Merge pull request #17 from yoavrotems/patch-9

Update the file
Liz Rice 2019-06-03 10:38:37 +02:00 committed by GitHub
commit 61e54c1bf7


@ -606,7 +606,8 @@ groups:
constraints:
platform:
- rhel7
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "disabled"
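Review bot: Renaming the constraint value `ubuntu` to `ubuntu16` here (and in every platform list below) only works if the code that populates the `platform` constraint is changed in the same PR to emit `ubuntu16` for 16.04 and `ubuntu18` for 18.04; otherwise every check that used to match `ubuntu` silently stops matching and the benchmark runs with no Ubuntu checks at all. Worth confirming that side of the change is included, and deciding what a host on an Ubuntu release that is neither 16 nor 18 should get, since under this scheme it matches nothing.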
@ -662,7 +663,8 @@ groups:
audit: "apt-cache policy"
constraints:
platform:
- ubuntu
- ubuntu16
- ubuntu18
type: manual
remediation: |
Configure your package manager repositories according to site policy.
@ -690,7 +692,8 @@ groups:
audit: "apt-key list"
constraints:
platform:
- ubuntu
- ubuntu16
- ubuntu18
type: manual
remediation: |
Update your package manager GPG keys in accordance with site policy.
@ -737,7 +740,7 @@ groups:
audit: "dpkg -s aide"
constraints:
platform:
- ubuntu
- ubuntu16
tests:
test_items:
- flag: "install ok installed"
@ -751,6 +754,30 @@ groups:
# apt-get install aide
# zypper install aide
Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options.
Initialize AIDE:
# aide --init
- check:
audit: "apt-cache show aide"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: true
remediation: |
Install AIDE using the appropriate package manager or manual installation:
# yum install aide
# apt-get install aide
# zypper install aide
Configure AIDE as appropriate for your environment. Consult the AIDE documentation for options.
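Review bot: The new ubuntu18 check does not test whether aide is installed. `apt-cache show aide` prints the package record from the apt index whenever aide is available in a configured repository, and `Installed-Size:` is a field of that record, so the `set: true` flag passes on a clean 18.04 host that has never had aide installed. The same problem affects every new `apt-cache show` check in this PR, in both directions: the `set: false` "is not installed" checks fail on any host whose repositories merely carry the package. `dpkg -s aide` behaves on 18.04 exactly as it does on 16.04, so the simplest fix is to add `- ubuntu18` to the existing check's platform list and drop this block; if a separate command is wanted, `dpkg-query -W -f='${Status}' aide` with flag `install ok installed` answers the question actually being asked.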
@ -989,13 +1016,12 @@ groups:
description: "Ensure core dumps are restricted"
audit: "grep -h ^[^#].*hard[[:blank:]]*core /etc/security/limits.conf /etc/security/limits.d/*"
tests:
tests:
bin_op: and
test_items:
- flag: "hard"
set: true
- flag: "core"
set: true
set: true
remediation: |
Add the following line to `/etc/security/limits.conf` or a `/etc/security/limits.d/*` file:
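Review bot: The rendering hides indentation, so what this hunk fixes is not visible: the header shows a net one line removed, and `tests:` and `set: true` each appear twice in a row. Presumably the old block had a duplicated or mis-nested `tests:` key and a mis-indented `set: true`. Please confirm the result parses as a single `tests:` with `bin_op: and` and both the `hard` and `core` items under one `test_items` list, for example by loading the file with a YAML parser in CI, since a stray second `tests:` key would silently override the first.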
@ -1140,7 +1166,7 @@ groups:
audit: "dpkg -s prelink"
constraints:
platform:
- ubuntu
- ubuntu16
tests:
test_items:
- flag: "install ok installed"
@ -1159,6 +1185,29 @@ groups:
zypper remove prelink
- check:
audit: "apt-cache show prelink"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: false
remediation: |
Run the following command to restore binaries to normal:
# prelink -ua
Uninstall `prelink` using the appropriate package manager or manual installation:
yum remove prelink
apt-get remove prelink
zypper remove prelink
scored: true
- id: 1.6
description: "Mandatory Access Control"
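Review bot: The remediation in the new ubuntu18 prelink block is internally inconsistent: `# prelink -ua` carries the prompt marker but the three `remove` lines that follow it do not, while neighbouring checks use `#` on every command; pick one convention for the copied text. Separately, `apt-cache show prelink` with `Installed-Size:` and `set: false` reports prelink as present whenever the package exists in the apt index, not when it is installed, so the check fails on hosts where prelink is merely available; `dpkg -s prelink`, as in the ubuntu16 check above, is the right command on 18.04 too.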
@ -1346,7 +1395,7 @@ groups:
audit: "dpkg -s setroubleshoot"
constraints:
platform:
- ubuntu
- ubuntu16
lsm:
- selinux
tests:
@ -1362,6 +1411,27 @@ groups:
# apt-get remove setroubleshoot
# zypper remove setroubleshoot
- check:
audit: "apt-cache show setroubleshoot"
constraints:
platform:
- ubuntu18
lsm:
- selinux
tests:
test_items:
- flag: "Installed-Size:"
set: false
remediation: |
Uninstall s `etroubleshoot` using the appropriate package manager or manual installation:
# yum remove setroubleshoot
# apt-get remove setroubleshoot
# zypper remove setroubleshoot
scored: true
- id: 1.6.1.5
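Review bot: Typo in the new remediation text: "Uninstall s `etroubleshoot`" should read "Uninstall `setroubleshoot`"; the opening backtick has slipped one character. The audit has the same problem as the other new blocks: `apt-cache show setroubleshoot` with `set: false` on `Installed-Size:` passes only when the package is absent from the apt index, not when it is uninstalled, so `dpkg -s setroubleshoot` from the ubuntu16 check above is the test to keep.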
@ -1390,7 +1460,7 @@ groups:
audit: "dpkg -s mcstrans"
constraints:
platform:
- ubuntu
- ubuntu16
tests:
test_items:
- flag: "install ok installed"
@ -1405,6 +1475,25 @@ groups:
zypper remove mcstrans
- check:
audit: "apt-cache show mcstrans"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: false
remediation: |
Uninstall `mcstrans` using the appropriate package manager or manual installation:
yum remove mcstrans
apt-get remove mcstrans
zypper remove mcstrans
scored: true
- id: 1.6.1.6
description: "Ensure no unconfined daemons exist"
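Review bot: The new ubuntu18 mcstrans check has no `lsm` constraint, while the new setroubleshoot block just above is limited to `lsm: selinux`. mcstrans is only meaningful on SELinux systems, so an AppArmor-based 18.04 host will get this check and its remediation for no reason; consider adding the same `lsm` constraint. The `apt-cache show mcstrans` / `Installed-Size:` / `set: false` test also only reflects whether the package is in the repository index, not whether it is installed.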
@ -1507,7 +1596,7 @@ groups:
# zypper install libselinux
The previous commands install SELinux, use the appropriate package if AppArmor is desired.
- check:
audit: "rpm -qapparmor"
audit: "rpm -q apparmor"
constraints:
platform:
- rhel7
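Review bot: Good catch on `rpm -qapparmor`: without the space rpm reads `apparmor` as a run of single-letter options (`-a`, `-p`, ...) rather than as a package name, so this audit could not have returned the intended result. It is worth grepping the rest of the file for other `-q<name>` and `-s<name>` audits missing the space, since this one survived unnoticed until now.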
@ -1527,7 +1616,7 @@ groups:
audit: "dpkg -s libselinux1"
constraints:
platform:
- ubuntu
- ubuntu16
lsm:
- selinux
tests:
@ -1544,7 +1633,7 @@ groups:
audit: "dpkg -s apparmor"
constraints:
platform:
- ubuntu
- ubuntu16
lsm:
- apparmor
tests:
@ -1557,6 +1646,41 @@ groups:
# apt-get install libselinux1
# zypper install libselinux
The previous commands install SELinux, use the appropriate package if AppArmor is desired.
- check:
audit: "apt-cache show libselinux1"
constraints:
platform:
- ubuntu18
lsm:
- selinux
tests:
test_items:
- flag: "Installed-Size:"
set: true
remediation: |
Install SELinux or apparmor using the appropriate package manager or manual installation:
# yum install libselinux
# apt-get install libselinux1
# zypper install libselinux
The previous commands install SELinux, use the appropriate package if AppArmor is desired.
- check:
audit: "apt-cache show apparmor"
constraints:
platform:
- ubuntu18
lsm:
- apparmor
tests:
test_items:
- flag: "Installed-Size:"
set: true
remediation: |
Install SELinux or apparmor using the appropriate package manager or manual installation:
# yum install libselinux
# apt-get install libselinux1
# zypper install libselinux
The previous commands install SELinux, use the appropriate package if AppArmor is desired.
scored: false
- id: 1.7
description: "Warning Banners"
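Review bot: The remediation on the new `lsm: apparmor` check tells the user to install libselinux (`yum install libselinux`, `apt-get install libselinux1`, ...) and only mentions AppArmor in a trailing sentence, even though the check fires only on AppArmor hosts and audits the `apparmor` package. Since this block is new, give it an AppArmor-specific remediation (`apt-get install apparmor`) rather than copying the SELinux text. Both new checks also use `apt-cache show` with `Installed-Size:` / `set: true`, which passes whenever the package is in the apt index, installed or not; `dpkg -s libselinux1` / `dpkg -s apparmor` as in the ubuntu16 checks above are the correct tests.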
@ -1867,7 +1991,8 @@ groups:
type: manual
constraints:
platform:
- ubuntu
- ubuntu16
- ubuntu18
remediation: |
Use your package manager to update all packages on the system according to site policy.
- check:
@ -2182,7 +2307,8 @@ groups:
constraints:
platform:
- rhel7
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "enabled"
@ -2247,7 +2373,7 @@ groups:
audit: "dpkg -l xserver-xorg*"
constraints:
platform:
- ubuntu
- ubuntu16
tests:
test_items:
- flag: "ii"
@ -2261,6 +2387,25 @@ groups:
apt-get remove xserver-xorg*
zypper remove xorg-x11*
- check:
audit: "apt-cache show xserver-xorg*"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: false
remediation: |
Remove the X Windows System packages using the appropriate package manager or manual installation:
yum remove xorg-x11*
apt-get remove xserver-xorg*
zypper remove xorg-x11*
scored: true
- id: 2.2.3
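Review bot: `apt-cache show xserver-xorg*` with `Installed-Size:` and `set: false` fails on any 18.04 host whose repositories carry the X packages, whether or not they are installed, because `apt-cache show` lists records from the repository index rather than the installed set. Keep the `dpkg -l xserver-xorg*` audit with the `ii` flag from the ubuntu16 check and just add `- ubuntu18` to its platform list. In both audits the unquoted `xserver-xorg*` is also a shell glob: if the command goes through a shell it is expanded against files in the current working directory before the tool sees it, so quote it (`'xserver-xorg*'`).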
@ -2290,7 +2435,8 @@ groups:
constraints:
platform:
- rhel7
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "enabled"
@ -2353,7 +2499,8 @@ groups:
constraints:
platform:
- rhel7
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "enabled"
@ -2416,7 +2563,8 @@ groups:
constraints:
platform:
- rhel7
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "enabled"
@ -2479,7 +2627,8 @@ groups:
constraints:
platform:
- rhel7
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "enabled"
@ -2543,7 +2692,8 @@ groups:
constraints:
platform:
- rhel7
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "enabled"
@ -2607,7 +2757,8 @@ groups:
constraints:
platform:
- rhel7
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "enabled"
@ -2671,7 +2822,8 @@ groups:
constraints:
platform:
- rhel7
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "enabled"
@ -2734,7 +2886,8 @@ groups:
constraints:
platform:
- rhel7
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "enabled"
@ -2797,7 +2950,8 @@ groups:
constraints:
platform:
- rhel7
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "enabled"
@ -2860,7 +3014,8 @@ groups:
constraints:
platform:
- rhel7
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "enabled"
@ -2923,7 +3078,8 @@ groups:
constraints:
platform:
- rhel7
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "enabled"
@ -2986,7 +3142,8 @@ groups:
constraints:
platform:
- rhel7
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "enabled"
@ -3049,7 +3206,8 @@ groups:
constraints:
platform:
- rhel7
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "enabled"
@ -3140,7 +3298,8 @@ groups:
constraints:
platform:
- rhel7
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "enabled"
@ -3203,7 +3362,8 @@ groups:
constraints:
platform:
- rhel7
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "enabled"
@ -3272,7 +3432,7 @@ groups:
audit: "dpkg -s ntp"
constraints:
platform:
- ubuntu
- ubuntu16
tests:
test_items:
- flag: "install ok installed"
@ -3286,6 +3446,28 @@ groups:
# apt-get install ntp
# zypper install ntp
The previous commands install NTP, use the appropriate package if chrony is desired.
On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization.
- check:
audit: "apt-cache show ntp"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: true
remediation: |
On physical systems or virtual systems where host based time synchronization is not available install NTP or chrony using the appropriate package manager or manual installation:
# yum install ntp
# apt-get install ntp
# zypper install ntp
The previous commands install NTP, use the appropriate package if chrony is desired.
@ -3322,7 +3504,7 @@ groups:
audit: "dpkg -s chrony"
constraints:
platform:
- ubuntu
- ubuntu16
tests:
test_items:
- flag: "install ok installed"
@ -3340,6 +3522,29 @@ groups:
The previous commands install NTP, use the appropriate package if chrony is desired.
On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization.
- check:
audit: "apt-cache show chrony"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: true
remediation: |
On physical systems or virtual systems where host based time synchronization is not available install NTP or chrony using the appropriate package manager or manual installation:
# yum install ntp
# apt-get install ntp
# zypper install ntp
The previous commands install NTP, use the appropriate package if chrony is desired.
On virtual systems where host based time synchronization is available consult your virtualization software documentation and setup host based synchronization.
scored: false
- id: 2.2.1.2.a
description: "Ensure ntp is configured"
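Review bot: The remediation of the new ubuntu18 chrony check is the ntp text: it installs `ntp` with each package manager and says "use the appropriate package if chrony is desired", while this check audits `chrony`. Give the chrony block a chrony remediation (`apt-get install chrony`, ...). As with the other new blocks, `apt-cache show chrony` / `Installed-Size:` / `set: true` shows that chrony is available in the repositories, not that it is installed; `dpkg -s chrony` from the ubuntu16 check above works on 18.04 unchanged.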
@ -3447,7 +3652,8 @@ groups:
audit: "grep ^OPTIONS /etc/default/ntp"
constraints:
platform:
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "OPTIONS=\"-u ntp:ntp\""
@ -3514,7 +3720,8 @@ groups:
audit: "grep ^NTPD_OPTIONS /etc/default/ntp"
constraints:
platform:
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "NTPD_OPTIONS=\"-u ntp:ntp\""
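Review bot: Before extending these two audits to ubuntu18, confirm which variable the 18.04 `ntp` package actually writes to `/etc/default/ntp`: this hunk greps for `NTPD_OPTIONS=` and the one just above for `OPTIONS=`, which suggests the name has varied between releases, and a check that greps for a variable the file never contains fails on every host regardless of configuration. Whichever name is right for 18.04 should be the only one the ubuntu18 platform matches.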
@ -3640,7 +3847,7 @@ groups:
audit: "dpkg -s ypbind"
constraints:
platform:
- ubuntu
- ubuntu16
tests:
test_items:
- flag: "install ok installed"
@ -3656,7 +3863,26 @@ groups:
zypper remove ypbind
set: true
- check:
audit: "apt-cache show ypbind"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: false
remediation: |
Uninstall `ypbind` using the appropriate package manager or manual installation:
yum remove ypbind
apt-get remove ypbind
zypper remove ypbind
set: true
scored: true
- id: 2.3.2
description: "Ensure rsh client is not installed"
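Review bot: The new ubuntu18 ypbind block ends with a `set: true` line after the `remediation:` block, at check level rather than inside a `test_items` entry, copied from the same stray line visible in the ubuntu16 context above. At that position it is either an unknown key the loader ignores or, depending on indentation, a YAML error; drop it from the new block (and from the old one). The audit itself, `apt-cache show ypbind` with `Installed-Size:` / `set: false`, reports repository availability rather than installation, so it fails on hosts where ypbind is merely available.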
@ -3685,7 +3911,7 @@ groups:
audit: "dpkg -s rsh-client rsh-redone-client"
constraints:
platform:
- ubuntu
- ubuntu16
tests:
test_items:
- flag: "install ok installed"
@ -3701,6 +3927,26 @@ groups:
zypper remove rsh
set: true
- check:
audit: "apt-cache show rsh-client rsh-redone-client"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: false
remediation: |
Uninstall `rsh` using the appropriate package manager or manual installation:
yum remove rsh
apt-get remove rsh
zypper remove rsh
set: true
scored: true
- id: 2.3.3
description: "Ensure talk client is not installed"
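Review bot: `apt-cache show rsh-client rsh-redone-client` with `Installed-Size:` and `set: false` can only pass if neither package exists in the apt index, so on an 18.04 host whose repositories carry them this check fails even though nothing is installed; `dpkg -s rsh-client rsh-redone-client`, as in the ubuntu16 check above, answers the installed question. The trailing `set: true` after the `remediation:` block is a stray key at check level (copied from the old block above) and should go.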
@ -3729,7 +3975,7 @@ groups:
audit: "dpkg -s talk"
constraints:
platform:
- ubuntu
- ubuntu16
tests:
test_items:
- flag: "install ok installed"
@ -3743,6 +3989,25 @@ groups:
apt-get remove talk
zypper remove talk
- check:
audit: "apt-cache show talk"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: false
remediation: |
Uninstall `talk` using the appropriate package manager or manual installation:
yum remove talk
apt-get remove talk
zypper remove talk
scored: true
- id: 2.3.4
@ -3772,7 +4037,7 @@ groups:
audit: "dpkg -s telnet"
constraints:
platform:
- ubuntu
- ubuntu16
tests:
test_items:
- flag: "install ok installed"
@ -3786,6 +4051,25 @@ groups:
# apt-get remove telnet
# zypper remove telnet
- check:
audit: "apt-cache show telnet"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: false
remediation: |
Uninstall `telnet` using the appropriate package manager or manual installation:
# yum remove telnet
# apt-get remove telnet
# zypper remove telnet
scored: true
- id: 2.3.5
@ -3814,7 +4098,7 @@ groups:
audit: "dpkg -s openldap-clients"
constraints:
platform:
- ubuntu
- ubuntu16
tests:
test_items:
- flag: "install ok installed"
@ -3828,6 +4112,25 @@ groups:
# apt-get remove openldap-clients
# zypper remove openldap-clients
- check:
audit: "apt-cache show openldap-clients"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: false
remediation: |
Uninstall `openldap-clients` using the appropriate package manager or manual installation:
# yum remove openldap-clients
# apt-get remove openldap-clients
# zypper remove openldap-clients
scored: true
- id: 3
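Review bot: `openldap-clients` is the RHEL/SUSE package name; on Debian and Ubuntu the OpenLDAP client tools ship as `ldap-utils`. With `apt-cache show`, an unknown name prints an error and no `Installed-Size:` field, so the new `set: false` check passes unconditionally and never detects an installed LDAP client. The same wrong name is in the ubuntu16 `dpkg -s openldap-clients` audit above and in the `apt-get remove openldap-clients` remediation line; both should use `ldap-utils`.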
@ -4740,7 +5043,7 @@ groups:
audit: "dpkg -s tcpd"
constraints:
platform:
- ubuntu
- ubuntu16
tests:
test_items:
- flag: "install ok installed"
@ -4754,6 +5057,25 @@ groups:
apt-get install tcpd
zypper install tcpd
- check:
audit: "apt-cache show tcpd"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: true
remediation: |
Install TCP Wrappers using the appropriate package manager or manual installation:
yum install tcp_wrappers
apt-get install tcpd
zypper install tcpd
scored: true
- id: 3.4.2
@ -4984,7 +5306,7 @@ groups:
audit: "dpkg -s iptables"
constraints:
platform:
- ubuntu
- ubuntu16
tests:
test_items:
@ -4999,6 +5321,26 @@ groups:
# apt-get install iptables
# zypper install iptables
- check:
audit: "apt-cache show iptables"
constraints:
platform:
- ubuntu18
tests:
test_items:
- flag: "Installed-Size:"
set: true
remediation: |
Install `iptables` using the appropriate package manager or manual installation:
# yum install iptables
# apt-get install iptables
# zypper install iptables
scored: true
- id: 3.6.2
@ -5181,7 +5523,8 @@ groups:
constraints:
platform:
- rhel7
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "enabled"
@ -5408,7 +5751,8 @@ groups:
audit: "grep system-locale /etc/audit/audit.rules"
constraints:
platform:
- ubuntu
- ubuntu16
- ubuntu18
tests:
bin_op: and
test_items:
@ -5470,7 +5814,8 @@ groups:
audit: "grep system-locale /etc/audit/audit.rules"
constraints:
platform:
- ubuntu
- ubuntu16
- ubuntu18
tests:
bin_op: and
test_items:
@ -6153,7 +6498,7 @@ groups:
audit: "dpkg -s rsyslog"
constraints:
platform:
- ubuntu
- ubuntu16
syslog:
- rsyslog
tests:
@ -6176,7 +6521,7 @@ groups:
audit: "dpkg -s syslog-ng"
constraints:
platform:
- ubuntu
- ubuntu16
syslog:
- syslog-ng
tests:
@ -6192,6 +6537,52 @@ groups:
# apt-get install rsyslog
# zypper install rsyslog
The previous commands install `rsyslog` , use the appropriate package if `syslog-ng` is desired.
- check:
audit: "apt-cache show rsyslog"
constraints:
platform:
- ubuntu18
syslog:
- rsyslog
tests:
test_items:
- flag: "Installed-Size:"
set: true
remediation: |
Install rsyslog or `syslog-ng` using the appropriate package manager or manual installation:
# yum install rsyslog
# apt-get install rsyslog
# zypper install rsyslog
The previous commands install `rsyslog` , use the appropriate package if `syslog-ng` is desired.
- check:
audit: "apt-cache show syslog-ng"
constraints:
platform:
- ubuntu18
syslog:
- syslog-ng
tests:
test_items:
- flag: "Installed-Size:"
set: true
remediation: |
Install rsyslog or `syslog-ng` using the appropriate package manager or manual installation:
# yum install rsyslog
# apt-get install rsyslog
# zypper install rsyslog
The previous commands install `rsyslog` , use the appropriate package if `syslog-ng` is desired.
@ -6235,7 +6626,8 @@ groups:
constraints:
platform:
- rhel7
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "enabled"
@ -6425,7 +6817,8 @@ groups:
constraints:
platform:
- rhel7
- ubuntu
- ubuntu16
- ubuntu18
syslog:
- syslog-ng
tests:
@ -6620,7 +7013,8 @@ groups:
audit: "systemctl is-enabled cron"
constraints:
platform:
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "enabled"
@ -7184,7 +7578,7 @@ groups:
- id: 5.3.4
description: "Ensure password hashing algorithm is SHA-512"
audit: "grep -E ^[^#].*sha512 /etc/pam.d/common-password /etc/pam.d/system-auth /etc/pam.d/password-auth"
audit: "grep -E ^[^#].*sha512 /etc/pam.d/common-password /etc/pam.d/system-auth /etc/pam.d/password-auth"
tests:
test_items:
- flag: "sha512"
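Review bot: The removed and added `audit:` lines are identical as rendered, so this is a whitespace-only change (indentation or trailing space). Fine to keep, but it should be called out in the commit message so nobody hunts for a semantic difference; a YAML lint step in CI would catch such drift before review.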
@ -7526,7 +7920,8 @@ groups:
audit: "grep umask /etc/bash.bashrc"
constraints:
platform:
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "umask 027"
@ -7573,7 +7968,8 @@ groups:
audit: "grep ^TMOUT /etc/bash.bashrc"
constraints:
platform:
- ubuntu
- ubuntu16
- ubuntu18
tests:
test_items:
- flag: "TMOUT"
@ -7675,7 +8071,15 @@ groups:
type: "manual"
constraints:
platform:
- ubuntu
- ubuntu16
remediation: |
Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted.
- check:
audit: "apt-get source > <filename>"
type: "manual"
constraints:
platform:
- ubuntu18
remediation: |
Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted.
scored: false
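Review bot: The new ubuntu18 block is a verbatim copy of the ubuntu16 one above it (same `apt-get source > <filename>` audit, same `type: "manual"`, same remediation). Elsewhere in this PR a check that applies unchanged to both releases just lists `- ubuntu16` and `- ubuntu18` under one `platform:` constraint; do the same here instead of duplicating the check.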
@ -8238,4 +8642,4 @@ groups:
remediation: |
Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group.
scored: true