valid_kexs) } 114 | end 115 | end 116 | 117 | control 'ssh-10' do 118 | impact 1.0 119 | title 'Client: Check for secure ssh Message Authentication Codes' 120 | desc 'Configure a list of Message Authentication Codes (MACs) to the best secure MACs (avoid older and weaker Message Authentication Codes)' 121 | describe ssh_config do 122 | its('MACs') { should eq(ssh_crypto.valid_macs) } 123 | end 124 | end 125 | 126 | control 'ssh-11' do 127 | impact 1.0 128 | title 'Client: Disable agent forwarding' 129 | desc 'Prevent agent forwarding by default, as it can be used in a limited way to enable attacks.' 130 | describe ssh_config do 131 | its('ForwardAgent') { should eq('no') } 132 | end 133 | end 134 | 135 | control 'ssh-12' do 136 | impact 1.0 137 | title 'Client: Disable X11Forwarding' 138 | desc 'Prevent X11 forwarding by default, as it can be used in a limited way to enable attacks.' 
139 | describe ssh_config do 140 | its('ForwardX11') { should eq('no') } 141 | end 142 | end 143 | 144 | control 'ssh-13' do 145 | impact 1.0 146 | title 'Client: Disable HostbasedAuthentication' 147 | desc 'This option is a weak way for authentication and provide attacker more ways to enter the system.' 148 | describe ssh_config do 149 | its('HostbasedAuthentication') { should eq('no') } 150 | end 151 | end 152 | 153 | control 'ssh-14' do 154 | impact 1.0 155 | title 'Client: Disable rhosts-based authentication' 156 | desc 'Avoid rhosts-based authentication, as it opens more ways for an attacker to enter a system.' 157 | only_if { ssh_crypto.ssh_version < 7.6 } 158 | describe ssh_config do 159 | its('RhostsRSAAuthentication') { should eq('no') } 160 | end 161 | end 162 | 163 | control 'ssh-15' do 164 | impact 1.0 165 | title 'Client: Enable RSA authentication' 166 | desc 'Make sure RSA authentication is used by default.' 167 | only_if { ssh_crypto.ssh_version < 7.6 } 168 | describe ssh_config do 169 | its('RSAAuthentication') { should eq('yes') } 170 | end 171 | end 172 | 173 | control 'ssh-16' do 174 | impact 1.0 175 | title 'Client: Disable password-based authentication' 176 | desc 'Avoid password-based authentications.' 177 | describe ssh_config do 178 | its('PasswordAuthentication') { should eq('no') } 179 | end 180 | end 181 | 182 | control 'ssh-17' do 183 | impact 1.0 184 | title 'Client: Disable GSSAPIAuthentication' 185 | desc 'If you do not use GSSAPI authentication then disable it.' 186 | describe ssh_config do 187 | its('GSSAPIAuthentication') { should eq('no') } 188 | end 189 | end 190 | 191 | control 'ssh-18' do 192 | impact 1.0 193 | title 'Client: Disable GSSAPIDelegateCredentials' 194 | desc 'If you do not use GSSAPI authentication then disable it.' 
195 | describe ssh_config do 196 | its('GSSAPIDelegateCredentials') { should eq('no') } 197 | end 198 | end 199 | 200 | control 'ssh-19' do 201 | impact 1.0 202 | title 'Client: Disable tunnels' 203 | desc 'Avoid using SSH tunnels.' 204 | describe ssh_config do 205 | its('Tunnel') { should eq('no') } 206 | end 207 | end 208 | 209 | control 'ssh-20' do 210 | impact 1.0 211 | title 'Client: Do not permit local commands' 212 | desc 'Do not permit any local command execution.' 213 | describe ssh_config do 214 | its('PermitLocalCommand') { should eq('no') } 215 | end 216 | end 217 | 218 | control 'ssh-21' do 219 | impact 1.0 220 | title 'Client: Do not allow Roaming' 221 | desc 'Workaround for SSH Client Bug CVE-2016-0777 and CVE-2016-0778' 222 | only_if { ssh_crypto.ssh_version < 7.2 } 223 | describe ssh_config do 224 | its('UseRoaming') { should eq('no') } 225 | end 226 | end 227 | -------------------------------------------------------------------------------- /Inspec/hardening-test/vendor/cb0da29499dc5d27497ce906abfd3111970710fd0021ed0a013eb7cb2cc22c5b/ssh-baseline-master/controls/sshd_spec.rb: -------------------------------------------------------------------------------- 1 | # Copyright 2015, Patrick Muench 2 | # 3 | # Licensed under the Apache License, Version 2.0 (the "License"); 4 | # you may not use this file except in compliance with the License. 5 | # You may obtain a copy of the License at 6 | # 7 | # http://www.apache.org/licenses/LICENSE-2.0 8 | # 9 | # Unless required by applicable law or agreed to in writing, software 10 | # distributed under the License is distributed on an "AS IS" BASIS, 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | # See the License for the specific language governing permissions and 13 | # limitations under the License. 
14 | # 15 | # author: Christoph Hartmann 16 | # author: Dominik Richter 17 | # author: Patrick Muench 18 | 19 | title 'SSH server config' 20 | 21 | sshd_valid_ciphers = attribute('sshd_valid_ciphers', default: ssh_crypto.valid_ciphers, description: 'Expected value for sshd_config ciphers') 22 | sshd_valid_kexs = attribute('sshd_valid_kexs', default: ssh_crypto.valid_kexs, description: 'Expected value for sshd_config kexs') 23 | sshd_valid_macs = attribute('sshd_valid_macs', default: ssh_crypto.valid_macs, description: 'Expected value for sshd_config macs') 24 | sshd_permittunnel = attribute('sshd_permittunnel', default: 'no', description: 'Expected value for sshd_config PermitTunnel') 25 | sshd_tcpforwarding = attribute('sshd_tcpforwarding', default: 'no', description: 'Expected value for sshd_config TcpForwarding') 26 | sshd_agentforwarding = attribute('sshd_agentforwarding', default: 'no', description: 'Expected value for sshd_config AgentForwarding') 27 | sshd_gatewayports = attribute('sshd_gatewayports', default: 'no', description: 'Expected value for sshd_config GatewayPorts') 28 | sshd_x11forwarding = attribute('sshd_x11forwarding', default: 'no', description: 'Expected value for sshd_config X11Forwarding') 29 | sshd_banner = attribute('sshd_banner', default: 'none', description: 'Expected value for sshd_config Banner') 30 | 31 | only_if do 32 | command('sshd').exist? 
33 | end 34 | 35 | control 'sshd-01' do 36 | impact 1.0 37 | title 'Server: Check for secure ssh ciphers' 38 | desc 'Configure a list of ciphers to the best secure ciphers (avoid older and weaker ciphers)' 39 | describe sshd_config do 40 | its('Ciphers') { should eq(sshd_valid_ciphers) } 41 | end 42 | end 43 | 44 | control 'sshd-02' do 45 | impact 1.0 46 | title 'Server: Check for secure ssh Key-Exchange Algorithm' 47 | desc 'Configure a list of Key-Exchange Algorithms (Kexs) to the best secure Kexs (avoid older and weaker Key-Exchange Algorithm)' 48 | describe sshd_config do 49 | its('KexAlgorithms') { should eq(sshd_valid_kexs) } 50 | end 51 | end 52 | 53 | control 'sshd-03' do 54 | impact 1.0 55 | title 'Server: Check for secure ssh Message Authentication Codes' 56 | desc 'Configure a list of Message Authentication Codes (MACs) to the best secure MACs (avoid older and weaker Message Authentication Codes)' 57 | describe sshd_config do 58 | its('MACs') { should eq(sshd_valid_macs) } 59 | end 60 | end 61 | 62 | control 'sshd-04' do 63 | impact 1.0 64 | title 'Server: Check SSH folder owner, group and permissions.' 65 | desc 'The SSH folder should owned by root, only be writable by owner and readable by others.' 66 | describe file('/etc/ssh') do 67 | it { should exist } 68 | it { should be_directory } 69 | it { should be_owned_by 'root' } 70 | it { should be_grouped_into os.darwin? ? 'wheel' : 'root' } 71 | it { should be_executable } 72 | it { should be_readable.by('owner') } 73 | it { should be_readable.by('group') } 74 | it { should be_readable.by('other') } 75 | it { should be_writable.by('owner') } 76 | it { should_not be_writable.by('group') } 77 | it { should_not be_writable.by('other') } 78 | end 79 | end 80 | 81 | control 'sshd-05' do 82 | impact 1.0 83 | title 'Server: Check sshd_config owner, group and permissions.' 84 | desc 'The sshd_config should owned by root, only be writable/readable by owner and not be executable.' 
85 | 86 | describe file('/etc/ssh/sshd_config') do 87 | it { should exist } 88 | it { should be_file } 89 | it { should be_owned_by 'root' } 90 | it { should be_grouped_into os.darwin? ? 'wheel' : 'root' } 91 | it { should_not be_executable } 92 | it { should be_readable.by('owner') } 93 | it { should_not be_readable.by('group') } 94 | it { should_not be_readable.by('other') } 95 | it { should be_writable.by('owner') } 96 | it { should_not be_writable.by('group') } 97 | it { should_not be_writable.by('other') } 98 | end 99 | end 100 | 101 | control 'sshd-06' do 102 | impact 1.0 103 | title 'Server: Do not permit root-based login or do not allow password and keyboard-interactive authentication' 104 | desc 'Reduce the potential risk to gain full privileges access of the system because of weak password and keyboard-interactive authentication, do not allow logging in as the root user or with password authentication.' 105 | describe sshd_config do 106 | its('PermitRootLogin') { should match(/no|without-password|prohibit-password/) } 107 | end 108 | end 109 | 110 | control 'sshd-07' do 111 | impact 1.0 112 | title 'Server: Specify the listen ssh Port' 113 | desc 'Always specify which port the SSH server should listen to. Prevent unexpected settings.' 114 | describe sshd_config do 115 | its('Port') { should eq('22') } 116 | end 117 | end 118 | 119 | control 'sshd-08' do 120 | impact 1.0 121 | title 'Server: Specify the AddressFamily to your need' 122 | desc 'OpenSSH should be configured to the network family. Set it to inet if you use IPv4 only. For IPv6 only set it to inet6.' 123 | describe sshd_config do 124 | its('AddressFamily') { should match(/inet|inet6|any/) } 125 | end 126 | end 127 | 128 | control 'sshd-09' do 129 | impact 1.0 130 | title 'Server: Specify ListenAddress' 131 | desc "Limit the SSH server to listen to a specific address. Don't let it listen on all interfaces to avoid logins from unexpected sources." 
132 | describe sshd_config do 133 | its('ListenAddress') { should match(/.*/) } 134 | end 135 | end 136 | 137 | control 'sshd-10' do 138 | impact 1.0 139 | title 'Server: Specify protocol version 2' 140 | desc "Only SSH protocol version 2 connections should be permitted. Version 1 of the protocol contains security vulnerabilities. Don't use legacy insecure SSHv1 connections anymore." 141 | describe sshd_config do 142 | its('Protocol') { should eq('2') } 143 | end 144 | end 145 | 146 | control 'sshd-11' do 147 | impact 1.0 148 | title 'Server: Enable StrictModes' 149 | desc 'Prevent the use of insecure home directory and key file permissions.' 150 | describe sshd_config do 151 | its('StrictModes') { should eq('yes') } 152 | end 153 | end 154 | 155 | control 'sshd-12' do 156 | impact 1.0 157 | title 'Server: Specify SyslogFacility to AUTH' 158 | desc 'Logging should be set to go to the /var/log/auth.log facility by using the SysLog AUTH parameter. This will ensure that any problems around invalid logins or the like are forwarded to a central security file for auditing purposes' 159 | describe sshd_config do 160 | its('SyslogFacility') { should eq('AUTH') } 161 | end 162 | end 163 | 164 | control 'sshd-13' do 165 | impact 1.0 166 | title 'Server: Specify LogLevel to VERBOSE' 167 | desc 'Be verbose in logging, to allow analysis in case of unexpected behavior.' 168 | describe sshd_config do 169 | its('LogLevel') { should eq('VERBOSE') } 170 | end 171 | end 172 | 173 | control 'sshd-14' do 174 | impact 1.0 175 | title 'Server: Specify SSH HostKeys' 176 | desc 'Specify HostKey for protection against Man-In-The-Middle Attacks' 177 | describe sshd_config do 178 | its('HostKey') { should cmp ssh_crypto.valid_hostkeys } 179 | end 180 | end 181 | 182 | control 'sshd-15' do 183 | impact 1.0 184 | title 'Server: Specify UseLogin to NO' 185 | desc 'Disable legacy login mechanism and do not use login for interactive login sessions.' 
186 | describe sshd_config do 187 | its('UseLogin') { should eq(ssh_crypto.ssh_version < 7.4 ? 'no' : nil) } 188 | end 189 | end 190 | 191 | control 'sshd-16' do 192 | impact 1.0 193 | title 'Server: Use privilege separation' 194 | desc 'UsePrivilegeSeparation is an option, when enabled will allow the OpenSSH server to run a small (necessary) amount of code as root and the of the code in a chroot jail environment. This enables ssh to deal incoming network traffic in an unprivileged child process to avoid privilege escalation by an attacker.' 195 | describe sshd_config do 196 | its('UsePrivilegeSeparation') { should eq(ssh_crypto.valid_privseparation) } 197 | end 198 | end 199 | 200 | control 'sshd-17' do 201 | impact 1.0 202 | title 'Server: Disable PermitUserEnvironment' 203 | desc 'Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD.' 204 | describe sshd_config do 205 | its('PermitUserEnvironment') { should eq('no') } 206 | end 207 | end 208 | 209 | control 'sshd-18' do 210 | impact 1.0 211 | title 'Server: Specify LoginGraceTime' 212 | desc 'The LoginGraceTime gives the user 30 seconds to accomplish a login. This could be used to conduct a Denial of Service (DoS) against a running SSH daemon.' 213 | describe sshd_config do 214 | its('LoginGraceTime') { should eq('30s') } 215 | end 216 | end 217 | 218 | control 'sshd-19' do 219 | impact 1.0 220 | title 'Server: Specify Limit for maximum authentication retries' 221 | desc 'The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure. Setting the MaxAuthTries parameter to a low number will minimize the risk of successful brute force attacks to the SSH server. The default is 2 but should be configured based on site policy.' 
222 | tag 'CIS Red Hat Enterprise Linux 7 Benchmark version 01-31-2017': '2.1.1' 223 | ref 'Center for Internet Security', url: 'https://www.cisecurity.org/' 224 | describe sshd_config do 225 | its('MaxAuthTries') { should cmp == attribute('max_auth_tries') } 226 | end 227 | end 228 | 229 | control 'sshd-20' do 230 | impact 1.0 231 | title 'Server: Specify maximum sessions' 232 | desc 'Specifies the maximum number of open sessions permitted per network connection. This could be used to conduct a Denial of Service (DoS) against a running SSH daemon.' 233 | describe sshd_config do 234 | its('MaxSessions') { should eq('10') } 235 | end 236 | end 237 | 238 | control 'sshd-21' do 239 | impact 1.0 240 | title 'Server: Specify maximum startups' 241 | desc 'Limit the number of concurrent unauthenticated sessions to prevent Denial of Service (DoS) against a running SSH daemon.' 242 | describe sshd_config do 243 | its('MaxStartups') { should eq('10:30:100') } 244 | end 245 | end 246 | 247 | control 'sshd-22' do 248 | impact 1.0 249 | title 'Server: Enable PubkeyAuthentication' 250 | desc 'Prefer public key authentication mechanisms, because other methods are weaker (e.g. passwords).' 251 | describe sshd_config do 252 | its('PubkeyAuthentication') { should eq('yes') } 253 | end 254 | end 255 | 256 | control 'sshd-23' do 257 | impact 1.0 258 | title 'Server: Disable IgnoreRhosts' 259 | desc 'Ignore legacy .rhosts configuration, because rhosts are a weak way to authenticate systems and provide attacker more ways to enter the system.' 260 | describe sshd_config do 261 | its('IgnoreRhosts') { should eq('yes') } 262 | end 263 | end 264 | 265 | control 'sshd-24' do 266 | impact 1.0 267 | title 'Server: Enable IgnoreUserKnownHosts' 268 | desc 'This option is a weak way for authentication and provide attacker more ways to enter the system.' 
269 | describe sshd_config do 270 | its('IgnoreUserKnownHosts') { should eq('yes') } 271 | end 272 | end 273 | 274 | control 'sshd-25' do 275 | impact 1.0 276 | title 'Server: Disable HostbasedAuthentication' 277 | desc 'This option is a weak way for authentication and provide attacker more ways to enter the system.' 278 | describe sshd_config do 279 | its('HostbasedAuthentication') { should eq('no') } 280 | end 281 | end 282 | 283 | control 'sshd-27' do 284 | impact 1.0 285 | title 'Server: Disable password-based authentication' 286 | desc 'Avoid password-based authentications.' 287 | describe sshd_config do 288 | its('PasswordAuthentication') { should eq('no') } 289 | end 290 | end 291 | 292 | control 'sshd-28' do 293 | impact 1.0 294 | title 'Server: Disable PermitEmptyPasswords' 295 | desc 'Accounts should be protected and users should be accountable. For this reason the usage of empty passwords should never be allowed.' 296 | describe sshd_config do 297 | its('PermitEmptyPasswords') { should eq('no') } 298 | end 299 | end 300 | 301 | control 'sshd-29' do 302 | impact 1.0 303 | title 'Server: Disable ChallengeResponseAuthentication' 304 | desc 'Avoid challenge-response and password-based authentications.' 305 | describe sshd_config do 306 | its('ChallengeResponseAuthentication') { should eq('no') } 307 | end 308 | end 309 | 310 | control 'sshd-30' do 311 | impact 1.0 312 | title 'Server: Disable Kerberos' 313 | desc 'Avoid kerberos authentication.' 314 | describe sshd_config do 315 | its('KerberosAuthentication') { should eq('no') } 316 | end 317 | end 318 | 319 | control 'sshd-31' do 320 | impact 1.0 321 | title 'Server: Disable Kerberos or Local Password' 322 | desc 'Avoid kerberos authentication because it use password-based authentication as fallback.' 
323 | describe sshd_config do 324 | its('KerberosOrLocalPasswd') { should eq('no') } 325 | end 326 | end 327 | 328 | control 'sshd-32' do 329 | impact 1.0 330 | title 'Server: Enable KerberosTicketCleanup' 331 | desc "Specifies whether to automatically destroy the user's ticket cache file on logout." 332 | describe sshd_config do 333 | its('KerberosTicketCleanup') { should eq('yes') } 334 | end 335 | end 336 | 337 | control 'sshd-33' do 338 | impact 1.0 339 | title 'Server: Disable GSSAPIAuthentication' 340 | desc 'If you do not use GSSAPI authentication then disable it.' 341 | describe sshd_config do 342 | its('GSSAPIAuthentication') { should eq('no') } 343 | end 344 | end 345 | 346 | control 'sshd-34' do 347 | impact 1.0 348 | title 'Server: Enable GSSAPICleanupCredentials' 349 | desc "Automatically destroy the user's credentials cache on logout." 350 | describe sshd_config do 351 | its('GSSAPICleanupCredentials') { should eq('yes') } 352 | end 353 | end 354 | 355 | control 'sshd-35' do 356 | impact 1.0 357 | title 'Server: Disable TCPKeepAlive' 358 | desc 'Avoid the TCPKeepAlive messages to see if the client is still alive, because they are sent over unencrypted connection and are spoofable.' 359 | describe sshd_config do 360 | its('TCPKeepAlive') { should eq('no') } 361 | end 362 | end 363 | 364 | control 'sshd-36' do 365 | impact 1.0 366 | title 'Server: Set a client alive interval' 367 | desc 'ClientAlive messages are sent over encrypted connection and are not spoofable.' 368 | describe sshd_config do 369 | its('ClientAliveInterval') { should eq('300') } 370 | end 371 | end 372 | 373 | control 'sshd-37' do 374 | impact 1.0 375 | title 'Server: Configure a few client alive counters' 376 | desc 'This indicates the total number of checkalive message sent by the ssh server without getting any response from the ssh client. ClientAlive messages are sent over encrypted connection and are not spoofable.' 
377 | describe sshd_config do 378 | its('ClientAliveCountMax') { should eq('3') } 379 | end 380 | end 381 | 382 | control 'sshd-38' do 383 | impact 1.0 384 | title 'Server: Disable tunnels' 385 | desc 'Avoid to use tunnels.' 386 | describe sshd_config do 387 | its('PermitTunnel') { should eq(sshd_permittunnel) } 388 | end 389 | end 390 | 391 | control 'sshd-39' do 392 | impact 1.0 393 | title 'Server: Disable TCP forwarding' 394 | desc 'If you use TCP forwarding in an uncontrolled manner then you can bypass the firewalls' 395 | describe sshd_config do 396 | its('AllowTcpForwarding') { should eq(sshd_tcpforwarding) } 397 | end 398 | end 399 | 400 | control 'sshd-40' do 401 | impact 1.0 402 | title 'Server: Disable Agent forwarding' 403 | desc "Users with the ability to bypass file permissions on the remote host (for the agent's UNIX-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent." 404 | describe sshd_config do 405 | its('AllowAgentForwarding') { should eq(sshd_agentforwarding) } 406 | end 407 | end 408 | 409 | control 'sshd-41' do 410 | impact 1.0 411 | title 'Server: Disable gateway ports' 412 | desc 'Prevent remote hosts from connecting to forwarded ports on the node.' 413 | describe sshd_config do 414 | its('GatewayPorts') { should eq(sshd_gatewayports) } 415 | end 416 | end 417 | 418 | control 'sshd-42' do 419 | impact 1.0 420 | title 'Server: Disable X11Forwarding' 421 | desc 'Prevent X11 forwarding by default, as it can be used in a limited way to enable attacks.' 422 | describe sshd_config do 423 | its('X11Forwarding') { should eq(sshd_x11forwarding) } 424 | end 425 | end 426 | 427 | control 'sshd-43' do 428 | impact 1.0 429 | title 'Server: Enable X11UseLocalhost' 430 | desc 'SSH daemon should bind the X11 forwarding server to the loopback address. 
This prevents remote hosts from connecting to the proxy display and reduce the attack surface' 431 | describe sshd_config do 432 | its('X11UseLocalhost') { should eq('yes') } 433 | end 434 | end 435 | 436 | control 'sshd-44' do 437 | impact 1.0 438 | title 'Server: Disable PrintMotd' 439 | desc 'This specifies that the SSH daemon itself should not read and display the message of the day file.' 440 | describe sshd_config do 441 | its('PrintMotd') { should eq('no') } 442 | end 443 | end 444 | 445 | control 'sshd-45' do 446 | impact 1.0 447 | title 'Server: PrintLastLog' 448 | desc 'This tells the SSH daemon to print out information about the last time you logged in.' 449 | describe sshd_config do 450 | its('PrintLastLog') { should eq('no') } 451 | end 452 | end 453 | 454 | control 'sshd-46' do 455 | impact 1.0 456 | title 'Server: Banner' 457 | desc 'Specifies a banner file to serve before authentication succeeds' 458 | describe sshd_config do 459 | its('Banner') { should eq(sshd_banner) } 460 | end 461 | end 462 | 463 | control 'sshd-47' do 464 | impact 1.0 465 | title 'Server: DebianBanner' 466 | desc 'Specifies whether to include OS distribution in version information' 467 | case os[:family] 468 | when 'debian' then 469 | describe sshd_config do 470 | its('DebianBanner') { should eq('no') } 471 | end 472 | else 473 | describe sshd_config do 474 | its('content') { should_not match(/DebianBanner/) } 475 | end 476 | end 477 | end 478 | 479 | control 'sshd-48' do 480 | impact 1.0 481 | title 'Server: DH primes' 482 | desc 'Verifies if strong DH primes are used in /etc/ssh/moduli' 483 | describe bash("test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0") do 484 | its('exit_status') { should eq 0 } 485 | its('stdout') { should eq '' } 486 | its('stderr') { should eq '' } 487 | end 488 | end 489 | -------------------------------------------------------------------------------- 
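The sshd-* controls above only run under InSpec against a live host. The following is an added example, not code from the ssh-baseline profile or this repository: a stand-alone Ruby evaluator that applies a subset of those controls to sshd_config text, using the expected values the profile carries (ssh_crypto's OpenSSH 6.6+ cipher, KEX and MAC sets, the max_auth_tries attribute default of 2) so the matcher semantics, including `cmp` versus `eq` and the `PermitRootLogin` pattern, can be exercised offline on constructed input.

```ruby
# Added example, not part of the vendored ssh-baseline profile or this
# repository. Expected values are copied from the profile above for an
# OpenSSH 6.6+ platform (ssh_crypto's ciphers66/kex66/macs66) and from its
# attribute defaults. Keys are downcased: OpenSSH keywords are case-insensitive.
EXPECTED = {
  'ciphers' => 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,' \
               'aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr',
  'kexalgorithms' => 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256',
  'macs' => 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,' \
            'umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256',
  'port' => '22',
  'protocol' => '2',
  'passwordauthentication' => 'no',
  'maxauthtries' => 2, # inspec.yml attribute max_auth_tries; compared like `cmp ==`
  'maxstartups' => '10:30:100',
  'clientaliveinterval' => '300',
  'clientalivecountmax' => '3'
}.freeze

# sshd-06 accepts several PermitRootLogin values. Anchored here; the
# profile's /no|without-password|prohibit-password/ is unanchored.
PERMIT_ROOT_LOGIN = /\A(no|without-password|prohibit-password)\z/

# Parse sshd_config text into { downcased keyword => value }.
# - "Key value" and "Key=value" forms are accepted; comment lines are skipped.
# - The first occurrence of a keyword wins, as in sshd itself.
# - Parsing stops at the first Match block: keywords below it apply only to
#   matching connections and must not be read as global settings.
def parse_sshd_config(text)
  cfg = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s*=\s*|\s+/, 2)
    break if key.downcase == 'match'
    next if value.nil? || value.strip.empty?
    cfg[key.downcase] ||= value.strip
  end
  cfg
end

# Evaluate the subset of controls. Returns { keyword => [passed, observed] }.
# Integer expectations use a numeric compare, mirroring InSpec's
# `should cmp == 2`; string expectations mirror `should eq`.
def evaluate_sshd_config(text)
  cfg = parse_sshd_config(text)
  results = {}
  EXPECTED.each do |key, want|
    got = cfg[key]
    passed = if want.is_a?(Integer)
               !got.nil? && got.match?(/\A\d+\z/) && got.to_i == want
             else
               got == want
             end
    results[key] = [passed, got || 'unset']
  end
  prl = cfg['permitrootlogin']
  results['permitrootlogin'] = [!prl.nil? && PERMIT_ROOT_LOGIN.match?(prl), prl || 'unset']
  results
end

# Sorted keywords whose control failed; an empty array means the subset passed.
def failing_keys(text)
  evaluate_sshd_config(text).reject { |_, (passed, _)| passed }.keys.sort
end

# Constructed sample: a config that satisfies every control in the subset.
HARDENED = <<~CFG
  Port 22
  Protocol 2
  Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
  KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
  MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
  PermitRootLogin prohibit-password
  PasswordAuthentication no
  MaxAuthTries 2
  MaxStartups 10:30:100
  ClientAliveInterval 300
  ClientAliveCountMax 3
CFG

# Constructed sample: a distribution-style default that fails several
# controls (a CBC cipher, root and password login, MaxAuthTries above the
# attribute); the Match block must not make PasswordAuthentication look "no".
DEFAULT = <<~CFG
  Port 22
  Ciphers aes256-ctr,aes128-cbc
  PermitRootLogin yes
  PasswordAuthentication yes
  MaxAuthTries 6
  Match User backup
      PasswordAuthentication no
CFG
```

Run `failing_keys(File.read('/etc/ssh/sshd_config'))` to apply the same subset to a real file; unset keywords count as failures, as they do in the profile.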
/Inspec/hardening-test/vendor/cb0da29499dc5d27497ce906abfd3111970710fd0021ed0a013eb7cb2cc22c5b/ssh-baseline-master/inspec.yml:
--------------------------------------------------------------------------------
name: ssh-baseline
title: DevSec SSH Baseline
maintainer: DevSec Hardening Framework Team
copyright: DevSec Hardening Framework Team
copyright_email: hello@dev-sec.io
license: Apache-2.0
summary: Test-suite for best-practice SSH hardening
version: 2.4.1
supports:
  - os-family: unix
attributes:
  - name: max_auth_tries
    required: false
    description: 'define MaxAuthTries'
    value: 2
    type: numeric

--------------------------------------------------------------------------------
/Inspec/hardening-test/vendor/cb0da29499dc5d27497ce906abfd3111970710fd0021ed0a013eb7cb2cc22c5b/ssh-baseline-master/libraries/ssh_crypto.rb:
--------------------------------------------------------------------------------
# Copyright 2015, Dominik Richter
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# author: Christoph Hartmann
# author: Dominik Richter
# author: Patrick Muench

class SshCrypto < Inspec.resource(1) # rubocop:disable Metrics/ClassLength
  name 'ssh_crypto'

  def ssh_version
    inspec.command('ssh -V 2>&1 | cut -f1 -d" " | cut -f2 -d"_"').stdout.to_f
  end

  def valid_ciphers # rubocop:disable Metrics/CyclomaticComplexity, Metrics/MethodLength
    # define a set of default ciphers
    ciphers53 = 'aes256-ctr,aes192-ctr,aes128-ctr'
    ciphers66 = 'chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr'
    ciphers = ciphers53

    # adjust ciphers based on OS + release
    case inspec.os[:name]
    when 'ubuntu'
      case inspec.os[:release]
      when '12.04'
        ciphers = ciphers53
      when '14.04', '15.10', '16.04', '18.04'
        ciphers = ciphers66
      end
    when 'debian'
      case inspec.os[:release]
      when /^6\./, /^7\./
        ciphers = ciphers53
      when /^8\./, /^9\./, /^10\./
        ciphers = ciphers66
      end
    when 'redhat', 'centos', 'oracle'
      case inspec.os[:release]
      when /^6\./
        ciphers = ciphers53
      when /^7\./
        ciphers = ciphers66
      end
    when 'amazon', 'fedora', 'alpine'
      ciphers = ciphers66
    when 'opensuse'
      case inspec.os[:release]
      when /^13\.2/
        ciphers = ciphers66
      when /^42\./
        ciphers = ciphers66
      end
    when 'mac_os_x'
      case inspec.os[:release]
      when /^10.9\./
        ciphers = ciphers53
      when /^10.10\./, /^10.11\./, /^10.12\./
        ciphers = ciphers66
      end
    end

    ciphers
  end

  def valid_kexs # rubocop:disable Metrics/CyclomaticComplexity, Metrics/MethodLength
    # define a set of default KEXs
    kex66 = 'curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
    kex59 = 'diffie-hellman-group-exchange-sha256'
    kex = kex59

    # adjust KEXs based on OS + release
    case inspec.os[:name]
    when 'ubuntu'
      case inspec.os[:release]
      when '12.04'
        kex = kex59
      when '14.04', '15.10', '16.04', '18.04'
        kex = kex66
      end
    when 'debian'
      case inspec.os[:release]
      when /^6\./
        kex = nil
      when /^7\./
        kex = kex59
      when /^8\./, /^9\./, /^10\./
        kex = kex66
      end
    when 'redhat', 'centos', 'oracle'
      case inspec.os[:release]
      when /^6\./
        kex = nil
      when /^7\./
        kex = kex66
      end
    when 'amazon', 'fedora', 'alpine'
      kex = kex66
    when 'opensuse'
      case inspec.os[:release]
      when /^13\.2/
        kex = kex66
      when /^42\./
        kex = kex66
      end
    when 'mac_os_x'
      case inspec.os[:release]
      when /^10.9\./
        kex = kex59
      when /^10.10\./, /^10.11\./, /^10.12\./
        kex = kex66
      end
    end

    kex
  end

  def valid_macs # rubocop:disable Metrics/CyclomaticComplexity, Metrics/MethodLength
    # define a set of default MACs
    macs66 = 'hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256'
    macs59 = 'hmac-sha2-512,hmac-sha2-256,hmac-ripemd160'
    macs53 = 'hmac-ripemd160,hmac-sha1'
    macs = macs59

    # adjust MACs based on OS + release
    case inspec.os[:name]
    when 'ubuntu'
      case inspec.os[:release]
      when '12.04'
        macs = macs59
      when '14.04', '15.10', '16.04', '18.04'
        macs = macs66
      end
    when 'debian'
      case inspec.os[:release]
      when /^6\./
        macs = macs53
      when /^7\./
        macs = macs59
      when /^8\./, /^9\./, /^10\./
        macs = macs66
      end
    when 'redhat', 'centos', 'oracle'
      case inspec.os[:release]
      when /^6\./
        macs = macs53
      when /^7\./
        macs = macs66
      end
    when 'amazon', 'fedora', 'alpine'
      macs = macs66
    when 'opensuse'
      case inspec.os[:release]
      when /^13\.2/
        macs = macs66
      when /^42\./
        macs = macs66
      end
    when 'mac_os_x'
      case inspec.os[:release]
      when /^10.9\./
        macs = macs59
      when /^10.10\./, /^10.11\./, /^10.12\./
        macs = macs66
      end
    end

    macs
  end

  def valid_privseparation
    # define privilege separation set
    ps53 = 'yes'
    ps59 = 'sandbox'
    ps75 = nil
    ps = ps59

    # debian 7.x and newer has ssh 5.9+
    # ubuntu 12.04 and newer has ssh 5.9+

    case inspec.os[:name]
    when 'debian'
      case inspec.os[:release]
      when /^6\./
        ps = ps53
      when /^10\./
        ps = ps75
      end
    when 'redhat', 'centos', 'oracle'
      case inspec.os[:release]
      # redhat/centos/oracle 6.x has ssh 5.3
      when /^6\./
        ps = ps53
      when /^7\./
        ps = ps59
      end
    when 'ubuntu'
      case inspec.os[:release]
      when /^18\./
        ps = ps75
      end
    when 'fedora', 'alpine'
      ps = ps75
    end

    ps
  end

  # return a list of valid algorithms for the current platform
  def valid_algorithms # rubocop:disable Metrics/CyclomaticComplexity, Metrics/MethodLength
    alg53 = %w[rsa]
    alg60 = %w[rsa ecdsa]
    alg66 = %w[rsa ecdsa ed25519]
    alg = alg66 # probably the most suitable set for everything unknown

    case inspec.os[:name]
    when 'ubuntu'
      case inspec.os[:release]
      when '12.04'
        alg = alg53
      when '14.04', '15.10', '16.04', '18.04'
        alg = alg66
      end
    when 'debian'
      case inspec.os[:release]
      when /^7\./
        alg = alg60
      when /^8\./, /^9\./
        alg = alg66
      end
    when 'redhat', 'centos', 'oracle'
      case inspec.os[:release]
      when /^6\./
        alg = alg53
      when /^7\./
        alg = alg66
      end
    when 'amazon', 'fedora', 'alpine'
      alg = alg66
    when 'opensuse'
      case inspec.os[:release]
when /^13\.2/ 253 | alg = alg66 254 | when /^42\./ 255 | alg = alg66 256 | end 257 | when 'mac_os_x' 258 | case inspec.os[:release] 259 | when /^10.9\./ 260 | alg53 261 | when /^10.10\./, /^10.11\./, /^10.12\./ 262 | alg66 263 | end 264 | end 265 | 266 | alg 267 | end 268 | 269 | # returns the hostkeys value based on valid_algorithms 270 | def valid_hostkeys 271 | hostkeys = valid_algorithms.map { |alg| "/etc/ssh/ssh_host_#{alg}_key" } 272 | # its('HostKey') provides a string for a single-element value. 273 | # we have to return a string if we have a single-element 274 | # https://github.com/chef/inspec/issues/1434 275 | return hostkeys[0] if hostkeys.length == 1 276 | 277 | hostkeys 278 | end 279 | end 280 | -------------------------------------------------------------------------------- /Jenkinsfile: -------------------------------------------------------------------------------- 1 | properties ([ 2 | parameters ([ 3 | string(name: 'appRepoURL', value: "", description: "Application's git repository"), 4 | string(name: 'dockerImage', value: "", description: "docker Image with tag"), 5 | string(name: 'targetURL', value: "", description: "Web application's URL"), 6 | choice(name: 'appType', choices: ['Java', 'Node', 'Angular'], description: 'Type of application'), 7 | string(name: 'hostMachineName', value: "", description: "Hostname of the machine"), 8 | string(name: 'hostMachineIP', value: "", description: "Public IP of the host machine") 9 | // password(name: 'hostMachinePassword', value: "", description: "Password of the target machine") 10 | ]) 11 | ]) 12 | 13 | def repoName=""; 14 | def app_type=""; 15 | def workspace=""; 16 | 17 | node { 18 | stage ('Checkout SCM') 19 | { 20 | catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') { 21 | checkout scm 22 | workspace = pwd () 23 | } 24 | } 25 | 26 | stage ('pre-build setup') 27 | { 28 | catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') { 29 | sh """ 30 | docker-compose -f Sonarqube/sonar.yml up -d 
31 | docker-compose -f Anchore-Engine/docker-compose.yaml up -d 32 | """ 33 | } 34 | } 35 | 36 | stage ('Check secrets') 37 | { 38 | catchError(buildResult: 'SUCCESS', stageResult: 'UNSTABLE') { 39 | sh """ 40 | rm trufflehog || true 41 | docker run gesellix/trufflehog --json --regex ${appRepoURL} > trufflehog 42 | cat trufflehog 43 | """ 44 | 45 | def truffle = readFile "trufflehog" 46 | 47 | if (truffle.length() == 0){ 48 | echo "Good to go" 49 | } 50 | else { 51 | echo "Warning! Secrets are committed into your git repository." 52 | throw new Exception("Secrets might be committed into your git repo") 53 | } 54 | } 55 | } 56 | 57 | stage ('Source Composition Analysis') 58 | { 59 | catchError(buildResult: 'SUCCESS', stageResult: 'UNSTABLE') { 60 | sh "git clone ${appRepoURL} || true" 61 | repoName = sh(returnStdout: true, script: """echo \$(basename ${appRepoURL.trim()})""").trim() 62 | repoName=sh(returnStdout: true, script: """echo ${repoName} | sed 's/.git//g'""").trim() 63 | 64 | if (appType.equalsIgnoreCase("Java")) { 65 | app_type = "pom.xml" 66 | } 67 | else { 68 | app_type = "package.json" 69 | dir ("${repoName}") { 70 | sh "npm install" 71 | } 72 | } 73 | 74 | snykSecurity failOnIssues: false, projectName: '$BUILD_NUMBER', severity: 'high', snykInstallation: 'SnykSec', snykTokenId: 'snyk-token', targetFile: "${repoName}/${app_type}" 75 | 76 | def snykFile = readFile "snyk_report.html" 77 | if (snykFile.exists()) { 78 | throw new Exception("Vulnerable dependencies found!") 79 | } 80 | else { 81 | echo "Please enter the app repo URL" 82 | currentBuild.Result = "FAILURE" 83 | } 84 | 85 | } 86 | } 87 | 88 | 89 | stage ('SAST') 90 | { 91 | catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') { 92 | if (appType.equalsIgnoreCase("Java")) { 93 | withSonarQubeEnv('sonarqube') { 94 | dir("${repoName}"){ 95 | sh "mvn clean package sonar:sonar" 96 | } 97 | } 98 | 99 | timeout(time: 1, unit: 'HOURS') { 100 | def qg = waitForQualityGate() 101 | if (qg.status != 
'OK') { 102 | error "Pipeline aborted due to quality gate failure: ${qg.status}" 103 | } 104 | } 105 | } 106 | } 107 | } 108 | 109 | stage ('Container Image Scan') 110 | { 111 | catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') { 112 | sh "rm anchore_images || true" 113 | sh """ echo "$dockerImage" > anchore_images""" 114 | anchore 'anchore_images' 115 | } 116 | } 117 | 118 | stage ('DAST') 119 | { 120 | catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') { 121 | sh """ 122 | rm -rf Archerysec-ZeD/zap_result/owasp_report || true 123 | docker run -v `pwd`/Archerysec-ZeD/:/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py \ 124 | -t ${targetURL} -J owasp_report 125 | """ 126 | } 127 | } 128 | 129 | stage ('Inspec') 130 | { 131 | 132 | 133 | catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') { 134 | 135 | /*to install inspec as a package 136 | curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec*/ 137 | sh """ 138 | rm inspec_results || true 139 | inspec exec Inspec/hardening-test -b ssh --host=${hostMachineIP} --user=${hostMachineName} -i ~/.ssh/id_rsa --reporter json:./inspec_results 140 | cat inspec_results | jq 141 | """ 142 | } 143 | } 144 | 145 | stage ('Clean up') 146 | { 147 | catchError(buildResult: 'SUCCESS', stageResult: 'FAILURE') { 148 | sh """ 149 | rm -r ${repoName} || true 150 | mkdir -p reports/trufflehog 151 | mkdir -p reports/snyk 152 | mkdir -p reports/Anchore-Engine 153 | mkdir -p reports/OWASP 154 | mkdir -p reports/Inspec 155 | mv trufflehog reports/trufflehog || true 156 | mv *.json *.html reports/snyk || true 157 | cp -r /var/lib/jenkins/jobs/${JOB_NAME}/builds/${BUILD_NUMBER}/archive/Anchore*/*.json ./reports/Anchore-Engine || true 158 | mv inspec_results reports/Inspec || true 159 | """ 160 | //cp Archerysec-ZeD/owasp_report reports/OWASP/ || ture 161 | 162 | sh """ 163 | docker system prune -f 164 | docker-compose -f Sonarqube/sonar.yml down 165 | docker-compose -f 
Anchore-Engine/docker-compose.yaml down -v 166 | """ 167 | } 168 | } 169 | } 170 | 171 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # DevSecOps-Template 2 | This DevSecOps utility includes various open-source security tools that can scan and report vulnerabilities within application code. We have created a parameterize Jenkinsfile, where application repository url, docker image name with tag (Publicly accessible), Server url where application running, and the project type (Java, Node) need to be define as a parameters. the job runs through various different stages as described below: 3 | 4 | - Stage 1 (Checkout SCM): This is the stage where our code is checked out. 5 | - Stage 2 (pre-build setup): This stage spins up all the necessary security tools in containers so that they are ready to be used. 6 | - Stage 3 (Check-secrets): Checks if any secrets are committed into your application repository. 7 | - Stage 4 (Source Composition Analysis): Identifies open source security risks and vulnerabilities of third-party components that was used in application code. 8 | - Stage 5 (SAST): Inspect the source code of your application and will pinpoint possible security flaws. 9 | - Stage 6 (Container Image Scan): Performs a thorough scan on the container images and the vulnerabilities are listed out in a json file. 10 | - Stage 7 (DAST): Test for security flaws once the application is up and running. 11 | - Stage 8 (Inspec): Tests your infrastructure with a inspec profile in the repo. 

--------------------------------------------------------------------------------
/Snyk/README.md:
--------------------------------------------------------------------------------
# Snyk
Snyk enables you to find, and more importantly fix, known vulnerabilities in your open-source dependencies. This guide helps you integrate Snyk with Jenkins so that you can scan for vulnerabilities in your application before you deploy it to production.

# Prerequisites
- You must sign up for an account with Snyk before you begin.
- Install the [snyk plugin](https://snyk.io/docs/install-the-snyk-plugin/) in the Jenkins server.

# Getting started
- Go to the pipeline script generator in Jenkins, find snykSecurity in the drop-down, fill in the required fields and generate the pipeline script.
- Copy the generated pipeline syntax and run it in the stage you want.
- Refer to this [link](https://snyk.io/docs/snyk-for-your-pipeline/) for further details.

--------------------------------------------------------------------------------
/Sonarqube/README.md:
--------------------------------------------------------------------------------
#
--------------------------------------------------------------------------------
/Sonarqube/sonar.yml:
--------------------------------------------------------------------------------
version: "3"

services:
  sonarqube:
    image: sonarqube:7.7-community
    expose:
      - 9000
    ports:
      - "9000:9000"
    volumes:
      - sonarqube_conf:/opt/sonarqube/conf
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_extensions:/opt/sonarqube/extensions
      - sonarqube_bundled-plugins:/opt/sonarqube/lib/bundled-plugins

volumes:
  sonarqube_conf:
  sonarqube_data:
  sonarqube_extensions:
  sonarqube_bundled-plugins:
--------------------------------------------------------------------------------
/Trufflehog/README.md:
--------------------------------------------------------------------------------
# Trufflehog
Searches through git repositories for secrets, digging deep into commit history and branches. This is effective at finding secrets accidentally committed. This guide runs a trufflehog container on a machine, which will search for any committed secrets.

```
NOTE: Need to have docker installed on the host from where you'll run the trufflehog container.
```

# Getting Started

- Add the following lines to your Jenkins stage (the last argument is the git repository URL to scan, as the Jenkinsfile passes `${appRepoURL}`).

```
docker run gesellix/trufflehog --json --regex <git-repo-url>
```
--------------------------------------------------------------------------------
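The Jenkinsfile's "Check secrets" stage fails whenever the trufflehog output file is non-empty, so a docker pull error would also be reported as "secrets committed". The following is an added example, not the repository's own code, of a stricter gate that counts only JSON finding lines and reports anything else as a failed scan; it assumes trufflehog's `--json` output carries a `stringsFound` key per finding, and all sample lines are constructed.

```shell
#!/bin/sh
# Added example (not the repository's own code): a stricter "Check secrets"
# gate. Assumption: trufflehog --json prints one JSON object per finding
# with a "stringsFound" key (the key name is assumed, not taken from the page).

# Print the number of finding lines in a trufflehog output file.
count_findings() {
    file="$1"
    [ -f "$file" ] || { echo 0; return 0; }
    # grep -c prints 0 but exits 1 when nothing matches, hence "|| true"
    grep -c -F '"stringsFound"' "$file" || true
}

# Gate for the pipeline: 0 = clean, 1 = findings present,
# 2 = the scanner did not run cleanly (non-JSON output, e.g. a docker error).
secrets_gate() {
    file="$1"
    findings=$(count_findings "$file")
    if [ "$findings" -gt 0 ]; then
        echo "FAIL: $findings potential secret(s) found in the repository history"
        return 1
    fi
    if [ -s "$file" ] && grep -q '[^[:space:]]' "$file"; then
        echo "ERROR: scanner produced non-JSON output; treat as a failed scan"
        return 2
    fi
    echo "OK: no secrets found"
    return 0
}

# Constructed sample outputs (not real scan results), written to a temp dir.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' \
  '{"branch":"main","commitHash":"0000000","path":"settings.py","reason":"High Entropy","stringsFound":["PLACEHOLDER_NOT_A_REAL_KEY"]}' \
  > "$SAMPLE_DIR/findings"
: > "$SAMPLE_DIR/clean"
printf '%s\n' 'Unable to find image gesellix/trufflehog:latest locally' \
  'docker: Error response from daemon: pull access denied' > "$SAMPLE_DIR/error"

# Demonstrate all three outcomes; "|| true" keeps the demo going under set -e.
for sample in findings clean error; do
    secrets_gate "$SAMPLE_DIR/$sample" || true
done
```

In the Jenkinsfile this would replace the `truffle.length() == 0` test: run `secrets_gate trufflehog` inside the `sh` step and let exit status 1 mark the stage unstable while status 2 marks the scan itself as failed.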