|
20 | 20 | log_dir_group = 'root' |
21 | 21 | log_dir_group = 'syslog' if os.name == 'ubuntu' && os[:release].to_i >= 14 |
22 | 22 | login_defs_umask = attribute('login_defs_umask', default: os.redhat? ? '077' : '027', description: 'Default umask to set in login.defs') |
| 23 | + |
23 | 24 | login_defs_passmaxdays = attribute('login_defs_passmaxdays', default: '60', description: 'Default password maxdays to set in login.defs') |
24 | 25 | login_defs_passmindays = attribute('login_defs_passmindays', default: '7', description: 'Default password mindays to set in login.defs') |
25 | 26 | login_defs_passwarnage = attribute('login_defs_passwarnage', default: '7', description: 'Default password warnage (days) to set in login.defs') |
| 27 | + |
26 | 28 | shadow_group = 'root' |
27 | 29 | shadow_group = 'shadow' if os.debian? || os.suse? |
| 30 | + |
28 | 31 | blacklist = attribute( |
29 | 32 | 'blacklist', |
30 | | - default: [ |
31 | | - # blacklist as provided by NSA |
32 | | - '/usr/bin/rcp', '/usr/bin/rlogin', '/usr/bin/rsh', |
33 | | - # sshd must not use host-based authentication (see ssh cookbook) |
34 | | - '/usr/libexec/openssh/ssh-keysign', |
35 | | - '/usr/lib/openssh/ssh-keysign', |
36 | | - # misc others |
37 | | - '/sbin/netreport', # not normally required for user |
38 | | - '/usr/sbin/usernetctl', # modify interfaces via functional accounts |
39 | | - # connecting to ... |
40 | | - '/usr/sbin/userisdnctl', # no isdn... |
41 | | - '/usr/sbin/pppd', # no ppp / dsl ... |
42 | | - # lockfile |
43 | | - '/usr/bin/lockfile', |
44 | | - '/usr/bin/mail-lock', |
45 | | - '/usr/bin/mail-unlock', |
46 | | - '/usr/bin/mail-touchlock', |
47 | | - '/usr/bin/dotlockfile', |
48 | | - # need more investigation, blacklist for now |
49 | | - '/usr/bin/arping', |
50 | | - '/usr/sbin/arping', |
51 | | - '/usr/sbin/uuidd', |
52 | | - '/usr/bin/mtr', # investigate current state... |
53 | | - '/usr/lib/evolution/camel-lock-helper-1.2', # investigate current state... |
54 | | - '/usr/lib/pt_chown', # pseudo-tty, needed? |
55 | | - '/usr/lib/eject/dmcrypt-get-device', |
56 | | - '/usr/lib/mc/cons.saver' # midnight commander screensaver |
57 | | - # from Ubuntu xenial, need to investigate |
58 | | - # '/sbin/unix_chkpwd', |
59 | | - # '/sbin/pam_extrausers_chkpwd', |
60 | | - # '/usr/lib/x86_64-linux-gnu/utempter/utempter', |
61 | | - # '/usr/sbin/postdrop', |
62 | | - # '/usr/sbin/postqueue', |
63 | | - # '/usr/bin/ssh-agent', |
64 | | - # '/usr/bin/mlocate', |
65 | | - # '/usr/bin/crontab', |
66 | | - # '/usr/bin/screen', |
67 | | - # '/usr/bin/expiry', |
68 | | - # '/usr/bin/wall', |
69 | | - # '/usr/bin/chage', |
70 | | - # '/usr/bin/bsd-write' |
71 | | - ], |
| 33 | + default: suid_blacklist.default, |
72 | 34 | description: 'blacklist of suid/sgid program on system' |
73 | 35 | ) |
74 | 36 |
|
|
193 | 155 | title 'Check for SUID/ SGID blacklist' |
194 | 156 | desc 'Find blacklisted SUID and SGID files to ensure that no rogue SUID and SGID files have been introduced into the system' |
195 | 157 |
|
196 | | - output = command('find / -perm -4000 -o -perm -2000 -type f ! -path \'/proc/*\' ! -path \'/var/lib/lxd/containers/*\' -print 2>/dev/null | grep -v \'^find:\'') |
197 | | - diff = output.stdout.split(/\r?\n/) & blacklist |
198 | | - describe diff do |
199 | | - it { should be_empty } |
| 158 | + describe suid_check(blacklist) do |
| 159 | + its('diff') { should be_empty } |
200 | 160 | end |
201 | 161 | end |
202 | 162 |
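Review bot: The `describe suid_check(blacklist)` call on the new line 158 hides the path exclusions (`! -path '/proc/*'`, `! -path '/var/lib/lxd/containers/*'`) and the stderr filtering that the removed find pipeline carried, and nothing in this hunk shows that the custom resource applies the same exclusions. If it does not, the control will report setuid binaries inside lxd container roots (and pseudo-filesystem noise) as rogue files on container hosts, so that behaviour should be confirmed in the resource before relying on it. The old form also printed the intersection itself as the describe subject on failure, whereas `its('diff')` on a resource object will only name the offending paths if `suid_check` defines a `to_s` or the message is otherwise customised; worth checking so a failing run still lists which blacklisted binaries were found. A one-line comment above the describe, e.g. `# suid_check (profile resource) walks the filesystem for setuid/setgid files and exposes the intersection with the blacklist as 'diff'`, would make the contract visible to readers of this control.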
|
|