Merge pull request #15 from crashdummymch/1_1_redhat

1 1 redhat
michael-c-hoffman · Apr 11, 2018 · 7acf3e7 · 7acf3e7
2 parents 5581595 + 31daeff
commit 7acf3e7
Show file tree

Hide file tree

Showing 8 changed files with 60 additions and 22 deletions.
diff --git a/Gemfile b/Gemfile
@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
-gem 'inspec', '~> 2'
+gem 'inspec', '2.1.0'
 gem 'rake'
 gem 'rubocop'
 

diff --git a/controls/1_1_filesystem_configuration.rb b/controls/1_1_filesystem_configuration.rb
@@ -55,9 +55,16 @@
   tag cis: 'distribution-independent-linux:1.1.1.3'
   tag level: 1
 
-  describe linux_module('jffs2') do
-    it { should_not be_loaded }
-    its(:command) { should match(%r{^install /bin/true$}) }
+  if os.redhat? && os.release.to_i < 7 then
+    describe linux_module('jffs2') do
+      it { should_not be_loaded }
+      its(:command) { should match(%r{^insmod.*zlib_deflate.koinstall /bin/true$}) }
+    end
+  else
+    describe linux_module('jffs2') do
+      it { should_not be_loaded }
+      its(:command) { should match(%r{^install /bin/true$}) }
+    end
   end
 end
 
@@ -111,9 +118,21 @@
   tag cis: 'distribution-independent-linux:1.1.1.7'
   tag level: 1
 
-  describe linux_module('udf') do
-    it { should_not be_loaded }
-    its(:command) { should match(%r{^install /bin/true$}) }
+  if os.redhat? && os.release.to_i < 7 then
+    describe linux_module('udf') do
+      it { should_not be_loaded }
+      its(:command) { should match(%r{^insmod.*crc-itu-t.koinstall /bin/true$}) }
+    end
+  elsif os.family? == 'redhat' then
+    describe linux_module('udf') do
+      it { should_not be_loaded }
+      its(:command) { should match(%r{^insmod.*crc-itu-t.ko.xzinstall /bin/true$}) }
+    end
+  else
+    describe linux_module('udf') do
+      it { should_not be_loaded }
+      its(:command) { should match(%r{^install /bin/true$}) }
+    end
   end
 end
 
@@ -127,7 +146,11 @@
 
   describe linux_module('vfat') do
     it { should_not be_loaded }
-    its(:command) { should match(%r{^install /bin/true$}) }
+    its(:command) { should match(%r{^install /bin/trueinstall /bin/true$}) }
+  end
+  describe linux_module('msdos') do
+    it { should_not be_loaded }
+    its(:command) { should match(%r{^install /bin/trueinstall /bin/true$}) }
   end
 end
 

diff --git a/controls/1_3_filesystem_integrity_checking.rb b/controls/1_3_filesystem_integrity_checking.rb
@@ -14,6 +14,7 @@
 # limitations under the License.
 #
 # author: Kristian Vlaardingerbroek
+#
 
 title '1.3 Filesystem Integrity Checking'
 
@@ -45,7 +46,7 @@
   tag level: 1
 
   describe.one do
-    %w(/var/spool/cron/crontabs/root /etc/crontab).each do |f|
+    %w(/var/spool/cron/crontabs/root /var/spool/cron/root /etc/crontab).each do |f|
       describe file(f) do
         its(:content) { should match(/aide --check/) }
       end

diff --git a/controls/1_4_secure_boot_settings.rb b/controls/1_4_secure_boot_settings.rb
@@ -26,7 +26,7 @@
   tag level: 1
 
   describe.one do
-    %w(/boot/grub/grub.conf /boot/grub/grub.cfg /boot/grub/menu.lst /boot/boot/grub/grub.conf /boot/boot/grub/grub.cfg /boot/boot/grub/menu.lst).each do |f|
+    %w(/boot/grub/grub.conf /boot/grub/grub.cfg /boot/grub/menu.lst /boot/boot/grub/grub.conf /boot/boot/grub/grub.cfg /boot/boot/grub/menu.lst /boot/grub2/grub.cfg).each do |f|
       describe file(f) do
         it { should exist }
         it { should_not be_readable.by 'group' }
@@ -51,7 +51,7 @@
   tag level: 1
 
