dev-sec · atomic111 · Nov 23, 2017 · Nov 19, 2017
diff --git a/controls/os_spec.rb b/controls/os_spec.rb
@@ -20,55 +20,17 @@
 log_dir_group = 'root'
 log_dir_group = 'syslog' if os.name == 'ubuntu' && os[:release].to_i >= 14
 login_defs_umask = attribute('login_defs_umask', default: os.redhat? ? '077' : '027', description: 'Default umask to set in login.defs')
+
 login_defs_passmaxdays = attribute('login_defs_passmaxdays', default: '60', description: 'Default password maxdays to set in login.defs')
 login_defs_passmindays = attribute('login_defs_passmindays', default: '7', description: 'Default password mindays to set in login.defs')
 login_defs_passwarnage = attribute('login_defs_passwarnage', default: '7', description: 'Default password warnage (days) to set in login.defs')
+
 shadow_group = 'root'
 shadow_group = 'shadow' if os.debian? || os.suse?
+
 blacklist = attribute(
   'blacklist',
-  default: [
-    # blacklist as provided by NSA
-    '/usr/bin/rcp', '/usr/bin/rlogin', '/usr/bin/rsh',
-    # sshd must not use host-based authentication (see ssh cookbook)
-    '/usr/libexec/openssh/ssh-keysign',
-    '/usr/lib/openssh/ssh-keysign',
-    # misc others
-    '/sbin/netreport',                                            # not normally required for user
-    '/usr/sbin/usernetctl',                                       # modify interfaces via functional accounts
-    # connecting to ...
-    '/usr/sbin/userisdnctl',                                      # no isdn...
-    '/usr/sbin/pppd',                                             # no ppp / dsl ...
-    # lockfile
-    '/usr/bin/lockfile',
-    '/usr/bin/mail-lock',
-    '/usr/bin/mail-unlock',
-    '/usr/bin/mail-touchlock',
-    '/usr/bin/dotlockfile',
-    # need more investigation, blacklist for now
-    '/usr/bin/arping',
-    '/usr/sbin/arping',
-    '/usr/sbin/uuidd',
-    '/usr/bin/mtr',                                               # investigate current state...
-    '/usr/lib/evolution/camel-lock-helper-1.2',                   # investigate current state...
-    '/usr/lib/pt_chown',                                          # pseudo-tty, needed?
-    '/usr/lib/eject/dmcrypt-get-device',
-    '/usr/lib/mc/cons.saver' # midnight commander screensaver
-    # from Ubuntu xenial, need to investigate
-    # '/sbin/unix_chkpwd',
-    # '/sbin/pam_extrausers_chkpwd',
-    # '/usr/lib/x86_64-linux-gnu/utempter/utempter',
-    # '/usr/sbin/postdrop',
-    # '/usr/sbin/postqueue',
-    # '/usr/bin/ssh-agent',
-    # '/usr/bin/mlocate',
-    # '/usr/bin/crontab',
-    # '/usr/bin/screen',
-    # '/usr/bin/expiry',
-    # '/usr/bin/wall',
-    # '/usr/bin/chage',
-    # '/usr/bin/bsd-write'
-  ],
+  default: suid_blacklist.default,
   description: 'blacklist of suid/sgid program on system'
 )
 
@@ -193,10 +155,8 @@
   title 'Check for SUID/ SGID blacklist'
   desc 'Find blacklisted SUID and SGID files to ensure that no rogue SUID and SGID files have been introduced into the system'
 
-  output = command('find / -perm -4000 -o -perm -2000 -type f ! -path \'/proc/*\' ! -path \'/var/lib/lxd/containers/*\' -print 2>/dev/null | grep -v \'^find:\'')
-  diff = output.stdout.split(/\r?\n/) & blacklist
-  describe diff do
-    it { should be_empty }
+  describe suid_check(blacklist) do
+    its('diff') { should be_empty }
   end
 end
 

diff --git a/libraries/suid_blacklist.rb b/libraries/suid_blacklist.rb
@@ -0,0 +1,53 @@
+# encoding: utf-8
+
+# author: Christoph Hartmann
+
+class SUIDBlacklist < Inspec.resource(1)
+  name 'suid_blacklist'
+  desc 'The suid_blacklist resoruce returns the default suid blacklist'
+
+  def default
+    [
+      # blacklist as provided by NSA
+      '/usr/bin/rcp', '/usr/bin/rlogin', '/usr/bin/rsh',
+      # sshd must not use host-based authentication (see ssh cookbook)
+      '/usr/libexec/openssh/ssh-keysign',
+      '/usr/lib/openssh/ssh-keysign',
+      # misc others
+      '/sbin/netreport',                                            # not normally required for user
+      '/usr/sbin/usernetctl',                                       # modify interfaces via functional accounts
+      # connecting to ...
+      '/usr/sbin/userisdnctl',                                      # no isdn...
+      '/usr/sbin/pppd',                                             # no ppp / dsl ...
+      # lockfile
+      '/usr/bin/lockfile',
+      '/usr/bin/mail-lock',
+      '/usr/bin/mail-unlock',
+      '/usr/bin/mail-touchlock',
+      '/usr/bin/dotlockfile',
+      # need more investigation, blacklist for now
+      '/usr/bin/arping',
+      '/usr/sbin/arping',
+      '/usr/sbin/uuidd',
+      '/usr/bin/mtr',                                               # investigate current state...
+      '/usr/lib/evolution/camel-lock-helper-1.2',                   # investigate current state...
+      '/usr/lib/pt_chown',                                          # pseudo-tty, needed?
+      '/usr/lib/eject/dmcrypt-get-device',
+      '/usr/lib/mc/cons.saver' # midnight commander screensaver
+      # from Ubuntu xenial, need to investigate
+      # '/sbin/unix_chkpwd',
+      # '/sbin/pam_extrausers_chkpwd',
+      # '/usr/lib/x86_64-linux-gnu/utempter/utempter',
+      # '/usr/sbin/postdrop',
+      # '/usr/sbin/postqueue',
+      # '/usr/bin/ssh-agent',
+      # '/usr/bin/mlocate',
+      # '/usr/bin/crontab',
+      # '/usr/bin/screen',
+      # '/usr/bin/expiry',
+      # '/usr/bin/wall',
+      # '/usr/bin/chage',
+      # '/usr/bin/bsd-write'
+    ]
+  end
+end
diff --git a/libraries/suid_check.rb b/libraries/suid_check.rb
@@ -0,0 +1,27 @@
+# encoding: utf-8
+
+# author: Christoph Hartmann
+
+class SUIDCheck < Inspec.resource(1)
+  name 'suid_check'
+  desc 'Use the suid_check resource to verify the current SUID/SGID against a blacklist'
+  example "
+     describe suid_check(blacklist) do
+       its('diff') { should be_empty }
+     end
+   "
+
+  def initialize(blacklist = nil)
+    blacklist = default if blacklist.nil?
+    @blacklist = blacklist
+  end
+
+  def permissions
+    output = inspec.command('find / -perm -4000 -o -perm -2000 -type f ! -path \'/proc/*\' ! -path \'/var/lib/lxd/containers/*\' -print 2>/dev/null | grep -v \'^find:\'')
+    output.stdout.split(/\r?\n/)
+  end
+
+  def diff
+    permissions & @blacklist
+  end
+end