inspec-report-level2-root-2020-12-08.txt
Profile: CIS Distribution Independent Linux Benchmark Profile (cis-dil-benchmark)
Version: 0.4.4
Target: ssh://root@localhost:2222
× cis-dil-benchmark-1.1.1.1: Ensure mounting of cramfs filesystems is disabled (1 failed)
✔ Kernel Module cramfs is expected not to be loaded
× Kernel Module cramfs is expected to be disabled
expected `Kernel Module cramfs.disabled?` to be truthy, got false
× cis-dil-benchmark-1.1.1.2: Ensure mounting of freevxfs filesystems is disabled (1 failed)
✔ Kernel Module freevxfs is expected not to be loaded
× Kernel Module freevxfs is expected to be disabled
expected `Kernel Module freevxfs.disabled?` to be truthy, got false
× cis-dil-benchmark-1.1.1.3: Ensure mounting of jffs2 filesystems is disabled (1 failed)
✔ Kernel Module jffs2 is expected not to be loaded
× Kernel Module jffs2 is expected to be disabled
expected `Kernel Module jffs2.disabled?` to be truthy, got false
× cis-dil-benchmark-1.1.1.4: Ensure mounting of hfs filesystems is disabled (1 failed)
✔ Kernel Module hfs is expected not to be loaded
× Kernel Module hfs is expected to be disabled
expected `Kernel Module hfs.disabled?` to be truthy, got false
× cis-dil-benchmark-1.1.1.5: Ensure mounting of hfsplus filesystems is disabled (1 failed)
✔ Kernel Module hfsplus is expected not to be loaded
× Kernel Module hfsplus is expected to be disabled
expected `Kernel Module hfsplus.disabled?` to be truthy, got false
× cis-dil-benchmark-1.1.1.6: Ensure mounting of squashfs filesystems is disabled (1 failed)
✔ Kernel Module squashfs is expected not to be loaded
× Kernel Module squashfs is expected to be disabled
expected `Kernel Module squashfs.disabled?` to be truthy, got false
× cis-dil-benchmark-1.1.1.7: Ensure mounting of udf filesystems is disabled (1 failed)
✔ Kernel Module udf is expected not to be loaded
× Kernel Module udf is expected to be disabled
expected `Kernel Module udf.disabled?` to be truthy, got false
× cis-dil-benchmark-1.1.1.8: Ensure mounting of FAT filesystems is disabled (2 failed)
× Kernel Module vfat is expected not to be loaded
expected `Kernel Module vfat.loaded?` to be falsey, got true
× Kernel Module vfat is expected to be disabled
expected `Kernel Module vfat.disabled?` to be truthy, got false
✔ cis-dil-benchmark-1.1.2: Ensure separate partition exists for /tmp
✔ Mount /tmp is expected to be mounted
✔ cis-dil-benchmark-1.1.3: Ensure nodev option set on /tmp partition
✔ Mount /tmp options is expected to include "nodev"
✔ cis-dil-benchmark-1.1.4: Ensure nosuid option set on /tmp partition
✔ Mount /tmp options is expected to include "nosuid"
× cis-dil-benchmark-1.1.5: Ensure noexec option set on /tmp partition
× Mount /tmp options is expected to include "noexec"
expected ["rw", "nosuid", "nodev", "seclabel", "nr_inodes=409600"] to include "noexec"
× cis-dil-benchmark-1.1.6: Ensure separate partition exists for /var
× Mount /var is expected to be mounted
Mount /var is not mounted
× cis-dil-benchmark-1.1.7: Ensure separate partition exists for /var/tmp
× Mount /var/tmp is expected to be mounted
Mount /var/tmp is not mounted
↺ cis-dil-benchmark-1.1.8: Ensure nodev option set on /var/tmp partition
↺ Skipped control due to only_if condition: /var/tmp is mounted
↺ cis-dil-benchmark-1.1.9: Ensure nosuid option set on /var/tmp partition
↺ Skipped control due to only_if condition: /var/tmp is mounted
↺ cis-dil-benchmark-1.1.10: Ensure noexec option set on /var/tmp partition
↺ Skipped control due to only_if condition: /var/tmp is mounted
× cis-dil-benchmark-1.1.11: Ensure separate partition exists for /var/log
× Mount /var/log is expected to be mounted
Mount /var/log is not mounted
× cis-dil-benchmark-1.1.12: Ensure separate partition exists for /var/log/audit
× Mount /var/log/audit is expected to be mounted
Mount /var/log/audit is not mounted
× cis-dil-benchmark-1.1.13: Ensure separate partition exists for /home
× Mount /home is expected to be mounted
Mount /home is not mounted
↺ cis-dil-benchmark-1.1.14: Ensure nodev option set on /home partition
↺ Skipped control due to only_if condition: /home is mounted
✔ cis-dil-benchmark-1.1.15: Ensure nodev option set on /dev/shm partition
✔ Mount /dev/shm options is expected to include "nodev"
✔ cis-dil-benchmark-1.1.16: Ensure nosuid option set on /dev/shm partition
✔ Mount /dev/shm options is expected to include "nosuid"
× cis-dil-benchmark-1.1.17: Ensure noexec option set on /dev/shm partition
× Mount /dev/shm options is expected to include "noexec"
expected ["rw", "nosuid", "nodev", "seclabel"] to include "noexec"
↺ cis-dil-benchmark-1.1.18: Ensure nodev option set on removable media partitions
↺ Not implemented
↺ cis-dil-benchmark-1.1.19: Ensure nosuid option set on removable media partitions
↺ Not implemented
↺ cis-dil-benchmark-1.1.20: Ensure noexec option set on removable media partitions
↺ Not implemented
✔ cis-dil-benchmark-1.1.21: Ensure sticky bit is set on all world-writable directories
✔ Command: `df --local -P | awk '{ if (NR!=1) print $6 }' | xargs -I '{}' find '{}' -xdev -type d ( -perm -0002 -a ! -perm -1000 )` stdout is expected to cmp == ""
✔ cis-dil-benchmark-1.1.22: Disable Automounting
✔ Service autofs is expected not to be enabled
✔ Service autofs is expected not to be running
✔ Service autofs is expected not to be enabled
