

@vjeffrey
Created April 19, 2018 06:39
{"platform":{"name":"amazon","release":"2017.09"},"profiles":[{"name":"ssh-baseline","version":"2.3.1","sha256":"db29311bd6781b1f7c3f22422f2d8370405e54efdea3e4f99eb5e54695c65502","title":"DevSec SSH Baseline","maintainer":"DevSec Hardening Framework Team","summary":"Test-suite for best-practice SSH hardening","license":"Apache-2.0","copyright":"DevSec Hardening Framework Team","copyright_email":"[email protected]","supports":[{"os-family":"unix"}],"attributes":[],"groups":[{"id":"controls/ssh_spec.rb","controls":["ssh-01","ssh-02","ssh-03","ssh-04","ssh-05","ssh-06","ssh-07","ssh-08","ssh-09","ssh-10","ssh-11","ssh-12","ssh-13","ssh-14","ssh-15","ssh-16","ssh-17","ssh-18","ssh-19","ssh-20","ssh-21"],"title":"SSH client config"},{"id":"controls/sshd_spec.rb","controls":["sshd-01","sshd-02","sshd-03","sshd-04","sshd-05","sshd-06","sshd-07","sshd-08","sshd-09","sshd-10","sshd-11","sshd-12","sshd-13","sshd-14","sshd-15","sshd-16","sshd-17","sshd-18","sshd-19","sshd-20","sshd-21","sshd-22","sshd-23","sshd-24","sshd-25","sshd-27","sshd-28","sshd-29","sshd-30","sshd-31","sshd-32","sshd-33","sshd-34","sshd-35","sshd-36","sshd-37","sshd-38","sshd-39","sshd-40","sshd-41","sshd-42","sshd-43","sshd-44","sshd-45","sshd-46","sshd-47","sshd-48"],"title":"SSH server config"}],"controls":[{"id":"ssh-01","title":"client: Check ssh_config owner, group and permissions.","desc":"The ssh_config should owned by root, only be writable by owner and readable to all.","impact":1.0,"refs":[],"tags":{},"code":"control 'ssh-01' do\n impact 1.0\n title 'client: Check ssh_config owner, group and permissions.'\n desc 'The ssh_config should owned by root, only be writable by owner and readable to all.'\n\n describe file('/etc/ssh/ssh_config') do\n it { should exist }\n it { should be_file }\n it { should be_owned_by 'root' }\n it { should be_grouped_into os.darwin? ? 
'wheel' : 'root' }\n it { should_not be_executable }\n it { should be_readable.by('owner') }\n it { should be_readable.by('group') }\n it { should be_readable.by('other') }\n it { should be_writable.by('owner') }\n it { should_not be_writable.by('group') }\n it { should_not be_writable.by('other') }\n end\nend\n","source_location":{"line":25,"ref":"ssh-baseline-master/controls/ssh_spec.rb"},"results":[{"status":"passed","code_desc":"File /etc/ssh/ssh_config should exist","run_time":0.108111,"start_time":"2018-04-19T00:38:28-06:00"},{"status":"passed","code_desc":"File /etc/ssh/ssh_config should be file","run_time":0.002034,"start_time":"2018-04-19T00:38:28-06:00"},{"status":"passed","code_desc":"File /etc/ssh/ssh_config should be owned by \"root\"","run_time":0.000207,"start_time":"2018-04-19T00:38:28-06:00"},{"status":"passed","code_desc":"File /etc/ssh/ssh_config should be grouped into \"root\"","run_time":0.000144,"start_time":"2018-04-19T00:38:28-06:00"},{"status":"passed","code_desc":"File /etc/ssh/ssh_config should not be executable","run_time":0.000177,"start_time":"2018-04-19T00:38:28-06:00"},{"status":"passed","code_desc":"File /etc/ssh/ssh_config should be readable by owner","run_time":9.7e-05,"start_time":"2018-04-19T00:38:28-06:00"},{"status":"passed","code_desc":"File /etc/ssh/ssh_config should be readable by group","run_time":0.000159,"start_time":"2018-04-19T00:38:28-06:00"},{"status":"passed","code_desc":"File /etc/ssh/ssh_config should be readable by other","run_time":8.4e-05,"start_time":"2018-04-19T00:38:28-06:00"},{"status":"passed","code_desc":"File /etc/ssh/ssh_config should be writable by owner","run_time":0.000112,"start_time":"2018-04-19T00:38:28-06:00"},{"status":"passed","code_desc":"File /etc/ssh/ssh_config should not be writable by group","run_time":8.8e-05,"start_time":"2018-04-19T00:38:28-06:00"},{"status":"passed","code_desc":"File /etc/ssh/ssh_config should not be writable by 
other","run_time":0.000163,"start_time":"2018-04-19T00:38:28-06:00"}]},{"id":"ssh-02","title":"Client: Specify the AddressFamily to your need","desc":"OpenSSH should be configured to the network family. Set it to inet if you use IPv4 only. For IPv6 only set it to inet6.","impact":1.0,"refs":[],"tags":{},"code":"control 'ssh-02' do\n impact 1.0\n title 'Client: Specify the AddressFamily to your need'\n desc 'OpenSSH should be configured to the network family. Set it to inet if you use IPv4 only. For IPv6 only set it to inet6.'\n describe ssh_config do\n its('AddressFamily') { should match(/inet|inet6|any/) }\n end\nend\n","source_location":{"line":45,"ref":"ssh-baseline-master/controls/ssh_spec.rb"},"results":[{"status":"failed","code_desc":"SSH Configuration AddressFamily should match /inet|inet6|any/","run_time":0.009846,"start_time":"2018-04-19T00:38:28-06:00","message":"expected nil to match /inet|inet6|any/"}]},{"id":"ssh-03","title":"Client: Specify expected ssh port","desc":"Always specify which port the SSH client should connect. Prevent unexpected settings.","impact":1.0,"refs":[],"tags":{},"code":"control 'ssh-03' do\n impact 1.0\n title 'Client: Specify expected ssh port'\n desc 'Always specify which port the SSH client should connect. Prevent unexpected settings.'\n describe ssh_config do\n its('Port') { should eq('22') }\n end\nend\n","source_location":{"line":54,"ref":"ssh-baseline-master/controls/ssh_spec.rb"},"results":[{"status":"failed","code_desc":"SSH Configuration Port should eq \"22\"","run_time":0.001208,"start_time":"2018-04-19T00:38:28-06:00","message":"\nexpected: \"22\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"ssh-04","title":"Client: Specify protocol version 2","desc":"Only SSH protocol version 2 connections should be permitted. Version 1 of the protocol contains security vulnerabilities. 
Don't use legacy insecure SSHv1 connections anymore.","impact":1.0,"refs":[],"tags":{},"code":"control 'ssh-04' do\n impact 1.0\n title 'Client: Specify protocol version 2'\n desc \"Only SSH protocol version 2 connections should be permitted. Version 1 of the protocol contains security vulnerabilities. Don't use legacy insecure SSHv1 connections anymore.\"\n describe ssh_config do\n its('Protocol') { should eq('2') }\n end\nend\n","source_location":{"line":63,"ref":"ssh-baseline-master/controls/ssh_spec.rb"},"results":[{"status":"failed","code_desc":"SSH Configuration Protocol should eq \"2\"","run_time":0.000453,"start_time":"2018-04-19T00:38:28-06:00","message":"\nexpected: \"2\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"ssh-05","title":"Client: Disable batch mode","desc":"Avoid batch mode in the default configuration.","impact":1.0,"refs":[],"tags":{},"code":"control 'ssh-05' do\n impact 1.0\n title 'Client: Disable batch mode'\n desc 'Avoid batch mode in the default configuration.'\n describe ssh_config do\n its('BatchMode') { should eq('no') }\n end\nend\n","source_location":{"line":72,"ref":"ssh-baseline-master/controls/ssh_spec.rb"},"results":[{"status":"failed","code_desc":"SSH Configuration BatchMode should eq \"no\"","run_time":0.000372,"start_time":"2018-04-19T00:38:28-06:00","message":"\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"ssh-06","title":"Client: Check Host IPs","desc":"Make sure that SSH checks the host IP address in the known_hosts file, to avoid DNS spoofing effects.","impact":1.0,"refs":[],"tags":{},"code":"control 'ssh-06' do\n impact 1.0\n title 'Client: Check Host IPs'\n desc 'Make sure that SSH checks the host IP address in the known_hosts file, to avoid DNS spoofing effects.'\n describe ssh_config do\n its('CheckHostIP') { should eq('yes') }\n end\nend\n","source_location":{"line":81,"ref":"ssh-baseline-master/controls/ssh_spec.rb"},"results":[{"status":"failed","code_desc":"SSH Configuration CheckHostIP should 
eq \"yes\"","run_time":0.000495,"start_time":"2018-04-19T00:38:28-06:00","message":"\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"ssh-07","title":"Client: Ask when checking host keys","desc":"Don't automatically add new hosts keys to the list of known hosts.","impact":1.0,"refs":[],"tags":{},"code":"control 'ssh-07' do\n impact 1.0\n title 'Client: Ask when checking host keys'\n desc \"Don't automatically add new hosts keys to the list of known hosts.\"\n describe ssh_config do\n its('StrictHostKeyChecking') { should match(/ask|yes/) }\n end\nend\n","source_location":{"line":90,"ref":"ssh-baseline-master/controls/ssh_spec.rb"},"results":[{"status":"failed","code_desc":"SSH Configuration StrictHostKeyChecking should match /ask|yes/","run_time":0.000408,"start_time":"2018-04-19T00:38:28-06:00","message":"expected nil to match /ask|yes/"}]},{"id":"ssh-08","title":"Client: Check for secure ssh ciphers","desc":"Configure a list of ciphers to the best secure ciphers (avoid older and weaker ciphers)","impact":1.0,"refs":[],"tags":{},"code":"control 'ssh-08' do\n impact 1.0\n title 'Client: Check for secure ssh ciphers'\n desc 'Configure a list of ciphers to the best secure ciphers (avoid older and weaker ciphers)'\n describe ssh_config do\n its('Ciphers') { should eq(ssh_crypto.valid_ciphers) }\n end\nend\n","source_location":{"line":99,"ref":"ssh-baseline-master/controls/ssh_spec.rb"},"results":[{"status":"failed","code_desc":"SSH Configuration Ciphers should eq \"[email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr\"","run_time":0.000542,"start_time":"2018-04-19T00:38:28-06:00","message":"\nexpected: \"[email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"ssh-09","title":"Client: Check for secure ssh Key-Exchange Algorithm","desc":"Configure a list of Key-Exchange Algorithms (Kexs) to the best secure Kexs (avoid older and weaker 
Key-Exchange Algorithm)","impact":1.0,"refs":[],"tags":{},"code":"control 'ssh-09' do\n impact 1.0\n title 'Client: Check for secure ssh Key-Exchange Algorithm'\n desc 'Configure a list of Key-Exchange Algorithms (Kexs) to the best secure Kexs (avoid older and weaker Key-Exchange Algorithm)'\n describe ssh_config do\n its('KexAlgorithms') { should eq(ssh_crypto.valid_kexs) }\n end\nend\n","source_location":{"line":108,"ref":"ssh-baseline-master/controls/ssh_spec.rb"},"results":[{"status":"failed","code_desc":"SSH Configuration KexAlgorithms should eq \"[email protected],diffie-hellman-group-exchange-sha256\"","run_time":0.000455,"start_time":"2018-04-19T00:38:28-06:00","message":"\nexpected: \"[email protected],diffie-hellman-group-exchange-sha256\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"ssh-10","title":"Client: Check for secure ssh Message Authentication Codes","desc":"Configure a list of Message Authentication Codes (MACs) to the best secure MACs (avoid older and weaker Message Authentication Codes)","impact":1.0,"refs":[],"tags":{},"code":"control 'ssh-10' do\n impact 1.0\n title 'Client: Check for secure ssh Message Authentication Codes'\n desc 'Configure a list of Message Authentication Codes (MACs) to the best secure MACs (avoid older and weaker Message Authentication Codes)'\n describe ssh_config do\n its('MACs') { should eq(ssh_crypto.valid_macs) }\n end\nend\n","source_location":{"line":117,"ref":"ssh-baseline-master/controls/ssh_spec.rb"},"results":[{"status":"failed","code_desc":"SSH Configuration MACs should eq \"[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256\"","run_time":0.000404,"start_time":"2018-04-19T00:38:28-06:00","message":"\nexpected: \"[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"ssh-11","title":"Client: Disable agent forwarding","desc":"Prevent agent forwarding by default, as it can be used in a limited way to 
enable attacks.","impact":1.0,"refs":[],"tags":{},"code":"control 'ssh-11' do\n impact 1.0\n title 'Client: Disable agent forwarding'\n desc 'Prevent agent forwarding by default, as it can be used in a limited way to enable attacks.'\n describe ssh_config do\n its('ForwardAgent') { should eq('no') }\n end\nend\n","source_location":{"line":126,"ref":"ssh-baseline-master/controls/ssh_spec.rb"},"results":[{"status":"failed","code_desc":"SSH Configuration ForwardAgent should eq \"no\"","run_time":0.000479,"start_time":"2018-04-19T00:38:28-06:00","message":"\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"ssh-12","title":"Client: Disable X11Forwarding","desc":"Prevent X11 forwarding by default, as it can be used in a limited way to enable attacks.","impact":1.0,"refs":[],"tags":{},"code":"control 'ssh-12' do\n impact 1.0\n title 'Client: Disable X11Forwarding'\n desc 'Prevent X11 forwarding by default, as it can be used in a limited way to enable attacks.'\n describe ssh_config do\n its('ForwardX11') { should eq('no') }\n end\nend\n","source_location":{"line":135,"ref":"ssh-baseline-master/controls/ssh_spec.rb"},"results":[{"status":"failed","code_desc":"SSH Configuration ForwardX11 should eq \"no\"","run_time":0.000531,"start_time":"2018-04-19T00:38:28-06:00","message":"\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"ssh-13","title":"Client: Disable HostbasedAuthentication","desc":"This option is a weak way for authentication and provide attacker more ways to enter the system.","impact":1.0,"refs":[],"tags":{},"code":"control 'ssh-13' do\n impact 1.0\n title 'Client: Disable HostbasedAuthentication'\n desc 'This option is a weak way for authentication and provide attacker more ways to enter the system.'\n describe ssh_config do\n its('HostbasedAuthentication') { should eq('no') }\n end\nend\n","source_location":{"line":144,"ref":"ssh-baseline-master/controls/ssh_spec.rb"},"results":[{"status":"failed","code_desc":"SSH Configuration 
HostbasedAuthentication should eq \"no\"","run_time":0.000488,"start_time":"2018-04-19T00:38:28-06:00","message":"\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"ssh-14","title":"Client: Disable rhosts-based authentication","desc":"Avoid rhosts-based authentication, as it opens more ways for an attacker to enter a system.","impact":1.0,"refs":[],"tags":{},"code":"control 'ssh-14' do\n impact 1.0\n title 'Client: Disable rhosts-based authentication'\n desc 'Avoid rhosts-based authentication, as it opens more ways for an attacker to enter a system.'\n describe ssh_config do\n its('RhostsRSAAuthentication') { should eq('no') }\n end\nend\n","source_location":{"line":153,"ref":"ssh-baseline-master/controls/ssh_spec.rb"},"results":[{"status":"failed","code_desc":"SSH Configuration RhostsRSAAuthentication should eq \"no\"","run_time":0.000597,"start_time":"2018-04-19T00:38:28-06:00","message":"\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"ssh-15","title":"Client: Enable RSA authentication","desc":"Make sure RSA authentication is used by default.","impact":1.0,"refs":[],"tags":{},"code":"control 'ssh-15' do\n impact 1.0\n title 'Client: Enable RSA authentication'\n desc 'Make sure RSA authentication is used by default.'\n describe ssh_config do\n its('RSAAuthentication') { should eq('yes') }\n end\nend\n","source_location":{"line":162,"ref":"ssh-baseline-master/controls/ssh_spec.rb"},"results":[{"status":"failed","code_desc":"SSH Configuration RSAAuthentication should eq \"yes\"","run_time":0.000834,"start_time":"2018-04-19T00:38:28-06:00","message":"\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"ssh-16","title":"Client: Disable password-based authentication","desc":"Avoid password-based authentications.","impact":1.0,"refs":[],"tags":{},"code":"control 'ssh-16' do\n impact 1.0\n title 'Client: Disable password-based authentication'\n desc 'Avoid password-based authentications.'\n describe ssh_config do\n 
