Update os_spec.rb

controls/os_spec.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 #
-# Copyright:: 2015, Patrick Muench
+# Copyright 2015, Patrick Muench
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -19,62 +19,32 @@
 # author: Dominik Richter
 # author: Patrick Muench
 
-login_defs_umask = input('login_defs_umask', value: os.redhat? ? '077' : '027')
+login_defs_umask = attribute('login_defs_umask', value: os.redhat? ? '077' : '027', description: 'Default umask to set in login.defs')
 
-login_defs_passmaxdays = input('login_defs_passmaxdays', value: '60')
-login_defs_passmindays = input('login_defs_passmindays', value: '7')
-login_defs_passwarnage = input('login_defs_passwarnage', value: '7')
+login_defs_passmaxdays = attribute('login_defs_passmaxdays', value: '60', description: 'Default password maxdays to set in login.defs')
+login_defs_passmindays = attribute('login_defs_passmindays', value: '7', description: 'Default password mindays to set in login.defs')
+login_defs_passwarnage = attribute('login_defs_passwarnage', value: '7', description: 'Default password warnage (days) to set in login.defs')
 
 shadow_group = 'root'
 shadow_group = 'shadow' if os.debian? || os.suse? || os.name == 'alpine'
 container_execution = begin
   virtualization.role == 'guest' && virtualization.system =~ /^(lxc|docker)$/
-                      rescue NoMethodError
-                        false
+rescue NoMethodError
+  false
 end
 
-blacklist = input(
+blacklist = attribute(
   'blacklist',
-  value: suid_blacklist.default
+  value: suid_blacklist.default,
+  description: 'blacklist of suid/sgid program on system'
 )
 
 cpuvulndir = '/sys/devices/system/cpu/vulnerabilities/'
 
-# Overview of necessary mount options to be checked:
-#
-#---------------------------------------------------------
-#   Mount point              nodev  noexec  nosuid
-#   /boot                      v      v       v
-#   /dev                              v       v
-#   /dev/shm                   v      v       v
-#   /home                      v              v
-#   /run                       v              v
-#   /tmp                       v      v       v
-#   /var                       v              v
-#   /var/log                   v      v       v
-#   /var/log/audit             v      v       v
-#   /var/tmp                   v      v       v
-#---------------------------------------------------------
-
-mount_exec_blocklist = input(
-  'mount_exec_blocklist',
-  value: ['/boot', '/dev', '/dev/shm', '/tmp', '/var/log', '/var/log/audit', '/var/tmp']
-)
-
-mount_suid_blocklist = input(
-  'mount_suid_blocklist',
-  value: ['/boot', '/dev', '/dev/shm', '/home', '/run', '/tmp', '/var', '/var/log', '/var/log/audit', '/var/tmp']
-)
-
-mount_dev_blocklist = input(
-  'mount_dev_blocklist',
-  value: ['/boot', '/dev/shm', '/home', '/run', '/tmp', '/var', '/var/log', '/var/log/audit', '/var/tmp']
-)
-
 control 'os-01' do
   impact 1.0
   title 'Trusted hosts login'
-  desc "hosts.equiv file is a weak implementation of authentication. Disabling the hosts.equiv support helps to prevent users from subverting the system's normal access control mechanisms of the system."
+  desc "hosts.equiv file is a weak implemenation of authentication. Disabling the hosts.equiv support helps to prevent users from subverting the system's normal access control mechanisms of the system."
   describe file('/etc/hosts.equiv') do
     it { should_not exist }
   end
@@ -218,6 +188,15 @@
   end
 end
 
+control 'os-08' do
+  impact 1.0
+  title 'Entropy'
+  desc 'Check system has enough entropy - greater than 1000'
+  describe file('/proc/sys/kernel/random/entropy_avail').content.to_i do
+    it { should >= 1000 }
+  end
+end
+
 control 'os-09' do
   impact 1.0
   title 'Check for .rhosts and .netrc file'
@@ -241,10 +220,7 @@
     its(:content) { should match 'install jffs2 /bin/true' }
     its(:content) { should match 'install hfs /bin/true' }
     its(:content) { should match 'install hfsplus /bin/true' }
-    # Ubuntu Snaps need SquashFS to function
-    unless service('snapd').running?
-      its(:content) { should match 'install squashfs /bin/true' }
-    end
+    its(:content) { should match 'install squashfs /bin/true' }
     its(:content) { should match 'install udf /bin/true' }
     # if efi is active, do not disable vfat. otherwise the system
     # won't boot anymore
@@ -306,45 +282,3 @@
     end
   end
 end
-
-control 'os-14' do
-  impact 1.0
-  title 'Check mountpoints for noexec mount options'
-  desc 'Use the noexec mount options to limit attack vectors via mount points'
-
-  mount_exec_blocklist.each do |mnt_point|
-    next unless mount(mnt_point).mounted?
-
-    describe mount(mnt_point) do
-      its('options') { should include('noexec') }
-    end
-  end
-end
-
-control 'os-15' do
-  impact 1.0
-  title 'Check mountpoints for nosuid mount options'
-  desc 'Use the nosuid mount options to limit attack vectors via mount points'
-
-  mount_suid_blocklist.each do |mnt_point|
-    next unless mount(mnt_point).mounted?
-
-    describe mount(mnt_point) do
-      its('options') { should include('nosuid') }
-    end
-  end
-end
-
-control 'os-16' do
-  impact 1.0
-  title 'Check mountpoints for nodev mount options'
-  desc 'Use the nodev mount options to limit attack vectors via mount points'
-
-  mount_dev_blocklist.each do |mnt_point|
-    next unless mount(mnt_point).mounted?
-
-    describe mount(mnt_point) do
-      its('options') { should include('nodev') }
-    end
-  end
-end