diff --git a/data/common.yaml b/data/common.yaml index 37645a51..a1f8f177 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -1,7 +1,7 @@ --- secure_linux_cis::banner: > Authorized uses only. All activity may be monitored and reported. - + secure_linux_cis::motd: 🐉 Module by Fervid 🐉 @@ -33,8 +33,8 @@ secure_linux_cis::pass_min_days: 7 secure_linux_cis::pass_warn_days: 7 secure_linux_cis::pass_inactive_days: 30 secure_linux_cis::timeout: 600 - secure_linux_cis::auto_restart: false +secure_linux_cis::manage_sshd_service: false secure_linux_cis::logging_host: '' secure_linux_cis::is_logging_host: false secure_linux_cis::exclude_logs: [] @@ -96,4 +96,4 @@ secure_linux_cis::approved_ciphers: - aes128-gcm@openssh.com - aes256-ctr - aes192-ctr - - aes128-ctr \ No newline at end of file + - aes128-ctr diff --git a/data/os/Debian/version/11.yaml b/data/os/Debian/version/11.yaml index 4e264b2b..fbfed37b 100644 --- a/data/os/Debian/version/11.yaml +++ b/data/os/Debian/version/11.yaml @@ -20,7 +20,6 @@ secure_linux_cis::server_level_1: - ensure_automatic_error_reporting_is_not_enabled - ensure_core_dumps_are_restricted - ensure_apparmor_is_installed -- ensure_apparmor_is_enabled_in_the_bootloader_configuration - ensure_all_apparmor_profiles_are_in_enforce_or_complain_mode - ensure_message_of_the_day_is_configured_properly - ensure_local_login_warning_banner_is_configured_properly @@ -77,7 +76,7 @@ secure_linux_cis::server_level_1: - ensure_reverse_path_filtering_is_enabled - ensure_tcp_syn_cookies_is_enabled - ensure_a_nftables_table_exists -- ensure_iptables_packages_are_installed +- ensure_iptables_package_is_installed - ensure_nftables_is_not_installed_with_iptables - ensure_ufw_is_uninstalled_or_disabled_with_iptables - ensure_iptables_default_deny_firewall_policy 
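Review bot: Dropping `ensure_apparmor_is_enabled_in_the_bootloader_configuration` from `server_level_1` in the Debian 11 profile leaves the Level 1 set with no control over the kernel command line, so a host booted with `apparmor=0` still satisfies `ensure_apparmor_is_installed` and the profile-mode rule while enforcing nothing. If the rule was pulled because its implementation misbehaves on Debian 11's GRUB layout, record that beside the list so the gap is visible rather than silent, e.g. `# ensure_apparmor_is_enabled_in_the_bootloader_configuration omitted on Debian 11: <reason>`. The rename to `ensure_iptables_package_is_installed` in the same file must match a class under `manifests/rules/`, which is not part of this diff.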
@@ -201,7 +200,6 @@ secure_linux_cis::server_level_2: - ensure_automatic_error_reporting_is_not_enabled - ensure_core_dumps_are_restricted - ensure_apparmor_is_installed -- ensure_apparmor_is_enabled_in_the_bootloader_configuration - ensure_all_apparmor_profiles_are_enforcing - ensure_message_of_the_day_is_configured_properly - ensure_local_login_warning_banner_is_configured_properly @@ -263,7 +261,7 @@ secure_linux_cis::server_level_2: - ensure_reverse_path_filtering_is_enabled - ensure_tcp_syn_cookies_is_enabled - ensure_a_nftables_table_exists -- ensure_iptables_packages_are_installed +- ensure_iptables_package_is_installed - ensure_nftables_is_not_installed_with_iptables - ensure_ufw_is_uninstalled_or_disabled_with_iptables - ensure_iptables_default_deny_firewall_policy @@ -471,7 +469,7 @@ secure_linux_cis::workstation_level_1: - ensure_reverse_path_filtering_is_enabled - ensure_tcp_syn_cookies_is_enabled - ensure_a_nftables_table_exists -- ensure_iptables_packages_are_installed +- ensure_iptables_package_is_installed - ensure_nftables_is_not_installed_with_iptables - ensure_ufw_is_uninstalled_or_disabled_with_iptables - ensure_iptables_default_deny_firewall_policy @@ -657,7 +655,7 @@ secure_linux_cis::workstation_level_2: - ensure_reverse_path_filtering_is_enabled - ensure_tcp_syn_cookies_is_enabled - ensure_a_nftables_table_exists -- ensure_iptables_packages_are_installed +- ensure_iptables_package_is_installed - ensure_nftables_is_not_installed_with_iptables - ensure_ufw_is_uninstalled_or_disabled_with_iptables - ensure_iptables_default_deny_firewall_policy diff --git a/files/aidecheck.service b/files/aidecheck.service index 82d9f216..4a83f7a4 100644 --- a/files/aidecheck.service +++ b/files/aidecheck.service @@ -3,7 +3,7 @@ Description=Aide Check [Service] Type=simple -ExecStart=/usr/sbin/aide --check +ExecStart=/usr/bin/aide --check --config /etc/aide/aide.conf [Install] -WantedBy=multi-user.target \ No newline at end of file +WantedBy=multi-user.target 
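Review bot: `ExecStart=/usr/bin/aide --check --config /etc/aide/aide.conf` pins Debian's binary and config locations into a unit that lives in `files/` and is presumably shipped unchanged to every OS family the module supports; on hosts where aide is `/usr/sbin/aide` (the path the old line used) with `/etc/aide.conf` the unit fails to start and the integrity check silently stops running. Either template both paths per osfamily or state in the unit that it is Debian-only, e.g. `Description=Aide Check (Debian paths)`. Note also that `WantedBy=multi-user.target` on a one-shot check only runs it at boot; whether a timer drives it is not visible here.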
diff --git a/files/audit_all_logfiles_have_appropriate_permissions_and_ownership.sh b/files/audit_all_logfiles_have_appropriate_permissions_and_ownership.sh index 2a08bd56..421f9231 100644 --- a/files/audit_all_logfiles_have_appropriate_permissions_and_ownership.sh +++ b/files/audit_all_logfiles_have_appropriate_permissions_and_ownership.sh @@ -2,8 +2,8 @@ { echo -e "\n- Start check - logfiles have appropriate permissions and ownership" output="" - - find /var/log -type f | (while read -r fname; do + + find /var/log -type f | while read -r fname; do bname="$(basename "$fname")" case "$bname" in @@ -11,7 +11,7 @@ if ! stat -Lc "%a" "$fname" | grep -Pq -- '^\h*[0,2,4,6][0,2,4,6][0,4]\h*$'; then output="$output\n- File: \"$fname\" mode: \"$(stat -Lc "%a" "$fname")\"\n" fi - + if ! stat -Lc "%U %G" "$fname" | grep -Pq -- '^\h*root\h+(utmp|root)\h*$'; then output="$output\n- File: \"$fname\" ownership: \"$(stat -Lc "%U:%G" "$fname")\"\n" fi @@ -64,7 +64,7 @@ else # print the reason why we are failing echo -e "\n- FAIL:\n$output" + exit 1 fi echo -e "- End check - logfiles have appropriate permissions and ownership\n" - ) -} \ No newline at end of file +} diff --git a/files/audit_local_interactive_user_dot_files_are_not_group_or_world_writable.sh b/files/audit_local_interactive_user_dot_files_are_not_group_or_world_writable.sh index 7acd3f49..34edf617 100644 --- a/files/audit_local_interactive_user_dot_files_are_not_group_or_world_writable.sh +++ b/files/audit_local_interactive_user_dot_files_are_not_group_or_world_writable.sh 
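Review bot: With the subshell wrapper removed, `find /var/log -type f | while read -r fname; do … done` still runs the loop on the right-hand side of a pipe, so the `output=` assignments made inside it are discarded when the loop ends; the `FAIL`/`exit 1` branch below can never fire, the script always exits 0, and the Puppet `unless` that now keys off this exit status will never trigger the remediation. Keep the variable in the main shell by feeding the loop from process substitution: `while read -r fname; do` … `done < <(find /var/log -type f)`. The loop body and its `done` lie between the two hunks shown here.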
@@ -3,17 +3,16 @@ output="" perm_mask='0022' maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )" - valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s - d '|' - ))$" - awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do + valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" + awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | while read -r user home; do for dfile in $(find "$home" -type f -name '.*'); do mode=$( stat -L -c '%#a' "$dfile" ) [ $(( $mode & $perm_mask )) -gt 0 ] && output="$output\n- User $user file: \"$dfile\" is too permissive: \"$mode\" (should be: \"$maxperm\" or more restrictive)" done done if [ -n "$output" ]; then - echo -e "\n- Failed:$output" - else - echo -e "\n- Passed:\n- All user home dot files are mode: \"$maxperm\" or more restrictive" + echo -e "\n- FAIL:$output" + exit 1 fi - ) -} \ No newline at end of file + echo -e "\n- PASS:\n- All user home dot files are mode: \"$maxperm\" or more restrictive" +} diff --git a/files/audit_local_interactive_user_home_directories_exist.sh b/files/audit_local_interactive_user_home_directories_exist.sh index 4d1b35d5..05795277 100644 --- a/files/audit_local_interactive_user_home_directories_exist.sh +++ b/files/audit_local_interactive_user_home_directories_exist.sh 
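Review bot: With the `( … )` wrapper gone, the loop at `… /etc/passwd | while read -r user home; do` still runs in the pipeline's subshell, so every `output=` appended inside it is lost at `done`; the `[ -n "$output" ]` test that follows always sees an empty string, the script always prints PASS and exits 0, and the remediation this script guards in Puppet never runs. Feed the loop from process substitution so the assignment happens in the calling shell: `while read -r user home; do` … `done < <(awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd)`. The inner `for dfile in $(find "$home" -type f -name '.*')` also word-splits file names; that is pre-existing, but `find … -print0` with a `read -r -d ''` loop would fix it while you are here.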
@@ -1,16 +1,15 @@ #!/usr/bin/env bash { output="" - valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s - d '|' - ))$" + valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" - awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do + awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | while read -r user home; do [ ! -d "$home" ] && output="$output\n - User \"$user\" home directory \"$home\" doesn't exist" done - if [ -z "$output" ]; then - echo -e "\n-PASSED: - All local interactive users have a home directory\n" - else - echo -e "\n- FAILED:\n$output\n" + if [ -n "$output" ]; then + echo -e "\n- FAIL:\n${output}\n" + exit 1 fi - ) -} \ No newline at end of file + echo -e "\n-PASS: - All local interactive users have a home directory\n" +} diff --git a/files/audit_local_interactive_users_home_directories_are_mode_750_or_more_restrictive.sh b/files/audit_local_interactive_users_home_directories_are_mode_750_or_more_restrictive.sh index c948bb8c..8fff6ac4 100644 --- a/files/audit_local_interactive_users_home_directories_are_mode_750_or_more_restrictive.sh +++ b/files/audit_local_interactive_users_home_directories_are_mode_750_or_more_restrictive.sh 
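Review bot: `… /etc/passwd | while read -r user home; do` leaves the loop in a pipeline subshell now that the surrounding parentheses are gone, so `output` is still empty when `done` is reached and the new `exit 1` path is unreachable: the check always reports PASS. Use `while read -r user home; do` … `done < <(awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd)` so the variable survives the loop. Minor: the success line reads `-PASS:` while the sibling audits in this commit print `- PASS:`; Puppet now keys off the exit status only, so this is cosmetic, but keep it uniform.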
@@ -3,18 +3,17 @@ output="" perm_mask='0027' maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )" - valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s - d '|' - ))$" - awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do + valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" + awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | while read -r user home; do if [ -d "$home" ]; then mode=$( stat -L -c '%#a' "$home" ) [ $(( $mode & $perm_mask )) -gt 0 ] && output="$output\n- User $user home directory: \"$home\" is too permissive: \"$mode\" (should be: \"$maxperm\" or more restrictive)" fi done - + if [ -n "$output" ]; then - echo -e "\n- Failed:$output" - else - echo -e "\n- Passed:\n- All user home directories are mode: \"$maxperm\" or more restrictive" + echo -e "\n- FAIL:\n${output}\n" + exit 1 fi - ) -} \ No newline at end of file + echo -e "\n- PASS:\n- All user home directories are mode: \"$maxperm\" or more restrictive" +} diff --git a/files/audit_local_interactive_users_own_their_home_directories.sh b/files/audit_local_interactive_users_own_their_home_directories.sh index e46f46e8..aca060d2 100644 --- a/files/audit_local_interactive_users_own_their_home_directories.sh +++ b/files/audit_local_interactive_users_own_their_home_directories.sh 
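Review bot: Removing the parentheses around the loop and the test that followed it means `… /etc/passwd | while read -r user home; do` now runs in a pipeline subshell on its own, so `output` is empty by the time `[ -n "$output" ]` runs and the `FAIL`/`exit 1` branch is dead: every home directory mode passes. Read the loop from process substitution instead: `while read -r user home; do` … `done < <(awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd)`. The same construct is changed the same way in the other audit scripts of this commit and needs the same fix in each.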
@@ -1,15 +1,15 @@ #!/usr/bin/env bash { output="" - valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s - d '|' - ))$" - awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do + valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" + awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | while read -r user home; do owner="$(stat -L -c "%U" "$home")" [ "$owner" != "$user" ] && output="$output\n - User \"$user\" home directory \"$home\" is owned by user \"$owner\"" done if [ -z "$output" ]; then - echo -e "\n-PASSED: - All local interactive users have a home directory\n" + echo -e "\n- PASS: - All local interactive users have a home directory\n" else - echo -e "\n- FAILED:\n$output\n" + echo -e "\n- FAIL:\n$output\n" + exit 1 fi - ) -} \ No newline at end of file +} diff --git a/files/audit_no_local_interactive_user_has_forward_files.sh b/files/audit_no_local_interactive_user_has_forward_files.sh index 21275f38..244b1f26 100644 --- a/files/audit_no_local_interactive_user_has_forward_files.sh +++ b/files/audit_no_local_interactive_user_has_forward_files.sh 
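Review bot: `… /etc/passwd | while read -r user home; do` now runs in a pipeline subshell without the old enclosing parentheses, so the `output=` appends inside it never reach the `[ -z "$output" ]` test below and the script always takes the PASS branch; the new `exit 1` can never be hit. Feed the loop with `done < <(awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd)` so the assignment happens in the calling shell. The PASS text `All local interactive users have a home directory` is copied from the home-directory-exists script; this one checks ownership, so `All local interactive users own their home directory` would describe what passed.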
@@ -2,14 +2,14 @@ { output="" fname=".forward" - valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s - d '|' - ))$" - awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do + valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" + awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | while read -r user home; do [ -f "$home/$fname" ] && output="$output\n - User \"$user\" file: \"$home/$fname\" exists" done if [ -z "$output" ]; then - echo -e "\n-PASSED: - No local interactive users have \"$fname\" files in their home directory\n" + echo -e "\n-PASS: - No local interactive users have \"$fname\" files in their home directory\n" else - echo -e "\n- FAILED:\n$output\n" + echo -e "\n- FAIL:\n$output\n" + exit 1 fi - ) -} \ No newline at end of file +} diff --git a/files/audit_no_local_interactive_user_has_netrc_files.sh b/files/audit_no_local_interactive_user_has_netrc_files.sh index 3a08f315..0c120782 100644 --- a/files/audit_no_local_interactive_user_has_netrc_files.sh +++ b/files/audit_no_local_interactive_user_has_netrc_files.sh @@ -4,7 +4,7 @@ perm_mask='0177' maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )" valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" - awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do + awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | while read -r user home; do if [ -f "$home/.netrc" ]; then mode="$( stat -L -c '%#a' "$home/.netrc" )" if [ $(( $mode & $perm_mask )) -gt 0 ]; then 
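Review bot: In `… /etc/passwd | while read -r user home; do` the loop now runs in a pipeline subshell (the parentheses that used to keep loop and test together are gone), so the `output=` append for a found `.forward` never reaches the `[ -z "$output" ]` test and the script always reports PASS with status 0; the `exit 1` is unreachable. Use process substitution so the variable is set in the main shell: `while read -r user home; do` … `done < <(awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd)`. The `.netrc` audit hunk on this same line makes the identical change and has the identical problem; its test lives in the next hunk.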
@@ -14,15 +14,8 @@
 fi
 fi
 done
- if [ -z "$output" ]; then
- if [ -z "$output2" ]; then
- echo -e "\n-PASSED: - No local interactive users have \".netrc\" files in their home directory\n"
- else
- echo -e "\n- WARNING:\n$output2\n"
- fi
- else
- echo -e "\n- FAILED:\n$output\n"
- [ -n "$output2" ] && echo -e "\n- WARNING:\n$output2\n"
- fi
- )
-}
\ No newline at end of file
+ [[ "${output}" ]] && echo -e "\n- FAIL:\n${output}\n"
+ [[ "${output2}" ]] && echo -e "\n- WARN:\n${output2}\n"
+ [[ "${output}" || "${output2}" ]] && exit 1
+ echo -e "\n-PASSED: - No local interactive users have \".netrc\" files in their home directory\n"
+}
diff --git a/files/audit_no_local_interactive_user_has_rhosts_files.sh b/files/audit_no_local_interactive_user_has_rhosts_files.sh
new file mode 100644
index 00000000..bf0aee51
--- /dev/null
+++ b/files/audit_no_local_interactive_user_has_rhosts_files.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+interactive_user_dirs=( $(awk -F: '($7 !~ "nologin" && $7!="/bin/false" && $7!="/usr/bin/false") {print $6}' /etc/passwd) )
+for interactive_user_dir in "${interactive_user_dirs[@]}"; do
+ rhosts_files+=( $(find "${interactive_user_dir}" -name .rhosts) )
+done
+if [ -n "${rhosts_files}" ]; then
+ echo "FAIL: found .rhosts files: ${rhosts_files[@]}"
+ exit 1
+fi
+echo "PASS: no .rhosts files found."
diff --git a/files/audit_nologin_system_accounts.sh b/files/audit_nologin_system_accounts.sh
index 02e404bf..4f1f889a 100644
--- a/files/audit_nologin_system_accounts.sh
+++ b/files/audit_nologin_system_accounts.sh
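Review bot: `[[ "${output}" || "${output2}" ]] && exit 1` can never fire: both variables are appended to inside the `| while read -r user home` loop of the previous hunk, which now runs in a pipeline subshell (the old parentheses enclosed loop and test together), so here both are empty and the script always ends on the PASSED line with status 0. Read the loop from process substitution, `done < <(awk …)`, so the assignments happen in the calling shell; the loop's `done` is the context line just above. The final message still says `-PASSED` where the sibling audits in this commit print `- PASS:`.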
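Review bot: `rhosts_files+=( $(find "${interactive_user_dir}" -name .rhosts) )` walks each home directory recursively, whereas the control is about `$HOME/.rhosts` itself; any listed account whose home is `/` or a large shared tree turns this into a full scan on every Puppet run, and a nested `.rhosts` inside, say, a project checkout is reported as a finding. Test the one path directly: `[ -f "${interactive_user_dir}/.rhosts" ] && rhosts_files+=("${interactive_user_dir}/.rhosts")`. `interactive_user_dirs=( $(awk …) )` also word-splits home paths containing spaces, and the `$7 !~ "nologin"` selection (which admits an empty shell field) differs from the `/etc/shells`-based test used by the other audits in this commit, so they can disagree about who is interactive. `[ -n "${rhosts_files}" ]` inspects element 0 only; `(( ${#rhosts_files[@]} ))` says what is meant.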
@@ -1 +1 @@ -awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!="'"$(which nologin)"'" && $7!="/bin/false") {print}' /etc/passwd \ No newline at end of file +awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $1!~/^\+/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!="'"$(which nologin)"'" && $7!="/bin/false") {print}' /etc/passwd diff --git a/files/audit_priv.sh b/files/audit_priv.sh index 5a76f483..aaf58caa 100755 --- a/files/audit_priv.sh +++ b/files/audit_priv.sh @@ -1,4 +1,4 @@ #!/bin/sh df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null | \ - awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }' | sort + awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged" }' | grep -v docker | sort diff --git a/files/audit_use_of_privileged_commands_are_collected.sh b/files/audit_use_of_privileged_commands_are_collected.sh index 87518c09..a4f3dbce 100644 --- a/files/audit_use_of_privileged_commands_are_collected.sh +++ b/files/audit_use_of_privileged_commands_are_collected.sh @@ -1,5 +1,9 @@ for PARTITION in $(findmnt -n -l -k -it $(awk '/nodev/ { print $2 }' /proc/filesystems | paste -sd,) | grep -Pv "noexec|nosuid" | awk '{print $1}'); do for PRIVILEGED in $(find "${PARTITION}" -xdev -perm /6000 -type f); do - grep -qr "${PRIVILEGED}" /etc/audit/rules.d && printf "OK: '${PRIVILEGED}' found in auditing rules.\n" || printf "Warning: '${PRIVILEGED}' not found in on disk configuration.\n" + if ! grep -qr "${PRIVILEGED}" /etc/audit/rules.d; then + printf "WARN: '${PRIVILEGED}' not found in on disk configuration.\n" + exit 1 + fi + printf "PASS: '${PRIVILEGED}' found in auditing rules.\n" \ done -done \ No newline at end of file +done 
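Review bot: `| grep -v docker` filters the generated audit rules by substring, so any setuid/setgid binary whose path merely contains `docker` is dropped from the privileged-command rules, not only binaries under container overlay mounts, and nothing in the script says why. If the goal is to skip the `/var/lib/docker/overlay2/…/merged` mount points that `df --local` lists, filter the mount list rather than the rules and document it: `df --local -P | awk '{if (NR!=1) print $6}' | grep -v '^/var/lib/docker/' | xargs …` preceded by `# skip container overlay mounts; their binaries are not host privileged commands`. Excluding paths here is a deliberate gap in the CIS privileged-command collection, so it should be a recorded decision rather than an unexplained filter.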
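Review bot: If the backslash ending `printf "PASS: '${PRIVILEGED}' found in auditing rules.\n" \` is really in the file rather than an artifact of this listing, it continues the statement onto the following ` done`, which becomes a printf argument and leaves the inner `for` unterminated; bash then rejects the script with an unexpected-end-of-file error, and since a Puppet `unless` treats any non-zero status as "not satisfied", the remediation would run on every agent run. Drop the trailing backslash. Separately, `exit 1` on the first missing binary reports a single gap per run; collecting the misses into a variable and exiting after both loops would give a complete picture.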
diff --git a/files/ensure_local_interactive_user_home_directories_exist.sh b/files/ensure_local_interactive_user_home_directories_exist.sh index 1987f6eb..418c3df6 100644 --- a/files/ensure_local_interactive_user_home_directories_exist.sh +++ b/files/ensure_local_interactive_user_home_directories_exist.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash { -valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s - d '|' - ))$" +valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | while read -r user home; do if [ ! -d "$home" ]; then echo -e "\n- User \"$user\" home directory \"$home\" doesn't exist\n- creating home directory \"$home\"\n" @@ -9,4 +9,4 @@ awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passw chown "$user" "$home" fi done -} \ No newline at end of file +} diff --git a/files/ensure_local_interactive_users_home_directories_are_mode_750_or_more_restrictive.sh b/files/ensure_local_interactive_users_home_directories_are_mode_750_or_more_restrictive.sh index 0916e743..661b2621 100644 --- a/files/ensure_local_interactive_users_home_directories_are_mode_750_or_more_restrictive.sh +++ b/files/ensure_local_interactive_users_home_directories_are_mode_750_or_more_restrictive.sh 
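Review bot: The `paste -s - d '|' -` → `paste -s -d '|' -` correction is more than a typo fix in effect: with the old arguments `paste` read `d` and `|` as file names and joined the shells with tabs instead of `|`, so `valid_shells` matched no real login shell and this loop, like every sibling script carrying the same line, processed nobody; after this commit they act for the first time, here by creating home directories and running `chown "$user" "$home"`. That deserves a changelog entry and a comment at the `valid_shells` line, e.g. `# alternation of every absolute shell in /etc/shells; -d is required or paste reads "d" as a file`. `chown "$user" "$home"` sets only the owner, so the new directory keeps the group of the creating process; `chown "$user:$(id -gn "$user")" "$home"` gives the user's primary group. The `mkdir` that creates the directory sits between the two hunks.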
@@ -2,13 +2,12 @@ { perm_mask='0027' maxperm="$( printf '%o' $(( 0777 & ~$perm_mask)) )" - valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s - d '|' - ))$" - awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do + valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" + awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | while read -r user home; do mode=$( stat -L -c '%#a' "$home" ) if [ $(( $mode & $perm_mask )) -gt 0 ]; then echo -e "- modifying User $user home directory: \"$home\"\n- removing excessive permissions from current mode of \"$mode\"" chmod g-w,o-rwx "$home" fi done - ) -} \ No newline at end of file +} diff --git a/files/ensure_local_interactive_users_own_their_home_directories.sh b/files/ensure_local_interactive_users_own_their_home_directories.sh index fef4d34c..b0727090 100644 --- a/files/ensure_local_interactive_users_own_their_home_directories.sh +++ b/files/ensure_local_interactive_users_own_their_home_directories.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash { output="" - valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s - d '|' - ))$" + valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$" awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | while read -r user home; do owner="$(stat -L -c "%U" "$home")" if [ "$owner" != "$user" ]; then @@ -9,4 +9,4 @@ chown "$user" "$home" fi done -} \ No newline at end of file +} diff --git a/files/ensure_no_local_interactive_user_has_forward_files.sh b/files/ensure_no_local_interactive_user_has_forward_files.sh index 1282e2e7..450f89b6 100644 --- a/files/ensure_no_local_interactive_user_has_forward_files.sh +++ b/files/ensure_no_local_interactive_user_has_forward_files.sh 
@@ -3,11 +3,10 @@
 output=""
 fname=".forward"
 valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
- awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | (while read -r user home; do
+ awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | while read -r user home; do
 if [ -f "$home/$fname" ]; then
 echo -e "$output\n- User \"$user\" file: \"$home/$fname\" exists\n - removing file: \"$home/$fname\"\n"
 rm -r "$home/$fname"
 fi
 done
- )
-}
\ No newline at end of file
+}
diff --git a/files/ensure_no_local_interactive_user_has_netrc_files.sh b/files/ensure_no_local_interactive_user_has_netrc_files.sh
index a1be48f6..dfa99386 100644
--- a/files/ensure_no_local_interactive_user_has_netrc_files.sh
+++ b/files/ensure_no_local_interactive_user_has_netrc_files.sh
@@ -1,11 +1,11 @@
 #!/usr/bin/env bash
 {
 perm_mask='0177'
- valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s - d '|' - ))$"
+ valid_shells="^($( sed -rn '/^\//{s,/,\\\\/,g;p}' /etc/shells | paste -s -d '|' - ))$"
 awk -v pat="$valid_shells" -F: '$(NF) ~ pat { print $1 " " $(NF-1) }' /etc/passwd | while read -r user home; do
 if [ -f "$home/.netrc" ]; then
 echo -e "\n- User \"$user\" file: \"$home/.netrc\" exists\n - removing file: \"$home/.netrc\"\n"
 rm -f "$home/.netrc"
 fi
 done
-}
\ No newline at end of file
+}
diff --git a/files/ensure_no_local_interactive_user_has_rhosts_files.sh b/files/ensure_no_local_interactive_user_has_rhosts_files.sh
new file mode 100644
index 00000000..1a13c6a8
--- /dev/null
+++ b/files/ensure_no_local_interactive_user_has_rhosts_files.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+interactive_user_dirs=( $(awk -F: '($7 !~ "nologin" && $7!="/bin/false" && $7!="/usr/bin/false") {print $6}' /etc/passwd) )
+for interactive_user_dir in "${interactive_user_dirs[@]}"; do
+ find "${interactive_user_dir}" -name .rhosts -exec rm -v {} \;
+done
+
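Review bot: `find "${interactive_user_dir}" -name .rhosts -exec rm -v {} \;` deletes every file named `.rhosts` anywhere below each home directory, not the `$HOME/.rhosts` the control is about, so user data in nested directories (a project checkout, a backup) is removed, and for any listed account whose home is `/` the command walks the whole filesystem deleting matches; a destructive remediation should touch exactly the path the audit defines. Replace the loop body with `[ -f "${interactive_user_dir}/.rhosts" ] && rm -v -- "${interactive_user_dir}/.rhosts"`. `interactive_user_dirs=( $(awk …) )` word-splits home paths containing spaces, and the `$7 !~ "nologin"` selection (which also admits an empty shell field) differs from the `/etc/shells` test used by the `.forward` and `.netrc` scripts in this same commit, so this fix and its siblings may disagree about who is interactive.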
diff --git a/lib/facter/fstab_entries.rb b/lib/facter/fstab_entries.rb
new file mode 100644
index 00000000..d6fb68e9
--- /dev/null
+++ b/lib/facter/fstab_entries.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+# fstab_entries.rb
+# Get uncommented fstab entries
+
+Facter.add('fstab_entries') do
+ confine kernel: 'Linux'
+ setcode do
+ Facter::Core::Execution.exec("grep -v '^\s*#' /etc/fstab | awk '{print $2}'").split("\n")
+ end
+end
diff --git a/lib/facter/root_path.rb b/lib/facter/root_path.rb
index 2412b680..74637c76 100644
--- a/lib/facter/root_path.rb
+++ b/lib/facter/root_path.rb
@@ -3,6 +3,6 @@
 Facter.add('root_path') do
 confine kernel: 'Linux'
 setcode do
- Facter::Core::Execution.exec('sudo -Hiu root env | grep \'^PATH\' | cut -d= -f2')
+ Facter::Core::Execution.exec('sudo -Hu root env | grep \'^PATH\' | cut -d= -f2')
 end
 end
diff --git a/manifests/init.pp b/manifests/init.pp
index 2358e4b7..3631545e 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -58,6 +58,7 @@
 # @param auditd_package Auditd package
 # @param selinux_mode SElinux mode enforcing or permissive. Defaults to enforcing.
 # @param default_firewalld_zone Firewalld zone to default o. Defaults to drop.
+# @param manage_sshd_service Should sshd service be managed
 #
 class secure_linux_cis (
 Array[String] $grub_config_files,
@@ -78,13 +79,14 @@
 Array[String] $server_level_1,
 Array[String] $server_level_2,
 Boolean $auto_restart,
+ Boolean $manage_sshd_service,
 String $logging_host,
 String $update_command,
 Boolean $is_logging_host,
 Array[Stdlib::Unixpath] $exclude_logs,
 String $max_startups,
 String $auditd_package,
- Enum['ntp', 'chrony', 'systemd-timesuncd'] $time_sync,
+ Enum['ntp', 'chrony', 'systemd-timesyncd', 'none'] $time_sync,
 Enum['postfix', 'exim', 'none'] $mta,
 Enum['selinux', 'apparmor', 'none'] $mac,
 Enum['enforcing', 'permissive'] $selinux_mode,
diff --git a/manifests/mount_options.pp b/manifests/mount_options.pp
index 1242edda..2a0149c4 100644
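Review bot: In a Ruby double-quoted string `\s` is the space escape, so the shell receives `grep -v '^ *#'` and a comment line indented with a tab survives the filter, putting its second token into the fact as though it were a mount point; use a single-quoted Ruby literal with a POSIX class: `Facter::Core::Execution.exec(%q{grep -v '^[[:space:]]*#' /etc/fstab | awk '{print $2}'})`. Blank lines make `awk` emit empty strings that `split("\n")` keeps, so append `.reject(&:empty?)`. The header comment should say what the value is, since manifests in this commit use it as a guard: `# Second column (mount point) of every non-comment /etc/fstab line, whether or not it is currently mounted`.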
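Review bot: Dropping `-i` (`sudo -Hu root env`) changes what the fact measures: without a login shell the PATH seen is whatever sudo installs (the sudoers `secure_path` when set, otherwise the calling environment), not root's own login PATH, so a check built on this fact now audits sudo's configuration rather than root's profile; if that is intended, say so above `setcode`, e.g. `# PATH as delivered by sudo to root (secure_path if configured); not root's login-shell PATH`. Add `-n` so a non-root facter run fails immediately instead of hanging on a password prompt: `sudo -n -Hu root env`.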
--- a/manifests/mount_options.pp
+++ b/manifests/mount_options.pp
@@ -13,12 +13,12 @@
 String $mount = '/root',
 String $opt = 'rw',
 ) {
- if $facts['mountpoints'][$mount] {
+ if $mount in $facts['fstab_entries'] {
 if member($facts['mountpoints'][$mount]['options'], $opt) == false {
 augeas { "/etc/fstab - ${opt} on ${mount}":
 context => '/files/etc/fstab',
 changes => [
- "ins opt after /files/etc/fstab/*[file = '${mount}']/opt[last()]",
+ "ins opt after *[file = '${mount}']/opt[last()]",
 "set *[file = '${mount}']/opt[last()] ${opt}",
 ],
 onlyif => "match *[file = '${mount}']/opt[. = '${opt}'] size == 0",
diff --git a/manifests/refresh_mount_options.pp b/manifests/refresh_mount_options.pp
index 50247028..1bab30d5 100644
--- a/manifests/refresh_mount_options.pp
+++ b/manifests/refresh_mount_options.pp
@@ -10,8 +10,11 @@
 command => 'augenrules --load',
 path => ['/bin', '/sbin', '/usr/bin', '/usr/sbin'],
 }
- ~> reboot { 'Reboot required to load rules':
- when => 'refreshed',
- onlyif => 'test `auditctl -s | grep "enabled"` =~ "2"',
+ if $secure_linux_cis::auto_restart {
+ reboot { 'Reboot required to load rules':
+ when => 'refreshed',
+ onlyif => 'test `auditctl -s | grep "enabled"` =~ "2"',
+ subscribe => Exec['configure mount options'],
+ }
 }
 }
diff --git a/manifests/rules/ensure_all_logfiles_have_appropriate_permissions_and_ownership.pp b/manifests/rules/ensure_all_logfiles_have_appropriate_permissions_and_ownership.pp
index 36b2f803..f10d0604 100644
--- a/manifests/rules/ensure_all_logfiles_have_appropriate_permissions_and_ownership.pp
+++ b/manifests/rules/ensure_all_logfiles_have_appropriate_permissions_and_ownership.pp
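Review bot: The guard now tests `$mount in $facts['fstab_entries']`, but the next line still indexes `$facts['mountpoints'][$mount]['options']`; for an fstab entry that is not mounted when facts run (`noauto`, a line just added to fstab, a failed mount) `$facts['mountpoints'][$mount]` is undef and `['options']` on undef aborts catalog compilation for the whole node, which is worse than the old behaviour of silently skipping. Decide which source of truth drives the change: if the fstab entry alone should, drop the `member(...)` test and let the augeas `onlyif` be the guard; if the live mount must be consulted, read it defensively, e.g. `$current = $facts.dig('mountpoints', $mount, 'options').lest || { [] }` and test `!member($current, $opt)`. The define's header and parameters above `String $mount` are outside this hunk.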
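Review bot: `onlyif => 'test \`auditctl -s | grep "enabled"\` =~ "2"'` cannot succeed: `test` has no `=~` operator, so the check errors out with a non-zero status every time and the reboot never happens; the change keeps that condition verbatim while wrapping the resource in `if $secure_linux_cis::auto_restart`. If the intent is "auditd is immutable, a reboot is needed", express it as `[ "$(auditctl -s | awk '/^enabled/ {print $2}')" = 2 ]`. That condition, `augenrules --load` and the title `Reboot required to load rules` all read as lifted from an auditd handler rather than a mount-option refresh, and `subscribe => Exec['configure mount options']` assumes the exec declared above this hunk carries that title; a one-line comment stating what a mount-option change actually needs a reboot for would settle whether this class is doing the right job.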
@@ -1,6 +1,6 @@ # @api private # -# @summary Ensure all logfiles have appropriate permissions and ownership +# @summary Ensure all logfiles have appropriate permissions and ownership # class secure_linux_cis::rules::ensure_all_logfiles_have_appropriate_permissions_and_ownership { file { 'audit_all_logfiles_have_appropriate_permissions_and_ownership': @@ -18,9 +18,9 @@ } exec { 'Fix logfile permissions and ownership': - command => '/root/scripts/ensure_all_logfiles_have_appropriate_permissions_and_ownership.sh', - unless => 'cd /root; X=`/root/scripts/audit_all_logfiles_have_appropriate_permissions_and_ownership.sh`; echo "$X" | grep -P -- \'PASS\'', - require => [ + command => '/root/scripts/ensure_all_logfiles_have_appropriate_permissions_and_ownership.sh', + unless => '/root/scripts/audit_all_logfiles_have_appropriate_permissions_and_ownership.sh', + require => [ File['audit_all_logfiles_have_appropriate_permissions_and_ownership'], File['ensure_all_logfiles_have_appropriate_permissions_and_ownership'] ], diff --git a/manifests/rules/ensure_automatic_error_reporting_is_not_enabled.pp b/manifests/rules/ensure_automatic_error_reporting_is_not_enabled.pp index 04f0ca92..df2bdb9d 100644 --- a/manifests/rules/ensure_automatic_error_reporting_is_not_enabled.pp +++ b/manifests/rules/ensure_automatic_error_reporting_is_not_enabled.pp @@ -1,13 +1,13 @@ # @api private # -# @summary Ensure Automatic Error Reporting is not enabled +# @summary Ensure Automatic Error Reporting is not enabled # class secure_linux_cis::rules::ensure_automatic_error_reporting_is_not_enabled { file { '/etc/default/apport': ensure => file, } - file_line { 'Ensure apparmor reporting is not enabled': + -> file_line { 'Ensure apparmor reporting is not enabled': ensure => present, path => '/etc/default/apport', line => 'enabled=0', 
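Review bot: `unless => '/root/scripts/audit_all_logfiles_have_appropriate_permissions_and_ownership.sh'` now relies entirely on the audit script's exit status, yet the exec declares no `path`, so `find`, `stat` and `grep` inside the script resolve only through whatever PATH the puppet agent process inherits; if that PATH is minimal the script errors, exits non-zero, and the remediation runs on every agent run. Add `path => ['/bin', '/sbin', '/usr/bin', '/usr/sbin'],` as `refresh_mount_options.pp` in this commit already does, and `logoutput => on_failure,` so the FAIL report the script prints reaches the agent log instead of being discarded. The exec's remaining attributes and closing brace are outside this hunk.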
diff --git a/manifests/rules/ensure_grpquota_option_set_on_home_partition.pp b/manifests/rules/ensure_grpquota_option_set_on_home_partition.pp
index 31650cee..eecf529a 100644
--- a/manifests/rules/ensure_grpquota_option_set_on_home_partition.pp
+++ b/manifests/rules/ensure_grpquota_option_set_on_home_partition.pp
@@ -1,9 +1,9 @@
 # @api private
 #
-# @summary Ensure grpquota option set on /home partition
+# @summary Ensure grpquota option set on /home partition
 #
 class secure_linux_cis::rules::ensure_grpquota_option_set_on_home_partition {
- if $facts['mountpoints']['/home'] {
+ if '/home' in $facts['fstab_entries'] {
 augeas { '/etc/fstab - grpquota on /home':
 context => '/files/etc/fstab',
 changes => [
diff --git a/manifests/rules/ensure_home_partition_includes_the_nodev_option.pp b/manifests/rules/ensure_home_partition_includes_the_nodev_option.pp
index 02b8afdc..d83a0a2c 100644
--- a/manifests/rules/ensure_home_partition_includes_the_nodev_option.pp
+++ b/manifests/rules/ensure_home_partition_includes_the_nodev_option.pp
@@ -1,13 +1,13 @@
 # @api private
 #
-# @summary Ensure /home partition includes the nodev option
+# @summary Ensure /home partition includes the nodev option
 #
 class secure_linux_cis::rules::ensure_home_partition_includes_the_nodev_option {
- if $facts['mountpoints']['/tmp'] {
+ if '/tmp' in $facts['fstab_entries'] {
 augeas { '/etc/fstab - nodev on /tmp':
 context => '/files/etc/fstab',
 changes => [
- "ins opt after /files/etc/fstab/*[file = '/tmp']/opt[last()]",
+ "ins opt after *[file = '/tmp']/opt[last()]",
 "set *[file = '/tmp']/opt[last()] nodev",
 ],
 onlyif => "match *[file = '/tmp']/opt[. = 'nodev'] size == 0",
diff --git a/manifests/rules/ensure_local_interactive_user_dot_files_are_not_group_or_world_writable.pp b/manifests/rules/ensure_local_interactive_user_dot_files_are_not_group_or_world_writable.pp
index a1278ff4..23693c2e 100644
--- a/manifests/rules/ensure_local_interactive_user_dot_files_are_not_group_or_world_writable.pp
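Review bot: `if '/tmp' in $facts['fstab_entries']` in `ensure_home_partition_includes_the_nodev_option.pp` still targets `/tmp`, as do the augeas title, both `changes` entries and the `onlyif` beneath it, so this rule never adds `nodev` to `/home` at all; the commit rewrote the guard and the `ins` path but kept the wrong mount point. Every `'/tmp'` in this class should read `'/home'`, mirroring what `ensure_grpquota_option_set_on_home_partition.pp` in this same file section does for `/home`. The augeas resource's tail is outside this hunk.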
+++ b/manifests/rules/ensure_local_interactive_user_dot_files_are_not_group_or_world_writable.pp @@ -1,6 +1,6 @@ # @api private # -# @summary Ensure local interactive user dot files are not group or  world writable +# @summary Ensure local interactive user dot files are not group or  world writable # class secure_linux_cis::rules::ensure_local_interactive_user_dot_files_are_not_group_or_world_writable { file { 'audit_local_interactive_user_dot_files_are_not_group_or_world_writable': @@ -19,7 +19,7 @@ exec { 'Remove group and world writable dfrpm user dot files': command => '/root/scripts/ensure_local_interactive_user_dot_files_are_not_group_or_world_writable.sh', - unless => 'cd /root; X=`/root/scripts/audit_local_interactive_user_dot_files_are_not_group_or_world_writable.sh`; echo "$X" | grep -Pi -- \'PASSED\'', + unless => '/root/scripts/audit_local_interactive_user_dot_files_are_not_group_or_world_writable.sh', require => [ File['audit_local_interactive_user_dot_files_are_not_group_or_world_writable'], File['ensure_local_interactive_user_dot_files_are_not_group_or_world_writable'] diff --git a/manifests/rules/ensure_local_interactive_user_home_directories_exist.pp b/manifests/rules/ensure_local_interactive_user_home_directories_exist.pp index e6e6200f..67535983 100644 --- a/manifests/rules/ensure_local_interactive_user_home_directories_exist.pp +++ b/manifests/rules/ensure_local_interactive_user_home_directories_exist.pp @@ -1,6 +1,6 @@ # @api private # -# @summary Ensure local interactive user home directories exist +# @summary Ensure local interactive user home directories exist # class secure_linux_cis::rules::ensure_local_interactive_user_home_directories_exist { file { 'audit_local_interactive_user_home_directories_exist': 
@@ -18,9 +18,9 @@ } exec { 'Add local interactive user home directories': - command => '/root/scripts/ensure_local_interactive_user_home_directories_exist.sh', - unless => 'cd /root; X=`/root/scripts/audit_all_logfiles_have_appropriate_permissions_and_ownership.sh`; echo "$X" | grep -Pi -- \'PASSED\'', - require => [ + command => '/root/scripts/ensure_local_interactive_user_home_directories_exist.sh', + unless => '/root/scripts/audit_all_logfiles_have_appropriate_permissions_and_ownership.sh', + require => [ File['audit_local_interactive_user_home_directories_exist'], File['ensure_local_interactive_user_home_directories_exist'] ], diff --git a/manifests/rules/ensure_local_interactive_users_own_their_home_directories.pp b/manifests/rules/ensure_local_interactive_users_own_their_home_directories.pp index 97ec7aa7..1a24e964 100644 --- a/manifests/rules/ensure_local_interactive_users_own_their_home_directories.pp +++ b/manifests/rules/ensure_local_interactive_users_own_their_home_directories.pp @@ -1,6 +1,6 @@ # @api private # -# @summary Ensure local interactive users own their home directories +# @summary Ensure local interactive users own their home directories # class secure_linux_cis::rules::ensure_local_interactive_users_own_their_home_directories { file { 'audit_local_interactive_users_own_their_home_directories': @@ -19,7 +19,7 @@ exec { 'Fix home directories ownership for interactive users': command => '/root/scripts/ensure_local_interactive_users_own_their_home_directories.sh', - unless => 'cd /root; X=`/root/scripts/audit_local_interactive_users_own_their_home_directories.sh`; echo "$X" | grep -Pi -- \'PASSED\'', + unless => '/root/scripts/audit_local_interactive_users_own_their_home_directories.sh', require => [ File['audit_local_interactive_users_own_their_home_directories'], File['ensure_local_interactive_users_own_their_home_directories'] 
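Review bot: The `unless` for 'Add local interactive user home directories' still runs `audit_all_logfiles_have_appropriate_permissions_and_ownership.sh`, a check for an unrelated rule, so whether missing home directories get created depends on log-file permissions rather than on home directories. It should reference the matching script, `unless => '/root/scripts/audit_local_interactive_user_home_directories_exist.sh',`, mirroring the `command` and `require` names in the same resource. The same exit-status assumption as the other converted execs applies: the audit script must exit non-zero when a home directory is missing, which this diff does not show.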
diff --git a/manifests/rules/ensure_no_local_interactive_user_has_forward_files.pp b/manifests/rules/ensure_no_local_interactive_user_has_forward_files.pp index 647d1616..be423ce4 100644 --- a/manifests/rules/ensure_no_local_interactive_user_has_forward_files.pp +++ b/manifests/rules/ensure_no_local_interactive_user_has_forward_files.pp @@ -1,6 +1,6 @@ # @api private # -# @summary Ensure no local interactive user has .forward files +# @summary Ensure no local interactive user has .forward files # class secure_linux_cis::rules::ensure_no_local_interactive_user_has_forward_files { file { 'audit_no_local_interactive_user_has_forward_files': @@ -19,7 +19,7 @@ exec { 'Remove local interactive forward files': command => '/root/scripts/ensure_no_local_interactive_user_has_forward_files.sh', - unless => 'cd /root; X=`/root/scripts/audit_no_local_interactive_user_has_forward_files.sh`; echo "$X" | grep -Pi -- \'PASSED\'', + unless => '/root/scripts/audit_no_local_interactive_user_has_forward_files.sh', require => [ File['audit_no_local_interactive_user_has_forward_files'], File['ensure_no_local_interactive_user_has_forward_files'] diff --git a/manifests/rules/ensure_no_local_interactive_user_has_netrc_files.pp b/manifests/rules/ensure_no_local_interactive_user_has_netrc_files.pp index d4d1b710..b86d49c6 100644 --- a/manifests/rules/ensure_no_local_interactive_user_has_netrc_files.pp +++ b/manifests/rules/ensure_no_local_interactive_user_has_netrc_files.pp @@ -1,6 +1,6 @@ # @api private # -# @summary Ensure no local interactive user has .netrc files +# @summary Ensure no local interactive user has .netrc files # class secure_linux_cis::rules::ensure_no_local_interactive_user_has_netrc_files { file { 'audit_no_local_interactive_user_has_netrc_files': 
@@ -19,7 +19,7 @@ exec { 'Remove local interactive netrc files': command => '/root/scripts/ensure_no_local_interactive_user_has_netrc_files.sh', - unless => 'cd /root; X=`/root/scripts/audit_no_local_interactive_user_has_netrc_files.sh`; echo "$X" | grep -Pi -- \'PASSED\'', + unless => '/root/scripts/audit_no_local_interactive_user_has_netrc_files.sh', require => [ File['audit_no_local_interactive_user_has_netrc_files'], File['ensure_no_local_interactive_user_has_netrc_files'] diff --git a/manifests/rules/ensure_no_local_interactive_user_has_rhosts_files.pp b/manifests/rules/ensure_no_local_interactive_user_has_rhosts_files.pp index 9b491e19..dae77965 100644 --- a/manifests/rules/ensure_no_local_interactive_user_has_rhosts_files.pp +++ b/manifests/rules/ensure_no_local_interactive_user_has_rhosts_files.pp @@ -1,6 +1,6 @@ # @api private # -# @summary Ensure no local interactive user has .rhosts files +# @summary Ensure no local interactive user has .rhosts files # class secure_linux_cis::rules::ensure_no_local_interactive_user_has_rhosts_files { file { 'audit_no_local_interactive_user_has_rhosts_files': @@ -19,7 +19,7 @@ exec { 'Remove local interactive rhosts files': command => '/root/scripts/ensure_no_local_interactive_user_has_rhosts_files.sh', - unless => 'cd /root; X=`/root/scripts/audit_no_local_interactive_user_has_rhosts_files.sh`; echo "$X" | grep -Pi -- \'PASSED\'', + unless => '/root/scripts/audit_no_local_interactive_user_has_rhosts_files.sh', require => [ File['audit_no_local_interactive_user_has_rhosts_files'], File['ensure_no_local_interactive_user_has_rhosts_files'] diff --git a/manifests/rules/ensure_nodev_option_set_on_home_partition.pp b/manifests/rules/ensure_nodev_option_set_on_home_partition.pp index d34a46cb..78b42bbb 100644 --- a/manifests/rules/ensure_nodev_option_set_on_home_partition.pp +++ b/manifests/rules/ensure_nodev_option_set_on_home_partition.pp 
@@ -1,9 +1,9 @@ # @api private # -# @summary Ensure nodev option set on /home partition +# @summary Ensure nodev option set on /home partition # class secure_linux_cis::rules::ensure_nodev_option_set_on_home_partition { - if $facts['mountpoints']['/home'] { + if '/home' in $facts['fstab_entries'] { augeas { '/etc/fstab - nodev on /home': context => '/files/etc/fstab', changes => [ diff --git a/manifests/rules/ensure_nodev_option_set_on_tmp_partition.pp b/manifests/rules/ensure_nodev_option_set_on_tmp_partition.pp index 8fa4ddf5..4461deb8 100644 --- a/manifests/rules/ensure_nodev_option_set_on_tmp_partition.pp +++ b/manifests/rules/ensure_nodev_option_set_on_tmp_partition.pp @@ -1,13 +1,13 @@ # @api private # -# @summary Ensure nodev option set on /tmp partition +# @summary Ensure nodev option set on /tmp partition # class secure_linux_cis::rules::ensure_nodev_option_set_on_tmp_partition { - if $facts['mountpoints']['/tmp'] { + if '/tmp' in $facts['fstab_entries'] { augeas { '/etc/fstab - nodev on /tmp': context => '/files/etc/fstab', changes => [ - "ins opt after /files/etc/fstab/*[file = '/tmp']/opt[last()]", + "ins opt after *[file = '/tmp']/opt[last()]", "set *[file = '/tmp']/opt[last()] nodev", ], onlyif => "match *[file = '/tmp']/opt[. = 'nodev'] size == 0", diff --git a/manifests/rules/ensure_nodev_option_set_on_var_log_audit_partition.pp b/manifests/rules/ensure_nodev_option_set_on_var_log_audit_partition.pp index 5f1fa1c7..23a3ecce 100644 --- a/manifests/rules/ensure_nodev_option_set_on_var_log_audit_partition.pp +++ b/manifests/rules/ensure_nodev_option_set_on_var_log_audit_partition.pp 
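Review bot: The new guard `'/tmp' in $facts['fstab_entries']` behaves differently depending on the type of that custom fact, which this diff does not show: against an Array or Hash `in` tests for an equal element or key, but against a String it is a substring test, so in the sibling rules `'/var' in ...` would also be true for a `/var/log` entry and the augeas change would target a non-existent `*[file = '/var']` node. Worth pinning the expectation with a comment such as `# fstab_entries is expected to be an array or hash of mount points (exact match, not substring)` and a type check before the `if`. Note also that, unlike the removed `mountpoints` test, presence in fstab does not mean the filesystem is mounted, and editing fstab alone does not apply `nodev` until the next remount or boot.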
@@ -1,13 +1,13 @@ # @api private # -# @summary Ensure nodev option set on /var/log/audit partition +# @summary Ensure nodev option set on /var/log/audit partition # class secure_linux_cis::rules::ensure_nodev_option_set_on_var_log_audit_partition { - if $facts['mountpoints']['/var/log/audit'] { + if '/var/log/audit' in $facts['fstab_entries'] { augeas { '/etc/fstab - nodev on /var/log/audit': context => '/files/etc/fstab', changes => [ - "ins opt after /files/etc/fstab/*[file = '/var/log/audit']/opt[last()]", + "ins opt after *[file = '/var/log/audit']/opt[last()]", "set *[file = '/var/log/audit']/opt[last()] nodev", ], onlyif => "match *[file = '/var/log/audit']/opt[. = 'nodev'] size == 0", diff --git a/manifests/rules/ensure_nodev_option_set_on_var_log_partition.pp b/manifests/rules/ensure_nodev_option_set_on_var_log_partition.pp index 1a29ca6f..4ee686b6 100644 --- a/manifests/rules/ensure_nodev_option_set_on_var_log_partition.pp +++ b/manifests/rules/ensure_nodev_option_set_on_var_log_partition.pp @@ -1,13 +1,13 @@ # @api private # -# @summary Ensure nodev option set on /var/log partition +# @summary Ensure nodev option set on /var/log partition # class secure_linux_cis::rules::ensure_nodev_option_set_on_var_log_partition { - if $facts['mountpoints']['/var/log'] { + if '/var/log' in $facts['fstab_entries'] { augeas { '/etc/fstab - nodev on /var/log': context => '/files/etc/fstab', changes => [ - "ins opt after /files/etc/fstab/*[file = '/var/log']/opt[last()]", + "ins opt after *[file = '/var/log']/opt[last()]", "set *[file = '/var/log']/opt[last()] nodev", ], onlyif => "match *[file = '/var/log']/opt[. = 'nodev'] size == 0", diff --git a/manifests/rules/ensure_nodev_option_set_on_var_partition.pp b/manifests/rules/ensure_nodev_option_set_on_var_partition.pp index 15b714c4..99776b46 100644 --- a/manifests/rules/ensure_nodev_option_set_on_var_partition.pp +++ b/manifests/rules/ensure_nodev_option_set_on_var_partition.pp 
@@ -1,13 +1,13 @@ # @api private # -# @summary Ensure nodev option set on /var partition +# @summary Ensure nodev option set on /var partition # class secure_linux_cis::rules::ensure_nodev_option_set_on_var_partition { - if $facts['mountpoints']['/var'] { + if '/var' in $facts['fstab_entries'] { augeas { '/etc/fstab - nodev on /var': context => '/files/etc/fstab', changes => [ - "ins opt after /files/etc/fstab/*[file = '/var']/opt[last()]", + "ins opt after *[file = '/var']/opt[last()]", "set *[file = '/var']/opt[last()] nodev", ], onlyif => "match *[file = '/var']/opt[. = 'nodev'] size == 0", diff --git a/manifests/rules/ensure_nodev_option_set_on_var_tmp_partition.pp b/manifests/rules/ensure_nodev_option_set_on_var_tmp_partition.pp index 33b1a1fb..b90a040a 100644 --- a/manifests/rules/ensure_nodev_option_set_on_var_tmp_partition.pp +++ b/manifests/rules/ensure_nodev_option_set_on_var_tmp_partition.pp @@ -1,13 +1,13 @@ # @api private # -# @summary Ensure nodev option set on /var/tmp partition +# @summary Ensure nodev option set on /var/tmp partition # class secure_linux_cis::rules::ensure_nodev_option_set_on_var_tmp_partition { - if $facts['mountpoints']['/var/tmp'] { + if '/var/tmp' in $facts['fstab_entries'] { augeas { '/etc/fstab - nodev on /var/tmp': context => '/files/etc/fstab', changes => [ - "ins opt after /files/etc/fstab/*[file = '/var/tmp']/opt[last()]", + "ins opt after *[file = '/var/tmp']/opt[last()]", "set *[file = '/var/tmp']/opt[last()] nodev", ], onlyif => "match *[file = '/var/tmp']/opt[. = 'nodev'] size == 0", diff --git a/manifests/rules/ensure_noexec_option_set_on_dev_shm_partition.pp b/manifests/rules/ensure_noexec_option_set_on_dev_shm_partition.pp index 80cd0e02..0390904d 100644 --- a/manifests/rules/ensure_noexec_option_set_on_dev_shm_partition.pp +++ b/manifests/rules/ensure_noexec_option_set_on_dev_shm_partition.pp 
@@ -1,9 +1,9 @@ # @api private # -# @summary Ensure noexec option set on /dev/shm partition +# @summary Ensure noexec option set on /dev/shm partition # class secure_linux_cis::rules::ensure_noexec_option_set_on_dev_shm_partition { - if $facts['mountpoints']['/dev/shm'] { + if '/dev/shm' in $facts['fstab_entries'] { augeas { '/etc/fstab - noexec on /dev/shm': context => '/files/etc/fstab', changes => [ diff --git a/manifests/rules/ensure_noexec_option_set_on_home_partition.pp b/manifests/rules/ensure_noexec_option_set_on_home_partition.pp index f255df11..8b2da645 100644 --- a/manifests/rules/ensure_noexec_option_set_on_home_partition.pp +++ b/manifests/rules/ensure_noexec_option_set_on_home_partition.pp @@ -7,7 +7,7 @@ # @summary 7 Ensure noexec option set on /home partition (Scored) # class secure_linux_cis::rules::ensure_noexec_option_set_on_home_partition { - if $facts['mountpoints']['/home'] { + if '/home' in $facts['fstab_entries'] { augeas { '/etc/fstab - noexec on /home': context => '/files/etc/fstab', changes => [ diff --git a/manifests/rules/ensure_noexec_option_set_on_tmp_partition.pp b/manifests/rules/ensure_noexec_option_set_on_tmp_partition.pp index 89a862e0..9a72d2be 100644 --- a/manifests/rules/ensure_noexec_option_set_on_tmp_partition.pp +++ b/manifests/rules/ensure_noexec_option_set_on_tmp_partition.pp @@ -1,13 +1,13 @@ # @api private # -# @summary Ensure noexec option set on /tmp partition +# @summary Ensure noexec option set on /tmp partition # class secure_linux_cis::rules::ensure_noexec_option_set_on_tmp_partition { - if $facts['mountpoints']['/tmp'] { + if '/tmp' in $facts['fstab_entries'] { augeas { '/etc/fstab - noexec on /tmp': context => '/files/etc/fstab', changes => [ - "ins opt after /files/etc/fstab/*[file = '/tmp']/opt[last()]", + "ins opt after *[file = '/tmp']/opt[last()]", "set *[file = '/tmp']/opt[last()] noexec", ], onlyif => "match *[file = '/tmp']/opt[. = 'noexec'] size == 0", 
diff --git a/manifests/rules/ensure_noexec_option_set_on_var_log_audit_partition.pp b/manifests/rules/ensure_noexec_option_set_on_var_log_audit_partition.pp index bf1aeedd..c247e346 100644 --- a/manifests/rules/ensure_noexec_option_set_on_var_log_audit_partition.pp +++ b/manifests/rules/ensure_noexec_option_set_on_var_log_audit_partition.pp @@ -1,13 +1,13 @@ # @api private # -# @summary Ensure noexec option set on /var/log/audit partition +# @summary Ensure noexec option set on /var/log/audit partition # class secure_linux_cis::rules::ensure_noexec_option_set_on_var_log_audit_partition { - if $facts['mountpoints']['/var/log/audit'] { + if '/var/log/audit' in $facts['fstab_entries'] { augeas { '/etc/fstab - noexec on /var/log/audit': context => '/files/etc/fstab', changes => [ - "ins opt after /files/etc/fstab/*[file = '/var/log/audit']/opt[last()]", + "ins opt after *[file = '/var/log/audit']/opt[last()]", "set *[file = '/var/log/audit']/opt[last()] noexec", ], onlyif => "match *[file = '/var/log/audit']/opt[. = 'noexec'] size == 0", diff --git a/manifests/rules/ensure_noexec_option_set_on_var_log_partition.pp b/manifests/rules/ensure_noexec_option_set_on_var_log_partition.pp index cee1003a..182fc1cb 100644 --- a/manifests/rules/ensure_noexec_option_set_on_var_log_partition.pp +++ b/manifests/rules/ensure_noexec_option_set_on_var_log_partition.pp 
@@ -1,13 +1,13 @@ # @api private # -# @summary Ensure noexec option set on /var/log partition +# @summary Ensure noexec option set on /var/log partition # class secure_linux_cis::rules::ensure_noexec_option_set_on_var_log_partition { - if $facts['mountpoints']['/var/log'] { + if '/var/log' in $facts['fstab_entries'] { augeas { '/etc/fstab - noexec on /var/log': context => '/files/etc/fstab', changes => [ - "ins opt after /files/etc/fstab/*[file = '/var/log']/opt[last()]", + "ins opt after *[file = '/var/log']/opt[last()]", "set *[file = '/var/log']/opt[last()] noexec", ], onlyif => "match *[file = '/var/log']/opt[. = 'noexec'] size == 0", diff --git a/manifests/rules/ensure_noexec_option_set_on_var_partition.pp b/manifests/rules/ensure_noexec_option_set_on_var_partition.pp index cc2e8ca4..ef99eb31 100644 --- a/manifests/rules/ensure_noexec_option_set_on_var_partition.pp +++ b/manifests/rules/ensure_noexec_option_set_on_var_partition.pp @@ -1,13 +1,13 @@ # @api private # -# @summary Ensure noexec option set on /var partition +# @summary Ensure noexec option set on /var partition # class secure_linux_cis::rules::ensure_noexec_option_set_on_var_partition { - if $facts['mountpoints']['/var'] { + if '/var' in $facts['fstab_entries'] { augeas { '/etc/fstab - noexec on /var': context => '/files/etc/fstab', changes => [ - "ins opt after /files/etc/fstab/*[file = '/var']/opt[last()]", + "ins opt after *[file = '/var']/opt[last()]", "set *[file = '/var']/opt[last()] noexec", ], onlyif => "match *[file = '/var']/opt[. = 'noexec'] size == 0", diff --git a/manifests/rules/ensure_noexec_option_set_on_var_tmp_partition.pp b/manifests/rules/ensure_noexec_option_set_on_var_tmp_partition.pp index e6c2ebfb..94087ade 100644 --- a/manifests/rules/ensure_noexec_option_set_on_var_tmp_partition.pp +++ b/manifests/rules/ensure_noexec_option_set_on_var_tmp_partition.pp 
@@ -1,13 +1,13 @@ # @api private # -# @summary Ensure noexec option set on /var/tmp partition   +# @summary Ensure noexec option set on /var/tmp partition   # class secure_linux_cis::rules::ensure_noexec_option_set_on_var_tmp_partition { - if $facts['mountpoints']['/var/tmp'] { + if '/var/tmp' in $facts['fstab_entries'] { augeas { '/etc/fstab - noexec on /var/tmp': context => '/files/etc/fstab', changes => [ - "ins opt after /files/etc/fstab/*[file = '/var/tmp']/opt[last()]", + "ins opt after *[file = '/var/tmp']/opt[last()]", "set *[file = '/var/tmp']/opt[last()] noexec", ], onlyif => "match *[file = '/var/tmp']/opt[. = 'noexec'] size == 0", diff --git a/manifests/rules/ensure_nosuid_option_set_on_dev_shm_partition.pp b/manifests/rules/ensure_nosuid_option_set_on_dev_shm_partition.pp index 245155f0..f0f12497 100644 --- a/manifests/rules/ensure_nosuid_option_set_on_dev_shm_partition.pp +++ b/manifests/rules/ensure_nosuid_option_set_on_dev_shm_partition.pp @@ -1,13 +1,13 @@ # @api private # -# @summary Ensure nosuid option set on /dev/shm partition +# @summary Ensure nosuid option set on /dev/shm partition # class secure_linux_cis::rules::ensure_nosuid_option_set_on_dev_shm_partition { - if $facts['mountpoints']['/dev/shm'] { + if '/dev/shm' in $facts['fstab_entries'] { augeas { '/etc/fstab - nosuid on /dev/shm': context => '/files/etc/fstab', changes => [ - "ins opt after /files/etc/fstab/*[file = '/dev/shm']/opt[last()]", + "ins opt after *[file = '/dev/shm']/opt[last()]", "set *[file = '/dev/shm']/opt[last()] nosuid", ], onlyif => "match *[file = '/dev/shm']/opt[. = 'nosuid'] size == 0", diff --git a/manifests/rules/ensure_nosuid_option_set_on_home_partition.pp b/manifests/rules/ensure_nosuid_option_set_on_home_partition.pp index 3dc6b594..70c605db 100644 --- a/manifests/rules/ensure_nosuid_option_set_on_home_partition.pp +++ b/manifests/rules/ensure_nosuid_option_set_on_home_partition.pp 
@@ -1,13 +1,13 @@ # @api private # -# @summary Ensure nosuid option set on /home partition +# @summary Ensure nosuid option set on /home partition # class secure_linux_cis::rules::ensure_nosuid_option_set_on_home_partition { - if $facts['mountpoints']['/home'] { + if '/home' in $facts['fstab_entries'] { augeas { '/etc/fstab - nosuid on /home': context => '/files/etc/fstab', changes => [ - "ins opt after /files/etc/fstab/*[file = '/home']/opt[last()]", + "ins opt after *[file = '/home']/opt[last()]", "set *[file = '/home']/opt[last()] nosuid", ], onlyif => "match *[file = '/home']/opt[. = 'nosuid'] size == 0", diff --git a/manifests/rules/ensure_nosuid_option_set_on_tmp_partition.pp b/manifests/rules/ensure_nosuid_option_set_on_tmp_partition.pp index 8a2cbf97..7e34a441 100644 --- a/manifests/rules/ensure_nosuid_option_set_on_tmp_partition.pp +++ b/manifests/rules/ensure_nosuid_option_set_on_tmp_partition.pp @@ -1,13 +1,13 @@ # @api private # -# @summary Ensure nosuid option set on /tmp partition +# @summary Ensure nosuid option set on /tmp partition # class secure_linux_cis::rules::ensure_nosuid_option_set_on_tmp_partition { - if $facts['mountpoints']['/tmp'] { + if '/tmp' in $facts['fstab_entries'] { augeas { '/etc/fstab - nosuid on /tmp': context => '/files/etc/fstab', changes => [ - "ins opt after /files/etc/fstab/*[file = '/tmp']/opt[last()]", + "ins opt after *[file = '/tmp']/opt[last()]", "set *[file = '/tmp']/opt[last()] nosuid", ], onlyif => "match *[file = '/tmp']/opt[. = 'nosuid'] size == 0", diff --git a/manifests/rules/ensure_nosuid_option_set_on_var_log_audit_partition.pp b/manifests/rules/ensure_nosuid_option_set_on_var_log_audit_partition.pp index 37799bd7..75e3d797 100644 --- a/manifests/rules/ensure_nosuid_option_set_on_var_log_audit_partition.pp +++ b/manifests/rules/ensure_nosuid_option_set_on_var_log_audit_partition.pp 
@@ -1,13 +1,13 @@ # @api private # -# @summary Ensure nosuid option set on /var/log/audit partition +# @summary Ensure nosuid option set on /var/log/audit partition # class secure_linux_cis::rules::ensure_nosuid_option_set_on_var_log_audit_partition { - if $facts['mountpoints']['/var/log/audit'] { + if '/var/log/audit' in $facts['fstab_entries'] { augeas { '/etc/fstab - nosuid on /var/log/audit': context => '/files/etc/fstab', changes => [ - "ins opt after /files/etc/fstab/*[file = '/var/log/audit']/opt[last()]", + "ins opt after *[file = '/var/log/audit']/opt[last()]", "set *[file = '/var/log/audit']/opt[last()] nosuid", ], onlyif => "match *[file = '/var/log/audit']/opt[. = 'nosuid'] size == 0", diff --git a/manifests/rules/ensure_nosuid_option_set_on_var_log_partition.pp b/manifests/rules/ensure_nosuid_option_set_on_var_log_partition.pp index c439f599..b738baf3 100644 --- a/manifests/rules/ensure_nosuid_option_set_on_var_log_partition.pp +++ b/manifests/rules/ensure_nosuid_option_set_on_var_log_partition.pp @@ -1,13 +1,13 @@ # @api private # -# @summary Ensure nosuid option set on /var/log partition +# @summary Ensure nosuid option set on /var/log partition # class secure_linux_cis::rules::ensure_nosuid_option_set_on_var_log_partition { - if $facts['mountpoints']['/var/log'] { + if '/var/log' in $facts['fstab_entries'] { augeas { '/etc/fstab - nosuid on /var/log': context => '/files/etc/fstab', changes => [ - "ins opt after /files/etc/fstab/*[file = '/var/log']/opt[last()]", + "ins opt after *[file = '/var/log']/opt[last()]", "set *[file = '/var/log']/opt[last()] nosuid", ], onlyif => "match *[file = '/var/log']/opt[. = 'nosuid'] size == 0", diff --git a/manifests/rules/ensure_nosuid_option_set_on_var_partition.pp b/manifests/rules/ensure_nosuid_option_set_on_var_partition.pp index 4181b33f..8456c005 100644 --- a/manifests/rules/ensure_nosuid_option_set_on_var_partition.pp +++ b/manifests/rules/ensure_nosuid_option_set_on_var_partition.pp 
@@ -1,13 +1,13 @@ # @api private # -# @summary Ensure nosuid option set on /var partition +# @summary Ensure nosuid option set on /var partition # class secure_linux_cis::rules::ensure_nosuid_option_set_on_var_partition { - if $facts['mountpoints']['/var'] { + if '/var' in $facts['fstab_entries'] { augeas { '/etc/fstab - nosuid on /var': context => '/files/etc/fstab', changes => [ - "ins opt after /files/etc/fstab/*[file = '/var']/opt[last()]", + "ins opt after *[file = '/var']/opt[last()]", "set *[file = '/var']/opt[last()] nosuid", ], onlyif => "match *[file = '/var']/opt[. = 'nosuid'] size == 0", diff --git a/manifests/rules/ensure_nosuid_option_set_on_var_tmp_partition.pp b/manifests/rules/ensure_nosuid_option_set_on_var_tmp_partition.pp index 99abd5b9..929e9e37 100644 --- a/manifests/rules/ensure_nosuid_option_set_on_var_tmp_partition.pp +++ b/manifests/rules/ensure_nosuid_option_set_on_var_tmp_partition.pp @@ -1,13 +1,13 @@ # @api private # -# @summary Ensure nosuid option set on /var/tmp partition +# @summary Ensure nosuid option set on /var/tmp partition # class secure_linux_cis::rules::ensure_nosuid_option_set_on_var_tmp_partition { - if $facts['mountpoints']['/var/tmp'] { + if '/var/tmp' in $facts['fstab_entries'] { augeas { '/etc/fstab - nosuid on /var/tmp': context => '/files/etc/fstab', changes => [ - "ins opt after /files/etc/fstab/*[file = '/var/tmp']/opt[last()]", + "ins opt after *[file = '/var/tmp']/opt[last()]", "set *[file = '/var/tmp']/opt[last()] nosuid", ], onlyif => "match *[file = '/var/tmp']/opt[. = 'nosuid'] size == 0", diff --git a/manifests/rules/ensure_root_path_integrity.pp b/manifests/rules/ensure_root_path_integrity.pp index 77e02d35..0b7b9a6c 100644 --- a/manifests/rules/ensure_root_path_integrity.pp +++ b/manifests/rules/ensure_root_path_integrity.pp 
@@ -1,13 +1,13 @@ # @api private # -# @summary Ensure root PATH Integrity +# @summary Ensure root PATH Integrity # class secure_linux_cis::rules::ensure_root_path_integrity { $root_path_dirs = split($facts['root_path'], /:/) $root_path_dirs.each | Stdlib::Absolutepath $path | { file { $path: - ensure => directory, + ensure => present, owner => 'root', mode => 'go-w', } diff --git a/manifests/rules/ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client.pp b/manifests/rules/ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client.pp index dc65d86c..ca929330 100644 --- a/manifests/rules/ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client.pp +++ b/manifests/rules/ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client.pp 
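Review bot: With `ensure => present` a PATH entry that does not exist is now created as an empty regular file rather than a directory, which silently "satisfies" the rule while leaving a bogus file on root's PATH; the old `directory` value was presumably dropped because merged-/usr systems have `/bin` and `/sbin` as symlinks, which `ensure => directory` would replace. If that is the reason, adding `links  => follow,` is the option that enforces `owner`/`go-w` on the link target, since Puppet does not apply `mode` to a symlink itself — confirm on a Debian 11 host. Separately, an empty element (`::`, trailing `:`) or `.` in root's PATH — the very things a root PATH integrity check is meant to catch — fails the `Stdlib::Absolutepath` lambda type and aborts catalog compilation instead of being reported; filtering such entries out with a `warning()` before the loop would be more useful. The `each` lambda and the class close outside this hunk.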
@@ -1,31 +1,35 @@ # @api private # -# @summary Ensure rsyslog is not configured to recieve logs from a remote client +# @summary Ensure rsyslog is not configured to recieve logs from a remote client # class secure_linux_cis::rules::ensure_rsyslog_is_not_configured_to_recieve_logs_from_a_remote_client { $facts['rsyslog_configuration_files'].each | String $path | { - file { "Remove ModLoad on ${path}": - ensure => absent, - path => $path, - match => '^\s*$ModLoad\s+imtcp', + file_line { "Remove ModLoad on ${path}": + ensure => absent, + path => $path, + match => '^\s*$ModLoad\s+imtcp', + match_for_absence => true, } - file { "Remove InputTCPServerRun on ${path}": - ensure => absent, - path => $path, - match => '^\s*$InputTCPServerRun', + file_line { "Remove InputTCPServerRun on ${path}": + ensure => absent, + path => $path, + match => '^\s*$InputTCPServerRun', + match_for_absence => true, } - file { "Remove module imtcp load on ${path}": - ensure => absent, - path => $path, - match => '^\s*module(load="imtcp")', + file_line { "Remove module imtcp load on ${path}": + ensure => absent, + path => $path, + match => '^\s*module(load="imtcp")', + match_for_absence => true, } - file { "Remove input imtcp on ${path}": - ensure => absent, - path => $path, - match => '^\s*input(\s+type="imtcp"\s+port="514"\s+)', + file_line { "Remove input imtcp on ${path}": + ensure => absent, + path => $path, + match => '^\s*input(\s+type="imtcp"\s+port="514"\s+)', + match_for_absence => true, } } } diff --git a/manifests/rules/ensure_use_of_privileged_commands_are_collected.pp b/manifests/rules/ensure_use_of_privileged_commands_are_collected.pp index 31b112d9..8ce8a2d5 100644 --- a/manifests/rules/ensure_use_of_privileged_commands_are_collected.pp +++ b/manifests/rules/ensure_use_of_privileged_commands_are_collected.pp 
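Review bot: None of the four `match` patterns can match the lines they target because regex metacharacters are not escaped: in `'^\s*$ModLoad\s+imtcp'` and `'^\s*$InputTCPServerRun'` the `$` is an end-of-line anchor (the strings are single-quoted, so it is not interpolated), and in `'^\s*module(load="imtcp")'` / `'^\s*input(\s+type="imtcp"\s+port="514"\s+)'` the parentheses form capture groups rather than matching the literal `(`/`)` of rsyslog's RainerScript syntax. As written, `file_line` with `match_for_absence => true` finds nothing and the remote-input directives are left in place, so the rule passes without doing anything. The patterns should be `'^\s*\$ModLoad\s+imtcp'`, `'^\s*\$InputTCPServerRun'`, `'^\s*module\(\s*load="imtcp"\s*\)'` and `'^\s*input\(\s*type="imtcp"\s+port="514"\s*\)'`, and a notify of the rsyslog service (not visible here) is needed for a removal to take effect.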
@@ -1,6 +1,6 @@ # @api private # -# @summary Ensure use of privileged commands are collected +# @summary Ensure use of privileged commands are collected # class secure_linux_cis::rules::ensure_use_of_privileged_commands_are_collected { file { 'audit_use_of_privileged_commands_are_collected': @@ -18,9 +18,9 @@ } exec { 'audit privileged commands': - command => '/root/scripts/ensure_use_of_privileged_commands_are_collected.sh', - unless => 'cd /root; X=`/root/scripts/audit_use_of_privileged_commands_are_collected.sh`; echo "$X" | grep -P -- \'OK\'', - require => [ + command => '/root/scripts/ensure_use_of_privileged_commands_are_collected.sh', + unless => '/root/scripts/audit_use_of_privileged_commands_are_collected.sh', + require => [ File['audit_use_of_privileged_commands_are_collected'], File['ensure_use_of_privileged_commands_are_collected'] ], diff --git a/manifests/rules/ensure_usrquota_option_set_on_home_partition.pp b/manifests/rules/ensure_usrquota_option_set_on_home_partition.pp index 5cabfc89..a7b21df6 100644 --- a/manifests/rules/ensure_usrquota_option_set_on_home_partition.pp +++ b/manifests/rules/ensure_usrquota_option_set_on_home_partition.pp @@ -1,9 +1,9 @@ # @api private # -# @summary Ensure usrquota option set on /home partition +# @summary Ensure usrquota option set on /home partition # class secure_linux_cis::rules::ensure_usrquota_option_set_on_home_partition { - if $facts['mountpoints']['/home'] { + if '/home' in $facts['fstab_entries'] { augeas { '/etc/fstab - usrquota on /home': context => '/files/etc/fstab', changes => [ diff --git a/manifests/sshd_service.pp b/manifests/sshd_service.pp index f2e12391..17f6a57e 100644 --- a/manifests/sshd_service.pp +++ b/manifests/sshd_service.pp 
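Review bot: The removed `unless` for 'audit privileged commands' grepped for `OK` while the sibling rules grepped for `PASSED`, which suggests the audit scripts do not share one output convention; the new `unless => '/root/scripts/audit_use_of_privileged_commands_are_collected.sh'` now assumes they all share an exit-status convention instead. If this script still prints `OK` and exits 0 regardless of findings, the remediation never runs and the gap is silent. Suggest documenting the contract next to the exec, `# audit script exits non-zero when a privileged binary lacks an audit rule; the fix runs only then`, and checking that script's exit paths.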
@@ -4,19 +4,21 @@ # @example # include secure_linux_cis::redhat7 class secure_linux_cis::sshd_service { - # ## Shared resources used in more than one class - # # Set default path for execs - # Exec { path => '/bin/:/sbin/:/usr/bin/:/usr/sbin/' } + ## Shared resources used in more than one class + # Set default path for execs + Exec { path => '/bin/:/sbin/:/usr/bin/:/usr/sbin/' } - # # Reload sshd config (only if running) - # exec { 'reload sshd': - # command => 'systemctl reload sshd', - # onlyif => 'systemctl status sshd | grep running', - # refreshonly => true, - # } + # Reload sshd config (only if running) + exec { 'reload sshd': + command => 'systemctl reload sshd', + onlyif => 'systemctl status sshd | grep running', + refreshonly => true, + } - service { 'sshd': - ensure => running, - enable => true, + if $secure_linux_cis::manage_sshd_service { + service { 'sshd': + ensure => running, + enable => true, + } } }
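Review bot: `exec { 'reload sshd' }` reloads the daemon whenever a hardening rule notifies it, but nothing validates the resulting configuration first; an invalid `sshd_config` produced by one of the rules will make sshd fail on reload and lock out remote access to the host being hardened. Adding a syntax check to the guard, `onlyif => ['sshd -t', 'systemctl is-active --quiet sshd'],`, refuses the reload on a bad config and replaces the `status | grep running` pipeline with the purpose-built query. Wrapping `service { 'sshd' }` in `if $secure_linux_cis::manage_sshd_service` also means the module no longer guarantees sshd is running and enabled unless that parameter is set; if its default is false, that is a behaviour change worth calling out in the README/CHANGELOG. On Debian the unit is `ssh` with `sshd` only an alias, so `enable => true` on `sshd` may not behave as expected there — confirm on a Debian 11 host.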