   describe.one do
-    %w(/boot/grub/grub.conf /boot/grub/grub.cfg /boot/grub/menu.lst /boot/boot/grub/grub.conf /boot/boot/grub/grub.cfg /boot/boot/grub/menu.lst).each do |f|
+    %w(/boot/grub/grub.conf /boot/grub/grub.cfg /boot/grub/menu.lst /boot/boot/grub/grub.conf /boot/boot/grub/grub.cfg /boot/boot/grub/menu.lst /boot/grub/grub.cfg).each do |f|
       describe file(f) do
         its(:content) { should match(/^set superusers/) }
         its(:content) { should match(/^password/) }

diff --git a/controls/2_2_special_purpose_services.rb b/controls/2_2_special_purpose_services.rb
@@ -73,6 +73,10 @@
       its(:content) { should match(/^RUNASUSER=ntp\s*(?:#.*)?$/) }
     end
 
+    describe file('/etc/init.d/ntpd') do
+      its(:content) { should match(/daemon\s+(\S+\s+)-u ntp:ntp(?:\s+|\s?")/) }
+    end
+
     describe file('/etc/sysconfig/ntpd') do
       its(:content) { should match(/^OPTIONS="(?:.)?-u ntp:ntp\s*(?:.)?"\s*(?:#.*)?$/) }
     end
@@ -95,8 +99,12 @@
     package('chrony').installed? || command('chronyd').exist?
   end
 
-  describe file('/etc/chrony/chrony.conf') do
-    its(:content) { should match(/^server\s+\S+/) }
+  describe.one do
+    %w(/etc/chrony/chrony.conf /etc/chrony.conf).each do |f|
+      describe file(f) do
+        its(:content) { should match(/^server\s+\S+/) }
+      end
+    end
   end
 
   describe processes('chronyd') do

diff --git a/controls/3_4_tcp_wrappers.rb b/controls/3_4_tcp_wrappers.rb
@@ -25,8 +25,12 @@
   tag cis: 'distribution-independent-linux:3.4.1'
   tag level: 1
 
-  describe package('tcpd') do
-    it { should be_installed }
+  describe.one do
+    %w(tcpd tcp_wrappers).each do |p|
+      describe package(p) do
+        it { should be_installed }
+      end
+    end
   end
 end
 

diff --git a/controls/4_1_configure_system_accounting_auditd.rb b/controls/4_1_configure_system_accounting_auditd.rb
@@ -87,7 +87,7 @@
     tag level: 2
 
     describe.one do
-      %w(/boot/grub/grub.conf /boot/grub/grub.cfg /boot/grub/menu.lst /boot/boot/grub/grub.conf /boot/boot/grub/grub.cfg /boot/boot/grub/menu.lst).each do |f|
+      %w(/boot/grub/grub.conf /boot/grub/grub.cfg /boot/grub/menu.lst /boot/boot/grub/grub.conf /boot/boot/grub/grub.cfg /boot/boot/grub/menu.lst /boot/grub2/grub.cfg).each do |f|
         describe file(f) do
           its(:content) { should match(/audit=1/) }
         end
@@ -353,11 +353,11 @@
 
     if command('uname -m').stdout.strip == 'x86_64'
       describe file('/etc/audit/audit.rules') do
-        its(:content) { should match(/^-a (always,exit|exit,always) arch=b64 -S init_module -S delete_module -k modules$/) }
+        its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 -S init_module -S delete_module -k modules$/) }
       end
     else
       describe file('/etc/audit/audit.rules') do
-        its(:content) { should match(/^-a (always,exit|exit,always) arch=b32 -S init_module -S delete_module -k modules$/) }
+        its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 -S init_module -S delete_module -k modules$/) }
       end
     end
   end

diff --git a/controls/5_1_configure_cron.rb b/controls/5_1_configure_cron.rb
@@ -25,10 +25,12 @@
   tag cis: 'distribution-independent-linux:5.1.1'
   tag level: 1
 
-  %w(cron crond).each do |s|
-    describe service(s) do
-      it { should be_enabled }
-      it { should be_running }
+  describe.one do
+    %w(cron crond).each do |s|
+      describe service(s) do
+        it { should be_enabled }
+        it { should be_running }
+      end
     end
   end
 end