Merge branch 'master' into patch-6

2025-02-23 06:35:33 +01:00 · 2019-05-28 12:56:57 +02:00 · 2019-05-28 12:56:57 +02:00 · c88d2d07c4
commit c88d2d07c4
parent 43081d61f2 3e3cff4341
4 changed files with 21 additions and 14 deletions
--- a/app.go
+++ b/app.go
@ -51,7 +51,7 @@ func outputResults(controls *check.Controls, summary check.Summary) error {
 		if err != nil {
 			return err
 		}
-		fmt.Println(string(out))
+		util.PrintOutput(string(out), outputFile)
 	} else {
 		util.PrettyPrint(controls, summary, noRemediations, includeTestOutput)
 	}
--- a/cfg/1.1.0/1.1.25.sh
+++ b/cfg/1.1.0/1.1.25.sh
@ -0,0 +1 @@
+df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null
--- a/cfg/1.1.0/definitions.yaml
+++ b/cfg/1.1.0/definitions.yaml
@ -262,7 +262,7 @@ groups:
      audit: "mount | grep /tmp"   
      tests:
        test_items:
-        - flag: "tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noexec,relatime)"
+        - flag: "tmpfs on /tmp type tmpfs"
          set: true                        
      remediation: |
            For new installations, during installation create a custom partition setup and specify a separate partition for `/tmp` .
@ -564,7 +564,7 @@ groups:
            
    - id: 1.1.25
      description: "Ensure sticky bit is set on all world-writable directories"
-      audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) 2>/dev/null"   
+      audit: "./1.1.25.sh"   
      tests:
        test_items:
        - flag: ""
@ -987,11 +987,15 @@ groups:
  checks:
    - id: 1.5.1.a
      description: "Ensure core dumps are restricted"
-      audit: "grep -h ^* /etc/security/limits.conf /etc/security/limits.d/*"   
+      audit: "grep -h ^[^#].*hard[[:blank:]]*core /etc/security/limits.conf /etc/security/limits.d/*"   
      tests:
-        test_items:
-        - flag: "hard core 0"
-          set: true                        
+        tests:
+        bin_op: and
+        test_items:                     
+        - flag: "hard"
+          set: true
+        - flag: "core"
+          set: true                   
      remediation: |
            Add the following line to `/etc/security/limits.conf` or a `/etc/security/limits.d/*` file:
            
@ -7180,10 +7184,10 @@ groups:
            
    - id: 5.3.4
      description: "Ensure password hashing algorithm is SHA-512"
-      audit: "grep password /etc/pam.d/common-password /etc/pam.d/system-auth /etc/pam.d/password-auth"   
+      audit: "grep -E ^[^#].*sha512  /etc/pam.d/common-password /etc/pam.d/system-auth /etc/pam.d/password-auth"   
      tests:
        test_items:
-        - flag: "password    sufficient    pam_unix.so sha512"
+        - flag: "sha512"
          set: true                                  
      remediation: |
            Set password hashing algorithm to sha512. Many distributions provide tools for updating PAM configuration, consult your documentation for details. If no tooling is provided edit the appropriate `/etc/pam.d/` configuration file and add or modify the `pam_unix.so` lines to include the sha512 option:
@ -7820,7 +7824,7 @@ groups:
            
    - id: 6.1.10.a
      description: "Ensure no world writable files exist"
-      audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002"   
+      audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 | head -n 100"   
      tests:
        test_items:
        - flag: ""
@ -7842,7 +7846,7 @@ groups:

    - id: 6.1.11.a
      description: "Ensure no unowned files or directories exist"
-      audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser"   
+      audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser | head -n 100"   
      tests:
        test_items:
        - flag: ""
@ -7864,7 +7868,7 @@ groups:
            
    - id: 6.1.12.a
      description: "Ensure no ungrouped files or directories exist"
-      audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup"   
+      audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup | head -n 100"   
      tests:
        test_items:
        - flag: ""
@ -7886,7 +7890,7 @@ groups:
            
    - id: 6.1.13.a
      description: "Audit SUID executables"
-      audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000"   
+      audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -4000 | head -n 100"   
      type: manual
      tests:
        test_items:
@ -7909,7 +7913,7 @@ groups:
            
    - id: 6.1.14.a
      description: "Audit SGID executables"
-      audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000"   
+      audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -2000 | head -n 100"   
      type: manual 
      tests:
        test_items:
--- a/root.go
+++ b/root.go
@ -35,6 +35,7 @@ var (
 	checkList         string
 	jsonFmt           bool
 	includeTestOutput bool
+	outputFile        string
 )

 // RootCmd represents the base command when called without any subcommands
@ -74,6 +75,7 @@ func init() {
 	RootCmd.Flags().StringVarP(&cfgDir, "config-dir", "D", "cfg", "directory to get benchmark definitions")
 	RootCmd.PersistentFlags().BoolVar(&jsonFmt, "json", false, "Prints the results as JSON")
 	RootCmd.PersistentFlags().BoolVar(&includeTestOutput, "include-test-output", false, "Prints the test's output")
+	RootCmd.PersistentFlags().StringVar(&outputFile, "outputfile", "", "Writes the JSON results to output file")
 	RootCmd.PersistentFlags().StringVarP(
 		&checkList,
 		"check",
				`@ -0,0 +1 @@`
				`df --local -P \| awk {'if (NR!=1) print $6'} \| xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null`