mirrors/linux-bench
1
0
Fork 1
mirror of https://github.com/aquasecurity/linux-bench.git synced 2025-02-23 06:35:33 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #71 from aquasecurity/yaml-lint

Browse source 
Add YAML linting
This commit is contained in:
Yoav Rotem 2020-12-23 12:29:21 +02:00 committed by GitHub
commit fcdd2a9cfc
Failed to generate hash of commit
3 changed files with 45 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

34
.github/workflows/yaml.yml vendored Normal file
View file

@ -0,0 +1,34 @@
name: YAML Linting
on:
push:
paths-ignore:
- "*.md"
- "LICENSE"
- "NOTICE"
pull_request:
paths-ignore:
- "*.md"
- "LICENSE"
- "NOTICE"
workflow_dispatch:
jobs:
YAML-lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: YAML Lint
uses: ibiqlik/action-yamllint@v3.0.0
with:
config_data: |
extends: relaxed
rules:
# new-line-at-end-of-file:
# level: warning
trailing-spaces: disable
line-length: disable
new-lines:
level: warning

4
.goreleaser.yml
View file

@ -1,6 +1,8 @@
---
env: env:
- GO111MODULE=on - GO111MODULE=on
- LINUXBENCH_CFG=/etc/linux-bench/cfg - LINUXBENCH_CFG=/etc/linux-bench/cfg
builds: builds:
- main: . - main: .
binary: linux-bench binary: linux-bench
@ -19,7 +21,7 @@ builds:
archives: archives:
- id: compress - id: compress
format: tar.gz format: tar.gz
name_template: '{{ .Binary }}_{{.Version}}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{.Arm }}{{ end }}' name_template: "{{ .Binary }}_{{.Version}}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{.Arm }}{{ end }}"
files: files:
- "cfg/**/*" - "cfg/**/*"
nfpms: nfpms:

22
cfg/1.1.0/definitions.yaml
View file

@ -1229,7 +1229,6 @@ groups:
test_items: test_items:
- flag: "selinux=0" - flag: "selinux=0"
set: false set: false
test_items:
- flag: "enforcing=0" - flag: "enforcing=0"
set: false set: false
remediation: | remediation: |
@ -1254,7 +1253,6 @@ groups:
test_items: test_items:
- flag: "selinux=0" - flag: "selinux=0"
set: false set: false
test_items:
- flag: "enforcing=0" - flag: "enforcing=0"
set: false set: false
remediation: | remediation: |
@ -3553,7 +3551,7 @@ groups:
test_items: test_items:
- flag: "restrict -4 default kod nomodify notrap nopeer noquery" - flag: "restrict -4 default kod nomodify notrap nopeer noquery"
set: true set: true
flag: "restrict -6 default kod nomodify notrap nopeer noquery" - flag: "restrict -6 default kod nomodify notrap nopeer noquery"
set: true set: true
remediation: | remediation: |
Add or edit restrict lines in `/etc/ntp.conf` to match the following: Add or edit restrict lines in `/etc/ntp.conf` to match the following:
@ -6258,14 +6256,6 @@ groups:
-w /etc/sudoers -p wa -k scope -w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope -w /etc/sudoers.d/ -p wa -k scope
scored: true
remediation: |
Add the following line to the `/etc/audit/audit.rules` file:
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
scored: true scored: true
- id: 4.1.16.a - id: 4.1.16.a
@ -6344,10 +6334,8 @@ groups:
-w /sbin/rmmod -p x -k modules -w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules -w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules -a always,exit -F arch=b64 -S init_module -S delete_module -k modules
scored: true scored: true
scored: true
- id: 4.1.18 - id: 4.1.18
description: "Ensure the audit configuration is immutable" description: "Ensure the audit configuration is immutable"
audit: "grep ^\\s*[^#] /etc/audit/audit.rules | tail -1" audit: "grep ^\\s*[^#] /etc/audit/audit.rules | tail -1"
@ -7606,7 +7594,7 @@ groups:
test_items: test_items:
- flag: "PASS_MAX_DAYS" - flag: "PASS_MAX_DAYS"
set: true set: true
flag: "90" - flag: "90"
set: true set: true
remediation: | remediation: |
Set the `PASS_MAX_DAYS` parameter to conform to site policy in `/etc/login.defs` : Set the `PASS_MAX_DAYS` parameter to conform to site policy in `/etc/login.defs` :
@ -7665,7 +7653,7 @@ groups:
test_items: test_items:
- flag: "PASS_MIN_DAYS" - flag: "PASS_MIN_DAYS"
set: true set: true
flag: "7" - flag: "7"
set: true set: true
remediation: | remediation: |
Set the `PASS_MIN_DAYS` parameter to 7 in `/etc/login.defs` : Set the `PASS_MIN_DAYS` parameter to 7 in `/etc/login.defs` :
@ -7724,7 +7712,7 @@ groups:
test_items: test_items:
- flag: "PASS_WARN_AGE" - flag: "PASS_WARN_AGE"
set: true set: true
flag: "7" - flag: "7"
set: true set: true
remediation: | remediation: |
Set the `PASS_WARN_AGE` parameter to 7 in `/etc/login.defs` : Set the `PASS_WARN_AGE` parameter to 7 in `/etc/login.defs` :
@ -7854,10 +7842,10 @@ groups:
test_items: test_items:
- flag: "Last Change : <date>" - flag: "Last Change : <date>"
set: true set: true
type: manual
remediation: | remediation: |
Investigate any users with a password change date in the future and correct them. Locking the account, expiring the password, or resetting the password manually may be appropriate. Investigate any users with a password change date in the future and correct them. Locking the account, expiring the password, or resetting the password manually may be appropriate.
scored: true scored: true
- id: 5.4.2 - id: 5.4.2
description: "Ensure system accounts are non-login" description: "Ensure system accounts are non-login"
audit: "egrep -v \"^\\+\" /etc/passwd | awk -F: '($1!=\"root\" && $1!=\"sync\" && $1!=\"shutdown\" && $1!=\"halt\" && $3<500 && $7!=\"/sbin/nologin\" && $7!=\"/bin/false\") {print}'" audit: "egrep -v \"^\\+\" /etc/passwd | awk -F: '($1!=\"root\" && $1!=\"sync\" && $1!=\"shutdown\" && $1!=\"halt\" && $3<500 && $7!=\"/sbin/nologin\" && $7!=\"/bin/false\") {print}'"