Merge pull request #71 from aquasecurity/yaml-lint

Add YAML linting
2025-02-22 14:15:32 +01:00 · 2020-12-23 12:29:21 +02:00 · 2020-12-23 12:29:21 +02:00 · fcdd2a9cfc
commit fcdd2a9cfc
parent ca36ec8929 9fc95ff756
3 changed files with 45 additions and 21 deletions
--- a/.github/workflows/yaml.yml
+++ b/.github/workflows/yaml.yml
@ -0,0 +1,34 @@
+name: YAML Linting
+
+on:
+  push:
+    paths-ignore:
+      - "*.md"
+      - "LICENSE"
+      - "NOTICE"
+  pull_request:
+    paths-ignore:
+      - "*.md"
+      - "LICENSE"
+      - "NOTICE"
+  workflow_dispatch:
+
+jobs:
+  YAML-lint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: YAML Lint
+        uses: ibiqlik/action-yamllint@v3.0.0
+        with:
+          config_data: |
+            extends: relaxed
+            rules:
+            #   new-line-at-end-of-file:
+            #     level: warning
+              trailing-spaces: disable
+              line-length: disable
+              new-lines:
+                level: warning
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -1,6 +1,8 @@
+---
 env:
  - GO111MODULE=on
  - LINUXBENCH_CFG=/etc/linux-bench/cfg
+
 builds:
  - main: .
    binary: linux-bench
@ -14,12 +16,12 @@ builds:
      - 6
      - 7
    ldflags:
-     - "-X github.com/aquasecurity/linux-bench/root.cfgDir={{.Env.LINUXBENCH_CFG}}"
+      - "-X github.com/aquasecurity/linux-bench/root.cfgDir={{.Env.LINUXBENCH_CFG}}"
 # Archive customization
 archives:
  - id: compress
    format: tar.gz
-    name_template: '{{ .Binary }}_{{.Version}}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{.Arm }}{{ end }}'
+    name_template: "{{ .Binary }}_{{.Version}}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{.Arm }}{{ end }}"
    files:
      - "cfg/**/*"
 nfpms:
--- a/cfg/1.1.0/definitions.yaml
+++ b/cfg/1.1.0/definitions.yaml
@ -1229,7 +1229,6 @@ groups:
          test_items:
          - flag: "selinux=0"
            set: false            
-          test_items:
          - flag: "enforcing=0"
            set: false                                  
        remediation: |
@ -1254,7 +1253,6 @@ groups:
          test_items:
          - flag: "selinux=0"
            set: false            
-          test_items:
          - flag: "enforcing=0"
            set: false                                  
        remediation: |
@ -3553,7 +3551,7 @@ groups:
        test_items:
        - flag: "restrict -4 default kod nomodify notrap nopeer noquery"
          set: true
-          flag: "restrict -6 default kod nomodify notrap nopeer noquery"
+        - flag: "restrict -6 default kod nomodify notrap nopeer noquery"
          set: true
      remediation: |
            Add or edit restrict lines in `/etc/ntp.conf` to match the following:
@ -6257,16 +6255,8 @@ groups:
            Add the following line to the `/etc/audit/audit.rules` file:
            
            -w /etc/sudoers -p wa -k scope
-            -w /etc/sudoers.d/ -p wa -k scope
-            
+            -w /etc/sudoers.d/ -p wa -k scope            
      scored: true                     
-      remediation: |
-            Add the following line to the `/etc/audit/audit.rules` file:
-            
-            -w /etc/sudoers -p wa -k scope
-            -w /etc/sudoers.d/ -p wa -k scope
-            
-      scored: true                  
            
    - id: 4.1.16.a
      description: "Ensure system administrator actions (sudolog) are collected"
@ -6344,10 +6334,8 @@ groups:
            -w /sbin/rmmod -p x -k modules
            -w /sbin/modprobe -p x -k modules
            -a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-            
      scored: true
-
-      scored: true              
+      
    - id: 4.1.18
      description: "Ensure the audit configuration is immutable"
      audit: "grep ^\\s*[^#] /etc/audit/audit.rules | tail -1"   
@ -7606,7 +7594,7 @@ groups:
          test_items:
          - flag: "PASS_MAX_DAYS"
            set: true
-            flag: "90"
+          - flag: "90"
            set: true
        remediation: |
          Set the `PASS_MAX_DAYS` parameter to conform to site policy in `/etc/login.defs` :
@ -7665,7 +7653,7 @@ groups:
          test_items:
          - flag: "PASS_MIN_DAYS"
            set: true
-            flag: "7"
+          - flag: "7"
            set: true
        remediation: |
          Set the `PASS_MIN_DAYS` parameter to 7 in `/etc/login.defs` :
@ -7724,7 +7712,7 @@ groups:
          test_items:
          - flag: "PASS_WARN_AGE"
            set: true
-            flag: "7"
+          - flag: "7"
            set: true
        remediation: |
          Set the `PASS_WARN_AGE` parameter to 7 in `/etc/login.defs` :
@ -7854,10 +7842,10 @@ groups:
          test_items:
          - flag: "Last Change : <date>"
            set: true
-        type: manual
        remediation: |
          Investigate any users with a password change date in the future and correct them. Locking the account, expiring the password, or resetting the password manually may be appropriate.
        scored: true
+
    - id: 5.4.2
      description: "Ensure system accounts are non-login"
      audit: "egrep -v \"^\\+\" /etc/passwd | awk -F: '($1!=\"root\" && $1!=\"sync\" && $1!=\"shutdown\" && $1!=\"halt\" && $3<500 && $7!=\"/sbin/nologin\" && $7!=\"/bin/false\") {print}'"