Ubuntu modinfo (#26)
* Each MAC entry should be an element in the list.

* Check if each MAC is approved instead of specific sets of MACs.

* Trying to get syntax right to iterate over array.

* Ensuring the MACs list is proper.

* Fixing linting error.

* Fix checking of password quality items.

* Trying to get the check right.

* Try using whether a package is installed as the identifier.

* pwquality requires a different package on Amazon and CentOS 7.

* Adding a whole section for cracklib checks also.

* Missing an end to a describe.

* Working on regex check for password quality.

* Got the regex right.

* More work on the password options regex.

* Fixed regex for cracklib adding back in if statement for package.

* Fix linting issues; added an inline ignore for the large block length of this control.

* Add just a bashrc file for CentOS 7 and check for file existence before checking for values in it.

* Fix file existence syntax.

* Wrap block in if statement.

* Fix style issues for rubocop.

* Remove ruby-version from commit.

* Remove Gemfile.lock.

* Adjust modprobe check to remove false positives.

* Updated regex to account for sha512 not being the first option.

* Fix deprecation warnings. (dev-sec#34)

HardeningFramework-DCO-1.1-Signed-off-by: Tim Stoop <github@timstoop.nl> (github: timstoop)

* Change regex to allow multiple spaces. (dev-sec#35)

HardeningFramework-DCO-1.1-Signed-off-by: Tim Stoop <github@timstoop.nl> (github: timstoop)

* Debian uses group 42, which is just as secure. (dev-sec#33)

HardeningFramework-DCO-1.1-Signed-off-by: Tim Stoop <github@timstoop.nl> (github: timstoop)

* Ubuntu modinfo
crashdummymch authored Jun 13, 2018
1 parent 964a183 commit a1e4d22
Showing 4 changed files with 17 additions and 7 deletions.
2 changes: 1 addition & 1 deletion controls/1_4_secure_boot_settings.rb
Original file line number Diff line number Diff line change
Expand Up @@ -69,7 +69,7 @@
tag level: 1

describe.one do
describe shadow.users('root') do
describe shadow.user('root') do
its(:password) { should_not include('*') }
its(:password) { should_not include('!') }
end
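Review bot: with only one `describe` left inside it, the `describe.one` wrapper at the top of this hunk no longer expresses an alternative and either the second alternative should be restored or the wrapper dropped so the control reads as a plain check. Also worth confirming what `shadow.user('root')` exposes as `password`: if it is the list of matching entries rather than a single string, `should_not include('*')` only fails on an entry equal to `*` and will not catch locked hashes such as `!!` or `*LK*`; checking the hash prefix explicitly (e.g. that each password matches `/^\$/`) would make the "root has a real password" intent unambiguous.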
6 changes: 3 additions & 3 deletions controls/5_4_user_accounts_and_environments.rb
Expand Up @@ -82,7 +82,7 @@
end

shadow_files.each do |f|
shadow(f).users(/.+/).entries.each do |user|
shadow(f).user(/.+/).entries.each do |user|
next if (user.password && %w(* !)).any?

describe user do
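Review bot: the guard `next if (user.password && %w(* !)).any?` on the line after the changed one skips every user: `user.password && %w(* !)` evaluates to the array `%w(* !)` whenever the password field is set, and `.any?` on that array is always true, so the `describe user do` block below never runs (and if the field were nil, `nil.any?` would raise). The intent is presumably to skip locked or passwordless accounts, i.e. `next if %w(* !).include?(user.password)` or, to also cover prefixed forms such as `!!` and `*LK*`, `next if user.password =~ /^[*!]/`. The same line appears in the next hunk and needs the same fix.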
Expand All @@ -105,7 +105,7 @@
end

shadow_files.each do |f|
shadow(f).users(/.+/).entries.each do |user|
shadow(f).user(/.+/).entries.each do |user|
next if (user.password && %w(* !)).any?

describe user do
Expand Down Expand Up @@ -199,6 +199,6 @@
tag level: 1

describe file('/etc/pam.d/su') do
its(:content) { should match(/^auth required pam_wheel.so use_uid$/) }
its(:content) { should match(/^auth\s+required\s+pam_wheel.so use_uid$/) }
end
end
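Review bot: the relaxed whitespace in the new regex stops at `pam_wheel.so`: the single space before `use_uid` and the `$` anchor still require exactly `pam_wheel.so use_uid` at end of line, so `auth required pam_wheel.so use_uid group=wheel`, or a line with a tab in that last gap, still fails, and the unescaped `.` in `pam_wheel.so` is a wildcard. Suggest `/^auth\s+required\s+pam_wheel\.so\s+.*\buse_uid\b/`; `^auth` still excludes commented-out lines, since a leading `#` will not match.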
10 changes: 8 additions & 2 deletions controls/6_1_system_file_permissions.rb
Expand Up @@ -77,6 +77,9 @@
shadow_files = ['/etc/shadow']
shadow_files << '/usr/share/baselayout/shadow' if file('/etc/nsswitch.conf').content =~ /^shadow:\s+(\S+\s+)*usrfiles/

expected_gid = 0
expected_gid = 42 if os.debian?

shadow_files.each do |f|
describe file(f) do
it { should exist }
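Review bot: hard-coding 42 ties the control to Debian's group numbering, while the property actually being asserted is that the file belongs to the `shadow` group; comparing by name is more robust and self-documenting, e.g. drop `expected_gid` and use `its(:group) { should cmp 'shadow' }` for the Debian case (or `its(:group) { should be_in %w(root shadow) }` if a single expectation for all families is preferred). Note that `os.debian?` is true for the whole Debian family in InSpec, Ubuntu included, which is what this fix wants (Ubuntu uses the same `shadow` group) but deserves a comment so nobody "narrows" it later.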
Expand All @@ -90,7 +93,7 @@
it { should_not be_writable.by 'other' }
it { should_not be_executable.by 'other' }
its(:uid) { should cmp 0 }
its(:gid) { should cmp 0 }
its(:gid) { should cmp expected_gid }
its(:sticky) { should equal false }
its(:suid) { should equal false }
its(:sgid) { should equal false }
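Review bot: if ownership by the `shadow` group (gid 42) is accepted here, the control also has to accept the mode that goes with it: on Debian and Ubuntu /etc/shadow is 0640 precisely so members of `shadow` can read it. The readability expectations sit above this hunk and are not shown; please confirm that any `should_not be_readable.by 'group'` check in that block is relaxed for the Debian case too, otherwise the gid change alone still leaves the control failing on those systems.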
Expand Down Expand Up @@ -141,6 +144,9 @@
gshadow_files = ['/etc/gshadow']
gshadow_files << '/usr/share/baselayout/gshadow' if file('/etc/nsswitch.conf').content =~ /^gshadow:\s+(\S+\s+)*usrfiles/

expected_gid = 0
expected_gid = 42 if os.debian?

gshadow_files.each do |f|
describe file(f) do
it { should exist }
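Review bot: `expected_gid` is computed a second time here, identically to the shadow block above; hoist it once near the top of the file (or into a small helper under libraries/) so the two copies cannot drift apart, and so the Debian-specific reasoning is documented in one place.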
Expand All @@ -154,7 +160,7 @@
it { should_not be_writable.by 'other' }
it { should_not be_executable.by 'other' }
its(:uid) { should cmp 0 }
its(:gid) { should cmp 0 }
its(:gid) { should cmp expected_gid }
its(:sticky) { should equal false }
its(:suid) { should equal false }
its(:sgid) { should equal false }
6 changes: 5 additions & 1 deletion libraries/linux_module.rb
Expand Up @@ -60,7 +60,11 @@ def version
def command
# Lets just ensure the last line in the kernel module's configuration is 'install /bin/true'
# this is enough to be sure the module will not be loaded on next reboot or run of modprobe
modinfo_cmd = "/sbin/modprobe -n -v #{@module} | tail -n 1 | awk '{$1=$1;print}'"
modinfo_cmd = if inspec.os.redhat? || inspec.os.name == 'fedora'
"/sbin/modprobe -n -v #{@module} | tail -n 1 | awk '{$1=$1;print}'"
else
"modprobe --showconfig | grep ${@module} | tail -n 1 | sed 's/#{@module}//g' | awk '{$1=$1;print}'"
end

cmd = inspec.command(modinfo_cmd)
cmd.exit_status.zero? ? cmd.stdout.delete("\n") : nil
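Review bot: `grep ${@module}` in the non-Red Hat branch is a shell parameter expansion, not Ruby interpolation: Ruby leaves `${@module}` in the string literally, the shell then rejects it as a bad substitution, the pipeline exits non-zero, and `command` returns nil for every module on Debian/Ubuntu, which is exactly the platform this change is meant to fix. It must be `#{@module}`, as on the `sed` that follows. While here: an unanchored `grep` also matches any module whose name contains this one as a substring (`usb` vs `usb_storage`, `hfs` vs `hfsplus`), and `modprobe --showconfig` prints `blacklist`, `alias` and `options` lines for the same module, so `tail -n 1` can land on one of those instead of the `install` line the comment says we rely on. Matching the directive and name as whole fields avoids both problems, e.g. `modprobe --showconfig | awk '$1 == \"install\" && $2 == \"#{@module}\" { print $1, $3 }' | tail -n 1`, which yields `install /bin/true` in the same shape the Red Hat branch produces. A short comment on why `modprobe -n -v` is not used for the Debian family would help the next reader, since nothing in the hunk explains the split.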