From a1e4d22fa160d6622811c5429676ea273b9a98af Mon Sep 17 00:00:00 2001 From: crashdummymch Date: Wed, 13 Jun 2018 15:27:36 -0400 Subject: [PATCH] Ubuntu modinfo (#26) * Each MAC entry should be an element in the list. * Check if each MAC is approved instead of specific sets of MACs. * Trying to get syntax right to iterate over array. * Ensuring the MACs list is proper. * Fixing linting error. * Fix checking of password quality items. * Trying to get the check right. * Try using whether a package is installed as the identifier. * pwquality requires a different package on amazon and centos7. * Adding a whole section for cracklib checks also. * Missing an end to a describe. * Working on regex check for password quality. * Got the regex right. * More work on the password options regex. * Fixed regex for cracklib adding back in if statement for package. * Fix linting issues, added an inline ignore to large block length for this control. * Add just a bashrc file for Centos7 and check for file existence before checking for values in it. * Fix file existence syntax. * Wrap block in if statement. * Fix style issues for rubocop. * Remove ruby-version from commit. * Remove Gemfile.lock. * Adjust modprobe check to remove false positives. * updated regex to account for sha512 not being first option * Fix deprecation warnings. (#34) HardeningFramework-DCO-1.1-Signed-off-by: Tim Stoop (github: timstoop) * Change regex to allow multiple spaces. (#35) HardeningFramework-DCO-1.1-Signed-off-by: Tim Stoop (github: timstoop) * Debian uses group 42, which is just as secure. (#33) HardeningFramework-DCO-1.1-Signed-off-by: Tim Stoop (github: timstoop) * ubuntu modinfo --- controls/1_4_secure_boot_settings.rb | 2 +- controls/5_4_user_accounts_and_environments.rb | 6 +++--- controls/6_1_system_file_permissions.rb | 10 ++++++++-- libraries/linux_module.rb | 6 +++++- 4 files changed, 17 insertions(+), 7 deletions(-) 
diff --git a/controls/1_4_secure_boot_settings.rb b/controls/1_4_secure_boot_settings.rb
index 167d598..d4620c2 100644
--- a/controls/1_4_secure_boot_settings.rb
+++ b/controls/1_4_secure_boot_settings.rb
@@ -69,7 +69,7 @@
 tag level: 1
 describe.one do
- describe shadow.users('root') do
+ describe shadow.user('root') do
 its(:password) { should_not include('*') }
 its(:password) { should_not include('!') }
 end
diff --git a/controls/5_4_user_accounts_and_environments.rb b/controls/5_4_user_accounts_and_environments.rb
index bea8dc8..79abd4e 100644
--- a/controls/5_4_user_accounts_and_environments.rb
+++ b/controls/5_4_user_accounts_and_environments.rb
@@ -82,7 +82,7 @@
 end
 shadow_files.each do |f|
- shadow(f).users(/.+/).entries.each do |user|
+ shadow(f).user(/.+/).entries.each do |user|
 next if (user.password && %w(* !)).any?
 describe user do
@@ -105,7 +105,7 @@
 end
 shadow_files.each do |f|
- shadow(f).users(/.+/).entries.each do |user|
+ shadow(f).user(/.+/).entries.each do |user|
 next if (user.password && %w(* !)).any?
 describe user do
@@ -199,6 +199,6 @@
 tag level: 1
 describe file('/etc/pam.d/su') do
- its(:content) { should match(/^auth required pam_wheel.so use_uid$/) }
+ its(:content) { should match(/^auth\s+required\s+pam_wheel.so use_uid$/) }
 end
 end
diff --git a/controls/6_1_system_file_permissions.rb b/controls/6_1_system_file_permissions.rb
index 0d04689..e1c6f26 100644
--- a/controls/6_1_system_file_permissions.rb
+++ b/controls/6_1_system_file_permissions.rb
@@ -77,6 +77,9 @@
 shadow_files = ['/etc/shadow']
 shadow_files << '/usr/share/baselayout/shadow' if file('/etc/nsswitch.conf').content =~ /^shadow:\s+(\S+\s+)*usrfiles/
+ expected_gid = 0
+ expected_gid = 42 if os.debian?
+
 shadow_files.each do |f|
 describe file(f) do
 it { should exist }
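Review bot: The guard directly under the new `shadow(f).user(/.+/).entries.each do |user|` header, `next if (user.password && %w(* !)).any?`, never lets a user through: when `user.password` is truthy the `&&` evaluates to the literal array `%w(* !)`, whose `any?` is always true, and when it is nil the call raises NoMethodError, so the `describe user do` block below is never reached. The same guard sits in the -105 hunk of this file. The intent appears to be skipping entries whose password field carries a lock marker, e.g. `next if %w(* !).any? { |marker| Array(user.password).any? { |p| p.include?(marker) } }`; I cannot see from the hunk whether `password` is a string or an array, hence the `Array()` wrapper. The enclosing `shadow_files.each` block continues past the hunk.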
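Review bot: The new pattern still demands exactly one space between `pam_wheel.so` and `use_uid`, although the change was made to tolerate variable whitespace in the earlier gaps, and the unescaped `.` in `pam_wheel.so` matches any character; `/^auth\s+required\s+pam_wheel\.so\s+use_uid$/` is the consistent form. The trailing `$` also rejects a line that carries further module options after `use_uid`, which is still a compliant configuration; if only the bare form is meant to pass, a short comment saying so, such as `# only the exact 'use_uid'-only form is accepted`, would save the next reader a guess. The `^`/`$` anchors themselves are right here because the file content is multi-line and the match is per line.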
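Review bot: The Debian exception relaxes only the gid assertion, and gid 42 is equivalent to root group ownership only while the group permission bits stay restrictive; the group-permission assertions (presumably the `by 'group'` counterparts of the `by 'other'` lines shown in the -90 hunk) sit above that hunk and are not visible here, so confirm they still hold for the Debian branch. As a point of style, the two-step assignment reads more directly as `expected_gid = os.debian? ? 42 : 0`, and the identical pair of lines is repeated in the -141 hunk for gshadow, where one shared assignment would do. A comment such as `# Debian-family systems keep /etc/shadow group-owned by gid 42 ('shadow'), which is equally restrictive` would explain the magic number inside the control rather than only in the commit message. Note that `os.debian?` also covers Ubuntu, which the PR title suggests is intended.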
@@ -90,7 +93,7 @@
 it { should_not be_writable.by 'other' }
 it { should_not be_executable.by 'other' }
 its(:uid) { should cmp 0 }
- its(:gid) { should cmp 0 }
+ its(:gid) { should cmp expected_gid }
 its(:sticky) { should equal false }
 its(:suid) { should equal false }
 its(:sgid) { should equal false }
@@ -141,6 +144,9 @@
 gshadow_files = ['/etc/gshadow']
 gshadow_files << '/usr/share/baselayout/gshadow' if file('/etc/nsswitch.conf').content =~ /^gshadow:\s+(\S+\s+)*usrfiles/
+ expected_gid = 0
+ expected_gid = 42 if os.debian?
+
 gshadow_files.each do |f|
 describe file(f) do
 it { should exist }
@@ -154,7 +160,7 @@
 it { should_not be_writable.by 'other' }
 it { should_not be_executable.by 'other' }
 its(:uid) { should cmp 0 }
- its(:gid) { should cmp 0 }
+ its(:gid) { should cmp expected_gid }
 its(:sticky) { should equal false }
 its(:suid) { should equal false }
 its(:sgid) { should equal false }
diff --git a/libraries/linux_module.rb b/libraries/linux_module.rb
index aa680c2..bc1457a 100644
--- a/libraries/linux_module.rb
+++ b/libraries/linux_module.rb
@@ -60,7 +60,11 @@ def version
 def command
 # Lets just ensure the last line in the kernel module's configuration is 'install /bin/true'
 # this is enough to be sure the module will not be loaded on next reboot or run of modprobe
- modinfo_cmd = "/sbin/modprobe -n -v #{@module} | tail -n 1 | awk '{$1=$1;print}'"
+ modinfo_cmd = if inspec.os.redhat? || inspec.os.name == 'fedora'
+ "/sbin/modprobe -n -v #{@module} | tail -n 1 | awk '{$1=$1;print}'"
+ else
+ "modprobe --showconfig | grep ${@module} | tail -n 1 | sed 's/#{@module}//g' | awk '{$1=$1;print}'"
+ end
 cmd = inspec.command(modinfo_cmd)
 cmd.exit_status.zero? ? cmd.stdout.delete("\n") : nil