Merge branch 'master' into patch-1

Liz Rice 2019-08-08 12:18:27 +01:00 committed by GitHub
commit fa96c00891


@ -10,252 +10,251 @@ groups:
checks: checks:
- id: 1.1.1 - id: 1.1.1
description: "Disable unused filesystems" description: "Disable unused filesystems"
checks: - id: 1.1.1.1.a
- id: 1.1.1.1.a description: "Ensure mounting of cramfs filesystems is disabled"
description: "Ensure mounting of cramfs filesystems is disabled" audit: "modprobe -n -v cramfs"
audit: "modprobe -n -v cramfs" tests:
tests: test_items:
test_items: - flag: "install /bin/true"
- flag: "install /bin/true" set: true
set: true remediation: |
remediation: | Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: install cramfs /bin/true
install cramfs /bin/true Run the following command to unload the `cramfs` module:
Run the following command to unload the `cramfs` module: # rmmod cramfs
# rmmod cramfs scored: true
scored: true - id: 1.1.1.1.b
- id: 1.1.1.1.b description: "Ensure mounting of cramfs filesystems is disabled"
description: "Ensure mounting of cramfs filesystems is disabled" audit: "lsmod | grep cramfs"
audit: "lsmod | grep cramfs" tests:
test_items:
- flag: ""
compare:
op: eq
value: ""
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install cramfs /bin/true
Run the following command to unload the `cramfs` module:
# rmmod cramfs
scored: true
- id: 1.1.1.2.a
description: "Ensure mounting of freevxfs filesystems is disabled"
audit: "modprobe -n -v freevxfs"
tests:
test_items:
- flag: "install /bin/true"
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install freevxfs /bin/true
Run the following command to unload the `freevxfs` module:
# rmmod freevxfs
scored: true
- id: 1.1.1.2.b
description: "Ensure mounting of freevxfs filesystems is disabled"
audit: "lsmod | grep freevxfs"
tests:
test_items:
- flag: ""
compare:
op: eq
value: ""
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install freevxfs /bin/true
Run the following command to unload the `freevxfs` module:
# rmmod freevxfs
scored: true
- id: 1.1.1.3.a
description: "Ensure mounting of jffs2 filesystems is disabled"
audit: "modprobe -n -v jffs2"
tests:
test_items:
- flag: "install /bin/true"
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install jffs2 /bin/true
Run the following command to unload the `jffs2` module:
# rmmod jffs2
scored: true
- id: 1.1.1.3.b
description: "Ensure mounting of jffs2 filesystems is disabled"
audit: "lsmod | grep jffs2"
tests:
test_items:
- flag: ""
compare:
op: eq
value: ""
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install jffs2 /bin/true
Run the following command to unload the `jffs2` module:
# rmmod jffs2
scored: true
- id: 1.1.1.4.a
description: "Ensure mounting of hfs filesystems is disabled"
audit: "modprobe -n -v hfs"
tests:
test_items:
- flag: "install /bin/true"
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install hfs /bin/true
Run the following command to unload the `hfs` module:
# rmmod hfs
scored: true
- id: 1.1.1.4.b
description: "Ensure mounting of hfs filesystems is disabled"
audit: "lsmod | grep hfs"
tests:
test_items:
- flag: ""
compare:
op: eq
value: ""
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install hfs /bin/true
Run the following command to unload the `hfs` module:
# rmmod hfs
scored: true
- id: 1.1.1.5.a
description: "Ensure mounting of hfsplus filesystems is disabled"
audit: "modprobe -n -v hfsplus"
tests:
test_items:
- flag: "install /bin/true"
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install hfsplus /bin/true
Run the following command to unload the `hfsplus` module:
# rmmod hfsplus
scored: true
- id: 1.1.1.5.b
description: "Ensure mounting of hfsplus filesystems is disabled"
audit: "lsmod | grep hfsplus"
tests:
test_items:
- flag: ""
compare:
op: eq
value: ""
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install hfsplus /bin/true
Run the following command to unload the `hfsplus` module:
# rmmod hfsplus
scored: true
- id: 1.1.1.6.a
description: "Ensure mounting of squashfs filesystems is disabled"
sub_checks:
- check:
audit: "modprobe -n -v squashfs"
constraints:
platform:
- rhel7
tests:
test_items:
- flag: "install /bin/true"
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install squashfs /bin/true
Run the following command to unload the `squashfs` module:
# rmmod squashfs
scored: true
- id: 1.1.1.6.b
description: "Ensure mounting of squashfs filesystems is disabled"
sub_checks:
- check:
audit: "lsmod | grep squashfs"
constraints:
platform:
- rhel7
tests:
test_items:
- flag: ""
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install squashfs /bin/true
Run the following command to unload the `squashfs` module:
# rmmod squashfs
scored: true
- id: 1.1.1.7.a
description: "Ensure mounting of udf filesystems is disabled"
audit: "modprobe -n -v udf"
tests:
test_items:
- flag: "install /bin/true"
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install udf /bin/true
Run the following command to unload the `udf` module:
# rmmod udf
scored: true
- id: 1.1.1.7.b
description: "Ensure mounting of udf filesystems is disabled"
audit: "lsmod | grep udf"
tests:
test_items:
- flag: ""
compare:
op: eq
value: ""
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install udf /bin/true
Run the following command to unload the `udf` module:
# rmmod udf
scored: true
- id: 1.1.1.8.a
description: "Ensure mounting of FAT filesystems is disabled"
sub_checks:
- check:
audit: "modprobe -n -v vfat"
constraints:
platform:
- rhel7
tests:
test_items:
- flag: "install /bin/true"
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install vfat /bin/true
Run the following command to unload the `vfat` module:
# rmmod vfat
scored: true
- id: 1.1.1.8.b
description: "Ensure mounting of FAT filesystems is disabled"
sub_checks:
- check:
audit: "lsmod | grep vfat"
constraints:
platform:
- rhel7
tests: tests:
test_items: test_items:
- flag: "" - flag: ""
compare:
op: eq
value: ""
set: true set: true
remediation: | remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line: Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install cramfs /bin/true install vfat /bin/true
Run the following command to unload the `cramfs` module: Run the following command to unload the `vfat` module:
# rmmod cramfs # rmmod vfat
scored: true
- id: 1.1.1.2.a
description: "Ensure mounting of freevxfs filesystems is disabled"
audit: "modprobe -n -v freevxfs"
tests:
test_items:
- flag: "install /bin/true"
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install freevxfs /bin/true
Run the following command to unload the `freevxfs` module:
# rmmod freevxfs
scored: true
- id: 1.1.1.2.b
description: "Ensure mounting of freevxfs filesystems is disabled"
audit: "lsmod | grep freevxfs"
tests:
test_items:
- flag: ""
compare:
op: eq
value: ""
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install freevxfs /bin/true
Run the following command to unload the `freevxfs` module:
# rmmod freevxfs
scored: true
- id: 1.1.1.3.a
description: "Ensure mounting of jffs2 filesystems is disabled"
audit: "modprobe -n -v jffs2"
tests:
test_items:
- flag: "install /bin/true"
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install jffs2 /bin/true
Run the following command to unload the `jffs2` module:
# rmmod jffs2
scored: true
- id: 1.1.1.3.b
description: "Ensure mounting of jffs2 filesystems is disabled"
audit: "lsmod | grep jffs2"
tests:
test_items:
- flag: ""
compare:
op: eq
value: ""
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install jffs2 /bin/true
Run the following command to unload the `jffs2` module:
# rmmod jffs2
scored: true
- id: 1.1.1.4.a
description: "Ensure mounting of hfs filesystems is disabled"
audit: "modprobe -n -v hfs"
tests:
test_items:
- flag: "install /bin/true"
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install hfs /bin/true
Run the following command to unload the `hfs` module:
# rmmod hfs
scored: true
- id: 1.1.1.4.b
description: "Ensure mounting of hfs filesystems is disabled"
audit: "lsmod | grep hfs"
tests:
test_items:
- flag: ""
compare:
op: eq
value: ""
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install hfs /bin/true
Run the following command to unload the `hfs` module:
# rmmod hfs
scored: true
- id: 1.1.1.5.a
description: "Ensure mounting of hfsplus filesystems is disabled"
audit: "modprobe -n -v hfsplus"
tests:
test_items:
- flag: "install /bin/true"
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install hfsplus /bin/true
Run the following command to unload the `hfsplus` module:
# rmmod hfsplus
scored: true
- id: 1.1.1.5.b
description: "Ensure mounting of hfsplus filesystems is disabled"
audit: "lsmod | grep hfsplus"
tests:
test_items:
- flag: ""
compare:
op: eq
value: ""
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install hfsplus /bin/true
Run the following command to unload the `hfsplus` module:
# rmmod hfsplus
scored: true
- id: 1.1.1.6.a
description: "Ensure mounting of squashfs filesystems is disabled"
sub_checks:
- check:
audit: "modprobe -n -v squashfs"
constraints:
platform:
- rhel7
tests:
test_items:
- flag: "install /bin/true"
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install squashfs /bin/true
Run the following command to unload the `squashfs` module:
# rmmod squashfs
scored: true
- id: 1.1.1.6.b
description: "Ensure mounting of squashfs filesystems is disabled"
sub_checks:
- check:
audit: "lsmod | grep squashfs"
constraints:
platform:
- rhel7
tests:
test_items:
- flag: ""
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install squashfs /bin/true
Run the following command to unload the `squashfs` module:
# rmmod squashfs
scored: true
- id: 1.1.1.7.a
description: "Ensure mounting of udf filesystems is disabled"
audit: "modprobe -n -v udf"
tests:
test_items:
- flag: "install /bin/true"
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install udf /bin/true
Run the following command to unload the `udf` module:
# rmmod udf
scored: true
- id: 1.1.1.7.b
description: "Ensure mounting of udf filesystems is disabled"
audit: "lsmod | grep udf"
tests:
test_items:
- flag: ""
compare:
op: eq
value: ""
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install udf /bin/true
Run the following command to unload the `udf` module:
# rmmod udf
scored: true
- id: 1.1.1.8.a
description: "Ensure mounting of FAT filesystems is disabled"
sub_checks:
- check:
audit: "modprobe -n -v vfat"
constraints:
platform:
- rhel7
tests:
test_items:
- flag: "install /bin/true"
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install vfat /bin/true
Run the following command to unload the `vfat` module:
# rmmod vfat
scored: true
- id: 1.1.1.8.b
description: "Ensure mounting of FAT filesystems is disabled"
sub_checks:
- check:
audit: "lsmod | grep vfat"
constraints:
platform:
- rhel7
tests:
test_items:
- flag: ""
set: true
remediation: |
Edit or create the file `/etc/modprobe.d/CIS.conf` and add the following line:
install vfat /bin/true
Run the following command to unload the `vfat` module:
# rmmod vfat
scored: true scored: true
- id: 1.1.2 - id: 1.1.2
description: "Ensure separate partition exists for /tmp" description: "Ensure separate partition exists for /tmp"
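Review bot: Checks 1.1.1.6.b (`lsmod | grep squashfs`) and 1.1.1.8.b (`lsmod | grep vfat`) still carry only `flag: ""` with `set: true`, while every other `.b` check in this section also has a `compare` block requiring the output to equal the empty string. If the runner treats `flag` as a substring match, which is not visible on this page, an empty flag would be found in any output and these two checks would report a pass with the module loaded. For consistency with the sibling checks I would add `compare:`, `op: eq` and `value: ""` under the `flag` item of both. Separately, `lsmod | grep hfs` in 1.1.1.4.b also matches `hfsplus` lines, so a tighter pattern would avoid failing the hfs check when only hfsplus is loaded.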