Inspec exec linux-baseline
inspec exec linux-baseline

+---------------------------------------------+
            Chef License Acceptance

Before you can continue, 1 product license
must be accepted.

View the license at
https://www.chef.io/end-user-license-agreement/

License that need accepting:
  * Chef InSpec

Do you accept the 1 product license (yes/no)?

> yes

Persisting 1 product license...
✔ 1 product license persisted.

+---------------------------------------------+

Profile: DevSec Linux Security Baseline (linux-baseline)
Version: 2.8.0
Target:  local://

  ✔  os-01: Trusted hosts login
     ✔  File /etc/hosts.equiv is expected not to exist
  ✔  os-02: Check owner and permissions for /etc/shadow
     ✔  File /etc/shadow is expected to exist
     ✔  File /etc/shadow is expected to be file
     ✔  File /etc/shadow is expected to be owned by "root"
     ✔  File /etc/shadow is expected not to be executable
     ✔  File /etc/shadow is expected not to be readable by other
     ✔  File /etc/shadow group is expected to eq "shadow"
     ✔  File /etc/shadow is expected to be writable by owner
     ✔  File /etc/shadow is expected to be readable by owner
     ✔  File /etc/shadow is expected to be readable by group
  ✔  os-03: Check owner and permissions for /etc/passwd
     ✔  File /etc/passwd is expected to exist
     ✔  File /etc/passwd is expected to be file
     ✔  File /etc/passwd is expected to be owned by "root"
     ✔  File /etc/passwd is expected not to be executable
     ✔  File /etc/passwd is expected to be writable by owner
     ✔  File /etc/passwd is expected not to be writable by group
     ✔  File /etc/passwd is expected not to be writable by other
     ✔  File /etc/passwd is expected to be readable by owner
     ✔  File /etc/passwd is expected to be readable by group
     ✔  File /etc/passwd is expected to be readable by other
     ✔  File /etc/passwd group is expected to eq "root"
  ✔  os-03b: Check passwords hashes in /etc/passwd
     ✔  /etc/passwd passwords is expected to be in "x" and "*"
  ✔  os-04: Dot in PATH variable
     ✔  Environment variable PATH split is expected not to include ""
     ✔  Environment variable PATH split is expected not to include "."
  ×  os-05: Check login.defs (3 failed)
     ✔  File /etc/login.defs is expected to exist
     ✔  File /etc/login.defs is expected to be file
     ✔  File /etc/login.defs is expected to be owned by "root"
     ✔  File /etc/login.defs is expected not to be executable
     ✔  File /etc/login.defs is expected to be readable by owner
     ✔  File /etc/login.defs is expected to be readable by group
     ✔  File /etc/login.defs is expected to be readable by other
     ✔  File /etc/login.defs group is expected to eq "root"
     ✔  login.defs ENV_SUPATH is expected to include "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
     ✔  login.defs ENV_PATH is expected to include "/usr/local/bin:/usr/bin:/bin"
     ×  login.defs UMASK is expected to include "027"
     expected "022" to include "027"
     ×  login.defs PASS_MAX_DAYS is expected to eq "60"
     expected: "60"
          got: "99999"
     (compared using ==)
     ×  login.defs PASS_MIN_DAYS is expected to eq "7"
     expected: "7"
          got: "0"
     (compared using ==)
     ✔  login.defs PASS_WARN_AGE is expected to eq "7"
     ✔  login.defs LOGIN_RETRIES is expected to eq "5"
     ✔  login.defs LOGIN_TIMEOUT is expected to eq "60"
     ✔  login.defs UID_MIN is expected to eq "1000"
     ✔  login.defs GID_MIN is expected to eq "1000"
  ↺  os-05b: Check login.defs - RedHat specific
     ↺  Skipped control due to only_if condition.
  ✔  os-06: Check for SUID/ SGID blacklist
     ✔  suid_check diff is expected to be empty
  ✔  os-07: Unique uid and gid
     ✔  /etc/passwd uids is expected not to contain duplicates
     ✔  /etc/group gids is expected not to contain duplicates
  ✔  os-08: Entropy
     ✔  1369 is expected to >= 1000
  ✔  os-09: Check for .rhosts and .netrc file
     ✔  [] is expected to be empty
  ×  os-10: CIS: Disable unused filesystems (8 failed)
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install cramfs /bin/true"
     expected nil to match "install cramfs /bin/true"
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install freevxfs /bin/true"
     expected nil to match "install freevxfs /bin/true"
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install jffs2 /bin/true"
     expected nil to match "install jffs2 /bin/true"
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install hfs /bin/true"
     expected nil to match "install hfs /bin/true"
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install hfsplus /bin/true"
     expected nil to match "install hfsplus /bin/true"
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install squashfs /bin/true"
     expected nil to match "install squashfs /bin/true"
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install udf /bin/true"
     expected nil to match "install udf /bin/true"
     ×  File /etc/modprobe.d/dev-sec.conf content is expected to match "install vfat /bin/true"
     expected nil to match "install vfat /bin/true"
  ✔  os-11: Protect log-directory
     ✔  File /var/log is expected to be directory
     ✔  File /var/log is expected to be owned by "root"
     ✔  File /var/log group is expected to match /^root|syslog$/
  ×  os-12: Detect vulnerabilities in the cpu-vulnerability-directory (3 failed)
     ✔  File /sys/devices/system/cpu/vulnerabilities/ is expected to be directory
     ✔  File /sys/devices/system/cpu/vulnerabilities/spectre_v2 content is expected not to match "vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/spectre_v2 content is expected not to match "Vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/itlb_multihit content is expected not to match "vulnerable"
     ×  File /sys/devices/system/cpu/vulnerabilities/itlb_multihit content is expected not to match "Vulnerable"
     expected "KVM: Vulnerable\n" not to match "Vulnerable"
     Diff:
     @@ -1,2 +1,2 @@
     -Vulnerable
     +KVM: Vulnerable
     ✔  File /sys/devices/system/cpu/vulnerabilities/mds content is expected not to match "vulnerable"
     ×  File /sys/devices/system/cpu/vulnerabilities/mds content is expected not to match "Vulnerable"
     expected "Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown\n" not to match "Vulnerable"
     Diff:
     @@ -1,2 +1,2 @@
     -Vulnerable
     +Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
     ✔  File /sys/devices/system/cpu/vulnerabilities/l1tf content is expected not to match "vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/l1tf content is expected not to match "Vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/spec_store_bypass content is expected not to match "vulnerable"
     ×  File /sys/devices/system/cpu/vulnerabilities/spec_store_bypass content is expected not to match "Vulnerable"
     expected "Vulnerable\n" not to match "Vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/tsx_async_abort content is expected not to match "vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/tsx_async_abort content is expected not to match "Vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/spectre_v1 content is expected not to match "vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/spectre_v1 content is expected not to match "Vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/srbds content is expected not to match "vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/srbds content is expected not to match "Vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/meltdown content is expected not to match "vulnerable"
     ✔  File /sys/devices/system/cpu/vulnerabilities/meltdown content is expected not to match "Vulnerable"
  ×  os-13: Protect cron directories and files (12 failed)
     ✔  File /etc/crontab is expected to be owned by "root"
     ✔  File /etc/crontab is expected not to be writable by group
     ✔  File /etc/crontab is expected not to be writable by other
     ×  File /etc/crontab is expected not to be readable by group
     expected File /etc/crontab not to be readable by group
     ×  File /etc/crontab is expected not to be readable by other
     expected File /etc/crontab not to be readable by other
     ✔  File /etc/cron.hourly is expected to be owned by "root"
     ✔  File /etc/cron.hourly is expected not to be writable by group
     ✔  File /etc/cron.hourly is expected not to be writable by other
     ×  File /etc/cron.hourly is expected not to be readable by group
     expected File /etc/cron.hourly not to be readable by group
     ×  File /etc/cron.hourly is expected not to be readable by other
     expected File /etc/cron.hourly not to be readable by other
     ✔  File /etc/cron.daily is expected to be owned by "root"
     ✔  File /etc/cron.daily is expected not to be writable by group
     ✔  File /etc/cron.daily is expected not to be writable by other
     ×  File /etc/cron.daily is expected not to be readable by group
     expected File /etc/cron.daily not to be readable by group
     ×  File /etc/cron.daily is expected not to be readable by other
     expected File /etc/cron.daily not to be readable by other
     ✔  File /etc/cron.weekly is expected to be owned by "root"
     ✔  File /etc/cron.weekly is expected not to be writable by group
     ✔  File /etc/cron.weekly is expected not to be writable by other
     ×  File /etc/cron.weekly is expected not to be readable by group
     expected File /etc/cron.weekly not to be readable by group
     ×  File /etc/cron.weekly is expected not to be readable by other
     expected File /etc/cron.weekly not to be readable by other
     ✔  File /etc/cron.monthly is expected to be owned by "root"
     ✔  File /etc/cron.monthly is expected not to be writable by group
     ✔  File /etc/cron.monthly is expected not to be writable by other
     ×  File /etc/cron.monthly is expected not to be readable by group
     expected File /etc/cron.monthly not to be readable by group
     ×  File /etc/cron.monthly is expected not to be readable by other
     expected File /etc/cron.monthly not to be readable by other
     ✔  File /etc/cron.d is expected to be owned by "root"
     ✔  File /etc/cron.d is expected not to be writable by group
     ✔  File /etc/cron.d is expected not to be writable by other
     ×  File /etc/cron.d is expected not to be readable by group
     expected File /etc/cron.d not to be readable by group
     ×  File /etc/cron.d is expected not to be readable by other
     expected File /etc/cron.d not to be readable by other
  ✔  package-01: Do not run deprecated inetd or xinetd
     ✔  System Package inetd is expected not to be installed
     ✔  System Package xinetd is expected not to be installed
  ✔  package-02: Do not install Telnet server
     ✔  System Package telnetd is expected not to be installed
  ✔  package-03: Do not install rsh server
     ✔  System Package rsh-server is expected not to be installed
  ✔  package-05: Do not install ypserv server (NIS)
     ✔  System Package ypserv is expected not to be installed
  ✔  package-06: Do not install tftp server
     ✔  System Package tftp-server is expected not to be installed
  ↺  package-08: Install auditd (1 failed) (1 skipped)
     ×  System Package auditd is expected to be installed
     expected that `System Package auditd` is installed
     ↺  Can't find file: /etc/audit/auditd.conf
  ✔  package-09: CIS: Additional process hardening
     ✔  System Package prelink is expected not to be installed
  ×  sysctl-01: IPv4 Forwarding (2 failed)
     ×  Kernel Parameter net.ipv4.ip_forward value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
     ×  Kernel Parameter net.ipv4.conf.all.forwarding value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
  ×  sysctl-02: Reverse path filtering (2 failed)
     ×  Kernel Parameter net.ipv4.conf.all.rp_filter value is expected to eq 1
     expected: 1
          got: 2
     (compared using ==)
     ×  Kernel Parameter net.ipv4.conf.default.rp_filter value is expected to eq 1
     expected: 1
          got: 2
     (compared using ==)
  ✔  sysctl-03: ICMP ignore bogus error responses
     ✔  Kernel Parameter net.ipv4.icmp_ignore_bogus_error_responses value is expected to eq 1
  ✔  sysctl-04: ICMP echo ignore broadcasts
     ✔  Kernel Parameter net.ipv4.icmp_echo_ignore_broadcasts value is expected to eq 1
  ×  sysctl-05: ICMP ratelimit
     ×  Kernel Parameter net.ipv4.icmp_ratelimit value is expected to eq 100
     expected: 100
          got: 1000
     (compared using ==)
  ×  sysctl-06: ICMP ratemask
     ×  Kernel Parameter net.ipv4.icmp_ratemask value is expected to eq 88089
     expected: 88089
          got: 6168
     (compared using ==)
  ×  sysctl-07: TCP timestamps
     ×  Kernel Parameter net.ipv4.tcp_timestamps value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
  ×  sysctl-08: ARP ignore
     ×  Kernel Parameter net.ipv4.conf.all.arp_ignore value is expected to cmp == /(1|2)/
     expected: (?-mix:(1|2))
          got: 0
     (compared using `cmp` matcher)
  ×  sysctl-09: ARP announce
     ×  Kernel Parameter net.ipv4.conf.all.arp_announce value is expected to eq 2
     expected: 2
          got: 0
     (compared using ==)
  ×  sysctl-10: TCP RFC1337 Protect Against TCP Time-Wait
     ×  Kernel Parameter net.ipv4.tcp_rfc1337 value is expected to eq 1
     expected: 1
          got: 0
     (compared using ==)
  ✔  sysctl-11: Protection against SYN flood attacks
     ✔  Kernel Parameter net.ipv4.tcp_syncookies value is expected to eq 1
  ✔  sysctl-12: Shared Media IP Architecture
     ✔  Kernel Parameter net.ipv4.conf.all.shared_media value is expected to eq 1
     ✔  Kernel Parameter net.ipv4.conf.default.shared_media value is expected to eq 1
  ×  sysctl-13: Disable Source Routing (1 failed)
     ✔  Kernel Parameter net.ipv4.conf.all.accept_source_route value is expected to eq 0
     ×  Kernel Parameter net.ipv4.conf.default.accept_source_route value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
     ✔  Kernel Parameter net.ipv6.conf.all.accept_source_route value is expected to eq 0
     ✔  Kernel Parameter net.ipv6.conf.default.accept_source_route value is expected to eq 0
  ×  sysctl-14: Disable acceptance of all IPv4 redirected packets (1 failed)
     ×  Kernel Parameter net.ipv4.conf.default.accept_redirects value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
     ✔  Kernel Parameter net.ipv4.conf.all.accept_redirects value is expected to eq 0
  ×  sysctl-15: Disable acceptance of all secure redirected packets (2 failed)
     ×  Kernel Parameter net.ipv4.conf.all.secure_redirects value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
     ×  Kernel Parameter net.ipv4.conf.default.secure_redirects value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
  ×  sysctl-16: Disable sending of redirects packets (2 failed)
     ×  Kernel Parameter net.ipv4.conf.default.send_redirects value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
     ×  Kernel Parameter net.ipv4.conf.all.send_redirects value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
  ×  sysctl-17: Disable log martians (2 failed)
     ×  Kernel Parameter net.ipv4.conf.all.log_martians value is expected to eq 1
     expected: 1
          got: 0
     (compared using ==)
     ×  Kernel Parameter net.ipv4.conf.default.log_martians value is expected to eq 1
     expected: 1
          got: 0
     (compared using ==)
  ✔  sysctl-19: IPv6 Forwarding
     ✔  Kernel Parameter net.ipv6.conf.all.forwarding value is expected to eq 0
  ×  sysctl-20: Disable acceptance of all IPv6 redirected packets (2 failed)
     ×  Kernel Parameter net.ipv6.conf.default.accept_redirects value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
     ×  Kernel Parameter net.ipv6.conf.all.accept_redirects value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
  ×  sysctl-21: Disable acceptance of IPv6 router solicitations messages
     ×  Kernel Parameter net.ipv6.conf.default.router_solicitations value is expected to eq 0
     expected: 0
          got: "-1"
     (compared using ==)
  ×  sysctl-22: Disable Accept Router Preference from router advertisement
     ×  Kernel Parameter net.ipv6.conf.default.accept_ra_rtr_pref value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
  ×  sysctl-23: Disable learning Prefix Information from router advertisement
     ×  Kernel Parameter net.ipv6.conf.default.accept_ra_pinfo value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
  ×  sysctl-24: Disable learning Hop limit from router advertisement
     ×  Kernel Parameter net.ipv6.conf.default.accept_ra_defrtr value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
  ×  sysctl-25: Disable the system`s acceptance of router advertisement (2 failed)
     ×  Kernel Parameter net.ipv6.conf.all.accept_ra value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
     ×  Kernel Parameter net.ipv6.conf.default.accept_ra value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
  ×  sysctl-26: Disable IPv6 autoconfiguration
     ×  Kernel Parameter net.ipv6.conf.default.autoconf value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
  ×  sysctl-27: Disable neighbor solicitations to send out per address
     ×  Kernel Parameter net.ipv6.conf.default.dad_transmits value is expected to eq 0
     expected: 0
          got: 1
     (compared using ==)
  ×  sysctl-28: Assign one global unicast IPv6 addresses to each interface
     ×  Kernel Parameter net.ipv6.conf.default.max_addresses value is expected to eq 1
     expected: 1
          got: 16
     (compared using ==)
  ✔  sysctl-29: Disable loading kernel modules
     ✔  Kernel Parameter kernel.modules_disabled value is expected to eq 0
  ×  sysctl-30: Magic SysRq
     ×  Kernel Parameter kernel.sysrq value is expected to eq 0
     expected: 0
          got: 176
     (compared using ==)
  ✔  sysctl-31a: Secure Core Dumps - dump settings
     ✔  Kernel Parameter fs.suid_dumpable value is expected to cmp == /(0|2)/
  ✔  sysctl-31b: Secure Core Dumps - dump path
     ✔  Kernel Parameter kernel.core_pattern value is expected to match /^\|?\/.*/
  ✔  sysctl-32: kernel.randomize_va_space
     ✔  Kernel Parameter kernel.randomize_va_space value is expected to eq 2
  ✔  sysctl-33: CPU No execution Flag or Kernel ExecShield
     ✔  /proc/cpuinfo Flags should include NX

Profile Summary: 26 successful controls, 28 control failures, 1 control skipped
Test Summary: 103 successful, 57 failures, 2 skipped
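Most of the failures in the run above come down to four things: three values in /etc/login.defs (os-05), a missing /etc/modprobe.d/dev-sec.conf (os-10), group/other read bits on the cron directories (os-13), and about thirty kernel parameters (sysctl-*). The POSIX shell below is an added remediation example; it is not part of the page or of the DevSec linux-baseline project. It writes every change under a prefix directory (default: the live root) so the result can be previewed in a scratch tree first. The file name 90-devsec-baseline.conf and the function names are this example's own choices; dev-sec.conf is the path os-10 actually greps, and the values are the ones the controls expect.

```shell
#!/bin/sh
# Added example: remediate the failing os-05, os-10, os-13 and sysctl-*
# controls of linux-baseline 2.8.0. Not project code. Each function takes
# an optional prefix so you can run it against a scratch directory first.

write_sysctl_hardening() {
    prefix="${1:-}"
    mkdir -p "$prefix/etc/sysctl.d"
    # File name is this example's choice; apply later with: sysctl --system
    cat > "$prefix/etc/sysctl.d/90-devsec-baseline.conf" <<'EOF'
# Values chosen to satisfy the failing sysctl-* controls of linux-baseline 2.8.0.
# Drop the first four lines on a router, Docker or Kubernetes host: those
# need ip_forward=1 and usually keep rp_filter=2 (loose mode) on purpose.
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_ratelimit = 100
net.ipv4.icmp_ratemask = 88089
net.ipv4.tcp_timestamps = 0
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.tcp_rfc1337 = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
kernel.sysrq = 0
EOF
}

write_modprobe_blacklist() {
    prefix="${1:-}"
    mkdir -p "$prefix/etc/modprobe.d"
    # os-10 greps this exact file for "install <fs> /bin/true" per filesystem.
    for fs in cramfs freevxfs jffs2 hfs hfsplus squashfs udf vfat; do
        printf 'install %s /bin/true\n' "$fs"
    done > "$prefix/etc/modprobe.d/dev-sec.conf"
}

harden_login_defs() {
    f="$1"   # path to a login.defs file
    # os-05: rewrite the value of an active directive, or append it if absent.
    # Commented-out "#KEY" lines are left alone because the pattern is anchored.
    for kv in "UMASK 027" "PASS_MAX_DAYS 60" "PASS_MIN_DAYS 7"; do
        key="${kv%% *}"; val="${kv#* }"
        if grep -q "^$key[[:space:]]" "$f"; then
            sed "s/^\($key[[:space:]][[:space:]]*\).*/\1$val/" "$f" > "$f.tmp" \
                && mv "$f.tmp" "$f"
        else
            printf '%s\t%s\n' "$key" "$val" >> "$f"
        fi
    done
}

harden_cron_perms() {
    prefix="${1:-}"
    # os-13: cron entries must not be readable by group or other.
    [ -f "$prefix/etc/crontab" ] && chmod 0600 "$prefix/etc/crontab"
    for d in cron.hourly cron.daily cron.weekly cron.monthly cron.d; do
        [ -d "$prefix/etc/$d" ] && chmod 0700 "$prefix/etc/$d"
    done
    return 0
}

# Usage against the live system (as root), then re-run the profile:
#   write_sysctl_hardening; sysctl --system
#   write_modprobe_blacklist
#   harden_login_defs /etc/login.defs
#   harden_cron_perms
```

Two caveats before applying this blindly. The login.defs values only affect accounts created afterwards; existing users need `chage -M 60 -m 7 <user>`. Blacklisting squashfs breaks snap packages on Ubuntu, and blacklisting vfat prevents mounting an EFI system partition, so check what the host actually mounts before writing dev-sec.conf. The remaining failures are not file edits: package-08 needs the distribution's auditd package installed, and the os-12 findings (itlb_multihit reporting "KVM: Vulnerable", mds reporting "no microcode", spec_store_bypass "Vulnerable") are fixed by CPU microcode, kernel mitigation settings or the hypervisor, not by anything inside the guest's /etc.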