Difference between revisions of "Inspec exec linux-baseline"

From wikieduonline
Jump to navigation Jump to search
 
Line 1: Line 1:
  
  inspec exec linux-baseline
+
  [[inspec exec]] linux-baseline
 
  +---------------------------------------------+
 
  +---------------------------------------------+
 
             Chef License Acceptance
 
             Chef License Acceptance

Latest revision as of 05:54, 27 July 2021

inspec exec linux-baseline
+---------------------------------------------+
            Chef License Acceptance

Before you can continue, 1 product license
must be accepted. View the license at
https://www.chef.io/end-user-license-agreement/

License that need accepting:
  * Chef InSpec

Do you accept the 1 product license (yes/no)?
> yes

Persisting 1 product license...
✔ 1 product license persisted.

+---------------------------------------------+

Profile: DevSec Linux Security Baseline (linux-baseline)
Version: 2.8.0
Target:  local://

  ✔  os-01: Trusted hosts login
     ✔  File /etc/hosts.equiv is expected not to exist
  ✔  os-02: Check owner and permissions for /etc/shadow
     ✔  File /etc/shadow is expected to exist
     ✔  File /etc/shadow is expected to be file
     ✔  File /etc/shadow is expected to be owned by "root"
     ✔  File /etc/shadow is expected not to be executable
     ✔  File /etc/shadow is expected not to be readable by other
     ✔  File /etc/shadow group is expected to eq "shadow"
     ✔  File /etc/shadow is expected to be writable by owner
     ✔  File /etc/shadow is expected to be readable by owner
     ✔  File /etc/shadow is expected to be readable by group
  ✔  os-03: Check owner and permissions for /etc/passwd
     ✔  File /etc/passwd is expected to exist
     ✔  File /etc/passwd is expected to be file
     ✔  File /etc/passwd is expected to be owned by "root"
     ✔  File /etc/passwd is expected not to be executable
     ✔  File /etc/passwd is expected to be writable by owner
     ✔  File /etc/passwd is expected not to be writable by group
     ✔  File /etc/passwd is expected not to be writable by other
     ✔  File /etc/passwd is expected to be readable by owner
     ✔  File /etc/passwd is expected to be readable by group
     ✔  File /etc/passwd is expected to be readable by other
     ✔  File /etc/passwd group is expected to eq "root"
  ✔  os-03b: Check passwords hashes in /etc/passwd
     ✔  /etc/passwd passwords is expected to be in "x" and "*"
  ✔  os-04: Dot in PATH variable
     ✔  Environment variable PATH split is expected not to include ""
     ✔  Environment variable PATH split is expected not to include "."
  ×  os-05: Check login.defs (3 failed)
     ✔  File /etc/login.defs is expected to exist
     ✔  File /etc/login.defs is expected to be file
     ✔  File /etc/login.defs is expected to be owned by "root"
     ✔  File /etc/login.defs is expected not to be executable
     ✔  File /etc/login.defs is expected to be readable by owner
     ✔  File /etc/login.defs is expected to be readable by group
     ✔  File /etc/login.defs is expected to be readable by other
     ✔  File /etc/login.defs group is expected to eq "root"
     ✔  login.defs ENV_SUPATH is expected to include "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
     ✔  login.defs ENV_PATH is expected to include "/usr/local/bin:/usr/bin:/bin"
     ×  login.defs UMASK is expected to include "027"
     expected "022" to include "027"
     ×  login.defs PASS_MAX_DAYS is expected to eq "60"

     expected: "60"
          got: "99999"

     (compared using ==)

     ×  login.defs PASS_MIN_DAYS is expected to eq "7"

     expected: "7"
          got: "0"

     (compared using ==)

     ✔  login.defs PASS_WARN_AGE is expected to eq "7"
     ✔  login.defs LOGIN_RETRIES is expected to eq "5"
     ✔  login.defs LOGIN_TIMEOUT is expected to eq "60"
     ✔  login.defs UID_MIN is expected to eq "1000"
     ✔  login.defs GID_MIN is expected to eq "1000"
  ↺  os-05b: Check login.defs - RedHat specific
     ↺  Skipped control due to only_if condition.
  ✔  os-06: Check for SUID/ SGID blacklist
     ✔  suid_check diff is expected to be empty
  ✔  os-07: Unique uid and gid
     ✔  /etc/passwd uids is expected not to contain duplicates
     ✔  /etc/group gids is expected not to contain duplicates
  ✔  os-08: Entropy
     ✔  1369 is expected to >= 1000
  ✔  os-09: Check for .rhosts and .netrc file
     ✔  [] is expected to be empty
  ×  os-10: CIS: Disable unused filesystems (8 failed)
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install cramfs /bin/true"
     expected nil to match "install cramfs /bin/true"
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install freevxfs /bin/true"
     expected nil to match "install freevxfs /bin/true"
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install jffs2 /bin/true"
     expected nil to match "install jffs2 /bin/true"
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install hfs /bin/true"
     expected nil to match "install hfs /bin/true"
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install hfsplus /bin/true"
     expected nil to match "install hfsplus /bin/true"
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install squashfs /bin/true"
     expected nil to match "install squashfs /bin/true"
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install udf /bin/true"
     expected nil to match "install udf /bin/true"
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install vfat /bin/true"
     expected nil to match "install vfat /bin/true"
  ✔  os-11: Protect log-directory
     ✔  File /var/log is expected to be directory
     ✔  File /var/log is expected to be owned by "root"
     ✔  File /var/log group is expected to match /^root|syslog$/
  ×  os-12: Detect vulnerabilities in the cpu-vulnerability-directory (3 failed)
     ✔  File /sys/devices/system/cpu/vulnerabilities/ is expected to be directory
     ✔  File /sys/devices/system/cpu/vulnerabilities/spectre_v2 content is expected not to match "vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/spectre_v2 content is expected not to match "Vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/itlb_multihit content is expected not to match "vulnerable"
     ×  File /sys/devices/system/cpu/vulnerabilities/itlb_multihit content is expected not to match "Vulnerable"
     expected "KVM: Vulnerable\n" not to match "Vulnerable"
     Diff:
     @@ -1,2 +1,2 @@
     -Vulnerable
     +KVM: Vulnerable

     ✔  File /sys/devices/system/cpu/vulnerabilities/mds content is expected not to match "vulnerable"
     ×  File /sys/devices/system/cpu/vulnerabilities/mds content is expected not to match "Vulnerable"
     expected "Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown\n" not to match "Vulnerable"
     Diff:
     @@ -1,2 +1,2 @@
     -Vulnerable
     +Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown

