---
# CIS Ubuntu Linux 20.04 LTS Benchmark v1.0.0
#
# 1 Initial Setup
# 1.2.1 Ensure package manager repositories are configured (Manual): not implemented
# 1.2.2 Ensure GPG keys are configured (Manual): not implemented
# 1.3.2 Ensure sudo commands use pty (Automated): not implemented
# 1.4 Filesystem Integrity Checking
# 1.4.1 Ensure AIDE is installed (Automated) : not implemented
# 1.4.2 Ensure filesystem integrity is regularly checked (Automated): not implemented
# 1.5 Secure Boot Settings
# 1.5.1 Ensure bootloader password is set (Automated): not implemented
# 1.5.3 Ensure authentication required for single user mode (Automated): not implemented
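command:
  # Layout matches goss's `command` resource: each key is run as a shell
  # command and the check passes only when the exit status, and every listed
  # stdout pattern, match. An empty list (`stdout: []`) asserts nothing.

  # 1.1 Filesystem Configuration
  # 1.1.1 Disable unused filesystems
  # For each filesystem module, `modprobe -n -v` is a dry run that prints what
  # loading would do; the expected output is an `install` stub in place of the
  # real module. `lsmod | grep` exiting 1 means the module is not loaded now.
  # NOTE(review): udf and usb-storage expect `/bin/true` while the other
  # modules expect `/bin/false`; either stub blocks the load, but the string
  # must match what the hardening step writes. Confirm this is intended.

  # 1.1.1.1 Ensure mounting of cramfs filesystems is disabled (Automated)
  modprobe -n -v cramfs:
    exit-status: 0
    stdout:
      - "install /bin/false"
  lsmod | grep cramfs:
    exit-status: 1

  # 1.1.1.2 Ensure mounting of freevxfs filesystems is disabled (Automated)
  modprobe -n -v freevxfs:
    exit-status: 0
    stdout:
      - "install /bin/false"
  lsmod | grep freevxfs:
    exit-status: 1

  # 1.1.1.3 Ensure mounting of jffs2 filesystems is disabled (Automated)
  modprobe -n -v jffs2:
    exit-status: 0
    stdout:
      - "install /bin/false"
  lsmod | grep jffs2:
    exit-status: 1

  # 1.1.1.4 Ensure mounting of hfs filesystems is disabled (Automated)
  modprobe -n -v hfs:
    exit-status: 0
    stdout:
      - "install /bin/false"
  # The unanchored grep also matches "hfsplus", so this check fails if either
  # module is loaded.
  lsmod | grep hfs:
    exit-status: 1

  # 1.1.1.5 Ensure mounting of hfsplus filesystems is disabled (Automated)
  modprobe -n -v hfsplus:
    exit-status: 0
    stdout:
      - "install /bin/false"
  lsmod | grep hfsplus:
    exit-status: 1

  # 1.1.1.6 Ensure mounting of udf filesystems is disabled (Automated)
  modprobe -n -v udf | grep -E '(udf|install)':
    exit-status: 0
    stdout:
      - "install /bin/true"
  lsmod | grep udf:
    exit-status: 1

  # 1.1.2 Ensure /tmp is configured (Automated)
  systemctl is-enabled tmp.mount:
    exit-status: 0
    stdout:
      - "enabled"

  # 1.1.3 - 1.1.5: each pipeline prints /tmp mount lines that LACK the option,
  # so exit status 1 (nothing printed) is the passing result. The same status
  # is returned when /tmp is not a separate mount at all; these checks only
  # mean something together with the 1.1.2 check above.

  # 1.1.3 Ensure nodev option set on /tmp partition (Automated)
  mount | grep -E '\s/tmp\s' | grep -v nodev:
    exit-status: 1

  # 1.1.4 Ensure nosuid option set on /tmp partition (Automated)
  mount | grep -E '\s/tmp\s' | grep -v nosuid:
    exit-status: 1

  # 1.1.5 Ensure noexec option set on /tmp partition (Automated)
  mount | grep -E '\s/tmp\s' | grep -v noexec:
    exit-status: 1

  # 1.1.6 Ensure /dev/shm is configured (Automated)
  # grep must find a /dev/shm mount line, i.e. exit 0. Expecting 1 here would
  # pass only when /dev/shm is absent, in which case the three option checks
  # below also pass without inspecting anything.
  mount | grep -E '\s/dev/shm\s':
    exit-status: 0

  # 1.1.7 Ensure nodev option set on /dev/shm partition (Automated)
  mount | grep -E '\s/dev/shm\s' | grep -v nodev:
    exit-status: 1

  # 1.1.8 Ensure nosuid option set on /dev/shm partition (Automated)
  mount | grep -E '\s/dev/shm\s' | grep -v nosuid:
    exit-status: 1

  # 1.1.9 Ensure noexec option set on /dev/shm partition (Automated)
  mount | grep -E '\s/dev/shm\s' | grep -v noexec:
    exit-status: 1

  # 1.1.22 Ensure sticky bit is set on all world-writable directories (Automated)
  # Lists world-writable directories without the sticky bit on every local
  # filesystem. The pipeline exits 0 whether or not find prints a directory,
  # so the exit status alone proves nothing; the inverse regex below fails the
  # check as soon as any non-empty line is printed.
  df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null:
    exit-status: 0
    stdout:
      - '!/./'
    # Raised timeout for the full filesystem walk (goss timeouts are in
    # milliseconds, so this is roughly 16 minutes).
    timeout: 1000000

  # 1.1.23 Disable Automounting (Automated)
  systemctl is-enabled autofs:
    exit-status: 1

  # 1.1.24 Disable USB Storage (Automated)
  modprobe -n -v usb-storage:
    exit-status: 0
    stdout:
      - "install /bin/true"
  lsmod | grep usb-storage:
    exit-status: 1

  # 1.2 Configure Software Updates
  # 1.3 Configure sudo
  # 1.3.1 Ensure sudo is installed (Automated)
  dpkg -s sudo:
    exit-status: 0

  # 1.3.3 Ensure sudo log file exists (Automated)
  grep -Ei '^\s*Defaults\s+logfile=\S+' /etc/sudoers /etc/sudoers.d/*:
    exit-status: 0
    stdout:
      - 'Defaults logfile="/var/log/sudo.log"'

  # 1.5.2 Ensure permissions on bootloader config are configured (Automated)
  # Expected format is mode-uid-gid-user-group: read-only for root, no access
  # for group or others.
  stat -c "%a-%u-%g-%U-%G" /boot/grub/grub.cfg:
    exit-status: 0
    stdout:
      - "400-0-0-root-root"

  # 1.6 Additional Process Hardening
  # 1.6.1 Ensure XD/NX support is enabled (Automated)
  # Searches the kernel log for the NX protection line.
  journalctl -k | egrep "NX.*protection:.*active":
    exit-status: 0

  # 1.6.2 Ensure address space layout randomization (ASLR) is enabled (Automated)
  sysctl kernel.randomize_va_space:
    exit-status: 0
    stdout:
      - "kernel.randomize_va_space = 2"

  # 1.6.3 Ensure prelink is disabled (Automated)
  # `dpkg -s` exiting 1 means the package is not installed.
  dpkg -s prelink:
    exit-status: 1

  # 1.6.4 Ensure core dumps are restricted (Automated)
  # Three checks: the hard core limit in limits.conf, the running sysctl
  # value, and the persisted sysctl setting.
  grep -E '^(\*|\s).*hard.*core.*(\s+#.*)?$' /etc/security/limits.conf /etc/security/limits.d/* 2>/dev/null:
    exit-status: 0
    stdout:
      - "* hard core 0"
  sysctl fs.suid_dumpable:
    exit-status: 0
    stdout:
      - "fs.suid_dumpable = 0"
  grep "fs.suid_dumpable" /etc/sysctl.conf /etc/sysctl.d/*:
    exit-status: 0
    stdout:
      - "fs.suid_dumpable = 0"

  # 1.7 Mandatory Access Control
  # 1.7.1 Configure AppArmor
  # Checks that the apparmor package is installed (presumably benchmark item
  # 1.7.1.1; the original comment does not number it).
  dpkg -s apparmor | grep Status:
    exit-status: 0
    stdout:
      - "Status: install ok installed"

  # 1.7.1.2 Ensure AppArmor is enabled in the bootloader configuration
  # Each pipeline prints kernel command lines that LACK the parameter, so exit
  # status 1 means every `linux` line in grub.cfg carries it.
  grep "^\s*linux" /boot/grub/grub.cfg | grep -v "apparmor=1":
    exit-status: 1
    stdout: []
  grep "^\s*linux" /boot/grub/grub.cfg | grep -v "security=apparmor":
    exit-status: 1
    stdout: []

  # 1.7.1.3 Ensure all AppArmor Profiles are in enforce or complain mode
  # Passes when enforced + complaining profile counts equal the profiled count.
  test $(expr `apparmor_status --enforced` + `apparmor_status --complaining`) = $(apparmor_status --profiled):
    exit-status: 0

  # 1.7.1.4 Ensure all AppArmor Profiles are enforcing (Automated): level 2
  # 1.9 Ensure updates, patches, and additional security software are installed (Manual)
  # NOTE(review): the empty-string pattern matches any output, so only the
  # exit status is really asserted here. Confirm that is sufficient.
  /usr/lib/update-notifier/apt-check:
    exit-status: 0
    stdout:
      - ""

  # 1.10 Ensure GDM is removed or login is configured (Automated)
  dpkg -s gdm3:
    exit-status: 1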
file:
  # 1.8 Warning Banners
  # 1.8.1 Command Line Warning Banners
  # Each banner file must exist, be owned by root:root with mode 0644
  # (writable by root only, readable by everyone) and contain the
  # authorized-use sentence.
  # NOTE(review): only the presence of that sentence is asserted; whether the
  # banners are free of OS or version details is not checked here. Confirm it
  # is covered elsewhere.

  # 1.8.1.1 Ensure message of the day is configured properly (Automated)
  # 1.8.1.4 Ensure permissions on /etc/motd are configured (Automated)
  /etc/motd:
    exists: true
    owner: 'root'
    group: 'root'
    mode: '0644'
    contains:
      - 'Authorized uses only. All activity may be monitored and reported.'

  # 1.8.1.2 Ensure local login warning banner is configured properly (Automated)
  # 1.8.1.5 Ensure permissions on /etc/issue are configured (Automated)
  /etc/issue:
    exists: true
    owner: 'root'
    group: 'root'
    mode: '0644'
    contains:
      - 'Authorized uses only. All activity may be monitored and reported.'

  # 1.8.1.3 Ensure remote login warning banner is configured properly (Automated)
  # 1.8.1.6 Ensure permissions on /etc/issue.net are configured (Automated)
  /etc/issue.net:
    exists: true
    owner: 'root'
    group: 'root'
    mode: '0644'
    contains:
      - 'Authorized uses only. All activity may be monitored and reported.'