Merge branch 'master' into patch-8

This commit is contained in:
Liz Rice 2019-06-03 10:39:17 +02:00 committed by GitHub
commit 5f13a6a225
4 changed files with 478 additions and 67 deletions

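--- a/app.go
+++ b/app.go
@@ -51,7 +51,7 @@ func outputResults(controls *check.Controls, summary check.Summary) error {
 if err != nil {
 return err
 }
-fmt.Println(string(out))
+util.PrintOutput(string(out), outputFile)
 } else {
 util.PrettyPrint(controls, summary, noRemediations, includeTestOutput)
 }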
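Review bot: `outputFile` is consulted only on the JSON branch at the new `util.PrintOutput(string(out), outputFile)` line; the `else` branch still calls `util.PrettyPrint` with no file argument, so `--outputfile` given without `--json` is silently ignored and no file is produced. The flag's help text in the cmd hunk (`"Writes the JSON results to output file"`) hints at this, but a runtime check is friendlier: before this `if`, `if outputFile != "" && !jsonFmt { return fmt.Errorf("--outputfile requires --json") }` (the function already returns error, and `fmt` was in scope for the removed `fmt.Println`). `util.PrintOutput` is not in the diff, so I cannot see how it opens the file; since the report describes the host's hardening state, confirm it creates the file with a restrictive mode rather than relying on the process umask. `outputResults` starts before the hunk, so the `jsonFmt` condition that selects this branch is not visible here.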


@ -262,7 +262,7 @@ groups:
audit: "mount | grep /tmp" audit: "mount | grep /tmp"
tests: tests:
test_items: test_items:
- flag: "tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)" - flag: "tmpfs on /tmp type tmpfs"
set: true set: true
remediation: | remediation: |
For new installations, during installation create a custom partition setup and specify a separate partition for `/tmp` . For new installations, during installation create a custom partition setup and specify a separate partition for `/tmp` .
@ -606,7 +606,8 @@ groups:
constraints: constraints:
platform: platform:
- rhel7 - rhel7
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "disabled" - flag: "disabled"
@ -662,7 +663,8 @@ groups:
audit: "apt-cache policy" audit: "apt-cache policy"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
- ubuntu18
type: manual type: manual
remediation: | remediation: |
Configure your package manager repositories according to site policy. Configure your package manager repositories according to site policy.
@ -690,7 +692,8 @@ groups:
audit: "apt-key list" audit: "apt-key list"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
- ubuntu18
type: manual type: manual
remediation: | remediation: |
Update your package manager GPG keys in accordance with site policy. Update your package manager GPG keys in accordance with site policy.
@ -737,7 +740,7 @@ groups:
audit: "dpkg -s aide" audit: "dpkg -s aide"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
tests: tests:
test_items: test_items:
- flag: "install ok installed" - flag: "install ok installed"
@ -751,6 +754,30 @@ groups:
# apt-get install aide # apt-get install aide
# zypper install aide
Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options.
Initialize AIDE:
# aide --init
- check:
audit: "apt-cache show aide"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: true
remediation: |
Install AIDE using the appropriate package manager or manual installation:
# yum install aide
# apt-get install aide
# zypper install aide # zypper install aide
Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options. Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options.
@ -987,10 +1014,13 @@ groups:
checks: checks:
- id: 1.5.1.a - id: 1.5.1.a
description: "Ensure core dumps are restricted" description: "Ensure core dumps are restricted"
audit: "grep -h ^* /etc/security/limits.conf /etc/security/limits.d/*" audit: "grep -h ^[^#].*hard[[:blank:]]*core /etc/security/limits.conf /etc/security/limits.d/*"
tests: tests:
bin_op: and
test_items: test_items:
- flag: "hard core 0" - flag: "hard"
set: true
- flag: "core"
set: true set: true
remediation: | remediation: |
Add the following line to `/etc/security/limits.conf` or a `/etc/security/limits.d/*` file: Add the following line to `/etc/security/limits.conf` or a `/etc/security/limits.d/*` file:
@ -1136,7 +1166,7 @@ groups:
audit: "dpkg -s prelink" audit: "dpkg -s prelink"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
tests: tests:
test_items: test_items:
- flag: "install ok installed" - flag: "install ok installed"
@ -1154,6 +1184,29 @@ groups:
apt-get remove prelink apt-get remove prelink
zypper remove prelink
- check:
audit: "apt-cache show prelink"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: false
remediation: |
Run the following command to restore binaries to normal:
# prelink -ua
Uninstall `prelink` using the appropriate package manager or manual installation:
yum remove prelink
apt-get remove prelink
zypper remove prelink zypper remove prelink
scored: true scored: true
- id: 1.6 - id: 1.6
@ -1342,7 +1395,7 @@ groups:
audit: "dpkg -s setroubleshoot" audit: "dpkg -s setroubleshoot"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
lsm: lsm:
- selinux - selinux
tests: tests:
@ -1358,6 +1411,27 @@ groups:
# apt-get remove setroubleshoot # apt-get remove setroubleshoot
# zypper remove setroubleshoot
- check:
audit: "apt-cache show setroubleshoot"
constraints:
platform:
- ubuntu18
lsm:
- selinux
tests:
test_items:
- flag: "Installed-Size:"
set: false
remediation: |
Uninstall s `etroubleshoot` using the appropriate package manager or manual installation:
# yum remove setroubleshoot
# apt-get remove setroubleshoot
# zypper remove setroubleshoot # zypper remove setroubleshoot
scored: true scored: true
- id: 1.6.1.5 - id: 1.6.1.5
@ -1386,7 +1460,7 @@ groups:
audit: "dpkg -s mcstrans" audit: "dpkg -s mcstrans"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
tests: tests:
test_items: test_items:
- flag: "install ok installed" - flag: "install ok installed"
@ -1400,6 +1474,25 @@ groups:
apt-get remove mcstrans apt-get remove mcstrans
zypper remove mcstrans
- check:
audit: "apt-cache show mcstrans"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: false
remediation: |
Uninstall `mcstrans` using the appropriate package manager or manual installation:
yum remove mcstrans
apt-get remove mcstrans
zypper remove mcstrans zypper remove mcstrans
scored: true scored: true
- id: 1.6.1.6 - id: 1.6.1.6
@ -1523,7 +1616,7 @@ groups:
audit: "dpkg -s libselinux1" audit: "dpkg -s libselinux1"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
lsm: lsm:
- selinux - selinux
tests: tests:
@ -1540,7 +1633,7 @@ groups:
audit: "dpkg -s apparmor" audit: "dpkg -s apparmor"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
lsm: lsm:
- apparmor - apparmor
tests: tests:
@ -1553,6 +1646,41 @@ groups:
# apt-get install libselinux1 # apt-get install libselinux1
# zypper install libselinux # zypper install libselinux
The previous commands install SELinux, use the appropriate package if AppArmor is desired. The previous commands install SELinux, use the appropriate package if AppArmor is desired.
- check:
audit: "apt-cache show libselinux1"
constraints:
platform:
- ubuntu18
lsm:
- selinux
tests:
test_items:
- flag: "Installed-Size:"
set: true
remediation: |
Install SELinux or apparmor using the appropriate package manager or manual installation:
# yum install libselinux
# apt-get install libselinux1
# zypper install libselinux
The previous commands install SELinux, use the appropriate package if AppArmor is desired.
- check:
audit: "apt-cache show apparmor"
constraints:
platform:
- ubuntu18
lsm:
- apparmor
tests:
test_items:
- flag: "Installed-Size:"
set: true
remediation: |
Install SELinux or apparmor using the appropriate package manager or manual installation:
# yum install libselinux
# apt-get install libselinux1
# zypper install libselinux
The previous commands install SELinux, use the appropriate package if AppArmor is desired.
scored: false scored: false
- id: 1.7 - id: 1.7
description: "Warning Banners" description: "Warning Banners"
@ -1863,7 +1991,8 @@ groups:
type: manual type: manual
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
- ubuntu18
remediation: | remediation: |
Use your package manager to update all packages on the system according to site policy. Use your package manager to update all packages on the system according to site policy.
- check: - check:
@ -2178,7 +2307,8 @@ groups:
constraints: constraints:
platform: platform:
- rhel7 - rhel7
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "enabled" - flag: "enabled"
@ -2243,7 +2373,7 @@ groups:
audit: "dpkg -l xserver-xorg*" audit: "dpkg -l xserver-xorg*"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
tests: tests:
test_items: test_items:
- flag: "ii" - flag: "ii"
@ -2257,6 +2387,25 @@ groups:
apt-get remove xserver-xorg* apt-get remove xserver-xorg*
zypper remove xorg-x11*
- check:
audit: "apt-cache show xserver-xorg*"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: false
remediation: |
Remove the X Windows System packages using the appropriate package manager or manual installation:
yum remove xorg-x11*
apt-get remove xserver-xorg*
zypper remove xorg-x11* zypper remove xorg-x11*
scored: true scored: true
- id: 2.2.3 - id: 2.2.3
@ -2286,7 +2435,8 @@ groups:
constraints: constraints:
platform: platform:
- rhel7 - rhel7
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "enabled" - flag: "enabled"
@ -2349,7 +2499,8 @@ groups:
constraints: constraints:
platform: platform:
- rhel7 - rhel7
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "enabled" - flag: "enabled"
@ -2412,7 +2563,8 @@ groups:
constraints: constraints:
platform: platform:
- rhel7 - rhel7
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "enabled" - flag: "enabled"
@ -2475,7 +2627,8 @@ groups:
constraints: constraints:
platform: platform:
- rhel7 - rhel7
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "enabled" - flag: "enabled"
@ -2539,7 +2692,8 @@ groups:
constraints: constraints:
platform: platform:
- rhel7 - rhel7
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "enabled" - flag: "enabled"
@ -2603,7 +2757,8 @@ groups:
constraints: constraints:
platform: platform:
- rhel7 - rhel7
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "enabled" - flag: "enabled"
@ -2667,7 +2822,8 @@ groups:
constraints: constraints:
platform: platform:
- rhel7 - rhel7
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "enabled" - flag: "enabled"
@ -2730,7 +2886,8 @@ groups:
constraints: constraints:
platform: platform:
- rhel7 - rhel7
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "enabled" - flag: "enabled"
@ -2793,7 +2950,8 @@ groups:
constraints: constraints:
platform: platform:
- rhel7 - rhel7
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "enabled" - flag: "enabled"
@ -2856,7 +3014,8 @@ groups:
constraints: constraints:
platform: platform:
- rhel7 - rhel7
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "enabled" - flag: "enabled"
@ -2919,7 +3078,8 @@ groups:
constraints: constraints:
platform: platform:
- rhel7 - rhel7
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "enabled" - flag: "enabled"
@ -2982,7 +3142,8 @@ groups:
constraints: constraints:
platform: platform:
- rhel7 - rhel7
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "enabled" - flag: "enabled"
@ -3045,7 +3206,8 @@ groups:
constraints: constraints:
platform: platform:
- rhel7 - rhel7
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "enabled" - flag: "enabled"
@ -3136,7 +3298,8 @@ groups:
constraints: constraints:
platform: platform:
- rhel7 - rhel7
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "enabled" - flag: "enabled"
@ -3199,7 +3362,8 @@ groups:
constraints: constraints:
platform: platform:
- rhel7 - rhel7
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "enabled" - flag: "enabled"
@ -3268,7 +3432,7 @@ groups:
audit: "dpkg -s ntp" audit: "dpkg -s ntp"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
tests: tests:
test_items: test_items:
- flag: "install ok installed" - flag: "install ok installed"
@ -3282,6 +3446,28 @@ groups:
# apt-get install ntp # apt-get install ntp
# zypper install ntp
The previous commands install NTP, use the appropriate package if chrony is desired.
On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization.
- check:
audit: "apt-cache show ntp"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: true
remediation: |
On physical systems or virtual systems where host based time synchronization is not available install NTP or chrony using the appropriate package manager or manual installation:
# yum install ntp
# apt-get install ntp
# zypper install ntp # zypper install ntp
The previous commands install NTP, use the appropriate package if chrony is desired. The previous commands install NTP, use the appropriate package if chrony is desired.
@ -3318,7 +3504,7 @@ groups:
audit: "dpkg -s chrony" audit: "dpkg -s chrony"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
tests: tests:
test_items: test_items:
- flag: "install ok installed" - flag: "install ok installed"
@ -3336,6 +3522,29 @@ groups:
The previous commands install NTP, use the appropriate package if chrony is desired. The previous commands install NTP, use the appropriate package if chrony is desired.
On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization. On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization.
- check:
audit: "apt-cache show chrony"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: true
remediation: |
On physical systems or virtual systems where host based time synchronization is not available install NTP or chrony using the appropriate package manager or manual installation:
# yum install ntp
# apt-get install ntp
# zypper install ntp
The previous commands install NTP, use the appropriate package if chrony is desired.
On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization.
scored: false scored: false
- id: 2.2.1.2.a - id: 2.2.1.2.a
description: "Ensure ntp is configured" description: "Ensure ntp is configured"
@ -3443,7 +3652,8 @@ groups:
audit: "grep ^OPTIONS /etc/default/ntp" audit: "grep ^OPTIONS /etc/default/ntp"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "OPTIONS=\"-u ntp:ntp\"" - flag: "OPTIONS=\"-u ntp:ntp\""
@ -3510,7 +3720,8 @@ groups:
audit: "grep ^NTPD_OPTIONS /etc/default/ntp" audit: "grep ^NTPD_OPTIONS /etc/default/ntp"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "NTPD_OPTIONS=\"-u ntp:ntp\"" - flag: "NTPD_OPTIONS=\"-u ntp:ntp\""
@ -3636,7 +3847,7 @@ groups:
audit: "dpkg -s ypbind" audit: "dpkg -s ypbind"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
tests: tests:
test_items: test_items:
- flag: "install ok installed" - flag: "install ok installed"
@ -3652,7 +3863,26 @@ groups:
zypper remove ypbind zypper remove ypbind
set: true set: true
- check:
audit: "apt-cache show ypbind"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: false
remediation: |
Uninstall `ypbind` using the appropriate package manager or manual installation:
yum remove ypbind
apt-get remove ypbind
zypper remove ypbind
set: true
scored: true scored: true
- id: 2.3.2 - id: 2.3.2
description: "Ensure rsh client is not installed" description: "Ensure rsh client is not installed"
@ -3681,7 +3911,7 @@ groups:
audit: "dpkg -s rsh-client rsh-redone-client" audit: "dpkg -s rsh-client rsh-redone-client"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
tests: tests:
test_items: test_items:
- flag: "install ok installed" - flag: "install ok installed"
@ -3695,6 +3925,26 @@ groups:
apt-get remove rsh apt-get remove rsh
zypper remove rsh
set: true
- check:
audit: "apt-cache show rsh-client rsh-redone-client"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: false
remediation: |
Uninstall `rsh` using the appropriate package manager or manual installation:
yum remove rsh
apt-get remove rsh
zypper remove rsh zypper remove rsh
set: true set: true
scored: true scored: true
@ -3725,7 +3975,7 @@ groups:
audit: "dpkg -s talk" audit: "dpkg -s talk"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
tests: tests:
test_items: test_items:
- flag: "install ok installed" - flag: "install ok installed"
@ -3739,6 +3989,25 @@ groups:
apt-get remove talk apt-get remove talk
zypper remove talk
- check:
audit: "apt-cache show talk"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: false
remediation: |
Uninstall `talk` using the appropriate package manager or manual installation:
yum remove talk
apt-get remove talk
zypper remove talk zypper remove talk
scored: true scored: true
- id: 2.3.4 - id: 2.3.4
@ -3768,7 +4037,7 @@ groups:
audit: "dpkg -s telnet" audit: "dpkg -s telnet"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
tests: tests:
test_items: test_items:
- flag: "install ok installed" - flag: "install ok installed"
@ -3782,6 +4051,25 @@ groups:
# apt-get remove telnet # apt-get remove telnet
# zypper remove telnet
- check:
audit: "apt-cache show telnet"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: false
remediation: |
Uninstall `telnet` using the appropriate package manager or manual installation:
# yum remove telnet
# apt-get remove telnet
# zypper remove telnet # zypper remove telnet
scored: true scored: true
- id: 2.3.5 - id: 2.3.5
@ -3810,7 +4098,7 @@ groups:
audit: "dpkg -s openldap-clients" audit: "dpkg -s openldap-clients"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
tests: tests:
test_items: test_items:
- flag: "install ok installed" - flag: "install ok installed"
@ -3824,6 +4112,25 @@ groups:
# apt-get remove openldap-clients # apt-get remove openldap-clients
# zypper remove openldap-clients
- check:
audit: "apt-cache show openldap-clients"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: false
remediation: |
Uninstall `openldap-clients` using the appropriate package manager or manual installation:
# yum remove openldap-clients
# apt-get remove openldap-clients
# zypper remove openldap-clients # zypper remove openldap-clients
scored: true scored: true
- id: 3 - id: 3
@ -4736,7 +5043,7 @@ groups:
audit: "dpkg -s tcpd" audit: "dpkg -s tcpd"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
tests: tests:
test_items: test_items:
- flag: "install ok installed" - flag: "install ok installed"
@ -4750,6 +5057,25 @@ groups:
apt-get install tcpd apt-get install tcpd
zypper install tcpd
- check:
audit: "apt-cache show tcpd"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: true
remediation: |
Install TCP Wrappers using the appropriate package manager or manual installation:
yum install tcp_wrappers
apt-get install tcpd
zypper install tcpd zypper install tcpd
scored: true scored: true
- id: 3.4.2 - id: 3.4.2
@ -4980,7 +5306,7 @@ groups:
audit: "dpkg -s iptables" audit: "dpkg -s iptables"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
tests: tests:
test_items: test_items:
@ -4995,6 +5321,26 @@ groups:
# apt-get install iptables # apt-get install iptables
# zypper install iptables
- check:
audit: "apt-cache show iptables"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: true
remediation: |
Install `iptables` using the appropriate package manager or manual installation:
# yum install iptables
# apt-get install iptables
# zypper install iptables # zypper install iptables
scored: true scored: true
- id: 3.6.2 - id: 3.6.2
@ -5177,7 +5523,8 @@ groups:
constraints: constraints:
platform: platform:
- rhel7 - rhel7
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "enabled" - flag: "enabled"
@ -5404,7 +5751,8 @@ groups:
audit: "grep system-locale /etc/audit/audit.rules" audit: "grep system-locale /etc/audit/audit.rules"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -5466,7 +5814,8 @@ groups:
audit: "grep system-locale /etc/audit/audit.rules" audit: "grep system-locale /etc/audit/audit.rules"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -6149,7 +6498,7 @@ groups:
audit: "dpkg -s rsyslog" audit: "dpkg -s rsyslog"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
syslog: syslog:
- rsyslog - rsyslog
tests: tests:
@ -6172,7 +6521,7 @@ groups:
audit: "dpkg -s syslog-ng" audit: "dpkg -s syslog-ng"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
syslog: syslog:
- syslog-ng - syslog-ng
tests: tests:
@ -6188,6 +6537,52 @@ groups:
# apt-get install rsyslog # apt-get install rsyslog
# zypper install rsyslog
The previous commands install `rsyslog` , use the appropriate package if `syslog-ng` is desired.
- check:
audit: "apt-cache show rsyslog"
constraints:
platform:
- ubuntu18
syslog:
- rsyslog
tests:
test_items:
- flag: "Installed-Size:"
set: true
remediation: |
Install rsyslog or `syslog-ng` using the appropriate package manager or manual installation:
# yum install rsyslog
# apt-get install rsyslog
# zypper install rsyslog
The previous commands install `rsyslog` , use the appropriate package if `syslog-ng` is desired.
- check:
audit: "apt-cache show syslog-ng"
constraints:
platform:
- ubuntu18
syslog:
- syslog-ng
tests:
test_items:
- flag: "Installed-Size:"
set: true
remediation: |
Install rsyslog or `syslog-ng` using the appropriate package manager or manual installation:
# yum install rsyslog
# apt-get install rsyslog
# zypper install rsyslog # zypper install rsyslog
The previous commands install `rsyslog` , use the appropriate package if `syslog-ng` is desired. The previous commands install `rsyslog` , use the appropriate package if `syslog-ng` is desired.
@ -6231,7 +6626,8 @@ groups:
constraints: constraints:
platform: platform:
- rhel7 - rhel7
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "enabled" - flag: "enabled"
@ -6421,7 +6817,8 @@ groups:
constraints: constraints:
platform: platform:
- rhel7 - rhel7
- ubuntu - ubuntu16
- ubuntu18
syslog: syslog:
- syslog-ng - syslog-ng
tests: tests:
@ -6616,7 +7013,8 @@ groups:
audit: "systemctl is-enabled cron" audit: "systemctl is-enabled cron"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "enabled" - flag: "enabled"
@ -7180,10 +7578,10 @@ groups:
- id: 5.3.4 - id: 5.3.4
description: "Ensure password hashing algorithm is SHA-512" description: "Ensure password hashing algorithm is SHA-512"
audit: "grep password /etc/pam.d/common-password /etc/pam.d/system-auth /etc/pam.d/password-auth" audit: "grep -E ^[^#].*sha512 /etc/pam.d/common-password /etc/pam.d/system-auth /etc/pam.d/password-auth"
tests: tests:
test_items: test_items:
- flag: "password sufficient pam_unix.so sha512" - flag: "sha512"
set: true set: true
remediation: | remediation: |
Set password hashing algorithm to sha512. Many distributions provide tools for updating PAM configuration, consult your documentation for details. If no tooling is provided edit the appropriate `/etc/pam.d/` configuration file and add or modify the `pam_unix.so` lines to include the sha512 option: Set password hashing algorithm to sha512. Many distributions provide tools for updating PAM configuration, consult your documentation for details. If no tooling is provided edit the appropriate `/etc/pam.d/` configuration file and add or modify the `pam_unix.so` lines to include the sha512 option:
@ -7522,7 +7920,8 @@ groups:
audit: "grep umask /etc/bash.bashrc" audit: "grep umask /etc/bash.bashrc"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "umask 027" - flag: "umask 027"
@ -7569,7 +7968,8 @@ groups:
audit: "grep ^TMOUT /etc/bash.bashrc" audit: "grep ^TMOUT /etc/bash.bashrc"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
- ubuntu18
tests: tests:
test_items: test_items:
- flag: "TMOUT" - flag: "TMOUT"
@ -7671,7 +8071,15 @@ groups:
type: "manual" type: "manual"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu16
remediation: |
Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted.
- check:
audit: "apt-get source > <filename>"
type: "manual"
constraints:
platform:
- ubuntu18
remediation: | remediation: |
Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted. Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted.
scored: false scored: false
@ -7820,7 +8228,7 @@ groups:
- id: 6.1.10.a - id: 6.1.10.a
description: "Ensure no world writable files exist" description: "Ensure no world writable files exist"
audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002" audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 | head -n 100"
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -7842,7 +8250,7 @@ groups:
- id: 6.1.11.a - id: 6.1.11.a
description: "Ensure no unowned files or directories exist" description: "Ensure no unowned files or directories exist"
audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser" audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser | head -n 100"
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -7864,7 +8272,7 @@ groups:
- id: 6.1.12.a - id: 6.1.12.a
description: "Ensure no ungrouped files or directories exist" description: "Ensure no ungrouped files or directories exist"
audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup" audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup | head -n 100"
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -7886,7 +8294,7 @@ groups:
- id: 6.1.13.a - id: 6.1.13.a
description: "Audit SUID executables" description: "Audit SUID executables"
audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000" audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 | head -n 100"
type: manual type: manual
tests: tests:
test_items: test_items:
@ -7909,7 +8317,7 @@ groups:
- id: 6.1.14.a - id: 6.1.14.a
description: "Audit SGID executables" description: "Audit SGID executables"
audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000" audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 | head -n 100"
type: manual type: manual
tests: tests:
test_items: test_items:
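Review bot: The ubuntu18 checks added in this section (first at the `apt-cache show aide` hunk, then prelink, setroubleshoot, mcstrans, libselinux1/apparmor, xserver-xorg, ntp, chrony, ypbind, rsh, talk, telnet, openldap-clients, tcpd, iptables and rsyslog/syslog-ng) test installation state with `apt-cache show <pkg>` and the flag `Installed-Size:`, but as far as I can tell `apt-cache show` prints the package record from the apt lists for any known package whether or not it is installed, so `Installed-Size:` is present either way. That turns every `set: false` "not installed" check into a failure on any host whose package lists know the package, and lets every `set: true` "is installed" check pass with the package absent, which is the wrong direction for controls such as telnet, rsh and prelink. The ubuntu16 variants in the same hunks already query installed status; e.g. for the aide check `audit: "dpkg -s aide"` with `- flag: "install ok installed"` works on 18.04 as well (or `apt-cache policy <pkg>` keyed on `Installed: (none)` if dpkg is to be avoided). Separately, in the 1.5.1.a hunk splitting the flag into `hard` and `core` with `bin_op: and` no longer verifies the `0` value, so a line such as `* hard core unlimited` satisfies the check; keeping `- flag: "core 0"` or tightening the grep to `hard[[:blank:]]+core[[:blank:]]+0` restores it.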


@ -35,6 +35,7 @@ var (
checkList string checkList string
jsonFmt bool jsonFmt bool
includeTestOutput bool includeTestOutput bool
outputFile string
) )
// RootCmd represents the base command when called without any subcommands // RootCmd represents the base command when called without any subcommands
@ -74,6 +75,7 @@ func init() {
RootCmd.Flags().StringVarP(&cfgDir, "config-dir", "D", "cfg", "directory to get benchmark definitions") RootCmd.Flags().StringVarP(&cfgDir, "config-dir", "D", "cfg", "directory to get benchmark definitions")
RootCmd.PersistentFlags().BoolVar(&jsonFmt, "json", false, "Prints the results as JSON") RootCmd.PersistentFlags().BoolVar(&jsonFmt, "json", false, "Prints the results as JSON")
RootCmd.PersistentFlags().BoolVar(&includeTestOutput, "include-test-output", false, "Prints the test's output") RootCmd.PersistentFlags().BoolVar(&includeTestOutput, "include-test-output", false, "Prints the test's output")
RootCmd.PersistentFlags().StringVar(&outputFile, "outputfile", "", "Writes the JSON results to output file")
RootCmd.PersistentFlags().StringVarP( RootCmd.PersistentFlags().StringVarP(
&checkList, &checkList,
"check", "check",
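Review bot: The new flag name `"outputfile"` breaks the kebab-case convention of the sibling flags in the same `init()` hunk (`"config-dir"`, `"include-test-output"`); `"output-file"` would match, and since the flag is new there is no compatibility cost yet. The help text `"Writes the JSON results to output file"` is the only place that says the file is written only for JSON output, and in the app.go hunk the non-JSON branch indeed never uses it; the text could say so directly, e.g. `"file to write the JSON results to (requires --json)"`. `init()` continues beyond the hunk.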


@ -102,13 +102,14 @@ func GetLSM() (lsm string, err error) {
} }
func getPlatformVersion(output, platform string) string { func getPlatformVersion(output, platform string) string {
flagRe := regexp.MustCompile("version_id" + `=([^ \n]*)`) flagRe := regexp.MustCompile(`version[_id]*=([^ \n]*)`)
vals := flagRe.FindStringSubmatch(output) vals := flagRe.FindStringSubmatch(output)
if len(vals) > 1 { if len(vals) > 1 {
switch platform { switch platform {
case "rhel": case "rhel":
return vals[1][:1] // Get the major version only, examaple: 7.6 will return 7 return vals[1][:1] // Get the major version only, examaple: 7.6 will return 7
case "ubuntu":
return vals[1][:2] // Get the major version only, examaple: 18.04 will return 18
default: default:
return "" return ""
} }
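Review bot: `vals[1][:2]` in the new `case "ubuntu":` branch panics with a slice-bounds error when the capture is shorter than two characters, and the rewritten pattern allows exactly that: `[^ \n]*` matches the empty string, so `version=` followed by a space or newline yields `vals[1] == ""` while `len(vals) > 1` is still true. The same latent problem exists for the pre-existing rhel `[:1]` slice, but the new branch adds a second exposure. Also, `version[_id]*=` is a character class, not an optional group; it matches `version=`, `versioni=`, `versiondd=` and so on, and in input that contains both `version=` and `version_id=` the first occurrence wins, so the capture may be the long form rather than the id — if an optional suffix was meant, `version(_id)?=` says so. A guard such as `if len(vals[1]) >= 2 { return vals[1][:2] }`, falling through to the function's existing fallback, avoids the panic; the function's body continues past the end of the hunk.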