From a77acf851f917fc32a5f45c5c7869bfee0d9ca56 Mon Sep 17 00:00:00 2001 From: Frank van Boven Date: Wed, 24 Oct 2018 11:10:03 +0200 Subject: [PATCH] Processed feedback from original PR Processed the feedback given on original PR https://github.com/dev-sec/cis-dil-benchmark/pull/54 Signed-off-by: Frank van Boven --- controls/1_1_filesystem_configuration.rb | 104 +++--------------- .../4_1_configure_system_accounting_auditd.rb | 30 +++-- controls/4_2_configure_logging.rb | 38 +++---- .../5_4_user_accounts_and_environments.rb | 36 +++--- inspec.lock | 3 - 5 files changed, 68 insertions(+), 143 deletions(-) delete mode 100644 inspec.lock diff --git a/controls/1_1_filesystem_configuration.rb b/controls/1_1_filesystem_configuration.rb index 1f9650b..2733c24 100644 --- a/controls/1_1_filesystem_configuration.rb +++ b/controls/1_1_filesystem_configuration.rb 
@@ -237,96 +237,28 @@ end end -# There is a mistake in the official CIS DIL documentaion 1.1.10-1.1.14 are -# duplicates of 1.1.9. So I used "skipped" to keep the order of the numbering. -control 'cis-dil-benchmark-1.1.10' do - title 'Ensure noexec option set on /var/tmp partition' - desc "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp." +control 'cis-dil-benchmark-1.1.15' do + title 'Ensure separate partition exists for /var/log' + desc "The /var/log directory is used by system services to store log data .\n\nRationale: There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." impact 1.0 - tag cis: 'distribution-independent-linux:1.1.10' - tag level: 1 - - describe 'cis-dil-benchmark-1.1.10' do - skip 'Duplicate of cis-dil-benchmark-1.1.9' - end -end - -control 'cis-dil-benchmark-1.1.11' do - title 'Ensure noexec option set on /var/tmp partition' - desc "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp." 
- impact 1.0 - - tag cis: 'distribution-independent-linux:1.1.11' - tag level: 1 - - - describe 'cis-dil-benchmark-1.1.11' do - skip 'Duplicate of cis-dil-benchmark-1.1.9' - end -end - -control 'cis-dil-benchmark-1.1.12' do - title 'Ensure noexec option set on /var/tmp partition' - desc "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp." - impact 1.0 - - tag cis: 'distribution-independent-linux:1.1.12' - tag level: 1 - - describe 'cis-dil-benchmark-1.1.12' do - skip 'Duplicate of cis-dil-benchmark-1.1.9' - end -end - -control 'cis-dil-benchmark-1.1.13' do - title 'Ensure noexec option set on /var/tmp partition' - desc "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp." - impact 1.0 - - tag cis: 'distribution-independent-linux:1.1.13' - tag level: 1 - - describe 'cis-dil-benchmark-1.1.13' do - skip 'Duplicate of cis-dil-benchmark-1.1.9' - end -end - -control 'cis-dil-benchmark-1.1.14' do - title 'Ensure noexec option set on /var/tmp partition' - desc "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp." 
- impact 1.0 - - tag cis: 'distribution-independent-linux:1.1.14' - tag level: 1 - - describe 'cis-dil-benchmark-1.1.14' do - skip 'Duplicate of cis-dil-benchmark-1.1.9' - end -end - -if cis_level == '2' - control 'cis-dil-benchmark-1.1.15' do - title 'Ensure separate partition exists for /var/log' - desc "The /var/log directory is used by system services to store log data .\n\nRationale: There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data." - impact 1.0 + tag cis: 'distribution-independent-linux:1.1.15' + tag level: 2 - tag cis: 'distribution-independent-linux:1.1.15' - tag level: 2 + only_if { cis_level == 2 } describe mount('/var/log') do it { should be_mounted } end - only_if { cis_level == 2 } end - control 'cis-dil-benchmark-1.1.16' do - title 'Ensure separate partition exists for /var/log/audit' - desc "The auditing daemon, auditd, stores log data in the /var/log/audit directory.\n\nRationale: There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired." - impact 1.0 +control 'cis-dil-benchmark-1.1.16' do + title 'Ensure separate partition exists for /var/log/audit' + desc "The auditing daemon, auditd, stores log data in the /var/log/audit directory.\n\nRationale: There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. 
The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired." + impact 1.0 - tag cis: 'distribution-independent-linux:1.1.16' - tag level: 2 + tag cis: 'distribution-independent-linux:1.1.16' + tag level: 2 only_if { cis_level == 2 } @@ -335,13 +267,13 @@ end end - control 'cis-dil-benchmark-1.1.17' do - title 'Ensure separate partition exists for /home' - desc "The /home directory is used to support disk storage needs of local users.\n\nRationale: If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." - impact 1.0 +control 'cis-dil-benchmark-1.1.17' do + title 'Ensure separate partition exists for /home' + desc "The /home directory is used to support disk storage needs of local users.\n\nRationale: If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home." + impact 1.0 - tag cis: 'distribution-independent-linux:1.1.17' - tag level: 2 + tag cis: 'distribution-independent-linux:1.1.17' + tag level: 2 only_if { cis_level == 2 } diff --git a/controls/4_1_configure_system_accounting_auditd.rb b/controls/4_1_configure_system_accounting_auditd.rb index 6551a60..dad17e1 100644 --- a/controls/4_1_configure_system_accounting_auditd.rb +++ b/controls/4_1_configure_system_accounting_auditd.rb 
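Review bot: The `only_if { cis_level == 2 }` guard now carrying 1.1.15 compares the attribute to an Integer, while the `if cis_level == '2'` wrapper this hunk removes compared it to a String; only one form can ever have matched, so if `cis_level` is declared or supplied as a string these level-2 controls are now skipped on every run without any failure being reported. Where the attribute is defined (outside this hunk) confirm its type, or make the guard tolerant, `only_if { cis_level.to_i == 2 }`, and apply the same to the 5.4.5 hunk in controls/5_4_user_accounts_and_environments.rb, which makes the identical change. Removing the skipped 1.1.10–1.1.14 controls also drops the comment that explained the numbering gap; a one-line comment before 1.1.15 such as `# 1.1.10-1.1.14 omitted: the CIS DIL document lists them as duplicates of 1.1.9` would save the next reader a search. The 1.1.15 desc string has a stray space before the period in `store log data .`.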
@@ -240,16 +240,15 @@ tag cis: 'distribution-independent-linux:4.1.9' tag level: 2 - describe file('/etc/audit/audit.rules') do - its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EACCES -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) } - its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EPERM -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) } - end + describe file('/etc/audit/audit.rules') do + its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EACCES -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) } + its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EPERM -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) } + end - if command('uname -m').stdout.strip == 'x86_64' - describe file('/etc/audit/audit.rules') do - its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EACCES -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) } - its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EPERM -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) } - end + if command('uname -m').stdout.strip == 'x86_64' + describe 
file('/etc/audit/audit.rules') do + its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EACCES -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) } + its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EPERM -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) } end end end @@ -310,14 +309,13 @@ tag cis: 'distribution-independent-linux:4.1.12' tag level: 2 - describe file('/etc/audit/audit.rules') do - its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=#{uid_min} -F auid!=4294967295 (-k delete|-F key=delete)$/) } - end + describe file('/etc/audit/audit.rules') do + its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=#{uid_min} -F auid!=4294967295 (-k delete|-F key=delete)$/) } + end - if command('uname -m').stdout.strip == 'x86_64' - describe file('/etc/audit/audit.rules') do - its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=#{uid_min} -F auid!=4294967295 (-k delete|-F key=delete)$/) } - end + if command('uname -m').stdout.strip == 'x86_64' + describe file('/etc/audit/audit.rules') do + its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=#{uid_min} -F auid!=4294967295 (-k delete|-F key=delete)$/) } end end end diff --git a/controls/4_2_configure_logging.rb b/controls/4_2_configure_logging.rb index 4295af4..075de29 100644 --- a/controls/4_2_configure_logging.rb +++ b/controls/4_2_configure_logging.rb 
@@ -52,28 +52,28 @@ end describe.one do - command('find /etc/rsyslog.d -name "*.conf"').stdout.split.each do |conf_file| + command('find /etc/rsyslog.d -name "*.conf"').stdout.split.each do |conf_file| describe file(conf_file) do - its(:content) { should match(%r{^\*.emerg(\s)+:omusrmsg:\*}) } - its(:content) { should match(%r{^mail.\*(\s)+-/var/log/mail}) } - its(:content) { should match(%r{^mail.info(\s)+-/var/log/mail.info}) } - its(:content) { should match(%r{^mail.warning(\s)+-/var/log/mail.warn}) } - its(:content) { should match(%r{^mail.err(\s)+/var/log/mail.err}) } - its(:content) { should match(%r{^news.crit(\s)+-/var/log/news/news.crit}) } - its(:content) { should match(%r{^news.crit(\s)+-/var/log/news/news.crit}) } - its(:content) { should match(%r{^news.notice(\s)+-/var/log/news/news.notice}) } - its(:content) { should match(%r{^\*.=warning;\*.=err(\s)+-/var/log/warn}) } - its(:content) { should match(%r{^\*.crit(\s)+/var/log/warn}) } - its(:content) { should match(%r{^\*.\*;mail.none;news.none(\s)+-/var/log/messages}) } - its(:content) { should match(%r{^local0,local1.\*(\s)+-/var/log/localmessages}) } - its(:content) { should match(%r{^local2,local3.\*(\s)+-/var/log/localmessages}) } - its(:content) { should match(%r{^local2,local3.\*(\s)+-/var/log/localmessages}) } - its(:content) { should match(%r{^local4,local5.\*(\s)+-/var/log/localmessages}) } - its(:content) { should match(%r{^local6,local7.\*(\s)+-/var/log/localmessages}) } - end + its(:content) { should match(%r{^\*.emerg(\s)+:omusrmsg:\*}) } + its(:content) { should match(%r{^mail.\*(\s)+-/var/log/mail}) } + its(:content) { should match(%r{^mail.info(\s)+-/var/log/mail.info}) } + its(:content) { should match(%r{^mail.warning(\s)+-/var/log/mail.warn}) } + its(:content) { should match(%r{^mail.err(\s)+/var/log/mail.err}) } + its(:content) { should match(%r{^news.crit(\s)+-/var/log/news/news.crit}) } + its(:content) { should match(%r{^news.crit(\s)+-/var/log/news/news.crit}) } + its(:content) { 
should match(%r{^news.notice(\s)+-/var/log/news/news.notice}) } + its(:content) { should match(%r{^\*.=warning;\*.=err(\s)+-/var/log/warn}) } + its(:content) { should match(%r{^\*.crit(\s)+/var/log/warn}) } + its(:content) { should match(%r{^\*.\*;mail.none;news.none(\s)+-/var/log/messages}) } + its(:content) { should match(%r{^local0,local1.\*(\s)+-/var/log/localmessages}) } + its(:content) { should match(%r{^local2,local3.\*(\s)+-/var/log/localmessages}) } + its(:content) { should match(%r{^local2,local3.\*(\s)+-/var/log/localmessages}) } + its(:content) { should match(%r{^local4,local5.\*(\s)+-/var/log/localmessages}) } + its(:content) { should match(%r{^local6,local7.\*(\s)+-/var/log/localmessages}) } + end end - describe file('/etc/rsyslog.conf') do + describe file('/etc/rsyslog.conf') do its(:content) { should match(%r{^\*.emerg(\s)+:omusrmsg:\*}) } its(:content) { should match(%r{^mail.\*(\s)+-/var/log/mail}) } its(:content) { should match(%r{^mail.info(\s)+-/var/log/mail.info}) } diff --git a/controls/5_4_user_accounts_and_environments.rb b/controls/5_4_user_accounts_and_environments.rb index f27f2f5..237588a 100644 --- a/controls/5_4_user_accounts_and_environments.rb +++ b/controls/5_4_user_accounts_and_environments.rb @@ -27,8 +27,6 @@ time_now = Time.now.to_i - - # The official documentation specifying 365 days in the description but, using # 90 as an example settings control 'cis-dil-benchmark-5.4.1.1' do @@ -132,9 +130,9 @@ tag level: 1 command("cat /etc/shadow | cut -d: -f1").stdout.split.each do |username| - describe command('date -d "`export LANG="en_US.UTF-8" ; chage --list root | grep "Last password" | cut -d: -f2`" +%s') do + describe command('date -d "`export LANG="en_US.UTF-8" ; chage --list root | grep "Last password" | cut -d: -f2`" +%s') do its(:stdout) { should cmp <= time_now } - end + end end end 
@@ -201,25 +199,25 @@ end end -if cis_level == '2' - control 'cis-dil-benchmark-5.4.5' do - title 'Ensure default user shell timeout is 900 seconds or less' - desc "The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds.\n\nRationale: Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening." - impact 1.0 +control 'cis-dil-benchmark-5.4.5' do + title 'Ensure default user shell timeout is 900 seconds or less' + desc "The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds.\n\nRationale: Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening." + impact 1.0 + + tag cis: 'distribution-independent-linux:5.4.5' + tag level: 2 - tag cis: 'distribution-independent-linux:5.4.5' - tag level: 2 + only_if { cis_level == 2 } - command("sudo find /etc/ -maxdepth 1 -name *bashrc*").stdout.split.each do |bashrc_file| - describe command("grep '^TMOUT' #{bashrc_file} | cut -d= -f2") do - its(:stdout) { should cmp <= 900 } - end + command("sudo find /etc/ -maxdepth 1 -name *bashrc*").stdout.split.each do |bashrc_file| + describe command("grep '^TMOUT' #{bashrc_file} | cut -d= -f2") do + its(:stdout) { should cmp <= 900 } end + end - %w(profile).each do |f| - describe command("grep '^TMOUT' /etc/#{f} | cut -d= -f2") do - its(:stdout) { should cmp <= 900 } - end + %w(profile).each do |f| + describe command("grep '^TMOUT' /etc/#{f} | cut -d= -f2") do + its(:stdout) { should cmp <= 900 } end end end diff --git a/inspec.lock b/inspec.lock deleted file mode 100644 index e687b9b..0000000 
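Review bot: The pattern in `command("sudo find /etc/ -maxdepth 1 -name *bashrc*")` is unquoted, so the shell expands `*bashrc*` against the working directory before find runs; if any matching file exists there find receives that literal name and never inspects /etc, and the check passes or fails depending on where InSpec was started rather than on the target. Quote it, `command("find /etc/ -maxdepth 1 -name '*bashrc*'")`; the `sudo` prefix looks unnecessary when InSpec already runs with the privileges the rest of the profile relies on, but that depends on how the profile is invoked. A bashrc or profile file with no `TMOUT` line yields an empty stdout from the `grep | cut` pipeline, and it is worth confirming how `cmp <= 900` behaves on an empty string so a missing setting is reported as a failure rather than an inconclusive comparison. The `^TMOUT` anchor also misses `readonly TMOUT=…` and `export TMOUT=…` forms, which the benchmark text allows; this is pre-existing, but the note applies equally now that the control is level-gated by `only_if`.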
--- a/inspec.lock +++ /dev/null @@ -1,3 +0,0 @@ ---- -lockfile_version: 1 -depends: []