✔ Service autofs is expected not to be running
× cis-dil-benchmark-1.1.23: Disable USB Storage (1 failed)
✔ Kernel Module usb_storage is expected not to be loaded
× Kernel Module usb_storage is expected to be disabled
expected `Kernel Module usb_storage.disabled?` to be truthy, got false
↺ cis-dil-benchmark-1.2.1: Ensure package manager repositories are configured
↺ Not implemented
↺ cis-dil-benchmark-1.2.2: Ensure GPG keys are configured
↺ Not implemented
× cis-dil-benchmark-1.3.1: Ensure AIDE is installed (2 failed)
× System Package aide is expected to be installed
expected that `System Package aide` is installed
× Command: `aide` is expected to exist
expected Command: `aide` to exist
× cis-dil-benchmark-1.3.2: Ensure filesystem integrity is regularly checked (4 failed)
× File /var/spool/cron/crontabs/root content is expected to match /aide (--check|-C)/
expected nil to match /aide (--check|-C)/
× File /var/spool/cron/root content is expected to match /aide (--check|-C)/
expected nil to match /aide (--check|-C)/
× File /etc/crontab content is expected to match /aide (--check|-C)/
expected nil to match /aide (--check|-C)/
× File /etc/cron.weekly/mdadm content is expected to match /aide (--check|-C)/
expected "#!/bin/sh\n# This requires that AUTOCHECK is true in /etc/default/mdadm\nif [ -x /usr/sbin/checkarray ] && [ $(date +\\%d) -le 7 ]; then\n\t/usr/sbin/checkarray --cron --all --idle --quiet\nfi\n" to match /aide (--check|-C)/
Diff:
@@ -1,5 +1,9 @@
-/aide (--check|-C)/
+#!/bin/sh
+# This requires that AUTOCHECK is true in /etc/default/mdadm
+if [ -x /usr/sbin/checkarray ] && [ $(date +\%d) -le 7 ]; then
+ /usr/sbin/checkarray --cron --all --idle --quiet
+fi
× cis-dil-benchmark-1.4.1: Ensure permissions on bootloader config are configured (22 failed)
× File /boot/grub/grub.conf is expected to exist
expected File /boot/grub/grub.conf to exist
✔ File /boot/grub/grub.conf is expected not to be readable by group
✔ File /boot/grub/grub.conf is expected not to be writable by group
✔ File /boot/grub/grub.conf is expected not to be executable by group
✔ File /boot/grub/grub.conf is expected not to be readable by other
✔ File /boot/grub/grub.conf is expected not to be writable by other
✔ File /boot/grub/grub.conf is expected not to be executable by other
× File /boot/grub/grub.conf gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub/grub.conf uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub/grub.cfg is expected to exist
expected File /boot/grub/grub.cfg to exist
✔ File /boot/grub/grub.cfg is expected not to be readable by group
✔ File /boot/grub/grub.cfg is expected not to be writable by group
✔ File /boot/grub/grub.cfg is expected not to be executable by group
✔ File /boot/grub/grub.cfg is expected not to be readable by other
✔ File /boot/grub/grub.cfg is expected not to be writable by other
✔ File /boot/grub/grub.cfg is expected not to be executable by other
× File /boot/grub/grub.cfg gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub/grub.cfg uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub/menu.lst is expected to exist
expected File /boot/grub/menu.lst to exist
✔ File /boot/grub/menu.lst is expected not to be readable by group
✔ File /boot/grub/menu.lst is expected not to be writable by group
✔ File /boot/grub/menu.lst is expected not to be executable by group
✔ File /boot/grub/menu.lst is expected not to be readable by other
✔ File /boot/grub/menu.lst is expected not to be writable by other
✔ File /boot/grub/menu.lst is expected not to be executable by other
× File /boot/grub/menu.lst gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub/menu.lst uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/boot/grub/grub.conf is expected to exist
expected File /boot/boot/grub/grub.conf to exist
✔ File /boot/boot/grub/grub.conf is expected not to be readable by group
✔ File /boot/boot/grub/grub.conf is expected not to be writable by group
✔ File /boot/boot/grub/grub.conf is expected not to be executable by group
✔ File /boot/boot/grub/grub.conf is expected not to be readable by other
✔ File /boot/boot/grub/grub.conf is expected not to be writable by other
✔ File /boot/boot/grub/grub.conf is expected not to be executable by other
× File /boot/boot/grub/grub.conf gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/boot/grub/grub.conf uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/boot/grub/grub.cfg is expected to exist
expected File /boot/boot/grub/grub.cfg to exist
✔ File /boot/boot/grub/grub.cfg is expected not to be readable by group
✔ File /boot/boot/grub/grub.cfg is expected not to be writable by group
✔ File /boot/boot/grub/grub.cfg is expected not to be executable by group
✔ File /boot/boot/grub/grub.cfg is expected not to be readable by other
✔ File /boot/boot/grub/grub.cfg is expected not to be writable by other
✔ File /boot/boot/grub/grub.cfg is expected not to be executable by other
× File /boot/boot/grub/grub.cfg gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/boot/grub/grub.cfg uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
✔ File /boot/boot/grub/menu.lst is expected to exist
× File /boot/boot/grub/menu.lst is expected not to be readable by group
expected File /boot/boot/grub/menu.lst not to be readable by group
