Merge pull request #1 from aquasecurity/improved-yaml-version-1.1.0

Improved yaml - 1.1.0
This commit is contained in:
Liz Rice 2019-02-05 14:33:57 +00:00 committed by GitHub
commit 9e295a64c4
3 changed files with 1587 additions and 1537 deletions

View file

@ -1,14 +1,20 @@
[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
Linux-bench is a Go application that checks whether The linux operating system is configured securely by running the checks documented in the CIS Linux Benchmark.
Linux-bench is a Go application that checks whether The linux operating system is configured securely by running the checks documented in the CIS Distribution Independent Linux Benchmark.
Tests are configured with YAML files, making this tool easy to update as test specifications evolve.
## CIS Linux Benchmark support
linux-bench currently supports tests for multiple platforms of Linux (ubntu, rhel and debian).
linux-bench will determine the test set to run based on the operating system and the boot loader running on the host machine.
linux-bench currently supports tests for benchmark version 1.1.0 only.
linux-bench will determine the test set to run on the host machine based on the following:
##### Operating system platform - ubuntu/debian/rhel/coreos
##### Boot loader - grub/grub2
##### System logging tool - rsyslog/syslog-ng
##### Lsm - selinux/apparmor
## Installation
### Installing from sources
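Review bot: the platform names in the new support list (`rhel`, `debian`, `coreos`) do not match the constraint values the check definitions in this same PR use (`rhel7`, `ubuntu`), so a reader cannot tell which hosts a sub-check constrained with `platform: - rhel7` actually covers, nor whether a Debian host matches the `ubuntu` constraint; use the same identifiers in both places and say how each host is mapped. Two smaller points in the same hunk: the four detection criteria (`Operating system platform`, `Boot loader`, `System logging tool`, `Lsm`) are written as `#####` headings but read as a list, so a bullet list would render better, and `Lsm` should be `LSM` with its expansion (Linux Security Module) since this README is where readers first meet the term. Minor: `The linux operating system` should read `the Linux operating system`.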
@ -28,12 +34,12 @@ go build -o linux-bench .
./linux-bench
# Run checks for specified linux cis version
./linux-bench
./linux-bench --version <version>
```
# Tests
Tests are specified in definition files `cfg/<version>/definitions.yaml.
Tests are specified in definition files `cfg/<version>/definitions.yaml.`
Where `<version>` is the version of linux cis for which the test applies.
# Contributing
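Review bot: `./linux-bench --version <version>` is documented without its accepted values or default; since the section above states that only benchmark version 1.1.0 is supported, say so here (for example `./linux-bench --version 1.1.0`) and state what the tool does when an unsupported version is passed. Minor: `linux cis` should read `CIS Linux benchmark` both in the comment and in the sentence `Where <version> is the version of linux cis for which the test applies.`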

View file

@ -86,7 +86,12 @@ groups:
checks:
- id: 1.1.1.8.a
description: "Ensure mounting of FAT filesystems is disabled"
sub_checks:
- check:
audit: "modprobe -n -v vfat"
constraints:
platform:
- rhel7
tests:
test_items:
- flag : "install /bin/true"
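Review bot: the new `constraints: platform: - rhel7` on the `modprobe -n -v vfat` sub-check leaves 1.1.1.8.a with no counterpart for the other platforms the README lists, so on ubuntu/debian the item is silently skipped; add a matching sub-check or drop the constraint, since the command is distribution-independent. Also `flag : "install /bin/true"` has a space before the colon where the other items use `flag:`; harmless YAML, but worth normalising. One caveat on the scored item: vfat is required for the EFI system partition on UEFI hosts, so confirm against the benchmark whether 1.1.1.8 is actually scored before keeping `scored: true`.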
@ -102,14 +107,19 @@ groups:
# rmmod vfat
scored: true
- id: 1.1.1.8.b
description: "Ensure mounting of FAT filesystems is disabled"
sub_checks:
- check:
audit: "lsmod | grep vfat"
constraints:
platform:
- rhel7
tests:
test_items:
- flag : ""
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
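Review bot: the `lsmod | grep vfat` sub-check tests `flag: ""` with `set: true`, which reads as "some output is present", yet the item passes precisely when `lsmod | grep vfat` prints nothing (and `grep` exits 1). Confirm the engine's semantics for an empty flag, or express the intent directly as `flag: "vfat"` with `set: false`. As in 1.1.1.8.a, the `platform: - rhel7` constraint leaves the other platforms uncovered even though `lsmod` is available on all of them.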
@ -150,7 +160,6 @@ groups:
# zypper install libselinux
The previous commands install SELinux, use the appropriate package if AppArmor is desired.
scored: false
- check:
audit: "rpm -q apparmor"
constraints:
@ -174,9 +183,6 @@ groups:
# zypper install libselinux
The previous commands install SELinux, use the appropriate package if AppArmor is desired.
scored: false
- check:
audit: "dpkg -s libselinux1"
constraints:
@ -200,10 +206,6 @@ groups:
# zypper install libselinux
The previous commands install SELinux, use the appropriate package if AppArmor is desired.
scored: false
- check:
audit: "dpkg -s apparmor"
constraints:
@ -228,10 +230,6 @@ groups:
The previous commands install SELinux, use the appropriate package if AppArmor is desired.
scored: false
- id: 1.6.1
description: "Configure SELinuxonfigure SELinux"
checks:
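Review bot: the description for 1.6.1 reads `"Configure SELinuxonfigure SELinux"`, a duplicated fragment; it should be `"Configure SELinux"`, the benchmark's section title. Descriptions surface in the report output, so this is worth fixing in this PR rather than later.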
@ -263,8 +261,6 @@ groups:
Run the following command to update the `grub2` configuration:
# update-grub
scored: true
- check:
audit: "grep LINUX /etc/default/grub"
constraints:
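Review bot: `update-grub` is the Debian/Ubuntu wrapper; on the rhel7 platform this file also targets the menu is regenerated with `grub2-mkconfig -o /boot/grub2/grub.cfg` (or the EFI path under `/boot/efi/EFI/redhat/`), so remediation text that says "update the `grub2` configuration: # update-grub" is wrong on RHEL unless the sub-check carrying it is constrained to ubuntu/debian. The `boot:` constraint already distinguishes `grub` from `grub2`, so the remediation can be split along the same line.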
@ -290,7 +286,6 @@ groups:
Run the following command to update the `grub2` configuration:
# update-grub
scored: true
- id: 1.6.1.2.a
description: "Ensure the SELinux state is enforcing"
@ -314,7 +309,6 @@ groups:
Run the following command to update the `grub2` configuration:
# update-grub
scored: true
- id: 1.6.1.2.b
description: "Ensure the SELinux state is enforcing"
@ -351,9 +345,7 @@ groups:
Run the following command to update the `grub2` configuration:
# update-grub
scored: true
- id: 1.6.1.3.a
description: "Ensure SELinux policy is configured"
sub_checks:
@ -370,7 +362,6 @@ groups:
Edit the `/etc/selinux/config` file to set the SELINUXTYPE parameter:
SELINUXTYPE=targeted
scored: true
- id: 1.6.1.3.b
description: "Ensure SELinux policy is configured"
@ -391,7 +382,6 @@ groups:
Edit the `/etc/selinux/config` file to set the SELINUXTYPE parameter:
SELINUXTYPE=targeted
scored: true
@ -419,8 +409,6 @@ groups:
# zypper remove setroubleshoot
scored: true
- check:
audit: "dpkg -s setroubleshoot"
constraints:
@ -442,7 +430,6 @@ groups:
# zypper remove setroubleshoot
scored: true
- id: 1.6.1.5
description: "Ensure the MCS Translation Service (mcstrans) is not installed"
@ -452,8 +439,6 @@ groups:
constraints:
platform:
- rhel7
lsm:
- selinux
tests:
test_items:
- flag: "is not installed"
@ -468,19 +453,14 @@ groups:
zypper remove mcstrans
scored: true
- check:
audit: "dpkg -s mcstrans"
constraints:
platform:
- ubuntu
lsm:
- selinux
tests:
test_items:
- flag: "is not installed"
- flag: ""
set: true
remediation: |
Uninstall `mcstrans` using the appropriate package manager or manual installation:
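Review bot: the `dpkg -s mcstrans` sub-check cannot safely match `is not installed`: for a package that is not installed `dpkg -s` writes `dpkg-query: package 'mcstrans' is not installed and no information is available` to stderr and exits 1, so the flag only matches if the engine captures stderr, whereas `rpm -q` writes `package mcstrans is not installed` to stdout. The two `flag:` lines visible here (`"is not installed"` and `""`) point at that uncertainty; a robust form is to assert that the success line `Status: install ok installed` is absent (`set: false`), which works regardless of where the diagnostic goes. If the `lsm: - selinux` constraint is being removed here, that is fine for an absence check, as mcstrans should be absent on AppArmor hosts too.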
@ -492,11 +472,7 @@ groups:
zypper remove mcstrans
scored: true
- id: 1.6.1.6
description: "Ensure no unconfined daemons exist"
audit: "ps -eZ | egrep \"initrc\" | egrep -vw \"tr|ps|egrep|bash|awk \" | tr ':' ' ' | awk '{ print $NF }'"
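Review bot: the `egrep -vw "tr|ps|egrep|bash|awk "` filter carries a trailing space inside its last alternative (`awk `); with `-w` that means a process named exactly `awk` at the end of a line is no longer excluded, so the pipeline can report its own `awk` as an unconfined daemon. The benchmark's command has no space there. Since this item lists processes for a human to judge, consider `type: manual`, as the `ls /etc/rc*.d | grep auditd` check further down already does.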
@ -536,15 +512,13 @@ groups:
Run the following command to update the `grub2` configuration:
# update-grub
scored: true
- check:
audit: "grep \"^\\s*LINUX\" /etc/default/grub"
audit: "grep LINUX /etc/default/grub"
constraints:
lsm:
- apparmor
boot:
- grub
- grub2
tests:
test_items:
- flag: "apparmor=0"
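Review bot: of the two audit strings shown for the AppArmor boot-parameter sub-check, `grep "^\s*LINUX" /etc/default/grub` can never match, because the variable is `GRUB_CMDLINE_LINUX` (or `GRUB_CMDLINE_LINUX_DEFAULT`) and no line in that file begins with `LINUX`; the bare `grep LINUX /etc/default/grub` does match but also hits commented-out lines. `grep "^\s*GRUB_CMDLINE_LINUX" /etc/default/grub` gives the intended behaviour. Also confirm that the `set:` line following `flag: "apparmor=0"` is `false`: the item is satisfied when `apparmor=0` is absent from the kernel command line.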
@ -559,7 +533,6 @@ groups:
Run the following command to update the `grub2` configuration:
# update-grub
scored: true
- id: 1.6.2.2
description: "Ensure all AppArmor Profiles are enforcing"
@ -604,8 +577,6 @@ groups:
# update-rc.d auditd enable
scored: true
- check:
audit: "systemctl is-enabled auditd"
constraints:
@ -625,8 +596,6 @@ groups:
# update-rc.d auditd enable
scored: true
- check:
audit: "ls /etc/rc*.d | grep auditd"
type: manual
@ -647,7 +616,6 @@ groups:
# update-rc.d auditd enable
scored: true
- id: 4.1.3
description: "Ensure auditing for processes that start prior to auditd is enabled"
@ -670,8 +638,6 @@ groups:
Run the following command to update the `grub2` configuration:
# update-grub
scored: true
- check:
audit: "grep -i linux /etc/default/grub"
constraints:
@ -693,9 +659,7 @@ groups:
Run the following command to update the `grub2` configuration:
# update-grub
scored: true
- id: 4.1.4.a
description: "Ensure events that modify date and time information are collected"
audit: "grep time-change /etc/audit/audit.rules"
@ -807,7 +771,12 @@ groups:
- id: 4.1.6.a
description: "Ensure events that modify the system's network environment are collected"
sub_checks:
- check:
audit: "grep system-locale /etc/audit/audit.rules"
constraints:
platform:
- rhel7
tests:
bin_op: and
test_items:
@ -832,12 +801,44 @@ groups:
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
- check:
audit: "grep system-locale /etc/audit/audit.rules"
constraints:
platform:
- ubuntu
tests:
bin_op: and
test_items:
- flag: "-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale"
set: true
- flag: "-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale"
set: true
- flag: "-w /etc/issue -p wa -k system-locale"
set: true
- flag: "-w /etc/issue.net -p wa -k system-locale"
set: true
- flag: "-w /etc/hosts -p wa -k system-locale"
set: true
- flag: "-w /etc/network -p wa -k system-locale"
set: true
remediation: |
For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file:
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale
scored: true
- id: 4.1.6.b
description: "Ensure events that modify the system's network environment are collected"
sub_checks:
- check:
audit: "grep system-locale /etc/audit/audit.rules"
constraints:
platform:
- rhel7
tests:
bin_op: and
test_items:
@ -862,9 +863,36 @@ groups:
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
- check:
audit: "grep system-locale /etc/audit/audit.rules"
constraints:
platform:
- ubuntu
tests:
bin_op: and
test_items:
- flag: "-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale"
set: true
- flag: "-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale"
set: true
- flag: "-w /etc/issue -p wa -k system-locale"
set: true
- flag: "-w /etc/issue.net -p wa -k system-locale"
set: true
- flag: "-w /etc/hosts -p wa -k system-locale"
set: true
- flag: "-w /etc/network -p wa -k system-locale"
set: true
remediation: |
For 64 bit systems add the following lines to the `/etc/audit/audit.rules` file:
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale
scored: true
- id: 4.1.7.a
description: "Ensure events that modify the system's Mandatory Access Controls are collected"
sub_checks:
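Review bot: the ubuntu sub-check added to 4.1.6.b is byte-for-byte the same as the one added to 4.1.6.a (same `grep system-locale /etc/audit/audit.rules` audit, same six flags, same remediation), and the visible rhel7 context of both looks identical as well, so the item is evaluated twice with no added coverage. If `.b` was meant to check the loaded ruleset (as 4.1.7 does with `auditctl -l | grep MAC-policy`), change its audit command; otherwise fold it into `.a`.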
@ -885,8 +913,6 @@ groups:
-w /etc/selinux/ -p wa -k MAC-policy
-w /usr/share/selinux/ -p wa -k MAC-policy
scored: true
- check:
audit: "grep MAC-policy /etc/audit/audit.rules"
constraints:
@ -926,13 +952,11 @@ groups:
-w /etc/selinux/ -p wa -k MAC-policy
-w /usr/share/selinux/ -p wa -k MAC-policy
scored: true
- check:
audit: "auditctl -l | grep MAC-policy"
constraints:
lsm:
- selinux
- apparmor
tests:
bin_op: and
test_items:
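Review bot: matching `auditctl -l` output against flags copied from the file form is fragile: the kernel stores watch paths without a trailing slash, so a rule loaded as `-w /etc/selinux/ -p wa -k MAC-policy` (the form the remediation above gives) is listed by `auditctl -l` without it, and syscall rules are printed in canonical form rather than as typed. For the `auditctl -l` sub-check either strip the trailing slashes from the flags or match on the key and the path separately.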
@ -1476,7 +1500,28 @@ groups:
checks:
- id: 5.4.5.a
description: "Ensure default user shell timeout is 900 seconds or less"
sub_checks:
- check:
audit: "grep ^TMOUT /etc/bashrc"
constraints:
platform:
- rhel7
tests:
test_items:
- flag: "TMOUT"
compare:
op: lte
value: "900"
set: true
remediation: |
Edit the `/etc/bashrc` and `/etc/profile` files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows:
TMOUT=600
- check:
audit: "grep ^TMOUT /etc/bash.bashrc"
constraints:
platform:
- ubuntu
tests:
test_items:
- flag: "TMOUT"
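Review bot: the remediation under the rhel7 sub-check says "add or edit any umask parameters as follows: TMOUT=600", text carried over from the umask item; it should name the `TMOUT` parameter. Two points on the audit itself: `grep ^TMOUT /etc/bashrc` only sees lines that begin with `TMOUT`, so a compliant `readonly TMOUT=600` or `export TMOUT=600` is reported as missing, and the `compare: op: lte, value: "900"` relies on the engine extracting the number from `TMOUT=600`, which is worth confirming. The ubuntu sub-check reads `/etc/bash.bashrc`, which is also the Debian path, so make sure `platform: - ubuntu` matches Debian hosts or list them explicitly.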
@ -1490,7 +1535,6 @@ groups:
TMOUT=600
scored: true
- id: 5.4.5.b
description: "Ensure default user shell timeout is 900 seconds or less"
audit: "grep ^TMOUT /etc/profile"

View file

@ -41,7 +41,7 @@ var (
var RootCmd = &cobra.Command{
Use: "linux-bench",
Short: "linux-bench is a Go application that checks whether the linux operating system is deployed securely",
Long: `This tool runs the CIS Linux Benchmark (https://www.cisecurity.org/benchmark/linux/)`,
Long: `This tool runs the CIS Linux Benchmark (https://www.cisecurity.org/cis-benchmarks)`,
Run: app,
}
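Review bot: the `Long` text still calls the target the generic "CIS Linux Benchmark" while the README in this PR renames it to the CIS Distribution Independent Linux Benchmark; name the benchmark and the supported `--version 1.1.0` value here too, since `https://www.cisecurity.org/cis-benchmarks` is the landing page for all CIS benchmarks and the text has to tell the reader which one to pick.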