I am running the following command:
inspec exec https://github.com/dev-sec/linux-baseline -t ssh://ubuntu@10.0.1.22 -i ~/.ssh/id_rsa --sudo
And I am getting failures for:
- Check login.defs (4 failed)
  - All these params look like they should pass
- sysctl-29: Disable loading kernel modules
  - I accidentally set
    echo "1" > /proc/sys/kernel/modules_disabled
    and now I’m unable to set it back 🙁
- package-07: Install syslog server package
  - What package should I install?
- os-06: Check for SUID/ SGID blacklist
  - Where can I set this?
ubuntu@ip-10-0-1-10:~/.ssh$ inspec exec https://github.com/dev-sec/linux-baseline -t ssh://ubuntu@10.0.1.22 -i ~/.ssh/id_rsa --sudo
/usr/local/rvm/gems/ruby-2.3.1@global/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:679: warning: already initialized constant RSpec::Core::ExampleGroup::INSTANCE_VARIABLE_TO_IGNORE
/usr/local/rvm/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:679: warning: previous definition of INSTANCE_VARIABLE_TO_IGNORE was here
/usr/local/rvm/gems/ruby-2.3.1@global/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:722: warning: already initialized constant RSpec::Core::ExampleGroup::WrongScopeError
/usr/local/rvm/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:722: warning: previous definition of WrongScopeError was here
verify_host_key: false is deprecated, use :never
[2020-08-15T21:22:01+00:00] WARN: URL target https://github.com/dev-sec/linux-baseline transformed to https://github.com/dev-sec/linux-baseline/archive/master.tar.gz. Consider using the git fetcher
[2020-08-15T21:22:01+00:00] WARN: Attribute 'login_defs_umask' does not have a value. Use --attrs to provide a value for 'login_defs_umask' or specify a default value with `attribute('login_defs_umask', default: 'somedefault', ...)`.
[2020-08-15T21:22:01+00:00] WARN: Attribute 'login_defs_passmaxdays' does not have a value. Use --attrs to provide a value for 'login_defs_passmaxdays' or specify a default value with `attribute('login_defs_passmaxdays', default: 'somedefault', ...)`.
[2020-08-15T21:22:01+00:00] WARN: Attribute 'login_defs_passmindays' does not have a value. Use --attrs to provide a value for 'login_defs_passmindays' or specify a default value with `attribute('login_defs_passmindays', default: 'somedefault', ...)`.
[2020-08-15T21:22:01+00:00] WARN: Attribute 'login_defs_passwarnage' does not have a value. Use --attrs to provide a value for 'login_defs_passwarnage' or specify a default value with `attribute('login_defs_passwarnage', default: 'somedefault', ...)`.
[2020-08-15T21:22:02+00:00] WARN: Attribute 'blacklist' does not have a value. Use --attrs to provide a value for 'blacklist' or specify a default value with `attribute('blacklist', default: 'somedefault', ...)`.
[2020-08-15T21:22:02+00:00] WARN: Attribute 'syslog_pkg' does not have a value. Use --attrs to provide a value for 'syslog_pkg' or specify a default value with `attribute('syslog_pkg', default: 'somedefault', ...)`.
[2020-08-15T21:22:02+00:00] WARN: Attribute 'sysctl_forwarding' does not have a value. Use --attrs to provide a value for 'sysctl_forwarding' or specify a default value with `attribute('sysctl_forwarding', default: 'somedefault', ...)`.
[2020-08-15T21:22:02+00:00] WARN: Attribute 'kernel_modules_disabled' does not have a value. Use --attrs to provide a value for 'kernel_modules_disabled' or specify a default value with `attribute('kernel_modules_disabled', default: 'somedefault', ...)`.
Profile: DevSec Linux Security Baseline (linux-baseline)
Version: 2.4.6
Target: ssh://ubuntu@10.0.1.22:22
✔ os-01: Trusted hosts login
✔ File /etc/hosts.equiv should not exist
✔ os-02: Check owner and permissions for /etc/shadow
✔ File /etc/shadow should exist
✔ File /etc/shadow should be file
✔ File /etc/shadow should be owned by "root"
✔ File /etc/shadow should not be executable
✔ File /etc/shadow should not be readable by other
✔ File /etc/shadow group should eq "shadow"
✔ File /etc/shadow should be writable by owner
✔ File /etc/shadow should be readable by owner
✔ File /etc/shadow should be readable by group
✔ os-03: Check owner and permissions for /etc/passwd
✔ File /etc/passwd should exist
✔ File /etc/passwd should be file
✔ File /etc/passwd should be owned by "root"
✔ File /etc/passwd should not be executable
✔ File /etc/passwd should be writable by owner
✔ File /etc/passwd should not be writable by group
✔ File /etc/passwd should not be writable by other
✔ File /etc/passwd should be readable by owner
✔ File /etc/passwd should be readable by group
✔ File /etc/passwd should be readable by other
✔ File /etc/passwd group should eq "root"
✔ os-03b: Check passwords hashes in /etc/passwd
✔ /etc/passwd passwords should be in "x" and "*"
✔ os-04: Dot in PATH variable
✔ Environment variable PATH split should not include ""
✔ Environment variable PATH split should not include "."
× os-05: Check login.defs (4 failed)
✔ File /etc/login.defs should exist
✔ File /etc/login.defs should be file
✔ File /etc/login.defs should be owned by "root"
✔ File /etc/login.defs should not be executable
✔ File /etc/login.defs should be readable by owner
✔ File /etc/login.defs should be readable by group
✔ File /etc/login.defs should be readable by other
✔ File /etc/login.defs group should eq "root"
✔ login.defs ENV_SUPATH should include "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
✔ login.defs ENV_PATH should include "/usr/local/bin:/usr/bin:/bin"
× login.defs UMASK should include #<Inspec::Attribute::DEFAULT_ATTRIBUTE:0x00000005a1ea00 @name="login_defs_umask">
can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to String (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_str gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
× login.defs PASS_MAX_DAYS should eq #<Inspec::Attribute::DEFAULT_ATTRIBUTE:0x00000005a1e3e8 @name="login_defs_passmaxdays">
can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to Array (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_ary gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
× login.defs PASS_MIN_DAYS should eq #<Inspec::Attribute::DEFAULT_ATTRIBUTE:0x00000005a1dee8 @name="login_defs_passmindays">
can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to Array (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_ary gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
× login.defs PASS_WARN_AGE should eq #<Inspec::Attribute::DEFAULT_ATTRIBUTE:0x00000005a1da38 @name="login_defs_passwarnage">
can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to Array (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_ary gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
✔ login.defs LOGIN_RETRIES should eq "5"
✔ login.defs LOGIN_TIMEOUT should eq "60"
✔ login.defs UID_MIN should eq "1000"
✔ login.defs GID_MIN should eq "1000"
↺ os-05b: Check login.defs - RedHat specific
↺ Skipped control due to only_if condition.
× os-06: Check for SUID/ SGID blacklist
× suid_check diff
can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to Array (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_ary gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
✔ os-07: Unique uid and gid
✔ /etc/passwd uids should not contain duplicates
✔ /etc/group gids should not contain duplicates
✔ os-08: Entropy
✔ 3092 should >= 1000
✔ os-09: Check for .rhosts and .netrc file
✔ [] should be empty
✔ os-10: CIS: Disable unused filesystems
✔ File /etc/modprobe.d/dev-sec.conf content should match "install cramfs /bin/true"
✔ File /etc/modprobe.d/dev-sec.conf content should match "install freevxfs /bin/true"
✔ File /etc/modprobe.d/dev-sec.conf content should match "install jffs2 /bin/true"
✔ File /etc/modprobe.d/dev-sec.conf content should match "install hfs /bin/true"
✔ File /etc/modprobe.d/dev-sec.conf content should match "install hfsplus /bin/true"
✔ File /etc/modprobe.d/dev-sec.conf content should match "install squashfs /bin/true"
✔ File /etc/modprobe.d/dev-sec.conf content should match "install udf /bin/true"
✔ File /etc/modprobe.d/dev-sec.conf content should match "install vfat /bin/true"
✔ os-11: Protect log-directory
✔ File /var/log should be directory
✔ File /var/log should be owned by "root"
✔ File /var/log group should match /^root|syslog$/
✔ package-01: Do not run deprecated inetd or xinetd
✔ System Package inetd should not be installed
✔ System Package xinetd should not be installed
✔ package-02: Do not install Telnet server
✔ System Package telnetd should not be installed
✔ package-03: Do not install rsh server
✔ System Package rsh-server should not be installed
✔ package-05: Do not install ypserv server (NIS)
✔ System Package ypserv should not be installed
✔ package-06: Do not install tftp server
✔ System Package tftp-server should not be installed
× package-07: Install syslog server package
× System Package Attribute 'syslog_pkg' does not have a value. Skipping test. should be installed
expected that `System Package Attribute 'syslog_pkg' does not have a value. Skipping test.` is installed
✔ package-08: Install auditd
✔ System Package auditd should be installed
✔ Audit Daemon Config log_file should cmp == "/var/log/audit/audit.log"
✔ Audit Daemon Config log_format should cmp == "raw"
✔ Audit Daemon Config flush should match /^incremental|INCREMENTAL|incremental_async|INCREMENTAL_ASYNC$/
✔ Audit Daemon Config max_log_file_action should cmp == "keep_logs"
✔ Audit Daemon Config space_left should cmp == 75
✔ Audit Daemon Config action_mail_acct should cmp == "root"
✔ Audit Daemon Config space_left_action should cmp == "SYSLOG"
✔ Audit Daemon Config admin_space_left should cmp == 50
✔ Audit Daemon Config admin_space_left_action should cmp == "SUSPEND"
✔ Audit Daemon Config disk_full_action should cmp == "SUSPEND"
✔ Audit Daemon Config disk_error_action should cmp == "SUSPEND"
✔ package-09: CIS: Additional process hardening
✔ System Package prelink should not be installed
↺ sysctl-01: IPv4 Forwarding
↺ Skipped control due to only_if condition.
✔ sysctl-02: Reverse path filtering
✔ Kernel Parameter net.ipv4.conf.all.rp_filter value should eq 1
✔ Kernel Parameter net.ipv4.conf.default.rp_filter value should eq 1
✔ sysctl-03: ICMP ignore bogus error responses
✔ Kernel Parameter net.ipv4.icmp_ignore_bogus_error_responses value should eq 1
✔ sysctl-04: ICMP echo ignore broadcasts
✔ Kernel Parameter net.ipv4.icmp_echo_ignore_broadcasts value should eq 1
✔ sysctl-05: ICMP ratelimit
✔ Kernel Parameter net.ipv4.icmp_ratelimit value should eq 100
✔ sysctl-06: ICMP ratemask
✔ Kernel Parameter net.ipv4.icmp_ratemask value should eq 88089
✔ sysctl-07: TCP timestamps
✔ Kernel Parameter net.ipv4.tcp_timestamps value should eq 0
✔ sysctl-08: ARP ignore
✔ Kernel Parameter net.ipv4.conf.all.arp_ignore value should eq 1
✔ sysctl-09: ARP announce
✔ Kernel Parameter net.ipv4.conf.all.arp_announce value should eq 2
✔ sysctl-10: TCP RFC1337 Protect Against TCP Time-Wait
✔ Kernel Parameter net.ipv4.tcp_rfc1337 value should eq 1
✔ sysctl-11: Protection against SYN flood attacks
✔ Kernel Parameter net.ipv4.tcp_syncookies value should eq 1
✔ sysctl-12: Shared Media IP Architecture
✔ Kernel Parameter net.ipv4.conf.all.shared_media value should eq 1
✔ Kernel Parameter net.ipv4.conf.default.shared_media value should eq 1
✔ sysctl-13: Disable Source Routing
✔ Kernel Parameter net.ipv4.conf.all.accept_source_route value should eq 0
✔ Kernel Parameter net.ipv4.conf.default.accept_source_route value should eq 0
✔ sysctl-14: Disable acceptance of all IPv4 redirected packets
✔ Kernel Parameter net.ipv4.conf.default.accept_redirects value should eq 0
✔ Kernel Parameter net.ipv4.conf.all.accept_redirects value should eq 0
✔ sysctl-15: Disable acceptance of all secure redirected packets
✔ Kernel Parameter net.ipv4.conf.all.secure_redirects value should eq 0
✔ Kernel Parameter net.ipv4.conf.default.secure_redirects value should eq 0
✔ sysctl-16: Disable sending of redirects packets
✔ Kernel Parameter net.ipv4.conf.default.send_redirects value should eq 0
✔ Kernel Parameter net.ipv4.conf.all.send_redirects value should eq 0
✔ sysctl-17: Disable log martians
✔ Kernel Parameter net.ipv4.conf.all.log_martians value should eq 1
✔ Kernel Parameter net.ipv4.conf.default.log_martians value should eq 1
✔ sysctl-18: Disable IPv6 if it is not needed
✔ Kernel Parameter net.ipv6.conf.all.disable_ipv6 value should eq 1
↺ sysctl-19: IPv6 Forwarding
↺ Skipped control due to only_if condition.
✔ sysctl-20: Disable acceptance of all IPv6 redirected packets
✔ Kernel Parameter net.ipv6.conf.default.accept_redirects value should eq 0
✔ Kernel Parameter net.ipv6.conf.all.accept_redirects value should eq 0
✔ sysctl-21: Disable acceptance of IPv6 router solicitations messages
✔ Kernel Parameter net.ipv6.conf.default.router_solicitations value should eq 0
✔ sysctl-22: Disable Accept Router Preference from router advertisement
✔ Kernel Parameter net.ipv6.conf.default.accept_ra_rtr_pref value should eq 0
✔ sysctl-23: Disable learning Prefix Information from router advertisement
✔ Kernel Parameter net.ipv6.conf.default.accept_ra_pinfo value should eq 0
✔ sysctl-24: Disable learning Hop limit from router advertisement
✔ Kernel Parameter net.ipv6.conf.default.accept_ra_defrtr value should eq 0
✔ sysctl-25: Disable the system`s acceptance of router advertisement
✔ Kernel Parameter net.ipv6.conf.all.accept_ra value should eq 0
✔ Kernel Parameter net.ipv6.conf.default.accept_ra value should eq 0
✔ sysctl-26: Disable IPv6 autoconfiguration
✔ Kernel Parameter net.ipv6.conf.default.autoconf value should eq 0
✔ sysctl-27: Disable neighbor solicitations to send out per address
✔ Kernel Parameter net.ipv6.conf.default.dad_transmits value should eq 0
✔ sysctl-28: Assign one global unicast IPv6 addresses to each interface
✔ Kernel Parameter net.ipv6.conf.default.max_addresses value should eq 1
× sysctl-29: Disable loading kernel modules
× Kernel Parameter kernel.modules_disabled value should eq #<Inspec::Attribute::DEFAULT_ATTRIBUTE:0x000000052722e8 @name="kernel_modules_disabled">
can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to Array (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_ary gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
✔ sysctl-30: Magic SysRq
✔ Kernel Parameter kernel.sysrq value should eq 0
✔ sysctl-31a: Secure Core Dumps - dump settings
✔ Kernel Parameter fs.suid_dumpable value should cmp == /(0|2)/
✔ sysctl-31b: Secure Core Dumps - dump path
✔ Kernel Parameter kernel.core_pattern value should match /^|?/.*/
✔ sysctl-32: kernel.randomize_va_space
✔ Kernel Parameter kernel.randomize_va_space value should eq 2
✔ sysctl-33: CPU No execution Flag or Kernel ExecShield
✔ /proc/cpuinfo Flags should include NX
Profile Summary: 48 successful controls, 4 control failures, 3 controls skipped
Test Summary: 112 successful, 7 failures, 3 skipped
Author: CLJ
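
Added example (not part of the original post or of the linux-baseline project): a Ruby script that triages InSpec output like the run above, separating failed controls whose expected value was an unresolved attribute from failures that reflect the state of the target. The name `triage`, the regular expressions and the sample are assumptions; the sample lines are abridged from the output above, and the sysctl-30 failure in it is constructed.

```ruby
# Triage InSpec CLI output: a control that fails because its expected value is
# an unresolved attribute is an input error, not a finding against the host.

WARN_RE    = /WARN: Attribute '([^']+)' does not have a value/
CONTROL_RE = /^\s*([✔×↺])\s+([a-z]+-\d+[a-z]?):\s+(.*)$/
UNSET_RE   = /Inspec::Attribute::DEFAULT_ATTRIBUTE|Attribute '[^']+' does not have a value/
NAME_RE    = /@name="([^"]+)"|Attribute '([^']+)'/

# Returns { unset_attributes: [...], input_errors: { id => [attrs] }, findings: [ids] }
def triage(output)
  failed = {}
  current = nil
  output.each_line do |line|
    if (m = CONTROL_RE.match(line))
      # Control header line: track it only when the control failed.
      current = m[1] == '×' ? (failed[m[2]] = { attrs: [], unresolved: false }) : nil
    elsif current && line.match?(UNSET_RE)
      # Test or error line under a failed control that names an unset attribute.
      current[:unresolved] = true
      line.scan(NAME_RE) { |a, b| current[:attrs] |= [a || b] }
    end
  end
  input_errors, findings = failed.partition { |_, c| c[:unresolved] }
  { unset_attributes: output.scan(WARN_RE).flatten.uniq,
    input_errors: input_errors.map { |id, c| [id, c[:attrs]] }.to_h,
    findings: findings.map(&:first) }
end

# Sample input: lines abridged from the run above, plus one constructed genuine
# failure (sysctl-30 passed in the real run) to show the distinction.
SAMPLE = <<~'OUT'
  [2020-08-15T21:22:01+00:00] WARN: Attribute 'login_defs_umask' does not have a value.
  [2020-08-15T21:22:02+00:00] WARN: Attribute 'blacklist' does not have a value.
  [2020-08-15T21:22:02+00:00] WARN: Attribute 'syslog_pkg' does not have a value.
  ✔ os-04: Dot in PATH variable
     ✔ Environment variable PATH split should not include "."
  × os-05: Check login.defs (4 failed)
     × login.defs UMASK should include #<Inspec::Attribute::DEFAULT_ATTRIBUTE:0x00000005a1ea00 @name="login_defs_umask">
  × os-06: Check for SUID/ SGID blacklist
     × suid_check diff
     can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to Array
  × package-07: Install syslog server package
     × System Package Attribute 'syslog_pkg' does not have a value. Skipping test. should be installed
  × sysctl-30: Magic SysRq
     × Kernel Parameter kernel.sysrq value should eq 0
     expected: 0 got: 1
OUT

triage(SAMPLE).each { |key, value| puts "#{key}: #{value.inspect}" }
```

os-06 is reported as an input error with an empty attribute list because its error line carries no attribute name; the matching `blacklist` entry appears only in the WARN lines.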