✔ File /boot/boot/grub/menu.lst is expected not to be writable by group
× File /boot/boot/grub/menu.lst is expected not to be executable by group
expected File /boot/boot/grub/menu.lst not to be executable by group
× File /boot/boot/grub/menu.lst is expected not to be readable by other
expected File /boot/boot/grub/menu.lst not to be readable by other
✔ File /boot/boot/grub/menu.lst is expected not to be writable by other
× File /boot/boot/grub/menu.lst is expected not to be executable by other
expected File /boot/boot/grub/menu.lst not to be executable by other
✔ File /boot/boot/grub/menu.lst gid is expected to cmp == 0
✔ File /boot/boot/grub/menu.lst uid is expected to cmp == 0
× File /boot/grub2/grub.cfg is expected to exist
expected File /boot/grub2/grub.cfg to exist
✔ File /boot/grub2/grub.cfg is expected not to be readable by group
✔ File /boot/grub2/grub.cfg is expected not to be writable by group
✔ File /boot/grub2/grub.cfg is expected not to be executable by group
✔ File /boot/grub2/grub.cfg is expected not to be readable by other
✔ File /boot/grub2/grub.cfg is expected not to be writable by other
✔ File /boot/grub2/grub.cfg is expected not to be executable by other
× File /boot/grub2/grub.cfg gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub2/grub.cfg uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× cis-dil-benchmark-1.4.2: Ensure bootloader password is set (14 failed)
× File /boot/grub/grub.conf content is expected to match /^set superusers/
expected nil to match /^set superusers/
× File /boot/grub/grub.conf content is expected to match /^password/
expected nil to match /^password/
× File /boot/grub/grub.cfg content is expected to match /^set superusers/
expected nil to match /^set superusers/
× File /boot/grub/grub.cfg content is expected to match /^password/
expected nil to match /^password/
× File /boot/grub/menu.lst content is expected to match /^set superusers/
expected nil to match /^set superusers/
× File /boot/grub/menu.lst content is expected to match /^password/
expected nil to match /^password/
× File /boot/boot/grub/grub.conf content is expected to match /^set superusers/
expected nil to match /^set superusers/
× File /boot/boot/grub/grub.conf content is expected to match /^password/
expected nil to match /^password/
× File /boot/boot/grub/grub.cfg content is expected to match /^set superusers/
expected nil to match /^set superusers/
× File /boot/boot/grub/grub.cfg content is expected to match /^password/
expected nil to match /^password/
× File /boot/boot/grub/menu.lst content is expected to match /^set superusers/
expected "timeout 0\ntitle CoreOS GRUB2\nroot (hd0,0)\nkernel /xen/pvboot-x86_64.elf\n" to match /^set superusers/
Diff:
@@ -1,4 +1,7 @@
-/^set superusers/
+timeout 0
+title CoreOS GRUB2
+root (hd0,0)
+kernel /xen/pvboot-x86_64.elf
× File /boot/boot/grub/menu.lst content is expected to match /^password/
expected "timeout 0\ntitle CoreOS GRUB2\nroot (hd0,0)\nkernel /xen/pvboot-x86_64.elf\n" to match /^password/
Diff:
@@ -1,4 +1,7 @@
-/^password/
+timeout 0
+title CoreOS GRUB2
+root (hd0,0)
+kernel /xen/pvboot-x86_64.elf
× File /boot/grub2/grub.cfg content is expected to match /^set superusers/
expected nil to match /^set superusers/
× File /boot/grub2/grub.cfg content is expected to match /^password/
expected nil to match /^password/
× cis-dil-benchmark-1.4.3: Ensure authentication required for single user mode (3 failed)
× /etc/shadow with user == "root" passwords is expected not to include "*"
expected ["*"] not to include "*"
✔ /etc/shadow with user == "root" passwords is expected not to include "!"
× File /etc/inittab content is expected to match /^~~:S:respawn:\/sbin\/sulogin/
expected nil to match /^~~:S:respawn:\/sbin\/sulogin/
× File /etc/sysconfig/init content is expected to match /^SINGLE=\/sbin\/sulogin$/
expected nil to match /^SINGLE=\/sbin\/sulogin$/
↺ cis-dil-benchmark-1.4.4: Ensure interactive boot is not enabled
↺ Not implemented
× cis-dil-benchmark-1.5.1: Ensure core dumps are restricted (2 failed)
× File /etc/security/limits.conf content is expected to match /^\s*\*\s+hard\s+core\s+0\s*(?:#.*)?$/
expected "# /etc/security/limits.conf\n#\n#Each line describes a limit for a user in the form:\n#\n#<domain> ... hard nproc 0\n\#@student - maxlogins 4\n\n# End of file\n" to match /^\s*\*\s+hard\s+core\s+0\s*(?:#.*)?$/
Diff:
@@ -1,50 +1,99 @@
-/^\s*\*\s+hard\s+core\s+0\s*(?:#.*)?$/
+# /etc/security/limits.conf
+#
+#Each line describes a limit for a user in the form:
+#
+#<domain> <type> <item> <value>
+#
+#Where:
+#<domain> can be:
+# - a user name
+# - a group name, with @group syntax
+# - the wildcard *, for default entry
+# - the wildcard %, can be also used with %group syntax,
+# for maxlogin limit
+#
+#<type> can have the two values:
+# - "soft" for enforcing the soft limits
+# - "hard" for enforcing hard limits
+#
+#<item> can be one of the following:
+# - core - limits the core file size (KB)
+# - data - max data size (KB)
+# - fsize - maximum filesize (KB)
+# - memlock - max locked-in-memory address space (KB)
+# - nofile - max number of open file descriptors
+# - rss - max resident set size (KB)
+# - stack - max stack size (KB)
+# - cpu - max CPU time (MIN)
+# - nproc - max number of processes
+# - as - address space limit (KB)
+# - maxlogins - max number of logins for this user
