Update profile to match CIS v1.1.0 #54

Open
wants to merge 9 commits into
base: master
2 changes: 1 addition & 1 deletion README.md
@@ -1,7 +1,7 @@
# CIS Distribution Independent Linux Benchmark - InSpec Profile

## Description
This profile implements the [CIS Distribution Independent Linux 1.0.1 Benchmark](https://www.cisecurity.org/benchmark/distribution_independent_linux/).
This profile implements the [CIS Distribution Independent Linux 1.1.0 Benchmark](https://www.cisecurity.org/benchmark/distribution_independent_linux/).

## Attributes

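Review bot: the README hunk only bumps the benchmark version string from 1.0.1 to 1.1.0, while the thread further down agrees that the CIS 1.1.0 duplicate entries 1.1.10-1.1.14 should be documented in the README rather than carried as skipped controls; consider adding a short "Known benchmark issues" paragraph here (e.g. "CIS DIL 1.1.0 lists 1.1.10-1.1.14 as duplicates of 1.1.9; these numbers are intentionally not implemented") so the decision is recorded where users look for it.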
145 changes: 100 additions & 45 deletions controls/1_1_filesystem_configuration.rb
@@ -27,9 +27,9 @@
tag cis: 'distribution-independent-linux:1.1.1.1'
tag level: 1

describe linux_module('cramfs') do
describe kernel_module('cramfs') do
it { should_not be_loaded }
its(:command) { should match(%r{^install /bin/true$}) }
it { should be_disabled }
end
end

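Review bot: replacing the exact `its(:command) { should match(%r{^install /bin/true$}) }` matcher with `kernel_module('cramfs')` and `it { should be_disabled }` changes the matcher semantics slightly and this deserves a one-line comment in this first of the eight identical hunks. InSpec's `be_disabled` is satisfied by either `install cramfs /bin/true` or `install cramfs /bin/false` in the modprobe configuration, which still meets the benchmark's intent (the module cannot be loaded), but a module that is only blacklisted is not reported as disabled, so a blacklist-only hardening keeps failing, consistent with the CIS remediation. Stating that explicitly avoids a future "why did the regex go away" question.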
@@ -41,9 +41,9 @@
tag cis: 'distribution-independent-linux:1.1.1.2'
tag level: 1

describe linux_module('freevxfs') do
describe kernel_module('freevxfs') do
it { should_not be_loaded }
its(:command) { should match(%r{^install /bin/true$}) }
it { should be_disabled }
end
end

@@ -55,9 +55,9 @@
tag cis: 'distribution-independent-linux:1.1.1.3'
tag level: 1

describe linux_module('jffs2') do
describe kernel_module('jffs2') do
it { should_not be_loaded }
its(:command) { should match(%r{^install /bin/true$}) }
it { should be_disabled }
end
end

@@ -69,9 +69,9 @@
tag cis: 'distribution-independent-linux:1.1.1.4'
tag level: 1

describe linux_module('hfs') do
describe kernel_module('hfs') do
it { should_not be_loaded }
its(:command) { should match(%r{^install /bin/true$}) }
it { should be_disabled }
end
end

@@ -83,9 +83,9 @@
tag cis: 'distribution-independent-linux:1.1.1.5'
tag level: 1

describe linux_module('hfsplus') do
describe kernel_module('hfsplus') do
it { should_not be_loaded }
its(:command) { should match(%r{^install /bin/true$}) }
it { should be_disabled }
end
end

@@ -97,9 +97,9 @@
tag cis: 'distribution-independent-linux:1.1.1.6'
tag level: 1

describe linux_module('squashfs') do
describe kernel_module('squashfs') do
it { should_not be_loaded }
its(:command) { should match(%r{^install /bin/true$}) }
it { should be_disabled }
end
end

@@ -111,9 +111,9 @@
tag cis: 'distribution-independent-linux:1.1.1.7'
tag level: 1

describe linux_module('udf') do
describe kernel_module('udf') do
it { should_not be_loaded }
its(:command) { should match(%r{^install /bin/true$}) }
it { should be_disabled }
end
end

@@ -125,9 +125,9 @@
tag cis: 'distribution-independent-linux:1.1.1.8'
tag level: 1

describe linux_module('vfat') do
describe kernel_module('vfat') do
it { should_not be_loaded }
its(:command) { should match(%r{^install /bin/true$}) }
it { should be_disabled }
end
end

@@ -237,6 +237,8 @@
end
end

# There is a mistake in the official CIS DIL documentaion 1.1.10-1.1.14 are
Member


Should we remove them? I think there is no value in adding CIS mistakes to this profile. We could point this out in the README.

Collaborator


Agreed, these can be left out. It's acknowledged as a bug by the CIS maintainers, but it has been unresolved for about 8 months now.

# duplicates of 1.1.9. So I used "skipped" to keep the order of the numbering.
control 'cis-dil-benchmark-1.1.10' do
title 'Ensure noexec option set on /var/tmp partition'
desc "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
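Review bot: the two-line comment added before `control 'cis-dil-benchmark-1.1.10'` has a typo ("documentaion") and, more importantly, describes a workaround that the thread above agrees to drop. If 1.1.10-1.1.14 are removed as discussed, this comment should go with them; if the skipped controls stay for now, reword it to state the decision rather than the mechanics, e.g. `# CIS DIL 1.1.0 lists 1.1.10-1.1.14 as duplicates of 1.1.9; kept as skips only to preserve numbering`.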
@@ -245,44 +247,97 @@
tag cis: 'distribution-independent-linux:1.1.10'
tag level: 1

describe mount('/var/tmp') do
its(:options) { should include 'noexec' }
describe 'cis-dil-benchmark-1.1.10' do
skip 'Duplicate of cis-dil-benchmark-1.1.9'
end
end

control 'cis-dil-benchmark-1.1.11' do
title 'Ensure noexec option set on /var/tmp partition'
desc "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
impact 1.0

tag cis: 'distribution-independent-linux:1.1.11'
tag level: 1


describe 'cis-dil-benchmark-1.1.11' do
skip 'Duplicate of cis-dil-benchmark-1.1.9'
end
end

control 'cis-dil-benchmark-1.1.12' do
title 'Ensure noexec option set on /var/tmp partition'
desc "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
impact 1.0

tag cis: 'distribution-independent-linux:1.1.12'
tag level: 1

describe 'cis-dil-benchmark-1.1.12' do
skip 'Duplicate of cis-dil-benchmark-1.1.9'
end
end

control 'cis-dil-benchmark-1.1.13' do
title 'Ensure noexec option set on /var/tmp partition'
desc "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
impact 1.0

tag cis: 'distribution-independent-linux:1.1.13'
tag level: 1

describe 'cis-dil-benchmark-1.1.13' do
skip 'Duplicate of cis-dil-benchmark-1.1.9'
end
end

control 'cis-dil-benchmark-1.1.14' do
title 'Ensure noexec option set on /var/tmp partition'
desc "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
impact 1.0

tag cis: 'distribution-independent-linux:1.1.14'
tag level: 1

describe 'cis-dil-benchmark-1.1.14' do
skip 'Duplicate of cis-dil-benchmark-1.1.9'
end
end

if cis_level == '2'
control 'cis-dil-benchmark-1.1.11' do
control 'cis-dil-benchmark-1.1.15' do
title 'Ensure separate partition exists for /var/log'
desc "The /var/log directory is used by system services to store log data .\n\nRationale: There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
impact 1.0

tag cis: 'distribution-independent-linux:1.1.11'
tag cis: 'distribution-independent-linux:1.1.15'
tag level: 2

describe mount('/var/log') do
it { should be_mounted }
end
end

control 'cis-dil-benchmark-1.1.12' do
control 'cis-dil-benchmark-1.1.16' do
title 'Ensure separate partition exists for /var/log/audit'
desc "The auditing daemon, auditd, stores log data in the /var/log/audit directory.\n\nRationale: There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired."
impact 1.0

tag cis: 'distribution-independent-linux:1.1.12'
tag cis: 'distribution-independent-linux:1.1.16'
tag level: 2

describe mount('/var/log/audit') do
it { should be_mounted }
end
end

control 'cis-dil-benchmark-1.1.13' do
control 'cis-dil-benchmark-1.1.17' do
title 'Ensure separate partition exists for /home'
desc "The /home directory is used to support disk storage needs of local users.\n\nRationale: If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
impact 1.0

tag cis: 'distribution-independent-linux:1.1.13'
tag cis: 'distribution-independent-linux:1.1.17'
tag level: 2

describe mount('/home') do
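Review bot: replacing the working `mount('/var/tmp')` assertion in 1.1.10 with `skip 'Duplicate of cis-dil-benchmark-1.1.9'` removes the only `noexec` check on /var/tmp visible in this hunk, so please confirm that the renumbered 1.1.9 (outside this hunk) actually asserts `its(:options) { should include 'noexec' }` for /var/tmp; otherwise the check is silently lost in the version bump. The thread above also agrees that the five duplicate controls should be left out rather than carried as skips, so 1.1.10-1.1.14 as written conflict with that decision. If they are kept anyway, two smaller points: use `impact 0.0` as the file already does for its `skip 'Not implemented'` controls, so skipped duplicates do not carry the same weight as real level-1 findings, and drop the doubled blank line inside 1.1.11.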
@@ -291,116 +346,116 @@
end
end

control 'cis-dil-benchmark-1.1.14' do
control 'cis-dil-benchmark-1.1.18' do
title 'Ensure nodev option set on /home partition'
desc "The nodev mount option specifies that the filesystem cannot contain special devices.\n\nRationale: Since the user partitions are not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices."
impact 1.0

tag cis: 'distribution-independent-linux:1.1.14'
tag cis: 'distribution-independent-linux:1.1.18'
tag level: 1

describe mount('/home') do
its(:options) { should include 'nodev' }
end
end

control 'cis-dil-benchmark-1.1.15' do
control 'cis-dil-benchmark-1.1.19' do
title 'Ensure nodev option set on /dev/shm partition'
desc "The nodev mount option specifies that the filesystem cannot contain special devices.\n\nRationale: Since the /run/shm filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create special devices in /dev/shm partitions."
impact 1.0

tag cis: 'distribution-independent-linux:1.1.15'
tag cis: 'distribution-independent-linux:1.1.19'
tag level: 1

describe mount('/dev/shm') do
its(:options) { should include 'nodev' }
end
end

control 'cis-dil-benchmark-1.1.16' do
control 'cis-dil-benchmark-1.1.20' do
title 'Ensure nosuid option set on /dev/shm partitionrun'
desc "The nosuid mount option specifies that the filesystem cannot contain setuid files.\n\nRationale: Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
impact 1.0

tag cis: 'distribution-independent-linux:1.1.16'
tag cis: 'distribution-independent-linux:1.1.20'
tag level: 1

describe mount('/dev/shm') do
its(:options) { should include 'nosuid' }
end
end

control 'cis-dil-benchmark-1.1.17' do
control 'cis-dil-benchmark-1.1.21' do
title 'Ensure noexec option set on /dev/shm partition'
desc "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system."
impact 1.0

tag cis: 'distribution-independent-linux:1.1.17'
tag cis: 'distribution-independent-linux:1.1.21'
tag level: 1

describe mount('/dev/shm') do
its(:options) { should include 'noexec' }
end
end

control 'cis-dil-benchmark-1.1.18' do
control 'cis-dil-benchmark-1.1.22' do
title 'Ensure nodev option set on removable media partitions'
desc "The nodev mount option specifies that the filesystem cannot contain special devices.\n\nRationale: Removable media containing character and block special devices could be used to circumvent security controls by allowing non-root users to access sensitive device files such as /dev/kmem or the raw disk partitions."
impact 0.0

tag cis: 'distribution-independent-linux:1.1.18'
tag cis: 'distribution-independent-linux:1.1.22'
tag level: 1

describe 'cis-dil-benchmark-1.1.18' do
describe 'cis-dil-benchmark-1.1.22' do
skip 'Not implemented'
end
end

control 'cis-dil-benchmark-1.1.19' do
control 'cis-dil-benchmark-1.1.23' do
title 'Ensure nosuid option set on removable media partitions'
desc "The nosuid mount option specifies that the filesystem cannot contain setuid files.\n\nRationale: Setting this option on a file system prevents users from introducing privileged programs onto the system and allowing non-root users to execute them."
impact 0.0

tag cis: 'distribution-independent-linux:1.1.19'
tag cis: 'distribution-independent-linux:1.1.23'
tag level: 1

describe 'cis-dil-benchmark-1.1.19' do
describe 'cis-dil-benchmark-1.1.23' do
skip 'Not implemented'
end
end

control 'cis-dil-benchmark-1.1.20' do
control 'cis-dil-benchmark-1.1.24' do
title 'Ensure noexec option set on removable media partitions'
desc "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Setting this option on a file system prevents users from executing programs from the removable media. This deters users from being able to introduce potentially malicious software on the system."
impact 0.0

tag cis: 'distribution-independent-linux:1.1.20'
tag cis: 'distribution-independent-linux:1.1.24'
tag level: 1

describe 'cis-dil-benchmark-1.1.20' do
describe 'cis-dil-benchmark-1.1.24' do
skip 'Not implemented'
end
end

control 'cis-dil-benchmark-1.1.21' do
control 'cis-dil-benchmark-1.1.25' do
title 'Ensure sticky bit is set on all world-writable directories'
desc "Setting the sticky bit on world writable directories prevents users from deleting or renaming files in that directory that are not owned by them.\n\nRationale: This feature prevents the ability to delete or rename files in world writable directories (such as /tmp) that are owned by another user."
impact 1.0

tag cis: 'distribution-independent-linux:1.1.21'
tag cis: 'distribution-independent-linux:1.1.25'
tag level: 1

describe command("df --local -P | awk '{ if (NR!=1) print $6 }' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \)") do
its(:stdout) { should eq '' }
end
end

control 'cis-dil-benchmark-1.1.22' do
control 'cis-dil-benchmark-1.1.26' do
title 'Disable Automounting'
desc "autofs allows automatic mounting of devices, typically including CD/DVDs and USB drives.\n\nRationale: With automounting enabled anyone with physical access could attach a USB drive or disc and have its contents available in system even if they lacked permissions to mount it themselves."
impact 1.0

tag cis: 'distribution-independent-linux:1.1.22'
tag cis: 'distribution-independent-linux:1.1.26'
tag level: 1

describe.one do
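Review bot: in 1.1.25 the `command(...)` argument is a double-quoted Ruby string, so `\(` and `\)` are plain `(` and `)` by the time the shell sees them; the shell rejects bare parentheses in the middle of the `xargs -I '{}' find '{}' ...` command with a syntax error, the pipeline produces no stdout, and `its(:stdout) { should eq '' }` passes regardless of whether world-writable directories without the sticky bit exist. Escape them as `\\(` and `\\)` (or move the command into a single-quoted string) and add `its(:exit_status) { should eq 0 }` so a failing command can no longer look like a compliant system. Since this hunk already touches every control in the block, the unchanged 1.1.20 title 'Ensure nosuid option set on /dev/shm partitionrun' would also be cheap to fix here.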