Merge branch 'master' into patch-6

app.go

@@ -51,7 +51,7 @@ func outputResults(controls *check.Controls, summary check.Summary) error {
 		if err != nil {
 			return err
 		}
-		fmt.Println(string(out))
+		util.PrintOutput(string(out), outputFile)
 	} else {
 		util.PrettyPrint(controls, summary, noRemediations, includeTestOutput)
 	}

cfg/1.1.0/1.1.25.sh

@@ -0,0 +1 @@
+df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null

cfg/1.1.0/definitions.yaml

@@ -262,7 +262,7 @@ groups:
       audit: "mount | grep /tmp"   
       tests:
         test_items:
-        - flag: "tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)"
+        - flag: "tmpfs on /tmp type tmpfs"
           set: true                        
       remediation: |
             For new installations, during installation create a custom partition setup and specify a separate partition for `/tmp` .
@@ -564,7 +564,7 @@ groups:
             
     - id: 1.1.25
       description: "Ensure sticky bit is set on all world-writable directories"
-      audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) 2>/dev/null"   
+      audit: "./1.1.25.sh"   
       tests:
         test_items:
         - flag: ""
@@ -987,11 +987,15 @@ groups:
   checks:
     - id: 1.5.1.a
       description: "Ensure core dumps are restricted"
-      audit: "grep -h ^* /etc/security/limits.conf /etc/security/limits.d/*"   
+      audit: "grep -h ^[^#].*hard[[:blank:]]*core /etc/security/limits.conf /etc/security/limits.d/*"   
       tests:
-        test_items:
+        tests:
-        - flag: "hard core 0"
+        bin_op: and
-          set: true                        
+        test_items:                     
+        - flag: "hard"
+          set: true
+        - flag: "core"
+          set: true                   
       remediation: |
             Add the following line to `/etc/security/limits.conf` or a `/etc/security/limits.d/*` file:
             
@@ -7180,10 +7184,10 @@ groups:
             
     - id: 5.3.4
       description: "Ensure password hashing algorithm is SHA-512"
-      audit: "grep password /etc/pam.d/common-password /etc/pam.d/system-auth /etc/pam.d/password-auth"   
+      audit: "grep -E ^[^#].*sha512  /etc/pam.d/common-password /etc/pam.d/system-auth /etc/pam.d/password-auth"   
       tests:
         test_items:
-        - flag: "password    sufficient    pam_unix.so sha512"
+        - flag: "sha512"
           set: true                                  
       remediation: |
             Set password hashing algorithm to sha512. Many distributions provide tools for updating PAM configuration, consult your documentation for details. If no tooling is provided edit the appropriate `/etc/pam.d/` configuration file and add or modify the `pam_unix.so` lines to include the sha512 option:
@@ -7820,7 +7824,7 @@ groups:
             
     - id: 6.1.10.a
       description: "Ensure no world writable files exist"
-      audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002"   
+      audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 | head -n 100"   
       tests:
         test_items:
         - flag: ""
@@ -7842,7 +7846,7 @@ groups:
 
     - id: 6.1.11.a
       description: "Ensure no unowned files or directories exist"
-      audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser"   
+      audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser | head -n 100"   
       tests:
         test_items:
         - flag: ""
@@ -7864,7 +7868,7 @@ groups:
             
     - id: 6.1.12.a
       description: "Ensure no ungrouped files or directories exist"
-      audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup"   
+      audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup | head -n 100"   
       tests:
         test_items:
         - flag: ""
@@ -7886,7 +7890,7 @@ groups:
             
     - id: 6.1.13.a
       description: "Audit SUID executables"
-      audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000"   
+      audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 | head -n 100"   
       type: manual
       tests:
         test_items:
@@ -7909,7 +7913,7 @@ groups:
             
     - id: 6.1.14.a
       description: "Audit SGID executables"
-      audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000"   
+      audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 | head -n 100"   
       type: manual 
       tests:
         test_items:

root.go

@@ -35,6 +35,7 @@ var (
 	checkList         string
 	jsonFmt           bool
 	includeTestOutput bool
+	outputFile        string
 )
 
 // RootCmd represents the base command when called without any subcommands
@@ -74,6 +75,7 @@ func init() {
 	RootCmd.Flags().StringVarP(&cfgDir, "config-dir", "D", "cfg", "directory to get benchmark definitions")
 	RootCmd.PersistentFlags().BoolVar(&jsonFmt, "json", false, "Prints the results as JSON")
 	RootCmd.PersistentFlags().BoolVar(&includeTestOutput, "include-test-output", false, "Prints the test's output")
+	RootCmd.PersistentFlags().StringVar(&outputFile, "outputfile", "", "Writes the JSON results to output file")
 	RootCmd.PersistentFlags().StringVarP(
 		&checkList,
 		"check",