its('PasswordAuthentication') { should eq('no') }\n end\nend\n","source_location":{"line":171,"ref":"ssh-baseline-master/controls/ssh_spec.rb"},"results":[{"status":"failed","code_desc":"SSH Configuration PasswordAuthentication should eq \"no\"","run_time":0.000566,"start_time":"2018-04-19T00:38:28-06:00","message":"\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"ssh-17","title":"Client: Disable GSSAPIAuthentication","desc":"If you do not use GSSAPI authentication then disable it.","impact":1.0,"refs":[],"tags":{},"code":"control 'ssh-17' do\n impact 1.0\n title 'Client: Disable GSSAPIAuthentication'\n desc 'If you do not use GSSAPI authentication then disable it.'\n describe ssh_config do\n its('GSSAPIAuthentication') { should eq('no') }\n end\nend\n","source_location":{"line":180,"ref":"ssh-baseline-master/controls/ssh_spec.rb"},"results":[{"status":"failed","code_desc":"SSH Configuration GSSAPIAuthentication should eq \"no\"","run_time":0.000665,"start_time":"2018-04-19T00:38:28-06:00","message":"\nexpected: \"no\"\n got: \"yes\"\n\n(compared using ==)\n"}]},{"id":"ssh-18","title":"Client: Disable GSSAPIDelegateCredentials","desc":"If you do not use GSSAPI authentication then disable it.","impact":1.0,"refs":[],"tags":{},"code":"control 'ssh-18' do\n impact 1.0\n title 'Client: Disable GSSAPIDelegateCredentials'\n desc 'If you do not use GSSAPI authentication then disable it.'\n describe ssh_config do\n its('GSSAPIDelegateCredentials') { should eq('no') }\n end\nend\n","source_location":{"line":189,"ref":"ssh-baseline-master/controls/ssh_spec.rb"},"results":[{"status":"failed","code_desc":"SSH Configuration GSSAPIDelegateCredentials should eq \"no\"","run_time":0.000735,"start_time":"2018-04-19T00:38:28-06:00","message":"\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"ssh-19","title":"Client: Disable tunnels","desc":"Avoid using SSH tunnels.","impact":1.0,"refs":[],"tags":{},"code":"control 'ssh-19' do\n impact 1.0\n title 
'Client: Disable tunnels'\n desc 'Avoid using SSH tunnels.'\n describe ssh_config do\n its('Tunnel') { should eq('no') }\n end\nend\n","source_location":{"line":198,"ref":"ssh-baseline-master/controls/ssh_spec.rb"},"results":[{"status":"failed","code_desc":"SSH Configuration Tunnel should eq \"no\"","run_time":0.000663,"start_time":"2018-04-19T00:38:28-06:00","message":"\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"ssh-20","title":"Client: Do not permit local commands","desc":"Do not permit any local command execution.","impact":1.0,"refs":[],"tags":{},"code":"control 'ssh-20' do\n impact 1.0\n title 'Client: Do not permit local commands'\n desc 'Do not permit any local command execution.'\n describe ssh_config do\n its('PermitLocalCommand') { should eq('no') }\n end\nend\n","source_location":{"line":207,"ref":"ssh-baseline-master/controls/ssh_spec.rb"},"results":[{"status":"failed","code_desc":"SSH Configuration PermitLocalCommand should eq \"no\"","run_time":0.000623,"start_time":"2018-04-19T00:38:28-06:00","message":"\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"ssh-21","title":"Client: Do not allow Roaming","desc":"Workaround for SSH Client Bug CVE-2016-0777 and CVE-2016-0778","impact":1.0,"refs":[],"tags":{},"code":"control 'ssh-21' do\n impact 1.0\n title 'Client: Do not allow Roaming'\n desc 'Workaround for SSH Client Bug CVE-2016-0777 and CVE-2016-0778'\n describe ssh_config do\n its('UseRoaming') { should eq('no') }\n end\nend\n","source_location":{"line":216,"ref":"ssh-baseline-master/controls/ssh_spec.rb"},"results":[{"status":"failed","code_desc":"SSH Configuration UseRoaming should eq \"no\"","run_time":0.000627,"start_time":"2018-04-19T00:38:28-06:00","message":"\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-01","title":"Server: Check for secure ssh ciphers","desc":"Configure a list of ciphers to the best secure ciphers (avoid older and weaker 
ciphers)","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-01' do\n impact 1.0\n title 'Server: Check for secure ssh ciphers'\n desc 'Configure a list of ciphers to the best secure ciphers (avoid older and weaker ciphers)'\n describe sshd_config do\n its('Ciphers') { should eq(ssh_crypto.valid_ciphers) }\n end\nend\n","source_location":{"line":25,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration Ciphers should eq \"[email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr\"","run_time":0.001202,"start_time":"2018-04-19T00:38:28-06:00","message":"\nexpected: \"[email protected],[email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-02","title":"Server: Check for secure ssh Key-Exchange Algorithm","desc":"Configure a list of Key-Exchange Algorithms (Kexs) to the best secure Kexs (avoid older and weaker Key-Exchange Algorithm)","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-02' do\n impact 1.0\n title 'Server: Check for secure ssh Key-Exchange Algorithm'\n desc 'Configure a list of Key-Exchange Algorithms (Kexs) to the best secure Kexs (avoid older and weaker Key-Exchange Algorithm)'\n describe sshd_config do\n its('KexAlgorithms') { should eq(ssh_crypto.valid_kexs) }\n end\nend\n","source_location":{"line":34,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration KexAlgorithms should eq \"[email protected],diffie-hellman-group-exchange-sha256\"","run_time":0.001931,"start_time":"2018-04-19T00:38:28-06:00","message":"\nexpected: \"[email protected],diffie-hellman-group-exchange-sha256\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-03","title":"Server: Check for secure ssh Message Authentication Codes","desc":"Configure a list of Message Authentication Codes (MACs) to the best secure MACs (avoid older and weaker Message Authentication 
Codes)","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-03' do\n impact 1.0\n title 'Server: Check for secure ssh Message Authentication Codes'\n desc 'Configure a list of Message Authentication Codes (MACs) to the best secure MACs (avoid older and weaker Message Authentication Codes)'\n describe sshd_config do\n its('MACs') { should eq(ssh_crypto.valid_macs) }\n end\nend\n","source_location":{"line":43,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration MACs should eq \"[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256\"","run_time":0.001228,"start_time":"2018-04-19T00:38:28-06:00","message":"\nexpected: \"[email protected],[email protected],[email protected],hmac-sha2-512,hmac-sha2-256\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-04","title":"Server: Check SSH folder owner, group and permissions.","desc":"The SSH folder should owned by root, only be writable by owner and readable by others.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-04' do\n impact 1.0\n title 'Server: Check SSH folder owner, group and permissions.'\n desc 'The SSH folder should owned by root, only be writable by owner and readable by others.'\n describe file('/etc/ssh') do\n it { should exist }\n it { should be_directory }\n it { should be_owned_by 'root' }\n it { should be_grouped_into os.darwin? ? 
'wheel' : 'root' }\n it { should be_executable }\n it { should be_readable.by('owner') }\n it { should be_readable.by('group') }\n it { should be_readable.by('other') }\n it { should be_writable.by('owner') }\n it { should_not be_writable.by('group') }\n it { should_not be_writable.by('other') }\n end\nend\n","source_location":{"line":52,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"passed","code_desc":"File /etc/ssh should exist","run_time":0.158346,"start_time":"2018-04-19T00:38:28-06:00"},{"status":"passed","code_desc":"File /etc/ssh should be directory","run_time":0.215663,"start_time":"2018-04-19T00:38:28-06:00"},{"status":"passed","code_desc":"File /etc/ssh should be owned by \"root\"","run_time":0.000529,"start_time":"2018-04-19T00:38:29-06:00"},{"status":"passed","code_desc":"File /etc/ssh should be grouped into \"root\"","run_time":0.000247,"start_time":"2018-04-19T00:38:29-06:00"},{"status":"passed","code_desc":"File /etc/ssh should be executable","run_time":0.000212,"start_time":"2018-04-19T00:38:29-06:00"},{"status":"passed","code_desc":"File /etc/ssh should be readable by owner","run_time":0.000171,"start_time":"2018-04-19T00:38:29-06:00"},{"status":"passed","code_desc":"File /etc/ssh should be readable by group","run_time":0.00017,"start_time":"2018-04-19T00:38:29-06:00"},{"status":"passed","code_desc":"File /etc/ssh should be readable by other","run_time":0.000295,"start_time":"2018-04-19T00:38:29-06:00"},{"status":"passed","code_desc":"File /etc/ssh should be writable by owner","run_time":0.000303,"start_time":"2018-04-19T00:38:29-06:00"},{"status":"passed","code_desc":"File /etc/ssh should not be writable by group","run_time":0.000123,"start_time":"2018-04-19T00:38:29-06:00"},{"status":"passed","code_desc":"File /etc/ssh should not be writable by other","run_time":0.00011,"start_time":"2018-04-19T00:38:29-06:00"}]},{"id":"sshd-05","title":"Server: Check sshd_config owner, group and permissions.","desc":"The sshd_config 
should owned by root, only be writable/readable by owner and not be executable.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-05' do\n impact 1.0\n title 'Server: Check sshd_config owner, group and permissions.'\n desc 'The sshd_config should owned by root, only be writable/readable by owner and not be executable.'\n\n describe file('/etc/ssh/sshd_config') do\n it { should exist }\n it { should be_file }\n it { should be_owned_by 'root' }\n it { should be_grouped_into os.darwin? ? 'wheel' : 'root' }\n it { should_not be_executable }\n it { should be_readable.by('owner') }\n it { should_not be_readable.by('group') }\n it { should_not be_readable.by('other') }\n it { should be_writable.by('owner') }\n it { should_not be_writable.by('group') }\n it { should_not be_writable.by('other') }\n end\nend\n","source_location":{"line":71,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"passed","code_desc":"File /etc/ssh/sshd_config should exist","run_time":0.191231,"start_time":"2018-04-19T00:38:29-06:00"},{"status":"passed","code_desc":"File /etc/ssh/sshd_config should be file","run_time":0.000221,"start_time":"2018-04-19T00:38:29-06:00"},{"status":"passed","code_desc":"File /etc/ssh/sshd_config should be owned by \"root\"","run_time":0.000188,"start_time":"2018-04-19T00:38:29-06:00"},{"status":"passed","code_desc":"File /etc/ssh/sshd_config should be grouped into \"root\"","run_time":0.000473,"start_time":"2018-04-19T00:38:29-06:00"},{"status":"passed","code_desc":"File /etc/ssh/sshd_config should not be executable","run_time":0.000142,"start_time":"2018-04-19T00:38:29-06:00"},{"status":"passed","code_desc":"File /etc/ssh/sshd_config should be readable by owner","run_time":0.000105,"start_time":"2018-04-19T00:38:29-06:00"},{"status":"failed","code_desc":"File /etc/ssh/sshd_config should not be readable by group","run_time":0.000476,"start_time":"2018-04-19T00:38:29-06:00","message":"expected File /etc/ssh/sshd_config not to be readable by 
group"},{"status":"failed","code_desc":"File /etc/ssh/sshd_config should not be readable by other","run_time":0.000219,"start_time":"2018-04-19T00:38:29-06:00","message":"expected File /etc/ssh/sshd_config not to be readable by other"},{"status":"passed","code_desc":"File /etc/ssh/sshd_config should be writable by owner","run_time":0.000169,"start_time":"2018-04-19T00:38:29-06:00"},{"status":"passed","code_desc":"File /etc/ssh/sshd_config should not be writable by group","run_time":0.000355,"start_time":"2018-04-19T00:38:29-06:00"},{"status":"passed","code_desc":"File /etc/ssh/sshd_config should not be writable by other","run_time":0.000116,"start_time":"2018-04-19T00:38:29-06:00"}]},{"id":"sshd-06","title":"Server: Do not permit root-based login or do not allow password and keyboard-interactive authentication","desc":"Reduce the potential risk to gain full privileges access of the system because of weak password and keyboard-interactive authentication, do not allow logging in as the root user or with password authentication.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-06' do\n impact 1.0\n title 'Server: Do not permit root-based login or do not allow password and keyboard-interactive authentication'\n desc 'Reduce the potential risk to gain full privileges access of the system because of weak password and keyboard-interactive authentication, do not allow logging in as the root user or with password authentication.'\n describe sshd_config do\n its('PermitRootLogin') { should match(/no|without-password/) }\n end\nend\n","source_location":{"line":91,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration PermitRootLogin should match /no|without-password/","run_time":0.001587,"start_time":"2018-04-19T00:38:29-06:00","message":"expected \"forced-commands-only\" to match /no|without-password/\nDiff:\n@@ -1,2 +1,2 
@@\n-/no|without-password/\n+\"forced-commands-only\"\n"}]},{"id":"sshd-07","title":"Server: Specify the listen ssh Port","desc":"Always specify which port the SSH server should listen to. Prevent unexpected settings.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-07' do\n impact 1.0\n title 'Server: Specify the listen ssh Port'\n desc 'Always specify which port the SSH server should listen to. Prevent unexpected settings.'\n describe sshd_config do\n its('Port') { should eq('22') }\n end\nend\n","source_location":{"line":100,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration Port should eq \"22\"","run_time":0.001016,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"22\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-08","title":"Server: Specify the AddressFamily to your need","desc":"OpenSSH should be configured to the network family. Set it to inet if you use IPv4 only. For IPv6 only set it to inet6.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-08' do\n impact 1.0\n title 'Server: Specify the AddressFamily to your need'\n desc 'OpenSSH should be configured to the network family. Set it to inet if you use IPv4 only. For IPv6 only set it to inet6.'\n describe sshd_config do\n its('AddressFamily') { should match(/inet|inet6|any/) }\n end\nend\n","source_location":{"line":109,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration AddressFamily should match /inet|inet6|any/","run_time":0.001098,"start_time":"2018-04-19T00:38:29-06:00","message":"expected nil to match /inet|inet6|any/"}]},{"id":"sshd-09","title":"Server: Specify ListenAddress","desc":"Limit the SSH server to listen to a specific address. 
