

use only metadata
Signed-off-by: Martin Schurz <[email protected]>
schurzi committed Nov 19, 2023
1 parent b850f35 commit d079b4a
Showing 2 changed files with 25 additions and 12 deletions.
20 changes: 8 additions & 12 deletions controls/os_spec.rb
Expand Up @@ -19,11 +19,11 @@
# author: Dominik Richter
# author: Patrick Muench

login_defs_umask = input('login_defs_umask', value: "#{os.redhat? ? '077' : '027'}", description: 'Default umask to set in login.defs')
login_defs_umask = input('login_defs_umask', value: os.redhat? ? '077' : '027')

login_defs_passmaxdays = input('login_defs_passmaxdays', value: '60', description: 'Default password maxdays to set in login.defs')
login_defs_passmindays = input('login_defs_passmindays', value: '7', description: 'Default password mindays to set in login.defs')
login_defs_passwarnage = input('login_defs_passwarnage', value: '7', description: 'Default password warnage (days) to set in login.defs')
login_defs_passmaxdays = input('login_defs_passmaxdays', value: '60')
login_defs_passmindays = input('login_defs_passmindays', value: '7')
login_defs_passwarnage = input('login_defs_passwarnage', value: '7')

shadow_group = 'root'
shadow_group = 'shadow' if os.debian? || os.suse? || os.name == 'alpine'
Expand All @@ -35,8 +35,7 @@

blacklist = input(
'blacklist',
value: "#{suid_blacklist.default}",
description: 'blacklist of suid/sgid program on system'
value: suid_blacklist.default
)

cpuvulndir = '/sys/devices/system/cpu/vulnerabilities/'
Expand All @@ -59,20 +58,17 @@

mount_exec_blocklist = input(
'mount_exec_blocklist',
value: ['/boot', '/dev', '/dev/shm', '/tmp', '/var/log', '/var/log/audit', '/var/tmp'],
description: 'List of mountpoints where \'noexec\' mount option should be set'
value: ['/boot', '/dev', '/dev/shm', '/tmp', '/var/log', '/var/log/audit', '/var/tmp']
)

mount_suid_blocklist = input(
'mount_suid_blocklist',
value: ['/boot', '/dev', '/dev/shm', '/home', '/run', '/tmp', '/var', '/var/log', '/var/log/audit', '/var/tmp'],
description: 'List of mountpoints where \'nosuid\' mount option should be set'
value: ['/boot', '/dev', '/dev/shm', '/home', '/run', '/tmp', '/var', '/var/log', '/var/log/audit', '/var/tmp']
)

mount_dev_blocklist = input(
'mount_dev_blocklist',
value: ['/boot', '/dev/shm', '/home', '/run', '/tmp', '/var', '/var/log', '/var/log/audit', '/var/tmp'],
description: 'List of mountpoints where \'nodev\' mount option should be set'
value: ['/boot', '/dev/shm', '/home', '/run', '/tmp', '/var', '/var/log', '/var/log/audit', '/var/tmp']
)

control 'os-01' do
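Review bot: The `blacklist` input at the new `value: suid_blacklist.default` line now receives whatever `suid_blacklist.default` returns, whereas the removed `"#{…}"` wrapper always coerced it to a String; if that helper returns an Array (its definition is not visible here), any control that previously matched `blacklist` as text will now be handed an Array. The controls that consume these inputs start outside this hunk, so confirm they treat `blacklist` and the three `mount_*_blocklist` values as lists. Since descriptions now live in the profile metadata, it would be consistent to declare the shape there too, `type: array` for those four entries, so that a user override supplied as a plain string is rejected instead of silently replacing the list.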
17 changes: 17 additions & 0 deletions inspec.yml
Expand Up @@ -10,3 +10,20 @@ inspec_version: '>= 4.6.3'
version: 2.9.0
supports:
- os-family: linux
inputs:
- name: login_defs_umask
description: Default umask to set in login.defs
- name: login_defs_passmaxdays
description: Default password maxdays to set in login.defs
- name: login_defs_passmindays
description: Default password mindays to set in login.defs
- name: login_defs_passwarnage
description: Default password warnage (days) to set in login.defs
- name: blacklist
description: blacklist of suid/sgid program on system
- name: mount_exec_blocklist
description: List of mountpoints where 'noexec' mount option should be set
- name: mount_suid_blocklist
description: List of mountpoints where \'nosuid\' mount option should be set
- name: mount_dev_blocklist
description: List of mountpoints where \'nodev\' mount option should be set
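Review bot: The `description` values for `mount_suid_blocklist` and `mount_dev_blocklist` still carry the Ruby single-quote escapes, `\'nosuid\'` and `\'nodev\'`; in a YAML plain scalar a backslash is an ordinary character, so these descriptions will be shown with literal backslashes, unlike the `mount_exec_blocklist` entry just above them which was cleaned up. Drop them: `description: List of mountpoints where 'nosuid' mount option should be set` and `description: List of mountpoints where 'nodev' mount option should be set`. None of the entries declares a `type:`, while the Ruby defaults for the four `login_defs_*` inputs are strings such as `'077'`; a user override written as `login_defs_umask: 077` in a YAML input file parses as the octal integer 63, so the login.defs comparison would fail for a reason that is hard to spot. Adding `type: string` to those four entries lets InSpec validate (as far as I recall) that an override keeps the intended type, and `type: array` on the list inputs does the same for them.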
