From 8f0f5ff0ca7cc25beaf36c5dc32a20226eee17db Mon Sep 17 00:00:00 2001 From: yoavrotems Date: Tue, 7 May 2019 13:59:57 +0300 Subject: [PATCH 1/5] Update definitions.yaml fixed: 1.1.2, 1.5.1.a, 5.3.4 --- cfg/1.1.0/definitions.yaml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/cfg/1.1.0/definitions.yaml b/cfg/1.1.0/definitions.yaml index cdc1369..e1cb61d 100644 --- a/cfg/1.1.0/definitions.yaml +++ b/cfg/1.1.0/definitions.yaml @@ -262,7 +262,7 @@ groups: audit: "mount | grep /tmp" tests: test_items: - - flag: "tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)" + - flag: "tmpfs on /tmp type tmpfs" set: true remediation: | For new installations, during installation create a custom partition setup and specify a separate partition for `/tmp` . @@ -987,11 +987,15 @@ groups: checks: - id: 1.5.1.a description: "Ensure core dumps are restricted" - audit: "grep -h ^* /etc/security/limits.conf /etc/security/limits.d/*" + audit: "grep -h ^[^#].*hard[[:blank:]]*core /etc/security/limits.conf /etc/security/limits.d/*" tests: - test_items: - - flag: "hard core 0" - set: true + tests: + bin_op: and + test_items: + - flag: "hard" + set: true + - flag: "core" + set: true remediation: | Add the following line to `/etc/security/limits.conf` or a `/etc/security/limits.d/*` file: 
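Review bot: The new 1.1.2 flag `tmpfs on /tmp type tmpfs` still ties "separate partition for /tmp" to the tmpfs filesystem type, so a dedicated disk partition mounted at /tmp (shown by `mount` as `/dev/... on /tmp type ext4 (...)`) fails the check although the control is satisfied. Matching on the mount point only, e.g. `- flag: " on /tmp type "`, accepts any filesystem type while the nosuid/nodev/noexec options, which this commit already drops from 1.1.2, stay with their own checks; keeping ` on /tmp ` in the flag is also what stops the `mount | grep /tmp` audit from passing on `/var/tmp`. The 1.5.1.a hunk further along this line runs past the visible text, but on its visible new side the `hard` and `core` flags no longer pin the value `0` the old `hard core 0` flag required, so a `* hard core unlimited` line would presumably pass; that is worth re-checking with the full hunk in view.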
@@ -7180,10 +7184,10 @@ groups: - id: 5.3.4 description: "Ensure password hashing algorithm is SHA-512" - audit: "grep password /etc/pam.d/common-password /etc/pam.d/system-auth /etc/pam.d/password-auth" + audit: "grep -E ^[^#].*sha512 /etc/pam.d/common-password /etc/pam.d/system-auth /etc/pam.d/password-auth" tests: test_items: - - flag: "password sufficient pam_unix.so sha512" + - flag: "sha512" set: true remediation: | Set password hashing algorithm to sha512. Many distributions provide tools for updating PAM configuration, consult your documentation for details. If no tooling is provided edit the appropriate `/etc/pam.d/` configuration file and add or modify the `pam_unix.so` lines to include the sha512 option: From d2ab36f8007f83bdeceb1e4743cffcb47a25e1b3 Mon Sep 17 00:00:00 2001 From: yoavrotems Date: Tue, 21 May 2019 14:40:16 +0300 Subject: [PATCH 2/5] Update definitions.yaml Has a problem with the pipelines in the audit command. Solved with script 1.1.25.sh file --- cfg/1.1.0/definitions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cfg/1.1.0/definitions.yaml b/cfg/1.1.0/definitions.yaml index cdc1369..fcc7389 100644 --- a/cfg/1.1.0/definitions.yaml +++ b/cfg/1.1.0/definitions.yaml @@ -564,7 +564,7 @@ groups: - id: 1.1.25 description: "Ensure sticky bit is set on all world-writable directories" - audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) 2>/dev/null" + audit: "./1.1.25.sh" tests: test_items: - flag: "" From 0a50f06540cc27dcd33cf97405f1cf6ca1f79faf Mon Sep 17 00:00:00 2001 From: yoavrotems Date: Tue, 21 May 2019 14:42:57 +0300 Subject: [PATCH 3/5] Create 1.1.25.sh Made for test 1.1.25 --- cfg/1.1.0/1.1.25.sh | 1 + 1 file changed, 1 insertion(+) create mode 100644 cfg/1.1.0/1.1.25.sh diff --git a/cfg/1.1.0/1.1.25.sh b/cfg/1.1.0/1.1.25.sh new file mode 100644 index 0000000..5b3fd58 --- /dev/null +++ b/cfg/1.1.0/1.1.25.sh 
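Review bot: The new 5.3.4 test only needs the substring `sha512` somewhere on a non-comment line of the three PAM files, so the check no longer ties the option to the `pam_unix.so` entry: a file whose `pam_unix.so` line still uses md5 passes as long as any other uncommented line mentions sha512. Anchoring the audit to the module keeps the intent of the old `password sufficient pam_unix.so sha512` flag while still tolerating the different control keywords across distributions, e.g. `audit: "grep -E '^[^#].*pam_unix\\.so.*sha512' /etc/pam.d/common-password /etc/pam.d/system-auth /etc/pam.d/password-auth"`. Quoting the pattern also stops the shell from treating the unquoted `^[^#].*sha512` as a filename glob when a matching name exists in the working directory.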
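Review bot: `audit: "./1.1.25.sh"` is resolved against the process's current working directory, not the directory the definitions were loaded from (`--config-dir` defaults to `cfg` in root.go later on this page), so the audit only works when the tool is started from cfg/1.1.0 and otherwise runs whatever `1.1.25.sh` happens to exist in the cwd, or nothing at all. The script should be invoked through a path anchored to the configuration directory, or the pipeline kept inline as the 6.1.x audits in patch 5 still do. The commit message blames the pipeline, yet those 6.1.x audits keep the same `df | awk | xargs find` pipeline inline, so the real difference seems to be the `\\(` escaping inside the YAML string rather than the pipe itself. Patch 3 on this page also creates the script with mode 100644, so `./1.1.25.sh` will be refused with permission denied unless it is run via `sh`. This hunk's last line is not visible on this page.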
@@ -0,0 +1 @@
+df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null
From 90e23dc3a27b26d8b6ea784361aeefa2b34598d3 Mon Sep 17 00:00:00 2001
From: nshauli
Date: Thu, 23 May 2019 17:34:21 +0300
Subject: [PATCH 4/5] Add support for writing JSON results to output file using --output flag
---
 app.go | 2 +-
 root.go | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/app.go b/app.go
index 2cb16a5..b168e99 100644
--- a/app.go
+++ b/app.go
@@ -51,7 +51,7 @@ func outputResults(controls *check.Controls, summary check.Summary) error {
 if err != nil {
 return err
 }
- fmt.Println(string(out))
+ util.PrintOutput(string(out), outputFile)
 } else {
 util.PrettyPrint(controls, summary, noRemediations, includeTestOutput)
 }
diff --git a/root.go b/root.go
index 212ba7a..862db75 100644
--- a/root.go
+++ b/root.go
@@ -35,6 +35,7 @@ var (
 checkList string
 jsonFmt bool
 includeTestOutput bool
+ outputFile string
 )
 
 // RootCmd represents the base command when called without any subcommands
@@ -74,6 +75,7 @@ func init() {
 RootCmd.Flags().StringVarP(&cfgDir, "config-dir", "D", "cfg", "directory to get benchmark definitions")
 RootCmd.PersistentFlags().BoolVar(&jsonFmt, "json", false, "Prints the results as JSON")
 RootCmd.PersistentFlags().BoolVar(&includeTestOutput, "include-test-output", false, "Prints the test's output")
+ RootCmd.PersistentFlags().StringVar(&outputFile, "outputfile", "", "Writes the JSON results to output file")
 RootCmd.PersistentFlags().StringVarP(
 &checkList,
 "check",
From 23dc330bc17c818966f3099e8f564a3ec1dbb912 Mon Sep 17 00:00:00 2001
From: yoavrotems
Date: Sun, 26 May 2019 15:07:06 +0300
Subject: [PATCH 5/5] Add limit to specific tests output - in order to be more efficient 6.1.10 6.1.11 6.1.12 6.1.13 6.1.14 and test 1.1.25 been changed in the script 1.1.25.sh
---
 cfg/1.1.0/definitions.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
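Review bot: The new `1.1.25.sh` has no shebang and is committed with mode 100644 (see the `create mode` line of patch 3), so the `./1.1.25.sh` audit that patch 2 points at it fails with permission denied unless the caller runs it through `sh`; add `#!/bin/sh` as the first line and commit the file with mode 100755. The trailing `2>/dev/null` also hides `df` or `find` failing on a mount, which turns a broken audit into empty output that the `flag: ""` test on this page presumably reads as a clean result; dropping the redirect keeps such failures visible in the test output. The awk program `{'if (NR!=1) print $6'}` leaves the braces outside the quotes and works only because nothing in them is shell-special; `awk '{if (NR!=1) print $6}'` is the conventional form.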
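Review bot: `util.PrintOutput(string(out), outputFile)` discards whatever PrintOutput returns, so if creating or writing the output file fails (read-only path, missing directory), outputResults still returns nil and the run looks successful while nothing was saved. PrintOutput's signature is not on this page; if it returns an error it should be propagated, `if err := util.PrintOutput(string(out), outputFile); err != nil { return err }`, and if it only logs, the write failure should become a returned error here instead. outputResults starts before this hunk.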
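Review bot: The flag is registered as `outputfile` while the commit subject documents it as `--output`, and the help text `Writes the JSON results to output file` does not say that the flag is ignored unless `--json` is also given (the app.go hunk above only passes outputFile in the JSON branch). One of the two names should be corrected, and the help string should state the dependency, e.g. `"Writes the JSON results to the given file (requires --json)"`. The neighbouring flags use hyphenated names (`config-dir`, `include-test-output`), so `output-file` would also be the consistent choice. init continues past this hunk.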
diff --git a/cfg/1.1.0/definitions.yaml b/cfg/1.1.0/definitions.yaml index fcc7389..daf06e5 100644 --- a/cfg/1.1.0/definitions.yaml +++ b/cfg/1.1.0/definitions.yaml @@ -7820,7 +7820,7 @@ groups: - id: 6.1.10.a description: "Ensure no world writable files exist" - audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002" + audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 | head -n 100" tests: test_items: - flag: "" @@ -7842,7 +7842,7 @@ groups: - id: 6.1.11.a description: "Ensure no unowned files or directories exist" - audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser" + audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser | head -n 100" tests: test_items: - flag: "" @@ -7864,7 +7864,7 @@ groups: - id: 6.1.12.a description: "Ensure no ungrouped files or directories exist" - audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup" + audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup | head -n 100" tests: test_items: - flag: "" @@ -7886,7 +7886,7 @@ groups: - id: 6.1.13.a description: "Audit SUID executables" - audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000" + audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 | head -n 100" type: manual tests: test_items: @@ -7909,7 +7909,7 @@ groups: - id: 6.1.14.a description: "Audit SGID executables" - audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000" + audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 | head -n 100" type: manual tests: test_items:
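Review bot: The `| head -n 100` appended to the 6.1.10.a audit, and identically in 6.1.11.a, 6.1.12.a, 6.1.13.a and 6.1.14.a, silently truncates the evidence: for the two manual SUID/SGID audits anything past the first 100 findings is never shown to the reviewer, and for the world-writable/unowned/ungrouped checks the pass/fail result presumably stays the same (non-empty output stays non-empty) while the report understates the extent of the problem without saying so. If output size is the concern, keep the truncation but make it visible together with the count of what was cut, e.g. replace `| head -n 100` with `| awk 'NR<=100{print} END{if (NR>100) print \"(\" NR-100 \" more entries omitted)\"}'` inside the YAML string. Each of these hunks ends beyond the text visible on this page.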