Inspec exec linux-baseline
Jump to navigation
Jump to search
inspec exec linux-baseline +---------------------------------------------+ Chef License Acceptance Before you can continue, 1 product license must be accepted. View the license at https://www.chef.io/end-user-license-agreement/ License that need accepting: * Chef InSpec Do you accept the 1 product license (yes/no)? > yes Persisting 1 product license... ✔ 1 product license persisted. +---------------------------------------------+ Profile: DevSec Linux Security Baseline (linux-baseline) Version: 2.8.0 Target: local:// ✔ os-01: Trusted hosts login ✔ File /etc/hosts.equiv is expected not to exist ✔ os-02: Check owner and permissions for /etc/shadow ✔ File /etc/shadow is expected to exist ✔ File /etc/shadow is expected to be file ✔ File /etc/shadow is expected to be owned by "root" ✔ File /etc/shadow is expected not to be executable ✔ File /etc/shadow is expected not to be readable by other ✔ File /etc/shadow group is expected to eq "shadow" ✔ File /etc/shadow is expected to be writable by owner ✔ File /etc/shadow is expected to be readable by owner ✔ File /etc/shadow is expected to be readable by group ✔ os-03: Check owner and permissions for /etc/passwd ✔ File /etc/passwd is expected to exist ✔ File /etc/passwd is expected to be file ✔ File /etc/passwd is expected to be owned by "root" ✔ File /etc/passwd is expected not to be executable ✔ File /etc/passwd is expected to be writable by owner ✔ File /etc/passwd is expected not to be writable by group ✔ File /etc/passwd is expected not to be writable by other ✔ File /etc/passwd is expected to be readable by owner ✔ File /etc/passwd is expected to be readable by group ✔ File /etc/passwd is expected to be readable by other ✔ File /etc/passwd group is expected to eq "root" ✔ os-03b: Check passwords hashes in /etc/passwd ✔ /etc/passwd passwords is expected to be in "x" and "*" ✔ os-04: Dot in PATH variable ✔ Environment variable PATH split is expected not to include "" ✔ Environment variable PATH split is expected not to include "." × os-05: Check login.defs (3 failed) ✔ File /etc/login.defs is expected to exist ✔ File /etc/login.defs is expected to be file ✔ File /etc/login.defs is expected to be owned by "root" ✔ File /etc/login.defs is expected not to be executable ✔ File /etc/login.defs is expected to be readable by owner ✔ File /etc/login.defs is expected to be readable by group ✔ File /etc/login.defs is expected to be readable by other ✔ File /etc/login.defs group is expected to eq "root" ✔ login.defs ENV_SUPATH is expected to include "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ✔ login.defs ENV_PATH is expected to include "/usr/local/bin:/usr/bin:/bin" × login.defs UMASK is expected to include "027" expected "022" to include "027" × login.defs PASS_MAX_DAYS is expected to eq "60" expected: "60" got: "99999" (compared using ==) × login.defs PASS_MIN_DAYS is expected to eq "7" expected: "7" got: "0" (compared using ==) ✔ login.defs PASS_WARN_AGE is expected to eq "7" ✔ login.defs LOGIN_RETRIES is expected to eq "5" ✔ login.defs LOGIN_TIMEOUT is expected to eq "60" ✔ login.defs UID_MIN is expected to eq "1000" ✔ login.defs GID_MIN is expected to eq "1000" ↺ os-05b: Check login.defs - RedHat specific ↺ Skipped control due to only_if condition. ✔ os-06: Check for SUID/ SGID blacklist ✔ suid_check diff is expected to be empty ✔ os-07: Unique uid and gid ✔ /etc/passwd uids is expected not to contain duplicates ✔ /etc/group gids is expected not to contain duplicates ✔ os-08: Entropy ✔ 1369 is expected to >= 1000 ✔ os-09: Check for .rhosts and .netrc file ✔ [] is expected to be empty × os-10: CIS: Disable unused filesystems (8 failed) × File /etc/modprobe.d/dev-sec.conf content is expected to match "install cramfs /bin/true" expected nil to match "install cramfs /bin/true" × File /etc/modprobe.d/dev-sec.conf content is expected to match "install freevxfs /bin/true" expected nil to match "install freevxfs /bin/true" × File /etc/modprobe.d/dev-sec.conf content is expected to match "install jffs2 /bin/true" expected nil to match "install jffs2 /bin/true" × File /etc/modprobe.d/dev-sec.conf content is expected to match "install hfs /bin/true" expected nil to match "install hfs /bin/true" × File /etc/modprobe.d/dev-sec.conf content is expected to