     ✔  File /sys/devices/system/cpu/vulnerabilities/l1tf content is expected not to match "vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/l1tf content is expected not to match "Vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/spec_store_bypass content is expected not to match "vulnerable"
     ×  File /sys/devices/system/cpu/vulnerabilities/spec_store_bypass content is expected not to match "Vulnerable"
     expected "Vulnerable\n" not to match "Vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/tsx_async_abort content is expected not to match "vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/tsx_async_abort content is expected not to match "Vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/spectre_v1 content is expected not to match "vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/spectre_v1 content is expected not to match "Vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/srbds content is expected not to match "vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/srbds content is expected not to match "Vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/meltdown content is expected not to match "vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/meltdown content is expected not to match "Vulnerable"
  ×  os-13: Protect cron directories and files (12 failed)
     ✔  File /etc/crontab is expected to be owned by "root"
     ✔  File /etc/crontab is expected not to be writable by group
     ✔  File /etc/crontab is expected not to be writable by other
     ×  File /etc/crontab is expected not to be readable by group
     expected File /etc/crontab not to be readable by group
     ×  File /etc/crontab is expected not to be readable by other
     expected File /etc/crontab not to be readable by other
     ✔  File /etc/cron.hourly is expected to be owned by "root"
     ✔  File /etc/cron.hourly is expected not to be writable by group
     ✔  File /etc/cron.hourly is expected not to be writable by other
     ×  File /etc/cron.hourly is expected not to be readable by group
     expected File /etc/cron.hourly not to be readable by group
     ×  File /etc/cron.hourly is expected not to be readable by other
     expected File /etc/cron.hourly not to be readable by other
     ✔  File /etc/cron.daily is expected to be owned by "root"
     ✔  File /etc/cron.daily is expected not to be writable by group
     ✔  File /etc/cron.daily is expected not to be writable by other
     ×  File /etc/cron.daily is expected not to be readable by group
     expected File /etc/cron.daily not to be readable by group
     ×  File /etc/cron.daily is expected not to be readable by other
     expected File /etc/cron.daily not to be readable by other
     ✔  File /etc/cron.weekly is expected to be owned by "root"
     ✔  File /etc/cron.weekly is expected not to be writable by group
     ✔  File /etc/cron.weekly is expected not to be writable by other
     ×  File /etc/cron.weekly is expected not to be readable by group
     expected File /etc/cron.weekly not to be readable by group
     ×  File /etc/cron.weekly is expected not to be readable by other
     expected File /etc/cron.weekly not to be readable by other
     ✔  File /etc/cron.monthly is expected to be owned by "root"
     ✔  File /etc/cron.monthly is expected not to be writable by group
     ✔  File /etc/cron.monthly is expected not to be writable by other
     ×  File /etc/cron.monthly is expected not to be readable by group
     expected File /etc/cron.monthly not to be readable by group
     ×  File /etc/cron.monthly is expected not to be readable by other
     expected File /etc/cron.monthly not to be readable by other
     ✔  File /etc/cron.d is expected to be owned by "root"
     ✔  File /etc/cron.d is expected not to be writable by group
     ✔  File /etc/cron.d is expected not to be writable by other
     ×  File /etc/cron.d is expected not to be readable by group
     expected File /etc/cron.d not to be readable by group
     ×  File /etc/cron.d is expected not to be readable by other
     expected File /etc/cron.d not to be readable by other
  ✔  package-01: Do not run deprecated inetd or xinetd
     ✔  System Package inetd is expected not to be installed
     ✔  System Package xinetd is expected not to be installed
  ✔  package-02: Do not install Telnet server
     ✔  System Package telnetd is expected not to be installed
  ✔  package-03: Do not install rsh server
     ✔  System Package rsh-server is expected not to be installed
  ✔  package-05: Do not install ypserv server (NIS)
     ✔  System Package ypserv is expected not to be installed
  ✔  package-06: Do not install tftp server
     ✔  System Package tftp-server is expected not to be installed
  ↺  package-08: Install auditd (1 failed) (1 skipped)
     ×  System Package auditd is expected to be installed
     expected that `System Package auditd` is installed
     ↺  Can't find file: /etc/audit/auditd.conf
  ✔  package-09: CIS: Additional process hardening
     ✔  System Package prelink is expected not to be installed
  ×  sysctl-01: IPv4 Forwarding (2 failed)
     ×  Kernel Parameter net.ipv4.ip_forward value is expected to eq 0

     expected: 0
          got: 1

     (compared using ==)

     ×  Kernel Parameter net.ipv4.conf.all.forwarding value is expected to eq 0

     expected: 0
          got: 1

     (compared using ==)

  ×  sysctl-02: Reverse path filtering (2 failed)
     ×  Kernel Parameter net.ipv4.conf.all.rp_filter value is expected to eq 1

     expected: 1
          got: 2

     (compared using ==)

     ×  Kernel Parameter net.ipv4.conf.default.rp_filter value is expected to eq 1

     expected: 1
          got: 2

     (compared using ==)

