From 3d77a3a8d788d8fe885184e2b56f7f5344104e03 Mon Sep 17 00:00:00 2001
From: Christoph Hartmann
Date: Sun, 19 Nov 2017 11:48:07 +0100
Subject: [PATCH] Fixes #86 by deferring the execution of permissions to profile execution instead of profile initialisation
Signed-off-by: Christoph Hartmann
---
 controls/os_spec.rb | 52 +++++-------------------------------
 libraries/suid_blacklist.rb | 53 +++++++++++++++++++++++++++++++++++++
 libraries/suid_check.rb | 27 +++++++++++++++++++
 3 files changed, 86 insertions(+), 46 deletions(-)
 create mode 100644 libraries/suid_blacklist.rb
 create mode 100644 libraries/suid_check.rb
diff --git a/controls/os_spec.rb b/controls/os_spec.rb
index 226e3ea..82b8274 100644
--- a/controls/os_spec.rb
+++ b/controls/os_spec.rb
@@ -20,55 +20,17 @@
 log_dir_group = 'root'
 log_dir_group = 'syslog' if os.name == 'ubuntu' && os[:release].to_i >= 14
 login_defs_umask = attribute('login_defs_umask', default: os.redhat? ? '077' : '027', description: 'Default umask to set in login.defs')
+
 login_defs_passmaxdays = attribute('login_defs_passmaxdays', default: '60', description: 'Default password maxdays to set in login.defs')
 login_defs_passmindays = attribute('login_defs_passmindays', default: '7', description: 'Default password mindays to set in login.defs')
 login_defs_passwarnage = attribute('login_defs_passwarnage', default: '7', description: 'Default password warnage (days) to set in login.defs')
+
 shadow_group = 'root'
 shadow_group = 'shadow' if os.debian? || os.suse?
+
 blacklist = attribute(
 'blacklist',
- default: [
- # blacklist as provided by NSA
- '/usr/bin/rcp', '/usr/bin/rlogin', '/usr/bin/rsh',
- # sshd must not use host-based authentication (see ssh cookbook)
- '/usr/libexec/openssh/ssh-keysign',
- '/usr/lib/openssh/ssh-keysign',
- # misc others
- '/sbin/netreport', # not normally required for user
- '/usr/sbin/usernetctl', # modify interfaces via functional accounts
- # connecting to ...
- '/usr/sbin/userisdnctl', # no isdn...
- '/usr/sbin/pppd', # no ppp / dsl ...
- # lockfile
- '/usr/bin/lockfile',
- '/usr/bin/mail-lock',
- '/usr/bin/mail-unlock',
- '/usr/bin/mail-touchlock',
- '/usr/bin/dotlockfile',
- # need more investigation, blacklist for now
- '/usr/bin/arping',
- '/usr/sbin/arping',
- '/usr/sbin/uuidd',
- '/usr/bin/mtr', # investigate current state...
- '/usr/lib/evolution/camel-lock-helper-1.2', # investigate current state...
- '/usr/lib/pt_chown', # pseudo-tty, needed?
- '/usr/lib/eject/dmcrypt-get-device',
- '/usr/lib/mc/cons.saver' # midnight commander screensaver
- # from Ubuntu xenial, need to investigate
- # '/sbin/unix_chkpwd',
- # '/sbin/pam_extrausers_chkpwd',
- # '/usr/lib/x86_64-linux-gnu/utempter/utempter',
- # '/usr/sbin/postdrop',
- # '/usr/sbin/postqueue',
- # '/usr/bin/ssh-agent',
- # '/usr/bin/mlocate',
- # '/usr/bin/crontab',
- # '/usr/bin/screen',
- # '/usr/bin/expiry',
- # '/usr/bin/wall',
- # '/usr/bin/chage',
- # '/usr/bin/bsd-write'
- ],
+ default: suid_blacklist.default,
 description: 'blacklist of suid/sgid program on system'
 )
@@ -193,10 +155,8 @@
 title 'Check for SUID/ SGID blacklist'
 desc 'Find blacklisted SUID and SGID files to ensure that no rogue SUID and SGID files have been introduced into the system'
- output = command('find / -perm -4000 -o -perm -2000 -type f ! -path \'/proc/*\' ! -path \'/var/lib/lxd/containers/*\' -print 2>/dev/null | grep -v \'^find:\'')
- diff = output.stdout.split(/\r?\n/) & blacklist
- describe diff do
- it { should be_empty }
+ describe suid_check(blacklist) do
+ its('diff') { should be_empty }
 end
 end
diff --git a/libraries/suid_blacklist.rb b/libraries/suid_blacklist.rb
new file mode 100644
index 0000000..b013baa
--- /dev/null
+++ b/libraries/suid_blacklist.rb
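Review bot: The new `default: suid_blacklist.default` line is still evaluated when the control file is loaded, because the `default:` value is an ordinary Ruby expression passed to `attribute`, so only the `find` inside `suid_check` is actually deferred to execution time; the commit title can be read as deferring both. That is harmless, since `SUIDBlacklist#default` only returns a literal array, but a one-line comment on that line would keep the next reader from moving the list back into the control or expecting target access here, e.g. `# default list lives in libraries/suid_blacklist.rb; evaluated at load, touches nothing on the target`. The `blacklist = attribute(` call is complete within the hunk.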
@@ -0,0 +1,53 @@
+# encoding: utf-8
+
+# author: Christoph Hartmann
+
+class SUIDBlacklist < Inspec.resource(1)
+ name 'suid_blacklist'
+ desc 'The suid_blacklist resoruce returns the default suid blacklist'
+
+ def default
+ [
+ # blacklist as provided by NSA
+ '/usr/bin/rcp', '/usr/bin/rlogin', '/usr/bin/rsh',
+ # sshd must not use host-based authentication (see ssh cookbook)
+ '/usr/libexec/openssh/ssh-keysign',
+ '/usr/lib/openssh/ssh-keysign',
+ # misc others
+ '/sbin/netreport', # not normally required for user
+ '/usr/sbin/usernetctl', # modify interfaces via functional accounts
+ # connecting to ...
+ '/usr/sbin/userisdnctl', # no isdn...
+ '/usr/sbin/pppd', # no ppp / dsl ...
+ # lockfile
+ '/usr/bin/lockfile',
+ '/usr/bin/mail-lock',
+ '/usr/bin/mail-unlock',
+ '/usr/bin/mail-touchlock',
+ '/usr/bin/dotlockfile',
+ # need more investigation, blacklist for now
+ '/usr/bin/arping',
+ '/usr/sbin/arping',
+ '/usr/sbin/uuidd',
+ '/usr/bin/mtr', # investigate current state...
+ '/usr/lib/evolution/camel-lock-helper-1.2', # investigate current state...
+ '/usr/lib/pt_chown', # pseudo-tty, needed?
+ '/usr/lib/eject/dmcrypt-get-device',
+ '/usr/lib/mc/cons.saver' # midnight commander screensaver
+ # from Ubuntu xenial, need to investigate
+ # '/sbin/unix_chkpwd',
+ # '/sbin/pam_extrausers_chkpwd',
+ # '/usr/lib/x86_64-linux-gnu/utempter/utempter',
+ # '/usr/sbin/postdrop',
+ # '/usr/sbin/postqueue',
+ # '/usr/bin/ssh-agent',
+ # '/usr/bin/mlocate',
+ # '/usr/bin/crontab',
+ # '/usr/bin/screen',
+ # '/usr/bin/expiry',
+ # '/usr/bin/wall',
+ # '/usr/bin/chage',
+ # '/usr/bin/bsd-write'
+ ]
+ end
+end
diff --git a/libraries/suid_check.rb b/libraries/suid_check.rb
new file mode 100644
index 0000000..19dad22
--- /dev/null
+++ b/libraries/suid_check.rb
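Review bot: The `desc` line misspells the resource's own name (`resoruce`), and that string is the resource's documentation, so it should read `desc 'The suid_blacklist resource returns the default suid blacklist'`. Since `default` takes no input and only returns a literal, the list could be a frozen class constant (`DEFAULT = [...].freeze`) that `default` returns; the array is then built once and cannot be mutated by accident through the `blacklist` attribute that now holds it, and the inline `# investigate` comments move with it unchanged.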
@@ -0,0 +1,27 @@
+# encoding: utf-8
+
+# author: Christoph Hartmann
+
+class SUIDCheck < Inspec.resource(1)
+ name 'suid_check'
+ desc 'Use the suid_check resource to verify the current SUID/SGID against a blacklist'
+ example "
+ describe suid_check(blacklist) do
+ its('diff') { should be_empty }
+ end
+ "
+
+ def initialize(blacklist = nil)
+ blacklist = default if blacklist.nil?
+ @blacklist = blacklist
+ end
+
+ def permissions
+ output = inspec.command('find / -perm -4000 -o -perm -2000 -type f ! -path \'/proc/*\' ! -path \'/var/lib/lxd/containers/*\' -print 2>/dev/null | grep -v \'^find:\'')
+ output.stdout.split(/\r?\n/)
+ end
+
+ def diff
+ permissions & @blacklist
+ end
+end
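Review bot: The `find` expression in `permissions` never prints setuid-only files: `-o` binds looser than the implied `-a`, so the command reads `-perm -4000 -o (-perm -2000 -type f ... -print)`, and a 4755 binary satisfies the left branch without ever reaching `-print`, which means `diff` stays empty for exactly the blacklisted setuid binaries the control exists to catch. Group the permission tests so `-type f`, the path exclusions and `-print` apply to both: `output = inspec.command('find / \( -perm -4000 -o -perm -2000 \) -type f ! -path \'/proc/*\' ! -path \'/var/lib/lxd/containers/*\' -print 2>/dev/null | grep -v \'^find:\'')`. Separately, `initialize` calls `default` when no blacklist is given, but `SUIDCheck` does not define such a method (it lives on `SUIDBlacklist`), so `suid_check` without an argument raises NameError; presumably `inspec.suid_blacklist.default` is intended, reached the same way this hunk reaches `inspec.command`. `permissions` also re-runs the filesystem walk on every call, so memoizing it (`@permissions ||= ...`) keeps `diff` plus any direct `its('permissions')` matcher from scanning the target twice.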