mirrors/linux-bench
1
0
Fork 1
mirror of https://github.com/aquasecurity/linux-bench.git synced 2025-02-23 14:45:33 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #1 from aquasecurity/improved-yaml-version-1.1.0

Browse source 
Improved yaml - 1.1.0
This commit is contained in:
Liz Rice 2019-02-05 14:33:57 +00:00 committed by GitHub
commit 9e295a64c4
Failed to generate hash of commit
3 changed files with 1587 additions and 1537 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
README.md
View file

@ -1,14 +1,20 @@
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
Linux-bench is a Go application that checks whether The linux operating system is configured securely by running the checks documented in the CIS Linux Benchmark. Linux-bench is a Go application that checks whether The linux operating system is configured securely by running the checks documented in the CIS Distribution Independent Linux Benchmark.
Tests are configured with YAML files, making this tool easy to update as test specifications evolve. Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
## CIS Linux Benchmark support ## CIS Linux Benchmark support
linux-bench currently supports tests for multiple platforms of Linux (ubntu, rhel and debian). linux-bench currently supports tests for benchmark version 1.1.0 only.
linux-bench will determine the test set to run based on the operating system and the boot loader running on the host machine.
linux-bench will determine the test set to run on the host machine based on the following:
##### Operating system platform - ubuntu/debian/rhel/coreos
##### Boot loader - grub/grub2
##### System logging tool - rsyslog/syslog-ng
##### Lsm - selinux/apparmor
## Installation ## Installation
### Installing from sources ### Installing from sources
@ -28,12 +34,12 @@ go build -o linux-bench .
./linux-bench ./linux-bench
# Run checks for specified linux cis version # Run checks for specified linux cis version
./linux-bench ./linux-bench --version <version>
``` ```
# Tests # Tests
Tests are specified in definition files `cfg/<version>/definitions.yaml. Tests are specified in definition files `cfg/<version>/definitions.yaml.`
Where `<version>` is the version of linux cis for which the test applies. Where `<version>` is the version of linux cis for which the test applies.
# Contributing # Contributing

160
cfg/1.1.0/definitions.yaml
View file

@ -86,7 +86,12 @@ groups:
checks: checks:
- id: 1.1.1.8.a - id: 1.1.1.8.a
description: "Ensure mounting of FAT filesystems is disabled" description: "Ensure mounting of FAT filesystems is disabled"
sub_checks:
- check:
audit: "modprobe -n -v vfat" audit: "modprobe -n -v vfat"
constraints:
platform:
- rhel7
tests: tests:
test_items: test_items:
- flag : "install /bin/true" - flag : "install /bin/true"
@ -102,14 +107,19 @@ groups:
# rmmod vfat # rmmod vfat
scored: true scored: true
- id: 1.1.1.8.b - id: 1.1.1.8.b
description: "Ensure mounting of FAT filesystems is disabled" description: "Ensure mounting of FAT filesystems is disabled"
sub_checks:
- check:
audit: "lsmod | grep vfat" audit: "lsmod | grep vfat"
constraints:
platform:
- rhel7
tests: tests:
test_items: test_items:
- flag : "" - flag : ""
set: true set: true
remediation: | remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
@ -150,7 +160,6 @@ groups:
# zypper install libselinux # zypper install libselinux
The previous commands install SELinux, use the appropriate package if AppArmor is desired. The previous commands install SELinux, use the appropriate package if AppArmor is desired.
scored: false
- check: - check:
audit: "rpm -q apparmor" audit: "rpm -q apparmor"
constraints: constraints:
@ -174,9 +183,6 @@ groups:
# zypper install libselinux # zypper install libselinux
The previous commands install SELinux, use the appropriate package if AppArmor is desired. The previous commands install SELinux, use the appropriate package if AppArmor is desired.
scored: false
- check: - check:
audit: "dpkg -s libselinux1" audit: "dpkg -s libselinux1"
constraints: constraints:
@ -200,10 +206,6 @@ groups:
# zypper install libselinux # zypper install libselinux
The previous commands install SELinux, use the appropriate package if AppArmor is desired. The previous commands install SELinux, use the appropriate package if AppArmor is desired.
