From b3ee8b50a8ba85c9804de01a5fc752c716ba36f1 Mon Sep 17 00:00:00 2001
From: bryaend
Date: Tue, 14 Mar 2023 21:59:42 -0500
Subject: [PATCH 1/4] motd may be configured under /etc/update-motd.d/
Signed-off-by: bryaend
Signed-off-by: Bryan Endres
---
 controls/1_7_warning_banners.rb | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/controls/1_7_warning_banners.rb b/controls/1_7_warning_banners.rb
index c756a21..1079d00 100644
--- a/controls/1_7_warning_banners.rb
+++ b/controls/1_7_warning_banners.rb
@@ -59,17 +59,28 @@
 end
 control 'cis-dil-benchmark-1.7.1.4' do
- title 'Ensure permissions on /etc/motd are configured'
- desc "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users.\n\nRationale: If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
+ title 'Ensure permissions on /etc/motd and /etc/update-motd.d/* are configured'
+ desc "The contents of the /etc/motd and /etc/update-motd.d/* files are displayed to users after login and function as a message of the day for authenticated users.\n\nRationale: If the files do not have the correct ownership, they could be modified by unauthorized users with incorrect or misleading information."
 impact 0.0
 tag cis: 'distribution-independent-linux:1.7.1.4'
 tag level: 1
- describe file('/etc/motd') do
- its('group') { should eq 'root' }
- its('owner') { should eq 'root' }
- its('mode') { should cmp '0644' }
+ motd_file = '/etc/motd'
+
+ if File.exist?(motd_file)
+ describe file(motd_file) do
+ its('group') { should eq 'root' }
+ its('owner') { should eq 'root' }
+ its('mode') { should cmp '0644' }
+ end
+ end
+ command('find /etc/update-motd.d/ -type f').stdout.split.each do |f|
+ describe file(f) do
+ its('group') { should eq 'root' }
+ its('owner') { should eq 'root' }
+ its('mode') { should cmp '0755' }
+ end
 end
 end
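Review bot: `if File.exist?(motd_file)` uses Ruby's local `File` class, so it checks the filesystem of the host running InSpec rather than the target, and when the scanner host lacks `/etc/motd` the control passes with no tests at all. The target-side check is the resource, `if file(motd_file).exist?` (an `only_if` with a reason string would additionally report the skip instead of a silent pass). `command('find /etc/update-motd.d/ -type f').stdout.split` also splits on every whitespace character, so a file name containing a space becomes two nonexistent paths; `.stdout.lines.map(&:chomp)` keeps one entry per line. PATCH 4 in this series reverts the hunk wholesale, so this only matters if the /etc/update-motd.d/ coverage is reintroduced.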
From dbfc2c195091cbbcb22636fb85b179f5b561d308 Mon Sep 17 00:00:00 2001
From: Bryan Endres
Date: Fri, 17 Mar 2023 17:18:43 -0500
Subject: [PATCH 2/4] Don't fail modules that should be disabled if they're not even installed
Signed-off-by: Bryan Endres
---
 controls/1_1_filesystem_configuration.rb | 103 +++++++++++++++------
 controls/3_4_uncommon_network_protocols.rb | 46 ++++++---
 2 files changed, 107 insertions(+), 42 deletions(-)
diff --git a/controls/1_1_filesystem_configuration.rb b/controls/1_1_filesystem_configuration.rb
index 1dfd490..bc56094 100644
--- a/controls/1_1_filesystem_configuration.rb
+++ b/controls/1_1_filesystem_configuration.rb
@@ -20,7 +20,7 @@
 cis_level = input('cis_level')
 title '1.1 Filesystem Configuration'
-
+kernel_module
 control 'cis-dil-benchmark-1.1.1.1' do
 title 'Ensure mounting of cramfs filesystems is disabled'
 desc "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image.\n\nRationale: Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it."
@@ -29,9 +29,14 @@
 tag cis: 'distribution-independent-linux:1.1.1.1'
 tag level: 1
- describe kernel_module('cramfs') do
- it { should_not be_loaded }
- it { should be_disabled }
+ describe.one do
+ describe file('/proc/modules') do
+ its('content') { should_not match(/^cramfs\s/) }
+ end
+ describe kernel_module('cramfs') do
+ it { should_not be_loaded }
+ it { should be_disabled }
+ end
 end
 end
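Review bot: `+kernel_module` in the `@@ -20,7 +20,7 @@` hunk of controls/1_1_filesystem_configuration.rb is a bare resource call with no module name at file scope, replacing the blank line between the file's `title` and its first `control`; it reads like an accidental paste rather than part of the described change. At profile load it will presumably construct a nameless resource, or raise if the resource insists on its argument, and either way it is noise in a file that otherwise only defines controls. Neither PATCH 3 nor PATCH 4 removes it, so it survives the series; drop the line and restore the blank.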
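Review bot: The `describe.one` wrapper in the cramfs hunk makes the control pass as soon as `/proc/modules` does not list the module, which only shows the module is not loaded right now, not that it is absent from the kernel's module tree or disabled; since `should_not be_loaded` presumably reads the same information, `should be_disabled` can no longer fail on a host where the module is merely unloaded but still auto-loadable on demand. That silently weakens the control relative to its audit intent, and the same pattern appears in the freevxfs, jffs2, hfs, hfsplus, squashfs, udf, vfat and usb_storage hunks of this file and in the dccp, sctp, rds and tipc hunks of controls/3_4_uncommon_network_protocols.rb. The commit's stated goal, not failing when the module is not installed, is better expressed as a visible skip that leaves the original assertions intact, for example `only_if('cramfs module is not present on this kernel') { command('modinfo cramfs').exit_status == 0 }` ahead of the unchanged `describe kernel_module('cramfs')` block. A skipped control is reported as such, whereas the `describe.one` form reports a pass that an auditor cannot tell apart from a genuinely disabled module.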
@@ -43,9 +48,14 @@
 tag cis: 'distribution-independent-linux:1.1.1.2'
 tag level: 1
- describe kernel_module('freevxfs') do
- it { should_not be_loaded }
- it { should be_disabled }
+ describe.one do
+ describe file('/proc/modules') do
+ its('content') { should_not match(/^freevxfs\s/) }
+ end
+ describe kernel_module('freevxfs') do
+ it { should_not be_loaded }
+ it { should be_disabled }
+ end
 end
 end
@@ -57,9 +67,14 @@
 tag cis: 'distribution-independent-linux:1.1.1.3'
 tag level: 1
- describe kernel_module('jffs2') do
- it { should_not be_loaded }
- it { should be_disabled }
+ describe.one do
+ describe file('/proc/modules') do
+ its('content') { should_not match(/^jffs2\s/) }
+ end
+ describe kernel_module('jffs2') do
+ it { should_not be_loaded }
+ it { should be_disabled }
+ end
 end
 end
@@ -71,9 +86,14 @@
 tag cis: 'distribution-independent-linux:1.1.1.4'
 tag level: 1
- describe kernel_module('hfs') do
- it { should_not be_loaded }
- it { should be_disabled }
+ describe.one do
+ describe file('/proc/modules') do
+ its('content') { should_not match(/^hfs\s/) }
+ end
+ describe kernel_module('hfs') do
+ it { should_not be_loaded }
+ it { should be_disabled }
+ end
 end
 end
@@ -85,9 +105,14 @@
 tag cis: 'distribution-independent-linux:1.1.1.5'
 tag level: 1
- describe kernel_module('hfsplus') do
- it { should_not be_loaded }
- it { should be_disabled }
+ describe.one do
+ describe file('/proc/modules') do
+ its('content') { should_not match(/^hfsplus\s/) }
+ end
+ describe kernel_module('hfsplus') do
+ it { should_not be_loaded }
+ it { should be_disabled }
+ end
 end
 end
@@ -99,9 +124,14 @@
 tag cis: 'distribution-independent-linux:1.1.1.6'
 tag level: 1
- describe kernel_module('squashfs') do
- it { should_not be_loaded }
- it { should be_disabled }
+ describe.one do
+ describe file('/proc/modules') do
+ its('content') { should_not match(/^squashfs\s/) }
+ end
+ describe kernel_module('squashfs') do
+ it { should_not be_loaded }
+ it { should be_disabled }
+ end
 end
 end
@@ -113,9 +143,14 @@
 tag cis: 'distribution-independent-linux:1.1.1.7'
 tag level: 1
- describe kernel_module('udf') do
- it { should_not be_loaded }
- it { should be_disabled }
+ describe.one do
+ describe file('/proc/modules') do
+ its('content') { should_not match(/^udf\s/) }
+ end
+ describe kernel_module('udf') do
+ it { should_not be_loaded }
+ it { should be_disabled }
+ end
 end
 end
@@ -127,9 +162,14 @@
 tag cis: 'distribution-independent-linux:1.1.1.8'
 tag level: 2
- describe kernel_module('vfat') do
- it { should_not be_loaded }
- it { should be_disabled }
+ describe.one do
+ describe file('/proc/modules') do
+ its('content') { should_not match(/^vfat\s/) }
+ end
+ describe kernel_module('vfat') do
+ it { should_not be_loaded }
+ it { should be_disabled }
+ end
 end
 only_if { cis_level == 2 }
@@ -465,8 +505,13 @@
 # kernel modules need to use underscores
 # ref: https://github.com/inspec/inspec/issues/5190
- describe kernel_module('usb_storage') do
- it { should_not be_loaded }
- it { should be_disabled }
+ describe.one do
+ describe file('/proc/modules') do
+ its('content') { should_not match(/^usb_storage\s/) }
+ end
+ describe kernel_module('usb_storage') do
+ it { should_not be_loaded }
+ it { should be_disabled }
+ end
 end
-end
+end
\ No newline at end of file
diff --git a/controls/3_4_uncommon_network_protocols.rb b/controls/3_4_uncommon_network_protocols.rb
index 45011d8..4aa90e2 100644
--- a/controls/3_4_uncommon_network_protocols.rb
+++ b/controls/3_4_uncommon_network_protocols.rb
@@ -31,9 +31,14 @@
 only_if { cis_level == 2 }
- describe kernel_module('dccp') do
- it { should_not be_loaded }
- it { should be_disabled }
+ describe.one do
+ describe file('/proc/modules') do
+ its('content') { should_not match(/^dccp\s/) }
+ end
+ describe kernel_module('dccp') do
+ it { should_not be_loaded }
+ it { should be_disabled }
+ end
 end
 end
@@ -47,9 +52,14 @@
 only_if { cis_level == 2 }
- describe kernel_module('sctp') do
- it { should_not be_loaded }
- it { should be_disabled }
+ describe.one do
+ describe file('/proc/modules') do
+ its('content') { should_not match(/^sctp\s/) }
+ end
+ describe kernel_module('sctp') do
+ it { should_not be_loaded }
+ it { should be_disabled }
+ end
 end
 end
@@ -63,9 +73,14 @@
 only_if { cis_level == 2 }
- describe kernel_module('rds') do
- it { should_not be_loaded }
- it { should be_disabled }
+ describe.one do
+ describe file('/proc/modules') do
+ its('content') { should_not match(/^rds\s/) }
+ end
+ describe kernel_module('rds') do
+ it { should_not be_loaded }
+ it { should be_disabled }
+ end
 end
 end
@@ -79,8 +94,13 @@
 only_if { cis_level == 2 }
- describe kernel_module('tipc') do
- it { should_not be_loaded }
- it { should be_disabled }
+ describe.one do
+ describe file('/proc/modules') do
+ its('content') { should_not match(/^tipc\s/) }
+ end
+ describe kernel_module('tipc') do
+ it { should_not be_loaded }
+ it { should be_disabled }
+ end
 end
-end
+end
\ No newline at end of file
From 8999ad47196f839f7069158f7dc928ff25f7b5e4 Mon Sep 17 00:00:00 2001
From: Bryan Endres
Date: Fri, 17 Mar 2023 17:22:28 -0500
Subject: [PATCH 3/4] Added new line to end of file to adhere to formatting standards
Signed-off-by: Bryan Endres
---
 controls/1_1_filesystem_configuration.rb | 2 +-
 controls/3_4_uncommon_network_protocols.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/controls/1_1_filesystem_configuration.rb b/controls/1_1_filesystem_configuration.rb
index bc56094..dbb9281 100644
--- a/controls/1_1_filesystem_configuration.rb
+++ b/controls/1_1_filesystem_configuration.rb
@@ -514,4 +514,4 @@
 it { should be_disabled }
 end
 end
-end
\ No newline at end of file
+end
diff --git a/controls/3_4_uncommon_network_protocols.rb b/controls/3_4_uncommon_network_protocols.rb
index 4aa90e2..5c80c18 100644
--- a/controls/3_4_uncommon_network_protocols.rb
+++ b/controls/3_4_uncommon_network_protocols.rb
@@ -103,4 +103,4 @@
 it { should be_disabled }
 end
 end
-end
\ No newline at end of file
+end
From a04b28933c7a9176c2f0836e0b735cc1ea1a4e28 Mon Sep 17 00:00:00 2001
From: Bryan Endres
Date: Wed, 29 Mar 2023 18:34:17 -0500
Subject: [PATCH 4/4] Revert "motd may be configured under /etc/update-motd.d/"
This reverts commit 79d234cd241f868a005c33a51560bfdb61dfaf40.
Signed-off-by: Bryan Endres
---
 controls/1_7_warning_banners.rb | 23 ++++++-----------------
 1 file changed, 6 insertions(+), 17 deletions(-)
diff --git a/controls/1_7_warning_banners.rb b/controls/1_7_warning_banners.rb
index 1079d00..c756a21 100644
--- a/controls/1_7_warning_banners.rb
+++ b/controls/1_7_warning_banners.rb
@@ -59,28 +59,17 @@
 end
 control 'cis-dil-benchmark-1.7.1.4' do
- title 'Ensure permissions on /etc/motd and /etc/update-motd.d/* are configured'
- desc "The contents of the /etc/motd and /etc/update-motd.d/* files are displayed to users after login and function as a message of the day for authenticated users.\n\nRationale: If the files do not have the correct ownership, they could be modified by unauthorized users with incorrect or misleading information."
+ title 'Ensure permissions on /etc/motd are configured'
+ desc "The contents of the /etc/motd file are displayed to users after login and function as a message of the day for authenticated users.\n\nRationale: If the /etc/motd file does not have the correct ownership it could be modified by unauthorized users with incorrect or misleading information."
 impact 0.0
 tag cis: 'distribution-independent-linux:1.7.1.4'
 tag level: 1
- motd_file = '/etc/motd'
-
- if File.exist?(motd_file)
- describe file(motd_file) do
- its('group') { should eq 'root' }
- its('owner') { should eq 'root' }
- its('mode') { should cmp '0644' }
- end
- end
- command('find /etc/update-motd.d/ -type f').stdout.split.each do |f|
- describe file(f) do
- its('group') { should eq 'root' }
- its('owner') { should eq 'root' }
- its('mode') { should cmp '0755' }
- end
+ describe file('/etc/motd') do
+ its('group') { should eq 'root' }
+ its('owner') { should eq 'root' }
+ its('mode') { should cmp '0644' }
 end
 end