+# - maxsyslogins - max number of logins on the system
+# - priority - the priority to run user process with
+# - locks - max number of file locks the user can hold
+# - sigpending - max number of pending signals
+# - msgqueue - max memory used by POSIX message queues (bytes)
+# - nice - max nice priority allowed to raise to values: [-20, 19]
+# - rtprio - max realtime priority
+#
+#<domain> <type> <item> <value>
+#
+
+#* soft core 0
+#* hard rss 10000
+#@student hard nproc 20
+#@faculty soft nproc 20
+#@faculty hard nproc 50
+#ftp hard nproc 0
+#@student - maxlogins 4
+
+# End of file
× Kernel Parameter fs.suid_dumpable value is expected to eq 0
expected: 0
got: 2
(compared using ==)
✔ cis-dil-benchmark-1.5.2: Ensure XD/NX support is enabled
✔ Command: `dmesg | grep NX` stdout is expected to match /NX \(Execute Disable\) protection: active/
✔ cis-dil-benchmark-1.5.3: Ensure address space layout randomization (ASLR) is enabled
✔ Kernel Parameter kernel.randomize_va_space value is expected to eq 2
✔ cis-dil-benchmark-1.5.4: Ensure prelink is disabled
✔ System Package prelink is expected not to be installed
✔ Command: `prelink` is expected not to exist
× cis-dil-benchmark-1.6.1.1: Ensure SELinux or AppArmor are installed (3 failed)
× System Package libselinux is expected to be installed
expected that `System Package libselinux` is installed
× System Package libselinux1 is expected to be installed
expected that `System Package libselinux1` is installed
× System Package apparmor is expected to be installed
expected that `System Package apparmor` is installed
✔ cis-dil-benchmark-1.6.2.1: Ensure SELinux is not disabled in bootloader configuration
✔ File /boot/grub2/grub.cfg content is expected not to match /selinux=0/
✔ File /boot/grub2/grub.cfg content is expected not to match /enforcing=0/
✔ File /boot/grub/menu.lst content is expected not to match /selinux=0/
✔ File /boot/grub/menu.lst content is expected not to match /enforcing=0/
× cis-dil-benchmark-1.6.2.2: Ensure the SELinux state is enforcing (3 failed)
× File /etc/selinux/config content is expected to match /^SELINUX=enforcing\s*(?:#.*)?$/
expected "# This file controls the state of SELinux on the system on boot.\n\n# SELINUX can take one of these ...th Multi-Category Security \n#\t (mls, but only one sensitivity level)\nSELINUXTYPE=mcs\n" to match /^SELINUX=enforcing\s*(?:#.*)?$/
Diff:
@@ -1,15 +1,29 @@
-/^SELINUX=enforcing\s*(?:#.*)?$/
+# This file controls the state of SELinux on the system on boot.
+
+# SELINUX can take one of these three values:
+# enforcing - SELinux security policy is enforced.
+# permissive - SELinux prints warnings instead of enforcing.
+# disabled - No SELinux policy is loaded.
+SELINUX=permissive
+
+# SELINUXTYPE can take one of these four values:
+# targeted - Only targeted network daemons are protected.
+# strict - Full SELinux protection.
+# mls - Full SELinux protection with Multi-Level Security
+# mcs - Full SELinux protection with Multi-Category Security
+# (mls, but only one sensitivity level)
+SELINUXTYPE=mcs
✔ Command: `sestatus` stdout is expected to match /SELinux status:\s+enabled/
× Command: `sestatus` stdout is expected to match /Current mode:\s+enforcing/
expected "SELinux status: enabled\nSELinuxfs mount: /sys/fs/selinux\nSELinux ro... enabled\nPolicy deny_unknown status: allowed\nMax kernel policy version: 31\n" to match /Current mode:\s+enforcing/
Diff:
@@ -1,9 +1,17 @@
-/Current mode:\s+enforcing/
+SELinux status: enabled
+SELinuxfs mount: /sys/fs/selinux
+SELinux root directory: /etc/selinux
+Loaded policy name: mcs
+Current mode: permissive
+Mode from config file: permissive
+Policy MLS status: enabled
+Policy deny_unknown status: allowed
+Max kernel policy version: 31
× Command: `sestatus` stdout is expected to match /Mode from config file:\s+enforcing/
expected "SELinux status: enabled\nSELinuxfs mount: /sys/fs/selinux\nSELinux ro... enabled\nPolicy deny_unknown status: allowed\nMax kernel policy version: 31\n" to match /Mode from config file:\s+enforcing/
Diff:
@@ -1,9 +1,17 @@
-/Mode from config file:\s+enforcing/
+SELinux status: enabled
+SELinuxfs mount: /sys/fs/selinux
+SELinux root directory: /etc/selinux
+Loaded policy name: mcs
+Current mode: permissive
+Mode from config file: permissive
+Policy MLS status: enabled
+Policy deny_unknown status: allowed
+Max kernel policy version: 31
× cis-dil-benchmark-1.6.2.3: Ensure SELinux policy is configured (2 failed)
× File /etc/selinux/config content is expected to match /^SELINUXTYPE=(targeted|mls)\s*(?:#.*)?$/
expected "# This file controls the state of SELinux on the system on boot.\n\n# SELINUX can take one of these ...th Multi-Category Security \n#\t (mls, but only one sensitivity level)\nSELINUXTYPE=mcs\n" to match /^SELINUXTYPE=(targeted|mls)\s*(?:#.*)?$/
Diff:
@@ -1,15 +1,29 @@
-/^SELINUXTYPE=(targeted|mls)\s*(?:#.*)?$/
+# This file controls the state of SELinux on the system on boot.
+
+# SELINUX can take one of these three values:
+# enforcing - SELinux security policy is enforced.
+# permissive - SELinux prints warnings instead of enforcing.
+# disabled - No SELinux policy is loaded.
+SELINUX=permissive
+
+# SELINUXTYPE can take one of these four values:
+# targeted - Only targeted network daemons are protected.
+# strict - Full SELinux protection.
