From b37b4c57a07a8e334a80c8c13c0384ba1af1f4e0 Mon Sep 17 00:00:00 2001
From: Ivo van Doorn
Date: Thu, 23 Nov 2023 10:25:44 +0100
Subject: [PATCH] Restrict NX/XD check to the x86 architectures

The NX/XD check used to validate CIS 1.5.2 only works on the X86 architectures, and we should skip the validation for all other architectures (until a valid check has been implemented).

Signed-off-by: Ivo van Doorn
---
 controls/1_5_additional_process_hardening.rb | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/controls/1_5_additional_process_hardening.rb b/controls/1_5_additional_process_hardening.rb
index 27e121e..ffb16f1 100644
--- a/controls/1_5_additional_process_hardening.rb
+++ b/controls/1_5_additional_process_hardening.rb
@@ -19,6 +19,8 @@ title '1.5 Additional Process Hardening'
+uname_machine = command('uname -m').stdout.strip
+
 control 'cis-dil-benchmark-1.5.1' do
 title 'Ensure core dumps are restricted'
 desc "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user.\n\nRationale: Setting a hard limit on core dumps prevents users from overriding the soft variable. If core dumps are required, consider setting limits for user groups (see limits.conf(5)). In addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from dumping core."
@@ -52,8 +54,14 @@ tag cis: 'distribution-independent-linux:1.5.2'
 tag level: 1
- describe command('dmesg | grep NX') do
- its(:stdout) { should match(/NX \(Execute Disable\) protection: active/) }
+ if uname_machine == 'i386' || uname_machine == 'i686' || uname_machine == 'x86_64'
+ describe command('dmesg | grep NX') do
+ its(:stdout) { should match(/NX \(Execute Disable\) protection: active/) }
+ end
+ else
+ describe 'cis-dil-benchmark-1.5.2' do
+ skip 'Not implemented'
+ end
 end
 end
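Review bot: The new `if` on the first added line only recognises `i386`, `i686` and `x86_64`, so an `i486`/`i586` host — or any host where `uname -m` produced no output and `uname_machine` is therefore `''` — drops into the `else` branch and the NX check is skipped instead of run or failed; an anchored regex covers the whole x86 family in one place, `if uname_machine.match?(/\A(i[3-6]86|x86_64)\z/)`. Since a failed or missing `uname` is then indistinguishable from a genuinely unsupported architecture, the skip message should record what was detected, e.g. `skip "Not implemented for architecture '#{uname_machine}'"`, so a skipped result in the report can be told apart from a detection problem. The enclosing `control` block for `distribution-independent-linux:1.5.2` starts before this hunk, and `uname_machine` is assigned at file scope in the earlier hunk.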