Merge pull request #143 from dev-sec/martians

add missing sysctl parameter

.kitchen.vagrant.yml

@@ -24,47 +24,36 @@ transport:
   max_ssh_sessions: 5
 
 platforms:
-- name: ubuntu-14.04
+- name: ubuntu14.04
   driver_config:
     box: opscode-ubuntu-14.04
     box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-14.04_chef-provisionerless.box
-- name: ubuntu-16.04
+- name: ubuntu16.04
   driver_config:
     box: opscode-ubuntu-16.04
     box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_ubuntu-16.04_chef-provisionerless.box
-- name: centos-6.4
+- name: centos6
   driver_config:
-    box: opscode-centos-6.4
-    box_url: https://opscode-vm.s3.amazonaws.com/vagrant/opscode_centos-6.4_provisionerless.box
-- name: centos-6.5
+    box: bento/centos-6.9
+- name: centos7
   driver_config:
-    box: opscode-centos-6.5
-    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_centos-6.5_chef-provisionerless.box
-- name: centos-6.8
-  driver_config:
-    box: bento/centos-6.8
-- name: centos-7
-  driver_config:
-    box: bento/centos-7.2
-- name: oracle-6.4
-  driver_config:
-    box: oracle-6.4
-    box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel64-64.box
-- name: oracle-6.5
+    box: bento/centos-7.3
+- name: oracle6
   driver_config:
     box: oracle-6.5
     box_url: https://storage.us2.oraclecloud.com/v1/istoilis-istoilis/vagrant/oel65-64.box
-- name: oracle-7
+- name: oracle7
   driver_config:
     box: boxcutter/ol72
-- name: debian-7
+- name: debian7
+  driver_config:
+    box: bento/debian-7.11
+- name: debian8
   driver_config:
-    box: debian-7
-    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-7.8_chef-provisionerless.box
-- name: debian-8
+    box: bento/debian-8.8
+- name: debian9
   driver_config:
-    box: debian-8
-    box_url: https://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box
+    box: bento/debian-9.0
 
 verifier:
   name: inspec

README.md

@@ -52,7 +52,6 @@ Otherwise inspec will fail. For more information, see [issue #124](https://githu
 | `os_auth_pam_passwdqc_options`| "min=disabled,disabled,16,12,8" | set to any option line (as a string) that you want to pass to passwdqc|
 | `os_security_users_allow`| [] | list of things, that a user is allowed to do. May contain `change_user`.
 | `os_security_kernel_enable_module_loading`| true | true if you want to allowed to change kernel modules once the system is running (eg `modprobe`, `rmmod`)|
-| `os_security_kernel_enable_sysrq`| false | sysrq is a 'magical' key combo you can hit which the kernel will respond to regardless of whatever else it is doing, unless it is completely locked up. |
 | `os_security_kernel_enable_core_dump`| false | kernel is crashing or otherwise misbehaving and a kernel core dump is created |
 | `os_security_suid_sgid_enforce`| true | true if you want to reduce SUID/SGID bits. There is already a list of items which are searched for configured, but you can also add your own|
 | `os_security_suid_sgid_blacklist`| [] | a list of paths which should have their SUID/SGID bits removed|

defaults/main.yml

@@ -120,6 +120,7 @@ sysctl_config:
 
   # log martian packets | sysctl-17
   net.ipv4.conf.all.log_martians: 1
+  net.ipv4.conf.default.log_martians: 1
 
   # ipv6 config
   # Disable acceptance of IPv6 router solicitations messages | sysctl-21