+# mls - Full SELinux protection with Multi-Level Security
+# mcs - Full SELinux protection with Multi-Category Security
+# (mls, but only one sensitivity level)
+SELINUXTYPE=mcs
× Command: `sestatus` stdout is expected to match /Policy from config file:\s+(targeted|mls)/
expected "SELinux status: enabled\nSELinuxfs mount: /sys/fs/selinux\nSELinux ro... enabled\nPolicy deny_unknown status: allowed\nMax kernel policy version: 31\n" to match /Policy from config file:\s+(targeted|mls)/
Diff:
@@ -1,9 +1,17 @@
-/Policy from config file:\s+(targeted|mls)/
+SELinux status: enabled
+SELinuxfs mount: /sys/fs/selinux
+SELinux root directory: /etc/selinux
+Loaded policy name: mcs
+Current mode: permissive
+Mode from config file: permissive
+Policy MLS status: enabled
+Policy deny_unknown status: allowed
+Max kernel policy version: 31
↺ cis-dil-benchmark-1.6.2.4: Ensure SETroubleshoot is not installed (1 skipped)
↺ The `package` resource is not supported on your OS yet.
✔ Command: `setroubleshoot` is expected not to exist
↺ cis-dil-benchmark-1.6.2.5: Ensure the MCS Translation Service (mcstrans) is not installed (1 failed) (1 skipped)
↺ The `package` resource is not supported on your OS yet.
× Command: `mcstransd` is expected not to exist
expected Command: `mcstransd` not to exist
✔ cis-dil-benchmark-1.6.2.6: Ensure no unconfined daemons exist
✔ Command: `ps -eZ | grep -E "initrc" | grep -E -v -w "tr|ps|grep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'` stdout is expected to eq ""
↺ cis-dil-benchmark-1.6.3.1: Ensure AppArmor is not disabled in bootloader configuration
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-1.6.3.2: Ensure all AppArmor Profiles are enforcing
↺ Skipped control due to only_if condition.
✔ cis-dil-benchmark-1.7.1.1: Ensure message of the day is configured properly
✔ Command: `grep -E -i '(\v|\r|\m|\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))' /etc/motd` stdout is expected to eq ""
✔ cis-dil-benchmark-1.7.1.2: Ensure local login warning banner is configured properly
✔ Command: `grep -E -i '(\v|\r|\m|\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))' /etc/issue` stdout is expected to eq ""
✔ cis-dil-benchmark-1.7.1.3: Ensure remote login warning banner is configured properly
✔ Command: `grep -E -i '(\v|\r|\m|\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))' /etc/issue.net` stdout is expected to eq ""
✔ cis-dil-benchmark-1.7.1.4: Ensure permissions on /etc/motd are configured
✔ File /etc/motd group is expected to eq "root"
✔ File /etc/motd owner is expected to eq "root"
✔ File /etc/motd mode is expected to cmp == "0644"
✔ cis-dil-benchmark-1.7.1.5: Ensure permissions on /etc/issue are configured
✔ File /etc/issue group is expected to eq "root"
✔ File /etc/issue owner is expected to eq "root"
✔ File /etc/issue mode is expected to cmp == "0644"
× cis-dil-benchmark-1.7.1.6: Ensure permissions on /etc/issue.net are configured (3 failed)
× File /etc/issue.net group is expected to eq "root"
expected: "root"
got: nil
(compared using ==)
× File /etc/issue.net owner is expected to eq "root"
expected: "root"
got: nil
(compared using ==)
× File /etc/issue.net mode is expected to cmp == "0644"
can't convert nil into Integer
↺ cis-dil-benchmark-1.7.2: Ensure GDM login banner is configured
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-1.8: Ensure updates, patches, and additional security software are installed
↺ Not implemented
↺ cis-dil-benchmark-2.1.1: Ensure chargen services are not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.2: Ensure daytime services are not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.3: Ensure discard services are not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.4: Ensure echo services are not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.5: Ensure time services are not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.6: Ensure rsh server is not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.7: Ensure talk server is not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.8: Ensure telnet server is not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.9: Ensure tftp server is not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
✔ cis-dil-benchmark-2.1.10: Ensure xinetd is not enabled
✔ Service xinetd is expected not to be enabled
✔ Service xinetd is expected not to be running
✔ cis-dil-benchmark-2.2.1.1: Ensure time synchronization is in use
✔ Command: `ntpd` is expected to exist
× cis-dil-benchmark-2.2.1.2: Ensure ntp is configured (4 failed)
✔ ntp.conf server is expected not to eq nil
✔ ["default nomodify nopeer noquery notrap limited kod", "127.0.0.1", "[::1]"] is expected to match /default\s+(\S+\s+)*kod(?:\s+|\s?")/
✔ ["default nomodify nopeer noquery notrap limited kod", "127.0.0.1", "[::1]"] is expected to match /default\s+(\S+\s+)*nomodify(?:\s+|\s?")/
✔ ["default nomodify nopeer noquery notrap limited kod", "127.0.0.1", "[::1]"] is expected to match /default\s+(\S+\s+)*notrap(?:\s+|\s?")/
✔ ["default nomodify nopeer noquery notrap limited kod", "127.0.0.1", "[::1]"] is expected to match /default\s+(\S+\s+)*nopeer(?:\s+|\s?")/
✔ ["default nomodify nopeer noquery notrap limited kod", "127.0.0.1", "[::1]"] is expected to match /default\s+(\S+\s+)*noquery(?:\s+|\s?")/
× File /etc/init.d/ntp content is expected to match /^RUNASUSER=ntp\s*(?:#.*)?$/
expected nil to match /^RUNASUSER=ntp\s*(?:#.*)?$/
× File /etc/init.d/ntpd content is expected to match /daemon\s+(\S+\s+)-u ntp:ntp(?:\s+|\s?")/
