From 8f0f5ff0ca7cc25beaf36c5dc32a20226eee17db Mon Sep 17 00:00:00 2001 From: yoavrotems Date: Tue, 7 May 2019 13:59:57 +0300 Subject: [PATCH 1/6] Update definitions.yaml fixed: 1.1.2, 1.5.1.a, 5.3.4 --- cfg/1.1.0/definitions.yaml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/cfg/1.1.0/definitions.yaml b/cfg/1.1.0/definitions.yaml index cdc1369..e1cb61d 100644 --- a/cfg/1.1.0/definitions.yaml +++ b/cfg/1.1.0/definitions.yaml @@ -262,7 +262,7 @@ groups: audit: "mount | grep /tmp" tests: test_items: - - flag: "tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)" + - flag: "tmpfs on /tmp type tmpfs" set: true remediation: | For new installations, during installation create a custom partition setup and specify a separate partition for `/tmp` . @@ -987,11 +987,15 @@ groups: checks: - id: 1.5.1.a description: "Ensure core dumps are restricted" - audit: "grep -h ^* /etc/security/limits.conf /etc/security/limits.d/*" + audit: "grep -h ^[^#].*hard[[:blank:]]*core /etc/security/limits.conf /etc/security/limits.d/*" tests: - test_items: - - flag: "hard core 0" - set: true + tests: + bin_op: and + test_items: + - flag: "hard" + set: true + - flag: "core" + set: true remediation: | Add the following line to `/etc/security/limits.conf` or a `/etc/security/limits.d/*` file: 
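Review bot: The rewritten 1.5.1.a test no longer verifies the limit value: with `bin_op: and` over the flags `hard` and `core`, a line such as `* hard core unlimited` satisfies the check even though the benchmark requires `hard core 0`, so a host with unrestricted core dumps now passes. Keep the value in the match, either as a third item `- flag: "0"` / `set: true` under the same `bin_op: and`, or in the audit pattern itself, `hard[[:blank:]]*core[[:blank:]]*0`. The added `tests:` line also sits directly under the unchanged `tests:` context line, which leaves the check with a nested or duplicate `tests` key; patch 5/6 re-applies this hunk without that duplicate but with the same missing-value weakness. The grep pattern is unquoted, so `^[^#].*hard[[:blank:]]*core` is exposed to shell globbing before grep sees it; `grep -h '^[^#].*hard[[:blank:]]*core' ...` avoids that.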
@@ -7180,10 +7184,10 @@ groups: - id: 5.3.4 description: "Ensure password hashing algorithm is SHA-512" - audit: "grep password /etc/pam.d/common-password /etc/pam.d/system-auth /etc/pam.d/password-auth" + audit: "grep -E ^[^#].*sha512 /etc/pam.d/common-password /etc/pam.d/system-auth /etc/pam.d/password-auth" tests: test_items: - - flag: "password sufficient pam_unix.so sha512" + - flag: "sha512" set: true remediation: | Set password hashing algorithm to sha512. Many distributions provide tools for updating PAM configuration, consult your documentation for details. If no tooling is provided edit the appropriate `/etc/pam.d/` configuration file and add or modify the `pam_unix.so` lines to include the sha512 option: From 43081d61f24a6e54f28297696542775bc49180d8 Mon Sep 17 00:00:00 2001 From: yoavrotems Date: Tue, 21 May 2019 19:19:49 +0300 Subject: [PATCH 2/6] gets also ubuntu version There are differences between Ubuntu 16 and Ubuntu 18 features so the system needs to know the specific version --- utils.go | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/utils.go b/utils.go index 5a53cc1..a8715f9 100644 --- a/utils.go +++ b/utils.go @@ -104,11 +104,16 @@ func GetLSM() (lsm string, err error) { func getPlatformVersion(output, platform string) string { flagRe := regexp.MustCompile("version_id" + `=([^ \n]*)`) vals := flagRe.FindStringSubmatch(output) - + if vals == nil { + flagRe := regexp.MustCompile("version" + `=([^ \n]*)`) + vals = flagRe.FindStringSubmatch(output) + } if len(vals) > 1 { switch platform { case "rhel": return vals[1][:1] // Get the major version only, examaple: 7.6 will return 7 + case "ubuntu": + return vals[1][:2] // Get the major version only, examaple: 18.04 will return 18 default: return "" } From 90e23dc3a27b26d8b6ea784361aeefa2b34598d3 Mon Sep 17 00:00:00 2001 
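Review bot: The 5.3.4 check now passes whenever any non-comment line in the three PAM files contains `sha512`, which is weaker than the removed flag: it no longer ties the option to the `pam_unix.so` password line, so a `sha512` token on another module's line (or in a file that this platform's PAM stack does not consult) satisfies it. Narrowing the audit keeps the original intent, e.g. `audit: "grep -E '^[^#]*password.*pam_unix[.]so.*sha512' /etc/pam.d/common-password /etc/pam.d/system-auth /etc/pam.d/password-auth"`; note the pattern is currently unquoted, so `^[^#].*sha512` may be glob-expanded by the shell. The identical hunk is repeated in patch 5/6 and needs the same fix.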
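Review bot: `return vals[1][:2]` in the new `ubuntu` case slices the captured string by byte position and panics with an index-out-of-range when the capture is shorter than two bytes; the `([^ \n]*)` group can legitimately be empty (a bare `version_id=` line), and the existing rhel `[:1]` shares the exposure. Cutting at the first dot, `strings.SplitN(vals[1], ".", 2)[0]`, or capturing digits explicitly (`version_id="?(\d+)`, depending on whether the quotes survive in `output`) would be safe for both platforms and would not assume Ubuntu majors are exactly two digits. The fallback to a `version=` pattern is presumably for outputs without a VERSION_ID line; a comment saying so would help, since the `VERSION=` value on Ubuntu carries extra text after the number. getPlatformVersion continues outside the hunk.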
From: nshauli
Date: Thu, 23 May 2019 17:34:21 +0300
Subject: [PATCH 3/6] Add support for writing JSON results to output file using --output flag
---
 app.go | 2 +-
 root.go | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/app.go b/app.go
index 2cb16a5..b168e99 100644
--- a/app.go
+++ b/app.go
@@ -51,7 +51,7 @@ func outputResults(controls *check.Controls, summary check.Summary) error {
 if err != nil {
 return err
 }
- fmt.Println(string(out))
+ util.PrintOutput(string(out), outputFile)
 } else {
 util.PrettyPrint(controls, summary, noRemediations, includeTestOutput)
 }
diff --git a/root.go b/root.go
index 212ba7a..862db75 100644
--- a/root.go
+++ b/root.go
@@ -35,6 +35,7 @@ var (
 checkList string
 jsonFmt bool
 includeTestOutput bool
+ outputFile string
 )
 
 // RootCmd represents the base command when called without any subcommands
@@ -74,6 +75,7 @@ func init() {
 RootCmd.Flags().StringVarP(&cfgDir, "config-dir", "D", "cfg", "directory to get benchmark definitions")
 RootCmd.PersistentFlags().BoolVar(&jsonFmt, "json", false, "Prints the results as JSON")
 RootCmd.PersistentFlags().BoolVar(&includeTestOutput, "include-test-output", false, "Prints the test's output")
+ RootCmd.PersistentFlags().StringVar(&outputFile, "outputfile", "", "Writes the JSON results to output file")
 RootCmd.PersistentFlags().StringVarP(
 &checkList,
 "check",
From 23dc330bc17c818966f3099e8f564a3ec1dbb912 Mon Sep 17 00:00:00 2001
From: yoavrotems
Date: Sun, 26 May 2019 15:07:06 +0300
Subject: [PATCH 4/6] Add limit to specific tests output - in order to be more efficient 6.1.10 6.1.11 6.1.12 6.1.13 6.1.14 and test 1.1.25 been changed in the script 1.1.25.sh
---
 cfg/1.1.0/definitions.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/cfg/1.1.0/definitions.yaml b/cfg/1.1.0/definitions.yaml
index fcc7389..daf06e5 100644
--- a/cfg/1.1.0/definitions.yaml
+++ b/cfg/1.1.0/definitions.yaml
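Review bot: `util.PrintOutput(string(out), outputFile)` replaces `fmt.Println` inside a function that already returns `error`, yet nothing from the call is checked, so a JSON run against an unwritable or mistyped `outputFile` path would report success with no file written. If PrintOutput returns an error (its signature is not in this hunk), propagate it: `if err := util.PrintOutput(string(out), outputFile); err != nil { return err }`; if it does not, the write failure is lost inside util and should be surfaced there. outputResults starts and ends outside the hunk.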
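Review bot: The flag is registered as `outputfile` while the commit subject calls it `--output`, and its help text does not say that it only takes effect together with `--json` (app.go in this patch writes the file on the JSON branch only), so a user passing it alone gets pretty-printed output and no file. Align the three: `RootCmd.PersistentFlags().StringVar(&outputFile, "output", "", "Write the JSON results to this file (only with --json)")`, or keep the name and fix the subject and help text. init continues outside the hunk.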
@@ -7820,7 +7820,7 @@ groups: - id: 6.1.10.a description: "Ensure no world writable files exist" - audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002" + audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 | head -n 100" tests: test_items: - flag: "" @@ -7842,7 +7842,7 @@ groups: - id: 6.1.11.a description: "Ensure no unowned files or directories exist" - audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser" + audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser | head -n 100" tests: test_items: - flag: "" @@ -7864,7 +7864,7 @@ groups: - id: 6.1.12.a description: "Ensure no ungrouped files or directories exist" - audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup" + audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup | head -n 100" tests: test_items: - flag: "" @@ -7886,7 +7886,7 @@ groups: - id: 6.1.13.a description: "Audit SUID executables" - audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000" + audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 | head -n 100" type: manual tests: test_items: @@ -7909,7 +7909,7 @@ groups: - id: 6.1.14.a description: "Audit SGID executables" - audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000" + audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 | head -n 100" type: manual tests: test_items: From 7e664be835155db634218ebc8b2564f919d4984a Mon Sep 17 00:00:00 2001 
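Review bot: Appending `| head -n 100` bounds the output silently: when more than 100 entries exist the audit output gives no indication that it was truncated, which matters most for the manual checks 6.1.13.a and 6.1.14.a, where the SUID/SGID listing is exactly what the operator reviews. When `head` exits early the still-running `find` processes get SIGPIPE and `xargs` may print `find: terminated by signal 13` on stderr; harmless for the `flag: ""` tests, but noisy. Consider adding one sentence to each affected remediation stating that the listing is capped at 100 entries, and `2>/dev/null` on the pipeline if the stderr noise is unwanted. The same pattern is added in the four following hunks (6.1.11.a, 6.1.12.a, 6.1.13.a, 6.1.14.a).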
From: yoavrotems Date: Tue, 28 May 2019 01:20:47 +0300 Subject: [PATCH 5/6] Update the file Update the file - fix tests such as 3.2.1.c ,1.1.2 and 1.5.1.a, and separate ubunut 16 from 18. Because of the separation of ubuntu to ubuntu16 and ubuntu18, PR https://github.com/aquasecurity/linux-bench/pull/13 *must* be approved first or the system won't auto detect platform ubuntu16 or ubuntu18 as needed --- cfg/1.1.0/definitions.yaml | 526 ++++++++++++++++++++++++++++++++----- 1 file changed, 467 insertions(+), 59 deletions(-) diff --git a/cfg/1.1.0/definitions.yaml b/cfg/1.1.0/definitions.yaml index daf06e5..9113d91 100644 --- a/cfg/1.1.0/definitions.yaml +++ b/cfg/1.1.0/definitions.yaml @@ -262,7 +262,7 @@ groups: audit: "mount | grep /tmp" tests: test_items: - - flag: "tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)" + - flag: "tmpfs on /tmp type tmpfs " set: true remediation: | For new installations, during installation create a custom partition setup and specify a separate partition for `/tmp` . @@ -606,7 +606,8 @@ groups: constraints: platform: - rhel7 - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "disabled" @@ -662,7 +663,8 @@ groups: audit: "apt-cache policy" constraints: platform: - - ubuntu + - ubuntu16 + - ubuntu18 type: manual remediation: | Configure your package manager repositories according to site policy. @@ -690,7 +692,8 @@ groups: audit: "apt-key list" constraints: platform: - - ubuntu + - ubuntu16 + - ubuntu18 type: manual remediation: | Update your package manager GPG keys in accordance with site policy. @@ -737,7 +740,7 @@ groups: audit: "dpkg -s aide" constraints: platform: - - ubuntu + - ubuntu16 tests: test_items: - flag: "install ok installed" 
@@ -751,6 +754,30 @@ groups: # apt-get install aide + # zypper install aide + + Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. + Initialize AIDE: + + # aide --init + - check: + audit: "apt-cache show aide" + constraints: + platform: + - ubuntu18 + tests: + test_items: + - flag: "Installed-Size:" + set: true + remediation: | + Install AIDE using the appropriate package manager or manual installation: + + # yum install aide + + + # apt-get install aide + + # zypper install aide Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. @@ -987,11 +1014,14 @@ groups: checks: - id: 1.5.1.a description: "Ensure core dumps are restricted" - audit: "grep -h ^* /etc/security/limits.conf /etc/security/limits.d/*" + audit: "grep -h ^[^#].*hard[[:blank:]]*core /etc/security/limits.conf /etc/security/limits.d/*" tests: - test_items: - - flag: "hard core 0" - set: true + bin_op: and + test_items: + - flag: "hard" + set: true + - flag: "core" + set: true remediation: | Add the following line to `/etc/security/limits.conf` or a `/etc/security/limits.d/*` file: @@ -1136,7 +1166,7 @@ groups: audit: "dpkg -s prelink" constraints: platform: - - ubuntu + - ubuntu16 tests: test_items: - flag: "install ok installed" @@ -1155,6 +1185,29 @@ groups: zypper remove prelink + - check: + audit: "apt-cache show prelink" + constraints: + platform: + - ubuntu18 + tests: + test_items: + - flag: "Installed-Size:" + set: false + remediation: | + Run the following command to restore binaries to normal: + + # prelink -ua + + Uninstall `prelink` using the appropriate package manager or manual installation: + + yum remove prelink + + + apt-get remove prelink + + + zypper remove prelink scored: true - id: 1.6 description: "Mandatory Access Control" @@ -1342,7 +1395,7 @@ groups: audit: "dpkg -s setroubleshoot" constraints: platform: - - ubuntu + - ubuntu16 lsm: - selinux tests: 
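Review bot: The new ubuntu18 checks audit with `apt-cache show <pkg>` and test for `Installed-Size:`, but `apt-cache show` prints the package record from the apt lists cache whether or not the package is installed, and `Installed-Size:` is a field of every such record. Consequently the `set: true` checks (aide here, and libselinux1, apparmor, ntp, chrony, tcpd, iptables, rsyslog, syslog-ng in later hunks) pass on any host whose package index knows the package, while the `set: false` checks (prelink, setroubleshoot, mcstrans, xserver-xorg, ypbind, rsh, talk, telnet, openldap-clients) fail on those same hosts even when nothing is installed. Installed state is what the ubuntu16 variants already query, and `audit: "dpkg -s aide"` with `flag: "install ok installed"` works the same on 18.04, as does `dpkg-query -W -f='${Status}' aide`. If `dpkg -s` was unsuitable on 18.04 for some reason, the commit message should say what it was.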
@@ -1358,6 +1411,27 @@ groups: # apt-get remove setroubleshoot + # zypper remove setroubleshoot + - check: + audit: "apt-cache show setroubleshoot" + constraints: + platform: + - ubuntu18 + lsm: + - selinux + tests: + test_items: + - flag: "Installed-Size:" + set: false + remediation: | + Uninstall s `etroubleshoot` using the appropriate package manager or manual installation: + + # yum remove setroubleshoot + + + # apt-get remove setroubleshoot + + # zypper remove setroubleshoot scored: true - id: 1.6.1.5 @@ -1386,7 +1460,7 @@ groups: audit: "dpkg -s mcstrans" constraints: platform: - - ubuntu + - ubuntu16 tests: test_items: - flag: "install ok installed" @@ -1401,6 +1475,25 @@ groups: zypper remove mcstrans + - check: + audit: "apt-cache show mcstrans" + constraints: + platform: + - ubuntu18 + tests: + test_items: + - flag: "Installed-Size:" + set: false + remediation: | + Uninstall `mcstrans` using the appropriate package manager or manual installation: + + yum remove mcstrans + + + apt-get remove mcstrans + + + zypper remove mcstrans scored: true - id: 1.6.1.6 description: "Ensure no unconfined daemons exist" @@ -1503,7 +1596,7 @@ groups: # zypper install libselinux The previous commands install SELinux, use the appropriate package if AppArmor is desired. - check: - audit: "rpm -qapparmor" + audit: "rpm -q apparmor" constraints: platform: - rhel7 @@ -1523,7 +1616,7 @@ groups: audit: "dpkg -s libselinux1" constraints: platform: - - ubuntu + - ubuntu16 lsm: - selinux tests: @@ -1540,7 +1633,7 @@ groups: audit: "dpkg -s apparmor" constraints: platform: - - ubuntu + - ubuntu16 lsm: - apparmor tests: 
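Review bot: The added remediation text for the ubuntu18 setroubleshoot check has the opening backtick one character too far right: "Uninstall s `etroubleshoot` using the appropriate package manager or manual installation:" should read "Uninstall `setroubleshoot` using the appropriate package manager or manual installation:", matching the neighbouring entries.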
@@ -1553,6 +1646,41 @@ groups: # apt-get install libselinux1 # zypper install libselinux The previous commands install SELinux, use the appropriate package if AppArmor is desired. + - check: + audit: "apt-cache show libselinux1" + constraints: + platform: + - ubuntu18 + lsm: + - selinux + tests: + test_items: + - flag: "Installed-Size:" + set: true + remediation: | + Install SELinux or apparmor using the appropriate package manager or manual installation: + # yum install libselinux + # apt-get install libselinux1 + # zypper install libselinux + The previous commands install SELinux, use the appropriate package if AppArmor is desired. + - check: + audit: "apt-cache show apparmor" + constraints: + platform: + - ubuntu18 + lsm: + - apparmor + tests: + test_items: + - flag: "Installed-Size:" + set: true + remediation: | + Install SELinux or apparmor using the appropriate package manager or manual installation: + # yum install libselinux + # apt-get install libselinux1 + # zypper install libselinux + The previous commands install SELinux, use the appropriate package if AppArmor is desired. + scored: false - id: 1.7 description: "Warning Banners" @@ -1863,7 +1991,8 @@ groups: type: manual constraints: platform: - - ubuntu + - ubuntu16 + - ubuntu18 remediation: | Use your package manager to update all packages on the system according to site policy. - check: @@ -2178,7 +2307,8 @@ groups: constraints: platform: - rhel7 - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "enabled" @@ -2243,7 +2373,7 @@ groups: audit: "dpkg -l xserver-xorg*" constraints: platform: - - ubuntu + - ubuntu16 tests: test_items: - flag: "ii" 
@@ -2257,6 +2387,25 @@ groups: apt-get remove xserver-xorg* + zypper remove xorg-x11* + - check: + audit: "apt-cache show xserver-xorg*" + constraints: + platform: + - ubuntu18 + tests: + test_items: + - flag: "Installed-Size:" + set: false + remediation: | + Remove the X Windows System packages using the appropriate package manager or manual installation: + + yum remove xorg-x11* + + + apt-get remove xserver-xorg* + + zypper remove xorg-x11* scored: true - id: 2.2.3 @@ -2286,7 +2435,8 @@ groups: constraints: platform: - rhel7 - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "enabled" @@ -2349,7 +2499,8 @@ groups: constraints: platform: - rhel7 - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "enabled" @@ -2412,7 +2563,8 @@ groups: constraints: platform: - rhel7 - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "enabled" @@ -2475,7 +2627,8 @@ groups: constraints: platform: - rhel7 - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "enabled" @@ -2539,7 +2692,8 @@ groups: constraints: platform: - rhel7 - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "enabled" @@ -2603,7 +2757,8 @@ groups: constraints: platform: - rhel7 - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "enabled" @@ -2667,7 +2822,8 @@ groups: constraints: platform: - rhel7 - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "enabled" @@ -2730,7 +2886,8 @@ groups: constraints: platform: - rhel7 - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "enabled" @@ -2793,7 +2950,8 @@ groups: constraints: platform: - rhel7 - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "enabled" @@ -2856,7 +3014,8 @@ groups: constraints: platform: - rhel7 - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "enabled" @@ -2919,7 +3078,8 @@ groups: constraints: platform: - rhel7 - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "enabled" 
@@ -2982,7 +3142,8 @@ groups: constraints: platform: - rhel7 - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "enabled" @@ -3045,7 +3206,8 @@ groups: constraints: platform: - rhel7 - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "enabled" @@ -3136,7 +3298,8 @@ groups: constraints: platform: - rhel7 - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "enabled" @@ -3199,7 +3362,8 @@ groups: constraints: platform: - rhel7 - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "enabled" @@ -3268,7 +3432,7 @@ groups: audit: "dpkg -s ntp" constraints: platform: - - ubuntu + - ubuntu16 tests: test_items: - flag: "install ok installed" @@ -3282,6 +3446,28 @@ groups: # apt-get install ntp + # zypper install ntp + + The previous commands install NTP, use the appropriate package if chrony is desired. + On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization. + - check: + audit: "apt-cache show ntp" + constraints: + platform: + - ubuntu18 + tests: + test_items: + - flag: "Installed-Size:" + set: true + remediation: | + On physical systems or virtual systems where host based time synchronization is not available install NTP or chrony using the appropriate package manager or manual installation: + + # yum install ntp + + + # apt-get install ntp + + # zypper install ntp The previous commands install NTP, use the appropriate package if chrony is desired. @@ -3318,7 +3504,7 @@ groups: audit: "dpkg -s chrony" constraints: platform: - - ubuntu + - ubuntu16 tests: test_items: - flag: "install ok installed" 
@@ -3336,6 +3522,29 @@ groups: The previous commands install NTP, use the appropriate package if chrony is desired. On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization. + - check: + audit: "apt-cache show chrony" + constraints: + platform: + - ubuntu18 + tests: + test_items: + - flag: "Installed-Size:" + set: true + remediation: | + On physical systems or virtual systems where host based time synchronization is not available install NTP or chrony using the appropriate package manager or manual installation: + + # yum install ntp + + + # apt-get install ntp + + + # zypper install ntp + + The previous commands install NTP, use the appropriate package if chrony is desired. + On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization. + scored: false - id: 2.2.1.2.a description: "Ensure ntp is configured" @@ -3443,7 +3652,8 @@ groups: audit: "grep ^OPTIONS /etc/default/ntp" constraints: platform: - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "OPTIONS=\"-u ntp:ntp\"" @@ -3510,7 +3720,8 @@ groups: audit: "grep ^NTPD_OPTIONS /etc/default/ntp" constraints: platform: - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "NTPD_OPTIONS=\"-u ntp:ntp\"" @@ -3636,7 +3847,7 @@ groups: audit: "dpkg -s ypbind" constraints: platform: - - ubuntu + - ubuntu16 tests: test_items: - flag: "install ok installed" 
@@ -3652,7 +3863,26 @@ groups: zypper remove ypbind set: true - + - check: + audit: "apt-cache show ypbind" + constraints: + platform: + - ubuntu18 + tests: + test_items: + - flag: "Installed-Size:" + set: false + remediation: | + Uninstall `ypbind` using the appropriate package manager or manual installation: + + yum remove ypbind + + + apt-get remove ypbind + + + zypper remove ypbind + set: true scored: true - id: 2.3.2 description: "Ensure rsh client is not installed" @@ -3681,7 +3911,7 @@ groups: audit: "dpkg -s rsh-client rsh-redone-client" constraints: platform: - - ubuntu + - ubuntu16 tests: test_items: - flag: "install ok installed" @@ -3697,6 +3927,26 @@ groups: zypper remove rsh set: true + - check: + audit: "apt-cache show rsh-client rsh-redone-client" + constraints: + platform: + - ubuntu18 + tests: + test_items: + - flag: "Installed-Size:" + set: false + remediation: | + Uninstall `rsh` using the appropriate package manager or manual installation: + + yum remove rsh + + + apt-get remove rsh + + + zypper remove rsh + set: true scored: true - id: 2.3.3 description: "Ensure talk client is not installed" @@ -3725,7 +3975,7 @@ groups: audit: "dpkg -s talk" constraints: platform: - - ubuntu + - ubuntu16 tests: test_items: - flag: "install ok installed" @@ -3739,6 +3989,25 @@ groups: apt-get remove talk + zypper remove talk + - check: + audit: "apt-cache show talk" + constraints: + platform: + - ubuntu18 + tests: + test_items: + - flag: "Installed-Size:" + set: false + remediation: | + Uninstall `talk` using the appropriate package manager or manual installation: + + yum remove talk + + + apt-get remove talk + + zypper remove talk scored: true - id: 2.3.4 @@ -3768,7 +4037,7 @@ groups: audit: "dpkg -s telnet" constraints: platform: - - ubuntu + - ubuntu16 tests: test_items: - flag: "install ok installed" 
@@ -3782,6 +4051,25 @@ groups: # apt-get remove telnet + # zypper remove telnet + - check: + audit: "apt-cache show telnet" + constraints: + platform: + - ubuntu18 + tests: + test_items: + - flag: "Installed-Size:" + set: false + remediation: | + Uninstall `telnet` using the appropriate package manager or manual installation: + + # yum remove telnet + + + # apt-get remove telnet + + # zypper remove telnet scored: true - id: 2.3.5 @@ -3810,7 +4098,7 @@ groups: audit: "dpkg -s openldap-clients" constraints: platform: - - ubuntu + - ubuntu16 tests: test_items: - flag: "install ok installed" @@ -3824,6 +4112,25 @@ groups: # apt-get remove openldap-clients + # zypper remove openldap-clients + - check: + audit: "apt-cache show openldap-clients" + constraints: + platform: + - ubuntu18 + tests: + test_items: + - flag: "Installed-Size:" + set: false + remediation: | + Uninstall `openldap-clients` using the appropriate package manager or manual installation: + + # yum remove openldap-clients + + + # apt-get remove openldap-clients + + # zypper remove openldap-clients scored: true - id: 3 @@ -4736,7 +5043,7 @@ groups: audit: "dpkg -s tcpd" constraints: platform: - - ubuntu + - ubuntu16 tests: test_items: - flag: "install ok installed" @@ -4750,6 +5057,25 @@ groups: apt-get install tcpd + zypper install tcpd + - check: + audit: "apt-cache show tcpd" + constraints: + platform: + - ubuntu18 + tests: + test_items: + - flag: "Installed-Size:" + set: true + remediation: | + Install TCP Wrappers using the appropriate package manager or manual installation: + + yum install tcp_wrappers + + + apt-get install tcpd + + zypper install tcpd scored: true - id: 3.4.2 @@ -4980,7 +5306,7 @@ groups: audit: "dpkg -s iptables" constraints: platform: - - ubuntu + - ubuntu16 tests: test_items: 
@@ -4995,6 +5321,26 @@ groups: # apt-get install iptables + # zypper install iptables + - check: + audit: "apt-cache show iptables" + constraints: + platform: + - ubuntu18 + + tests: + test_items: + - flag: "Installed-Size:" + set: true + remediation: | + Install `iptables` using the appropriate package manager or manual installation: + + # yum install iptables + + + # apt-get install iptables + + # zypper install iptables scored: true - id: 3.6.2 @@ -5177,7 +5523,8 @@ groups: constraints: platform: - rhel7 - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "enabled" @@ -5404,7 +5751,8 @@ groups: audit: "grep system-locale /etc/audit/audit.rules" constraints: platform: - - ubuntu + - ubuntu16 + - ubuntu18 tests: bin_op: and test_items: @@ -5466,7 +5814,8 @@ groups: audit: "grep system-locale /etc/audit/audit.rules" constraints: platform: - - ubuntu + - ubuntu16 + - ubuntu18 tests: bin_op: and test_items: @@ -6149,7 +6498,7 @@ groups: audit: "dpkg -s rsyslog" constraints: platform: - - ubuntu + - ubuntu16 syslog: - rsyslog tests: @@ -6172,7 +6521,7 @@ groups: audit: "dpkg -s syslog-ng" constraints: platform: - - ubuntu + - ubuntu16 syslog: - syslog-ng tests: 
@@ -6188,6 +6537,52 @@ groups: # apt-get install rsyslog + # zypper install rsyslog + + The previous commands install `rsyslog` , use the appropriate package if `syslog-ng` is desired. + - check: + audit: "apt-cache show rsyslog" + constraints: + platform: + - ubuntu18 + syslog: + - rsyslog + tests: + test_items: + - flag: "Installed-Size:" + set: true + remediation: | + Install rsyslog or `syslog-ng` using the appropriate package manager or manual installation: + + # yum install rsyslog + + + # apt-get install rsyslog + + + # zypper install rsyslog + + The previous commands install `rsyslog` , use the appropriate package if `syslog-ng` is desired. + - check: + audit: "apt-cache show syslog-ng" + constraints: + platform: + - ubuntu18 + syslog: + - syslog-ng + tests: + test_items: + - flag: "Installed-Size:" + set: true + remediation: | + Install rsyslog or `syslog-ng` using the appropriate package manager or manual installation: + + # yum install rsyslog + + + # apt-get install rsyslog + + # zypper install rsyslog The previous commands install `rsyslog` , use the appropriate package if `syslog-ng` is desired. @@ -6231,7 +6626,8 @@ groups: constraints: platform: - rhel7 - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "enabled" @@ -6421,7 +6817,8 @@ groups: constraints: platform: - rhel7 - - ubuntu + - ubuntu16 + - ubuntu18 syslog: - syslog-ng tests: @@ -6616,7 +7013,8 @@ groups: audit: "systemctl is-enabled cron" constraints: platform: - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "enabled" 
@@ -7180,10 +7578,10 @@ groups: - id: 5.3.4 description: "Ensure password hashing algorithm is SHA-512" - audit: "grep password /etc/pam.d/common-password /etc/pam.d/system-auth /etc/pam.d/password-auth" + audit: "grep -E ^[^#].*sha512 /etc/pam.d/common-password /etc/pam.d/system-auth /etc/pam.d/password-auth" tests: test_items: - - flag: "password sufficient pam_unix.so sha512" + - flag: "sha512" set: true remediation: | Set password hashing algorithm to sha512. Many distributions provide tools for updating PAM configuration, consult your documentation for details. If no tooling is provided edit the appropriate `/etc/pam.d/` configuration file and add or modify the `pam_unix.so` lines to include the sha512 option: @@ -7522,7 +7920,8 @@ groups: audit: "grep umask /etc/bash.bashrc" constraints: platform: - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "umask 027" @@ -7569,7 +7968,8 @@ groups: audit: "grep ^TMOUT /etc/bash.bashrc" constraints: platform: - - ubuntu + - ubuntu16 + - ubuntu18 tests: test_items: - flag: "TMOUT" @@ -7671,7 +8071,15 @@ groups: type: "manual" constraints: platform: - - ubuntu + - ubuntu16 + remediation: | + Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted. + - check: + audit: "apt-get source > " + type: "manual" + constraints: + platform: + - ubuntu18 remediation: | Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted. scored: false @@ -8234,4 +8642,4 @@ groups: remediation: | Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group. scored: true - + From c5293e858c292d4d4457b7e97c0a4e596432f258 Mon Sep 17 00:00:00 2001 
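Review bot: The ubuntu18 check added in the `@@ -7671` hunk has `audit: "apt-get source > "`, a redirection with no target; the shell rejects it with a syntax error before anything runs, so this manual check produces no usable output. The command appears to have been cut off — the ubuntu16 variant's audit, which is outside this hunk, is presumably the reference to restore, and if a file target was intended it needs a path. Please also confirm that `apt-get source` (which downloads source packages) is really what this check means to run rather than a listing command.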
From: yoavrotems
Date: Thu, 30 May 2019 00:04:10 +0300
Subject: [PATCH 6/6] change the regex to catch version
Taking Liz comment's https://github.com/aquasecurity/linux-bench/pull/13/files#r287555525 changes so will work on ubuntu and rhel within one line
---
 utils.go | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/utils.go b/utils.go
index a8715f9..a7d3f67 100644
--- a/utils.go
+++ b/utils.go
@@ -102,12 +102,8 @@ func GetLSM() (lsm string, err error) {
 }
 
 func getPlatformVersion(output, platform string) string {
- flagRe := regexp.MustCompile("version_id" + `=([^ \n]*)`)
+ flagRe := regexp.MustCompile(`version[_id]*=([^ \n]*)`)
 vals := flagRe.FindStringSubmatch(output)
- if vals == nil {
- flagRe := regexp.MustCompile("version" + `=([^ \n]*)`)
- vals = flagRe.FindStringSubmatch(output)
- }
 if len(vals) > 1 {
 switch platform {
 case "rhel":
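Review bot: `version[_id]*=` is a character class, not an optional `_id` suffix: it matches `version=` and `version_id=` as intended, but also `versiondi=` or `versioniii=`, and because FindStringSubmatch returns the leftmost match and `VERSION=` precedes `VERSION_ID=` in /etc/os-release, the capture will normally come from the `VERSION` line (e.g. `7.6 (Maipo)`, `18.04.2 LTS ...`) rather than from `VERSION_ID` as the removed code preferred. It works only because the leading bytes of both values coincide for the two platforms. Write the intent explicitly: `regexp.MustCompile(`version(?:_id)?=([^ \n]*)`)` keeps the capture in group 1 and documents that either key is acceptable (with a comment that `VERSION` wins when both are present), or, if every supported platform ships a VERSION_ID line, keep `version_id=` alone and drop the fallback deliberately. The `vals[1][:1]` / `[:2]` slicing later in the function still panics on a capture shorter than the slice; getPlatformVersion continues outside the hunk.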