Processed feedback from original PR
Processed the feedback given on original PR dev-sec#54

Signed-off-by: Frank van Boven <[email protected]>
fatbasstard committed Oct 24, 2018
1 parent 06bb6bf commit a77acf8
Showing 5 changed files with 68 additions and 143 deletions.
104 changes: 18 additions & 86 deletions controls/1_1_filesystem_configuration.rb
Expand Up @@ -237,96 +237,28 @@
end
end

# There is a mistake in the official CIS DIL documentaion 1.1.10-1.1.14 are
# duplicates of 1.1.9. So I used "skipped" to keep the order of the numbering.
control 'cis-dil-benchmark-1.1.10' do
title 'Ensure noexec option set on /var/tmp partition'
desc "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
control 'cis-dil-benchmark-1.1.15' do
title 'Ensure separate partition exists for /var/log'
desc "The /var/log directory is used by system services to store log data .\n\nRationale: There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
impact 1.0

tag cis: 'distribution-independent-linux:1.1.10'
tag level: 1

describe 'cis-dil-benchmark-1.1.10' do
skip 'Duplicate of cis-dil-benchmark-1.1.9'
end
end

control 'cis-dil-benchmark-1.1.11' do
title 'Ensure noexec option set on /var/tmp partition'
desc "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
impact 1.0

tag cis: 'distribution-independent-linux:1.1.11'
tag level: 1


describe 'cis-dil-benchmark-1.1.11' do
skip 'Duplicate of cis-dil-benchmark-1.1.9'
end
end

control 'cis-dil-benchmark-1.1.12' do
title 'Ensure noexec option set on /var/tmp partition'
desc "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
impact 1.0

tag cis: 'distribution-independent-linux:1.1.12'
tag level: 1

describe 'cis-dil-benchmark-1.1.12' do
skip 'Duplicate of cis-dil-benchmark-1.1.9'
end
end

control 'cis-dil-benchmark-1.1.13' do
title 'Ensure noexec option set on /var/tmp partition'
desc "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
impact 1.0

tag cis: 'distribution-independent-linux:1.1.13'
tag level: 1

describe 'cis-dil-benchmark-1.1.13' do
skip 'Duplicate of cis-dil-benchmark-1.1.9'
end
end

control 'cis-dil-benchmark-1.1.14' do
title 'Ensure noexec option set on /var/tmp partition'
desc "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
impact 1.0

tag cis: 'distribution-independent-linux:1.1.14'
tag level: 1

describe 'cis-dil-benchmark-1.1.14' do
skip 'Duplicate of cis-dil-benchmark-1.1.9'
end
end

if cis_level == '2'
control 'cis-dil-benchmark-1.1.15' do
title 'Ensure separate partition exists for /var/log'
desc "The /var/log directory is used by system services to store log data .\n\nRationale: There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
impact 1.0
tag cis: 'distribution-independent-linux:1.1.15'
tag level: 2

tag cis: 'distribution-independent-linux:1.1.15'
tag level: 2
only_if { cis_level == 2 }

describe mount('/var/log') do
it { should be_mounted }
end
only_if { cis_level == 2 }
end

control 'cis-dil-benchmark-1.1.16' do
title 'Ensure separate partition exists for /var/log/audit'
desc "The auditing daemon, auditd, stores log data in the /var/log/audit directory.\n\nRationale: There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired."
impact 1.0
control 'cis-dil-benchmark-1.1.16' do
title 'Ensure separate partition exists for /var/log/audit'
desc "The auditing daemon, auditd, stores log data in the /var/log/audit directory.\n\nRationale: There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired."
impact 1.0

tag cis: 'distribution-independent-linux:1.1.16'
tag level: 2
tag cis: 'distribution-independent-linux:1.1.16'
tag level: 2

only_if { cis_level == 2 }

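Review bot: the level-2 gating changes comparison type in this hunk: the removed wrapper `if cis_level == '2'` compared the attribute against a string, while the added `only_if { cis_level == 2 }` compares it against an integer. If `cis_level` is ever supplied as a string, the `only_if` is always false and 1.1.15 is silently skipped on level-2 runs; settle on one type (for example `only_if { cis_level.to_i == 2 }`) and use it in every level-2 control. Dropping the skipped 1.1.10 to 1.1.14 controls together with the comment that explained the duplicate numbering also leaves the jump from 1.1.9 to 1.1.15 undocumented; a one-line comment at that point would stop the gap being read as missing coverage.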
Expand All @@ -335,13 +267,13 @@
end
end

control 'cis-dil-benchmark-1.1.17' do
title 'Ensure separate partition exists for /home'
desc "The /home directory is used to support disk storage needs of local users.\n\nRationale: If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
impact 1.0
control 'cis-dil-benchmark-1.1.17' do
title 'Ensure separate partition exists for /home'
desc "The /home directory is used to support disk storage needs of local users.\n\nRationale: If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
impact 1.0

tag cis: 'distribution-independent-linux:1.1.17'
tag level: 2
tag cis: 'distribution-independent-linux:1.1.17'
tag level: 2

only_if { cis_level == 2 }

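Review bot: `tag level: 2` and `only_if { cis_level == 2 }` are now repeated verbatim in 1.1.16 and 1.1.17 (and in 1.1.15 above) after the shared `if cis_level == '2'` wrapper was removed; the two statements must stay in step by hand in every control. A small helper that derives the `only_if` from the declared level would keep the level stated once per control.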
30 changes: 14 additions & 16 deletions controls/4_1_configure_system_accounting_auditd.rb
Expand Up @@ -240,16 +240,15 @@
tag cis: 'distribution-independent-linux:4.1.9'
tag level: 2

describe file('/etc/audit/audit.rules') do
its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EACCES -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) }
its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EPERM -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) }
end
describe file('/etc/audit/audit.rules') do
its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EACCES -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) }
its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EPERM -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) }
end

if command('uname -m').stdout.strip == 'x86_64'
describe file('/etc/audit/audit.rules') do
its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EACCES -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) }
its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EPERM -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) }
end
if command('uname -m').stdout.strip == 'x86_64'
describe file('/etc/audit/audit.rules') do
its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EACCES -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) }
its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EPERM -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) }
end
end
end
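Review bot: the b64 rules in this hunk are only checked when `uname -m` returns `x86_64`, so other 64-bit architectures (aarch64, ppc64le) pass 4.1.9 without any b64 rule present; test the word size rather than one machine name, or at least include aarch64 in the condition. Separately, the regex accepts only `auid!=4294967295`; the equivalent `auid!=-1` and `auid!=unset` spellings that auditctl accepts fail the check, so `auid!=(4294967295|-1|unset)` would avoid spurious failures on compliant hosts.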
Expand Down Expand Up @@ -310,14 +309,13 @@
tag cis: 'distribution-independent-linux:4.1.12'
tag level: 2

describe file('/etc/audit/audit.rules') do
its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=#{uid_min} -F auid!=4294967295 (-k delete|-F key=delete)$/) }
end
describe file('/etc/audit/audit.rules') do
its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=#{uid_min} -F auid!=4294967295 (-k delete|-F key=delete)$/) }
end

if command('uname -m').stdout.strip == 'x86_64'
describe file('/etc/audit/audit.rules') do
its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=#{uid_min} -F auid!=4294967295 (-k delete|-F key=delete)$/) }
end
if command('uname -m').stdout.strip == 'x86_64'
describe file('/etc/audit/audit.rules') do
its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=#{uid_min} -F auid!=4294967295 (-k delete|-F key=delete)$/) }
end
end
end
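Review bot: the delete-rule regex in this hunk accepts the rule only with four separate `-S` flags in one fixed order, whereas the access rules in 4.1.9 above also accept the comma-separated `-S creat,open,...` form; a rule written as `-S unlink,unlinkat,rename,renameat` (the form `auditctl -l` prints) fails here. Accept both forms, as the 4.1.9 check does, for example `(-S unlink -S unlinkat -S rename -S renameat|-S unlink,unlinkat,rename,renameat)`.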
38 changes: 19 additions & 19 deletions controls/4_2_configure_logging.rb
Expand Up @@ -52,28 +52,28 @@
end

describe.one do
command('find /etc/rsyslog.d -name "*.conf"').stdout.split.each do |conf_file|
command('find /etc/rsyslog.d -name "*.conf"').stdout.split.each do |conf_file|
describe file(conf_file) do
its(:content) { should match(%r{^\*.emerg(\s)+:omusrmsg:\*}) }
its(:content) { should match(%r{^mail.\*(\s)+-/var/log/mail}) }
its(:content) { should match(%r{^mail.info(\s)+-/var/log/mail.info}) }
its(:content) { should match(%r{^mail.warning(\s)+-/var/log/mail.warn}) }
its(:content) { should match(%r{^mail.err(\s)+/var/log/mail.err}) }
its(:content) { should match(%r{^news.crit(\s)+-/var/log/news/news.crit}) }
its(:content) { should match(%r{^news.crit(\s)+-/var/log/news/news.crit}) }
its(:content) { should match(%r{^news.notice(\s)+-/var/log/news/news.notice}) }
its(:content) { should match(%r{^\*.=warning;\*.=err(\s)+-/var/log/warn}) }
its(:content) { should match(%r{^\*.crit(\s)+/var/log/warn}) }
its(:content) { should match(%r{^\*.\*;mail.none;news.none(\s)+-/var/log/messages}) }
its(:content) { should match(%r{^local0,local1.\*(\s)+-/var/log/localmessages}) }
its(:content) { should match(%r{^local2,local3.\*(\s)+-/var/log/localmessages}) }
its(:content) { should match(%r{^local2,local3.\*(\s)+-/var/log/localmessages}) }
its(:content) { should match(%r{^local4,local5.\*(\s)+-/var/log/localmessages}) }
its(:content) { should match(%r{^local6,local7.\*(\s)+-/var/log/localmessages}) }
end
its(:content) { should match(%r{^\*.emerg(\s)+:omusrmsg:\*}) }
its(:content) { should match(%r{^mail.\*(\s)+-/var/log/mail}) }
its(:content) { should match(%r{^mail.info(\s)+-/var/log/mail.info}) }
its(:content) { should match(%r{^mail.warning(\s)+-/var/log/mail.warn}) }
its(:content) { should match(%r{^mail.err(\s)+/var/log/mail.err}) }
its(:content) { should match(%r{^news.crit(\s)+-/var/log/news/news.crit}) }
its(:content) { should match(%r{^news.crit(\s)+-/var/log/news/news.crit}) }
its(:content) { should match(%r{^news.notice(\s)+-/var/log/news/news.notice}) }
its(:content) { should match(%r{^\*.=warning;\*.=err(\s)+-/var/log/warn}) }
its(:content) { should match(%r{^\*.crit(\s)+/var/log/warn}) }
its(:content) { should match(%r{^\*.\*;mail.none;news.none(\s)+-/var/log/messages}) }
its(:content) { should match(%r{^local0,local1.\*(\s)+-/var/log/localmessages}) }
its(:content) { should match(%r{^local2,local3.\*(\s)+-/var/log/localmessages}) }
its(:content) { should match(%r{^local2,local3.\*(\s)+-/var/log/localmessages}) }
its(:content) { should match(%r{^local4,local5.\*(\s)+-/var/log/localmessages}) }
its(:content) { should match(%r{^local6,local7.\*(\s)+-/var/log/localmessages}) }
end
end

describe file('/etc/rsyslog.conf') do
describe file('/etc/rsyslog.conf') do
its(:content) { should match(%r{^\*.emerg(\s)+:omusrmsg:\*}) }
its(:content) { should match(%r{^mail.\*(\s)+-/var/log/mail}) }
its(:content) { should match(%r{^mail.info(\s)+-/var/log/mail.info}) }
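Review bot: inside `describe.one`, every conf file found under /etc/rsyslog.d gets its own `describe` that must match all of the patterns on its own, so a configuration split across several files (mail rules in one file, local facilities in another) fails even though every rule is present somewhere; either concatenate /etc/rsyslog.conf and /etc/rsyslog.d/*.conf into one string and match once, or loosen the per-file block. Two smaller points in the same lines: `stdout.split` splits on any whitespace and breaks on paths containing spaces (`split("\n")` is safer), and the unescaped `.` between facility and priority in `mail.info`, `news.crit` and the rest is a wildcard where `\.` was clearly intended.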
36 changes: 17 additions & 19 deletions controls/5_4_user_accounts_and_environments.rb
Expand Up @@ -27,8 +27,6 @@

time_now = Time.now.to_i



# The official documentation specifying 365 days in the description but, using
# 90 as an example settings
control 'cis-dil-benchmark-5.4.1.1' do
Expand Down Expand Up @@ -132,9 +130,9 @@
tag level: 1

command("cat /etc/shadow | cut -d: -f1").stdout.split.each do |username|
describe command('date -d "`export LANG="en_US.UTF-8" ; chage --list root | grep "Last password" | cut -d: -f2`" +%s') do
describe command('date -d "`export LANG="en_US.UTF-8" ; chage --list root | grep "Last password" | cut -d: -f2`" +%s') do
its(:stdout) { should cmp <= time_now }
end
end
end
end

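Review bot: the loop variable is unused in this hunk: the block iterates over every username from /etc/shadow but runs `chage --list root` on each pass, so only root's last-password-change date is ever checked, once per account. Use `chage --list #{username}`; with that in place, `cat /etc/shadow | cut -d: -f1` can become `cut -d: -f1 /etc/shadow`, and accounts whose last-change date chage reports as `never` make `date -d` fail with empty stdout, so guard for that case rather than letting it surface as a confusing comparison failure.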
Expand Down Expand Up @@ -201,25 +199,25 @@
end
end

if cis_level == '2'
control 'cis-dil-benchmark-5.4.5' do
title 'Ensure default user shell timeout is 900 seconds or less'
desc "The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds.\n\nRationale: Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening."
impact 1.0
control 'cis-dil-benchmark-5.4.5' do
title 'Ensure default user shell timeout is 900 seconds or less'
desc "The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds.\n\nRationale: Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening."
impact 1.0

tag cis: 'distribution-independent-linux:5.4.5'
tag level: 2

tag cis: 'distribution-independent-linux:5.4.5'
tag level: 2
only_if { cis_level == 2 }

command("sudo find /etc/ -maxdepth 1 -name *bashrc*").stdout.split.each do |bashrc_file|
describe command("grep '^TMOUT' #{bashrc_file} | cut -d= -f2") do
its(:stdout) { should cmp <= 900 }
end
command("sudo find /etc/ -maxdepth 1 -name *bashrc*").stdout.split.each do |bashrc_file|
describe command("grep '^TMOUT' #{bashrc_file} | cut -d= -f2") do
its(:stdout) { should cmp <= 900 }
end
end

%w(profile).each do |f|
describe command("grep '^TMOUT' /etc/#{f} | cut -d= -f2") do
its(:stdout) { should cmp <= 900 }
end
%w(profile).each do |f|
describe command("grep '^TMOUT' /etc/#{f} | cut -d= -f2") do
its(:stdout) { should cmp <= 900 }
end
end
end
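Review bot: the `find` pattern in `-name *bashrc*` is unquoted, so the shell expands the glob against the current working directory before find ever sees it; quote it as `-name '*bashrc*'`. The `sudo` prefix inside the command is unnecessary when inspec already runs with the required privileges and will hang or fail where sudo prompts for a password. The same `'2'` to `2` type change as in 1.1.15 appears here (`if cis_level == '2'` removed, `only_if { cis_level == 2 }` added); keep the comparison consistent with how the attribute is supplied. Finally, `%w(profile).each` loops over a single element and reads more clearly as a plain `describe` for /etc/profile.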
3 changes: 0 additions & 3 deletions inspec.lock

This file was deleted.
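Review bot: removing inspec.lock drops the pinned dependency resolution for the profile. If the lockfile is deleted on purpose, add it to .gitignore so it does not reappear in a later commit; otherwise regenerate it and commit the updated version.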