expected nil to match /daemon\s+(\S+\s+)-u ntp:ntp(?:\s+|\s?")/
× File /etc/sysconfig/ntpd content is expected to match /^OPTIONS="(?:.)?-u ntp:ntp\s*(?:.)?"\s*(?:#.*)?$/
expected nil to match /^OPTIONS="(?:.)?-u ntp:ntp\s*(?:.)?"\s*(?:#.*)?$/
× File /usr/lib/systemd/system/ntpd.service content is expected to match /^ExecStart=\/usr\/s?bin\/ntpd (?:.)?-u ntp:ntp\s*(?:.)?$/
expected "[Unit]\nDescription=Network Time Service\nAfter=ntpdate.service sntp.service\nConflicts=systemd-time...tp/ntp.drift -u ntp:ntp\nPrivateTmp=true\nRestart=always\n\n[Install]\nWantedBy=multi-user.target\n" to match /^ExecStart=\/usr\/s?bin\/ntpd (?:.)?-u ntp:ntp\s*(?:.)?$/
Diff:
@@ -1,12 +1,23 @@
-/^ExecStart=\/usr\/s?bin\/ntpd (?:.)?-u ntp:ntp\s*(?:.)?$/
+[Unit]
+Description=Network Time Service
+After=ntpdate.service sntp.service
+Conflicts=systemd-timesyncd.service
+
+[Service]
+ExecStart=/usr/sbin/ntpd -g -n -f /var/lib/ntp/ntp.drift -u ntp:ntp
+PrivateTmp=true
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
↺ cis-dil-benchmark-2.2.1.3: Ensure chrony is configured
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-2.2.1.4: Ensure systemd-timesyncd is configured
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-2.2.2: Ensure X Window System is not installed (2 skipped)
↺ The packages resource is not yet supported on OS coreos
↺ The packages resource is not yet supported on OS coreos
✔ cis-dil-benchmark-2.2.3: Ensure Avahi Server is not enabled
✔ Service avahi-daemon is expected not to be enabled
✔ Service avahi-daemon is expected not to be running
✔ cis-dil-benchmark-2.2.4: Ensure CUPS is not enabled
✔ Service cups is expected not to be enabled
✔ Service cups is expected not to be running
✔ cis-dil-benchmark-2.2.5: Ensure DHCP Server is not enabled
✔ Service isc-dhcp-server is expected not to be enabled
✔ Service isc-dhcp-server is expected not to be running
✔ Service isc-dhcp-server6 is expected not to be enabled
✔ Service isc-dhcp-server6 is expected not to be running
✔ Service dhcpd is expected not to be enabled
✔ Service dhcpd is expected not to be running
✔ cis-dil-benchmark-2.2.6: Ensure LDAP server is not enabled
✔ Service slapd is expected not to be enabled
✔ Service slapd is expected not to be running
✔ cis-dil-benchmark-2.2.7: Ensure NFS and RPC are not enabled
✔ Service nfs-kernel-server is expected not to be enabled
✔ Service nfs-kernel-server is expected not to be running
✔ Service nfs is expected not to be enabled
✔ Service nfs is expected not to be running
✔ Service rpcbind is expected not to be enabled
✔ Service rpcbind is expected not to be running
✔ cis-dil-benchmark-2.2.8: Ensure DNS Server is not enabled
✔ Service named is expected not to be enabled
✔ Service named is expected not to be running
✔ Service bind is expected not to be enabled
✔ Service bind is expected not to be running
✔ Service bind9 is expected not to be enabled
✔ Service bind9 is expected not to be running
✔ cis-dil-benchmark-2.2.9: Ensure FTP Server is not enabled
✔ Service vsftpd is expected not to be enabled
✔ Service vsftpd is expected not to be running
✔ cis-dil-benchmark-2.2.10: Ensure HTTP server is not enabled
✔ Service apache is expected not to be enabled
✔ Service apache is expected not to be running
✔ Service apache2 is expected not to be enabled
✔ Service apache2 is expected not to be running
✔ Service httpd is expected not to be enabled
✔ Service httpd is expected not to be running
✔ Service lighttpd is expected not to be enabled
✔ Service lighttpd is expected not to be running
✔ Service nginx is expected not to be enabled
✔ Service nginx is expected not to be running
✔ cis-dil-benchmark-2.2.11: Ensure IMAP and POP3 server is not enabled
✔ Service dovecot is expected not to be enabled
✔ Service dovecot is expected not to be running
✔ Service courier-imap is expected not to be enabled
✔ Service courier-imap is expected not to be running
✔ Service cyrus-imap is expected not to be enabled
✔ Service cyrus-imap is expected not to be running
✔ cis-dil-benchmark-2.2.12: Ensure Samba is not enabled
✔ Service samba is expected not to be enabled
✔ Service samba is expected not to be running
✔ Service smb is expected not to be enabled
✔ Service smb is expected not to be running
✔ Service smbd is expected not to be enabled
✔ Service smbd is expected not to be running
✔ cis-dil-benchmark-2.2.13: Ensure HTTP Proxy Server is not enabled
✔ Service squid is expected not to be enabled
✔ Service squid is expected not to be running
✔ Service squid3 is expected not to be enabled
✔ Service squid3 is expected not to be running
✔ cis-dil-benchmark-2.2.14: Ensure SNMP Server is not enabled
✔ Service snmpd is expected not to be enabled
✔ Service snmpd is expected not to be running
✔ cis-dil-benchmark-2.2.15: Ensure mail transfer agent is configured for local-only mode
✔ Port 25 with address !~ /^(127\.0\.0\.1|::1)$/ entries is expected to be empty
✔ cis-dil-benchmark-2.2.16: Ensure rsync service is not enabled
✔ Service rsync is expected not to be enabled
✔ Service rsync is expected not to be running
✔ Service rsyncd is expected not to be enabled
✔ Service rsyncd is expected not to be running
✔ cis-dil-benchmark-2.2.17: Ensure NIS Server is not enabled
✔ Service nis is expected not to be enabled
✔ Service nis is expected not to be running
✔ Service ypserv is expected not to be enabled
✔ Service ypserv is expected not to be running
↺ cis-dil-benchmark-2.3.1: Ensure NIS Client is not installed (2 skipped)
↺ The `package` resource is not supported on your OS yet.
