diff --git a/controls/os_spec.rb b/controls/os_spec.rb
index bf05f21..f6902ed 100644
--- a/controls/os_spec.rb
+++ b/controls/os_spec.rb
@@ -19,11 +19,11 @@
 # author: Dominik Richter
 # author: Patrick Muench
-login_defs_umask = input('login_defs_umask', value: os.redhat? ? '077' : '027', description: 'Default umask to set in login.defs')
+login_defs_umask = input('login_defs_umask', value: os.redhat? ? '077' : '027')
-login_defs_passmaxdays = input('login_defs_passmaxdays', value: '60', description: 'Default password maxdays to set in login.defs')
-login_defs_passmindays = input('login_defs_passmindays', value: '7', description: 'Default password mindays to set in login.defs')
-login_defs_passwarnage = input('login_defs_passwarnage', value: '7', description: 'Default password warnage (days) to set in login.defs')
+login_defs_passmaxdays = input('login_defs_passmaxdays', value: '60')
+login_defs_passmindays = input('login_defs_passmindays', value: '7')
+login_defs_passwarnage = input('login_defs_passwarnage', value: '7')
 shadow_group = 'root'
 shadow_group = 'shadow' if os.debian? || os.suse? || os.name == 'alpine'
@@ -35,8 +35,7 @@
 blacklist = input(
 'blacklist',
- value: suid_blacklist.default,
- description: 'blacklist of suid/sgid program on system'
+ value: suid_blacklist.default
 )
 cpuvulndir = '/sys/devices/system/cpu/vulnerabilities/'
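Review bot: The `input()` calls in this hunk keep their defaults but lose the only in-file explanation of what each value means, and nothing in the control file now points at the new `inputs:` section of inspec.yml where the descriptions went. A one-line comment above `login_defs_umask`, `# Input descriptions live in inspec.yml (inputs:); only the defaults are set here.`, would tell the next reader where to look. The same applies to the `blacklist` hunk and the `mount_*_blocklist` hunk in this file and to the sysctl_spec.rb hunk. The default values themselves are unchanged by the commit, so nothing else in these lines needs re-checking.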
@@ -59,20 +58,17 @@
 mount_exec_blocklist = input(
 'mount_exec_blocklist',
- value: ['/boot', '/dev', '/dev/shm', '/tmp', '/var/log', '/var/log/audit', '/var/tmp'],
- description: 'List of mountpoints where \'noexec\' mount option should be set'
+ value: ['/boot', '/dev', '/dev/shm', '/tmp', '/var/log', '/var/log/audit', '/var/tmp']
 )
 mount_suid_blocklist = input(
 'mount_suid_blocklist',
- value: ['/boot', '/dev', '/dev/shm', '/home', '/run', '/tmp', '/var', '/var/log', '/var/log/audit', '/var/tmp'],
- description: 'List of mountpoints where \'nosuid\' mount option should be set'
+ value: ['/boot', '/dev', '/dev/shm', '/home', '/run', '/tmp', '/var', '/var/log', '/var/log/audit', '/var/tmp']
 )
 mount_dev_blocklist = input(
 'mount_dev_blocklist',
- value: ['/boot', '/dev/shm', '/home', '/run', '/tmp', '/var', '/var/log', '/var/log/audit', '/var/tmp'],
- description: 'List of mountpoints where \'nodev\' mount option should be set'
+ value: ['/boot', '/dev/shm', '/home', '/run', '/tmp', '/var', '/var/log', '/var/log/audit', '/var/tmp']
 )
 control 'os-01' do
diff --git a/controls/sysctl_spec.rb b/controls/sysctl_spec.rb
index 5cbcbfb..3cc9f34 100644
--- a/controls/sysctl_spec.rb
+++ b/controls/sysctl_spec.rb
@@ -19,8 +19,8 @@
 # author: Dominik Richter
 # author: Patrick Muench
-sysctl_forwarding = input('sysctl_forwarding', value: false, description: 'Is network forwarding needed?')
-kernel_modules_disabled = input('kernel_modules_disabled', value: 0, description: 'Should loading of kernel modules be disabled?')
+sysctl_forwarding = input('sysctl_forwarding', value: false)
+kernel_modules_disabled = input('kernel_modules_disabled', value: 0)
 container_execution = begin
 virtualization.role == 'guest' && virtualization.system =~ /^(lxc|docker)$/
 rescue NoMethodError
diff --git a/inspec.yml b/inspec.yml
index df562f1..79359fb 100644
--- a/inspec.yml
+++ b/inspec.yml
@@ -10,3 +10,24 @@ inspec_version: '>= 4.6.3'
 version: 2.9.0
 supports:
 - os-family: linux
+inputs:
+ - name: login_defs_umask
+ description: Default umask to set in login.defs
+ - name: login_defs_passmaxdays
+ description: Default password maxdays to set in login.defs
+ - name: login_defs_passmindays
+ description: Default password mindays to set in login.defs
+ - name: login_defs_passwarnage
+ description: Default password warnage (days) to set in login.defs
+ - name: blacklist
+ description: blacklist of suid/sgid program on system
+ - name: mount_exec_blocklist
+ description: List of mountpoints where 'noexec' mount option should be set
+ - name: mount_suid_blocklist
+ description: List of mountpoints where 'nosuid' mount option should be set
+ - name: mount_dev_blocklist
+ description: List of mountpoints where 'nodev' mount option should be set
+ - name: sysctl_forwarding
+ description: Is network forwarding needed?
+ - name: kernel_modules_disabled
+ description: Should loading of kernel modules be disabled?
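Review bot: The new `inputs:` entries declare only `name` and `description`, so InSpec has nothing to validate a value supplied via `--input` or an input file against, even though the control-code defaults in the other hunks show the inputs have distinct shapes (`sysctl_forwarding` is `false`, `kernel_modules_disabled` is `0`, the `login_defs_*` defaults are strings and the `mount_*_blocklist` defaults are arrays). Adding a `type:` line to each entry, e.g. `- name: sysctl_forwarding` / `description: Is network forwarding needed?` / `type: Boolean` (and `Numeric`, `String`, `Array` for the others), would make a mis-typed override fail when the profile loads instead of inside a control. The `blacklist` default comes from `suid_blacklist.default`, whose type is not visible in this diff, so confirm it against that resource before choosing its `type:`. The ten names here match the `input()` calls in the Ruby hunks one for one, so no input is left undocumented.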