match "install hfsplus /bin/true" expected nil to match "install hfsplus /bin/true" × File /etc/modprobe.d/dev-sec.conf content is expected to match "install squashfs /bin/true" expected nil to match "install squashfs /bin/true" × File /etc/modprobe.d/dev-sec.conf content is expected to match "install udf /bin/true" expected nil to match "install udf /bin/true" × File /etc/modprobe.d/dev-sec.conf content is expected to match "install vfat /bin/true" expected nil to match "install vfat /bin/true" ✔ os-11: Protect log-directory ✔ File /var/log is expected to be directory ✔ File /var/log is expected to be owned by "root" ✔ File /var/log group is expected to match /^root|syslog$/ × os-12: Detect vulnerabilities in the cpu-vulnerability-directory (3 failed) ✔ File /sys/devices/system/cpu/vulnerabilities/ is expected to be directory ✔ File /sys/devices/system/cpu/vulnerabilities/spectre_v2 content is expected not to match "vulnerable" ✔ File /sys/devices/system/cpu/vulnerabilities/spectre_v2 content is expected not to match "Vulnerable" ✔ File /sys/devices/system/cpu/vulnerabilities/itlb_multihit content is expected not to match "vulnerable" × File /sys/devices/system/cpu/vulnerabilities/itlb_multihit content is expected not to match "Vulnerable" expected "KVM: Vulnerable\n" not to match "Vulnerable" Diff: @@ -1,2 +1,2 @@ -Vulnerable +KVM: Vulnerable ✔ File /sys/devices/system/cpu/vulnerabilities/mds content is expected not to match "vulnerable" × File /sys/devices/system/cpu/vulnerabilities/mds content is expected not to match "Vulnerable" expected "Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown\n" not to match "Vulnerable" Diff: @@ -1,2 +1,2 @@ -Vulnerable +Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown ✔ File /sys/devices/system/cpu/vulnerabilities/l1tf content is expected not to match "vulnerable" ✔ File /sys/devices/system/cpu/vulnerabilities/l1tf content is expected not to match "Vulnerable" ✔ File /sys/devices/system/cpu/vulnerabilities/spec_store_bypass content is expected not to match "vulnerable" × File /sys/devices/system/cpu/vulnerabilities/spec_store_bypass content is expected not to match "Vulnerable" expected "Vulnerable\n" not to match "Vulnerable" ✔ File /sys/devices/system/cpu/vulnerabilities/tsx_async_abort content is expected not to match "vulnerable" ✔ File /sys/devices/system/cpu/vulnerabilities/tsx_async_abort content is expected not to match "Vulnerable" ✔ File /sys/devices/system/cpu/vulnerabilities/spectre_v1 content is expected not to match "vulnerable" ✔ File /sys/devices/system/cpu/vulnerabilities/spectre_v1 content is expected not to match "Vulnerable" ✔ File /sys/devices/system/cpu/vulnerabilities/srbds content is expected not to match "vulnerable" ✔ File /sys/devices/system/cpu/vulnerabilities/srbds content is expected not to match "Vulnerable" ✔ File /sys/devices/system/cpu/vulnerabilities/meltdown content is expected not to match "vulnerable" ✔ File /sys/devices/system/cpu/vulnerabilities/meltdown content is expected not to match "Vulnerable" × os-13: Protect cron directories and files (12 failed) ✔ File /etc/crontab is expected to be owned by "root" ✔ File /etc/crontab is expected not to be writable by group ✔ File /etc/crontab is expected not to be writable by other × File /etc/crontab is expected not to be readable by group expected File /etc/crontab not to be readable by group × File /etc/crontab is expected not to be readable by other expected File /etc/crontab not to be readable by other ✔ File /etc/cron.hourly is expected to be owned by "root" ✔ File /etc/cron.hourly is expected not to be writable by group ✔ File /etc/cron.hourly is expected not to be writable by other × File /etc/cron.hourly is expected not to be readable by group expected File /etc/cron.hourly not to be readable by group × File /etc/cron.hourly is expected not to be readable by other expected File /etc/cron.hourly not to be readable by other ✔ File /etc/cron.daily is expected to be owned by "root" ✔ File /etc/cron.daily is expected not to be writable by group ✔ File /etc/cron.daily is expected not to be writable by other × File /etc/cron.daily is expected not to be readable by group expected File /etc/cron.daily not to be readable by group × File /etc/cron.daily is expected not to be readable by other expected File /etc/cron.daily