  ✔  sysctl-03: ICMP ignore bogus error responses
     ✔  Kernel Parameter net.ipv4.icmp_ignore_bogus_error_responses value is expected to eq 1
  ✔  sysctl-04: ICMP echo ignore broadcasts
     ✔  Kernel Parameter net.ipv4.icmp_echo_ignore_broadcasts value is expected to eq 1
  ×  sysctl-05: ICMP ratelimit
     ×  Kernel Parameter net.ipv4.icmp_ratelimit value is expected to eq 100

     expected: 100
          got: 1000

     (compared using ==)

  ×  sysctl-06: ICMP ratemask
     ×  Kernel Parameter net.ipv4.icmp_ratemask value is expected to eq 88089

     expected: 88089
          got: 6168

     (compared using ==)

  ×  sysctl-07: TCP timestamps
     ×  Kernel Parameter net.ipv4.tcp_timestamps value is expected to eq 0

     expected: 0
          got: 1

     (compared using ==)

  ×  sysctl-08: ARP ignore
     ×  Kernel Parameter net.ipv4.conf.all.arp_ignore value is expected to cmp == /(1|2)/

     expected: (?-mix:(1|2))
          got: 0

     (compared using `cmp` matcher)

  ×  sysctl-09: ARP announce
     ×  Kernel Parameter net.ipv4.conf.all.arp_announce value is expected to eq 2

     expected: 2
          got: 0

     (compared using ==)

  ×  sysctl-10: TCP RFC1337 Protect Against TCP Time-Wait
     ×  Kernel Parameter net.ipv4.tcp_rfc1337 value is expected to eq 1

     expected: 1
          got: 0

     (compared using ==)

  ✔  sysctl-11: Protection against SYN flood attacks
     ✔  Kernel Parameter net.ipv4.tcp_syncookies value is expected to eq 1
  ✔  sysctl-12: Shared Media IP Architecture
     ✔  Kernel Parameter net.ipv4.conf.all.shared_media value is expected to eq 1
     ✔  Kernel Parameter net.ipv4.conf.default.shared_media value is expected to eq 1
  ×  sysctl-13: Disable Source Routing (1 failed)
     ✔  Kernel Parameter net.ipv4.conf.all.accept_source_route value is expected to eq 0
     ×  Kernel Parameter net.ipv4.conf.default.accept_source_route value is expected to eq 0

     expected: 0
          got: 1

     (compared using ==)

     ✔  Kernel Parameter net.ipv6.conf.all.accept_source_route value is expected to eq 0
     ✔  Kernel Parameter net.ipv6.conf.default.accept_source_route value is expected to eq 0
  ×  sysctl-14: Disable acceptance of all IPv4 redirected packets (1 failed)
     ×  Kernel Parameter net.ipv4.conf.default.accept_redirects value is expected to eq 0

     expected: 0
          got: 1

     (compared using ==)

     ✔  Kernel Parameter net.ipv4.conf.all.accept_redirects value is expected to eq 0
  ×  sysctl-15: Disable acceptance of all secure redirected packets (2 failed)
     ×  Kernel Parameter net.ipv4.conf.all.secure_redirects value is expected to eq 0

     expected: 0
          got: 1

     (compared using ==)

     ×  Kernel Parameter net.ipv4.conf.default.secure_redirects value is expected to eq 0

     expected: 0
          got: 1

     (compared using ==)

  ×  sysctl-16: Disable sending of redirects packets (2 failed)
     ×  Kernel Parameter net.ipv4.conf.default.send_redirects value is expected to eq 0

     expected: 0
          got: 1

     (compared using ==)

     ×  Kernel Parameter net.ipv4.conf.all.send_redirects value is expected to eq 0

     expected: 0
          got: 1

     (compared using ==)

  ×  sysctl-17: Disable log martians (2 failed)
     ×  Kernel Parameter net.ipv4.conf.all.log_martians value is expected to eq 1

     expected: 1
          got: 0

     (compared using ==)

