From d3da2816dbd63c2aa384b7f4a8a30e071470cb63 Mon Sep 17 00:00:00 2001 From: yoavrotems Date: Tue, 17 Sep 2019 01:43:10 +0300 Subject: [PATCH 1/7] Fix tests There was some test that brings wrong impression like false positive behavior or the opposite situation --- cfg/2.0.0/definitions.yaml | 289 ++++++++++++++++++++++++++++--------- 1 file changed, 223 insertions(+), 66 deletions(-) diff --git a/cfg/2.0.0/definitions.yaml b/cfg/2.0.0/definitions.yaml index 5a62c99..94f57b1 100644 --- a/cfg/2.0.0/definitions.yaml +++ b/cfg/2.0.0/definitions.yaml @@ -1099,7 +1099,7 @@ groups: audit: "sysctl fs.suid_dumpable" tests: test_items: - - flag: "fs.suid_dumpable =" + - flag: "fs.suid_dumpable" compare: op: eq value: "0" @@ -1129,7 +1129,7 @@ groups: audit: "grep -h \"fs\\.suid_dumpable\" /etc/sysctl.conf /etc/sysctl.d/* | head -n 1" tests: test_items: - - flag: "fs.suid_dumpable =" + - flag: "fs.suid_dumpable" compare: op: eq value: "0" @@ -1203,7 +1203,10 @@ groups: audit: "sysctl kernel.randomize_va_space" tests: test_items: - - flag: "kernel.randomize_va_space = 2" + - flag: "kernel.randomize_va_space" + compare: + op: eq + value: "2" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -1221,7 +1224,10 @@ groups: audit: "grep \"kernel\\.randomize_va_space\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "kernel.randomize_va_space = 2" + - flag: "kernel.randomize_va_space" + compare: + op: eq + value: "2" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -1435,10 +1441,16 @@ groups: tests: bin_op: and test_items: - - flag: "selinux=0" + - flag: "selinux" + compare: + op: eq + value: "0" set: false test_items: - - flag: "enforcing=0" + - flag: "enforcing" + compare: + op: eq + value: "0" set: false remediation: | For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `selinux=0` and `enforcing=0` on all `kernel` lines. 
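Review bot: In the 1435 hunk the `tests:` mapping still carries two `test_items:` keys under `bin_op: and`, one holding the `selinux` item and one holding the `enforcing` item; most YAML loaders keep only the last duplicate key, so the `selinux` test is silently discarded and the check never evaluates it, while strict loaders reject the file outright. Both items should sit in one list: `test_items:` followed by `- flag: "selinux" …` and `- flag: "enforcing" …` as consecutive entries. The same duplicate key is kept in the 1460 hunk on the next line.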
@@ -1460,10 +1472,16 @@ groups: tests: bin_op: and test_items: - - flag: "selinux=0" + - flag: "selinux" + compare: + op: eq + value: "0" set: false test_items: - - flag: "enforcing=0" + - flag: "enforcing" + compare: + op: eq + value: "0" set: false remediation: | For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `selinux=0` and `enforcing=0` on all `kernel` lines. @@ -1725,7 +1743,10 @@ groups: - grub tests: test_items: - - flag: "apparmor=0" + - flag: "apparmor" + compare: + op: eq + value: "0" set: false remediation: | For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `apparmor=0` on all `kernel` lines. @@ -1746,7 +1767,10 @@ groups: - grub2 tests: test_items: - - flag: "apparmor=0" + - flag: "apparmor" + compare: + op: eq + value: "0" set: false remediation: | For `grub` based systems edit `/boot/grub/menu.lst` and remove all instances of `apparmor=0` on all `kernel` lines. @@ -1898,7 +1922,7 @@ groups: scored: true - id: 1.7.2 description: "Ensure GDM login banner is configured" - audit: "cat /etc/gdm3/greeter.dconf-defaults" + audit: "grep -v ^#.* /etc/gdm3/greeter.dconf-defaults" tests: bin_op: and test_items: @@ -2246,9 +2270,10 @@ groups: audit: "systemctl is-enabled xinetd" constraints: platform: - - rhel7 - - ubuntu16 - ubuntu18 + #- rhel7 + #- ubuntu16 + #- ubuntu18 tests: test_items: - flag: "enabled" @@ -3622,7 +3647,7 @@ groups: - id: 2.2.15 description: "Ensure mail transfer agent is configured for local-only mode" audit: | - ss -lntu | grep -E ':25\\s' | grep -E -v '\\s(127.0.0.1\|::1):25\\s' + ss -lntu | grep -E ':25\\s' | grep -E -v '\\s(127.0.0.1|::1):25\\s' tests: test_items: - flag: "" @@ -4097,7 +4122,10 @@ groups: audit: "sysctl net.ipv4.ip_forward" tests: test_items: - - flag: "net.ipv4.ip_forward = 0" + - flag: "net.ipv4.ip_forward" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: 
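Review bot: In the 1725 and 1746 hunks the flag is widened from `apparmor=0` to `apparmor` while `set: false` is kept, and it is not clear from the hunk whether the runner honours `compare` at all when `set` is false; if `set: false` simply means "token absent", any kernel or `GRUB_CMDLINE_LINUX` line containing `apparmor` in another form (for example `apparmor=1` or `security=apparmor`) now fails a check that previously passed. Please confirm the runner's semantics for `set: false` plus `compare`; if compare is ignored in that case, the narrower `flag: "apparmor=0"` with `set: false` was the correct form. The same question applies to the `selinux` and `enforcing` items in the 1435 and 1460 hunks.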
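Review bot: The new audit in the 1898 hunk passes the grep pattern unquoted, `grep -v ^#.* /etc/gdm3/greeter.dconf-defaults`, so the `*` is subject to pathname expansion before grep sees it and the `.*` is redundant anyway. Quoting the pattern makes the intent explicit and shell-safe: `audit: "grep -v '^#' /etc/gdm3/greeter.dconf-defaults"`. A short comment such as `# drop commented-out defaults so they cannot satisfy the banner test` would explain why `cat` was replaced.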
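Review bot: In the 2246 hunk the `platform` constraint for the xinetd check is reduced to `ubuntu18` only, with `rhel7`, `ubuntu16` and, oddly, `ubuntu18` itself left as commented-out entries and no explanation of why the other platforms stop being evaluated. Commented-out config is dead text that a later reader cannot interpret; either delete the three `#-` lines or replace them with a comment stating the reason, e.g. `# rhel7/ubuntu16 excluded: <reason>`, and drop the duplicate `#- ubuntu18`. If the intent was to disable the check on those platforms because `systemctl is-enabled xinetd` reports differently there, that deserves to be written down next to the constraint.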
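Review bot: The 3622 hunk fixes the alternation but keeps `\\s` in an `audit: |` block scalar; inside a literal block scalar backslashes are not escapes, so the shell receives the single-quoted ERE `:25\\s`, which grep -E reads as a literal backslash followed by `s`. If the audit is executed through a shell as the other entries suggest, neither grep ever matches a real `ss` line, and the check reports on an empty result regardless of what the MTA is listening on. Use single backslashes here: `ss -lntu | grep -E ':25\s' | grep -E -v '\s(127\.0\.0\.1|::1):25\s'`.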
@@ -4119,7 +4147,10 @@ groups: audit: "grep \"net\\.ipv4\\.ip_forward\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.ip_forward = 0" + - flag: "net.ipv4.ip_forward" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4140,7 +4171,10 @@ groups: audit: "sysctl net.ipv6.conf.all.forwarding" tests: test_items: - - flag: "net.ipv6.conf.all.forwarding = 0" + - flag: "net.ipv6.conf.all.forwarding" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4161,7 +4195,10 @@ groups: audit: "grep \"net\\.ipv6\\.conf\\.all\\.forwarding\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv6.conf.all.forwarding = 0" + - flag: "net.ipv6.conf.all.forwarding" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4182,7 +4219,10 @@ groups: audit: "sysctl net.ipv4.conf.all.send_redirects" tests: test_items: - - flag: "net.ipv4.conf.all.send_redirects = 0" + - flag: "net.ipv4.conf.all.send_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4203,7 +4243,10 @@ groups: audit: "sysctl net.ipv4.conf.default.send_redirects" tests: test_items: - - flag: "net.ipv4.conf.default.send_redirects = 0" + - flag: "net.ipv4.conf.default.send_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: 
@@ -4224,7 +4267,10 @@ groups: audit: "grep \"net\\.ipv4\\.conf\\.all\\.send_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.conf.all.send_redirects = 0" + - flag: "net.ipv4.conf.all.send_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4245,7 +4291,10 @@ groups: audit: "grep \"net\\.ipv4\\.conf\\.default\\.send_redirects /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.conf.default.send_redirects = 0" + - flag: "net.ipv4.conf.default.send_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4272,7 +4321,7 @@ groups: - flag: "net.ipv4.conf.all.accept_source_route" compare: op: eq - value: 0 + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4300,8 +4349,8 @@ groups: test_items: - flag: "net.ipv4.conf.default.accept_source_route" compare: - op: eq - value: 0 + op: eq + value: 0 set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4324,10 +4373,13 @@ groups: - id: 3.2.1.c description: "Ensure source routed packets are not accepted" - audit: "grep \"net\\.ipv4\\.conf\\.all\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep -h \"net\\.ipv4\\.conf\\.all\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/* | head -n 1" tests: test_items: - - flag: "net.ipv4.conf.all.accept_source_route = 0" + - flag: "net.ipv4.conf.all.accept_source_route" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: 
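Review bot: In the 4300 hunk the `op:`/`value:` lines are only re-indented and `value: 0` stays a bare YAML integer, while the sibling item for `net.ipv4.conf.all.accept_source_route` in the 4272 hunk was deliberately changed to the string `"0"`. Every other compare block in this patch quotes its value, and a compare that is presumably string-based (confirm against the runner) should not receive an int for one item and a str for the next. Change it to `value: "0"` so the two `accept_source_route` items behave identically.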
@@ -4353,7 +4405,10 @@ groups: audit: "grep \"net\\.ipv4\\.conf\\.default\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.conf.default.accept_source_route = 0" + - flag: "net.ipv4.conf.default.accept_source_route" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4374,12 +4429,15 @@ groups: scored: true - - id: 3.1.2.e + - id: 3.2.1.e description: "Ensure packet redirect sending is disabled" audit: "sysctl net.ipv6.conf.all.accept_source_route" tests: test_items: - - flag: "net.ipv6.conf.all.accept_source_route = 0" + - flag: "net.ipv6.conf.all.accept_source_route" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4400,12 +4458,15 @@ groups: scored: true - - id: 3.1.2.f + - id: 3.2.1.f description: "Ensure packet redirect sending is disabled" audit: "sysctl net.ipv6.conf.default.accept_source_route" tests: test_items: - - flag: "net.ipv6.conf.default.accept_source_route = 0" + - flag: "net.ipv6.conf.default.accept_source_route" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4426,12 +4487,15 @@ groups: scored: true - - id: 3.1.2.g + - id: 3.2.1.g description: "Ensure packet redirect sending is disabled" audit: "grep \"net\\.ipv6\\.conf\\.all\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv6.conf.all.accept_source_route = 0" + - flag: "net.ipv6.conf.all.accept_source_route" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: 
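Review bot: The 4374 hunk renumbers the item to `3.2.1.e` but leaves the description as "Ensure packet redirect sending is disabled", although the audit inspects `net.ipv6.conf.all.accept_source_route`; the `3.2.1.c` and `3.2.1.d` items for the same sysctl family use "Ensure source routed packets are not accepted". Change the description to `description: "Ensure source routed packets are not accepted"` so the report text matches the check. The same mismatch remains in the renumbered `3.2.1.f`, `3.2.1.g` (hunks 4400 and 4426) and `3.2.1.h` (hunk 4452 on the next line).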
@@ -4452,12 +4516,15 @@ groups: scored: true - - id: 3.1.2.h + - id: 3.2.1.h description: "Ensure packet redirect sending is disabled" audit: "grep \"net\\.ipv6\\.conf\\.default\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv6.conf.default.accept_source_route = 0" + - flag: "net.ipv6.conf.default.accept_source_route" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4483,7 +4550,10 @@ groups: audit: "sysctl net.ipv4.conf.all.accept_redirects" tests: test_items: - - flag: "net.ipv4.conf.all.accept_redirects = 0" + - flag: "net.ipv4.conf.all.accept_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4509,7 +4579,10 @@ groups: audit: "sysctl net.ipv4.conf.default.accept_redirects" tests: test_items: - - flag: "net.ipv4.conf.default.accept_redirects = 0" + - flag: "net.ipv4.conf.default.accept_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4535,7 +4608,10 @@ groups: audit: "grep \"net\\.ipv4\\.conf\\.all\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.conf.all.accept_redirects = 0" + - flag: "net.ipv4.conf.all.accept_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4561,7 +4637,10 @@ groups: audit: "grep \"net\\.ipv4\\.conf\\.default\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.conf.default.accept_redirects = 0" + - flag: "net.ipv4.conf.default.accept_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: 
@@ -4587,7 +4666,10 @@ groups: audit: "sysctl net.ipv6.conf.all.accept_redirects" tests: test_items: - - flag: "net.ipv6.conf.all.accept_redirects = 0" + - flag: "net.ipv6.conf.all.accept_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4613,7 +4695,10 @@ groups: audit: "sysctl net.ipv6.conf.default.accept_redirects" tests: test_items: - - flag: "net.ipv6.conf.default.accept_redirects = 0" + - flag: "net.ipv6.conf.default.accept_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4639,7 +4724,10 @@ groups: audit: "grep \"net\\.ipv6\\.conf\\.all\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv6.conf.all.accept_redirects = 0" + - flag: "net.ipv6.conf.all.accept_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4665,7 +4753,10 @@ groups: audit: "grep \"net\\.ipv6\\.conf\\.default\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv6.conf.default.accept_redirects = 0" + - flag: "net.ipv6.conf.default.accept_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4692,7 +4783,10 @@ groups: audit: "sysctl net.ipv4.conf.all.secure_redirects" tests: test_items: - - flag: "net.ipv4.conf.all.secure_redirects = 0" + - flag: "net.ipv4.conf.all.secure_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: 
@@ -4713,7 +4807,10 @@ groups: audit: "sysctl net.ipv4.conf.default.secure_redirects" tests: test_items: - - flag: "net.ipv4.conf.default.secure_redirects = 0" + - flag: "net.ipv4.conf.default.secure_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4734,7 +4831,10 @@ groups: audit: "grep \"net\\.ipv4\\.conf\\.all\\.secure_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.conf.all.secure_redirects = 0" + - flag: "net.ipv4.conf.all.secure_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4755,7 +4855,10 @@ groups: audit: "grep \"net\\.ipv4\\.conf\\.default\\.secure_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.conf.default.secure_redirects = 0" + - flag: "net.ipv4.conf.default.secure_redirects" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4776,7 +4879,10 @@ groups: audit: "sysctl net.ipv4.conf.all.log_martians" tests: test_items: - - flag: "net.ipv4.conf.all.log_martians = 1" + - flag: "net.ipv4.conf.all.log_martians" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4797,7 +4903,10 @@ groups: audit: "sysctl net.ipv4.conf.default.log_martians" tests: test_items: - - flag: "net.ipv4.conf.default.log_martians = 1" + - flag: "net.ipv4.conf.default.log_martians" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: 
@@ -4818,7 +4927,10 @@ groups: audit: "grep \"net\\.ipv4\\.conf\\.all\\.log_martians\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.conf.all.log_martians = 1" + - flag: "net.ipv4.conf.all.log_martians" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4839,7 +4951,10 @@ groups: audit: "grep \"net\\.ipv4\\.conf\\.default\\.log_martians\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.conf.default.log_martians = 1" + - flag: "net.ipv4.conf.default.log_martians" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4860,7 +4975,10 @@ groups: audit: "sysctl net.ipv4.icmp_echo_ignore_broadcasts" tests: test_items: - - flag: "net.ipv4.icmp_echo_ignore_broadcasts = 1" + - flag: "net.ipv4.icmp_echo_ignore_broadcasts" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4879,7 +4997,10 @@ groups: audit: "grep \"net\\.ipv4\\.icmp_echo_ignore_broadcasts\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.icmp_echo_ignore_broadcasts = 1" + - flag: "net.ipv4.icmp_echo_ignore_broadcasts" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4898,7 +5019,10 @@ groups: audit: "sysctl net.ipv4.icmp_ignore_bogus_error_responses" tests: test_items: - - flag: "net.ipv4.icmp_ignore_bogus_error_responses = 1" + - flag: "net.ipv4.icmp_ignore_bogus_error_responses" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: 
@@ -4917,7 +5041,10 @@ groups: audit: "grep \"net\\.ipv4\\.icmp_ignore_bogus_error_responses\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.icmp_ignore_bogus_error_responses = 1" + - flag: "net.ipv4.icmp_ignore_bogus_error_responses" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4936,7 +5063,10 @@ groups: audit: "sysctl net.ipv4.conf.all.rp_filter" tests: test_items: - - flag: "net.ipv4.conf.all.rp_filter = 1" + - flag: "net.ipv4.conf.all.rp_filter" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4957,7 +5087,10 @@ groups: audit: "sysctl net.ipv4.conf.default.rp_filter" tests: test_items: - - flag: "net.ipv4.conf.default.rp_filter = 1" + - flag: "net.ipv4.conf.default.rp_filter" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4978,7 +5111,10 @@ groups: audit: "grep \"net\\.ipv4\\.conf\\.all\\.rp_filter\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.conf.all.rp_filter = 1" + - flag: "net.ipv4.conf.all.rp_filter" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -4999,7 +5135,10 @@ groups: audit: "grep \"net\\.ipv4\\.conf\\.default\\.rp_filter\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.conf.default.rp_filter = 1" + - flag: "net.ipv4.conf.default.rp_filter" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: 
@@ -5020,7 +5159,10 @@ groups: audit: "sysctl net.ipv4.tcp_syncookies" tests: test_items: - - flag: "net.ipv4.tcp_syncookies = 1" + - flag: "net.ipv4.tcp_syncookies" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -5039,7 +5181,10 @@ groups: audit: "grep \"net\\.ipv4\\.tcp_syncookies\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv4.tcp_syncookies = 1" + - flag: "net.ipv4.tcp_syncookies" + compare: + op: eq + value: "1" set: true remediation: | Set the following parameter in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -5058,7 +5203,10 @@ groups: audit: "sysctl net.ipv6.conf.all.accept_ra" tests: test_items: - - flag: "net.ipv6.conf.all.accept_ra = 0" + - flag: "net.ipv6.conf.all.accept_ra" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -5079,7 +5227,10 @@ groups: audit: "sysctl net.ipv6.conf.default.accept_ra" tests: test_items: - - flag: "net.ipv6.conf.default.accept_ra = 0" + - flag: "net.ipv6.conf.default.accept_ra" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: @@ -5100,7 +5251,10 @@ groups: audit: "grep \"net\\.ipv6\\.conf\\.all\\.accept_ra\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv6.conf.all.accept_ra = 0" + - flag: "net.ipv6.conf.all.accept_ra" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: 
@@ -5121,7 +5275,10 @@ groups: audit: "grep \"net\\.ipv6\\.conf\\.default\\.accept_ra\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - - flag: "net.ipv6.conf.default.accept_ra = 0" + - flag: "net.ipv6.conf.default.accept_ra" + compare: + op: eq + value: "0" set: true remediation: | Set the following parameters in `/etc/sysctl.conf` or a `/etc/sysctl.d/*` file: From c828e22bce73174172b6c37ce8f4265177ae0b83 Mon Sep 17 00:00:00 2001 From: yoavrotems Date: Thu, 26 Sep 2019 00:07:20 +0300 Subject: [PATCH 2/7] Update definitions.yaml Add The yaml after checking it --- cfg/2.0.0/definitions.yaml | 338 ++++++++++++++++++------------------- 1 file changed, 167 insertions(+), 171 deletions(-) diff --git a/cfg/2.0.0/definitions.yaml b/cfg/2.0.0/definitions.yaml index 94f57b1..4d1a529 100644 --- a/cfg/2.0.0/definitions.yaml +++ b/cfg/2.0.0/definitions.yaml @@ -1126,7 +1126,7 @@ groups: - id: 1.5.1.c description: "Ensure core dumps are restricted" - audit: "grep -h \"fs\\.suid_dumpable\" /etc/sysctl.conf /etc/sysctl.d/* | head -n 1" + audit: "grep \"fs\\.suid_dumpable\" /etc/sysctl.conf /etc/sysctl.d/* | head -n 1" tests: test_items: - flag: "fs.suid_dumpable" @@ -4144,7 +4144,7 @@ groups: - id: 3.1.1.b description: "Ensure IP forwarding is disabled" - audit: "grep \"net\\.ipv4\\.ip_forward\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.ip_forward\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.ip_forward" @@ -4192,7 +4192,7 @@ groups: scored: true - id: 3.1.1.d description: "Ensure IP forwarding is disabled" - audit: "grep \"net\\.ipv6\\.conf\\.all\\.forwarding\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv6\\.conf\\.all\\.forwarding\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv6.conf.all.forwarding" 
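Review bot: The 1126 hunk drops `-h` but keeps `| head -n 1`, so the audit now reports the first match with a filename prefix (`/etc/sysctl.conf:fs.suid_dumpable = 0`), and "first match" is not the effective setting: `sysctl --system` applies `/etc/sysctl.conf` and `/etc/sysctl.d/*` in order with later files overriding earlier ones, so a hardened value in `/etc/sysctl.conf` can be reported as compliant while a later drop-in re-enables core dumps. Please confirm that the flag parser tolerates the `file:` prefix, and consider taking the last match rather than the first (`| tail -n 1`) or stating in a comment why the first occurrence is the intended one. The matching `sysctl fs.suid_dumpable` item already covers the live kernel value, so this item is only useful if it reflects what will persist across reboot.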
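Review bot: In the 4144 hunk the new prefix `^\\s*` sits outside the escaped double quotes, so after YAML unescaping the shell sees `grep ^\s*"net\.ipv4\.ip_forward"`; an unquoted `\s` is reduced to `s` by the shell and the word is also exposed to pathname expansion, leaving grep with the pattern `^s*net\.ipv4\.ip_forward`. That accidentally excludes commented lines, but it no longer matches an indented `  net.ipv4.ip_forward = 0`, so a valid drop-in with leading whitespace is reported as unset. Move the anchor inside the quotes: `audit: "grep \"^\\s*net\\.ipv4\\.ip_forward\" /etc/sysctl.conf /etc/sysctl.d/*"`. The same construct is used in hunk 4192 here and in every `grep ^\\s*` audit on the following lines (hunks 4264 through 5272).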
@@ -4264,7 +4264,7 @@ groups: - id: 3.1.2.c description: "Ensure packet redirect sending is disabled" - audit: "grep \"net\\.ipv4\\.conf\\.all\\.send_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.all\\.send_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.all.send_redirects" @@ -4288,7 +4288,7 @@ groups: - id: 3.1.2.d description: "Ensure packet redirect sending is disabled" - audit: "grep \"net\\.ipv4\\.conf\\.default\\.send_redirects /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.default\\.send_redirects /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.default.send_redirects" @@ -4373,7 +4373,7 @@ groups: - id: 3.2.1.c description: "Ensure source routed packets are not accepted" - audit: "grep -h \"net\\.ipv4\\.conf\\.all\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/* | head -n 1" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.all\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.all.accept_source_route" @@ -4402,7 +4402,7 @@ groups: - id: 3.2.1.d description: "Ensure source routed packets are not accepted" - audit: "grep \"net\\.ipv4\\.conf\\.default\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.default\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.default.accept_source_route" @@ -4489,7 +4489,7 @@ groups: - id: 3.2.1.g description: "Ensure packet redirect sending is disabled" - audit: "grep \"net\\.ipv6\\.conf\\.all\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv6\\.conf\\.all\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv6.conf.all.accept_source_route" 
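Review bot: The new audit line in the 4288 hunk opens an escaped double quote before `net\\.ipv4\\.conf\\.default\\.send_redirects` and never closes it, so the shell receives an unterminated string and the command fails with a syntax error instead of inspecting the config; the check then evaluates an empty result and cannot report the real state of `send_redirects`. The quote was already missing on the old side, but the line is rewritten here without fixing it. Correct form, with the `^\\s*` anchor inside the quotes as well: `audit: "grep \"^\\s*net\\.ipv4\\.conf\\.default\\.send_redirects\" /etc/sysctl.conf /etc/sysctl.d/*"`.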
@@ -4518,7 +4518,7 @@ groups: - id: 3.2.1.h description: "Ensure packet redirect sending is disabled" - audit: "grep \"net\\.ipv6\\.conf\\.default\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv6\\.conf\\.default\\.accept_source_route\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv6.conf.default.accept_source_route" @@ -4605,7 +4605,7 @@ groups: - id: 3.2.2.c description: "Ensure ICMP redirects are not accepted" - audit: "grep \"net\\.ipv4\\.conf\\.all\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.all\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.all.accept_redirects" @@ -4634,7 +4634,7 @@ groups: - id: 3.2.2.d description: "Ensure ICMP redirects are not accepted" - audit: "grep \"net\\.ipv4\\.conf\\.default\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.default\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.default.accept_redirects" @@ -4721,7 +4721,7 @@ groups: - id: 3.2.2.g description: "Ensure ICMP redirects are not accepted" - audit: "grep \"net\\.ipv6\\.conf\\.all\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv6\\.conf\\.all\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv6.conf.all.accept_redirects" @@ -4750,7 +4750,7 @@ groups: - id: 3.2.2.h description: "Ensure ICMP redirects are not accepted" - audit: "grep \"net\\.ipv6\\.conf\\.default\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv6\\.conf\\.default\\.accept_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv6.conf.default.accept_redirects" 
@@ -4828,7 +4828,7 @@ groups: - id: 3.2.3.c description: "Ensure secure ICMP redirects are not accepted" - audit: "grep \"net\\.ipv4\\.conf\\.all\\.secure_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.all\\.secure_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.all.secure_redirects" @@ -4852,7 +4852,7 @@ groups: - id: 3.2.3.d description: "Ensure secure ICMP redirects are not accepted" - audit: "grep \"net\\.ipv4\\.conf\\.default\\.secure_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.default\\.secure_redirects\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.default.secure_redirects" @@ -4924,7 +4924,7 @@ groups: - id: 3.2.4.c description: "Ensure suspicious packets are logged" - audit: "grep \"net\\.ipv4\\.conf\\.all\\.log_martians\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.all\\.log_martians\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.all.log_martians" @@ -4948,7 +4948,7 @@ groups: - id: 3.2.4.d description: "Ensure suspicious packets are logged" - audit: "grep \"net\\.ipv4\\.conf\\.default\\.log_martians\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.default\\.log_martians\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.default.log_martians" @@ -4994,7 +4994,7 @@ groups: - id: 3.2.5.b description: "Ensure broadcast ICMP requests are ignored" - audit: "grep \"net\\.ipv4\\.icmp_echo_ignore_broadcasts\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.icmp_echo_ignore_broadcasts\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.icmp_echo_ignore_broadcasts" 
@@ -5038,7 +5038,7 @@ groups: - id: 3.2.6.b description: "Ensure bogus ICMP responses are ignored" - audit: "grep \"net\\.ipv4\\.icmp_ignore_bogus_error_responses\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.icmp_ignore_bogus_error_responses\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.icmp_ignore_bogus_error_responses" @@ -5108,7 +5108,7 @@ groups: - id: 3.2.7.c description: "Ensure Reverse Path Filtering is enabled" - audit: "grep \"net\\.ipv4\\.conf\\.all\\.rp_filter\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.all\\.rp_filter\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.all.rp_filter" @@ -5132,7 +5132,7 @@ groups: - id: 3.2.7.d description: "Ensure Reverse Path Filtering is enabled" - audit: "grep \"net\\.ipv4\\.conf\\.default\\.rp_filter\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.conf\\.default\\.rp_filter\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.conf.default.rp_filter" @@ -5178,7 +5178,7 @@ groups: - id: 3.2.8.b description: "Ensure TCP SYN Cookies is enabled" - audit: "grep \"net\\.ipv4\\.tcp_syncookies\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv4\\.tcp_syncookies\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv4.tcp_syncookies" @@ -5248,7 +5248,7 @@ groups: - id: 3.2.9.c description: "Ensure IPv6 router advertisements are not accepted" - audit: "grep \"net\\.ipv6\\.conf\\.all\\.accept_ra\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv6\\.conf\\.all\\.accept_ra\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv6.conf.all.accept_ra" 
@@ -5272,7 +5272,7 @@ groups: - id: 3.2.9.d description: "Ensure IPv6 router advertisements are not accepted" - audit: "grep \"net\\.ipv6\\.conf\\.default\\.accept_ra\" /etc/sysctl.conf /etc/sysctl.d/*" + audit: "grep ^\\s*\"net\\.ipv6\\.conf\\.default\\.accept_ra\" /etc/sysctl.conf /etc/sysctl.d/*" tests: test_items: - flag: "net.ipv6.conf.default.accept_ra" @@ -5292,48 +5292,8 @@ groups: # sysctl -w net.ipv6.conf.default.accept_ra=0 # sysctl -w net.ipv6.route.flush=1 - scored: true - + scored: true - description: "Ensure IPv6 is disabled" - sub_checks: - - check: - audit: "grep kernel /boot/grub/menu.lst" - constraints: - boot: - - grub - tests: - test_items: - - flag: "ipv6.disable=1" - set: false - remediation: | - For `grub` based systems edit `/boot/grub/menu.lst` and remove add `ipv6.disable=1` to all `kernel` lines. - For `grub2` based systems edit `/etc/default/grub` and remove add `ipv6.disable=1` to the `GRUB_CMDLINE_LINUX` parameters: - - GRUB_CMDLINE_LINUX="ipv6.disable=1" - - Run the following command to update the `grub2` configuration: - - # update-grub - - check: - audit: "grep LINUX /etc/default/grub" - constraints: - boot: - - grub2 - tests: - test_items: - - flag: "ipv6.disable=1" - set: false - remediation: | - For `grub` based systems edit `/boot/grub/menu.lst` and remove add `ipv6.disable=1` to all `kernel` lines. - For `grub2` based systems edit `/etc/default/grub` and remove add `ipv6.disable=1` to the `GRUB_CMDLINE_LINUX` parameters: - - GRUB_CMDLINE_LINUX="ipv6.disable=1" - - Run the following command to update the `grub2` configuration: - - # update-grub - scored: false - id: 3.3 description: "TCP Wrappers" checks: @@ -5619,6 +5579,8 @@ groups: # iptables -P INPUT DROP # iptables -P OUTPUT DROP # iptables -P FORWARD DROP + scored: true + - id: 3.5.1.2.a description: "Ensure IPv6 loopback traffic is configured" audit: "ip6tables -L INPUT -v -n" 
@@ -5661,8 +5623,6 @@ groups: # ip6tables -A INPUT -s ::1 -j DROP scored: true - - scored: true - id: 3.5.1.3 description: "Ensure IPv6 outbound and established connections are configured" audit: "ip6tables -L -v -n" @@ -5939,6 +5899,7 @@ groups: # grub2-mkconfig –o /boot/grub2/grub.cfg or # update-grub + - check: audit: "grep \"^\\s*linux\" /boot/grub2/grub.cfg | grep -v ipv6.disabled=1" constraints: @@ -7195,21 +7156,21 @@ groups: Storage=persistent scored: true -- id: 4.2.3 - description: "Ensure permissions on all logfiles are configured" - audit: "find /var/log -type f -ls" - type: manual - remediation: | - Run the following commands to set permissions on all existing log files: - find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" + - scored: true -- id: 4.3 - description: "Ensure logrotate is configured" - audit: "cat /etc/logrotate.conf; cat /etc/logrotate.d/* ;" - type: manual - remediation: | - Edit `/etc/logrotate.conf` and `/etc/logrotate.d/*` to ensure logs are rotated according to site policy. - scored: false + - id: 4.2.3 + description: "Ensure permissions on all logfiles are configured" + audit: "find /var/log -type f -ls" + type: manual + remediation: | + Run the following commands to set permissions on all existing log files: + find /var/log -type f -exec chmod g-wx,o-rwx "{}" + -o -type d -exec chmod g-w,o-rwx "{}" + + scored: true + - id: 4.3 + description: "Ensure logrotate is configured" + audit: "cat /etc/logrotate.conf; cat /etc/logrotate.d/* ;" + type: manual + remediation: | + Edit `/etc/logrotate.conf` and `/etc/logrotate.d/*` to ensure logs are rotated according to site policy. + scored: false - id: 5 description: "Access, Authentication and Authorization" - id: 5.1 
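Review bot: The `- check:` added in the 5939 hunk turns the following audit into a live sub-check, and that audit greps for `ipv6.disabled=1`, whereas the kernel parameter is `ipv6.disable=1` (the spelling the removed block at 5292 and its remediation use); with the typo the `grep -v` filter never removes anything and the test will not reflect whether IPv6 is actually disabled on the kernel line. Change it to `grep -v ipv6.disable=1` and check the `set:`/flag pairing of the item, which continues outside the hunk. The rest of this check's body starts inside the hunk and ends beyond it.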
@@ -7378,8 +7339,8 @@ groups: audit: "stat /etc/cron.deny" tests: test_items: - - flag: "stat: cannot stat '/etc/cron.deny': No such file or directory" - set: true + - flag: "File: /etc/cron.deny" + set: false remediation: | Run the following commands to remove `/etc/cron.deny` and `/etc/at.deny` and create and set permissions and ownership for `/etc/cron.allow` and `/etc/at.allow` : @@ -7399,8 +7360,8 @@ groups: audit: "stat /etc/at.deny" tests: test_items: - - flag: "stat: cannot stat '/etc/at.deny': No such file or directory" - set: true + - flag: "File: /etc/at.deny" + set: false remediation: | Run the following commands to remove `/etc/cron.deny` and `/etc/at.deny` and create and set permissions and ownership for `/etc/cron.allow` and `/etc/at.allow` : @@ -7548,7 +7509,10 @@ groups: audit: "sshd -T | grep maxauthtries" tests: test_items: - - flag: "MaxAuthTries 4" + - flag: "maxauthtries" + compare: + op: lte + value: "4" set: true remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: @@ -7562,7 +7526,7 @@ groups: audit: "sshd -T | grep ignorerhosts" tests: test_items: - - flag: "IgnoreRhosts yes" + - flag: "ignorerhosts yes" set: true remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: @@ -7577,12 +7541,12 @@ groups: audit: "sshd -T | grep hostbasedauthentication" tests: test_items: - - flag: "HostbasedAuthentication no" + - flag: "hostbasedauthentication no" set: true remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: - HostbasedAuthentication no + hostbasedauthentication no scored: true @@ -7592,12 +7556,12 @@ groups: audit: "sshd -T | grep permitrootlogin" tests: test_items: - - flag: "PermitRootLogin no" + - flag: "permitrootlogin no" set: true remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: - PermitRootLogin no + permitrootlogin no scored: true 
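Review bot: The remediation text in the HostbasedAuthentication check now tells the user to write `hostbasedauthentication no` into sshd_config; lowercasing is only needed in `flag:` to match `sshd -T` output, which normalizes keywords, and the remediation should keep the canonical `HostbasedAuthentication no` as sshd_config(5) and the benchmark spell it. sshd accepts keywords case-insensitively, so this is a documentation point rather than a functional one. The same applies to the remediation lines changed in hunks @@ -7592, @@ -7608, @@ -7622, @@ -7734, @@ -7749, @@ -7764, @@ -7851 and @@ -7875.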
@@ -7608,12 +7572,12 @@ groups: audit: "sshd -T | grep permitemptypasswords" tests: test_items: - - flag: "PermitEmptyPasswords no" + - flag: "permitemptypasswords no" set: true remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: - PermitEmptyPasswords no + permitemptypasswords no scored: true @@ -7622,12 +7586,12 @@ groups: audit: "sshd -T | grep permituserenvironment" tests: test_items: - - flag: "PermitUserEnvironment no" + - flag: "permituserenvironment no" set: true remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: - PermitUserEnvironment no + permituserenvironment no scored: true @@ -7734,13 +7698,16 @@ groups: audit: "sshd -T | grep clientaliveinterval" tests: test_items: - - flag: "ClientAliveInterval 300" + - flag: "clientaliveinterval" + compare: + op: lte + value: "300" set: true remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameters according to site policy: - ClientAliveInterval 300 - ClientAliveCountMax 0 + clientaliveinterval 300 + clientalivecountmax 0 scored: true @@ -7749,13 +7716,16 @@ groups: audit: "sshd -T | grep clientalivecountmax" tests: test_items: - - flag: "ClientAliveCountMax 0" + - flag: "clientalivecountmax" + compare: + op: lte + value: "3" set: true remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameters according to site policy: - ClientAliveInterval 300 - ClientAliveCountMax 0 + clientaliveinterval 300 + clientalivecountmax 0 scored: true @@ -7764,12 +7734,15 @@ groups: audit: "sshd -T | grep logingracetime" tests: test_items: - - flag: "LoginGraceTime 60" + - flag: "logingracetime" + compare: + op: lte + value: "60" set: true remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: - LoginGraceTime 60 + logingracetime 60 scored: true 
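Review bot: The ClientAliveCountMax test now accepts any value up to 3 (`op: lte`, `value: "3"`) while the remediation a few lines below still instructs `clientalivecountmax 0`, so the two halves of the check disagree about the expected setting. Either change the remediation to the value the test enforces or set `value: "0"` to match the remediation; which one is right depends on the benchmark revision this file tracks, which is not visible here.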
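Review bot: `op: lte` against `60` lets `logingracetime 0` pass, and in sshd a LoginGraceTime of 0 means no limit at all, so the rewritten check accepts the one configuration the control is meant to exclude. The ClientAliveInterval check has the same shape and patch 3 fixes it there by adding a `gte 1` item under `bin_op: and`; the same pairing belongs here. The remediation block below is unchanged apart from casing.
```yaml
tests:
  bin_op: and
  test_items:
    - flag: "logingracetime"
      compare:
        op: lte
        value: "60"
      set: true
    - flag: "logingracetime"
      compare:
        op: gte
        value: "1"
      set: true
# … unchanged: remediation …
```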
@@ -7851,12 +7824,12 @@ groups: audit: "sshd -T | grep banner" tests: test_items: - - flag: "Banner /etc/issue.net" + - flag: "banner /etc/issue.net" set: true remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameter as follows: - Banner /etc/issue.net + banner /etc/issue.net scored: true - id: 5.2.20 @@ -7875,11 +7848,11 @@ groups: audit: "sshd -T | grep -i allowtcpforwarding" tests: test_items: - - flag: "AllowTcpForwarding no" + - flag: "allowtcpforwarding no" set: true remediation: | Edit the /etc/ssh/sshd_config file to set the parameter as follows: - AllowTcpForwarding no + allowtcpforwarding no scored: true - id: 5.2.22 description: "Ensure SSH MaxStartups is configured" @@ -7894,7 +7867,10 @@ groups: audit: "sshd -T | grep -i maxsessions" tests: test_items: - - flag: "maxsessions 4" + - flag: "maxsessions" + compare: + op: lte + value: "4" set: true remediation: | Edit the /etc/ssh/sshd_config file to set the parameter as follows: @@ -7984,12 +7960,12 @@ groups: description: "Ensure password expiration is 365 days or less" audit: "grep ^PASS_MAX_DAYS /etc/login.defs" tests: - bin_op: and test_items: - flag: "PASS_MAX_DAYS" - set: true - flag: "365" - set: true + compare: + op: lte + value: "365" + set: true remediation: | Set the `PASS_MAX_DAYS` parameter to conform to site policy in `/etc/login.defs` : @@ -8024,12 +8000,13 @@ groups: description: "Ensure minimum days between password changes is 7 or more" audit: "grep ^PASS_MIN_DAYS /etc/login.defs" tests: - bin_op: and test_items: - flag: "PASS_MIN_DAYS" + compare: + op: gte + value: "7" set: true - flag: "7" - set: true + remediation: | Set the `PASS_MIN_DAYS` parameter to 7 in `/etc/login.defs` : 
@@ -8064,11 +8041,11 @@ groups: description: "Ensure password expiration warning days is 7 or more" audit: "grep ^PASS_WARN_AGE /etc/login.defs" tests: - bin_op: and test_items: - flag: "PASS_WARN_AGE" - set: true - flag: "7" + compare: + op: gte + value: "7" set: true remediation: | Set the `PASS_WARN_AGE` parameter to 7 in `/etc/login.defs` : @@ -8145,17 +8122,17 @@ groups: tests: test_items: - flag: "" - compare: - op: eq - value: "" - set: true + compare: + op: eq + value: "" + set: true remediation: | Investigate any users with a password change date in the future and correct them. Locking the account, expiring the password, or resetting the password manually may be appropriate. scored: true - - id: 5.4.2 + - id: 5.4.2.a description: "Ensure system accounts are non-login" - audit: "egrep -v \"^\\+\" /etc/passwd | awk -F: '($1!=\"root\" && $1!=\"sync\" && $1!=\"shutdown\" && $1!=\"halt\" && $3<500 && $7!=\"/sbin/nologin\" && $7!=\"/bin/false\") {print}'" + audit: "awk -F: '($1!=\"root\" && $1!=\"sync\" && $1!=\"shutdown\" && $1!=\"halt\" && $1!~/^\\+/ && $3<'\"$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs)\"' && $7!=\"'\"$(which nologin)\"'\" && $7!=\"/bin/false\") {print}' /etc/passwd" tests: test_items: - flag: "" 
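Review bot: The new 5.4.2.a audit interpolates `$(which nologin)` and `$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)` straight into the awk program, so if either expands empty — `nologin` not on the runner's PATH, or no `UID_MIN` line — the comparison becomes `$7!=""` (every nologin-shell account is printed, a false failure) or `$3<` (an awk syntax error whose empty stdout satisfies `value: ""` and reads as a pass, assuming only stdout is captured). A fallback such as `$(which nologin || echo /usr/sbin/nologin)` and a default for UID_MIN would make the check fail closed instead. The description of 5.4.2.a is also unchanged from 5.4.2 although the control is now split into .a and .b; naming what .a checks (login shell) would help readers of the report.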
@@ -8164,24 +8141,39 @@ groups: value: "" set: true remediation: | - Set the shell for any accounts returned by the audit script to `/sbin/nologin` : - - # usermod -s /sbin/nologin - - The following script will automatically set all user shells required to `/sbin/nologin` and lock the `sync` , `shutdown` , and `halt` users: - - #!/bin/bash - for user in `awk -F: '($3 < 500) {print $1 }' /etc/passwd` ; do - if [ $user != "root" ]; then - usermod -L $user - if [ $user != "sync" ] && [ $user != "shutdown" ] & then - usermod -s /sbin/nologin $user - fi - fi - done + Run the commands appropriate for your distribution: + Set the shell for any accounts returned by the audit to nologin: + # usermod -s $(which nologin) + Lock any non root accounts returned by the audit: + # usermod -L + The following command will set all system accounts to a non login shell: + awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!="'"$(which nologin)"'" && $7!="/bin/false") {print $1}' /etc/passwd | while read user do usermod -s $(which nologin) $user done + The following command will automatically lock not root system accounts: + awk -F: '($1!="root" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!="L" && $2!="LK") {print $1}' | while read user do usermod -L $user done scored: true + - id: 5.4.2.b + description: "Ensure system accounts are non-login" + audit: "awk -F: '($1!=\"root\" && $1!~/^\\+/ && $3<'\"$(awk '/^\\s*UID_MIN/{print $2}' /etc/login.defs)\"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!=\"L\" && $2!=\"LK\") {print $1}'" + tests: + test_items: + - flag: "" + compare: + op: eq + value: "" + set: true + remediation: | + Run the commands appropriate for your distribution: + Set the shell for any accounts returned by the audit to nologin: + # usermod -s $(which nologin) + Lock 
any non root accounts returned by the audit: + # usermod -L + The following command will set all system accounts to a non login shell: + awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!="'"$(which nologin)"'" && $7!="/bin/false") {print $1}' /etc/passwd | while read user do usermod -s $(which nologin) $user done + The following command will automatically lock not root system accounts: + awk -F: '($1!="root" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!="L" && $2!="LK") {print $1}' | while read user do usermod -L $user done + scored: true - id: 5.4.3 description: "Ensure default group for the root account is GID 0" audit: "grep ^root: /etc/passwd | cut -f4 -d:" 
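Review bot: The shell one-liners in both new remediation blocks are not valid as written: `... | while read user do usermod -s $(which nologin) $user done` has no `;` before `do` or before `done`, so `do`, `usermod`, … are parsed as extra variable names for `read` and the loop never gets a body; it needs `while read user; do usermod -s "$(which nologin)" "$user"; done`, and the `usermod -L` loop needs the same. 5.4.2.b also reuses 5.4.2.a's description verbatim even though it checks lock status via `passwd -S` rather than the login shell; a distinct description such as `"Ensure system accounts are locked"` would keep the two distinguishable in output. The check list continues outside the hunk.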
@@ -8307,45 +8299,49 @@ groups: Remove entries for any consoles that are not in a physically secure location. scored: true -- id: 5.6.a - description: "Ensure access to the su command is restricted" - audit: "grep pam_wheel.so /etc/pam.d/su" - tests: - test_items: - - flag: "auth" - compare: - op: eq - value: "sufficient pam_wheel.so trust use_uid" - set: true - remediation: | - Add the following line to the `/etc/pam.d/su` file: + - id: 5.6.a + description: "Ensure access to the su command is restricted" + audit: "grep pam_wheel.so /etc/pam.d/su" + tests: + bin_op: and + test_items: + - flag: "auth" + set: true + - flag: "required" + set: true + - flag: "pam_wheel.so" + set: true + - flag: "use_uid" + set: true + remediation: | + Add the following line to the `/etc/pam.d/su` file: - auth required pam_wheel.so use_uid + auth required pam_wheel.so use_uid - Create a comma separated list of users in the wheel statement in the `/etc/group` file: + Create a comma separated list of users in the wheel statement in the `/etc/group` file: - wheel:x:10:root, + wheel:x:10:root, - scored: true + scored: true -- id: 5.6.b - description: "Ensure access to the su command is restricted" - audit: "grep wheel /etc/group" - type: manual - tests: - test_items: - - flag: "wheel:x:10:root," - set: true - remediation: | - Add the following line to the `/etc/pam.d/su` file: + - id: 5.6.b + description: "Ensure access to the su command is restricted" + audit: "grep wheel /etc/group" + type: manual + tests: + test_items: + - flag: "wheel:x:10:root," + set: true + remediation: | + Add the following line to the `/etc/pam.d/su` file: - auth required pam_wheel.so use_uid + auth required pam_wheel.so use_uid - Create a comma separated list of users in the wheel statement in the `/etc/group` file: + Create a comma separated list of users in the wheel statement in the `/etc/group` file: - wheel:x:10:root, + wheel:x:10:root, - scored: true + scored: true - id: 6 description: "System Maintenance" 
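Review bot: The rewritten 5.6.a test checks `auth`, `required`, `pam_wheel.so` and `use_uid` as four independent substring matches over `grep pam_wheel.so /etc/pam.d/su`, and that grep also returns commented-out lines, so a disabled `# auth required pam_wheel.so use_uid` line satisfies every item and the check passes without `su` being restricted; nothing ties `required` and `use_uid` to the same line either. Anchoring the audit to an active line keeps the rest of the test as is: `audit: "grep -E '^\\s*auth\\s+required\\s+pam_wheel\\.so' /etc/pam.d/su"`. The old single-flag test expected `sufficient pam_wheel.so trust use_uid`, which is the opposite configuration, so the direction of the change is right.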
@@ -8462,7 +8458,7 @@ groups: Run the following command to set permissions on `/etc/passwd-` : # chown root:root /etc/passwd- - # chmod u-x,go-wx /etc/passwd- + # chmod u-x,go-rwx /etc/passwd- scored: true From 15bd1d2c3aec7acaef4513170ec59a452763f537 Mon Sep 17 00:00:00 2001 From: yoavrotems Date: Sun, 6 Oct 2019 19:33:07 +0300 Subject: [PATCH 3/7] Fixing Fixing some mistakes from review like: https://github.com/aquasecurity/linux-bench/pull/25#discussion_r329935214 --- cfg/2.0.0/definitions.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/cfg/2.0.0/definitions.yaml b/cfg/2.0.0/definitions.yaml index 4d1a529..ba35b04 100644 --- a/cfg/2.0.0/definitions.yaml +++ b/cfg/2.0.0/definitions.yaml @@ -7697,12 +7697,18 @@ groups: description: "Ensure SSH Idle Timeout Interval is configured" audit: "sshd -T | grep clientaliveinterval" tests: + bin_op: and test_items: - flag: "clientaliveinterval" compare: op: lte value: "300" - set: true + set: true + - flag: "clientaliveinterval" + compare: + op: gte + value: "1" + set: true remediation: | Edit the `/etc/ssh/sshd_config` file to set the parameters according to site policy: From 8bb91188a710d55cf650f8c38b1c5c5b368d2769 Mon Sep 17 00:00:00 2001 From: Parikshit Hooda Date: Fri, 11 Oct 2019 01:50:31 +0530 Subject: [PATCH 4/7] Update README.md - refactor documentation Converted identifying requirements to bullet points rather than plain lines, owing to better comprehensibility. Changed \####\ to ** ** - Because it makes sense to bolden the bullet points, rather than declaring them as headers --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 1df65bd..ab1ceb6 100644 --- a/README.md +++ b/README.md 
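Review bot: The remediation for `/etc/passwd-` now reads `chmod u-x,go-rwx /etc/passwd-`, i.e. mode 0600, but the test that decides pass/fail for this check lies outside hunk @@ -8462 and is what has to agree with it. Confirm the check's expected mode matches, otherwise a host that follows the remediation text can still fail the test.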
@@ -15,10 +15,10 @@ Tests are configured with YAML files, making this tool easy to update as test sp linux-bench currently supports tests for benchmark version 1.1.0 only. linux-bench will determine the test set to run on the host machine based on the following: -##### Operating system platform - ubuntu/debian/rhel/coreos -##### Boot loader - grub/grub2 -##### System logging tool - rsyslog/syslog-ng -##### Lsm - selinux/apparmor +- **Operating system platform - ubuntu/debian/rhel/coreos** +- **Boot loader - grub/grub2** +- **System logging tool - rsyslog/syslog-ng** +- **Lsm - selinux/apparmor** ## Installation From 7bddb5404fd7cc02983082ce0dbffcdc5bca3a19 Mon Sep 17 00:00:00 2001 From: alvesgabriel Date: Fri, 11 Oct 2019 19:22:09 -0300 Subject: [PATCH 5/7] fix README.md 'install' word in line 27 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1df65bd..154938b 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,7 @@ linux-bench will determine the test set to run on the host machine based on the ## Installation ### Installing from sources -Intall [Go](https://golang.org/doc/install), then +Install [Go](https://golang.org/doc/install), then clone this repository and run as follows (assuming your [$GOPATH is set](https://github.com/golang/go/wiki/GOPATH)): ```shell From 553b2881bfdc84e9bac069fb8f1b91f33e5a4754 Mon Sep 17 00:00:00 2001 From: yoavrotems Date: Tue, 15 Oct 2019 14:55:21 +0300 Subject: [PATCH 6/7] Update definitions.yaml delete duplicate line --- cfg/2.0.0/definitions.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/cfg/2.0.0/definitions.yaml b/cfg/2.0.0/definitions.yaml index ba35b04..b2016cb 100644 --- a/cfg/2.0.0/definitions.yaml +++ b/cfg/2.0.0/definitions.yaml @@ -1446,7 +1446,6 @@ groups: op: eq value: "0" set: false - test_items: - flag: "enforcing" compare: op: eq From 2e252863c8cd9dcb4a0dd25bea6e5b66458721a1 Mon Sep 17 00:00:00 2001 
From: yoavrotems Date: Thu, 17 Oct 2019 00:39:35 +0300 Subject: [PATCH 7/7] Update definitions.yaml --- cfg/2.0.0/definitions.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/cfg/2.0.0/definitions.yaml b/cfg/2.0.0/definitions.yaml index b2016cb..22af783 100644 --- a/cfg/2.0.0/definitions.yaml +++ b/cfg/2.0.0/definitions.yaml @@ -7338,8 +7338,8 @@ groups: audit: "stat /etc/cron.deny" tests: test_items: - - flag: "File: /etc/cron.deny" - set: false + - flag: "stat: cannot stat '/etc/cron.deny': No such file or directory" + set: true remediation: | Run the following commands to remove `/etc/cron.deny` and `/etc/at.deny` and create and set permissions and ownership for `/etc/cron.allow` and `/etc/at.allow` : @@ -7359,8 +7359,8 @@ groups: audit: "stat /etc/at.deny" tests: test_items: - - flag: "File: /etc/at.deny" - set: false + - flag: "stat: cannot stat '/etc/at.deny': No such file or directory" + set: true remediation: | Run the following commands to remove `/etc/cron.deny` and `/etc/at.deny` and create and set permissions and ownership for `/etc/cron.allow` and `/etc/at.allow` :
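Review bot: The restored cron.deny test matches the literal `stat: cannot stat '/etc/cron.deny': No such file or directory`, which is GNU stat's English-locale stderr message, so on a runner with a non-English `LC_ALL`/`LANG` the string never appears and a correctly removed file reports as a failure; if the tool does not capture stderr the flag is never seen at all. Pinning the locale and merging stderr keeps the exact-string test workable: `audit: "LC_ALL=C stat /etc/cron.deny 2>&1"`, and likewise for `/etc/at.deny` in hunk @@ -7359. Whether stderr is already captured is not visible in this file.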