Merge pull request #69 from aquasecurity/test-order

Make unit tests work under GitHub Actions
This commit is contained in:
Yoav Rotem 2020-12-22 11:31:08 +02:00 committed by GitHub
commit ca36ec8929
3 changed files with 8930 additions and 8974 deletions


@ -5,15 +5,9 @@ import (
"testing" "testing"
) )
var (
cfgdir = "./cfg"
ver = "1.1.0"
path string
)
// Tests all standard linux-bench defintion files // Tests all standard linux-bench defintion files
func TestGetDefinitionFilePath(t *testing.T) { func TestGetDefinitionFilePath(t *testing.T) {
d, err := os.Open(cfgdir) d, err := os.Open("./cfg")
if err != nil { if err != nil {
t.Errorf("unexpected error: %s\n", err) t.Errorf("unexpected error: %s\n", err)
} }
@ -24,6 +18,7 @@ func TestGetDefinitionFilePath(t *testing.T) {
} }
for _, ver := range vers { for _, ver := range vers {
t.Logf("%v", ver)
_, err := getDefinitionFilePath(ver) _, err := getDefinitionFilePath(ver)
if err != nil { if err != nil {
t.Errorf("unexpected error: %s\n", err) t.Errorf("unexpected error: %s\n", err)
@ -31,20 +26,13 @@ func TestGetDefinitionFilePath(t *testing.T) {
} }
} }
func TestGetControls(t *testing.T) {
var err error
path, err = getDefinitionFilePath(ver)
if err != nil {
t.Errorf("unexpected error: %s\n", err)
}
_, err = getControls(path, nil)
if err != nil {
t.Errorf("unexpected error: %s\n", err)
}
}
func TestRunControls(t *testing.T) { func TestRunControls(t *testing.T) {
cfgDir = "./hack"
path, err := getDefinitionFilePath("test-definitions")
if err != nil {
t.Errorf("unexpected error: %s\n", err)
}
control, err := getControls(path, nil) control, err := getControls(path, nil)
if err != nil { if err != nil {
t.Errorf("unexpected error: %s\n", err) t.Errorf("unexpected error: %s\n", err)
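Review bot: In TestRunControls the `t.Errorf` after `getDefinitionFilePath("test-definitions")` lets the test continue into `getControls(path, nil)` with an empty `path`, so a lookup failure surfaces as a second, misleading error; that branch should read `t.Fatalf("unexpected error: %s\n", err)`. The assignment `cfgDir = "./hack"` also overwrites a variable declared outside this function (it uses `=`, not `:=`) and is never restored, so tests that run after this one in the same package see the hack directory instead of `./cfg` — exactly the ordering problem the PR title is about; save and restore it with `prev := cfgDir` and `t.Cleanup(func() { cfgDir = prev })` (or a defer if the module predates Go 1.14). The same Errorf-then-continue pattern sits in TestGetDefinitionFilePath at `os.Open("./cfg")`, where a nil `d` is presumably used further down. TestRunControls's body continues past the end of this hunk.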


@ -372,7 +372,6 @@ groups:
# mount -o remount,nodev /tmp # mount -o remount,nodev /tmp
scored: true scored: true
- id: 1.1.4 - id: 1.1.4
description: "Ensure nosuid option set on /tmp partition" description: "Ensure nosuid option set on /tmp partition"
audit: "mount | grep -E '\\s/tmp\\s' | grep -v nosuid" audit: "mount | grep -E '\\s/tmp\\s' | grep -v nosuid"
@ -396,7 +395,6 @@ groups:
# mount -o remount,nosuid /tmp # mount -o remount,nosuid /tmp
scored: true scored: true
- id: 1.1.5 - id: 1.1.5
description: "Ensure noexec option set on /tmp partition" description: "Ensure noexec option set on /tmp partition"
audit: "mount | grep -E '\\s/tmp\\s' | grep -v noexec" audit: "mount | grep -E '\\s/tmp\\s' | grep -v noexec"
@ -455,7 +453,6 @@ groups:
scored: true scored: true
- id: 1.1.9 - id: 1.1.9
description: "Ensure nosuid option set on /var/tmp partition" description: "Ensure nosuid option set on /var/tmp partition"
audit: "mount | grep -E '\\s/var/tmp\\s' | grep -v nosuid" audit: "mount | grep -E '\\s/var/tmp\\s' | grep -v nosuid"
@ -559,7 +556,6 @@ groups:
scored: true scored: true
- id: 1.1.16 - id: 1.1.16
description: "Ensure nosuid option set on /dev/shm partition" description: "Ensure nosuid option set on /dev/shm partition"
audit: "mount | grep -E '\\s/dev/shm\\s' | grep -v nosuid" audit: "mount | grep -E '\\s/dev/shm\\s' | grep -v nosuid"
@ -1032,7 +1028,7 @@ groups:
description: "Ensure interactive boot is not enabled" description: "Ensure interactive boot is not enabled"
sub_checks: sub_checks:
- check: - check:
audit: "grep \"^PROMPT_FOR_CONFIRM=\" /etc/sysconfig/boot" audit: 'grep "^PROMPT_FOR_CONFIRM=" /etc/sysconfig/boot'
constraints: constraints:
boot: boot:
- grub - grub
@ -1040,7 +1036,7 @@ groups:
- rhel7 - rhel7
tests: tests:
test_items: test_items:
- flag: "PROMPT_FOR_CONFIRM=\"no\"" - flag: 'PROMPT_FOR_CONFIRM="no"'
set: true set: true
remediation: | remediation: |
If interactive boot is available disable it. If interactive boot is available disable it.
@ -1062,7 +1058,6 @@ groups:
If interactive boot is available disable it. If interactive boot is available disable it.
scored: false scored: false
- id: 1.5 - id: 1.5
description: "Additional Process Hardening" description: "Additional Process Hardening"
checks: checks:
@ -1479,7 +1474,6 @@ groups:
op: eq op: eq
value: "0" value: "0"
set: false set: false
test_items:
- flag: "enforcing" - flag: "enforcing"
compare: compare:
op: eq op: eq
@ -1588,7 +1582,6 @@ groups:
SELINUXTYPE=targeted SELINUXTYPE=targeted
scored: true scored: true
- id: 1.6.2.4 - id: 1.6.2.4
description: "Ensure SETroubleshoot is not installed" description: "Ensure SETroubleshoot is not installed"
sub_checks: sub_checks:
@ -1719,7 +1712,7 @@ groups:
scored: true scored: true
- id: 1.6.2.6 - id: 1.6.2.6
description: "Ensure no unconfined daemons exist" description: "Ensure no unconfined daemons exist"
audit: "ps -eZ | egrep \"initrc\" | grep -E -v -w \"tr|ps|egrep|bash|awk \" | tr ':' ' ' | awk '{ print $NF }'" audit: 'ps -eZ | egrep "initrc" | grep -E -v -w "tr|ps|egrep|bash|awk " | tr '':'' '' '' | awk ''{ print $NF }'''
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -1803,7 +1796,6 @@ groups:
Any unconfined processes may need to have a profile created or activated for them and then be restarted. Any unconfined processes may need to have a profile created or activated for them and then be restarted.
scored: true scored: true
- id: 1.7 - id: 1.7
description: "Warning Banners" description: "Warning Banners"
checks: checks:
@ -1896,7 +1888,6 @@ groups:
# chmod 644 /etc/motd # chmod 644 /etc/motd
scored: true scored: true
- id: 1.7.1.5 - id: 1.7.1.5
description: "Ensure permissions on /etc/issue are configured" description: "Ensure permissions on /etc/issue are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/issue" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/issue"
@ -1978,7 +1969,7 @@ groups:
checks: checks:
- id: 2.1.1.a - id: 2.1.1.a
description: "Ensure chargen services are not enabled" description: "Ensure chargen services are not enabled"
audit: "grep -R \"^chargen\" /etc/inetd.*" audit: 'grep -R "^chargen" /etc/inetd.*'
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -1993,7 +1984,7 @@ groups:
- id: 2.1.1.b - id: 2.1.1.b
description: "Ensure chargen services are not enabled" description: "Ensure chargen services are not enabled"
audit: "grep -R \"^chargen\" /etc/xinetd.conf /etc/xinetd.* " audit: 'grep -R "^chargen" /etc/xinetd.conf /etc/xinetd.* '
tests: tests:
test_items: test_items:
- flag: "disable" - flag: "disable"
@ -2008,7 +1999,7 @@ groups:
- id: 2.1.2.a - id: 2.1.2.a
description: "Ensure daytime services are not enabled" description: "Ensure daytime services are not enabled"
audit: "grep -R \"^daytime\" /etc/inetd.*" audit: 'grep -R "^daytime" /etc/inetd.*'
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -2023,7 +2014,7 @@ groups:
- id: 2.1.2.b - id: 2.1.2.b
description: "Ensure daytime services are not enabled" description: "Ensure daytime services are not enabled"
audit: "grep -R \"^daytime\" /etc/xinetd.conf /etc/xinetd.*" audit: 'grep -R "^daytime" /etc/xinetd.conf /etc/xinetd.*'
tests: tests:
test_items: test_items:
- flag: "disable" - flag: "disable"
@ -2038,7 +2029,7 @@ groups:
- id: 2.1.3.a - id: 2.1.3.a
description: "Ensure discard services are not enabled" description: "Ensure discard services are not enabled"
audit: "grep -R \"^discard\" /etc/inetd.*" audit: 'grep -R "^discard" /etc/inetd.*'
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -2053,7 +2044,7 @@ groups:
- id: 2.1.3.b - id: 2.1.3.b
description: "Ensure discard services are not enabled" description: "Ensure discard services are not enabled"
audit: "grep -R \"^discard\" /etc/xinetd.conf /etc/xinetd.*" audit: 'grep -R "^discard" /etc/xinetd.conf /etc/xinetd.*'
tests: tests:
test_items: test_items:
- flag: "disable" - flag: "disable"
@ -2068,7 +2059,7 @@ groups:
- id: 2.1.4.a - id: 2.1.4.a
description: "Ensure echo services are not enabled" description: "Ensure echo services are not enabled"
audit: "grep -R \"^echo\" /etc/inetd.*" audit: 'grep -R "^echo" /etc/inetd.*'
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -2083,7 +2074,7 @@ groups:
- id: 2.1.4.b - id: 2.1.4.b
description: "Ensure echo services are not enabled" description: "Ensure echo services are not enabled"
audit: "grep -R \"^echo\" /etc/xinetd.conf /etc/xinetd.*" audit: 'grep -R "^echo" /etc/xinetd.conf /etc/xinetd.*'
tests: tests:
test_items: test_items:
- flag: "disable" - flag: "disable"
@ -2098,7 +2089,7 @@ groups:
- id: 2.1.5.a - id: 2.1.5.a
description: "Ensure time services are not enabled" description: "Ensure time services are not enabled"
audit: "grep -R \"^time\" /etc/inetd.*" audit: 'grep -R "^time" /etc/inetd.*'
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -2113,7 +2104,7 @@ groups:
- id: 2.1.5.b - id: 2.1.5.b
description: "Ensure time services are not enabled" description: "Ensure time services are not enabled"
audit: "grep -R \"^time\" /etc/xinetd.conf /etc/xinetd.*" audit: 'grep -R "^time" /etc/xinetd.conf /etc/xinetd.*'
tests: tests:
test_items: test_items:
- flag: "disable" - flag: "disable"
@ -2128,7 +2119,7 @@ groups:
- id: 2.1.6.a - id: 2.1.6.a
description: "Ensure rsh server is not enabled" description: "Ensure rsh server is not enabled"
audit: "grep -R \"^shell\" /etc/inetd.*; grep -R \"^login\" /etc/inetd.*; grep -R \"^exec\" /etc/inetd.*" audit: 'grep -R "^shell" /etc/inetd.*; grep -R "^login" /etc/inetd.*; grep -R "^exec" /etc/inetd.*'
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -2143,7 +2134,7 @@ groups:
- id: 2.1.6.b - id: 2.1.6.b
description: "Ensure rsh server is not enabled" description: "Ensure rsh server is not enabled"
audit: "grep -R \"^shell\" /etc/xinetd.*; grep -R \"^login\" /etc/xinetd.*; grep -R \"^exec\" /etc/xinetd.*" audit: 'grep -R "^shell" /etc/xinetd.*; grep -R "^login" /etc/xinetd.*; grep -R "^exec" /etc/xinetd.*'
tests: tests:
test_items: test_items:
- flag: "disable" - flag: "disable"
@ -2158,7 +2149,7 @@ groups:
- id: 2.1.7.a - id: 2.1.7.a
description: "Ensure talk server is not enabled" description: "Ensure talk server is not enabled"
audit: "grep -R \"^talk\" /etc/inetd.*; grep -R \"^ntalk\" /etc/inetd.*" audit: 'grep -R "^talk" /etc/inetd.*; grep -R "^ntalk" /etc/inetd.*'
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -2173,7 +2164,7 @@ groups:
- id: 2.1.7.b - id: 2.1.7.b
description: "Ensure talk server is not enabled" description: "Ensure talk server is not enabled"
audit: "grep -R \"^talk\" /etc/xinetd.*; grep -R \"^ntalk\" /etc/xinetd.*" audit: 'grep -R "^talk" /etc/xinetd.*; grep -R "^ntalk" /etc/xinetd.*'
tests: tests:
test_items: test_items:
- flag: "disable" - flag: "disable"
@ -2188,7 +2179,7 @@ groups:
- id: 2.1.8.a - id: 2.1.8.a
description: "Ensure telnet server is not enabled" description: "Ensure telnet server is not enabled"
audit: "grep -R \"^telnet\" /etc/inetd.*" audit: 'grep -R "^telnet" /etc/inetd.*'
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -2203,7 +2194,7 @@ groups:
- id: 2.1.8.b - id: 2.1.8.b
description: "Ensure telnet server is not enabled" description: "Ensure telnet server is not enabled"
audit: "grep -R \"^telnet\" /etc/xinetd.*" audit: 'grep -R "^telnet" /etc/xinetd.*'
tests: tests:
test_items: test_items:
- flag: "disable" - flag: "disable"
@ -2218,7 +2209,7 @@ groups:
- id: 2.1.9.a - id: 2.1.9.a
description: "Ensure tftp server is not enabled" description: "Ensure tftp server is not enabled"
audit: "grep -R \"^tftp\" /etc/inetd.*" audit: 'grep -R "^tftp" /etc/inetd.*'
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -2233,7 +2224,7 @@ groups:
- id: 2.1.9.b - id: 2.1.9.b
description: "Ensure tftp server is not enabled" description: "Ensure tftp server is not enabled"
audit: "grep -R \"^tftp\" /etc/xinetd.*" audit: 'grep -R "^tftp" /etc/xinetd.*'
tests: tests:
test_items: test_items:
- flag: "disable" - flag: "disable"
@ -2456,7 +2447,7 @@ groups:
test_items: test_items:
- flag: "restrict -4 default kod nomodify notrap nopeer noquery" - flag: "restrict -4 default kod nomodify notrap nopeer noquery"
set: true set: true
flag: "restrict -6 default kod nomodify notrap nopeer noquery" - flag: "restrict -6 default kod nomodify notrap nopeer noquery"
set: true set: true
remediation: | remediation: |
Add or edit restrict lines in `/etc/ntp.conf` to match the following: Add or edit restrict lines in `/etc/ntp.conf` to match the following:
@ -2485,7 +2476,7 @@ groups:
- id: 2.2.1.2.b - id: 2.2.1.2.b
description: "Ensure ntp is configured" description: "Ensure ntp is configured"
audit: "grep -E \"^(server|pool)\" /etc/ntp.conf" audit: 'grep -E "^(server|pool)" /etc/ntp.conf'
type: manual type: manual
tests: tests:
test_items: test_items:
@ -2526,7 +2517,7 @@ groups:
- rhel7 - rhel7
tests: tests:
test_items: test_items:
- flag: "OPTIONS=\"-u ntp:ntp\"" - flag: 'OPTIONS="-u ntp:ntp"'
set: true set: true
remediation: | remediation: |
Add or edit restrict lines in `/etc/ntp.conf` to match the following: Add or edit restrict lines in `/etc/ntp.conf` to match the following:
@ -2558,7 +2549,7 @@ groups:
- ubuntu18 - ubuntu18
tests: tests:
test_items: test_items:
- flag: "OPTIONS=\"-u ntp:ntp\"" - flag: 'OPTIONS="-u ntp:ntp"'
set: true set: true
remediation: | remediation: |
Add or edit restrict lines in `/etc/ntp.conf` to match the following: Add or edit restrict lines in `/etc/ntp.conf` to match the following:
@ -2594,7 +2585,7 @@ groups:
- rhel7 - rhel7
tests: tests:
test_items: test_items:
- flag: "NTPD_OPTIONS=\"-u ntp:ntp\"" - flag: 'NTPD_OPTIONS="-u ntp:ntp"'
set: true set: true
remediation: | remediation: |
Add or edit restrict lines in `/etc/ntp.conf` to match the following: Add or edit restrict lines in `/etc/ntp.conf` to match the following:
@ -2626,7 +2617,7 @@ groups:
- ubuntu18 - ubuntu18
tests: tests:
test_items: test_items:
- flag: "NTPD_OPTIONS=\"-u ntp:ntp\"" - flag: 'NTPD_OPTIONS="-u ntp:ntp"'
set: true set: true
remediation: | remediation: |
Add or edit restrict lines in `/etc/ntp.conf` to match the following: Add or edit restrict lines in `/etc/ntp.conf` to match the following:
@ -2689,7 +2680,7 @@ groups:
- id: 2.2.1.3.a - id: 2.2.1.3.a
description: "Ensure chrony is configured" description: "Ensure chrony is configured"
audit: "grep -E \"^(server|pool)\" /etc/chrony.conf" audit: 'grep -E "^(server|pool)" /etc/chrony.conf'
type: manual type: manual
tests: tests:
test_items: test_items:
@ -2749,7 +2740,6 @@ groups:
# timedatectl set-ntp true # timedatectl set-ntp true
scored: true scored: true
- id: 2.2.2 - id: 2.2.2
description: "Ensure X Window System is not installed" description: "Ensure X Window System is not installed"
sub_checks: sub_checks:
@ -4786,7 +4776,6 @@ groups:
scored: true scored: true
- id: 3.2.3.a - id: 3.2.3.a
description: "Ensure secure ICMP redirects are not accepted" description: "Ensure secure ICMP redirects are not accepted"
audit: "sysctl net.ipv4.conf.all.secure_redirects" audit: "sysctl net.ipv4.conf.all.secure_redirects"
@ -5386,7 +5375,6 @@ groups:
where each `/` combination (for example, "192.168.1.0/255.255.255.0") represents one network block in use by your organization that requires access to this system. where each `/` combination (for example, "192.168.1.0/255.255.255.0") represents one network block in use by your organization that requires access to this system.
scored: false scored: false
- id: 3.3.3 - id: 3.3.3
description: "Ensure /etc/hosts.deny is configured" description: "Ensure /etc/hosts.deny is configured"
audit: "cat /etc/hosts.deny" audit: "cat /etc/hosts.deny"
@ -5401,7 +5389,6 @@ groups:
scored: false scored: false
- id: 3.3.4 - id: 3.3.4
description: "Ensure permissions on /etc/hosts.allow are configured" description: "Ensure permissions on /etc/hosts.allow are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/hosts.allow" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/hosts.allow"
@ -5417,7 +5404,6 @@ groups:
scored: true scored: true
- id: 3.3.5 - id: 3.3.5
description: "Ensure permissions on /etc/hosts.deny are configured" description: "Ensure permissions on /etc/hosts.deny are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/hosts.deny" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/hosts.deny"
@ -5433,7 +5419,6 @@ groups:
scored: true scored: true
- id: 3.4 - id: 3.4
description: "Uncommon Network Protocols" description: "Uncommon Network Protocols"
checks: checks:
@ -5596,8 +5581,7 @@ groups:
type: manual type: manual
tests: tests:
test_items: test_items:
- - flag: |
flag: |
Chain INPUT (policy DROP 0 packets, 0 bytes) Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
@ -5618,8 +5602,7 @@ groups:
type: manual type: manual
tests: tests:
test_items: test_items:
- - flag: |
flag: |
Chain OUTPUT (policy DROP 0 packets, 0 bytes) Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
@ -5700,8 +5683,7 @@ groups:
type: manual type: manual
tests: tests:
test_items: test_items:
- - flag: |
flag: |
Chain INPUT (policy DROP 0 packets, 0 bytes) Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
@ -5722,8 +5704,7 @@ groups:
type: manual type: manual
tests: tests:
test_items: test_items:
- - flag: |
flag: |
Chain OUTPUT (policy DROP 0 packets, 0 bytes) Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
@ -5757,8 +5738,7 @@ groups:
type: manual type: manual
tests: tests:
test_items: test_items:
- - flag: |
flag: |
Active Internet connections (only servers) Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
@ -5776,8 +5756,7 @@ groups:
type: manual type: manual
tests: tests:
test_items: test_items:
- - flag: |
flag: |
Chain INPUT (policy DROP 0 packets, 0 bytes) Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
@ -5930,7 +5909,6 @@ groups:
# update-grub # update-grub
scored: false scored: false
- id: 4 - id: 4
description: "Logging and Auditing" description: "Logging and Auditing"
- id: 4.1 - id: 4.1
@ -6447,7 +6425,6 @@ groups:
scored: true scored: true
- id: 4.1.9.b - id: 4.1.9.b
description: "Ensure login and logout events are collected" description: "Ensure login and logout events are collected"
audit: "auditctl -l | grep logins" audit: "auditctl -l | grep logins"
@ -6643,7 +6620,6 @@ groups:
And add all resulting lines to the file. And add all resulting lines to the file.
scored: true scored: true
- id: 4.1.14.a - id: 4.1.14.a
description: "Ensure successful file system mounts are collected" description: "Ensure successful file system mounts are collected"
audit: "grep mounts /etc/audit/rules.d/*.rules" audit: "grep mounts /etc/audit/rules.d/*.rules"
@ -6757,13 +6733,6 @@ groups:
-w /etc/sudoers.d/ -p wa -k scope -w /etc/sudoers.d/ -p wa -k scope
scored: true scored: true
remediation: |
Add the following line to the `/etc/audit/rules.d/*.rules` file:
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
scored: true
- id: 4.1.17.a - id: 4.1.17.a
description: "Ensure system administrator actions (sudolog) are collected" description: "Ensure system administrator actions (sudolog) are collected"
@ -6845,10 +6814,8 @@ groups:
-w /sbin/rmmod -p x -k modules -w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules -w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules -a always,exit -F arch=b64 -S init_module -S delete_module -k modules
scored: true scored: true
scored: true
- id: 4.1.19 - id: 4.1.19
description: "Ensure the audit configuration is immutable" description: "Ensure the audit configuration is immutable"
audit: "grep ^\\s*[^#] /etc/audit/rules.d/*.rules | tail -1" audit: "grep ^\\s*[^#] /etc/audit/rules.d/*.rules | tail -1"
@ -7265,7 +7232,6 @@ groups:
scored: true scored: true
- id: 5.1.3 - id: 5.1.3
description: "Ensure permissions on /etc/cron.hourly are configured" description: "Ensure permissions on /etc/cron.hourly are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.hourly" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.hourly"
@ -7281,7 +7247,6 @@ groups:
scored: true scored: true
- id: 5.1.4 - id: 5.1.4
description: "Ensure permissions on /etc/cron.daily are configured" description: "Ensure permissions on /etc/cron.daily are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.daily" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.daily"
@ -7297,7 +7262,6 @@ groups:
scored: true scored: true
- id: 5.1.5 - id: 5.1.5
description: "Ensure permissions on /etc/cron.weekly are configured" description: "Ensure permissions on /etc/cron.weekly are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.weekly" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.weekly"
@ -7313,7 +7277,6 @@ groups:
scored: true scored: true
- id: 5.1.6 - id: 5.1.6
description: "Ensure permissions on /etc/cron.monthly are configured" description: "Ensure permissions on /etc/cron.monthly are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.monthly" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.monthly"
@ -7329,7 +7292,6 @@ groups:
scored: true scored: true
- id: 5.1.7 - id: 5.1.7
description: "Ensure permissions on /etc/cron.d are configured" description: "Ensure permissions on /etc/cron.d are configured"
audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.d" audit: "stat -c %a/Uid:%U/%uGid:%G/%g /etc/cron.d"
@ -7345,7 +7307,6 @@ groups:
scored: true scored: true
- id: 5.1.8.a - id: 5.1.8.a
description: "Ensure at/cron is restricted to authorized users" description: "Ensure at/cron is restricted to authorized users"
audit: "stat /etc/cron.deny" audit: "stat /etc/cron.deny"
@ -7448,7 +7409,6 @@ groups:
scored: true scored: true
- id: 5.2.2 - id: 5.2.2
description: "Ensure permissions on SSH private host key files are configured" description: "Ensure permissions on SSH private host key files are configured"
audit: "find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat {} \\;" audit: "find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat {} \\;"
@ -7499,7 +7459,6 @@ groups:
LogLevel INFO LogLevel INFO
scored: true scored: true
- id: 5.2.6 - id: 5.2.6
description: "Ensure SSH X11 forwarding is disabled" description: "Ensure SSH X11 forwarding is disabled"
audit: "grep ^X11Forwarding /etc/ssh/sshd_config" audit: "grep ^X11Forwarding /etc/ssh/sshd_config"
@ -7514,8 +7473,6 @@ groups:
scored: true scored: true
- id: 5.2.7 - id: 5.2.7
description: "Ensure SSH MaxAuthTries is set to 4 or less" description: "Ensure SSH MaxAuthTries is set to 4 or less"
audit: "sshd -T | grep maxauthtries" audit: "sshd -T | grep maxauthtries"
@ -7547,7 +7504,6 @@ groups:
scored: true scored: true
- id: 5.2.9 - id: 5.2.9
description: "Ensure SSH HostbasedAuthentication is disabled" description: "Ensure SSH HostbasedAuthentication is disabled"
audit: "sshd -T | grep hostbasedauthentication" audit: "sshd -T | grep hostbasedauthentication"
@ -7562,7 +7518,6 @@ groups:
scored: true scored: true
- id: 5.2.10 - id: 5.2.10
description: "Ensure SSH root login is disabled" description: "Ensure SSH root login is disabled"
audit: "sshd -T | grep permitrootlogin" audit: "sshd -T | grep permitrootlogin"
@ -7577,8 +7532,6 @@ groups:
scored: true scored: true
- id: 5.2.11 - id: 5.2.11
description: "Ensure SSH PermitEmptyPasswords is disabled" description: "Ensure SSH PermitEmptyPasswords is disabled"
audit: "sshd -T | grep permitemptypasswords" audit: "sshd -T | grep permitemptypasswords"
@ -7607,7 +7560,6 @@ groups:
scored: true scored: true
- id: 5.2.13 - id: 5.2.13
description: "Ensure only approved MAC algorithms are used" description: "Ensure only approved MAC algorithms are used"
audit: "sshd -T | grep ciphers" audit: "sshd -T | grep ciphers"
@ -7641,10 +7593,9 @@ groups:
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
scored: true scored: true
- id: 5.2.14 - id: 5.2.14
description: "Ensure only strong MAC algorithms are used" description: "Ensure only strong MAC algorithms are used"
audit: "sshd -T | grep -i \"MACs\"" audit: 'sshd -T | grep -i "MACs"'
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -7764,7 +7715,6 @@ groups:
scored: true scored: true
- id: 5.2.18.a - id: 5.2.18.a
description: "Ensure SSH access is limited" description: "Ensure SSH access is limited"
audit: "sshd -T | grep allowusers" audit: "sshd -T | grep allowusers"
@ -7895,7 +7845,6 @@ groups:
MaxSessions 4 MaxSessions 4
scored: true scored: true
- id: 5.3 - id: 5.3
description: "Configure PAM" description: "Configure PAM"
checks: checks:
@ -8214,7 +8163,6 @@ groups:
scored: true scored: true
- id: 5.4.4.a - id: 5.4.4.a
description: "Ensure default user umask is 027 or more restrictive" description: "Ensure default user umask is 027 or more restrictive"
sub_checks: sub_checks:
@ -8417,10 +8365,9 @@ groups:
scored: true scored: true
- id: 6.1.3 - id: 6.1.3
description: "Ensure permissions on /etc/shadow are configured" description: "Ensure permissions on /etc/shadow are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G permissions=%a\" /etc/shadow" audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/shadow'
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -8429,7 +8376,7 @@ groups:
- flag: "Gid" - flag: "Gid"
compare: compare:
op: regex op: regex
value: 'shadow|root' value: "shadow|root"
set: true set: true
- flag: "permissions" - flag: "permissions"
compare: compare:
@ -8445,10 +8392,9 @@ groups:
scored: true scored: true
- id: 6.1.4 - id: 6.1.4
description: "Ensure permissions on /etc/group are configured" description: "Ensure permissions on /etc/group are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G/%g permissions=%a\" /etc/group" audit: 'stat -c "Uid:%U/%u Gid:%G/%g permissions=%a" /etc/group'
tests: tests:
test_items: test_items:
- flag: "Uid:root/0 Gid:root/0 permissions=644" - flag: "Uid:root/0 Gid:root/0 permissions=644"
@ -8461,10 +8407,9 @@ groups:
scored: true scored: true
- id: 6.1.5 - id: 6.1.5
description: "Ensure permissions on /etc/gshadow are configured" description: "Ensure permissions on /etc/gshadow are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G permissions=%a\" /etc/gshadow" audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/gshadow'
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -8473,7 +8418,7 @@ groups:
- flag: "Gid" - flag: "Gid"
compare: compare:
op: regex op: regex
value: 'shadow|root' value: "shadow|root"
set: true set: true
- flag: "permissions" - flag: "permissions"
compare: compare:
@ -8491,7 +8436,7 @@ groups:
- id: 6.1.6 - id: 6.1.6
description: "Ensure permissions on /etc/passwd- are configured" description: "Ensure permissions on /etc/passwd- are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G/%g permissions=%a\" /etc/passwd-" audit: 'stat -c "Uid:%U/%u Gid:%G/%g permissions=%a" /etc/passwd-'
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -8510,10 +8455,9 @@ groups:
scored: true scored: true
- id: 6.1.7 - id: 6.1.7
description: "Ensure permissions on /etc/shadow- are configured" description: "Ensure permissions on /etc/shadow- are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G permissions=%a\" /etc/shadow-" audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/shadow-'
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -8522,7 +8466,7 @@ groups:
- flag: "Gid" - flag: "Gid"
compare: compare:
op: regex op: regex
value: 'shadow|root' value: "shadow|root"
set: true set: true
- flag: "permissions" - flag: "permissions"
compare: compare:
@ -8538,10 +8482,9 @@ groups:
scored: true scored: true
- id: 6.1.8 - id: 6.1.8
description: "Ensure permissions on /etc/group- are configured" description: "Ensure permissions on /etc/group- are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G/%g permissions=%a\" /etc/group-" audit: 'stat -c "Uid:%U/%u Gid:%G/%g permissions=%a" /etc/group-'
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -8560,10 +8503,9 @@ groups:
scored: true scored: true
- id: 6.1.9 - id: 6.1.9
description: "Ensure permissions on /etc/gshadow- are configured" description: "Ensure permissions on /etc/gshadow- are configured"
audit: "stat -c \"Uid:%U/%u Gid:%G permissions=%a\" /etc/gshadow-" audit: 'stat -c "Uid:%U/%u Gid:%G permissions=%a" /etc/gshadow-'
tests: tests:
bin_op: and bin_op: and
test_items: test_items:
@ -8572,7 +8514,7 @@ groups:
- flag: "Gid" - flag: "Gid"
compare: compare:
op: regex op: regex
value: 'shadow|root' value: "shadow|root"
set: true set: true
- flag: "permissions" - flag: "permissions"
compare: compare:
@ -8588,7 +8530,6 @@ groups:
scored: true scored: true
- id: 6.1.10.a - id: 6.1.10.a
description: "Ensure no world writable files exist" description: "Ensure no world writable files exist"
audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 | head -n 100" audit: "df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 | head -n 100"
@ -8706,7 +8647,7 @@ groups:
checks: checks:
- id: 6.2.1 - id: 6.2.1
description: "Ensure password fields are not empty" description: "Ensure password fields are not empty"
audit: "awk -F: '($2 == \"\" ) { print $1 \" does not have a password \"}' /etc/shadow" audit: 'awk -F: ''($2 == "" ) { print $1 " does not have a password "}'' /etc/shadow'
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -8723,7 +8664,7 @@ groups:
scored: true scored: true
- id: 6.2.2 - id: 6.2.2
description: "Ensure no legacy \"+\" entries exist in /etc/passwd" description: 'Ensure no legacy "+" entries exist in /etc/passwd'
audit: "grep '^\\+:' /etc/passwd" audit: "grep '^\\+:' /etc/passwd"
tests: tests:
test_items: test_items:
@ -8736,9 +8677,8 @@ groups:
Remove any legacy '+' entries from `/etc/passwd` if they exist. Remove any legacy '+' entries from `/etc/passwd` if they exist.
scored: true scored: true
- id: 6.2.3 - id: 6.2.3
description: "Ensure no legacy \"+\" entries exist in /etc/shadow" description: 'Ensure no legacy "+" entries exist in /etc/shadow'
audit: "grep '^\\+:' /etc/shadow" audit: "grep '^\\+:' /etc/shadow"
tests: tests:
test_items: test_items:
@ -8751,9 +8691,8 @@ groups:
Remove any legacy '+' entries from `/etc/shadow` if they exist. Remove any legacy '+' entries from `/etc/shadow` if they exist.
scored: true scored: true
- id: 6.2.4 - id: 6.2.4
description: "Ensure no legacy \"+\" entries exist in /etc/group" description: 'Ensure no legacy "+" entries exist in /etc/group'
audit: "grep '^\\+:' /etc/group" audit: "grep '^\\+:' /etc/group"
tests: tests:
test_items: test_items:
@ -8766,7 +8705,6 @@ groups:
Remove any legacy '+' entries from `/etc/group` if they exist. Remove any legacy '+' entries from `/etc/group` if they exist.
scored: true scored: true
- id: 6.2.5 - id: 6.2.5
description: "Ensure root is the only UID 0 account" description: "Ensure root is the only UID 0 account"
audit: "awk -F: '($3 == 0) { print $1 }' /etc/passwd" audit: "awk -F: '($3 == 0) { print $1 }' /etc/passwd"
@ -8825,7 +8763,6 @@ groups:
Correct or justify any items discovered in the Audit step. Correct or justify any items discovered in the Audit step.
scored: true scored: true
- id: 6.2.7 - id: 6.2.7
description: "Ensure all users' home directories exist" description: "Ensure all users' home directories exist"
audit: | audit: |
@ -8907,7 +8844,6 @@ groups:
Change the ownership of any home directories that are not owned by the defined user to the correct user. Change the ownership of any home directories that are not owned by the defined user to the correct user.
scored: true scored: true
- id: 6.2.10 - id: 6.2.10
description: "Ensure users' dot files are not group or world writable" description: "Ensure users' dot files are not group or world writable"
audit: | audit: |
@ -8964,7 +8900,6 @@ groups:
Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user `.forward` files and determine the action to be taken in accordance with site policy. Making global modifications to users' files without alerting the user community can result in unexpected outages and unhappy users. Therefore, it is recommended that a monitoring policy be established to report user `.forward` files and determine the action to be taken in accordance with site policy.
scored: true scored: true
- id: 6.2.12 - id: 6.2.12
description: "Ensure no users have .netrc files" description: "Ensure no users have .netrc files"
audit: | audit: |
@ -9152,7 +9087,6 @@ groups:
Based on the results of the audit script, establish unique user names for the users. File ownerships will automatically reflect the change as long as the users have unique UIDs. Based on the results of the audit script, establish unique user names for the users. File ownerships will automatically reflect the change as long as the users have unique UIDs.
scored: true scored: true
- id: 6.2.19 - id: 6.2.19
description: "Ensure no duplicate group names exist" description: "Ensure no duplicate group names exist"
audit: | audit: |
@ -9192,7 +9126,7 @@ groups:
- id: 6.2.20.b - id: 6.2.20.b
description: "Ensure shadow group is empty" description: "Ensure shadow group is empty"
audit: "awk -F: '($4 == \"\") { print }' /etc/passwd" audit: 'awk -F: ''($4 == "") { print }'' /etc/passwd'
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
@ -9203,4 +9137,3 @@ groups:
remediation: | remediation: |
Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group. Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group.
scored: true scored: true
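Review bot: The hunk that turns the second `restrict -6 ...` line under 2.2.1.2 into a proper list item (`- flag: "restrict -6 default kod nomodify notrap nopeer noquery"`) now gives that check two test_items, but no `bin_op` is visible for it, whereas sibling checks such as 5.2.14 and 6.1.3 set `bin_op: and` explicitly. If the loader's default combinator is `or`, the check passes when only the IPv4 restrict line is present, which is weaker than the remediation text that speaks of restrict lines in the plural; add `bin_op: and` under that check's `tests:` (the `tests:` line itself sits just above the hunk). The duplicate-key removals in the hunks before 4.1.17.a and 4.1.19, and the dropped second `test_items:` before `- flag: "enforcing"`, are genuine fixes that a strict YAML parser would have rejected and need no further change.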


@ -0,0 +1,35 @@
---
controls:
version: 0.1
id: 1
description: "Test YAMl file"
type: "hack"
groups:
- id: 1.1
description: "Filesystem Configuration"
checks:
- id: 1.1.1
description: "Disable unused filesystems"
checks:
- id: 1.1.1.1.a
description: "Ensure mounting of cramfs filesystems is disabled"
audit: "echo hello"
tests:
test_items:
- flag: "hello"
set: true
remediation: |
Correct something about this test
scored: true
- id: 1.1.1.1.b
description: "Ensure mounting of cramfs filesystems is disabled"
audit: "echo hello=false"
tests:
test_items:
- flag: "hello"
compare:
op: eq
value: "false"
set: true
remediation: |
Put your remediation here
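Review bot: `description: "Test YAMl file"` has a typo (`YAMl` → `YAML`), and check 1.1.1.1.b ends at its `remediation` block with no `scored:` key while 1.1.1.1.a carries `scored: true`, so the two fixtures differ in more than the `compare` clause being exercised; add `scored: true` after the remediation of 1.1.1.1.b. Both checks also reuse the same description string, which makes failures indistinguishable in test output; giving 1.1.1.1.b its own text (for example naming the eq compare it exercises) is cheap. Whether a missing `scored` is treated as false by the loader is not visible here.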