Inspec errors using https://github.com/dev-sec/linux-baseline

I am running the following command:

inspec exec https://github.com/dev-sec/linux-baseline -t ssh://ubuntu@10.0.1.22 -i ~/.ssh/id_rsa --sudo

And I am getting failures for

  • Check login.defs (4 failed)
    • All these params look like they should pass
  • sysctl-29: Disable loading kernel modules
    • I accidentally set echo "1" > /proc/sys/kernel/modules_disabled and now I’m unable to set it back 🙁
  • package-07: Install syslog server package
    • What package should I install?
  • os-06: Check for SUID/ SGID blacklist
    • Where can I set this?

ubuntu@ip-10-0-1-10:~/.ssh$ inspec exec https://github.com/dev-sec/linux-baseline -t ssh://ubuntu@10.0.1.22 -i ~/.ssh/id_rsa --sudo
/usr/local/rvm/gems/ruby-2.3.1@global/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:679: warning: already initialized constant RSpec::Core::ExampleGroup::INSTANCE_VARIABLE_TO_IGNORE
/usr/local/rvm/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:679: warning: previous definition of INSTANCE_VARIABLE_TO_IGNORE was here
/usr/local/rvm/gems/ruby-2.3.1@global/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:722: warning: already initialized constant RSpec::Core::ExampleGroup::WrongScopeError
/usr/local/rvm/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:722: warning: previous definition of WrongScopeError was here
verify_host_key: false is deprecated, use :never
[2020-08-15T21:22:01+00:00] WARN: URL target https://github.com/dev-sec/linux-baseline transformed to https://github.com/dev-sec/linux-baseline/archive/master.tar.gz. Consider using the git fetcher
[2020-08-15T21:22:01+00:00] WARN: Attribute 'login_defs_umask' does not have a value. Use --attrs to provide a value for 'login_defs_umask' or specify a default  value with `attribute('login_defs_umask', default: 'somedefault', ...)`.
[2020-08-15T21:22:01+00:00] WARN: Attribute 'login_defs_passmaxdays' does not have a value. Use --attrs to provide a value for 'login_defs_passmaxdays' or specify a default  value with `attribute('login_defs_passmaxdays', default: 'somedefault', ...)`.
[2020-08-15T21:22:01+00:00] WARN: Attribute 'login_defs_passmindays' does not have a value. Use --attrs to provide a value for 'login_defs_passmindays' or specify a default  value with `attribute('login_defs_passmindays', default: 'somedefault', ...)`.
[2020-08-15T21:22:01+00:00] WARN: Attribute 'login_defs_passwarnage' does not have a value. Use --attrs to provide a value for 'login_defs_passwarnage' or specify a default  value with `attribute('login_defs_passwarnage', default: 'somedefault', ...)`.
[2020-08-15T21:22:02+00:00] WARN: Attribute 'blacklist' does not have a value. Use --attrs to provide a value for 'blacklist' or specify a default  value with `attribute('blacklist', default: 'somedefault', ...)`.
[2020-08-15T21:22:02+00:00] WARN: Attribute 'syslog_pkg' does not have a value. Use --attrs to provide a value for 'syslog_pkg' or specify a default  value with `attribute('syslog_pkg', default: 'somedefault', ...)`.
[2020-08-15T21:22:02+00:00] WARN: Attribute 'sysctl_forwarding' does not have a value. Use --attrs to provide a value for 'sysctl_forwarding' or specify a default  value with `attribute('sysctl_forwarding', default: 'somedefault', ...)`.
[2020-08-15T21:22:02+00:00] WARN: Attribute 'kernel_modules_disabled' does not have a value. Use --attrs to provide a value for 'kernel_modules_disabled' or specify a default  value with `attribute('kernel_modules_disabled', default: 'somedefault', ...)`.

Profile: DevSec Linux Security Baseline (linux-baseline)
Version: 2.4.6
Target:  ssh://ubuntu@10.0.1.22:22

  ✔  os-01: Trusted hosts login
     ✔  File /etc/hosts.equiv should not exist
  ✔  os-02: Check owner and permissions for /etc/shadow
     ✔  File /etc/shadow should exist
     ✔  File /etc/shadow should be file
     ✔  File /etc/shadow should be owned by "root"
     ✔  File /etc/shadow should not be executable
     ✔  File /etc/shadow should not be readable by other
     ✔  File /etc/shadow group should eq "shadow"
     ✔  File /etc/shadow should be writable by owner
     ✔  File /etc/shadow should be readable by owner
     ✔  File /etc/shadow should be readable by group
  ✔  os-03: Check owner and permissions for /etc/passwd
     ✔  File /etc/passwd should exist
     ✔  File /etc/passwd should be file
     ✔  File /etc/passwd should be owned by "root"
     ✔  File /etc/passwd should not be executable
     ✔  File /etc/passwd should be writable by owner
     ✔  File /etc/passwd should not be writable by group
     ✔  File /etc/passwd should not be writable by other
     ✔  File /etc/passwd should be readable by owner
     ✔  File /etc/passwd should be readable by group
     ✔  File /etc/passwd should be readable by other
     ✔  File /etc/passwd group should eq "root"
  ✔  os-03b: Check passwords hashes in /etc/passwd
     ✔  /etc/passwd passwords should be in "x" and "*"
  ✔  os-04: Dot in PATH variable
     ✔  Environment variable PATH split should not include ""
     ✔  Environment variable PATH split should not include "."
  ×  os-05: Check login.defs (4 failed)
     ✔  File /etc/login.defs should exist
     ✔  File /etc/login.defs should be file
     ✔  File /etc/login.defs should be owned by "root"
     ✔  File /etc/login.defs should not be executable
     ✔  File /etc/login.defs should be readable by owner
     ✔  File /etc/login.defs should be readable by group
     ✔  File /etc/login.defs should be readable by other
     ✔  File /etc/login.defs group should eq "root"
     ✔  login.defs ENV_SUPATH should include "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
     ✔  login.defs ENV_PATH should include "/usr/local/bin:/usr/bin:/bin"
     ×  login.defs UMASK should include #<Inspec::Attribute::DEFAULT_ATTRIBUTE:0x00000005a1ea00 @name="login_defs_umask">
     can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to String (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_str gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
     ×  login.defs PASS_MAX_DAYS should eq #<Inspec::Attribute::DEFAULT_ATTRIBUTE:0x00000005a1e3e8 @name="login_defs_passmaxdays">
     can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to Array (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_ary gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
     ×  login.defs PASS_MIN_DAYS should eq #<Inspec::Attribute::DEFAULT_ATTRIBUTE:0x00000005a1dee8 @name="login_defs_passmindays">
     can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to Array (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_ary gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
     ×  login.defs PASS_WARN_AGE should eq #<Inspec::Attribute::DEFAULT_ATTRIBUTE:0x00000005a1da38 @name="login_defs_passwarnage">
     can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to Array (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_ary gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
     ✔  login.defs LOGIN_RETRIES should eq "5"
     ✔  login.defs LOGIN_TIMEOUT should eq "60"
     ✔  login.defs UID_MIN should eq "1000"
     ✔  login.defs GID_MIN should eq "1000"
  ↺  os-05b: Check login.defs - RedHat specific
     ↺  Skipped control due to only_if condition.
  ×  os-06: Check for SUID/ SGID blacklist
     ×  suid_check diff
     can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to Array (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_ary gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
  ✔  os-07: Unique uid and gid
     ✔  /etc/passwd uids should not contain duplicates
     ✔  /etc/group gids should not contain duplicates
  ✔  os-08: Entropy
     ✔  3092 should >= 1000
  ✔  os-09: Check for .rhosts and .netrc file
     ✔  [] should be empty
  ✔  os-10: CIS: Disable unused filesystems
     ✔  File /etc/modprobe.d/dev-sec.conf content should match "install cramfs /bin/true"
     ✔  File /etc/modprobe.d/dev-sec.conf content should match "install freevxfs /bin/true"
     ✔  File /etc/modprobe.d/dev-sec.conf content should match "install jffs2 /bin/true"
     ✔  File /etc/modprobe.d/dev-sec.conf content should match "install hfs /bin/true"
     ✔  File /etc/modprobe.d/dev-sec.conf content should match "install hfsplus /bin/true"
     ✔  File /etc/modprobe.d/dev-sec.conf content should match "install squashfs /bin/true"
     ✔  File /etc/modprobe.d/dev-sec.conf content should match "install udf /bin/true"
     ✔  File /etc/modprobe.d/dev-sec.conf content should match "install vfat /bin/true"
  ✔  os-11: Protect log-directory
     ✔  File /var/log should be directory
     ✔  File /var/log should be owned by "root"
     ✔  File /var/log group should match /^root|syslog$/
  ✔  package-01: Do not run deprecated inetd or xinetd
     ✔  System Package inetd should not be installed
     ✔  System Package xinetd should not be installed
  ✔  package-02: Do not install Telnet server
     ✔  System Package telnetd should not be installed
  ✔  package-03: Do not install rsh server
     ✔  System Package rsh-server should not be installed
  ✔  package-05: Do not install ypserv server (NIS)
     ✔  System Package ypserv should not be installed
  ✔  package-06: Do not install tftp server
     ✔  System Package tftp-server should not be installed
  ×  package-07: Install syslog server package
     ×  System Package Attribute 'syslog_pkg' does not have a value. Skipping test. should be installed
     expected that `System Package Attribute 'syslog_pkg' does not have a value. Skipping test.` is installed
  ✔  package-08: Install auditd
     ✔  System Package auditd should be installed
     ✔  Audit Daemon Config log_file should cmp == "/var/log/audit/audit.log"
     ✔  Audit Daemon Config log_format should cmp == "raw"
     ✔  Audit Daemon Config flush should match /^incremental|INCREMENTAL|incremental_async|INCREMENTAL_ASYNC$/
     ✔  Audit Daemon Config max_log_file_action should cmp == "keep_logs"
     ✔  Audit Daemon Config space_left should cmp == 75
     ✔  Audit Daemon Config action_mail_acct should cmp == "root"
     ✔  Audit Daemon Config space_left_action should cmp == "SYSLOG"
     ✔  Audit Daemon Config admin_space_left should cmp == 50
     ✔  Audit Daemon Config admin_space_left_action should cmp == "SUSPEND"
     ✔  Audit Daemon Config disk_full_action should cmp == "SUSPEND"
     ✔  Audit Daemon Config disk_error_action should cmp == "SUSPEND"
  ✔  package-09: CIS: Additional process hardening
     ✔  System Package prelink should not be installed
  ↺  sysctl-01: IPv4 Forwarding
     ↺  Skipped control due to only_if condition.
  ✔  sysctl-02: Reverse path filtering
     ✔  Kernel Parameter net.ipv4.conf.all.rp_filter value should eq 1
     ✔  Kernel Parameter net.ipv4.conf.default.rp_filter value should eq 1
  ✔  sysctl-03: ICMP ignore bogus error responses
     ✔  Kernel Parameter net.ipv4.icmp_ignore_bogus_error_responses value should eq 1
  ✔  sysctl-04: ICMP echo ignore broadcasts
     ✔  Kernel Parameter net.ipv4.icmp_echo_ignore_broadcasts value should eq 1
  ✔  sysctl-05: ICMP ratelimit
     ✔  Kernel Parameter net.ipv4.icmp_ratelimit value should eq 100
  ✔  sysctl-06: ICMP ratemask
     ✔  Kernel Parameter net.ipv4.icmp_ratemask value should eq 88089
  ✔  sysctl-07: TCP timestamps
     ✔  Kernel Parameter net.ipv4.tcp_timestamps value should eq 0
  ✔  sysctl-08: ARP ignore
     ✔  Kernel Parameter net.ipv4.conf.all.arp_ignore value should eq 1
  ✔  sysctl-09: ARP announce
     ✔  Kernel Parameter net.ipv4.conf.all.arp_announce value should eq 2
  ✔  sysctl-10: TCP RFC1337 Protect Against TCP Time-Wait
     ✔  Kernel Parameter net.ipv4.tcp_rfc1337 value should eq 1
  ✔  sysctl-11: Protection against SYN flood attacks
     ✔  Kernel Parameter net.ipv4.tcp_syncookies value should eq 1
  ✔  sysctl-12: Shared Media IP Architecture
     ✔  Kernel Parameter net.ipv4.conf.all.shared_media value should eq 1
     ✔  Kernel Parameter net.ipv4.conf.default.shared_media value should eq 1
  ✔  sysctl-13: Disable Source Routing
     ✔  Kernel Parameter net.ipv4.conf.all.accept_source_route value should eq 0
     ✔  Kernel Parameter net.ipv4.conf.default.accept_source_route value should eq 0
  ✔  sysctl-14: Disable acceptance of all IPv4 redirected packets
     ✔  Kernel Parameter net.ipv4.conf.default.accept_redirects value should eq 0
     ✔  Kernel Parameter net.ipv4.conf.all.accept_redirects value should eq 0
  ✔  sysctl-15: Disable acceptance of all secure redirected packets
     ✔  Kernel Parameter net.ipv4.conf.all.secure_redirects value should eq 0
     ✔  Kernel Parameter net.ipv4.conf.default.secure_redirects value should eq 0
  ✔  sysctl-16: Disable sending of redirects packets
     ✔  Kernel Parameter net.ipv4.conf.default.send_redirects value should eq 0
     ✔  Kernel Parameter net.ipv4.conf.all.send_redirects value should eq 0
  ✔  sysctl-17: Disable log martians
     ✔  Kernel Parameter net.ipv4.conf.all.log_martians value should eq 1
     ✔  Kernel Parameter net.ipv4.conf.default.log_martians value should eq 1
  ✔  sysctl-18: Disable IPv6 if it is not needed
     ✔  Kernel Parameter net.ipv6.conf.all.disable_ipv6 value should eq 1
  ↺  sysctl-19: IPv6 Forwarding
     ↺  Skipped control due to only_if condition.
  ✔  sysctl-20: Disable acceptance of all IPv6 redirected packets
     ✔  Kernel Parameter net.ipv6.conf.default.accept_redirects value should eq 0
     ✔  Kernel Parameter net.ipv6.conf.all.accept_redirects value should eq 0
  ✔  sysctl-21: Disable acceptance of IPv6 router solicitations messages
     ✔  Kernel Parameter net.ipv6.conf.default.router_solicitations value should eq 0
  ✔  sysctl-22: Disable Accept Router Preference from router advertisement
     ✔  Kernel Parameter net.ipv6.conf.default.accept_ra_rtr_pref value should eq 0
  ✔  sysctl-23: Disable learning Prefix Information from router advertisement
     ✔  Kernel Parameter net.ipv6.conf.default.accept_ra_pinfo value should eq 0
  ✔  sysctl-24: Disable learning Hop limit from router advertisement
     ✔  Kernel Parameter net.ipv6.conf.default.accept_ra_defrtr value should eq 0
  ✔  sysctl-25: Disable the system`s acceptance of router advertisement
     ✔  Kernel Parameter net.ipv6.conf.all.accept_ra value should eq 0
     ✔  Kernel Parameter net.ipv6.conf.default.accept_ra value should eq 0
  ✔  sysctl-26: Disable IPv6 autoconfiguration
     ✔  Kernel Parameter net.ipv6.conf.default.autoconf value should eq 0
  ✔  sysctl-27: Disable neighbor solicitations to send out per address
     ✔  Kernel Parameter net.ipv6.conf.default.dad_transmits value should eq 0
  ✔  sysctl-28: Assign one global unicast IPv6 addresses to each interface
     ✔  Kernel Parameter net.ipv6.conf.default.max_addresses value should eq 1
  ×  sysctl-29: Disable loading kernel modules
     ×  Kernel Parameter kernel.modules_disabled value should eq #<Inspec::Attribute::DEFAULT_ATTRIBUTE:0x000000052722e8 @name="kernel_modules_disabled">
     can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to Array (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_ary gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
  ✔  sysctl-30: Magic SysRq
     ✔  Kernel Parameter kernel.sysrq value should eq 0
  ✔  sysctl-31a: Secure Core Dumps - dump settings
     ✔  Kernel Parameter fs.suid_dumpable value should cmp == /(0|2)/
  ✔  sysctl-31b: Secure Core Dumps - dump path
     ✔  Kernel Parameter kernel.core_pattern value should match /^|?/.*/
  ✔  sysctl-32: kernel.randomize_va_space
     ✔  Kernel Parameter kernel.randomize_va_space value should eq 2
  ✔  sysctl-33: CPU No execution Flag or Kernel ExecShield
     ✔  /proc/cpuinfo Flags should include NX


Profile Summary: 48 successful controls, 4 control failures, 3 controls skipped
Test Summary: 112 successful, 7 failures, 3 skipped


Author: CLJ
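
Added example, not part of the original post or of the linux-baseline project: a small Ruby triage of InSpec CLI output that separates failed controls whose expected value was an unset attribute (the DEFAULT_ATTRIBUTE and "does not have a value" lines in the run above) from failures that reflect the target's state. The function names and the sysctl-30 failure in the sample are assumptions made for illustration.

```ruby
# Added example. SAMPLE is abridged from the run above, except the sysctl-30
# failure, which is constructed to show a genuine finding for contrast.
SAMPLE = <<~'LOG'
  [2020-08-15T21:22:01+00:00] WARN: Attribute 'login_defs_umask' does not have a value. Use --attrs to provide a value
  [2020-08-15T21:22:02+00:00] WARN: Attribute 'blacklist' does not have a value. Use --attrs to provide a value
  [2020-08-15T21:22:02+00:00] WARN: Attribute 'syslog_pkg' does not have a value. Use --attrs to provide a value
    ✔  os-04: Dot in PATH variable
    ×  os-05: Check login.defs (4 failed)
       ✔  File /etc/login.defs should exist
       ×  login.defs UMASK should include #<Inspec::Attribute::DEFAULT_ATTRIBUTE:0x00000005a1ea00 @name="login_defs_umask">
       can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to String
    ×  os-06: Check for SUID/ SGID blacklist
       ×  suid_check diff
       can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to Array
    ×  package-07: Install syslog server package
       ×  System Package Attribute 'syslog_pkg' does not have a value. Skipping test. should be installed
    ×  sysctl-30: Magic SysRq
       ×  Kernel Parameter kernel.sysrq value should eq 0
LOG

UNSET = /DEFAULT_ATTRIBUTE|does not have a value/

# Attribute names InSpec warned about: no value supplied and no default.
def unset_attributes(log)
  log.scan(/WARN: Attribute '([^']+)' does not have a value/).flatten.uniq
end

# Map each failed control id to :unset_input (the expectation was an unset
# attribute, so the target was not really tested) or :finding. A control with
# both kinds of failure is reported as :unset_input and needs a re-run.
def triage(log)
  verdicts = {}
  current = nil
  log.each_line do |line|
    if (m = line.match(/^\s{2}(\S)\s+([a-z]+-\d+[a-z]?): /))
      current = m[1] == "×" ? m[2] : nil
      verdicts[current] = :finding if current
    elsif current && line =~ UNSET
      verdicts[current] = :unset_input
    end
  end
  verdicts
end

if __FILE__ == $PROGRAM_NAME
  puts "unset inputs: #{unset_attributes(SAMPLE).join(', ')}"
  triage(SAMPLE).each { |id, verdict| puts "#{id}: #{verdict}" }
end
```

In the run above, os-05, os-06, package-07 and sysctl-29 all carry this unset-attribute signature, and the WARN lines name --attrs as the way to supply the missing values.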