↺ The `package` resource is not supported on your OS yet.
↺ cis-dil-benchmark-2.3.2: Ensure rsh client is not installed (3 skipped)
↺ The `package` resource is not supported on your OS yet.
↺ The `package` resource is not supported on your OS yet.
↺ The `package` resource is not supported on your OS yet.
↺ cis-dil-benchmark-2.3.3: Ensure talk client is not installed
↺ The `package` resource is not supported on your OS yet.
↺ cis-dil-benchmark-2.3.4: Ensure telnet client is not installed
↺ The `package` resource is not supported on your OS yet.
↺ cis-dil-benchmark-2.3.5: Ensure LDAP client is not installed (3 skipped)
↺ The `package` resource is not supported on your OS yet.
↺ The `package` resource is not supported on your OS yet.
↺ The `package` resource is not supported on your OS yet.
× cis-dil-benchmark-3.1.1: Ensure IP forwarding is disabled (1 failed)
✔ Kernel Parameter net.ipv4.ip_forward value is expected not to be nil
× Kernel Parameter net.ipv4.ip_forward value is expected to cmp == 0
expected: 0
got: 1
(compared using `cmp` matcher)
✔ Kernel Parameter net.ipv6.conf.all.forwarding value is expected not to be nil
✔ Kernel Parameter net.ipv6.conf.all.forwarding value is expected to cmp == 0
× cis-dil-benchmark-3.1.2: Ensure packet redirect sending is disabled (2 failed)
✔ Kernel Parameter net.ipv4.conf.all.send_redirects value is expected not to be nil
× Kernel Parameter net.ipv4.conf.all.send_redirects value is expected to cmp == 0
expected: 0
got: 1
(compared using `cmp` matcher)
✔ Kernel Parameter net.ipv4.conf.default.send_redirects value is expected not to be nil
× Kernel Parameter net.ipv4.conf.default.send_redirects value is expected to cmp == 0
expected: 0
got: 1
(compared using `cmp` matcher)
✔ cis-dil-benchmark-3.2.1: Ensure source routed packets are not accepted
✔ Kernel Parameter net.ipv4.conf.all.accept_source_route value is expected not to be nil
✔ Kernel Parameter net.ipv4.conf.all.accept_source_route value is expected to eq 0
✔ Kernel Parameter net.ipv4.conf.default.accept_source_route value is expected not to be nil
✔ Kernel Parameter net.ipv4.conf.default.accept_source_route value is expected to eq 0
✔ Kernel Parameter net.ipv6.conf.all.accept_source_route value is expected not to be nil
✔ Kernel Parameter net.ipv6.conf.all.accept_source_route value is expected to eq 0
✔ Kernel Parameter net.ipv6.conf.default.accept_source_route value is expected not to be nil
✔ Kernel Parameter net.ipv6.conf.default.accept_source_route value is expected to eq 0
× cis-dil-benchmark-3.2.2: Ensure ICMP redirects are not accepted (3 failed)
✔ Kernel Parameter net.ipv4.conf.all.accept_redirects value is expected not to be nil
✔ Kernel Parameter net.ipv4.conf.all.accept_redirects value is expected to eq 0
✔ Kernel Parameter net.ipv4.conf.default.accept_redirects value is expected not to be nil
× Kernel Parameter net.ipv4.conf.default.accept_redirects value is expected to eq 0
expected: 0
got: 1
(compared using ==)
✔ Kernel Parameter net.ipv6.conf.all.accept_redirects value is expected not to be nil
× Kernel Parameter net.ipv6.conf.all.accept_redirects value is expected to eq 0
expected: 0
got: 1
(compared using ==)
✔ Kernel Parameter net.ipv6.conf.default.accept_redirects value is expected not to be nil
× Kernel Parameter net.ipv6.conf.default.accept_redirects value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× cis-dil-benchmark-3.2.3: Ensure secure ICMP redirects are not accepted (2 failed)
✔ Kernel Parameter net.ipv4.conf.all.secure_redirects value is expected not to be nil
× Kernel Parameter net.ipv4.conf.all.secure_redirects value is expected to eq 0
expected: 0
got: 1
(compared using ==)
✔ Kernel Parameter net.ipv4.conf.default.secure_redirects value is expected not to be nil
× Kernel Parameter net.ipv4.conf.default.secure_redirects value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× cis-dil-benchmark-3.2.4: Ensure suspicious packets are logged (2 failed)
✔ Kernel Parameter net.ipv4.conf.all.log_martians value is expected not to be nil
× Kernel Parameter net.ipv4.conf.all.log_martians value is expected to eq 1
expected: 1
got: 0
(compared using ==)
✔ Kernel Parameter net.ipv4.conf.default.log_martians value is expected not to be nil
× Kernel Parameter net.ipv4.conf.default.log_martians value is expected to eq 1
expected: 1
got: 0
(compared using ==)
✔ cis-dil-benchmark-3.2.5: Ensure broadcast ICMP requests are ignored
✔ Kernel Parameter net.ipv4.icmp_echo_ignore_broadcasts value is expected not to be nil
✔ Kernel Parameter net.ipv4.icmp_echo_ignore_broadcasts value is expected to eq 1
✔ cis-dil-benchmark-3.2.6: Ensure bogus ICMP responses are ignored
✔ Kernel Parameter net.ipv4.icmp_ignore_bogus_error_responses value is expected not to be nil
✔ Kernel Parameter net.ipv4.icmp_ignore_bogus_error_responses value is expected to eq 1
✔ cis-dil-benchmark-3.2.7: Ensure Reverse Path Filtering is enabled
✔ Kernel Parameter net.ipv4.conf.all.rp_filter value is expected not to be nil
✔ Kernel Parameter net.ipv4.conf.all.rp_filter value is expected to eq 1
✔ Kernel Parameter net.ipv4.conf.default.rp_filter value is expected not to be nil
✔ Kernel Parameter net.ipv4.conf.default.rp_filter value is expected to eq 1
✔ cis-dil-benchmark-3.2.8: Ensure TCP SYN Cookies is enabled
✔ Kernel Parameter net.ipv4.tcp_syncookies value is expected not to be nil
✔ Kernel Parameter net.ipv4.tcp_syncookies value is expected to eq 1
× cis-dil-benchmark-3.2.9: Ensure IPv6 router advertisements are not accepted (2 failed)
✔ Kernel Parameter net.ipv6.conf.all.accept_ra value is expected not to be nil
× Kernel Parameter net.ipv6.conf.all.accept_ra value is expected to eq 0