Don't let it listen on all interfaces to avoid logins from unexpected sources.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-09' do\n impact 1.0\n title 'Server: Specify ListenAddress'\n desc \"Limit the SSH server to listen to a specific address. Don't let it listen on all interfaces to avoid logins from unexpected sources.\"\n describe sshd_config do\n its('ListenAddress') { should match(/.*/) }\n end\nend\n","source_location":{"line":118,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration ListenAddress should match /.*/","run_time":0.000891,"start_time":"2018-04-19T00:38:29-06:00","message":"expected nil to match /.*/"}]},{"id":"sshd-10","title":"Server: Specify protocol version 2","desc":"Only SSH protocol version 2 connections should be permitted. Version 1 of the protocol contains security vulnerabilities. Don't use legacy insecure SSHv1 connections anymore.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-10' do\n impact 1.0\n title 'Server: Specify protocol version 2'\n desc \"Only SSH protocol version 2 connections should be permitted. Version 1 of the protocol contains security vulnerabilities. 
Don't use legacy insecure SSHv1 connections anymore.\"\n describe sshd_config do\n its('Protocol') { should eq('2') }\n end\nend\n","source_location":{"line":127,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration Protocol should eq \"2\"","run_time":0.000882,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"2\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-11","title":"Server: Enable StrictModes","desc":"Prevent the use of insecure home directory and key file permissions.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-11' do\n impact 1.0\n title 'Server: Enable StrictModes'\n desc 'Prevent the use of insecure home directory and key file permissions.'\n describe sshd_config do\n its('StrictModes') { should eq('yes') }\n end\nend\n","source_location":{"line":136,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration StrictModes should eq \"yes\"","run_time":0.000869,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-12","title":"Server: Specify SyslogFacility to AUTH","desc":"Logging should be set to go to the /var/log/auth.log facility by using the SysLog AUTH parameter. This will ensure that any problems around invalid logins or the like are forwarded to a central security file for auditing purposes","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-12' do\n impact 1.0\n title 'Server: Specify SyslogFacility to AUTH'\n desc 'Logging should be set to go to the /var/log/auth.log facility by using the SysLog AUTH parameter. 
This will ensure that any problems around invalid logins or the like are forwarded to a central security file for auditing purposes'\n describe sshd_config do\n its('SyslogFacility') { should eq('AUTH') }\n end\nend\n","source_location":{"line":145,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration SyslogFacility should eq \"AUTH\"","run_time":0.001362,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"AUTH\"\n got: \"AUTHPRIV\"\n\n(compared using ==)\n"}]},{"id":"sshd-13","title":"Server: Specify LogLevel to VERBOSE","desc":"Be verbose in logging, to allow analysis in case of unexpected behavior.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-13' do\n impact 1.0\n title 'Server: Specify LogLevel to VERBOSE'\n desc 'Be verbose in logging, to allow analysis in case of unexpected behavior.'\n describe sshd_config do\n its('LogLevel') { should eq('VERBOSE') }\n end\nend\n","source_location":{"line":154,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration LogLevel should eq \"VERBOSE\"","run_time":0.000964,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"VERBOSE\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-14","title":"Server: Specify SSH HostKeys","desc":"Specify HostKey for protection against Man-In-The-Middle Attacks","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-14' do\n impact 1.0\n title 'Server: Specify SSH HostKeys'\n desc 'Specify HostKey for protection against Man-In-The-Middle Attacks'\n describe sshd_config do\n its('HostKey') { should cmp ssh_crypto.valid_hostkeys }\n end\nend\n","source_location":{"line":163,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"passed","code_desc":"SSHD Configuration HostKey should cmp == [\"/etc/ssh/ssh_host_rsa_key\", \"/etc/ssh/ssh_host_ecdsa_key\", 
\"/etc/ssh/ssh_host_ed25519_key\"]","run_time":0.000944,"start_time":"2018-04-19T00:38:29-06:00"}]},{"id":"sshd-15","title":"Server: Specify UseLogin to NO","desc":"Disable legacy login mechanism and do not use login for interactive login sessions.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-15' do\n impact 1.0\n title 'Server: Specify UseLogin to NO'\n desc 'Disable legacy login mechanism and do not use login for interactive login sessions.'\n describe sshd_config do\n its('UseLogin') { should eq('no') }\n end\nend\n","source_location":{"line":172,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration UseLogin should eq \"no\"","run_time":0.00077,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-16","title":"Server: Use privilege separation","desc":"UsePrivilegeSeparation is an option, when enabled will allow the OpenSSH server to run a small (necessary) amount of code as root and the of the code in a chroot jail environment. This enables ssh to deal incoming network traffic in an unprivileged child process to avoid privilege escalation by an attacker.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-16' do\n impact 1.0\n title 'Server: Use privilege separation'\n desc 'UsePrivilegeSeparation is an option, when enabled will allow the OpenSSH server to run a small (necessary) amount of code as root and the of the code in a chroot jail environment. 
This enables ssh to deal incoming network traffic in an unprivileged child process to avoid privilege escalation by an attacker.'\n describe sshd_config do\n its('UsePrivilegeSeparation') { should eq(ssh_crypto.valid_privseparation) }\n end\nend\n","source_location":{"line":181,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"passed","code_desc":"SSHD Configuration UsePrivilegeSeparation should eq \"sandbox\"","run_time":0.000928,"start_time":"2018-04-19T00:38:29-06:00"}]},{"id":"sshd-17","title":"Server: Disable PermitUserEnvironment","desc":"Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-17' do\n impact 1.0\n title 'Server: Disable PermitUserEnvironment'\n desc 'Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD.'\n describe sshd_config do\n its('PermitUserEnvironment') { should eq('no') }\n end\nend\n","source_location":{"line":190,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration PermitUserEnvironment should eq \"no\"","run_time":0.000826,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-18","title":"Server: Specify LoginGraceTime","desc":"The LoginGraceTime gives the user 30 seconds to accomplish a login. This could be used to conduct a Denial of Service (DoS) against a running SSH daemon.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-18' do\n impact 1.0\n title 'Server: Specify LoginGraceTime'\n desc 'The LoginGraceTime gives the user 30 seconds to accomplish a login. 
This could be used to conduct a Denial of Service (DoS) against a running SSH daemon.'\n describe sshd_config do\n its('LoginGraceTime') { should eq('30s') }\n end\nend\n","source_location":{"line":199,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration LoginGraceTime should eq \"30s\"","run_time":0.000914,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"30s\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-19","title":"Server: Specify Limit for maximum authentication retries","desc":"MaxAuthTries limits the user to three wrong attempts before the login attempt is denied. This avoid resource starvation attacks.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-19' do\n impact 1.0\n title 'Server: Specify Limit for maximum authentication retries'\n desc 'MaxAuthTries limits the user to three wrong attempts before the login attempt is denied. This avoid resource starvation attacks.'\n describe sshd_config do\n its('MaxAuthTries') { should eq('2') }\n end\nend\n","source_location":{"line":208,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration MaxAuthTries should eq \"2\"","run_time":0.000863,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"2\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-20","title":"Server: Specify maximum sessions","desc":"Specifies the maximum number of open sessions permitted per network connection. This could be used to conduct a Denial of Service (DoS) against a running SSH daemon.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-20' do\n impact 1.0\n title 'Server: Specify maximum sessions'\n desc 'Specifies the maximum number of open sessions permitted per network connection. 
This could be used to conduct a Denial of Service (DoS) against a running SSH daemon.'\n describe sshd_config do\n its('MaxSessions') { should eq('10') }\n end\nend\n","source_location":{"line":217,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration MaxSessions should eq \"10\"","run_time":0.000875,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"10\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-21","title":"Server: Specify maximum startups","desc":"Limit the number of concurrent unauthenticated sessions to prevent Denial of Service (DoS) against a running SSH daemon.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-21' do\n impact 1.0\n title 'Server: Specify maximum startups'\n desc 'Limit the number of concurrent unauthenticated sessions to prevent Denial of Service (DoS) against a running SSH daemon.'\n describe sshd_config do\n its('MaxStartups') { should eq('10:30:100') }\n end\nend\n","source_location":{"line":226,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration MaxStartups should eq \"10:30:100\"","run_time":0.0009,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"10:30:100\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-22","title":"Server: Enable PubkeyAuthentication","desc":"Prefer public key authentication mechanisms, because other methods are weaker (e.g. passwords).","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-22' do\n impact 1.0\n title 'Server: Enable PubkeyAuthentication'\n desc 'Prefer public key authentication mechanisms, because other methods are weaker (e.g. 
passwords).'\n describe sshd_config do\n its('PubkeyAuthentication') { should eq('yes') }\n end\nend\n","source_location":{"line":235,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration PubkeyAuthentication should eq \"yes\"","run_time":0.000918,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-23","title":"Server: Disable IgnoreRhosts","desc":"Ignore legacy .rhosts configuration, because rhosts are a weak way to authenticate systems and provide attacker more ways to enter the system.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-23' do\n impact 1.0\n title 'Server: Disable IgnoreRhosts'\n desc 'Ignore legacy .rhosts configuration, because rhosts are a weak way to authenticate systems and provide attacker more ways to enter the system.'\n describe sshd_config do\n its('IgnoreRhosts') { should eq('yes') }\n end\nend\n","source_location":{"line":244,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration IgnoreRhosts should eq \"yes\"","run_time":0.000871,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-24","title":"Server: Enable IgnoreUserKnownHosts","desc":"This option is a weak way for authentication and provide attacker more ways to enter the system.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-24' do\n impact 1.0\n title 'Server: Enable IgnoreUserKnownHosts'\n desc 'This option is a weak way for authentication and provide attacker more ways to enter the system.'\n describe sshd_config do\n its('IgnoreUserKnownHosts') { should eq('yes') }\n end\nend\n","source_location":{"line":253,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration IgnoreUserKnownHosts should eq 
\"yes\"","run_time":0.000892,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-25","title":"Server: Disable HostbasedAuthentication","desc":"This option is a weak way for authentication and provide attacker more ways to enter the system.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-25' do\n impact 1.0\n title 'Server: Disable HostbasedAuthentication'\n desc 'This option is a weak way for authentication and provide attacker more ways to enter the system.'\n describe sshd_config do\n its('HostbasedAuthentication') { should eq('no') }\n end\nend\n","source_location":{"line":262,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration HostbasedAuthentication should eq \"no\"","run_time":0.000703,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-27","title":"Server: Disable password-based authentication","desc":"Avoid password-based authentications.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-27' do\n impact 1.0\n title 'Server: Disable password-based authentication'\n desc 'Avoid password-based authentications.'\n describe sshd_config do\n its('PasswordAuthentication') { should eq('no') }\n end\nend\n","source_location":{"line":271,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"passed","code_desc":"SSHD Configuration PasswordAuthentication should eq \"no\"","run_time":0.000749,"start_time":"2018-04-19T00:38:29-06:00"}]},{"id":"sshd-28","title":"Server: Disable PermitEmptyPasswords","desc":"Accounts should be protected and users should be accountable. For this reason the usage of empty passwords should never be allowed.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-28' do\n impact 1.0\n title 'Server: Disable PermitEmptyPasswords'\n desc 'Accounts should be protected and users should be accountable. 
For this reason the usage of empty passwords should never be allowed.'\n describe sshd_config do\n its('PermitEmptyPasswords') { should eq('no') }\n end\nend\n","source_location":{"line":280,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration PermitEmptyPasswords should eq \"no\"","run_time":0.000864,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-29","title":"Server: Disable ChallengeResponseAuthentication","desc":"Avoid challenge-response and password-based authentications.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-29' do\n impact 1.0\n title 'Server: Disable ChallengeResponseAuthentication'\n desc 'Avoid challenge-response and password-based authentications.'\n describe sshd_config do\n its('ChallengeResponseAuthentication') { should eq('no') }\n end\nend\n","source_location":{"line":289,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"passed","code_desc":"SSHD Configuration ChallengeResponseAuthentication should eq \"no\"","run_time":0.00092,"start_time":"2018-04-19T00:38:29-06:00"}]},{"id":"sshd-30","title":"Server: Disable Kerberos","desc":"Avoid kerberos authentication.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-30' do\n impact 1.0\n title 'Server: Disable Kerberos'\n desc 'Avoid kerberos authentication.'\n describe sshd_config do\n its('KerberosAuthentication') { should eq('no') }\n end\nend\n","source_location":{"line":298,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration KerberosAuthentication should eq \"no\"","run_time":0.001131,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-31","title":"Server: Disable Kerberos or Local Password","desc":"Avoid kerberos authentication because it use password-based authentication as 
fallback.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-31' do\n impact 1.0\n title 'Server: Disable Kerberos or Local Password'\n desc 'Avoid kerberos authentication because it use password-based authentication as fallback.'\n describe sshd_config do\n its('KerberosOrLocalPasswd') { should eq('no') }\n end\nend\n","source_location":{"line":307,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration KerberosOrLocalPasswd should eq \"no\"","run_time":0.00095,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-32","title":"Server: Enable KerberosTicketCleanup","desc":"Specifies whether to automatically destroy the user's ticket cache file on logout.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-32' do\n impact 1.0\n title 'Server: Enable KerberosTicketCleanup'\n desc \"Specifies whether to automatically destroy the user's ticket cache file on logout.\"\n describe sshd_config do\n its('KerberosTicketCleanup') { should eq('yes') }\n end\nend\n","source_location":{"line":316,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration KerberosTicketCleanup should eq \"yes\"","run_time":0.000887,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-33","title":"Server: Disable GSSAPIAuthentication","desc":"If you do not use GSSAPI authentication then disable it.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-33' do\n impact 1.0\n title 'Server: Disable GSSAPIAuthentication'\n desc 'If you do not use GSSAPI authentication then disable it.'\n describe sshd_config do\n its('GSSAPIAuthentication') { should eq('no') }\n end\nend\n","source_location":{"line":325,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration GSSAPIAuthentication should eq 
\"no\"","run_time":0.000738,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-34","title":"Server: Enable GSSAPICleanupCredentials","desc":"Automatically destroy the user's credentials cache on logout.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-34' do\n impact 1.0\n title 'Server: Enable GSSAPICleanupCredentials'\n desc \"Automatically destroy the user's credentials cache on logout.\"\n describe sshd_config do\n its('GSSAPICleanupCredentials') { should eq('yes') }\n end\nend\n","source_location":{"line":334,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration GSSAPICleanupCredentials should eq \"yes\"","run_time":0.000876,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-35","title":"Server: Disable TCPKeepAlive","desc":"Avoid the TCPKeepAlive messages to see if the client is still alive, because they are sent over unencrypted connection and are spoofable.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-35' do\n impact 1.0\n title 'Server: Disable TCPKeepAlive'\n desc 'Avoid the TCPKeepAlive messages to see if the client is still alive, because they are sent over unencrypted connection and are spoofable.'\n describe sshd_config do\n its('TCPKeepAlive') { should eq('no') }\n end\nend\n","source_location":{"line":343,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration TCPKeepAlive should eq \"no\"","run_time":0.000969,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-36","title":"Server: Set a client alive interval","desc":"ClientAlive messages are sent over encrypted connection and are not spoofable.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-36' do\n impact 1.0\n title 'Server: Set a client alive 
interval'\n desc 'ClientAlive messages are sent over encrypted connection and are not spoofable.'\n describe sshd_config do\n its('ClientAliveInterval') { should eq('300') }\n end\nend\n","source_location":{"line":352,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration ClientAliveInterval should eq \"300\"","run_time":0.001,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"300\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-37","title":"Server: Configure a few client alive counters","desc":"This indicates the total number of checkalive message sent by the ssh server without getting any response from the ssh client. ClientAlive messages are sent over encrypted connection and are not spoofable.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-37' do\n impact 1.0\n title 'Server: Configure a few client alive counters'\n desc 'This indicates the total number of checkalive message sent by the ssh server without getting any response from the ssh client. 
ClientAlive messages are sent over encrypted connection and are not spoofable.'\n describe sshd_config do\n its('ClientAliveCountMax') { should eq('3') }\n end\nend\n","source_location":{"line":361,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration ClientAliveCountMax should eq \"3\"","run_time":0.000905,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"3\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-38","title":"Server: Disable tunnels","desc":"Avoid to use tunnels.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-38' do\n impact 1.0\n title 'Server: Disable tunnels'\n desc 'Avoid to use tunnels.'\n describe sshd_config do\n its('PermitTunnel') { should eq('no') }\n end\nend\n","source_location":{"line":370,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration PermitTunnel should eq \"no\"","run_time":0.000887,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-39","title":"Server: Disable TCP forwarding","desc":"If you use TCP forwarding in an uncontrolled manner then you can bypass the firewalls","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-39' do\n impact 1.0\n title 'Server: Disable TCP forwarding'\n desc 'If you use TCP forwarding in an uncontrolled manner then you can bypass the firewalls'\n describe sshd_config do\n its('AllowTcpForwarding') { should eq('no') }\n end\nend\n","source_location":{"line":379,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration AllowTcpForwarding should eq \"no\"","run_time":0.000859,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-40","title":"Server: Disable Agent forwarding","desc":"Users with the ability to bypass file permissions on the remote host (for the 
agent's UNIX-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-40' do\n impact 1.0\n title 'Server: Disable Agent forwarding'\n desc \"Users with the ability to bypass file permissions on the remote host (for the agent's UNIX-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.\"\n describe sshd_config do\n its('AllowAgentForwarding') { should eq('no') }\n end\nend\n","source_location":{"line":388,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration AllowAgentForwarding should eq \"no\"","run_time":0.000907,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-41","title":"Server: Disable gateway ports","desc":"Prevent remote hosts from connecting to forwarded ports on the node.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-41' do\n impact 1.0\n title 'Server: Disable gateway ports'\n desc 'Prevent remote hosts from connecting to forwarded ports on the node.'\n describe sshd_config do\n its('GatewayPorts') { should eq('no') }\n end\nend\n","source_location":{"line":397,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration GatewayPorts should eq \"no\"","run_time":0.000733,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-42","title":"Server: Disable X11Forwarding","desc":"Prevent X11 forwarding by default, as it can be used in a limited way to 
enable attacks.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-42' do\n impact 1.0\n title 'Server: Disable X11Forwarding'\n desc 'Prevent X11 forwarding by default, as it can be used in a limited way to enable attacks.'\n describe sshd_config do\n its('X11Forwarding') { should eq('no') }\n end\nend\n","source_location":{"line":406,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration X11Forwarding should eq \"no\"","run_time":0.001072,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"no\"\n got: \"yes\"\n\n(compared using ==)\n"}]},{"id":"sshd-43","title":"Server: Enable X11UseLocalhost","desc":"SSH daemon should bind the X11 forwarding server to the loopback address. This prevents remote hosts from connecting to the proxy display and reduce the attack surface","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-43' do\n impact 1.0\n title 'Server: Enable X11UseLocalhost'\n desc 'SSH daemon should bind the X11 forwarding server to the loopback address. 
This prevents remote hosts from connecting to the proxy display and reduce the attack surface'\n describe sshd_config do\n its('X11UseLocalhost') { should eq('yes') }\n end\nend\n","source_location":{"line":415,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration X11UseLocalhost should eq \"yes\"","run_time":0.000948,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"yes\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-44","title":"Server: Disable PrintMotd","desc":"This specifies that the SSH daemon itself should not read and display the message of the day file.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-44' do\n impact 1.0\n title 'Server: Disable PrintMotd'\n desc 'This specifies that the SSH daemon itself should not read and display the message of the day file.'\n describe sshd_config do\n its('PrintMotd') { should eq('no') }\n end\nend\n","source_location":{"line":424,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration PrintMotd should eq \"no\"","run_time":0.001118,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"no\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-45","title":"Server: PrintLastLog","desc":"This tells the SSH daemon to print out information about the last time you logged in.","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-45' do\n impact 1.0\n title 'Server: PrintLastLog'\n desc 'This tells the SSH daemon to print out information about the last time you logged in.'\n describe sshd_config do\n its('PrintLastLog') { should eq('no') }\n end\nend\n","source_location":{"line":433,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration PrintLastLog should eq \"no\"","run_time":0.001426,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"no\"\n got: \"yes\"\n\n(compared using 
==)\n"}]},{"id":"sshd-46","title":"Server: Banner","desc":"Specifies a banner file to serve before authentication succeeds","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-46' do\n impact 1.0\n title 'Server: Banner'\n desc 'Specifies a banner file to serve before authentication succeeds'\n describe sshd_config do\n its('Banner') { should eq('none') }\n end\nend\n","source_location":{"line":442,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"SSHD Configuration Banner should eq \"none\"","run_time":0.001002,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: \"none\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"sshd-47","title":"Server: DebianBanner","desc":"Specifies whether to include OS distribution in version information","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-47' do\n impact 1.0\n title 'Server: DebianBanner'\n desc 'Specifies whether to include OS distribution in version information'\n case os[:family]\n when 'debian' then\n describe sshd_config do\n its('DebianBanner') { should eq('no') }\n end\n else\n describe sshd_config do\n its('content') { should_not match(/DebianBanner/) }\n end\n end\nend\n","source_location":{"line":451,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"passed","code_desc":"SSHD Configuration content should not match /DebianBanner/","run_time":0.000121,"start_time":"2018-04-19T00:38:29-06:00"}]},{"id":"sshd-48","title":"Server: DH primes","desc":"Verifies if strong DH primes are used in /etc/ssh/moduli","impact":1.0,"refs":[],"tags":{},"code":"control 'sshd-48' do\n impact 1.0\n title 'Server: DH primes'\n desc 'Verifies if strong DH primes are used in /etc/ssh/moduli'\n describe command(\"test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0\") do\n its('exit_status') { should eq 0 }\n its('stdout') { should eq '' }\n its('stderr') { should eq '' }\n 
end\nend\n","source_location":{"line":467,"ref":"ssh-baseline-master/controls/sshd_spec.rb"},"results":[{"status":"failed","code_desc":"Command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 exit_status should eq 0","run_time":0.151694,"start_time":"2018-04-19T00:38:29-06:00","message":"\nexpected: 0\n got: 1\n\n(compared using ==)\n"},{"status":"passed","code_desc":"Command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 stdout should eq \"\"","run_time":0.000212,"start_time":"2018-04-19T00:38:29-06:00"},{"status":"passed","code_desc":"Command test $(awk '$5 < 2047 && $5 ~ /^[0-9]+$/ { print $5 }' /etc/ssh/moduli | uniq | wc -c) -eq 0 stderr should eq \"\"","run_time":0.000167,"start_time":"2018-04-19T00:38:29-06:00"}]}]},{"name":"linux-baseline","version":"2.2.0","sha256":"36c8083c0bae5155310b34632e4947754404fd8256f1b75dd07df969d3b41d64","title":"DevSec Linux Security Baseline","maintainer":"DevSec Hardening Framework Team","summary":"Test suite for best practice Linux OS hardening","license":"Apache-2.0","copyright":"DevSec Hardening Framework Team","copyright_email":"[email protected]","supports":[{"os-family":"linux"}],"attributes":[{"name":"login_defs_umask","options":{"default":"077","description":"Default umask to set in login.defs"}},{"name":"login_defs_passmaxdays","options":{"default":"60","description":"Default password maxdays to set in login.defs"}},{"name":"login_defs_passmindays","options":{"default":"7","description":"Default password mindays to set in login.defs"}},{"name":"login_defs_passwarnage","options":{"default":"7","description":"Default password warnage (days) to set in 
login.defs"}},{"name":"blacklist","options":{"default":["/usr/bin/rcp","/usr/bin/rlogin","/usr/bin/rsh","/usr/libexec/openssh/ssh-keysign","/usr/lib/openssh/ssh-keysign","/sbin/netreport","/usr/sbin/usernetctl","/usr/sbin/userisdnctl","/usr/sbin/pppd","/usr/bin/lockfile","/usr/bin/mail-lock","/usr/bin/mail-unlock","/usr/bin/mail-touchlock","/usr/bin/dotlockfile","/usr/bin/arping","/usr/sbin/arping","/usr/sbin/uuidd","/usr/bin/mtr","/usr/lib/evolution/camel-lock-helper-1.2","/usr/lib/pt_chown","/usr/lib/eject/dmcrypt-get-device","/usr/lib/mc/cons.saver"],"description":"blacklist of suid/sgid program on system"}},{"name":"syslog_pkg","options":{"default":"rsyslog","description":"syslog package to ensure present (default: rsyslog, alternative: syslog-ng..."}},{"name":"sysctl_forwarding","options":{"default":false,"description":"Is network forwarding needed?"}},{"name":"kernel_modules_disabled","options":{"default":0,"description":"Should loading of kernel modules be disabled?"}}],"groups":[{"id":"controls/os_spec.rb","controls":["os-01","os-02","os-03","os-04","os-05","os-05b","os-06","os-07","os-08","os-09","os-10","os-11"]},{"id":"controls/package_spec.rb","controls":["package-01","package-02","package-03","package-05","package-06","package-07","package-08","package-09"]},{"id":"controls/sysctl_spec.rb","controls":["sysctl-01","sysctl-02","sysctl-03","sysctl-04","sysctl-05","sysctl-06","sysctl-07","sysctl-08","sysctl-09","sysctl-10","sysctl-11","sysctl-12","sysctl-13","sysctl-14","sysctl-15","sysctl-16","sysctl-17","sysctl-18","sysctl-19","sysctl-20","sysctl-21","sysctl-22","sysctl-23","sysctl-24","sysctl-25","sysctl-26","sysctl-27","sysctl-28","sysctl-29","sysctl-30","sysctl-31a","sysctl-31b","sysctl-32","sysctl-33"]}],"controls":[{"id":"os-01","title":"Trusted hosts login","desc":"hosts.equiv file is a weak implemenation of authentication. 
Disabling the hosts.equiv support helps to prevent users from subverting the system's normal access control mechanisms of the system.","impact":1.0,"refs":[],"tags":{},"code":"control 'os-01' do\n impact 1.0\n title 'Trusted hosts login'\n desc \"hosts.equiv file is a weak implemenation of authentication. Disabling the hosts.equiv support helps to prevent users from subverting the system's normal access control mechanisms of the system.\"\n describe file('/etc/hosts.equiv') do\n it { should_not exist }\n end\nend\n","source_location":{"line":38,"ref":"linux-baseline-master/controls/os_spec.rb"},"results":[{"status":"passed","code_desc":"File /etc/hosts.equiv should not exist","run_time":0.195417,"start_time":"2018-04-19T00:38:29-06:00"}]},{"id":"os-02","title":"Check owner and permissions for /etc/shadow","desc":"Check periodically the owner and permissions for /etc/shadow","impact":1.0,"refs":[],"tags":{},"code":"control 'os-02' do\n impact 1.0\n title 'Check owner and permissions for /etc/shadow'\n desc 'Check periodically the owner and permissions for /etc/shadow'\n describe file('/etc/shadow') do\n it { should exist }\n it { should be_file }\n it { should be_owned_by 'root' }\n its('group') { should eq shadow_group }\n it { should_not be_executable }\n it { should_not be_readable.by('other') }\n end\n if os.redhat? || os.name == 'fedora'\n describe file('/etc/shadow') do\n it { should_not be_writable.by('owner') }\n it { should_not be_readable.by('owner') }\n end\n else\n describe file('/etc/shadow') do\n it { should be_writable.by('owner') }\n it { should be_readable.by('owner') }\n end\n end\n if os.debian? 
|| os.suse?\n describe file('/etc/shadow') do\n it { should be_readable.by('group') }\n end\n else\n describe file('/etc/shadow') do\n it { should_not be_readable.by('group') }\n end\n end\nend\n","source_location":{"line":47,"ref":"linux-baseline-master/controls/os_spec.rb"},"results":[{"status":"passed","code_desc":"File /etc/shadow should exist","run_time":0.198498,"start_time":"2018-04-19T00:38:29-06:00"},{"status":"passed","code_desc":"File /etc/shadow should be file","run_time":0.190971,"start_time":"2018-04-19T00:38:29-06:00"},{"status":"passed","code_desc":"File /etc/shadow should be owned by \"root\"","run_time":0.000427,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"File /etc/shadow should not be executable","run_time":0.000125,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"File /etc/shadow should not be readable by other","run_time":0.000108,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"File /etc/shadow group should eq \"root\"","run_time":8.6e-05,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"File /etc/shadow should not be writable by owner","run_time":0.000347,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"File /etc/shadow should not be readable by owner","run_time":0.000114,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"File /etc/shadow should not be readable by group","run_time":0.000284,"start_time":"2018-04-19T00:38:30-06:00"}]},{"id":"os-03","title":"Check owner and permissions for /etc/passwd","desc":"Check periodically the owner and permissions for /etc/passwd","impact":1.0,"refs":[],"tags":{},"code":"control 'os-03' do\n impact 1.0\n title 'Check owner and permissions for /etc/passwd'\n desc 'Check periodically the owner and permissions for /etc/passwd'\n describe file('/etc/passwd') do\n it { should exist }\n it { should be_file }\n it { should be_owned_by 'root' }\n its('group') { 
should eq 'root' }\n it { should_not be_executable }\n it { should be_writable.by('owner') }\n it { should_not be_writable.by('group') }\n it { should_not be_writable.by('other') }\n it { should be_readable.by('owner') }\n it { should be_readable.by('group') }\n it { should be_readable.by('other') }\n end\nend\n","source_location":{"line":81,"ref":"linux-baseline-master/controls/os_spec.rb"},"results":[{"status":"passed","code_desc":"File /etc/passwd should exist","run_time":0.197531,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"File /etc/passwd should be file","run_time":0.000228,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"File /etc/passwd should be owned by \"root\"","run_time":0.000469,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"File /etc/passwd should not be executable","run_time":0.00034,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"File /etc/passwd should be writable by owner","run_time":0.000195,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"File /etc/passwd should not be writable by group","run_time":0.000197,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"File /etc/passwd should not be writable by other","run_time":0.0002,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"File /etc/passwd should be readable by owner","run_time":0.000177,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"File /etc/passwd should be readable by group","run_time":0.000447,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"File /etc/passwd should be readable by other","run_time":0.000168,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"File /etc/passwd group should eq \"root\"","run_time":0.000182,"start_time":"2018-04-19T00:38:30-06:00"}]},{"id":"os-04","title":"Dot in PATH variable","desc":"Do not include the current 
working directory in PATH variable. This makes it easier for an attacker to gain extensive rigths by executing a Trojan program","impact":1.0,"refs":[],"tags":{},"code":"control 'os-04' do\n impact 1.0\n title 'Dot in PATH variable'\n desc 'Do not include the current working directory in PATH variable. This makes it easier for an attacker to gain extensive rigths by executing a Trojan program'\n describe os_env('PATH') do\n its('split') { should_not include('') }\n its('split') { should_not include('.') }\n end\nend\n","source_location":{"line":100,"ref":"linux-baseline-master/controls/os_spec.rb"},"results":[{"status":"passed","code_desc":"Environment variable PATH split should not include \"\"","run_time":0.192185,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"Environment variable PATH split should not include \".\"","run_time":0.000587,"start_time":"2018-04-19T00:38:30-06:00"}]},{"id":"os-05","title":"Check login.defs","desc":"Check owner and permissions for login.defs. Also check the configured PATH variable and umask in login.defs","impact":1.0,"refs":[],"tags":{},"code":"control 'os-05' do\n impact 1.0\n title 'Check login.defs'\n desc 'Check owner and permissions for login.defs. 
Also check the configured PATH variable and umask in login.defs'\n describe file('/etc/login.defs') do\n it { should exist }\n it { should be_file }\n it { should be_owned_by 'root' }\n its('group') { should eq 'root' }\n it { should_not be_executable }\n it { should be_readable.by('owner') }\n it { should be_readable.by('group') }\n it { should be_readable.by('other') }\n end\n describe login_defs do\n its('ENV_SUPATH') { should include('/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin') }\n its('ENV_PATH') { should include('/usr/local/bin:/usr/bin:/bin') }\n its('UMASK') { should include(login_defs_umask) }\n its('PASS_MAX_DAYS') { should eq login_defs_passmaxdays }\n its('PASS_MIN_DAYS') { should eq login_defs_passmindays }\n its('PASS_WARN_AGE') { should eq login_defs_passwarnage }\n its('LOGIN_RETRIES') { should eq '5' }\n its('LOGIN_TIMEOUT') { should eq '60' }\n its('UID_MIN') { should eq '1000' }\n its('GID_MIN') { should eq '1000' }\n end\nend\n","source_location":{"line":110,"ref":"linux-baseline-master/controls/os_spec.rb"},"results":[{"status":"passed","code_desc":"File /etc/login.defs should exist","run_time":0.196352,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"File /etc/login.defs should be file","run_time":0.000176,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"File /etc/login.defs should be owned by \"root\"","run_time":0.000412,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"File /etc/login.defs should not be executable","run_time":0.000153,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"File /etc/login.defs should be readable by owner","run_time":0.000107,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"File /etc/login.defs should be readable by group","run_time":9.9e-05,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"File /etc/login.defs should be readable by 
other","run_time":0.000304,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"passed","code_desc":"File /etc/login.defs group should eq \"root\"","run_time":0.000105,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"failed","code_desc":"login.defs ENV_SUPATH should include \"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"","run_time":0.000862,"start_time":"2018-04-19T00:38:30-06:00","message":"expected nil to include \"/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\", but it does not respond to `include?`"},{"status":"failed","code_desc":"login.defs ENV_PATH should include \"/usr/local/bin:/usr/bin:/bin\"","run_time":0.000239,"start_time":"2018-04-19T00:38:30-06:00","message":"expected nil to include \"/usr/local/bin:/usr/bin:/bin\", but it does not respond to `include?`"},{"status":"passed","code_desc":"login.defs UMASK should include \"077\"","run_time":0.000105,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"failed","code_desc":"login.defs PASS_MAX_DAYS should eq \"60\"","run_time":0.000337,"start_time":"2018-04-19T00:38:30-06:00","message":"\nexpected: \"60\"\n got: \"99999\"\n\n(compared using ==)\n"},{"status":"failed","code_desc":"login.defs PASS_MIN_DAYS should eq \"7\"","run_time":0.000129,"start_time":"2018-04-19T00:38:30-06:00","message":"\nexpected: \"7\"\n got: \"0\"\n\n(compared using ==)\n"},{"status":"passed","code_desc":"login.defs PASS_WARN_AGE should eq \"7\"","run_time":0.000112,"start_time":"2018-04-19T00:38:30-06:00"},{"status":"failed","code_desc":"login.defs LOGIN_RETRIES should eq \"5\"","run_time":0.000368,"start_time":"2018-04-19T00:38:30-06:00","message":"\nexpected: \"5\"\n got: nil\n\n(compared using ==)\n"},{"status":"failed","code_desc":"login.defs LOGIN_TIMEOUT should eq \"60\"","run_time":0.000122,"start_time":"2018-04-19T00:38:30-06:00","message":"\nexpected: \"60\"\n got: nil\n\n(compared using ==)\n"},{"status":"failed","code_desc":"login.defs UID_MIN should eq 
\"1000\"","run_time":0.000127,"start_time":"2018-04-19T00:38:30-06:00","message":"\nexpected: \"1000\"\n got: \"500\"\n\n(compared using ==)\n"},{"status":"failed","code_desc":"login.defs GID_MIN should eq \"1000\"","run_time":0.000127,"start_time":"2018-04-19T00:38:30-06:00","message":"\nexpected: \"1000\"\n got: \"500\"\n\n(compared using ==)\n"}]},{"id":"os-05b","title":"Check login.defs - RedHat specific","desc":"Check owner and permissions for login.defs. Also check the configured PATH variable and umask in login.defs","impact":1.0,"refs":[],"tags":{},"code":"control 'os-05b' do\n impact 1.0\n title 'Check login.defs - RedHat specific'\n desc 'Check owner and permissions for login.defs. Also check the configured PATH variable and umask in login.defs'\n describe file('/etc/login.defs') do\n it { should_not be_writable }\n end\n describe login_defs do\n its('SYS_UID_MIN') { should eq '201' }\n its('SYS_UID_MAX') { should eq '999' }\n its('SYS_GID_MIN') { should eq '201' }\n its('SYS_GID_MAX') { should eq '999' }\n end\n only_if { os.redhat? 
}\nend\n","source_location":{"line":138,"ref":"linux-baseline-master/controls/os_spec.rb"},"results":[{"status":"failed","code_desc":"File /etc/login.defs should not be writable","run_time":0.000175,"start_time":"2018-04-19T00:38:30-06:00","message":"expected File /etc/login.defs not to be writable"},{"status":"failed","code_desc":"login.defs SYS_UID_MIN should eq \"201\"","run_time":0.000781,"start_time":"2018-04-19T00:38:30-06:00","message":"\nexpected: \"201\"\n got: nil\n\n(compared using ==)\n"},{"status":"failed","code_desc":"login.defs SYS_UID_MAX should eq \"999\"","run_time":0.000133,"start_time":"2018-04-19T00:38:30-06:00","message":"\nexpected: \"999\"\n got: nil\n\n(compared using ==)\n"},{"status":"failed","code_desc":"login.defs SYS_GID_MIN should eq \"201\"","run_time":0.000117,"start_time":"2018-04-19T00:38:30-06:00","message":"\nexpected: \"201\"\n got: nil\n\n(compared using ==)\n"},{"status":"failed","code_desc":"login.defs SYS_GID_MAX should eq \"999\"","run_time":0.000114,"start_time":"2018-04-19T00:38:30-06:00","message":"\nexpected: \"999\"\n got: nil\n\n(compared using ==)\n"}]},{"id":"os-06","title":"Check for SUID/ SGID blacklist","desc":"Find blacklisted SUID and SGID files to ensure that no rogue SUID and SGID files have been introduced into the system","impact":1.0,"refs":[],"tags":{},"code":"control 'os-06' do\n impact 1.0\n title 'Check for SUID/ SGID blacklist'\n desc 'Find blacklisted SUID and SGID files to ensure that no rogue SUID and SGID files have been introduced into the system'\n\n describe suid_check(blacklist) do\n its('diff') { should be_empty }\n end\nend\n","source_location":{"line":154,"ref":"linux-baseline-master/controls/os_spec.rb"},"results":[{"status":"failed","code_desc":"suid_check diff should be empty","run_time":0.509349,"start_time":"2018-04-19T00:38:30-06:00","message":"expected `[\"/sbin/netreport\", \"/usr/libexec/openssh/ssh-keysign\", \"/usr/bin/lockfile\"].empty?` to return true, got 
false"}]},{"id":"os-07","title":"Unique uid and gid","desc":"Check for unique uids gids","impact":1.0,"refs":[],"tags":{},"code":"control 'os-07' do\n impact 1.0\n title 'Unique uid and gid'\n desc 'Check for unique uids gids'\n describe passwd do\n its('uids') { should_not contain_duplicates }\n end\n describe etc_group do\n its('gids') { should_not contain_duplicates }\n end\nend\n","source_location":{"line":164,"ref":"linux-baseline-master/controls/os_spec.rb"},"results":[{"status":"passed","code_desc":"/etc/passwd uids should not contain duplicates","run_time":0.000355,"start_time":"2018-04-19T00:38:31-06:00"},{"status":"passed","code_desc":"/etc/group gids should not contain duplicates","run_time":0.000368,"start_time":"2018-04-19T00:38:31-06:00"}]},{"id":"os-08","title":"Entropy","desc":"Check system has enough entropy - greater than 1000","impact":1.0,"refs":[],"tags":{},"code":"control 'os-08' do\n impact 1.0\n title 'Entropy'\n desc 'Check system has enough entropy - greater than 1000'\n describe file('/proc/sys/kernel/random/entropy_avail').content.to_i do\n it { should >= 1000 }\n end\nend\n","source_location":{"line":176,"ref":"linux-baseline-master/controls/os_spec.rb"},"results":[{"status":"passed","code_desc":"3121 should >= 1000","run_time":0.003201,"start_time":"2018-04-19T00:38:31-06:00"}]},{"id":"os-09","title":"Check for .rhosts and .netrc file","desc":"Find .rhosts and .netrc files - CIS Benchmark 9.2.9-10","impact":1.0,"refs":[],"tags":{},"code":"control 'os-09' do\n impact 1.0\n title 'Check for .rhosts and .netrc file'\n desc 'Find .rhosts and .netrc files - CIS Benchmark 9.2.9-10'\n output = command('find / -maxdepth 3 \\( -iname .rhosts -o -iname .netrc \\) -print 2>/dev/null | grep -v \\'^find:\\'')\n out = output.stdout.split(/\\r?\\n/)\n describe out do\n it { should be_empty }\n end\nend\n","source_location":{"line":185,"ref":"linux-baseline-master/controls/os_spec.rb"},"results":[{"status":"passed","code_desc":"[] should be 
empty","run_time":0.00011,"start_time":"2018-04-19T00:38:31-06:00"}]},{"id":"os-10","title":"CIS: Disable unused filesystems","desc":"1.1.1 Ensure mounting of cramfs, freevxfs, jffs2, hfs, hfsplus, squashfs, udf, FAT","impact":1.0,"refs":[],"tags":{},"code":"control 'os-10' do\n impact 1.0\n title 'CIS: Disable unused filesystems'\n desc '1.1.1 Ensure mounting of cramfs, freevxfs, jffs2, hfs, hfsplus, squashfs, udf, FAT'\n only_if { !container_execution }\n describe file('/etc/modprobe.d/dev-sec.conf') do\n its(:content) { should match 'install cramfs /bin/true' }\n its(:content) { should match 'install freevxfs /bin/true' }\n its(:content) { should match 'install jffs2 /bin/true' }\n its(:content) { should match 'install hfs /bin/true' }\n its(:content) { should match 'install hfsplus /bin/true' }\n its(:content) { should match 'install squashfs /bin/true' }\n its(:content) { should match 'install udf /bin/true' }\n its(:content) { should match 'install vfat /bin/true' }\n end\nend\n","source_location":{"line":196,"ref":"linux-baseline-master/controls/os_spec.rb"},"results":[{"status":"failed","code_desc":"File /etc/modprobe.d/dev-sec.conf content should match \"install cramfs /bin/true\"","run_time":0.314917,"start_time":"2018-04-19T00:38:31-06:00","message":"expected nil to match \"install cramfs /bin/true\""},{"status":"failed","code_desc":"File /etc/modprobe.d/dev-sec.conf content should match \"install freevxfs /bin/true\"","run_time":0.000162,"start_time":"2018-04-19T00:38:31-06:00","message":"expected nil to match \"install freevxfs /bin/true\""},{"status":"failed","code_desc":"File /etc/modprobe.d/dev-sec.conf content should match \"install jffs2 /bin/true\"","run_time":0.00012,"start_time":"2018-04-19T00:38:31-06:00","message":"expected nil to match \"install jffs2 /bin/true\""},{"status":"failed","code_desc":"File /etc/modprobe.d/dev-sec.conf content should match \"install hfs 
/bin/true\"","run_time":0.000156,"start_time":"2018-04-19T00:38:31-06:00","message":"expected nil to match \"install hfs /bin/true\""},{"status":"failed","code_desc":"File /etc/modprobe.d/dev-sec.conf content should match \"install hfsplus /bin/true\"","run_time":0.000239,"start_time":"2018-04-19T00:38:31-06:00","message":"expected nil to match \"install hfsplus /bin/true\""},{"status":"failed","code_desc":"File /etc/modprobe.d/dev-sec.conf content should match \"install squashfs /bin/true\"","run_time":0.000123,"start_time":"2018-04-19T00:38:31-06:00","message":"expected nil to match \"install squashfs /bin/true\""},{"status":"failed","code_desc":"File /etc/modprobe.d/dev-sec.conf content should match \"install udf /bin/true\"","run_time":0.00012,"start_time":"2018-04-19T00:38:31-06:00","message":"expected nil to match \"install udf /bin/true\""},{"status":"failed","code_desc":"File /etc/modprobe.d/dev-sec.conf content should match \"install vfat /bin/true\"","run_time":0.000156,"start_time":"2018-04-19T00:38:31-06:00","message":"expected nil to match \"install vfat /bin/true\""}]},{"id":"os-11","title":"Protect log-directory","desc":"The log-directory /var/log should belong to root","impact":1.0,"refs":[],"tags":{},"code":"control 'os-11' do\n impact 1.0\n title 'Protect log-directory'\n desc 'The log-directory /var/log should belong to root'\n describe file('/var/log') do\n it { should be_directory }\n it { should be_owned_by 'root' }\n it { should be_grouped_into log_dir_group }\n end\nend\n","source_location":{"line":213,"ref":"linux-baseline-master/controls/os_spec.rb"},"results":[{"status":"passed","code_desc":"File /var/log should be directory","run_time":0.195123,"start_time":"2018-04-19T00:38:31-06:00"},{"status":"passed","code_desc":"File /var/log should be owned by \"root\"","run_time":0.000333,"start_time":"2018-04-19T00:38:31-06:00"},{"status":"passed","code_desc":"File /var/log should be grouped into 
\"root\"","run_time":0.000167,"start_time":"2018-04-19T00:38:31-06:00"}]},{"id":"package-01","title":"Do not run deprecated inetd or xinetd","desc":"http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.1","impact":1.0,"refs":[],"tags":{},"code":"control 'package-01' do\n impact 1.0\n title 'Do not run deprecated inetd or xinetd'\n desc 'http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.1'\n describe package('inetd') do\n it { should_not be_installed }\n end\n describe package('xinetd') do\n it { should_not be_installed }\n end\nend\n","source_location":{"line":23,"ref":"linux-baseline-master/controls/package_spec.rb"},"results":[{"status":"passed","code_desc":"System Package inetd should not be installed","run_time":0.367291,"start_time":"2018-04-19T00:38:31-06:00"},{"status":"passed","code_desc":"System Package xinetd should not be installed","run_time":0.360476,"start_time":"2018-04-19T00:38:32-06:00"}]},{"id":"package-02","title":"Do not install Telnet server","desc":"Telnet protocol uses unencrypted communication, that means the password and other sensitive data are unencrypted. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.2","impact":1.0,"refs":[],"tags":{},"code":"control 'package-02' do\n impact 1.0\n title 'Do not install Telnet server'\n desc 'Telnet protocol uses unencrypted communication, that means the password and other sensitive data are unencrypted. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.2'\n describe package('telnetd') do\n it { should_not be_installed }\n end\nend\n","source_location":{"line":35,"ref":"linux-baseline-master/controls/package_spec.rb"},"results":[{"status":"passed","code_desc":"System Package telnetd should not be installed","run_time":0.363375,"start_time":"2018-04-19T00:38:32-06:00"}]},{"id":"package-03","title":"Do not install rsh server","desc":"The r-commands suffers same problem as telnet. 
http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.3","impact":1.0,"refs":[],"tags":{},"code":"control 'package-03' do\n impact 1.0\n title 'Do not install rsh server'\n desc 'The r-commands suffers same problem as telnet. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.3'\n describe package('telnetd') do\n it { should_not be_installed }\n end\nend\n","source_location":{"line":44,"ref":"linux-baseline-master/controls/package_spec.rb"},"results":[{"status":"passed","code_desc":"System Package telnetd should not be installed","run_time":0.000219,"start_time":"2018-04-19T00:38:32-06:00"}]},{"id":"package-05","title":"Do not install ypserv server (NIS)","desc":"Network Information Service (NIS) has some security design weaknesses like inadequate protection of important authentication information. http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.4","impact":1.0,"refs":[],"tags":{},"code":"control 'package-05' do\n impact 1.0\n title 'Do not install ypserv server (NIS)'\n desc 'Network Information Service (NIS) has some security design weaknesses like inadequate protection of important authentication information. 
http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.4'\n describe package('ypserv') do\n it { should_not be_installed }\n end\nend\n","source_location":{"line":53,"ref":"linux-baseline-master/controls/package_spec.rb"},"results":[{"status":"passed","code_desc":"System Package ypserv should not be installed","run_time":0.409386,"start_time":"2018-04-19T00:38:32-06:00"}]},{"id":"package-06","title":"Do not install tftp server","desc":"tftp-server provides little security http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.5","impact":1.0,"refs":[],"tags":{},"code":"control 'package-06' do\n impact 1.0\n title 'Do not install tftp server'\n desc 'tftp-server provides little security http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf, Chapter 3.2.5'\n describe package('tftp-server') do\n it { should_not be_installed }\n end\nend\n","source_location":{"line":62,"ref":"linux-baseline-master/controls/package_spec.rb"},"results":[{"status":"passed","code_desc":"System Package tftp-server should not be installed","run_time":0.358297,"start_time":"2018-04-19T00:38:33-06:00"}]},{"id":"package-07","title":"Install syslog server package","desc":"Syslog server is required to receive system and applications logs","impact":1.0,"refs":[],"tags":{},"code":"control 'package-07' do\n impact 1.0\n title 'Install syslog server package'\n desc 'Syslog server is required to receive system and applications logs'\n # Fedora doesn't install with a syslogger out of the box and instead uses\n # systemd journal; as there is there is no affinity towards either rsyslog\n # or syslog-ng, we'll skip this check on Fedora hosts.\n only_if { os.name != 'fedora' && !container_execution }\n describe package(val_syslog_pkg) do\n it { should be_installed }\n end\nend\n","source_location":{"line":71,"ref":"linux-baseline-master/controls/package_spec.rb"},"results":[{"status":"passed","code_desc":"System Package rsyslog should be 
installed","run_time":0.366064,"start_time":"2018-04-19T00:38:33-06:00"}]},{"id":"package-08","title":"Install auditd","desc":"auditd provides extended logging capacities on recent distribution","impact":1.0,"refs":[],"tags":{},"code":"control 'package-08' do\n impact 1.0\n title 'Install auditd'\n desc 'auditd provides extended logging capacities on recent distribution'\n only_if { !container_execution }\n audit_pkg = os.redhat? || os.suse? || os.name == 'amazon' || os.name == 'fedora' ? 'audit' : 'auditd'\n describe package(audit_pkg) do\n it { should be_installed }\n end\n describe auditd_conf do\n its('log_file') { should cmp '/var/log/audit/audit.log' }\n its('log_format') { should cmp 'raw' }\n its('flush') { should match(/^INCREMENTAL|INCREMENTAL_ASYNC$/) }\n its('max_log_file_action') { should cmp 'keep_logs' }\n its('space_left') { should cmp 75 }\n its('action_mail_acct') { should cmp 'root' }\n its('space_left_action') { should cmp 'SYSLOG' }\n its('admin_space_left') { should cmp 50 }\n its('admin_space_left_action') { should cmp 'SUSPEND' }\n its('disk_full_action') { should cmp 'SUSPEND' }\n its('disk_error_action') { should cmp 'SUSPEND' }\n end\nend\n","source_location":{"line":84,"ref":"linux-baseline-master/controls/package_spec.rb"},"results":[{"status":"passed","code_desc":"System Package audit should be installed","run_time":0.361954,"start_time":"2018-04-19T00:38:33-06:00"},{"status":"passed","code_desc":"Audit Daemon Config log_file should cmp == \"/var/log/audit/audit.log\"","run_time":0.00063,"start_time":"2018-04-19T00:38:34-06:00"},{"status":"passed","code_desc":"Audit Daemon Config log_format should cmp == \"raw\"","run_time":0.000269,"start_time":"2018-04-19T00:38:34-06:00"},{"status":"passed","code_desc":"Audit Daemon Config flush should match /^INCREMENTAL|INCREMENTAL_ASYNC$/","run_time":0.000138,"start_time":"2018-04-19T00:38:34-06:00"},{"status":"failed","code_desc":"Audit Daemon Config max_log_file_action should cmp == 
\"keep_logs\"","run_time":0.00022,"start_time":"2018-04-19T00:38:34-06:00","message":"\nexpected: \"keep_logs\"\n got: ROTATE\n\n(compared using `cmp` matcher)\n"},{"status":"passed","code_desc":"Audit Daemon Config space_left should cmp == 75","run_time":0.000186,"start_time":"2018-04-19T00:38:34-06:00"},{"status":"passed","code_desc":"Audit Daemon Config action_mail_acct should cmp == \"root\"","run_time":0.000165,"start_time":"2018-04-19T00:38:34-06:00"},{"status":"passed","code_desc":"Audit Daemon Config space_left_action should cmp == \"SYSLOG\"","run_time":0.000159,"start_time":"2018-04-19T00:38:34-06:00"},{"status":"passed","code_desc":"Audit Daemon Config admin_space_left should cmp == 50","run_time":0.000157,"start_time":"2018-04-19T00:38:34-06:00"},{"status":"passed","code_desc":"Audit Daemon Config admin_space_left_action should cmp == \"SUSPEND\"","run_time":0.000172,"start_time":"2018-04-19T00:38:34-06:00"},{"status":"passed","code_desc":"Audit Daemon Config disk_full_action should cmp == \"SUSPEND\"","run_time":0.000161,"start_time":"2018-04-19T00:38:34-06:00"},{"status":"passed","code_desc":"Audit Daemon Config disk_error_action should cmp == \"SUSPEND\"","run_time":0.000155,"start_time":"2018-04-19T00:38:34-06:00"}]},{"id":"package-09","title":"CIS: Additional process hardening","desc":"1.5.4 Ensure prelink is disabled","impact":1.0,"refs":[],"tags":{},"code":"control 'package-09' do\n impact 1.0\n title 'CIS: Additional process hardening'\n desc '1.5.4 Ensure prelink is disabled'\n describe package('prelink') do\n it { should_not be_installed }\n end\nend\n","source_location":{"line":108,"ref":"linux-baseline-master/controls/package_spec.rb"},"results":[{"status":"passed","code_desc":"System Package prelink should not be installed","run_time":0.364607,"start_time":"2018-04-19T00:38:34-06:00"}]},{"id":"sysctl-01","title":"IPv4 Forwarding","desc":"If you're not intending for your system to forward traffic between interfaces, or if you only have a 
single interface, the forwarding function must be disable.","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-01' do\n impact 1.0\n title 'IPv4 Forwarding'\n desc \"If you're not intending for your system to forward traffic between interfaces, or if you only have a single interface, the forwarding function must be disable.\"\n only_if { sysctl_forwarding == false && !container_execution }\n describe kernel_parameter('net.ipv4.ip_forward') do\n its(:value) { should eq 0 }\n end\n describe kernel_parameter('net.ipv4.conf.all.forwarding') do\n its(:value) { should eq 0 }\n end\nend\n","source_location":{"line":24,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"passed","code_desc":"Kernel Parameter net.ipv4.ip_forward value should eq 0","run_time":0.192118,"start_time":"2018-04-19T00:38:34-06:00"},{"status":"passed","code_desc":"Kernel Parameter net.ipv4.conf.all.forwarding value should eq 0","run_time":0.196372,"start_time":"2018-04-19T00:38:34-06:00"}]},{"id":"sysctl-02","title":"Reverse path filtering","desc":"The rp_filter can reject incoming packets if their source address doesn't match the network interface that they're arriving on, which helps to prevent IP spoofing.","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-02' do\n impact 1.0\n title 'Reverse path filtering'\n desc \"The rp_filter can reject incoming packets if their source address doesn't match the network interface that they're arriving on, which helps to prevent IP spoofing.\"\n only_if { !container_execution }\n describe kernel_parameter('net.ipv4.conf.all.rp_filter') do\n its(:value) { should eq 1 }\n end\n describe kernel_parameter('net.ipv4.conf.default.rp_filter') do\n its(:value) { should eq 1 }\n end\nend\n","source_location":{"line":37,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter net.ipv4.conf.all.rp_filter value should eq 
1","run_time":0.199243,"start_time":"2018-04-19T00:38:35-06:00","message":"\nexpected: 1\n got: 0\n\n(compared using ==)\n"},{"status":"passed","code_desc":"Kernel Parameter net.ipv4.conf.default.rp_filter value should eq 1","run_time":0.198358,"start_time":"2018-04-19T00:38:35-06:00"}]},{"id":"sysctl-03","title":"ICMP ignore bogus error responses","desc":"Sometimes routers send out invalid responses to broadcast frames. This is a violation of RFC 1122 and the kernel will logged this. To avoid filling up your logfile with unnecessary stuff, you can tell the kernel not to issue these warnings","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-03' do\n impact 1.0\n title 'ICMP ignore bogus error responses'\n desc 'Sometimes routers send out invalid responses to broadcast frames. This is a violation of RFC 1122 and the kernel will logged this. To avoid filling up your logfile with unnecessary stuff, you can tell the kernel not to issue these warnings'\n only_if { !container_execution }\n describe kernel_parameter('net.ipv4.icmp_ignore_bogus_error_responses') do\n its(:value) { should eq 1 }\n end\nend\n","source_location":{"line":50,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"passed","code_desc":"Kernel Parameter net.ipv4.icmp_ignore_bogus_error_responses value should eq 1","run_time":0.195587,"start_time":"2018-04-19T00:38:35-06:00"}]},{"id":"sysctl-04","title":"ICMP echo ignore broadcasts","desc":"Blocking ICMP ECHO requests to broadcast addresses","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-04' do\n impact 1.0\n title 'ICMP echo ignore broadcasts'\n desc 'Blocking ICMP ECHO requests to broadcast addresses'\n only_if { !container_execution }\n describe kernel_parameter('net.ipv4.icmp_echo_ignore_broadcasts') do\n its(:value) { should eq 1 }\n end\nend\n","source_location":{"line":60,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"passed","code_desc":"Kernel Parameter 
net.ipv4.icmp_echo_ignore_broadcasts value should eq 1","run_time":0.200317,"start_time":"2018-04-19T00:38:35-06:00"}]},{"id":"sysctl-05","title":"ICMP ratelimit","desc":"icmp_ratelimit defines how many packets that match the icmp_ratemask per second","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-05' do\n impact 1.0\n title 'ICMP ratelimit'\n desc 'icmp_ratelimit defines how many packets that match the icmp_ratemask per second'\n only_if { !container_execution }\n describe kernel_parameter('net.ipv4.icmp_ratelimit') do\n its(:value) { should eq 100 }\n end\nend\n","source_location":{"line":70,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter net.ipv4.icmp_ratelimit value should eq 100","run_time":0.196829,"start_time":"2018-04-19T00:38:35-06:00","message":"\nexpected: 100\n got: 1000\n\n(compared using ==)\n"}]},{"id":"sysctl-06","title":"ICMP ratemask","desc":"Ratemask is a logical OR of all ICMP codes to rate limit","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-06' do\n impact 1.0\n title 'ICMP ratemask'\n desc 'Ratemask is a logical OR of all ICMP codes to rate limit'\n only_if { !container_execution }\n describe kernel_parameter('net.ipv4.icmp_ratemask') do\n its(:value) { should eq 88089 }\n end\nend\n","source_location":{"line":80,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter net.ipv4.icmp_ratemask value should eq 88089","run_time":0.194364,"start_time":"2018-04-19T00:38:36-06:00","message":"\nexpected: 88089\n got: 6168\n\n(compared using ==)\n"}]},{"id":"sysctl-07","title":"TCP timestamps","desc":"It is possible to estimate the current uptime of a Linux system. It's preferable to disable TCP timestamps on your systems.","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-07' do\n impact 1.0\n title 'TCP timestamps'\n desc \"It is possible to estimate the current uptime of a Linux system. 
It's preferable to disable TCP timestamps on your systems.\"\n only_if { !container_execution }\n describe kernel_parameter('net.ipv4.tcp_timestamps') do\n its(:value) { should eq 0 }\n end\nend\n","source_location":{"line":90,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter net.ipv4.tcp_timestamps value should eq 0","run_time":0.197744,"start_time":"2018-04-19T00:38:36-06:00","message":"\nexpected: 0\n got: 1\n\n(compared using ==)\n"}]},{"id":"sysctl-08","title":"ARP ignore","desc":"Reply only if the target IP address is local address configured on the incoming interface.","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-08' do\n impact 1.0\n title 'ARP ignore'\n desc 'Reply only if the target IP address is local address configured on the incoming interface.'\n only_if { !container_execution }\n describe kernel_parameter('net.ipv4.conf.all.arp_ignore') do\n its(:value) { should eq 1 }\n end\nend\n","source_location":{"line":100,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter net.ipv4.conf.all.arp_ignore value should eq 1","run_time":0.195197,"start_time":"2018-04-19T00:38:36-06:00","message":"\nexpected: 1\n got: 0\n\n(compared using ==)\n"}]},{"id":"sysctl-09","title":"ARP announce","desc":"Always use the best local address for this target. In this mode we ignore the source address in the IP packet and try to select local address that we prefer for talks with\tthe target host.","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-09' do\n impact 1.0\n title 'ARP announce'\n desc 'Always use the best local address for this target. 
In this mode we ignore the source address in the IP packet and try to select local address that we prefer for talks with\tthe target host.'\n only_if { !container_execution }\n describe kernel_parameter('net.ipv4.conf.all.arp_announce') do\n its(:value) { should eq 2 }\n end\nend\n","source_location":{"line":110,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter net.ipv4.conf.all.arp_announce value should eq 2","run_time":0.186909,"start_time":"2018-04-19T00:38:36-06:00","message":"\nexpected: 2\n got: 0\n\n(compared using ==)\n"}]},{"id":"sysctl-10","title":"TCP RFC1337 Protect Against TCP Time-Wait","desc":"This enables a fix for time-wait assassination hazards in tcp, described in RFC 1337. If enabled, this causes the kernel to drop RST packets for sockets in the time-wait state.","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-10' do\n impact 1.0\n title 'TCP RFC1337 Protect Against TCP Time-Wait'\n desc 'This enables a fix for time-wait assassination hazards in tcp, described in RFC 1337. 
If enabled, this causes the kernel to drop RST packets for sockets in the time-wait state.'\n only_if { !container_execution }\n describe kernel_parameter('net.ipv4.tcp_rfc1337') do\n its(:value) { should eq 1 }\n end\nend\n","source_location":{"line":120,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter net.ipv4.tcp_rfc1337 value should eq 1","run_time":0.208686,"start_time":"2018-04-19T00:38:36-06:00","message":"\nexpected: 1\n got: 0\n\n(compared using ==)\n"}]},{"id":"sysctl-11","title":"Protection against SYN flood attacks","desc":"A SYN-Attack is a denial of service (DoS) attack that consumes resources on your system forcing you to reboot.","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-11' do\n impact 1.0\n title 'Protection against SYN flood attacks'\n desc 'A SYN-Attack is a denial of service (DoS) attack that consumes resources on your system forcing you to reboot.'\n only_if { !container_execution }\n describe kernel_parameter('net.ipv4.tcp_syncookies') do\n its(:value) { should eq 1 }\n end\nend\n","source_location":{"line":130,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"passed","code_desc":"Kernel Parameter net.ipv4.tcp_syncookies value should eq 1","run_time":0.220374,"start_time":"2018-04-19T00:38:37-06:00"}]},{"id":"sysctl-12","title":"Shared Media IP Architecture","desc":"Send(router) or accept(host) RFC1620 shared media redirects. If it is not set the kernel does not assume that different subnets on this device can communicate directly.","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-12' do\n impact 1.0\n title 'Shared Media IP Architecture'\n desc 'Send(router) or accept(host) RFC1620 shared media redirects. 
If it is not set the kernel does not assume that different subnets on this device can communicate directly.'\n only_if { !container_execution }\n describe kernel_parameter('net.ipv4.conf.all.shared_media') do\n its(:value) { should eq 1 }\n end\n describe kernel_parameter('net.ipv4.conf.default.shared_media') do\n its(:value) { should eq 1 }\n end\nend\n","source_location":{"line":140,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"passed","code_desc":"Kernel Parameter net.ipv4.conf.all.shared_media value should eq 1","run_time":0.196314,"start_time":"2018-04-19T00:38:37-06:00"},{"status":"passed","code_desc":"Kernel Parameter net.ipv4.conf.default.shared_media value should eq 1","run_time":0.188494,"start_time":"2018-04-19T00:38:37-06:00"}]},{"id":"sysctl-13","title":"Disable Source Routing","desc":"The accept_source_route option causes network interfaces to accept packets with the Strict Source Route (SSR) or Loose Source Routing (LSR) option set. An attacker is able to send a source routed packet into the network, then he could intercept the replies and your server might not know that it is not communicating with a trusted server","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-13' do\n impact 1.0\n title 'Disable Source Routing'\n desc 'The accept_source_route option causes network interfaces to accept packets with the Strict Source Route (SSR) or Loose Source Routing (LSR) option set. 
An attacker is able to send a source routed packet into the network, then he could intercept the replies and your server might not know that it is not communicating with a trusted server'\n only_if { !container_execution }\n describe kernel_parameter('net.ipv4.conf.all.accept_source_route') do\n its(:value) { should eq 0 }\n end\n describe kernel_parameter('net.ipv4.conf.default.accept_source_route') do\n its(:value) { should eq 0 }\n end\nend\n","source_location":{"line":153,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"passed","code_desc":"Kernel Parameter net.ipv4.conf.all.accept_source_route value should eq 0","run_time":0.197294,"start_time":"2018-04-19T00:38:37-06:00"},{"status":"passed","code_desc":"Kernel Parameter net.ipv4.conf.default.accept_source_route value should eq 0","run_time":0.192936,"start_time":"2018-04-19T00:38:37-06:00"}]},{"id":"sysctl-14","title":"Disable acceptance of all IPv4 redirected packets","desc":"Disable acceptance of all redirected packets these prevents Man-in-the-Middle attacks.","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-14' do\n impact 1.0\n title 'Disable acceptance of all IPv4 redirected packets'\n desc 'Disable acceptance of all redirected packets these prevents Man-in-the-Middle attacks.'\n only_if { !container_execution }\n describe kernel_parameter('net.ipv4.conf.default.accept_redirects') do\n its(:value) { should eq 0 }\n end\n describe kernel_parameter('net.ipv4.conf.all.accept_redirects') do\n its(:value) { should eq 0 }\n end\nend\n","source_location":{"line":166,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter net.ipv4.conf.default.accept_redirects value should eq 0","run_time":0.200531,"start_time":"2018-04-19T00:38:38-06:00","message":"\nexpected: 0\n got: 1\n\n(compared using ==)\n"},{"status":"failed","code_desc":"Kernel Parameter net.ipv4.conf.all.accept_redirects value should eq 
0","run_time":0.194761,"start_time":"2018-04-19T00:38:38-06:00","message":"\nexpected: 0\n got: 1\n\n(compared using ==)\n"}]},{"id":"sysctl-15","title":"Disable acceptance of all secure redirected packets","desc":"Disable acceptance of all secure redirected packets these prevents Man-in-the-Middle attacks.","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-15' do\n impact 1.0\n title 'Disable acceptance of all secure redirected packets'\n desc 'Disable acceptance of all secure redirected packets these prevents Man-in-the-Middle attacks.'\n only_if { !container_execution }\n describe kernel_parameter('net.ipv4.conf.all.secure_redirects') do\n its(:value) { should eq 0 }\n end\n describe kernel_parameter('net.ipv4.conf.default.secure_redirects') do\n its(:value) { should eq 0 }\n end\nend\n","source_location":{"line":179,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter net.ipv4.conf.all.secure_redirects value should eq 0","run_time":0.201568,"start_time":"2018-04-19T00:38:38-06:00","message":"\nexpected: 0\n got: 1\n\n(compared using ==)\n"},{"status":"failed","code_desc":"Kernel Parameter net.ipv4.conf.default.secure_redirects value should eq 0","run_time":0.199078,"start_time":"2018-04-19T00:38:38-06:00","message":"\nexpected: 0\n got: 1\n\n(compared using ==)\n"}]},{"id":"sysctl-16","title":"Disable sending of redirects packets","desc":"Disable sending of redirects packets","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-16' do\n impact 1.0\n title 'Disable sending of redirects packets'\n desc 'Disable sending of redirects packets'\n only_if { !container_execution }\n describe kernel_parameter('net.ipv4.conf.default.send_redirects') do\n its(:value) { should eq 0 }\n end\n describe kernel_parameter('net.ipv4.conf.all.send_redirects') do\n its(:value) { should eq 0 }\n 
end\nend\n","source_location":{"line":192,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter net.ipv4.conf.default.send_redirects value should eq 0","run_time":0.188793,"start_time":"2018-04-19T00:38:38-06:00","message":"\nexpected: 0\n got: 1\n\n(compared using ==)\n"},{"status":"failed","code_desc":"Kernel Parameter net.ipv4.conf.all.send_redirects value should eq 0","run_time":0.194642,"start_time":"2018-04-19T00:38:39-06:00","message":"\nexpected: 0\n got: 1\n\n(compared using ==)\n"}]},{"id":"sysctl-17","title":"Enable logging of martian packets","desc":"Logging martian packets (packets with an impossible source or destination address) helps detect spoofing and misrouted traffic, so this baseline expects log_martians to be 1 (enabled). The kernel rate-limits these messages, but on a noisy network they can still fill the log; weigh that against the detection value before turning it off.","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-17' do\n impact 1.0\n title 'Enable logging of martian packets'\n desc 'Logging martian packets (packets with an impossible source or destination address) helps detect spoofing and misrouted traffic, so this baseline expects log_martians to be 1 (enabled). The kernel rate-limits these messages, but on a noisy network they can still fill the log; weigh that against the detection value before turning it off.'\n only_if { !container_execution }\n describe kernel_parameter('net.ipv4.conf.all.log_martians') do\n its(:value) { should eq 1 }\n end\n describe kernel_parameter('net.ipv4.conf.default.log_martians') do\n its(:value) { should eq 1 }\n end\nend\n","source_location":{"line":205,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter net.ipv4.conf.all.log_martians value should eq 1","run_time":0.201073,"start_time":"2018-04-19T00:38:39-06:00","message":"\nexpected: 1\n got: 0\n\n(compared using ==)\n"},{"status":"failed","code_desc":"Kernel Parameter net.ipv4.conf.default.log_martians value should eq 1","run_time":0.192843,"start_time":"2018-04-19T00:38:39-06:00","message":"\nexpected: 1\n got: 0\n\n(compared using ==)\n"}]},{"id":"sysctl-18","title":"Disable IPv6 if it is not needed","desc":"Disable IPv6 if it is not needed","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-18' do\n impact 1.0\n title 'Disable IPv6 if it is not needed'\n desc 'Disable IPv6 if it is not needed'\n only_if { !container_execution }\n describe 
kernel_parameter('net.ipv6.conf.all.disable_ipv6') do\n its(:value) { should eq 1 }\n end\nend\n","source_location":{"line":218,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter net.ipv6.conf.all.disable_ipv6 value should eq 1","run_time":0.196936,"start_time":"2018-04-19T00:38:39-06:00","message":"\nexpected: 1\n got: 0\n\n(compared using ==)\n"}]},{"id":"sysctl-19","title":"IPv6 Forwarding","desc":"If you're not intending for your system to forward traffic between interfaces, or if you only have a single interface, the forwarding function must be disable.","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-19' do\n impact 1.0\n title 'IPv6 Forwarding'\n desc \"If you're not intending for your system to forward traffic between interfaces, or if you only have a single interface, the forwarding function must be disable.\"\n only_if { !container_execution }\n describe kernel_parameter('net.ipv6.conf.all.forwarding') do\n its(:value) { should eq 0 }\n end\nend\n","source_location":{"line":228,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"passed","code_desc":"Kernel Parameter net.ipv6.conf.all.forwarding value should eq 0","run_time":0.20386,"start_time":"2018-04-19T00:38:39-06:00"}]},{"id":"sysctl-20","title":"Disable acceptance of all IPv6 redirected packets","desc":"Disable acceptance of all redirected packets these prevents Man-in-the-Middle attacks.","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-20' do\n impact 1.0\n title 'Disable acceptance of all IPv6 redirected packets'\n desc 'Disable acceptance of all redirected packets these prevents Man-in-the-Middle attacks.'\n only_if { !container_execution }\n describe kernel_parameter('net.ipv6.conf.default.accept_redirects') do\n its(:value) { should eq 0 }\n end\n describe kernel_parameter('net.ipv6.conf.all.accept_redirects') do\n its(:value) { should eq 0 }\n 
end\nend\n","source_location":{"line":238,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter net.ipv6.conf.default.accept_redirects value should eq 0","run_time":0.200757,"start_time":"2018-04-19T00:38:40-06:00","message":"\nexpected: 0\n got: 1\n\n(compared using ==)\n"},{"status":"failed","code_desc":"Kernel Parameter net.ipv6.conf.all.accept_redirects value should eq 0","run_time":0.199641,"start_time":"2018-04-19T00:38:40-06:00","message":"\nexpected: 0\n got: 1\n\n(compared using ==)\n"}]},{"id":"sysctl-21","title":"Disable acceptance of IPv6 router solicitations messages","desc":"The router solicitations setting determines how many router solicitations are sent when bringing up the interface. If addresses are statically assigned, there is no need to send any solicitations.","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-21' do\n impact 1.0\n title 'Disable acceptance of IPv6 router solicitations messages'\n desc 'The router solicitations setting determines how many router solicitations are sent when bringing up the interface. 
