dev-sec · m41kc0d3 · Jul 23, 2021 · Jul 23, 2021 · schurzi · Jul 26, 2021
diff --git a/NOTICE b/NOTICE
@@ -0,0 +1,5 @@
+DevSec Linux Baseline
+
+Huge parts of the audit rules in controls/os_spec.rb
+was created by Deutsche Telekom AG. (https://github.com/telekom/tel-it-security-automation/blob/21dacf83ab1245bf7c42c12d1d25292562599b79/hardening-linux-server/vars/main.yml & https://github.com/telekom/tel-it-security-automation)
+Copyright (c) 2020 Maximilian Hertstein [...] Deutsche Telekom AG
diff --git a/controls/os_spec.rb b/controls/os_spec.rb
@@ -282,3 +282,43 @@
     end
   end
 end
+
+control 'os-15' do
+  impact 1.0
+  title 'Check auditd rules'
+  desc 'Check that the auditd rules are created and active'
+  output = command('auditctl -l')
+  describe output do
+    its(:stdout) { should match '-a always,exit -F arch=b64 -S execve' }
+    its(:stdout) { should match '-w /etc/localtime -p wa -k time-change' }
+    its(:stdout) { should match '-w /sbin/insmod -p x -k modules' }
+    its(:stdout) { should match '-w /etc/crontab' }
+    its(:stdout) { should match '-w /etc/sudoers -p wa -k scope' }
+    its(:stdout) { should match '-w /etc/passwd -p wa -k identity' }
+    its(:stdout) { should match '-w /var/log/audit/audit.log' }
+    its(:stdout) { should match '-w /etc/hosts -p wa -k system-locale' }
+    its(:stdout) { should match '-w /etc/ssh/sshd_config' }
+    if os.redhat? || os.name == 'amazon' || os.name == 'fedora'
 control 'os-05b' do 
   impact 1.0 
   title 'Check login.defs - RedHat specific' 
   desc 'Check owner and permissions for login.defs. Also check the configured PATH variable and umask in login.defs' 
   describe file('/etc/login.defs') do 
     it { should_not be_writable } 
   end 
   describe login_defs do 
     its('SYS_UID_MIN') { should eq '201' } 
     its('SYS_UID_MAX') { should eq '999' } 
     its('SYS_GID_MIN') { should eq '201' } 
     its('SYS_GID_MAX') { should eq '999' } 
   end 
   only_if { os.redhat? } 
 end 
 control 'os-05b' do 
   impact 1.0 
   title 'Check login.defs - RedHat specific' 
   desc 'Check owner and permissions for login.defs. Also check the configured PATH variable and umask in login.defs' 
   describe file('/etc/login.defs') do 
     it { should_not be_writable } 
   end 
   describe login_defs do 
     its('SYS_UID_MIN') { should eq '201' } 
     its('SYS_UID_MAX') { should eq '999' } 
     its('SYS_GID_MIN') { should eq '201' } 
     its('SYS_GID_MAX') { should eq '999' } 
   end 
   only_if { os.redhat? } 
 end 
+      its(:stdout) { should match '-w /usr/bin/yum -p x -k software_mgmt' }
+      its(:stdout) { should match '-w /etc/selinux -p wa -k MAC-policy' }
+    end
+    if os.suse?
+      its(:stdout) { should match '-w /usr/bin/zypper -p x -k software_mgmt' }
+    end
+    if os.debian?
+      its(:stdout) { should match '-w /usr/bin/apt-get -p x -k software_mgmt' }
+      its(:stdout) { should match '-w /var/log/system.log' }
+      its(:stdout) { should match '-w /etc/network/interfaces -p wa -k system-locale' }
+    end
+    if os.name == 'arch'
+      its(:stdout) { should match '-w /usr/bin/pacman -p x -k software_mgmt' }
+    end
+    if os.redhat? || os.name == 'amazon' || os.name == 'fedora' || os.suse?
+      its(:stdout) { should match '-w /var/log/messages' }
+      its(:stdout) { should match '-w /etc/sysconfig/network-scripts -p wa -k system-locale' }
+    end
+    if os.suse? || os.debian?
+      its(:stdout) { should match '-w /etc/apparmor -p wa -k MAC-policy' }
+    end
+  end
+end