not to be readable by other ✔ File /etc/cron.weekly is expected to be owned by "root" ✔ File /etc/cron.weekly is expected not to be writable by group ✔ File /etc/cron.weekly is expected not to be writable by other × File /etc/cron.weekly is expected not to be readable by group expected File /etc/cron.weekly not to be readable by group × File /etc/cron.weekly is expected not to be readable by other expected File /etc/cron.weekly not to be readable by other ✔ File /etc/cron.monthly is expected to be owned by "root" ✔ File /etc/cron.monthly is expected not to be writable by group ✔ File /etc/cron.monthly is expected not to be writable by other × File /etc/cron.monthly is expected not to be readable by group expected File /etc/cron.monthly not to be readable by group × File /etc/cron.monthly is expected not to be readable by other expected File /etc/cron.monthly not to be readable by other ✔ File /etc/cron.d is expected to be owned by "root" ✔ File /etc/cron.d is expected not to be writable by group ✔ File /etc/cron.d is expected not to be writable by other × File /etc/cron.d is expected not to be readable by group expected File /etc/cron.d not to be readable by group × File /etc/cron.d is expected not to be readable by other expected File /etc/cron.d not to be readable by other ✔ package-01: Do not run deprecated inetd or xinetd ✔ System Package inetd is expected not to be installed ✔ System Package xinetd is expected not to be installed ✔ package-02: Do not install Telnet server ✔ System Package telnetd is expected not to be installed ✔ package-03: Do not install rsh server ✔ System Package rsh-server is expected not to be installed ✔ package-05: Do not install ypserv server (NIS) ✔ System Package ypserv is expected not to be installed ✔ package-06: Do not install tftp server ✔ System Package tftp-server is expected not to be installed ↺ package-08: Install auditd (1 failed) (1 skipped) × System Package auditd is expected to be installed expected that `System Package auditd` is installed ↺ Can't find file: /etc/audit/auditd.conf ✔ package-09: CIS: Additional process hardening ✔ System Package prelink is expected not to be installed × sysctl-01: IPv4 Forwarding (2 failed) × Kernel Parameter net.ipv4.ip_forward value is expected to eq 0 expected: 0 got: 1 (compared using ==) × Kernel Parameter net.ipv4.conf.all.forwarding value is expected to eq 0 expected: 0 got: 1 (compared using ==) × sysctl-02: Reverse path filtering (2 failed) × Kernel Parameter net.ipv4.conf.all.rp_filter value is expected to eq 1 expected: 1 got: 2 (compared using ==) × Kernel Parameter net.ipv4.conf.default.rp_filter value is expected to eq 1 expected: 1 got: 2 (compared using ==) ✔ sysctl-03: ICMP ignore bogus error responses ✔ Kernel Parameter net.ipv4.icmp_ignore_bogus_error_responses value is expected to eq 1 ✔ sysctl-04: ICMP echo ignore broadcasts ✔ Kernel Parameter net.ipv4.icmp_echo_ignore_broadcasts value is expected to eq 1 × sysctl-05: ICMP ratelimit × Kernel Parameter net.ipv4.icmp_ratelimit value is expected to eq 100 expected: 100 got: 1000 (compared using ==) × sysctl-06: ICMP ratemask × Kernel Parameter net.ipv4.icmp_ratemask value is expected to eq 88089 expected: 88089 got: 6168 (compared using ==) × sysctl-07: TCP timestamps × Kernel Parameter net.ipv4.tcp_timestamps value is expected to eq 0 expected: 0 got: 1 (compared using ==) × sysctl-08: ARP ignore × Kernel Parameter net.ipv4.conf.all.arp_ignore value is expected to cmp == /(1|2)/ expected: (?-mix:(1|2)) got: 0 (compared using `cmp` matcher) × sysctl-09: ARP announce × Kernel Parameter net.ipv4.conf.all.arp_announce value is expected to eq 2 expected: 2 got: 0 (compared using ==) × sysctl-10: TCP RFC1337 Protect Against TCP Time-Wait × Kernel Parameter net.ipv4.tcp_rfc1337 value is expected to eq 1 expected: 1 got: 0 (compared using ==) ✔ sysctl-11: Protection against SYN flood attacks ✔ Kernel Parameter net.ipv4.tcp_syncookies value is expected to eq 1 ✔ sysctl-12: Shared Media IP Architecture ✔ Kernel Parameter net.ipv4.conf.all.shared_media value is expected to eq 1 ✔ Kernel Parameter net.ipv4.conf.default.shared_media value is expected to eq 1 × sysctl-13: Disable Source Routing (1 failed) ✔ Kernel Parameter net.ipv4.conf.all.accept_source_route value is expected to eq 0 × Kernel Parameter