If addresses are statically assigned, there is no need to send any solicitations.'\n only_if { !container_execution }\n describe kernel_parameter('net.ipv6.conf.default.router_solicitations') do\n its(:value) { should eq 0 }\n end\nend\n","source_location":{"line":251,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter net.ipv6.conf.default.router_solicitations value should eq 0","run_time":0.194647,"start_time":"2018-04-19T00:38:40-06:00","message":"\nexpected: 0\n got: \"-1\"\n\n(compared using ==)\n"}]},{"id":"sysctl-22","title":"Disable Accept Router Preference from router advertisement","desc":"Disable Accept Router Preference from router advertisement","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-22' do\n impact 1.0\n title 'Disable Accept Router Preference from router advertisement'\n desc 'Disable Accept Router Preference from router advertisement'\n only_if { !container_execution }\n describe kernel_parameter('net.ipv6.conf.default.accept_ra_rtr_pref') do\n its(:value) { should eq 0 }\n end\nend\n","source_location":{"line":261,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter net.ipv6.conf.default.accept_ra_rtr_pref value should eq 0","run_time":0.192388,"start_time":"2018-04-19T00:38:40-06:00","message":"\nexpected: 0\n got: 1\n\n(compared using ==)\n"}]},{"id":"sysctl-23","title":"Disable learning Prefix Information from router advertisement","desc":"The accept_ra_pinfo setting controls whether the system will accept prefix info from the router.","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-23' do\n impact 1.0\n title 'Disable learning Prefix Information from router advertisement'\n desc 'The accept_ra_pinfo setting controls whether the system will accept prefix info from the router.'\n only_if { !container_execution }\n describe kernel_parameter('net.ipv6.conf.default.accept_ra_pinfo') do\n its(:value) 
{ should eq 0 }\n end\nend\n","source_location":{"line":271,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter net.ipv6.conf.default.accept_ra_pinfo value should eq 0","run_time":0.197356,"start_time":"2018-04-19T00:38:40-06:00","message":"\nexpected: 0\n got: 1\n\n(compared using ==)\n"}]},{"id":"sysctl-24","title":"Disable learning default router from router advertisement","desc":"The accept_ra_defrtr setting controls whether the system will learn a default router from a router advertisement (it does not control the Hop Limit). Setting it to 0 prevents a router, including a rogue router on the local link, from installing or changing your IPv6 default route.","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-24' do\n impact 1.0\n title 'Disable learning default router from router advertisement'\n desc 'The accept_ra_defrtr setting controls whether the system will learn a default router from a router advertisement (it does not control the Hop Limit). Setting it to 0 prevents a router, including a rogue router on the local link, from installing or changing your IPv6 default route.'\n only_if { !container_execution }\n describe kernel_parameter('net.ipv6.conf.default.accept_ra_defrtr') do\n its(:value) { should eq 0 }\n end\nend\n","source_location":{"line":281,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter net.ipv6.conf.default.accept_ra_defrtr value should eq 0","run_time":0.198864,"start_time":"2018-04-19T00:38:41-06:00","message":"\nexpected: 0\n got: 1\n\n(compared using ==)\n"}]},{"id":"sysctl-25","title":"Disable the system`s acceptance of router advertisement","desc":"Setting controls whether the system will accept router advertisement","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-25' do\n impact 1.0\n title 'Disable the system`s acceptance of router advertisement'\n desc 'Setting controls whether the system will accept router advertisement'\n only_if { !container_execution }\n describe kernel_parameter('net.ipv6.conf.all.accept_ra') do\n its(:value) { 
should eq 0 }\n end\n describe kernel_parameter('net.ipv6.conf.default.accept_ra') do\n its(:value) { should eq 0 }\n end\nend\n","source_location":{"line":291,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter net.ipv6.conf.all.accept_ra value should eq 0","run_time":0.195715,"start_time":"2018-04-19T00:38:41-06:00","message":"\nexpected: 0\n got: 1\n\n(compared using ==)\n"},{"status":"failed","code_desc":"Kernel Parameter net.ipv6.conf.default.accept_ra value should eq 0","run_time":0.196933,"start_time":"2018-04-19T00:38:41-06:00","message":"\nexpected: 0\n got: 1\n\n(compared using ==)\n"}]},{"id":"sysctl-26","title":"Disable IPv6 autoconfiguration","desc":"The autoconf setting controls whether router advertisements can cause the system to assign a global unicast address to an interface.","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-26' do\n impact 1.0\n title 'Disable IPv6 autoconfiguration'\n desc 'The autoconf setting controls whether router advertisements can cause the system to assign a global unicast address to an interface.'\n only_if { !container_execution }\n describe kernel_parameter('net.ipv6.conf.default.autoconf') do\n its(:value) { should eq 0 }\n end\nend\n","source_location":{"line":304,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter net.ipv6.conf.default.autoconf value should eq 0","run_time":0.191646,"start_time":"2018-04-19T00:38:41-06:00","message":"\nexpected: 0\n got: 1\n\n(compared using ==)\n"}]},{"id":"sysctl-27","title":"Disable neighbor solicitations to send out per address","desc":"The dad_transmits setting determines how many neighbor solicitations to send out per address (global and link-local) when bringing up an interface to ensure the desired address is unique on the network.","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-27' do\n impact 1.0\n title 'Disable neighbor 
solicitations to send out per address'\n desc 'The dad_transmits setting determines how many neighbor solicitations to send out per address (global and link-local) when bringing up an interface to ensure the desired address is unique on the network.'\n only_if { !container_execution }\n describe kernel_parameter('net.ipv6.conf.default.dad_transmits') do\n its(:value) { should eq 0 }\n end\nend\n","source_location":{"line":314,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter net.ipv6.conf.default.dad_transmits value should eq 0","run_time":0.191683,"start_time":"2018-04-19T00:38:41-06:00","message":"\nexpected: 0\n got: 1\n\n(compared using ==)\n"}]},{"id":"sysctl-28","title":"Assign one global unicast IPv6 addresses to each interface","desc":"The max_addresses setting determines how many global unicast IPv6 addresses can be assigned to each interface. The default is 16, but it should be set to exactly the number of statically configured global addresses required.","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-28' do\n impact 1.0\n title 'Assign one global unicast IPv6 addresses to each interface'\n desc 'The max_addresses setting determines how many global unicast IPv6 addresses can be assigned to each interface. 
The default is 16, but it should be set to exactly the number of statically configured global addresses required.'\n only_if { !container_execution }\n describe kernel_parameter('net.ipv6.conf.default.max_addresses') do\n its(:value) { should eq 1 }\n end\nend\n","source_location":{"line":324,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"failed","code_desc":"Kernel Parameter net.ipv6.conf.default.max_addresses value should eq 1","run_time":0.191478,"start_time":"2018-04-19T00:38:41-06:00","message":"\nexpected: 1\n got: 16\n\n(compared using ==)\n"}]},{"id":"sysctl-29","title":"Disable loading kernel modules","desc":"The sysctl key kernel.modules_disabled is very straightforward. If it contains a \"1\" it will disable loading new modules, where a \"0\" will still allow loading them. Using this option is a strong protection against loading malicious kernel modules, but it is a one-way switch: once set to 1 it cannot be reset without a reboot. Note that this control compares the value against the profile attribute kernel_modules_disabled, which defaults to 0, so a passing result does not by itself mean module loading is disabled; set the attribute to 1 to enforce it.","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-29' do\n impact 1.0\n title 'Disable loading kernel modules'\n desc 'The sysctl key kernel.modules_disabled is very straightforward. If it contains a \"1\" it will disable loading new modules, where a \"0\" will still allow loading them. 
Using this option is a strong protection against loading malicious kernel modules, but it is a one-way switch: once set to 1 it cannot be reset without a reboot. Note that this control compares the value against the profile attribute kernel_modules_disabled, which defaults to 0, so a passing result does not by itself mean module loading is disabled; set the attribute to 1 to enforce it.'\n only_if { !container_execution }\n describe kernel_parameter('kernel.modules_disabled') do\n its(:value) { should eq kernel_modules_disabled }\n end\nend\n","source_location":{"line":334,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"passed","code_desc":"Kernel Parameter kernel.modules_disabled value should eq 0","run_time":0.18988,"start_time":"2018-04-19T00:38:42-06:00"}]},{"id":"sysctl-30","title":"Magic SysRq","desc":"kernel.sysrq controls the 'magical' SysRq key combo, which the kernel will respond to regardless of whatever else it is doing, unless it is completely locked up. A value of 0 disables it entirely.","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-30' do\n impact 1.0\n title 'Magic SysRq'\n desc \"kernel.sysrq controls the 'magical' SysRq key combo, which the kernel will respond to regardless of whatever else it is doing, unless it is completely locked up. A value of 0 disables it entirely.\"\n only_if { !container_execution }\n describe kernel_parameter('kernel.sysrq') do\n its(:value) { should eq 0 }\n end\nend\n","source_location":{"line":344,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"passed","code_desc":"Kernel Parameter kernel.sysrq value should eq 0","run_time":0.198828,"start_time":"2018-04-19T00:38:42-06:00"}]},{"id":"sysctl-31a","title":"Secure Core Dumps - dump settings","desc":"Ensure that setuid programs either cannot dump core (0) or only dump in suidsafe mode (2), where the dump is written readable by root only and kernel.core_pattern must be an absolute path or a pipe (see sysctl-31b); value 1 would let unprivileged users read the memory of privileged processes through their core dumps.","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-31a' do\n impact 1.0\n title 'Secure Core Dumps - dump settings'\n desc 'Ensure that setuid programs either cannot dump core (0) or only dump in suidsafe mode (2), where the dump is written readable by root only and kernel.core_pattern must be an absolute path or a pipe (see sysctl-31b); value 1 would let unprivileged users read the memory of privileged processes through their core dumps.'\n only_if { !container_execution }\n describe kernel_parameter('fs.suid_dumpable') do\n its(:value) { should cmp(/(0|2)/) }\n end\nend\n","source_location":{"line":354,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"passed","code_desc":"Kernel Parameter fs.suid_dumpable value should cmp == 
/(0|2)/","run_time":0.000417,"start_time":"2018-04-19T00:38:42-06:00"}]},{"id":"sysctl-31b","title":"Secure Core Dumps - dump path","desc":"Ensure that core dumps are done with fully qualified path","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-31b' do\n impact 1.0\n title 'Secure Core Dumps - dump path'\n desc 'Ensure that core dumps are done with fully qualified path'\n only_if { kernel_parameter('fs.suid_dumpable').value == 2 && !container_execution }\n describe kernel_parameter('kernel.core_pattern') do\n its(:value) { should match %r{^/.*} }\n end\nend\n","source_location":{"line":364,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"skipped","code_desc":"Operating System Detection","run_time":1.8e-05,"start_time":"2018-04-19T00:38:42-06:00","resource":"Operating System Detection","skip_message":"Skipped control due to only_if condition."}]},{"id":"sysctl-32","title":"kernel.randomize_va_space","desc":"kernel.randomize_va_space","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-32' do\n impact 1.0\n title 'kernel.randomize_va_space'\n desc 'kernel.randomize_va_space'\n only_if { !container_execution }\n describe kernel_parameter('kernel.randomize_va_space') do\n its(:value) { should eq 2 }\n end\nend\n","source_location":{"line":374,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"passed","code_desc":"Kernel Parameter kernel.randomize_va_space value should eq 2","run_time":0.19719,"start_time":"2018-04-19T00:38:42-06:00"}]},{"id":"sysctl-33","title":"CPU No execution Flag or Kernel ExecShield","desc":"Kernel features and CPU flags provide a protection against buffer overflows. The CPU NX Flag and the kernel parameter exec-shield prevents code execution on a per memory page basis. 
If the CPU supports the NX-Flag then this should be used instead of the kernel parameter exec-shield.","impact":1.0,"refs":[],"tags":{},"code":"control 'sysctl-33' do\n impact 1.0\n title 'CPU No execution Flag or Kernel ExecShield'\n desc 'Kernel features and CPU flags provide a protection against buffer overflows. The CPU NX Flag and the kernel parameter exec-shield prevents code execution on a per memory page basis. If the CPU supports the NX-Flag then this should be used instead of the kernel parameter exec-shield.'\n only_if { !container_execution }\n\n # parse for cpu flags\n flags = parse_config_file('/proc/cpuinfo', assignment_regex: /^([^:]*?)\\s+:\\s+(.*?)$/).flags\n flags ||= ''\n flags = flags.split(' ')\n\n describe '/proc/cpuinfo' do\n it 'Flags should include NX' do\n expect(flags).to include('nx')\n end\n end\n\n unless flags.include?('nx')\n # if no nx flag is present, we require exec-shield\n describe kernel_parameter('kernel.exec-shield') do\n its(:value) { should eq 1 }\n end\n end\nend\n","source_location":{"line":384,"ref":"linux-baseline-master/controls/sysctl_spec.rb"},"results":[{"status":"passed","code_desc":"/proc/cpuinfo Flags should include NX","run_time":0.000164,"start_time":"2018-04-19T00:38:42-06:00"}]}]}],"statistics":{"duration":14.166371},"version":"2.1.44"}