scored: false
- check: - check:
audit: "dpkg -s apparmor" audit: "dpkg -s apparmor"
constraints: constraints:
@ -228,10 +230,6 @@ groups:
The previous commands install SELinux, use the appropriate package if AppArmor is desired. The previous commands install SELinux, use the appropriate package if AppArmor is desired.
scored: false scored: false
- id: 1.6.1 - id: 1.6.1
description: "Configure SELinuxonfigure SELinux" description: "Configure SELinuxonfigure SELinux"
checks: checks:
@ -263,8 +261,6 @@ groups:
Run the following command to update the `grub2` configuration: Run the following command to update the `grub2` configuration:
# update-grub # update-grub
scored: true
- check: - check:
audit: "grep LINUX /etc/default/grub" audit: "grep LINUX /etc/default/grub"
constraints: constraints:
@ -290,7 +286,6 @@ groups:
Run the following command to update the `grub2` configuration: Run the following command to update the `grub2` configuration:
# update-grub # update-grub
scored: true scored: true
- id: 1.6.1.2.a - id: 1.6.1.2.a
description: "Ensure the SELinux state is enforcing" description: "Ensure the SELinux state is enforcing"
@ -314,7 +309,6 @@ groups:
Run the following command to update the `grub2` configuration: Run the following command to update the `grub2` configuration:
# update-grub # update-grub
scored: true scored: true
- id: 1.6.1.2.b - id: 1.6.1.2.b
description: "Ensure the SELinux state is enforcing" description: "Ensure the SELinux state is enforcing"
@ -351,9 +345,7 @@ groups:
Run the following command to update the `grub2` configuration: Run the following command to update the `grub2` configuration:
# update-grub # update-grub
scored: true scored: true
- id: 1.6.1.3.a - id: 1.6.1.3.a
description: "Ensure SELinux policy is configured" description: "Ensure SELinux policy is configured"
sub_checks: sub_checks:
@ -370,7 +362,6 @@ groups:
Edit the `/etc/selinux/config` file to set the SELINUXTYPE parameter: Edit the `/etc/selinux/config` file to set the SELINUXTYPE parameter:
SELINUXTYPE=targeted SELINUXTYPE=targeted
scored: true scored: true
- id: 1.6.1.3.b - id: 1.6.1.3.b
description: "Ensure SELinux policy is configured" description: "Ensure SELinux policy is configured"
@ -391,7 +382,6 @@ groups:
Edit the `/etc/selinux/config` file to set the SELINUXTYPE parameter: Edit the `/etc/selinux/config` file to set the SELINUXTYPE parameter:
SELINUXTYPE=targeted SELINUXTYPE=targeted
scored: true scored: true
@ -419,8 +409,6 @@ groups:
# zypper remove setroubleshoot # zypper remove setroubleshoot
scored: true
- check: - check:
audit: "dpkg -s setroubleshoot" audit: "dpkg -s setroubleshoot"
constraints: constraints:
@ -442,7 +430,6 @@ groups:
# zypper remove setroubleshoot # zypper remove setroubleshoot
scored: true scored: true
- id: 1.6.1.5 - id: 1.6.1.5
description: "Ensure the MCS Translation Service (mcstrans) is not installed" description: "Ensure the MCS Translation Service (mcstrans) is not installed"
@ -452,8 +439,6 @@ groups:
constraints: constraints:
platform: platform:
- rhel7 - rhel7
lsm:
- selinux
tests: tests:
test_items: test_items:
- flag: "is not installed" - flag: "is not installed"
@ -468,19 +453,14 @@ groups:
zypper remove mcstrans zypper remove mcstrans
scored: true
- check: - check:
audit: "dpkg -s mcstrans" audit: "dpkg -s mcstrans"
constraints: constraints:
platform: platform:
- ubuntu - ubuntu
lsm:
- selinux
tests: tests:
test_items: test_items:
- flag: "is not installed" - flag: ""
set: true set: true
remediation: | remediation: |
Uninstall `mcstrans` using the appropriate package manager or manual installation: Uninstall `mcstrans` using the appropriate package manager or manual installation:
@ -492,11 +472,7 @@ groups:
zypper remove mcstrans zypper remove mcstrans
scored: true scored: true
- id: 1.6.1.6 - id: 1.6.1.6
description: "Ensure no unconfined daemons exist" description: "Ensure no unconfined daemons exist"