expected: 0
got: 1
(compared using ==)
✔ Kernel Parameter net.ipv6.conf.default.accept_ra value is expected not to be nil
× Kernel Parameter net.ipv6.conf.default.accept_ra value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× cis-dil-benchmark-3.3.1: Ensure TCP Wrappers is installed (2 failed)
× System Package tcpd is expected to be installed
expected that `System Package tcpd` is installed
× System Package tcp_wrappers is expected to be installed
expected that `System Package tcp_wrappers` is installed
× cis-dil-benchmark-3.3.2: Ensure /etc/hosts.allow is configured
× File /etc/hosts.allow is expected to exist
expected File /etc/hosts.allow to exist
× cis-dil-benchmark-3.3.3: Ensure /etc/hosts.deny is configured
× File /etc/hosts.deny content is expected to match /^ALL: ALL/
expected nil to match /^ALL: ALL/
× cis-dil-benchmark-3.3.4: Ensure permissions on /etc/hosts.allow are configured (5 failed)
× File /etc/hosts.allow is expected to exist
expected File /etc/hosts.allow to exist
× File /etc/hosts.allow is expected to be file
expected `File /etc/hosts.allow.file?` to be truthy, got false
× File /etc/hosts.allow owner is expected to cmp == "root"
expected: root
got:
(compared using `cmp` matcher)
× File /etc/hosts.allow group is expected to cmp == "root"
expected: root
got:
(compared using `cmp` matcher)
× File /etc/hosts.allow mode is expected to cmp == "0644"
can't convert nil into Integer
× cis-dil-benchmark-3.3.5: Ensure permissions on /etc/hosts.deny are configured (5 failed)
× File /etc/hosts.deny is expected to exist
expected File /etc/hosts.deny to exist
× File /etc/hosts.deny is expected to be file
expected `File /etc/hosts.deny.file?` to be truthy, got false
× File /etc/hosts.deny owner is expected to cmp == "root"
expected: root
got:
(compared using `cmp` matcher)
× File /etc/hosts.deny group is expected to cmp == "root"
expected: root
got:
(compared using `cmp` matcher)
× File /etc/hosts.deny mode is expected to cmp == "0644"
can't convert nil into Integer
× cis-dil-benchmark-3.4.1: Ensure DCCP is disabled (1 failed)
✔ Kernel Module dccp is expected not to be loaded
× Kernel Module dccp is expected to be disabled
expected `Kernel Module dccp.disabled?` to be truthy, got false
× cis-dil-benchmark-3.4.2: Ensure SCTP is disabled (1 failed)
✔ Kernel Module sctp is expected not to be loaded
× Kernel Module sctp is expected to be disabled
expected `Kernel Module sctp.disabled?` to be truthy, got false
× cis-dil-benchmark-3.4.3: Ensure RDS is disabled (1 failed)
✔ Kernel Module rds is expected not to be loaded
× Kernel Module rds is expected to be disabled
expected `Kernel Module rds.disabled?` to be truthy, got false
× cis-dil-benchmark-3.4.4: Ensure TIPC is disabled (1 failed)
✔ Kernel Module tipc is expected not to be loaded
× Kernel Module tipc is expected to be disabled
expected `Kernel Module tipc.disabled?` to be truthy, got false
× cis-dil-benchmark-3.5.1.1: Ensure IPv6 default deny firewall policy (3 failed)
× Ip6tables is expected to have rule "-P INPUT DROP"
expected Ip6tables to have rule "-P INPUT DROP"
× Ip6tables is expected to have rule "-P OUTPUT DROP"
expected Ip6tables to have rule "-P OUTPUT DROP"
× Ip6tables is expected to have rule "-P FORWARD DROP"
expected Ip6tables to have rule "-P FORWARD DROP"
× cis-dil-benchmark-3.5.1.2: Ensure IPv6 loopback traffic is configured (9 failed)
× -P INPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
expected "-P INPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
+"-P INPUT ACCEPT"
× -P FORWARD ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
expected "-P FORWARD ACCEPT" to match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
+"-P FORWARD ACCEPT"
× -P OUTPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
expected "-P OUTPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
+"-P OUTPUT ACCEPT"
× -P INPUT ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
expected "-P INPUT ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
+"-P INPUT ACCEPT"
× -P FORWARD ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
expected "-P FORWARD ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
+"-P FORWARD ACCEPT"
× -P OUTPUT ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
expected "-P OUTPUT ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
+"-P OUTPUT ACCEPT"
× -P INPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/
expected "-P INPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/
+"-P INPUT ACCEPT"
× -P FORWARD ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/
expected "-P FORWARD ACCEPT" to match /(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/
+"-P FORWARD ACCEPT"
× -P OUTPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/
expected "-P OUTPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/
+"-P OUTPUT ACCEPT"
× cis-dil-benchmark-3.5.1.3: Ensure IPv6 outbound and established connections are configured (18 failed)
× -P INPUT ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P INPUT ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
+"-P INPUT ACCEPT"
× -P FORWARD ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P FORWARD ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
+"-P FORWARD ACCEPT"
× -P OUTPUT ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P OUTPUT ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
+"-P OUTPUT ACCEPT"
× -P INPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-p tcp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P INPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-p tcp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/