     ×  Kernel Parameter net.ipv4.conf.default.log_martians value is expected to eq 1

     expected: 1
          got: 0

     (compared using ==)

  ✔  sysctl-19: IPv6 Forwarding
     ✔  Kernel Parameter net.ipv6.conf.all.forwarding value is expected to eq 0
  ×  sysctl-20: Disable acceptance of all IPv6 redirected packets (2 failed)
     ×  Kernel Parameter net.ipv6.conf.default.accept_redirects value is expected to eq 0

     expected: 0
          got: 1

     (compared using ==)

     ×  Kernel Parameter net.ipv6.conf.all.accept_redirects value is expected to eq 0

     expected: 0
          got: 1

     (compared using ==)

  ×  sysctl-21: Disable acceptance of IPv6 router solicitations messages
     ×  Kernel Parameter net.ipv6.conf.default.router_solicitations value is expected to eq 0

     expected: 0
          got: "-1"

     (compared using ==)

  ×  sysctl-22: Disable Accept Router Preference from router advertisement
     ×  Kernel Parameter net.ipv6.conf.default.accept_ra_rtr_pref value is expected to eq 0

     expected: 0
          got: 1

     (compared using ==)

  ×  sysctl-23: Disable learning Prefix Information from router advertisement
     ×  Kernel Parameter net.ipv6.conf.default.accept_ra_pinfo value is expected to eq 0

     expected: 0
          got: 1

     (compared using ==)

  ×  sysctl-24: Disable learning Hop limit from router advertisement
     ×  Kernel Parameter net.ipv6.conf.default.accept_ra_defrtr value is expected to eq 0

     expected: 0
          got: 1

     (compared using ==)

  ×  sysctl-25: Disable the system`s acceptance of router advertisement (2 failed)
     ×  Kernel Parameter net.ipv6.conf.all.accept_ra value is expected to eq 0

     expected: 0
          got: 1

     (compared using ==)

     ×  Kernel Parameter net.ipv6.conf.default.accept_ra value is expected to eq 0

     expected: 0
          got: 1

     (compared using ==)

  ×  sysctl-26: Disable IPv6 autoconfiguration
     ×  Kernel Parameter net.ipv6.conf.default.autoconf value is expected to eq 0

     expected: 0
          got: 1

     (compared using ==)

  ×  sysctl-27: Disable neighbor solicitations to send out per address
     ×  Kernel Parameter net.ipv6.conf.default.dad_transmits value is expected to eq 0

     expected: 0
          got: 1

     (compared using ==)

  ×  sysctl-28: Assign one global unicast IPv6 addresses to each interface
     ×  Kernel Parameter net.ipv6.conf.default.max_addresses value is expected to eq 1

     expected: 1
          got: 16

     (compared using ==)

  ✔  sysctl-29: Disable loading kernel modules
     ✔  Kernel Parameter kernel.modules_disabled value is expected to eq 0
  ×  sysctl-30: Magic SysRq
     ×  Kernel Parameter kernel.sysrq value is expected to eq 0

     expected: 0
          got: 176

     (compared using ==)

  ✔  sysctl-31a: Secure Core Dumps - dump settings
     ✔  Kernel Parameter fs.suid_dumpable value is expected to cmp == /(0|2)/
  ✔  sysctl-31b: Secure Core Dumps - dump path
     ✔  Kernel Parameter kernel.core_pattern value is expected to match /^\|?\/.*/
  ✔  sysctl-32: kernel.randomize_va_space
     ✔  Kernel Parameter kernel.randomize_va_space value is expected to eq 2
  ✔  sysctl-33: CPU No execution Flag or Kernel ExecShield
     ✔  /proc/cpuinfo Flags should include NX


Profile Summary: 26 successful controls, 28 control failures, 1 control skipped
Test Summary: 103 successful, 57 failures, 2 skipped


See also[edit]

Advertising: