differentiate redhat/debian test, add extra conditions like entropy o…
…r ENV dependent test
juju4 committed Sep 18, 2016
1 parent da3a1b6 commit 790371c
Showing 3 changed files with 141 additions and 18 deletions.
92 changes: 83 additions & 9 deletions controls/os_spec.rb
Expand Up @@ -18,6 +18,27 @@
# author: Dominik Richter
# author: Patrick Muench

if ENV['login_defs_umask']
login_defs_umask = ENV['login_defs_umask']
else
login_defs_umask = '027'
end
if ENV['login_defs_passmaxdays']
login_defs_passmaxdays = ENV['login_defs_passmaxdays']
else
login_defs_passmaxdays = 60
end
if ENV['login_defs_passmindays']
login_defs_passmindays = ENV['login_defs_passmindays']
else
login_defs_passmindays = 7
end
if ENV['login_defs_passwarnage']
login_defs_passwarnage = ENV['login_defs_passwarnage']
else
login_defs_passwarnage = 7
end

control 'os-01' do
impact 1.0
title 'Trusted hosts login'
Expand All @@ -38,13 +59,19 @@
it { should exist }
it { should be_file }
it { should be_owned_by 'root' }
its('group') { should eq 'root' }
it { should_not be_executable }
it { should be_writable.by('owner') }
it { should be_readable.by('owner') }
it { should_not be_readable.by('group') }
it { should_not be_readable.by('other') }
end
describe file('/etc/shadow'), :if => os.family == 'redhat' do
its('group') { should eq 'root' }
it { should_not be_readable.by('group') }
end
describe file('/etc/shadow'), :if => os.family == 'debian' do
its('group') { should eq 'shadow' }
it { should be_readable.by('group') }
end
end

control 'os-03' do
Expand Down Expand Up @@ -86,28 +113,38 @@
it { should be_owned_by 'root' }
its('group') { should eq 'root' }
it { should_not be_executable }
it { should_not be_writable }
it { should be_readable.by('owner') }
it { should be_readable.by('group') }
it { should be_readable.by('other') }
end
describe file('/etc/login.defs'), :if => os.family == 'redhat' do
it { should_not be_writable }
end
describe login_defs do
its('ENV_SUPATH') { should include('/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin') }
its('ENV_PATH') { should include('/usr/local/bin:/usr/bin:/bin') }
its('UMASK') { should include('027') }
its('PASS_MAX_DAYS') { should eq '60' }
its('PASS_MIN_DAYS') { should eq '7' }
its('PASS_WARN_AGE') { should eq '7' }
its('UMASK') { should include(login_defs_umask) }
its('PASS_MAX_DAYS') { should eq login_defs_passmaxdays }
its('PASS_MIN_DAYS') { should eq login_defs_passmindays }
its('PASS_WARN_AGE') { should eq login_defs_passwarnage }
its('LOGIN_RETRIES') { should eq '5' }
its('LOGIN_TIMEOUT') { should eq '60' }
its('UID_MIN') { should eq '1000' }
its('GID_MIN') { should eq '1000' }
end
describe login_defs, :if => os.family == 'redhat' do
its('SYS_UID_MIN') { should eq '100' }
its('SYS_UID_MAX') { should eq '999' }
its('SYS_GID_MIN') { should eq '100' }
its('SYS_GID_MAX') { should eq '999' }
its('ENCRYPT_METHOD') { should eq 'SHA512' }
end
# describe login_defs, :if => os.family == 'debian' do
## Those are commented on debian/ubuntu
# its('SYS_UID_MIN') { should eq '100' }
# its('SYS_UID_MAX') { should eq '999' }
# its('SYS_GID_MIN') { should eq '100' }
# its('SYS_GID_MAX') { should eq '999' }
# end
end

control 'os-06' do
Expand Down Expand Up @@ -142,9 +179,24 @@
'/usr/lib/pt_chown', # pseudo-tty, needed?
'/usr/lib/eject/dmcrypt-get-device',
'/usr/lib/mc/cons.saver' # midnight commander screensaver
# # from Ubuntu xenial
# '/sbin/unix_chkpwd',
# '/sbin/pam_extrausers_chkpwd',
# '/usr/lib/x86_64-linux-gnu/utempter/utempter',
# '/usr/sbin/postdrop',
# '/usr/sbin/postqueue',
# '/usr/bin/ssh-agent',
# '/usr/bin/mlocate',
# '/usr/bin/crontab',
# '/usr/bin/dotlockfile',
# '/usr/bin/screen',
# '/usr/bin/expiry',
# '/usr/bin/wall',
# '/usr/bin/chage',
# '/usr/bin/bsd-write',
]

output = command('find / -perm -4000 -o -perm -2000 -type f ! -path \'/proc/*\' -print 2>/dev/null | grep -v \'^find:\'')
output = command('find / -perm -4000 -o -perm -2000 -type f ! -path \'/proc/*\' ! -path \'/var/lib/lxd/containers/*\' -print 2>/dev/null | grep -v \'^find:\'')
diff = output.stdout.split(/\r?\n/) & blacklist
describe diff do
it { should be_empty }
Expand All @@ -162,3 +214,25 @@
its('gids') { should_not contain_duplicates }
end
end

control 'os-08' do
impact 1.0
title 'Entropy'
desc 'Check system has enough entropy - greater than 1000'
describe file('/proc/sys/kernel/random/entropy_avail').content.to_i do
it { should >= 1000 }
end
end

control 'os-09' do
impact 1.0
title 'Check for .rhosts and .netrc file'
desc 'Find .rhosts and .netrc files - CIS Benchmark 9.2.9-10'

output = command('find / \( -iname .rhosts -o -iname .netrc \) -print 2>/dev/null | grep -v \'^find:\'')
out = output.stdout.split(/\r?\n/)
describe out do
it { should be_empty }
end
end
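Review bot: The fallback values `login_defs_passmaxdays = 60`, `login_defs_passmindays = 7` and `login_defs_passwarnage = 7` are Integers, but they are compared with `should eq` against login_defs attributes that the removed expectations matched as the strings '60' and '7', so the default path fails while the ENV path (always a String) passes. Quoting the defaults, `login_defs_passmaxdays = '60'`, `login_defs_passmindays = '7'`, `login_defs_passwarnage = '7'`, keeps both paths consistent with the previous assertions; a short comment above the block naming the accepted environment variables and that they are compared as strings would help the next reader. Separately, the `find` command in the suid/sgid check still has no grouping around the two `-perm` tests, so as I read find's precedence the `-type f` and the `! -path` exclusions only apply to the `-perm -2000` branch; wrapping them as `\( -perm -4000 -o -perm -2000 \)` makes the exclusions apply to both. The os-08 desc says "greater than 1000" while the assertion is `should >= 1000`; one of the two should change.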

35 changes: 35 additions & 0 deletions controls/package_spec.rb
Expand Up @@ -65,3 +65,38 @@
it { should_not be_installed }
end
end

## can also be syslog-ng...
control 'package-07' do
impact 1.0
title 'Install rsyslog server'
desc 'Syslog server is required to receive system and applications logs'
describe package('rsyslog') do
it { should be_installed }
end
end

control 'package-08' do
impact 1.0
title 'Install auditd'
desc 'auditd provides extended logging capacities on recent distribution'
describe package('auditd') do
it { should be_installed }
end
describe auditd_conf do
its('log_file') { should cmp '/var/log/audit/audit.log' }


artem-sidorenko Mar 17, 2017


@juju4 this is another part I have to fix, I hope you can help me here too. Can you tell me the source/guide/whatever for this settings of auditd? Or is it something from some base OS defaults?


juju4 Mar 17, 2017


here we test only whether the package is present and has a log file. It doesn't test the configuration, which by default is almost nonexistent in many distributions

few guides on top of my head
https://linux-audit.com/configuring-and-auditing-linux-systems-with-audit-daemon/
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html
(french 6.7.3) https://www.ssi.gouv.fr/guide/recommandations-de-securite-relatives-a-un-systeme-gnulinux/

also discover recently that it's conflicting if osquery present with file integrity monitoring configured
https://osquery.readthedocs.io/en/stable/deployment/process-auditing/

its('log_format') { should cmp 'raw' }
its('flush') { should cmp 'INCREMENTAL' }
its('freq') { should cmp 20 }
its('num_logs') { should cmp 5 }
its('max_log_file') { should cmp 6 }
its('max_log_file_action') { should cmp 'ROTATE' }
its('space_left') { should cmp 75 }
its('action_mail_acct') { should cmp 'root' }
its('space_left_action') { should cmp 'SYSLOG' }
its('admin_space_left') { should cmp 50 }
its('admin_space_left_action') { should cmp 'SUSPEND' }
its('disk_full_action') { should cmp 'SUSPEND' }
its('disk_error_action') { should cmp 'SUSPEND' }
end
end
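Review bot: The `## can also be syslog-ng...` comment above package-07 acknowledges that syslog-ng hosts are legitimate, yet the control hard-fails them because only `package('rsyslog')` is asserted; either gate the expectation on the alternative being absent or state the assumption in the control itself, e.g. `desc 'A syslog daemon is required to receive system and application logs; this control expects rsyslog and must be overridden on syslog-ng hosts'`. In package-08 the `desc` should read `capabilities on recent distributions` rather than `capacities on recent distribution`. The `describe auditd_conf do` block asserts thirteen exact values with no `:if` guard, so on a host where the package assertion just above already failed every one of these also fails for the same root cause; `describe auditd_conf, :if => package('auditd').installed? do` would keep the report readable.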
32 changes: 23 additions & 9 deletions controls/sysctl_spec.rb
Expand Up @@ -22,12 +22,14 @@
impact 1.0
title 'IPv4 Forwarding'
desc "If you're not intending for your system to forward traffic between interfaces, or if you only have a single interface, the forwarding function must be disable."
describe kernel_parameter('net.ipv4.ip_forward') do
its(:value) { should eq 0 }
end
describe kernel_parameter('net.ipv4.conf.all.forwarding') do
its(:value) { should eq 0 }
end
# unless defined? ENV['sysctl_forwarding']
describe kernel_parameter('net.ipv4.ip_forward') do
its(:value) { should eq 0 }
end
describe kernel_parameter('net.ipv4.conf.all.forwarding') do
its(:value) { should eq 0 }
end
# end
end

control 'sysctl-02' do
Expand Down Expand Up @@ -317,11 +319,23 @@

control 'sysctl-31' do
impact 1.0
title 'Disable Core Dumps'
desc 'Ensure that core dumps can never be made by setuid programs'
title 'Secure Core Dumps'
desc 'Ensure that core dumps can never be made by setuid programs or with fully qualified path'

describe kernel_parameter('fs.suid_dumpable') do
its(:value) { should eq 0 }
# its(:value) { should eq 0 or should eq 2 } NOK
# its(:value) { should match /[02]/ } NOK
# its(:value) { should match /0|2/ } NOK
its(:value) { should eq 2 }
end
# unless kernel_parameter('fs.suid_dumpable') == 2
# describe kernel_parameter('fs.suid_dumpable') do
# its(:value) { should eq 2 }
# end
describe kernel_parameter('kernel.core_pattern') do
its(:value) { should match /^\// }


artem-sidorenko Mar 12, 2017


@juju4 @chris-rock @atomic111 this change is part of #44 merged shortly. This test fails for chef-os-hardening and I'm looking for a way how to resolve it.

Can somebody please explain this kernel.core_pattern test for me and the reasons behind it? I can't really get it from the description and/or commit messages :(


juju4 Mar 12, 2017


the point is avoiding suid dump at a bad place.

Options are

  • disable core dump

  • enable core dump but with an absolute path meaning ensuring it starts with '/'
    in my ansible role, I set it to "/tmp/cores/core.%e.%p.%h.%t"
    with fs.suid_dumpable=2

2 - (suidsafe) - any binary which normally not be dumped is dumped
   readable by root only. This allows the end user to remove
   such a dump but not access it directly. For security reasons
   core dumps in this mode will not overwrite one another or 
   other files. This mode is appropriate when adminstrators are
   attempting to debug problems in a normal environment.

https://lwn.net/Articles/104341/

Both values are valid; I'm not sure how to make the test accept one or the other.


artem-sidorenko Mar 13, 2017


@juju4 thanks! Let me summarize it:

  • accepted safe values for us for fs.suid_dumpable are 0 and 2
  • if fs.suid_dumpable is set to 2, when we require that kernel.core_pattern should be set to absolute path
  • if fs.suid_dumpable is set to 0, we do not check the kernel.core_pattern

Is my understanding right?


juju4 Mar 13, 2017


yes!

end
# end
end

control 'sysctl-32' do
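Review bot: The new `its(:value) { should eq 2 }` in sysctl-31 now fails a host with `fs.suid_dumpable = 0`, which the control's own desc ("can never be made by setuid programs") and the previous assertion treated as the safe setting, so the commit replaces a strict check with one that rejects the stricter configuration. The commented-out attempts above it fail because `value` is an Integer (the old assertion was `should eq 0`) and `eq`/`match` take a single operand; RSpec's `satisfy` takes a block and accepts both values. The commented `unless kernel_parameter('fs.suid_dumpable') == 2` compares the resource object rather than its value, which is why it was left disabled; reading `.value` once into a local and using it as the `:if` of the core_pattern describe gives the conditional the author was after. The core_pattern regex also uses `^`, which in Ruby matches at any line start; `\A` anchors the start of the string. sysctl-01's `# unless defined? ENV['sysctl_forwarding']` / `# end` pair is dead commented code and should either be implemented like the login_defs overrides elsewhere in this commit or dropped.
```ruby
  suid_dumpable = kernel_parameter('fs.suid_dumpable')
  describe suid_dumpable do
    # 0 disables dumps for setuid programs; 2 allows root-only-readable dumps
    its(:value) { should satisfy { |v| [0, 2].include?(v) } }
  end
  # an absolute core_pattern only matters when setuid dumps are enabled (mode 2)
  describe kernel_parameter('kernel.core_pattern'), :if => suid_dumpable.value == 2 do
    its(:value) { should match(%r{\A/}) }
  end
```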
