├── .github ├── version-drafter.yml └── workflows │ ├── codespell.yml │ ├── release.yml │ └── test.yml ├── .gitignore ├── .rubocop.yml ├── CHANGELOG.md ├── Gemfile ├── LICENSE ├── README.md ├── Rakefile ├── controls ├── os_spec.rb ├── package_spec.rb └── sysctl_spec.rb ├── inspec.yml ├── libraries ├── suid_blacklist.rb └── suid_check.rb └── renovate.json /.github/version-drafter.yml: -------------------------------------------------------------------------------- 1 | --- 2 | -------------------------------------------------------------------------------- /.github/workflows/codespell.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Codespell - Spellcheck 3 | 4 | on: # yamllint disable-line rule:truthy 5 | push: 6 | branches: [master] 7 | pull_request: 8 | branches: [master] 9 | 10 | jobs: 11 | codespell: 12 | uses: "dev-sec/.github/.github/workflows/codespell.yml@main" 13 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: New release 3 | 4 | on: # yamllint disable-line rule:truthy 5 | workflow_dispatch: 6 | push: 7 | branches: 8 | - master 9 | 10 | jobs: 11 | generate_changelog: 12 | uses: dev-sec/.github/.github/workflows/baseline-release.yml@main 13 | -------------------------------------------------------------------------------- /.github/workflows/test.yml: -------------------------------------------------------------------------------- 1 | name: Test 2 | 3 | on: 4 | push: 5 | branches: [ master ] 6 | pull_request: 7 | branches: [ master ] 8 | schedule: 9 | - cron: '0 6 * * *' 10 | 11 | jobs: 12 | test: 13 | uses: dev-sec/.github/.github/workflows/baseline-test.yml@main 14 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 
| **/.librarian 2 | **/.tmp 3 | **/Puppetfile.lock 4 | Gemfile.lock 5 | Berksfile.lock 6 | inspec.lock 7 | -------------------------------------------------------------------------------- /.rubocop.yml: -------------------------------------------------------------------------------- 1 | --- 2 | AllCops: 3 | Exclude: 4 | - vendor/**/* 5 | -------------------------------------------------------------------------------- /CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # Changelog 2 | 3 | ## [2.9.0](https://github.com/dev-sec/linux-baseline/tree/2.9.0) (2024-08-21) 4 | 5 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.8.3...2.9.0) 6 | 7 | **Implemented enhancements:** 8 | 9 | - extend sysctls for ipv6 [\#179](https://github.com/dev-sec/linux-baseline/pull/179) ([rndmh3ro](https://github.com/rndmh3ro)) 10 | - use centralised issue templates and workflows [\#178](https://github.com/dev-sec/linux-baseline/pull/178) ([schurzi](https://github.com/schurzi)) 11 | 12 | **Fixed bugs:** 13 | 14 | - fix wrong sysctl [\#180](https://github.com/dev-sec/linux-baseline/pull/180) ([rndmh3ro](https://github.com/rndmh3ro)) 15 | 16 | **Merged pull requests:** 17 | 18 | - ensure compatibility with new inspec version [\#184](https://github.com/dev-sec/linux-baseline/pull/184) ([schurzi](https://github.com/schurzi)) 19 | - add spellchecking with codespell [\#183](https://github.com/dev-sec/linux-baseline/pull/183) ([schurzi](https://github.com/schurzi)) 20 | - Configure Renovate [\#182](https://github.com/dev-sec/linux-baseline/pull/182) ([renovate[bot]](https://github.com/apps/renovate)) 21 | 22 | ## [2.8.3](https://github.com/dev-sec/linux-baseline/tree/2.8.3) (2022-09-29) 23 | 24 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.8.2...2.8.3) 25 | 26 | **Fixed bugs:** 27 | 28 | - fix handling of sysctl fs.protected\_fifos and fs.protected\_regular 
[\#172](https://github.com/dev-sec/linux-baseline/pull/172) ([schurzi](https://github.com/schurzi)) 29 | 30 | **Closed issues:** 31 | 32 | - Remove control 'os-08' because entropy is always at 256 [\#176](https://github.com/dev-sec/linux-baseline/issues/176) 33 | - How to deal with squashfs in Ubuntu 22 [\#174](https://github.com/dev-sec/linux-baseline/issues/174) 34 | - why keep\_logs? [\#171](https://github.com/dev-sec/linux-baseline/issues/171) 35 | - sysctl-34 - fs.protected\_regular is Ubuntu specific [\#170](https://github.com/dev-sec/linux-baseline/issues/170) 36 | 37 | **Merged pull requests:** 38 | 39 | - remove entropy-test [\#177](https://github.com/dev-sec/linux-baseline/pull/177) ([rndmh3ro](https://github.com/rndmh3ro)) 40 | - only disable SquashFS if it's not needed [\#175](https://github.com/dev-sec/linux-baseline/pull/175) ([schurzi](https://github.com/schurzi)) 41 | - Change linting to Cookstyle [\#169](https://github.com/dev-sec/linux-baseline/pull/169) ([schurzi](https://github.com/schurzi)) 42 | - Improve SUID find [\#168](https://github.com/dev-sec/linux-baseline/pull/168) ([magmax](https://github.com/magmax)) 43 | 44 | ## [2.8.2](https://github.com/dev-sec/linux-baseline/tree/2.8.2) (2022-01-12) 45 | 46 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.8.1...2.8.2) 47 | 48 | **Merged pull requests:** 49 | 50 | - missing inputs changed [\#167](https://github.com/dev-sec/linux-baseline/pull/167) ([micheelengronne](https://github.com/micheelengronne)) 51 | 52 | ## [2.8.1](https://github.com/dev-sec/linux-baseline/tree/2.8.1) (2022-01-12) 53 | 54 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.8.0...2.8.1) 55 | 56 | **Closed issues:** 57 | 58 | - Add checks for mount options \(noexec, nosuid, nodev\) [\#163](https://github.com/dev-sec/linux-baseline/issues/163) 59 | - Ensure links are protected [\#159](https://github.com/dev-sec/linux-baseline/issues/159) 60 | 61 | **Merged pull requests:** 62 | 63 | - 
use input instead of attribute [\#166](https://github.com/dev-sec/linux-baseline/pull/166) ([micheelengronne](https://github.com/micheelengronne)) 64 | - feat\(os-14\) add rule to check noexec, nosuid and nodev mount options [\#164](https://github.com/dev-sec/linux-baseline/pull/164) ([cmhe](https://github.com/cmhe)) 65 | - added sysctl-34 for checking link protection settings [\#160](https://github.com/dev-sec/linux-baseline/pull/160) ([cmhe](https://github.com/cmhe)) 66 | 67 | ## [2.8.0](https://github.com/dev-sec/linux-baseline/tree/2.8.0) (2021-05-06) 68 | 69 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.7.0...2.8.0) 70 | 71 | **Implemented enhancements:** 72 | 73 | - remove sysctl-18 - ipv6 no longer needs to be disabled [\#155](https://github.com/dev-sec/linux-baseline/pull/155) ([schurzi](https://github.com/schurzi)) 74 | - Disable source routing for IPv6. [\#152](https://github.com/dev-sec/linux-baseline/pull/152) ([joubbi](https://github.com/joubbi)) 75 | 76 | **Closed issues:** 77 | 78 | - Remove package-07 test [\#149](https://github.com/dev-sec/linux-baseline/issues/149) 79 | 80 | **Merged pull requests:** 81 | 82 | - remove control package-07 [\#154](https://github.com/dev-sec/linux-baseline/pull/154) ([rndmh3ro](https://github.com/rndmh3ro)) 83 | - fix rubocop error for Rakefile [\#153](https://github.com/dev-sec/linux-baseline/pull/153) ([schurzi](https://github.com/schurzi)) 84 | - add dependency to chef-config for CI [\#151](https://github.com/dev-sec/linux-baseline/pull/151) ([schurzi](https://github.com/schurzi)) 85 | 86 | ## [2.7.0](https://github.com/dev-sec/linux-baseline/tree/2.7.0) (2021-02-22) 87 | 88 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.6.4...2.7.0) 89 | 90 | **Implemented enhancements:** 91 | 92 | - add cron permissions hardening [\#150](https://github.com/dev-sec/linux-baseline/pull/150) ([rndmh3ro](https://github.com/rndmh3ro)) 93 | 94 | ## 
[2.6.4](https://github.com/dev-sec/linux-baseline/tree/2.6.4) (2021-02-02) 95 | 96 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.6.3...2.6.4) 97 | 98 | **Closed issues:** 99 | 100 | - os-06: Check for SUID/ SGID blacklist control previously passing is now falling [\#146](https://github.com/dev-sec/linux-baseline/issues/146) 101 | 102 | **Merged pull requests:** 103 | 104 | - use version tag for changelog action [\#148](https://github.com/dev-sec/linux-baseline/pull/148) ([schurzi](https://github.com/schurzi)) 105 | 106 | ## [2.6.3](https://github.com/dev-sec/linux-baseline/tree/2.6.3) (2021-01-29) 107 | 108 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.6.2...2.6.3) 109 | 110 | **Merged pull requests:** 111 | 112 | - fix super call [\#147](https://github.com/dev-sec/linux-baseline/pull/147) ([schurzi](https://github.com/schurzi)) 113 | 114 | ## [2.6.2](https://github.com/dev-sec/linux-baseline/tree/2.6.2) (2021-01-29) 115 | 116 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.6.1...2.6.2) 117 | 118 | **Merged pull requests:** 119 | 120 | - update code to conform to new linting rules [\#145](https://github.com/dev-sec/linux-baseline/pull/145) ([schurzi](https://github.com/schurzi)) 121 | - add github action for testing [\#144](https://github.com/dev-sec/linux-baseline/pull/144) ([rndmh3ro](https://github.com/rndmh3ro)) 122 | - Fix tiny typo [\#143](https://github.com/dev-sec/linux-baseline/pull/143) ([danwit](https://github.com/danwit)) 123 | 124 | ## [2.6.1](https://github.com/dev-sec/linux-baseline/tree/2.6.1) (2020-12-28) 125 | 126 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.6.0...2.6.1) 127 | 128 | **Merged pull requests:** 129 | 130 | - Allow arp\_ignore = 2 [\#142](https://github.com/dev-sec/linux-baseline/pull/142) ([mcgege](https://github.com/mcgege)) 131 | 132 | ## [2.6.0](https://github.com/dev-sec/linux-baseline/tree/2.6.0) (2020-12-16) 133 | 134 | [Full 
Changelog](https://github.com/dev-sec/linux-baseline/compare/2.5.0...2.6.0) 135 | 136 | **Implemented enhancements:** 137 | 138 | - feat\(osbaseline\): support validation for cpu vulnerabilities [\#138](https://github.com/dev-sec/linux-baseline/pull/138) ([imjoseangel](https://github.com/imjoseangel)) 139 | 140 | **Closed issues:** 141 | 142 | - cpu-vulnerability-directory \(1 failed\) - Ubuntu [\#139](https://github.com/dev-sec/linux-baseline/issues/139) 143 | - Support for validation of cpu vulnerabilities [\#114](https://github.com/dev-sec/linux-baseline/issues/114) 144 | 145 | **Merged pull requests:** 146 | 147 | - only check cpu vulnerabilities if not in container [\#141](https://github.com/dev-sec/linux-baseline/pull/141) ([schurzi](https://github.com/schurzi)) 148 | 149 | ## [2.5.0](https://github.com/dev-sec/linux-baseline/tree/2.5.0) (2020-08-25) 150 | 151 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.4.6...2.5.0) 152 | 153 | **Implemented enhancements:** 154 | 155 | - add archlinux-support for audit-check [\#136](https://github.com/dev-sec/linux-baseline/pull/136) ([rndmh3ro](https://github.com/rndmh3ro)) 156 | 157 | **Closed issues:** 158 | 159 | - os-10: CIS: Disable unused filesystems \(1 failed\) [\#135](https://github.com/dev-sec/linux-baseline/issues/135) 160 | 161 | ## [2.4.6](https://github.com/dev-sec/linux-baseline/tree/2.4.6) (2020-07-23) 162 | 163 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.4.5...2.4.6) 164 | 165 | **Closed issues:** 166 | 167 | - Default umask 077/027 leads into several problems installing software packages [\#133](https://github.com/dev-sec/linux-baseline/issues/133) 168 | 169 | **Merged pull requests:** 170 | 171 | - The release draft references the correct SHA [\#134](https://github.com/dev-sec/linux-baseline/pull/134) ([micheelengronne](https://github.com/micheelengronne)) 172 | 173 | ## [2.4.5](https://github.com/dev-sec/linux-baseline/tree/2.4.5) (2020-06-30) 174 | 
175 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.4.4...2.4.5) 176 | 177 | **Closed issues:** 178 | 179 | - /etc/passwd should not contain any password hashes [\#117](https://github.com/dev-sec/linux-baseline/issues/117) 180 | 181 | **Merged pull requests:** 182 | 183 | - Adds /etc/passwd format check [\#132](https://github.com/dev-sec/linux-baseline/pull/132) ([imjoseangel](https://github.com/imjoseangel)) 184 | 185 | ## [2.4.4](https://github.com/dev-sec/linux-baseline/tree/2.4.4) (2020-05-19) 186 | 187 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.4.3...2.4.4) 188 | 189 | **Merged pull requests:** 190 | 191 | - CHANGELOG for RELEASE done before the push to avoid breaking [\#131](https://github.com/dev-sec/linux-baseline/pull/131) ([micheelengronne](https://github.com/micheelengronne)) 192 | 193 | ## [2.4.3](https://github.com/dev-sec/linux-baseline/tree/2.4.3) (2020-05-19) 194 | 195 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.4.2...2.4.3) 196 | 197 | **Merged pull requests:** 198 | 199 | - release trigger [\#130](https://github.com/dev-sec/linux-baseline/pull/130) ([micheelengronne](https://github.com/micheelengronne)) 200 | 201 | ## [2.4.2](https://github.com/dev-sec/linux-baseline/tree/2.4.2) (2020-05-19) 202 | 203 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.4.1...2.4.2) 204 | 205 | **Merged pull requests:** 206 | 207 | - align versions [\#129](https://github.com/dev-sec/linux-baseline/pull/129) ([micheelengronne](https://github.com/micheelengronne)) 208 | 209 | ## [2.4.1](https://github.com/dev-sec/linux-baseline/tree/2.4.1) (2020-05-19) 210 | 211 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.4.0...2.4.1) 212 | 213 | **Closed issues:** 214 | 215 | - New release [\#127](https://github.com/dev-sec/linux-baseline/issues/127) 216 | 217 | **Merged pull requests:** 218 | 219 | - github actions 
[\#128](https://github.com/dev-sec/linux-baseline/pull/128) ([micheelengronne](https://github.com/micheelengronne)) 220 | 221 | ## [2.4.0](https://github.com/dev-sec/linux-baseline/tree/2.4.0) (2020-03-26) 222 | 223 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.3.0...2.4.0) 224 | 225 | **Closed issues:** 226 | 227 | - net.ipv4.ip\_forward needs to be '1' on docker hosts [\#126](https://github.com/dev-sec/linux-baseline/issues/126) 228 | - sysctl-19 should check the sysctl\_forwarding attribute [\#124](https://github.com/dev-sec/linux-baseline/issues/124) 229 | - Issue after upgrading to the latest version of Inspec. [\#122](https://github.com/dev-sec/linux-baseline/issues/122) 230 | - Support for ESXi [\#116](https://github.com/dev-sec/linux-baseline/issues/116) 231 | - Deprecation Warnings [\#115](https://github.com/dev-sec/linux-baseline/issues/115) 232 | - systctl-33 - undefined method `expect' [\#107](https://github.com/dev-sec/linux-baseline/issues/107) 233 | 234 | **Merged pull requests:** 235 | 236 | - skip the sysctl-19 control when sysctl\_forwarding is true [\#125](https://github.com/dev-sec/linux-baseline/pull/125) ([b-dean](https://github.com/b-dean)) 237 | - add documentation for missing package-04 control [\#123](https://github.com/dev-sec/linux-baseline/pull/123) ([chris-rock](https://github.com/chris-rock)) 238 | - Allow core dumps to be piped into a program with an absolute path. [\#121](https://github.com/dev-sec/linux-baseline/pull/121) ([samjmarshall](https://github.com/samjmarshall)) 239 | - Allow for lowercase auditd config flush value. 
[\#120](https://github.com/dev-sec/linux-baseline/pull/120) ([samjmarshall](https://github.com/samjmarshall)) 240 | - Fixing some deprecation notices [\#119](https://github.com/dev-sec/linux-baseline/pull/119) ([jjasghar](https://github.com/jjasghar)) 241 | 242 | ## [2.3.0](https://github.com/dev-sec/linux-baseline/tree/2.3.0) (2019-05-15) 243 | 244 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.2.2...2.3.0) 245 | 246 | **Closed issues:** 247 | 248 | - Audit Daemon Fails on Amazon Linux 2 [\#109](https://github.com/dev-sec/linux-baseline/issues/109) 249 | - os-11 fails on vanilla Ubuntu 16.04/18.04 [\#104](https://github.com/dev-sec/linux-baseline/issues/104) 250 | - Container conditions to skip tests? [\#102](https://github.com/dev-sec/linux-baseline/issues/102) 251 | - Duplicate testing for telnetd instead of rsh [\#97](https://github.com/dev-sec/linux-baseline/issues/97) 252 | - Profile summary VS Test Summary [\#93](https://github.com/dev-sec/linux-baseline/issues/93) 253 | - Control Sysctl 31-b from sysctl\_spec.rb causing Inspec to exit with error code [\#92](https://github.com/dev-sec/linux-baseline/issues/92) 254 | 255 | **Merged pull requests:** 256 | 257 | - Bump version to 2.3.0 and switch to inspec 3 for check [\#113](https://github.com/dev-sec/linux-baseline/pull/113) ([alexpop](https://github.com/alexpop)) 258 | - Add compatibility for alpine based images [\#111](https://github.com/dev-sec/linux-baseline/pull/111) ([zopanix](https://github.com/zopanix)) 259 | - Minor grammatical fix in README [\#108](https://github.com/dev-sec/linux-baseline/pull/108) ([cachedout](https://github.com/cachedout)) 260 | - Update issue templates [\#106](https://github.com/dev-sec/linux-baseline/pull/106) ([rndmh3ro](https://github.com/rndmh3ro)) 261 | - \#104 Fix os-11 for Ubuntu 16.04 and newer [\#105](https://github.com/dev-sec/linux-baseline/pull/105) ([IceBear2k](https://github.com/IceBear2k)) 262 | - efi-check should run on remote host, not 
locally [\#103](https://github.com/dev-sec/linux-baseline/pull/103) ([rndmh3ro](https://github.com/rndmh3ro)) 263 | - update grammar in desc [\#101](https://github.com/dev-sec/linux-baseline/pull/101) ([juliandunn](https://github.com/juliandunn)) 264 | - Update to test for rsh-server instead of duplicate telnetd [\#98](https://github.com/dev-sec/linux-baseline/pull/98) ([aavetis](https://github.com/aavetis)) 265 | 266 | ## [2.2.2](https://github.com/dev-sec/linux-baseline/tree/2.2.2) (2018-07-19) 267 | 268 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.2.1...2.2.2) 269 | 270 | **Merged pull requests:** 271 | 272 | - Update to version 2.2.2 [\#99](https://github.com/dev-sec/linux-baseline/pull/99) ([james-stocks](https://github.com/james-stocks)) 273 | - Do not disable vfat by default [\#96](https://github.com/dev-sec/linux-baseline/pull/96) ([rndmh3ro](https://github.com/rndmh3ro)) 274 | - fix virtualization usage in older inspec versions [\#95](https://github.com/dev-sec/linux-baseline/pull/95) ([mattlqx](https://github.com/mattlqx)) 275 | 276 | ## [2.2.1](https://github.com/dev-sec/linux-baseline/tree/2.2.1) (2018-05-14) 277 | 278 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.2.0...2.2.1) 279 | 280 | **Closed issues:** 281 | 282 | - /etc/shadow permissions false positive on Fedora [\#89](https://github.com/dev-sec/linux-baseline/issues/89) 283 | 284 | **Merged pull requests:** 285 | 286 | - Skip auditd and sysctl tests for containers [\#91](https://github.com/dev-sec/linux-baseline/pull/91) ([artem-sidorenko](https://github.com/artem-sidorenko)) 287 | - Fixes \#89 false positive /etc/shadow on Fedora [\#90](https://github.com/dev-sec/linux-baseline/pull/90) ([marcelhuth](https://github.com/marcelhuth)) 288 | - Fix typos in `inspec.yml` [\#88](https://github.com/dev-sec/linux-baseline/pull/88) ([jerryaldrichiii](https://github.com/jerryaldrichiii)) 289 | 290 | ## 
[2.2.0](https://github.com/dev-sec/linux-baseline/tree/2.2.0) (2017-12-01) 291 | 292 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.1.1...2.2.0) 293 | 294 | **Closed issues:** 295 | 296 | - linux-baseline os-06 can not be skipped [\#86](https://github.com/dev-sec/linux-baseline/issues/86) 297 | - control os-10 fails \(/etc/modprobe.d/dev-sec.conf\) [\#80](https://github.com/dev-sec/linux-baseline/issues/80) 298 | - package-08 error on amazon linux [\#79](https://github.com/dev-sec/linux-baseline/issues/79) 299 | 300 | **Merged pull requests:** 301 | 302 | - deferring the execution of permissions to profile execution [\#87](https://github.com/dev-sec/linux-baseline/pull/87) ([chris-rock](https://github.com/chris-rock)) 303 | - CIS 4.1.1.3 [\#85](https://github.com/dev-sec/linux-baseline/pull/85) ([tomhaynes](https://github.com/tomhaynes)) 304 | - Update Fedora controls [\#84](https://github.com/dev-sec/linux-baseline/pull/84) ([shoekstra](https://github.com/shoekstra)) 305 | - Fix log\_dir\_group for Ubuntu 14.04+ [\#83](https://github.com/dev-sec/linux-baseline/pull/83) ([shoekstra](https://github.com/shoekstra)) 306 | - Tune some parameters for RedHat system [\#82](https://github.com/dev-sec/linux-baseline/pull/82) ([strangeman](https://github.com/strangeman)) 307 | - add logdir-check [\#81](https://github.com/dev-sec/linux-baseline/pull/81) ([rndmh3ro](https://github.com/rndmh3ro)) 308 | - Optimize file search routines [\#77](https://github.com/dev-sec/linux-baseline/pull/77) ([mcgege](https://github.com/mcgege)) 309 | - Check for Amazon Linux when determining audit package. 
[\#76](https://github.com/dev-sec/linux-baseline/pull/76) ([HenryTheHamster](https://github.com/HenryTheHamster)) 310 | - Update package\_spec.rb [\#74](https://github.com/dev-sec/linux-baseline/pull/74) ([lnxchk](https://github.com/lnxchk)) 311 | - CIS 1.5.4 Ensure prelink is disabled [\#73](https://github.com/dev-sec/linux-baseline/pull/73) ([bitvijays](https://github.com/bitvijays)) 312 | - Added net.ipv4.conf.default.log\_martians for Martian Packets in sysctl\_spec.rb [\#72](https://github.com/dev-sec/linux-baseline/pull/72) ([bitvijays](https://github.com/bitvijays)) 313 | - 1.1.1 CIS Disable unused filesystem [\#71](https://github.com/dev-sec/linux-baseline/pull/71) ([bitvijays](https://github.com/bitvijays)) 314 | - os-02: Fix for SUSE environments [\#70](https://github.com/dev-sec/linux-baseline/pull/70) ([mcgege](https://github.com/mcgege)) 315 | - On SUSE environments 'auditd' is part of package 'audit' [\#69](https://github.com/dev-sec/linux-baseline/pull/69) ([mcgege](https://github.com/mcgege)) 316 | - use recommended spdx license identifier [\#68](https://github.com/dev-sec/linux-baseline/pull/68) ([chris-rock](https://github.com/chris-rock)) 317 | 318 | ## [2.1.1](https://github.com/dev-sec/linux-baseline/tree/2.1.1) (2017-06-02) 319 | 320 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.1.0...2.1.1) 321 | 322 | **Closed issues:** 323 | 324 | - systctl-33 doesn't see nx flag [\#65](https://github.com/dev-sec/linux-baseline/issues/65) 325 | - check for audit\(d\) fails on aws linux ami [\#60](https://github.com/dev-sec/linux-baseline/issues/60) 326 | 327 | **Merged pull requests:** 328 | 329 | - CI: update to ruby 2.4.1 and rubocop 0.49.1 [\#66](https://github.com/dev-sec/linux-baseline/pull/66) ([artem-sidorenko](https://github.com/artem-sidorenko)) 330 | - Use assignment\_regex, only\_if and bump profile version [\#64](https://github.com/dev-sec/linux-baseline/pull/64) ([alexpop](https://github.com/alexpop)) 331 | - num\_logs 
has different values on different distros [\#63](https://github.com/dev-sec/linux-baseline/pull/63) ([artem-sidorenko](https://github.com/artem-sidorenko)) 332 | - Allow verification if kernel modules loading is disabled [\#62](https://github.com/dev-sec/linux-baseline/pull/62) ([artem-sidorenko](https://github.com/artem-sidorenko)) 333 | - Fix: more generic auditd settings [\#61](https://github.com/dev-sec/linux-baseline/pull/61) ([artem-sidorenko](https://github.com/artem-sidorenko)) 334 | 335 | ## [2.1.0](https://github.com/dev-sec/linux-baseline/tree/2.1.0) (2017-05-08) 336 | 337 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.0.1...2.1.0) 338 | 339 | **Merged pull requests:** 340 | 341 | - update metadata [\#58](https://github.com/dev-sec/linux-baseline/pull/58) ([chris-rock](https://github.com/chris-rock)) 342 | - update gemfile [\#57](https://github.com/dev-sec/linux-baseline/pull/57) ([atomic111](https://github.com/atomic111)) 343 | - restrict ruby testing to version 2.3.3 [\#56](https://github.com/dev-sec/linux-baseline/pull/56) ([atomic111](https://github.com/atomic111)) 344 | - Properly verify the kernel dump setting [\#52](https://github.com/dev-sec/linux-baseline/pull/52) ([artem-sidorenko](https://github.com/artem-sidorenko)) 345 | - auditd package is called audit in the rhel family [\#51](https://github.com/dev-sec/linux-baseline/pull/51) ([rdeusser](https://github.com/rdeusser)) 346 | - Ignore inspec.lock file [\#50](https://github.com/dev-sec/linux-baseline/pull/50) ([techraf](https://github.com/techraf)) 347 | - Remove duplicated expectation from sysctl-16 [\#49](https://github.com/dev-sec/linux-baseline/pull/49) ([techraf](https://github.com/techraf)) 348 | - update links in readme [\#47](https://github.com/dev-sec/linux-baseline/pull/47) ([chris-rock](https://github.com/chris-rock)) 349 | - essay: differentiate redhat/debian, add extra conditions [\#44](https://github.com/dev-sec/linux-baseline/pull/44) 
([juju4](https://github.com/juju4)) 350 | 351 | ## [2.0.1](https://github.com/dev-sec/linux-baseline/tree/2.0.1) (2016-12-21) 352 | 353 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/2.0.0...2.0.1) 354 | 355 | **Closed issues:** 356 | 357 | - permissions /etc/shadow [\#41](https://github.com/dev-sec/linux-baseline/issues/41) 358 | - False positives in control os-06 [\#40](https://github.com/dev-sec/linux-baseline/issues/40) 359 | 360 | **Merged pull requests:** 361 | 362 | - update profile metadata & tooling [\#46](https://github.com/dev-sec/linux-baseline/pull/46) ([chris-rock](https://github.com/chris-rock)) 363 | - update Gemfile [\#43](https://github.com/dev-sec/linux-baseline/pull/43) ([atomic111](https://github.com/atomic111)) 364 | - Update links in README file [\#42](https://github.com/dev-sec/linux-baseline/pull/42) ([netflash](https://github.com/netflash)) 365 | - Fix cpu flags and change default for net.ipv4.conf.all.log\_martians [\#39](https://github.com/dev-sec/linux-baseline/pull/39) ([chris-rock](https://github.com/chris-rock)) 366 | 367 | ## [2.0.0](https://github.com/dev-sec/linux-baseline/tree/2.0.0) (2016-04-29) 368 | 369 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/1.3.0...2.0.0) 370 | 371 | **Merged pull requests:** 372 | 373 | - inspec profile [\#38](https://github.com/dev-sec/linux-baseline/pull/38) ([chris-rock](https://github.com/chris-rock)) 374 | 375 | ## [1.3.0](https://github.com/dev-sec/linux-baseline/tree/1.3.0) (2016-04-25) 376 | 377 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/1.2.0...1.3.0) 378 | 379 | **Fixed bugs:** 380 | 381 | - update identifier [\#37](https://github.com/dev-sec/linux-baseline/pull/37) ([chris-rock](https://github.com/chris-rock)) 382 | 383 | **Merged pull requests:** 384 | 385 | - prevent nil in flags [\#36](https://github.com/dev-sec/linux-baseline/pull/36) ([arlimus](https://github.com/arlimus)) 386 | 387 | ## 
[1.2.0](https://github.com/dev-sec/linux-baseline/tree/1.2.0) (2015-12-08) 388 | 389 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/1.1.0...1.2.0) 390 | 391 | **Merged pull requests:** 392 | 393 | - removed serverspec support and created all inspec tests [\#35](https://github.com/dev-sec/linux-baseline/pull/35) ([atomic111](https://github.com/atomic111)) 394 | 395 | ## [1.1.0](https://github.com/dev-sec/linux-baseline/tree/1.1.0) (2015-10-15) 396 | 397 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/1.0.0...1.1.0) 398 | 399 | **Merged pull requests:** 400 | 401 | - bugfix: lint error [\#20](https://github.com/dev-sec/linux-baseline/pull/20) ([chris-rock](https://github.com/chris-rock)) 402 | 403 | ## [1.0.0](https://github.com/dev-sec/linux-baseline/tree/1.0.0) (2014-08-13) 404 | 405 | [Full Changelog](https://github.com/dev-sec/linux-baseline/compare/d39ff2f0ed650ff62f3eda29ba2adc9f36721d91...1.0.0) 406 | 407 | **Merged pull requests:** 408 | 409 | - Lockdown mode [\#19](https://github.com/dev-sec/linux-baseline/pull/19) ([arlimus](https://github.com/arlimus)) 410 | - split sysctl\_spec.rb, added suid whitliste and uid unique search [\#18](https://github.com/dev-sec/linux-baseline/pull/18) ([atomic111](https://github.com/atomic111)) 411 | - added additional test [\#17](https://github.com/dev-sec/linux-baseline/pull/17) ([atomic111](https://github.com/atomic111)) 412 | - add travis config, add default task to rakefile [\#16](https://github.com/dev-sec/linux-baseline/pull/16) ([ehaselwanter](https://github.com/ehaselwanter)) 413 | - update rubocop, add common linter task, fix rubocop issues [\#15](https://github.com/dev-sec/linux-baseline/pull/15) ([ehaselwanter](https://github.com/ehaselwanter)) 414 | - fix exec-shield test [\#14](https://github.com/dev-sec/linux-baseline/pull/14) ([chris-rock](https://github.com/chris-rock)) 415 | - add lint rake task with robocop and fix issues 
[\#13](https://github.com/dev-sec/linux-baseline/pull/13) ([chris-rock](https://github.com/chris-rock)) 416 | - added Telekom Security Requirement numbers to the corresponding kitchen test [\#12](https://github.com/dev-sec/linux-baseline/pull/12) ([atomic111](https://github.com/atomic111)) 417 | - add ruby gem source [\#11](https://github.com/dev-sec/linux-baseline/pull/11) ([chris-rock](https://github.com/chris-rock)) 418 | - add standalone usage feature [\#10](https://github.com/dev-sec/linux-baseline/pull/10) ([ehaselwanter](https://github.com/ehaselwanter)) 419 | - serverspec has a contract on running commands remote. this fixes the local [\#9](https://github.com/dev-sec/linux-baseline/pull/9) ([ehaselwanter](https://github.com/ehaselwanter)) 420 | - add lockfiles and delete them from tree [\#8](https://github.com/dev-sec/linux-baseline/pull/8) ([ehaselwanter](https://github.com/ehaselwanter)) 421 | - rubocop fixes [\#7](https://github.com/dev-sec/linux-baseline/pull/7) ([ehaselwanter](https://github.com/ehaselwanter)) 422 | - moved site.pp to the shared test, were it belongs [\#6](https://github.com/dev-sec/linux-baseline/pull/6) ([ehaselwanter](https://github.com/ehaselwanter)) 423 | - bugfix: arp restrictions should apply to all, not just eth0 [\#5](https://github.com/dev-sec/linux-baseline/pull/5) ([arlimus](https://github.com/arlimus)) 424 | - one folder level up [\#4](https://github.com/dev-sec/linux-baseline/pull/4) ([ehaselwanter](https://github.com/ehaselwanter)) 425 | - Fix: change value of log\_martians to the cookbook default [\#3](https://github.com/dev-sec/linux-baseline/pull/3) ([atomic111](https://github.com/atomic111)) 426 | - discard one level to be able to use the defaults in test-kitchen by just [\#2](https://github.com/dev-sec/linux-baseline/pull/2) ([ehaselwanter](https://github.com/ehaselwanter)) 427 | - added tests from chef-os-hardening [\#1](https://github.com/dev-sec/linux-baseline/pull/1) 
([ehaselwanter](https://github.com/ehaselwanter)) 428 | 429 | 430 | 431 | \* *This Changelog was automatically generated by [github_changelog_generator](https://github.com/github-changelog-generator/github-changelog-generator)* 432 | -------------------------------------------------------------------------------- /Gemfile: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | source 'https://rubygems.org' 4 | 5 | gem 'cookstyle' 6 | gem 'highline' 7 | gem 'rack' 8 | gem 'rake' 9 | gem 'rubocop' 10 | 11 | group :tools do 12 | gem 'github_changelog_generator' 13 | gem 'pry-coolline' 14 | end 15 | 16 | source 'https://rubygems.cinc.sh' do 17 | gem 'chef-config' 18 | gem 'cinc-auditor-bin' 19 | end 20 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 
23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. 
For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. 
If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. 
You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. 
You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 
176 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | DevSec Linux Baseline 2 | ===================== 3 | 4 | This Compliance Profile ensures that all hardening projects keep the same quality. 5 | 6 | - https://github.com/dev-sec/puppet-os-hardening 7 | - https://github.com/dev-sec/chef-os-hardening 8 | - https://github.com/dev-sec/ansible-os-hardening 9 | 10 | ## Standalone Usage 11 | 12 | This Compliance Profile requires [InSpec](https://github.com/chef/inspec) for execution: 13 | 14 | ``` 15 | $ git clone https://github.com/dev-sec/linux-baseline 16 | $ inspec exec linux-baseline 17 | ``` 18 | 19 | You can also execute the profile directly from Github: 20 | 21 | ``` 22 | $ inspec exec https://github.com/dev-sec/linux-baseline 23 | ``` 24 | 25 | ## License and Author 26 | 27 | * Author:: Patrick Muench 28 | * Author:: Dominik Richter 29 | * Author:: Christoph Hartmann 30 | * Author:: Edmund Haselwanter 31 | 32 | * Copyright 2014-2021, The Hardening Framework Team 33 | 34 | Licensed under the Apache License, Version 2.0 (the "License"); 35 | you may not use this file except in compliance with the License. 36 | You may obtain a copy of the License at 37 | 38 | http://www.apache.org/licenses/LICENSE-2.0 39 | 40 | Unless required by applicable law or agreed to in writing, software 41 | distributed under the License is distributed on an "AS IS" BASIS, 42 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 43 | See the License for the specific language governing permissions and 44 | limitations under the License. 
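45 |
--------------------------------------------------------------------------------
/Rakefile:
--------------------------------------------------------------------------------
# frozen_string_literal: true

require 'cookstyle'
require 'rake/testtask'
require 'rubocop/rake_task'

# Rubocop
# NOTE(review): this defines the RuboCop rake task (default name 'rubocop') from
# inside a task of the same name; it appears to rely on Rake picking up the newly
# added action in the same invocation — confirm, or move `RuboCop::RakeTask.new`
# to the top level like the cookstyle task below.
desc 'Run Rubocop lint checks'
task :rubocop do
  RuboCop::RakeTask.new
end

# Cookstyle (Chef-flavoured RuboCop); cop names are printed next to each offense.
RuboCop::RakeTask.new(:cookstyle) do |task|
  task.options << '--display-cop-names'
end

# lint the project (description fixed: it said 'robocop')
desc 'Run rubocop linter'
task lint: [:rubocop]

# run tests: lint first, then validate the profile itself
task default: [:lint, 'test:check']

namespace :test do
  # run inspec check to verify that the profile is properly configured
  task :check do
    # required here rather than at the top, presumably so `rake lint` works without InSpec installed
    require 'inspec'
    puts "Checking profile with InSpec Version: #{Inspec::VERSION}"
    # mock backend: the profile is loaded and validated without connecting to a target
    profile = Inspec::Profile.for_target('.', backend: Inspec::Backend.create(Inspec::Config.mock))
    pp profile.check
  end
end
--------------------------------------------------------------------------------
/controls/os_spec.rb:
--------------------------------------------------------------------------------
# frozen_string_literal: true

#
# Copyright:: 2015, Patrick Muench
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.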
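#
# author: Christoph Hartmann
# author: Dominik Richter
# author: Patrick Muench

# Expected UMASK in /etc/login.defs: 077 on the RedHat family, 027 everywhere else.
login_defs_umask = input('login_defs_umask', value: os.redhat? ? '077' : '027')

# Password ageing policy expected in /etc/login.defs (strings, because the
# login_defs resource yields strings and the controls compare with `eq`).
login_defs_passmaxdays = input('login_defs_passmaxdays', value: '60')
login_defs_passmindays = input('login_defs_passmindays', value: '7')
login_defs_passwarnage = input('login_defs_passwarnage', value: '7')

# Group that is allowed to own /etc/shadow.
shadow_group = 'root'
shadow_group = 'shadow' if os.debian? || os.suse? || os.name == 'alpine'
# True inside an lxc/docker guest; controls that look at kernel or sysfs state
# skip themselves there. Falls back to false when the virtualization resource
# cannot answer.
container_execution = begin
  virtualization.role == 'guest' && virtualization.system =~ /^(lxc|docker)$/
rescue NoMethodError
  false
end

# SUID/SGID binaries that must not exist on the host. The default comes from
# libraries/suid_blacklist.rb and can be overridden through the 'blacklist' input.
blacklist = input(
  'blacklist',
  value: suid_blacklist.default
)

# sysfs directory where the kernel publishes one status file per known CPU vulnerability.
cpuvulndir = '/sys/devices/system/cpu/vulnerabilities/'

# Overview of necessary mount options to be checked:
#
#---------------------------------------------------------
# Mount point          nodev  noexec  nosuid
# /boot                  v      v       v
# /dev                          v       v
# /dev/shm               v      v       v
# /home                  v              v
# /run                   v              v
# /tmp                   v      v       v
# /var                   v              v
# /var/log               v      v       v
# /var/log/audit         v      v       v
# /var/tmp               v      v       v
#---------------------------------------------------------

mount_exec_blocklist = input(
  'mount_exec_blocklist',
  value: ['/boot', '/dev', '/dev/shm', '/tmp', '/var/log', '/var/log/audit', '/var/tmp']
)

mount_suid_blocklist = input(
  'mount_suid_blocklist',
  value: ['/boot', '/dev', '/dev/shm', '/home', '/run', '/tmp', '/var', '/var/log', '/var/log/audit', '/var/tmp']
)

mount_dev_blocklist = input(
  'mount_dev_blocklist',
  value: ['/boot', '/dev/shm', '/home', '/run', '/tmp', '/var', '/var/log', '/var/log/audit', '/var/tmp']
)

control 'os-01' do
  impact 1.0
  title 'Trusted hosts login'
  desc "hosts.equiv file is a weak implementation of authentication. Disabling the hosts.equiv support helps to prevent users from subverting the system's normal access control mechanisms of the system."
  # Absence of the file is the only acceptable state.
  describe file('/etc/hosts.equiv') do
    it { should_not exist }
  end
end

control 'os-02' do
  impact 1.0
  title 'Check owner and permissions for /etc/shadow'
  desc 'Check periodically the owner and permissions for /etc/shadow'
  # Common baseline for every platform: root-owned regular file, platform group,
  # never executable, never world-readable.
  describe file('/etc/shadow') do
    it { should exist }
    it { should be_file }
    it { should be_owned_by 'root' }
    its('group') { should eq shadow_group }
    it { should_not be_executable }
    it { should_not be_readable.by('other') }
  end
  # RedHat/Fedora clear the owner bits as well; other platforms keep owner rw.
  if os.redhat? || os.name == 'fedora'
    describe file('/etc/shadow') do
      it { should_not be_writable.by('owner') }
      it { should_not be_readable.by('owner') }
    end
  else
    describe file('/etc/shadow') do
      it { should be_writable.by('owner') }
      it { should be_readable.by('owner') }
    end
  end
  # Debian/SUSE grant read access to the shadow group; nobody else may.
  if os.debian? || os.suse?
    describe file('/etc/shadow') do
      it { should be_readable.by('group') }
    end
  else
    describe file('/etc/shadow') do
      it { should_not be_readable.by('group') }
    end
  end
end

control 'os-03' do
  impact 1.0
  title 'Check owner and permissions for /etc/passwd'
  desc 'Check periodically the owner and permissions for /etc/passwd'
  # /etc/passwd is world-readable by design; only root may write it.
  describe file('/etc/passwd') do
    it { should exist }
    it { should be_file }
    it { should be_owned_by 'root' }
    its('group') { should eq 'root' }
    it { should_not be_executable }
    it { should be_writable.by('owner') }
    it { should_not be_writable.by('group') }
    it { should_not be_writable.by('other') }
    it { should be_readable.by('owner') }
    it { should be_readable.by('group') }
    it { should be_readable.by('other') }
  end
end

control 'os-03b' do
  impact 1.0
  title 'Check passwords hashes in /etc/passwd'
  desc 'Check periodically that /etc/passwd does not contain passwords'
  # Every password field must be a placeholder ('x' = hash lives in /etc/shadow, '*' = locked).
  describe passwd do
    its('passwords') { should be_in ['x', '*'] }
  end
end

control 'os-04' do
  impact 1.0
  title 'Dot in PATH variable'
  desc 'Do not include the current working directory in PATH variable. This makes it easier for an attacker to gain extensive rights by executing a Trojan program'
  # An empty element ('::' or a leading/trailing ':') is equivalent to '.'.
  # NOTE(review): os_env reports the environment of the session InSpec runs in,
  # not the login defaults; confirm that is the intended scope.
  describe os_env('PATH') do
    its('split') { should_not include('') }
    its('split') { should_not include('.') }
  end
end

control 'os-05' do
  impact 1.0
  title 'Check login.defs'
  desc 'Check owner and permissions for login.defs. Also check the configured PATH variable and umask in login.defs'
  describe file('/etc/login.defs') do
    it { should exist }
    it { should be_file }
    it { should be_owned_by 'root' }
    its('group') { should eq 'root' }
    it { should_not be_executable }
    it { should be_readable.by('owner') }
    it { should be_readable.by('group') }
    it { should be_readable.by('other') }
  end
  # Default PATHs, umask, password ageing, login throttling and the first
  # non-system uid/gid are all pinned to the hardening projects' values.
  describe login_defs do
    its('ENV_SUPATH') { should include('/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin') }
    its('ENV_PATH') { should include('/usr/local/bin:/usr/bin:/bin') }
    its('UMASK') { should include(login_defs_umask) }
    its('PASS_MAX_DAYS') { should eq login_defs_passmaxdays }
    its('PASS_MIN_DAYS') { should eq login_defs_passmindays }
    its('PASS_WARN_AGE') { should eq login_defs_passwarnage }
    its('LOGIN_RETRIES') { should eq '5' }
    its('LOGIN_TIMEOUT') { should eq '60' }
    its('UID_MIN') { should eq '1000' }
    its('GID_MIN') { should eq '1000' }
  end
end

control 'os-05b' do
  impact 1.0
  title 'Check login.defs - RedHat specific'
  desc 'Check owner and permissions for login.defs. Also check the configured PATH variable and umask in login.defs'
  describe file('/etc/login.defs') do
    it { should_not be_writable }
  end
  # System account id ranges as shipped by the RedHat family.
  describe login_defs do
    its('SYS_UID_MIN') { should eq '201' }
    its('SYS_UID_MAX') { should eq '999' }
    its('SYS_GID_MIN') { should eq '201' }
    its('SYS_GID_MAX') { should eq '999' }
  end
  only_if { os.redhat? }
end

control 'os-06' do
  impact 1.0
  title 'Check for SUID/ SGID blacklist'
  desc 'Find blacklisted SUID and SGID files to ensure that no rogue SUID and SGID files have been introduced into the system'

  # suid_check (libraries/suid_check.rb) reports the blacklisted entries found on the host.
  describe suid_check(blacklist) do
    its('diff') { should be_empty }
  end
end

control 'os-07' do
  impact 1.0
  title 'Unique uid and gid'
  desc 'Check for unique uids gids'
  describe passwd do
    its('uids') { should_not contain_duplicates }
  end
  describe etc_group do
    its('gids') { should_not contain_duplicates }
  end
end

control 'os-09' do
  impact 1.0
  title 'Check for .rhosts and .netrc file'
  desc 'Find .rhosts and .netrc files - CIS Benchmark 9.2.9-10'
  # Only three directory levels deep (enough for /root and /home/<user>);
  # find's own errors go to /dev/null and any remaining 'find:' lines are dropped.
  output = command('find / -maxdepth 3 \( -iname .rhosts -o -iname .netrc \) -print 2>/dev/null | grep -v \'^find:\'')
  out = output.stdout.split(/\r?\n/)
  describe out do
    it { should be_empty }
  end
end

control 'os-10' do
  impact 1.0
  title 'CIS: Disable unused filesystems'
  desc '1.1.1 Ensure mounting of cramfs, freevxfs, jffs2, hfs, hfsplus, squashfs, udf, FAT'
  only_if { !container_execution }
  efi_dir = inspec.file('/sys/firmware/efi')
  # The modprobe drop-in must contain an `install <fs> /bin/true` line per filesystem
  # (the string is used as a regular expression by `match`).
  describe file('/etc/modprobe.d/dev-sec.conf') do
    its(:content) { should match 'install cramfs /bin/true' }
    its(:content) { should match 'install freevxfs /bin/true' }
    its(:content) { should match 'install jffs2 /bin/true' }
    its(:content) { should match 'install hfs /bin/true' }
    its(:content) { should match 'install hfsplus /bin/true' }
    # Ubuntu Snaps need SquashFS to function
    unless service('snapd').running?
      its(:content) { should match 'install squashfs /bin/true' }
    end
    its(:content) { should match 'install udf /bin/true' }
    # if efi is active, do not disable vfat. otherwise the system
    # won't boot anymore
    unless efi_dir.exist?
      its(:content) { should match 'install vfat /bin/true' }
    end
  end
end

control 'os-11' do
  impact 1.0
  title 'Protect log-directory'
  desc 'The log-directory /var/log should belong to root'
  describe file('/var/log') do
    it { should be_directory }
    it { should be_owned_by 'root' }
    # Whole-name match: the alternation is grouped so that only 'root' or 'syslog'
    # pass (the previous /^root|syslog$/ also accepted e.g. 'rootfoo').
    its(:group) { should match(/^(root|syslog)$/) }
  end
end

control 'os-12' do
  impact 1.0
  title 'Detect vulnerabilities in the cpu-vulnerability-directory'
  desc 'Check for known cpu vulnerabilities described here: https://www.kernel.org/doc/html/v5.6/admin-guide/hw-vuln/index.html'
  only_if { !container_execution }

  # Older kernels do not expose the directory at all; then there is nothing to check.
  if file(cpuvulndir).exist?
    describe file(cpuvulndir) do
      it { should be_directory }
    end

    # -maxdepth is a global option and has to precede tests such as -type,
    # otherwise GNU find warns on stderr; only files directly in the directory are listed.
    loaded_files = command("find #{cpuvulndir} -maxdepth 1 -type f").stdout.split(/\n/).map(&:strip).reject(&:empty?)

    # Any status line containing 'vulnerable' (in any case) is a finding;
    # 'Not affected' and 'Mitigation: ...' pass.
    loaded_files.each do |vulnfile|
      describe file(vulnfile) do
        its(:content) { should_not match(/vulnerable/i) }
      end
    end
  end
end

control 'os-13' do
  impact 1.0
  title 'Protect cron directories and files'
  desc 'The cron directories and files should belong to root.'

  cron_files = ['/etc/crontab', '/etc/cron.hourly', '/etc/cron.daily', '/etc/cron.weekly', '/etc/cron.monthly', '/etc/cron.d']

  # Missing entries are skipped; existing ones must be root-owned and private to root.
  cron_files.each do |cron_file|
    next unless file(cron_file).exist?

    describe file(cron_file) do
      it { should be_owned_by 'root' }
      it { should_not be_writable.by('group') }
      it { should_not be_writable.by('other') }
      it { should_not be_readable.by('group') }
      it { should_not be_readable.by('other') }
    end
  end
end

control 'os-14' do
  impact 1.0
  title 'Check mountpoints for noexec mount options'
  desc 'Use the noexec mount options to limit attack vectors via mount points'

  # Only separately mounted paths are checked; a path that is part of the root
  # filesystem is skipped rather than failed.
  mount_exec_blocklist.each do |mnt_point|
    next unless mount(mnt_point).mounted?

    describe mount(mnt_point) do
      its('options') { should include('noexec') }
    end
  end
end

control 'os-15' do
  impact 1.0
  title 'Check mountpoints for nosuid mount options'
  desc 'Use the nosuid mount options to limit attack vectors via mount points'

  mount_suid_blocklist.each do |mnt_point|
    next unless mount(mnt_point).mounted?

    describe mount(mnt_point) do
      its('options') { should include('nosuid') }
    end
  end
end

control 'os-16' do
  impact 1.0
  title 'Check mountpoints for nodev mount options'
  desc 'Use the nodev mount options to limit attack vectors via mount points'

  mount_dev_blocklist.each do |mnt_point|
    next unless mount(mnt_point).mounted?

    describe mount(mnt_point) do
      its('options') { should include('nodev') }
    end
  end
end
--------------------------------------------------------------------------------
/controls/package_spec.rb:
--------------------------------------------------------------------------------
# frozen_string_literal: true

#
# Copyright:: 2015, Patrick Muench
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.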
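# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# author: Christoph Hartmann
# author: Dominik Richter
# author: Patrick Muench

# True inside an lxc/docker guest; package-08 skips itself there. Falls back to
# false when the virtualization resource cannot answer.
container_execution = begin
  virtualization.role == 'guest' && virtualization.system =~ /^(lxc|docker)$/
rescue NoMethodError
  false
end

# NOTE(review): the package names below are distribution-specific. On a
# distribution that ships the same service under a different package name a
# `should_not be_installed` check cannot fail and the control passes vacuously;
# confirm the names against every supported platform.

control 'package-01' do
  impact 1.0
  title 'Do not run deprecated inetd or xinetd'
  desc 'http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.1'
  # One describe block per super-server so each is reported separately.
  %w[inetd xinetd].each do |superserver|
    describe package(superserver) do
      it { should_not be_installed }
    end
  end
end

control 'package-02' do
  impact 1.0
  title 'Do not install Telnet server'
  desc 'Telnet protocol uses unencrypted communication, that means the password and other sensitive data are unencrypted. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.2'
  describe package('telnetd') do
    it { should_not be_installed }
  end
end

control 'package-03' do
  impact 1.0
  title 'Do not install rsh server'
  desc 'The r-commands suffers same problem as telnet. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.3'
  describe package('rsh-server') do
    it { should_not be_installed }
  end
end

# package-04 is reserved, because we forgot to use it in the first-place :-)

control 'package-05' do
  impact 1.0
  title 'Do not install ypserv server (NIS)'
  desc 'Network Information Service (NIS) has some security design weaknesses like inadequate protection of important authentication information. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.4'
  describe package('ypserv') do
    it { should_not be_installed }
  end
end

control 'package-06' do
  impact 1.0
  title 'Do not install tftp server'
  desc 'tftp-server provides little security http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.5'
  describe package('tftp-server') do
    it { should_not be_installed }
  end
end

control 'package-08' do
  impact 1.0
  title 'Install auditd'
  desc 'auditd provides extended logging capabilities on recent distributions'
  only_if { !container_execution }
  # The package is named 'audit' on the RedHat family, SUSE, Amazon Linux,
  # Fedora and Arch, and 'auditd' everywhere else.
  audit_pkg = if os.redhat? || os.suse? || os.name == 'amazon' || os.name == 'fedora' || os.name == 'arch'
                'audit'
              else
                'auditd'
              end
  describe package(audit_pkg) do
    it { should be_installed }
  end
  # Expected auditd.conf: raw log format, logs are kept rather than rotated away,
  # and the disk-space actions escalate from syslog to suspending auditing.
  describe auditd_conf do
    its('log_file') { should cmp '/var/log/audit/audit.log' }
    its('log_format') { should cmp 'raw' }
    # Whole-value match: the alternation is grouped and anchored at both ends, so
    # values such as 'incremental_foo' or 'xINCREMENTALx' no longer pass
    # (the previous /^incremental|INCREMENTAL|...$/ anchored only the outer alternatives).
    its('flush') { should match(/^(incremental|INCREMENTAL|incremental_async|INCREMENTAL_ASYNC)$/) }
    its('max_log_file_action') { should cmp 'keep_logs' }
    its('space_left') { should cmp 75 }
    its('action_mail_acct') { should cmp 'root' }
    its('space_left_action') { should cmp 'SYSLOG' }
    its('admin_space_left') { should cmp 50 }
    its('admin_space_left_action') { should cmp 'SUSPEND' }
    its('disk_full_action') { should cmp 'SUSPEND' }
    its('disk_error_action') { should cmp 'SUSPEND' }
  end
end

control 'package-09' do
  impact 1.0
  title 'CIS: Additional process hardening'
  desc '1.5.4 Ensure prelink is disabled'
  describe package('prelink') do
    it { should_not be_installed }
  end
end
--------------------------------------------------------------------------------
/controls/sysctl_spec.rb:
--------------------------------------------------------------------------------
# frozen_string_literal: true

#
# Copyright:: 2015, Patrick Muench
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.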
#
# author: Christoph Hartmann
# author: Dominik Richter
# author: Patrick Muench

# Set to true on hosts that are meant to route between interfaces; sysctl-01 is skipped then.
sysctl_forwarding = input('sysctl_forwarding', value: false)
# Not referenced by the controls in this part of the file; presumably used further down.
kernel_modules_disabled = input('kernel_modules_disabled', value: 0)
# lxc/docker guests share the host kernel, so kernel parameters are not theirs
# to set; every control below skips itself when this is true. Falls back to
# false when the virtualization resource cannot answer.
container_execution = begin
  virtualization.role == 'guest' && virtualization.system =~ /^(lxc|docker)$/
rescue NoMethodError
  false
end

control 'sysctl-01' do
  impact 1.0
  title 'IPv4 Forwarding'
  desc "If you're not intending for your system to forward traffic between interfaces, or if you only have a single interface, the forwarding function must be disable."
  only_if { sysctl_forwarding == false && !container_execution }
  # Both the legacy switch and the per-interface 'all' setting have to be off.
  %w[net.ipv4.ip_forward net.ipv4.conf.all.forwarding].each do |param|
    describe kernel_parameter(param) do
      its('value') { should eq 0 }
    end
  end
end

control 'sysctl-02' do
  impact 1.0
  title 'Reverse path filtering'
  desc "The rp_filter can reject incoming packets if their source address doesn't match the network interface that they're arriving on, which helps to prevent IP spoofing."
  only_if { !container_execution }
  # Strict mode (1) on existing interfaces and as the default for new ones.
  %w[all default].each do |scope|
    describe kernel_parameter("net.ipv4.conf.#{scope}.rp_filter") do
      its('value') { should eq 1 }
    end
  end
end

control 'sysctl-03' do
  impact 1.0
  title 'ICMP ignore bogus error responses'
  desc 'Sometimes routers send out invalid responses to broadcast frames. This is a violation of RFC 1122 and the kernel will logged this. To avoid filling up your logfile with unnecessary stuff, you can tell the kernel not to issue these warnings'
  only_if { !container_execution }
  describe kernel_parameter('net.ipv4.icmp_ignore_bogus_error_responses') do
    its('value') { should eq 1 }
  end
end

control 'sysctl-04' do
  impact 1.0
  title 'ICMP echo ignore broadcasts'
  desc 'Blocking ICMP ECHO requests to broadcast addresses'
  only_if { !container_execution }
  describe kernel_parameter('net.ipv4.icmp_echo_ignore_broadcasts') do
    its('value') { should eq 1 }
  end
end

control 'sysctl-05' do
  impact 1.0
  title 'ICMP ratelimit'
  desc 'icmp_ratelimit defines how many packets that match the icmp_ratemask per second'
  only_if { !container_execution }
  describe kernel_parameter('net.ipv4.icmp_ratelimit') do
    its('value') { should eq 100 }
  end
end

control 'sysctl-06' do
  impact 1.0
  title 'ICMP ratemask'
  desc 'Ratemask is a logical OR of all ICMP codes to rate limit'
  only_if { !container_execution }
  # 88089 is the bitmask of ICMP types the hardening projects rate-limit.
  describe kernel_parameter('net.ipv4.icmp_ratemask') do
    its('value') { should eq 88089 }
  end
end

control 'sysctl-07' do
  impact 1.0
  title 'TCP timestamps'
  desc "It is possible to estimate the current uptime of a Linux system. It's preferable to disable TCP timestamps on your systems."
  only_if { !container_execution }
  describe kernel_parameter('net.ipv4.tcp_timestamps') do
    its('value') { should eq 0 }
  end
end

control 'sysctl-08' do
  impact 1.0
  title 'ARP ignore'
  desc 'Reply only if the target IP address is local address configured on the incoming interface.'
  only_if { !container_execution }
  # Either 1 or 2 is accepted; both restrict replies to addresses on the incoming interface.
  describe kernel_parameter('net.ipv4.conf.all.arp_ignore') do
    its('value') { should cmp(/(1|2)/) }
  end
end

control 'sysctl-09' do
  impact 1.0
  title 'ARP announce'
  desc 'Always use the best local address for this target. In this mode we ignore the source address in the IP packet and try to select local address that we prefer for talks with the target host.'
  only_if { !container_execution }
  describe kernel_parameter('net.ipv4.conf.all.arp_announce') do
    its('value') { should eq 2 }
  end
end

control 'sysctl-10' do
  impact 1.0
  title 'TCP RFC1337 Protect Against TCP Time-Wait'
  desc 'This enables a fix for time-wait assassination hazards in tcp, described in RFC 1337. If enabled, this causes the kernel to drop RST packets for sockets in the time-wait state.'
  only_if { !container_execution }
  describe kernel_parameter('net.ipv4.tcp_rfc1337') do
    its('value') { should eq 1 }
  end
end

control 'sysctl-11' do
  impact 1.0
  title 'Protection against SYN flood attacks'
  desc 'A SYN-Attack is a denial of service (DoS) attack that consumes resources on your system forcing you to reboot.'
  only_if { !container_execution }
  describe kernel_parameter('net.ipv4.tcp_syncookies') do
    its('value') { should eq 1 }
  end
end

control 'sysctl-12' do
  impact 1.0
  title 'Shared Media IP Architecture'
  desc 'Send(router) or accept(host) RFC1620 shared media redirects. If it is not set the kernel does not assume that different subnets on this device can communicate directly.'
  only_if { !container_execution }
  %w[all default].each do |scope|
    describe kernel_parameter("net.ipv4.conf.#{scope}.shared_media") do
      its('value') { should eq 1 }
    end
  end
end

control 'sysctl-13' do
  impact 1.0
  title 'Disable Source Routing'
  desc 'The accept_source_route option causes network interfaces to accept packets with the Strict Source Route (SSR) or Loose Source Routing (LSR) option set. An attacker is able to send a source routed packet into the network, then he could intercept the replies and your server might not know that it is not communicating with a trusted server'
  only_if { !container_execution }
  # Source routing must be refused for IPv4 and IPv6, on existing and on new interfaces.
  source_route_params = %w[
    net.ipv4.conf.all.accept_source_route
    net.ipv4.conf.default.accept_source_route
    net.ipv6.conf.all.accept_source_route
    net.ipv6.conf.default.accept_source_route
  ]
  source_route_params.each do |param|
    describe kernel_parameter(param) do
      its('value') { should eq 0 }
    end
  end
end

control 'sysctl-14' do
  impact 1.0
  title 'Disable acceptance of all IPv4 redirected packets'
  desc 'Disable acceptance of all redirected packets these prevents Man-in-the-Middle attacks.'
  only_if { !container_execution }
  # 'default' is checked before 'all' to keep the report order unchanged.
  %w[default all].each do |scope|
    describe kernel_parameter("net.ipv4.conf.#{scope}.accept_redirects") do
      its('value') { should eq 0 }
    end
  end
end

control 'sysctl-15' do
  impact 1.0
  title 'Disable acceptance of all secure redirected packets'
  desc 'Disable acceptance of all secure redirected packets these prevents Man-in-the-Middle attacks.'
195 | only_if { !container_execution } 196 | describe kernel_parameter('net.ipv4.conf.all.secure_redirects') do 197 | its(:value) { should eq 0 } 198 | end 199 | describe kernel_parameter('net.ipv4.conf.default.secure_redirects') do 200 | its(:value) { should eq 0 } 201 | end 202 | end 203 | 204 | control 'sysctl-16' do 205 | impact 1.0 206 | title 'Disable sending of redirects packets' 207 | desc 'Disable sending of redirects packets' 208 | only_if { !container_execution } 209 | describe kernel_parameter('net.ipv4.conf.default.send_redirects') do 210 | its(:value) { should eq 0 } 211 | end 212 | describe kernel_parameter('net.ipv4.conf.all.send_redirects') do 213 | its(:value) { should eq 0 } 214 | end 215 | end 216 | 217 | control 'sysctl-17' do 218 | impact 1.0 219 | title 'Disable log martians' 220 | desc 'log_martians can cause a denial of service attack to the host' 221 | only_if { !container_execution } 222 | describe kernel_parameter('net.ipv4.conf.all.log_martians') do 223 | its(:value) { should eq 1 } 224 | end 225 | describe kernel_parameter('net.ipv4.conf.default.log_martians') do 226 | its(:value) { should eq 1 } 227 | end 228 | end 229 | 230 | control 'sysctl-19' do 231 | impact 1.0 232 | title 'IPv6 Forwarding' 233 | desc "If you're not intending for your system to forward traffic between interfaces, or if you only have a single interface, the forwarding function must be disable." 234 | only_if { sysctl_forwarding == false && !container_execution } 235 | describe kernel_parameter('net.ipv6.conf.all.forwarding') do 236 | its(:value) { should eq 0 } 237 | end 238 | end 239 | 240 | control 'sysctl-20' do 241 | impact 1.0 242 | title 'Disable acceptance of all IPv6 redirected packets' 243 | desc 'Disable acceptance of all redirected packets these prevents Man-in-the-Middle attacks.' 
244 | only_if { !container_execution } 245 | describe kernel_parameter('net.ipv6.conf.default.accept_redirects') do 246 | its(:value) { should eq 0 } 247 | end 248 | describe kernel_parameter('net.ipv6.conf.all.accept_redirects') do 249 | its(:value) { should eq 0 } 250 | end 251 | end 252 | 253 | control 'sysctl-21' do 254 | impact 1.0 255 | title 'Disable acceptance of IPv6 router solicitations messages' 256 | desc 'The router solicitations setting determines how many router solicitations are sent when bringing up the interface. If addresses are statically assigned, there is no need to send any solicitations.' 257 | only_if { !container_execution } 258 | describe kernel_parameter('net.ipv6.conf.default.router_solicitations') do 259 | its(:value) { should eq 0 } 260 | end 261 | describe kernel_parameter('net.ipv6.conf.all.router_solicitations') do 262 | its(:value) { should eq 0 } 263 | end 264 | end 265 | 266 | control 'sysctl-22' do 267 | impact 1.0 268 | title 'Disable Accept Router Preference from router advertisement' 269 | desc 'Disable Accept Router Preference from router advertisement' 270 | only_if { !container_execution } 271 | describe kernel_parameter('net.ipv6.conf.default.accept_ra_rtr_pref') do 272 | its(:value) { should eq 0 } 273 | end 274 | end 275 | 276 | control 'sysctl-23' do 277 | impact 1.0 278 | title 'Disable learning Prefix Information from router advertisement' 279 | desc 'The accept_ra_pinfo setting controls whether the system will accept prefix info from the router.' 280 | only_if { !container_execution } 281 | describe kernel_parameter('net.ipv6.conf.default.accept_ra_pinfo') do 282 | its(:value) { should eq 0 } 283 | end 284 | end 285 | 286 | control 'sysctl-24' do 287 | impact 1.0 288 | title 'Disable learning Hop limit from router advertisement' 289 | desc 'The accept_ra_defrtr setting controls whether the system will accept Hop Limit settings from a router advertisement. 
Setting it to 0 prevents a router from changing your default IPv6 Hop Limit for outgoing packets.' 290 | only_if { !container_execution } 291 | describe kernel_parameter('net.ipv6.conf.default.accept_ra_defrtr') do 292 | its(:value) { should eq 0 } 293 | end 294 | end 295 | 296 | control 'sysctl-25' do 297 | impact 1.0 298 | title 'Disable the system`s acceptance of router advertisement' 299 | desc 'Setting controls whether the system will accept router advertisement' 300 | only_if { !container_execution } 301 | describe kernel_parameter('net.ipv6.conf.all.accept_ra') do 302 | its(:value) { should eq 0 } 303 | end 304 | describe kernel_parameter('net.ipv6.conf.default.accept_ra') do 305 | its(:value) { should eq 0 } 306 | end 307 | end 308 | 309 | control 'sysctl-26' do 310 | impact 1.0 311 | title 'Disable IPv6 autoconfiguration' 312 | desc 'The autoconf setting controls whether router advertisements can cause the system to assign a global unicast address to an interface.' 313 | only_if { !container_execution } 314 | describe kernel_parameter('net.ipv6.conf.default.autoconf') do 315 | its(:value) { should eq 0 } 316 | end 317 | describe kernel_parameter('net.ipv6.conf.all.autoconf') do 318 | its(:value) { should eq 0 } 319 | end 320 | end 321 | 322 | control 'sysctl-27' do 323 | impact 1.0 324 | title 'Disable neighbor solicitations to send out per address' 325 | desc 'The dad_transmits setting determines how many neighbor solicitations to send out per address (global and link-local) when bringing up an interface to ensure the desired address is unique on the network.' 
326 | only_if { !container_execution } 327 | describe kernel_parameter('net.ipv6.conf.default.dad_transmits') do 328 | its(:value) { should eq 0 } 329 | end 330 | end 331 | 332 | control 'sysctl-28' do 333 | impact 1.0 334 | title 'Assign one global unicast IPv6 addresses to each interface' 335 | desc 'The max_addresses setting determines how many global unicast IPv6 addresses can be assigned to each interface. The default is 16, but it should be set to exactly the number of statically configured global addresses required.' 336 | only_if { !container_execution } 337 | describe kernel_parameter('net.ipv6.conf.default.max_addresses') do 338 | its(:value) { should eq 1 } 339 | end 340 | end 341 | 342 | control 'sysctl-29' do 343 | impact 1.0 344 | title 'Disable loading kernel modules' 345 | desc 'The sysctl key kernel.modules_disabled is very straightforward. If it contains a "1" it will disable loading new modules, where a "0" will still allow loading them. Using this option will be a great protection against loading malicious kernel modules.' 346 | only_if { !container_execution } 347 | describe kernel_parameter('kernel.modules_disabled') do 348 | its(:value) { should eq kernel_modules_disabled } 349 | end 350 | end 351 | 352 | control 'sysctl-30' do 353 | impact 1.0 354 | title 'Magic SysRq' 355 | desc "Kernel.sysreg is a 'magical' key combo you can hit which the kernel will respond to regardless of whatever else it is doing, unless it is completely locked up." 
356 | only_if { !container_execution } 357 | describe kernel_parameter('kernel.sysrq') do 358 | its(:value) { should eq 0 } 359 | end 360 | end 361 | 362 | control 'sysctl-31a' do 363 | impact 1.0 364 | title 'Secure Core Dumps - dump settings' 365 | desc 'Ensure that core dumps can never be made by setuid programs' 366 | only_if { !container_execution } 367 | describe kernel_parameter('fs.suid_dumpable') do 368 | its(:value) { should cmp(/(0|2)/) } 369 | end 370 | end 371 | 372 | control 'sysctl-31b' do 373 | impact 1.0 374 | title 'Secure Core Dumps - dump path' 375 | desc 'Ensure that core dumps are done with fully qualified path' 376 | only_if { kernel_parameter('fs.suid_dumpable').value == 2 && !container_execution } 377 | describe kernel_parameter('kernel.core_pattern') do 378 | its(:value) { should match %r{^\|?/.*} } 379 | end 380 | end 381 | 382 | control 'sysctl-32' do 383 | impact 1.0 384 | title 'kernel.randomize_va_space' 385 | desc 'kernel.randomize_va_space' 386 | only_if { !container_execution } 387 | describe kernel_parameter('kernel.randomize_va_space') do 388 | its(:value) { should eq 2 } 389 | end 390 | end 391 | 392 | control 'sysctl-33' do 393 | impact 1.0 394 | title 'CPU No execution Flag or Kernel ExecShield' 395 | desc 'Kernel features and CPU flags provide a protection against buffer overflows. The CPU NX Flag and the kernel parameter exec-shield prevents code execution on a per memory page basis. If the CPU supports the NX-Flag then this should be used instead of the kernel parameter exec-shield.' 
396 | only_if { !container_execution } 397 | 398 | # parse for cpu flags 399 | flags = parse_config_file('/proc/cpuinfo', assignment_regex: /^([^:]*?)\s+:\s+(.*?)$/).flags 400 | flags ||= '' 401 | flags = flags.split(' ') 402 | 403 | describe '/proc/cpuinfo' do 404 | it 'Flags should include NX' do 405 | expect(flags).to include('nx') 406 | end 407 | end 408 | 409 | unless flags.include?('nx') 410 | # if no nx flag is present, we require exec-shield 411 | describe kernel_parameter('kernel.exec-shield') do 412 | its(:value) { should eq 1 } 413 | end 414 | end 415 | end 416 | 417 | control 'sysctl-34' do 418 | impact 1.0 419 | title 'Ensure links are protected' 420 | desc 'Protects against common exploits in regards to links, fifos and regular files created or controlled by attackers' 421 | only_if { !container_execution } 422 | describe kernel_parameter('fs.protected_fifos') do 423 | its(:value) { should eq(1).or eq(2).or eq(nil) } # include nil because RHEL7 does not have this parameter 424 | end 425 | describe kernel_parameter('fs.protected_hardlinks') do 426 | its(:value) { should eq 1 } 427 | end 428 | describe kernel_parameter('fs.protected_regular') do 429 | its(:value) { should eq(2).or eq(nil) } # include nil because RHEL7 does not have this parameter 430 | end 431 | describe kernel_parameter('fs.protected_symlinks') do 432 | its(:value) { should eq 1 } 433 | end 434 | end 435 | -------------------------------------------------------------------------------- /inspec.yml: -------------------------------------------------------------------------------- 1 | --- 2 | name: linux-baseline 3 | title: DevSec Linux Security Baseline 4 | maintainer: DevSec Hardening Framework Team 5 | copyright: DevSec Hardening Framework Team 6 | copyright_email: hello@dev-sec.io 7 | license: Apache-2.0 8 | summary: Test suite for best practice Linux OS hardening 9 | inspec_version: '>= 4.6.3' 10 | version: 2.9.0 11 | supports: 12 | - os-family: linux 13 | inputs: 14 | - name: 
login_defs_umask 15 | description: Default umask to set in login.defs 16 | - name: login_defs_passmaxdays 17 | description: Default password maxdays to set in login.defs 18 | - name: login_defs_passmindays 19 | description: Default password mindays to set in login.defs 20 | - name: login_defs_passwarnage 21 | description: Default password warnage (days) to set in login.defs 22 | - name: blacklist 23 | description: blacklist of suid/sgid program on system 24 | - name: mount_exec_blocklist 25 | description: List of mountpoints where 'noexec' mount option should be set 26 | - name: mount_suid_blocklist 27 | description: List of mountpoints where 'nosuid' mount option should be set 28 | - name: mount_dev_blocklist 29 | description: List of mountpoints where 'nodev' mount option should be set 30 | - name: sysctl_forwarding 31 | description: Is network forwarding needed? 32 | - name: kernel_modules_disabled 33 | description: Should loading of kernel modules be disabled? 34 | -------------------------------------------------------------------------------- /libraries/suid_blacklist.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | # author: Christoph Hartmann 4 | 5 | class SUIDBlacklist < Inspec.resource(1) 6 | name 'suid_blacklist' 7 | desc 'The suid_blacklist resource returns the default suid blacklist' 8 | 9 | def default 10 | [ 11 | # blacklist as provided by NSA 12 | '/usr/bin/rcp', '/usr/bin/rlogin', '/usr/bin/rsh', 13 | # sshd must not use host-based authentication (see ssh cookbook) 14 | '/usr/libexec/openssh/ssh-keysign', 15 | '/usr/lib/openssh/ssh-keysign', 16 | # misc others 17 | '/sbin/netreport', # not normally required for user 18 | '/usr/sbin/usernetctl', # modify interfaces via functional accounts 19 | # connecting to ... 20 | '/usr/sbin/userisdnctl', # no isdn... 21 | '/usr/sbin/pppd', # no ppp / dsl ... 
22 | # lockfile 23 | '/usr/bin/lockfile', 24 | '/usr/bin/mail-lock', 25 | '/usr/bin/mail-unlock', 26 | '/usr/bin/mail-touchlock', 27 | '/usr/bin/dotlockfile', 28 | # need more investigation, blacklist for now 29 | '/usr/bin/arping', 30 | '/usr/sbin/arping', 31 | '/usr/sbin/uuidd', 32 | '/usr/bin/mtr', # investigate current state... 33 | '/usr/lib/evolution/camel-lock-helper-1.2', # investigate current state... 34 | '/usr/lib/pt_chown', # pseudo-tty, needed? 35 | '/usr/lib/eject/dmcrypt-get-device', 36 | '/usr/lib/mc/cons.saver' # midnight commander screensaver 37 | # from Ubuntu xenial, need to investigate 38 | # '/sbin/unix_chkpwd', 39 | # '/sbin/pam_extrausers_chkpwd', 40 | # '/usr/lib/x86_64-linux-gnu/utempter/utempter', 41 | # '/usr/sbin/postdrop', 42 | # '/usr/sbin/postqueue', 43 | # '/usr/bin/ssh-agent', 44 | # '/usr/bin/mlocate', 45 | # '/usr/bin/crontab', 46 | # '/usr/bin/screen', 47 | # '/usr/bin/expiry', 48 | # '/usr/bin/wall', 49 | # '/usr/bin/chage', 50 | # '/usr/bin/bsd-write' 51 | ] 52 | end 53 | end 54 | -------------------------------------------------------------------------------- /libraries/suid_check.rb: -------------------------------------------------------------------------------- 1 | # frozen_string_literal: true 2 | 3 | # author: Christoph Hartmann 4 | 5 | class SUIDCheck < Inspec.resource(1) 6 | name 'suid_check' 7 | desc 'Use the suid_check resource to verify the current SUID/SGID against a blacklist' 8 | example " 9 | describe suid_check(blacklist) do 10 | its('diff') { should be_empty } 11 | end 12 | " 13 | 14 | def initialize(blacklist = nil) 15 | super() 16 | blacklist = default if blacklist.nil? 
17 | @blacklist = blacklist 18 | end 19 | 20 | def permissions 21 | output = inspec.command('find / -type d \( -path \'/proc/*\' -o -path \'/var/lib/lxd/containers/*\' \) -prune -type f -o -perm -2000 -o -perm 4000 2>/dev/null | grep -v \'^find:\'') 22 | output.stdout.split(/\r?\n/) 23 | end 24 | 25 | def diff 26 | permissions & @blacklist 27 | end 28 | end 29 | -------------------------------------------------------------------------------- /renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": [ 4 | "config:base", 5 | ":gitSignOff" 6 | ], 7 | "dependencyDashboard": true, 8 | "dependencyDashboardAutoclose": true, 9 | "packageRules": [ 10 | { 11 | "matchUpdateTypes": ["patch", "minor"], 12 | "automerge": true 13 | } 14 | ] 15 | } 16 | --------------------------------------------------------------------------------