audit: "ps -eZ | egrep \"initrc\" | egrep -vw \"tr|ps|egrep|bash|awk \" | tr ':' ' ' | awk '{ print $NF }'" audit: "ps -eZ | egrep \"initrc\" | egrep -vw \"tr|ps|egrep|bash|awk \" | tr ':' ' ' | awk '{ print $NF }'"
@ -536,15 +512,13 @@ groups:
Run the following command to update the `grub2` configuration: Run the following command to update the `grub2` configuration:
# update-grub # update-grub
scored: true
- check: - check:
audit: "grep \"^\\s*LINUX\" /etc/default/grub" audit: "grep LINUX /etc/default/grub"
constraints: constraints:
lsm: lsm:
- apparmor - apparmor
boot: boot:
- grub - grub2
tests: tests:
test_items: test_items:
- flag: "apparmor=0" - flag: "apparmor=0"
@ -559,7 +533,6 @@ groups:
Run the following command to update the `grub2` configuration: Run the following command to update the `grub2` configuration:
# update-grub # update-grub
scored: true scored: true
- id: 1.6.2.2 - id: 1.6.2.2
description: "Ensure all AppArmor Profiles are enforcing" description: "Ensure all AppArmor Profiles are enforcing"
@ -604,8 +577,6 @@ groups:
# update-rc.d auditd enable # update-rc.d auditd enable
scored: true
- check: - check:
audit: "systemctl is-enabled auditd" audit: "systemctl is-enabled auditd"
constraints: constraints:
@ -625,8 +596,6 @@ groups:
# update-rc.d auditd enable # update-rc.d auditd enable
scored: true
- check: - check:
audit: "ls /etc/rc*.d | grep auditd" audit: "ls /etc/rc*.d | grep auditd"
type: manual type: manual
@ -647,7 +616,6 @@ groups:
# update-rc.d auditd enable # update-rc.d auditd enable
scored: true scored: true
- id: 4.1.3 - id: 4.1.3
description: "Ensure auditing for processes that start prior to auditd is enabled" description: "Ensure auditing for processes that start prior to auditd is enabled"
@ -670,8 +638,6 @@ groups:
Run the following command to update the `grub2` configuration: Run the following command to update the `grub2` configuration:
# update-grub # update-grub
scored: true
- check: - check:
audit: "grep -i linux /etc/default/grub" audit: "grep -i linux /etc/default/grub"
constraints: constraints:
@ -693,9 +659,7 @@ groups:
Run the following command to update the `grub2` configuration: Run the following command to update the `grub2` configuration:
# update-grub # update-grub
scored: true scored: true
- id: 4.1.4.a - id: 4.1.4.a
description: "Ensure events that modify date and time information are collected" description: "Ensure events that modify date and time information are collected"
audit: "grep time-change /etc/audit/audit.rules" audit: "grep time-change /etc/audit/audit.rules"
@ -807,7 +771,12 @@ groups:
- id: 4.1.6.a - id: 4.1.6.a
description: "Ensure events that modify the system's network environment are collected" description: "Ensure events that modify the system's network environment are collected"
sub_checks:
- check:
audit: "grep system-locale /etc/audit/audit.rules" audit: "grep system-locale /etc/audit/audit.rules"
constraints:
platform:
- rhel7
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -832,12 +801,44 @@ groups:
-w /etc/issue.net -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale -w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale -w /etc/sysconfig/network -p wa -k system-locale
- check:
audit: "grep system-locale /etc/audit/audit.rules"
constraints:
platform:
- ubuntu
tests:
bin_op: and
test_items:
- flag: "-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale"
set: true
- flag: "-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale"
set: true
- flag: "-w /etc/issue -p wa -k system-locale"
set: true
- flag: "-w /etc/issue.net -p wa -k system-locale"
set: true
- flag: "-w /etc/hosts -p wa -k system-locale"
set: true
- flag: "-w /etc/network -p wa -k system-locale"
set: true
remediation: |
For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file:
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale
scored: true scored: true
- id: 4.1.6.b - id: 4.1.6.b
description: "Ensure events that modify the system's network environment are collected" description: "Ensure events that modify the system's network environment are collected"
sub_checks:
- check:
audit: "grep system-locale /etc/audit/audit.rules" audit: "grep system-locale /etc/audit/audit.rules"
constraints:
platform:
- rhel7
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -862,9 +863,36 @@ groups:
-w /etc/issue.net -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale -w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale -w /etc/sysconfig/network -p wa -k system-locale
- check:
audit: "grep system-locale /etc/audit/audit.rules"
constraints:
platform:
- ubuntu
tests:
bin_op: and
test_items:
- flag: "-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale"
set: true
- flag: "-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale"
set: true
- flag: "-w /etc/issue -p wa -k system-locale"
set: true
- flag: "-w /etc/issue.net -p wa -k system-locale"
set: true
- flag: "-w /etc/hosts -p wa -k system-locale"
set: true
- flag: "-w /etc/network -p wa -k system-locale"
set: true
remediation: |
For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file:
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale
scored: true scored: true
- id: 4.1.7.a - id: 4.1.7.a
description: "Ensure events that modify the system's Mandatory Access Controls are collected" description: "Ensure events that modify the system's Mandatory Access Controls are collected"
sub_checks: sub_checks:
@ -885,8 +913,6 @@ groups:
-w /etc/selinux/ -p wa -k MAC-policy -w /etc/selinux/ -p wa -k MAC-policy
-w /usr/share/selinux/ -p wa -k MAC-policy -w /usr/share/selinux/ -p wa -k MAC-policy
scored: true
- check: - check:
audit: "grep MAC-policy /etc/audit/audit.rules" audit: "grep MAC-policy /etc/audit/audit.rules"
constraints: constraints:
@ -926,13 +952,11 @@ groups:
-w /etc/selinux/ -p wa -k MAC-policy -w /etc/selinux/ -p wa -k MAC-policy
-w /usr/share/selinux/ -p wa -k MAC-policy -w /usr/share/selinux/ -p wa -k MAC-policy
scored: true
- check: - check:
audit: "auditctl -l | grep MAC-policy" audit: "auditctl -l | grep MAC-policy"
constraints: constraints:
lsm: lsm:
- selinux - apparmor
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -1476,7 +1500,28 @@ groups:
checks: checks:
- id: 5.4.5.a - id: 5.4.5.a
description: "Ensure default user shell timeout is 900 seconds or less" description: "Ensure default user shell timeout is 900 seconds or less"
sub_checks:
- check:
audit: "grep ^TMOUT /etc/bashrc" audit: "grep ^TMOUT /etc/bashrc"
constraints:
platform:
- rhel7
tests:
test_items:
- flag: "TMOUT"
compare:
op: lte
value: "900"
set: true
remediation: |
Edit the `/etc/bashrc` and `/etc/profile` files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows:
TMOUT=600
- check:
audit: "grep ^TMOUT /etc/bash.bashrc"
constraints:
platform:
- ubuntu
tests: tests:
test_items: test_items:
- flag: "TMOUT" - flag: "TMOUT"
@ -1490,7 +1535,6 @@ groups:
TMOUT=600 TMOUT=600
scored: true scored: true
- id: 5.4.5.b - id: 5.4.5.b
description: "Ensure default user shell timeout is 900 seconds or less" description: "Ensure default user shell timeout is 900 seconds or less"
audit: "grep ^TMOUT /etc/profile" audit: "grep ^TMOUT /etc/profile"

2
root.go
View file

@ -41,7 +41,7 @@ var (
var RootCmd = &cobra.Command{ var RootCmd = &cobra.Command{
Use: "linux-bench", Use: "linux-bench",
Short: "linux-bench is a Go application that checks whether the linux operating system is deployed securely", Short: "linux-bench is a Go application that checks whether the linux operating system is deployed securely",
Long: `This tool runs the CIS Linux Benchmark (https://www.cisecurity.org/benchmark/linux/)`, Long: `This tool runs the CIS Linux Benchmark (https://www.cisecurity.org/cis-benchmarks)`,
Run: app, Run: app,
} }