added sysctl-34 for checking link protection settings (#160)

Common and long-standing exploits regard unprotected links, fifos and regular files, which are created or controlled by an attacker to gain access to other files or control over other programs. Signed-off-by: Claudius Heine <ch@denx.de>
dev-sec · Oct 19, 2021 · 00d24ba · 00d24ba
1 parent 2735730
commit 00d24ba
Showing 1 changed file with 19 additions and 0 deletions.
diff --git a/controls/sysctl_spec.rb b/controls/sysctl_spec.rb
@@ -407,3 +407,22 @@
     end
   end
 end
+
+control 'sysctl-34' do
+  impact 1.0
+  title 'Ensure links are protected'
+  desc 'Protects against common exploits in regards to links, fifos and regular files created or controlled by attackers'
+  only_if { !container_execution }
+  describe kernel_parameter('fs.protected_fifos') do
+    its(:value) { should match cmp(/(1|2)/) }
+  end
+  describe kernel_parameter('fs.protected_hardlinks') do
+    its(:value) { should eq 1 }
+  end
+  describe kernel_parameter('fs.protected_regular') do
+    its(:value) { should eq 2 }
+  end
+  describe kernel_parameter('fs.protected_symlinks') do
+    its(:value) { should eq 1 }
+  end
+end