net.ipv4.conf.default.accept_source_route value is expected to eq 0 expected: 0 got: 1 (compared using ==) ✔ Kernel Parameter net.ipv6.conf.all.accept_source_route value is expected to eq 0 ✔ Kernel Parameter net.ipv6.conf.default.accept_source_route value is expected to eq 0 × sysctl-14: Disable acceptance of all IPv4 redirected packets (1 failed) × Kernel Parameter net.ipv4.conf.default.accept_redirects value is expected to eq 0 expected: 0 got: 1 (compared using ==) ✔ Kernel Parameter net.ipv4.conf.all.accept_redirects value is expected to eq 0 × sysctl-15: Disable acceptance of all secure redirected packets (2 failed) × Kernel Parameter net.ipv4.conf.all.secure_redirects value is expected to eq 0 expected: 0 got: 1 (compared using ==) × Kernel Parameter net.ipv4.conf.default.secure_redirects value is expected to eq 0 expected: 0 got: 1 (compared using ==) × sysctl-16: Disable sending of redirects packets (2 failed) × Kernel Parameter net.ipv4.conf.default.send_redirects value is expected to eq 0 expected: 0 got: 1 (compared using ==) × Kernel Parameter net.ipv4.conf.all.send_redirects value is expected to eq 0 expected: 0 got: 1 (compared using ==) × sysctl-17: Disable log martians (2 failed) × Kernel Parameter net.ipv4.conf.all.log_martians value is expected to eq 1 expected: 1 got: 0 (compared using ==) × Kernel Parameter net.ipv4.conf.default.log_martians value is expected to eq 1 expected: 1 got: 0 (compared using ==) ✔ sysctl-19: IPv6 Forwarding ✔ Kernel Parameter net.ipv6.conf.all.forwarding value is expected to eq 0 × sysctl-20: Disable acceptance of all IPv6 redirected packets (2 failed) × Kernel Parameter net.ipv6.conf.default.accept_redirects value is expected to eq 0 expected: 0 got: 1 (compared using ==) × Kernel Parameter net.ipv6.conf.all.accept_redirects value is expected to eq 0 expected: 0 got: 1 (compared using ==) × sysctl-21: Disable acceptance of IPv6 router solicitations messages × Kernel Parameter net.ipv6.conf.default.router_solicitations value is expected to eq 0 expected: 0 got: "-1" (compared using ==) × sysctl-22: Disable Accept Router Preference from router advertisement × Kernel Parameter net.ipv6.conf.default.accept_ra_rtr_pref value is expected to eq 0 expected: 0 got: 1 (compared using ==) × sysctl-23: Disable learning Prefix Information from router advertisement × Kernel Parameter net.ipv6.conf.default.accept_ra_pinfo value is expected to eq 0 expected: 0 got: 1 (compared using ==) × sysctl-24: Disable learning Hop limit from router advertisement × Kernel Parameter net.ipv6.conf.default.accept_ra_defrtr value is expected to eq 0 expected: 0 got: 1 (compared using ==) × sysctl-25: Disable the system`s acceptance of router advertisement (2 failed) × Kernel Parameter net.ipv6.conf.all.accept_ra value is expected to eq 0 expected: 0 got: 1 (compared using ==) × Kernel Parameter net.ipv6.conf.default.accept_ra value is expected to eq 0 expected: 0 got: 1 (compared using ==) × sysctl-26: Disable IPv6 autoconfiguration × Kernel Parameter net.ipv6.conf.default.autoconf value is expected to eq 0 expected: 0 got: 1 (compared using ==) × sysctl-27: Disable neighbor solicitations to send out per address × Kernel Parameter net.ipv6.conf.default.dad_transmits value is expected to eq 0 expected: 0 got: 1 (compared using ==) × sysctl-28: Assign one global unicast IPv6 addresses to each interface × Kernel Parameter net.ipv6.conf.default.max_addresses value is expected to eq 1 expected: 1 got: 16 (compared using ==) ✔ sysctl-29: Disable loading kernel modules ✔ Kernel Parameter kernel.modules_disabled value is expected to eq 0 × sysctl-30: Magic SysRq × Kernel Parameter kernel.sysrq value is expected to eq 0 expected: 0 got: 176 (compared using ==) ✔ sysctl-31a: Secure Core Dumps - dump settings ✔ Kernel Parameter fs.suid_dumpable value is expected to cmp == /(0|2)/ ✔ sysctl-31b: Secure Core Dumps - dump path ✔ Kernel Parameter kernel.core_pattern value is expected to match /^\|?\/.*/ ✔ sysctl-32: kernel.randomize_va_space ✔ Kernel Parameter kernel.randomize_va_space value is expected to eq 2 ✔ sysctl-33: CPU No execution Flag or Kernel ExecShield ✔ /proc/cpuinfo Flags should include NX Profile Summary: 26 successful controls, 28 control failures, 1 control skipped Test Summary: 103 successful, 57 failures, 2 skipped
See also
Advertising: