Processed feedback from original PR

Processed the feedback given on original PR dev-sec#54

Signed-off-by: Frank van Boven <[email protected]>

Author: fatbasstard

controls/1_1_filesystem_configuration.rb

@@ -237,96 +237,28 @@
   end
 end
 
-# There is a mistake in the official CIS DIL documentaion 1.1.10-1.1.14 are
-# duplicates of 1.1.9. So I used "skipped" to keep the order of the numbering.
-control 'cis-dil-benchmark-1.1.10' do
-  title 'Ensure noexec option set on /var/tmp partition'
-  desc  "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
+control 'cis-dil-benchmark-1.1.15' do
+  title 'Ensure separate partition exists for /var/log'
+  desc  "The /var/log directory is used by system services to store log data .\n\nRationale: There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
   impact 1.0
 
-  tag cis: 'distribution-independent-linux:1.1.10'
-  tag level: 1
-
-  describe 'cis-dil-benchmark-1.1.10' do
-    skip 'Duplicate of cis-dil-benchmark-1.1.9'
-  end
-end
-
-control 'cis-dil-benchmark-1.1.11' do
-  title 'Ensure noexec option set on /var/tmp partition'
-  desc  "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
-  impact 1.0
-
-  tag cis: 'distribution-independent-linux:1.1.11'
-  tag level: 1
-
-  
-  describe 'cis-dil-benchmark-1.1.11' do
-    skip 'Duplicate of cis-dil-benchmark-1.1.9'
-  end
-end
-
-control 'cis-dil-benchmark-1.1.12' do
-  title 'Ensure noexec option set on /var/tmp partition'
-  desc  "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
-  impact 1.0
-
-  tag cis: 'distribution-independent-linux:1.1.12'
-  tag level: 1
-
-  describe 'cis-dil-benchmark-1.1.12' do
-    skip 'Duplicate of cis-dil-benchmark-1.1.9'
-  end
-end
-
-control 'cis-dil-benchmark-1.1.13' do
-  title 'Ensure noexec option set on /var/tmp partition'
-  desc  "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
-  impact 1.0
-
-  tag cis: 'distribution-independent-linux:1.1.13'
-  tag level: 1
-
-  describe 'cis-dil-benchmark-1.1.13' do
-    skip 'Duplicate of cis-dil-benchmark-1.1.9'
-  end
-end
-
-control 'cis-dil-benchmark-1.1.14' do
-  title 'Ensure noexec option set on /var/tmp partition'
-  desc  "The noexec mount option specifies that the filesystem cannot contain executable binaries.\n\nRationale: Since the /var/tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot run executable binaries from /var/tmp."
-  impact 1.0
-
-  tag cis: 'distribution-independent-linux:1.1.14'
-  tag level: 1
-  
-  describe 'cis-dil-benchmark-1.1.14' do
-    skip 'Duplicate of cis-dil-benchmark-1.1.9'
-  end
-end
-
-if cis_level == '2'
-  control 'cis-dil-benchmark-1.1.15' do
-    title 'Ensure separate partition exists for /var/log'
-    desc  "The /var/log directory is used by system services to store log data .\n\nRationale: There are two important reasons to ensure that system logs are stored on a separate partition: protection against resource exhaustion (since logs can grow quite large) and protection of audit data."
-    impact 1.0
+  tag cis: 'distribution-independent-linux:1.1.15'
+  tag level: 2
 
-    tag cis: 'distribution-independent-linux:1.1.15'
-    tag level: 2
+  only_if { cis_level == 2 }
 
   describe mount('/var/log') do
     it { should be_mounted }
   end
-  only_if { cis_level == 2 }
 end
 
-  control 'cis-dil-benchmark-1.1.16' do
-    title 'Ensure separate partition exists for /var/log/audit'
-    desc  "The auditing daemon, auditd, stores log data in the /var/log/audit directory.\n\nRationale: There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired."
-    impact 1.0
+control 'cis-dil-benchmark-1.1.16' do
+  title 'Ensure separate partition exists for /var/log/audit'
+  desc  "The auditing daemon, auditd, stores log data in the /var/log/audit directory.\n\nRationale: There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog) consume space in the same partition as auditd, it may not perform as desired."
+  impact 1.0
 
-    tag cis: 'distribution-independent-linux:1.1.16'
-    tag level: 2
+  tag cis: 'distribution-independent-linux:1.1.16'
+  tag level: 2
 
   only_if { cis_level == 2 }
 
@@ -335,13 +267,13 @@
   end
 end
 
-  control 'cis-dil-benchmark-1.1.17' do
-    title 'Ensure separate partition exists for /home'
-    desc  "The /home directory is used to support disk storage needs of local users.\n\nRationale: If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
-    impact 1.0
+control 'cis-dil-benchmark-1.1.17' do
+  title 'Ensure separate partition exists for /home'
+  desc  "The /home directory is used to support disk storage needs of local users.\n\nRationale: If the system is intended to support local users, create a separate partition for the /home directory to protect against resource exhaustion and restrict the type of files that can be stored under /home."
+  impact 1.0
 
-    tag cis: 'distribution-independent-linux:1.1.17'
-    tag level: 2
+  tag cis: 'distribution-independent-linux:1.1.17'
+  tag level: 2
 
   only_if { cis_level == 2 }
 

controls/4_1_configure_system_accounting_auditd.rb

@@ -240,16 +240,15 @@
   tag cis: 'distribution-independent-linux:4.1.9'
   tag level: 2
 
-    describe file('/etc/audit/audit.rules') do
-      its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EACCES -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) }
-      its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EPERM -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) }
-    end
+  describe file('/etc/audit/audit.rules') do
+    its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EACCES -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) }
+    its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EPERM -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) }
+  end
 
-    if command('uname -m').stdout.strip == 'x86_64'
-      describe file('/etc/audit/audit.rules') do
-        its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EACCES -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) }
-        its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EPERM -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) }
-      end
+  if command('uname -m').stdout.strip == 'x86_64'
+    describe file('/etc/audit/audit.rules') do
+      its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EACCES -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) }
+      its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 (-S creat -S open -S openat -S truncate -S ftruncate|-S creat,open,openat,open_by_handle_at,truncate,ftruncate) -F exit=-EPERM -F auid>=#{uid_min} -F auid!=4294967295 (-F key=access$|-k access$)/) }
     end
   end
 end
@@ -310,14 +309,13 @@
   tag cis: 'distribution-independent-linux:4.1.12'
   tag level: 2
 
-    describe file('/etc/audit/audit.rules') do
-      its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=#{uid_min} -F auid!=4294967295 (-k delete|-F key=delete)$/) }
-    end
+  describe file('/etc/audit/audit.rules') do
+    its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=#{uid_min} -F auid!=4294967295 (-k delete|-F key=delete)$/) }
+  end
 
-    if command('uname -m').stdout.strip == 'x86_64'
-      describe file('/etc/audit/audit.rules') do
-        its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=#{uid_min} -F auid!=4294967295 (-k delete|-F key=delete)$/) }
-      end
+  if command('uname -m').stdout.strip == 'x86_64'
+    describe file('/etc/audit/audit.rules') do
+      its(:content) { should match(/^-a (always,exit|exit,always) -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=#{uid_min} -F auid!=4294967295 (-k delete|-F key=delete)$/) }
     end
   end
 end

controls/4_2_configure_logging.rb

@@ -52,28 +52,28 @@
   end
 
   describe.one do
-    command('find /etc/rsyslog.d -name "*.conf"').stdout.split.each do |conf_file|      
+    command('find /etc/rsyslog.d -name "*.conf"').stdout.split.each do |conf_file|
       describe file(conf_file) do
-          its(:content) { should match(%r{^\*.emerg(\s)+:omusrmsg:\*}) }
-          its(:content) { should match(%r{^mail.\*(\s)+-/var/log/mail}) }
-          its(:content) { should match(%r{^mail.info(\s)+-/var/log/mail.info}) }
-          its(:content) { should match(%r{^mail.warning(\s)+-/var/log/mail.warn}) }
-          its(:content) { should match(%r{^mail.err(\s)+/var/log/mail.err}) }
-          its(:content) { should match(%r{^news.crit(\s)+-/var/log/news/news.crit}) }
-          its(:content) { should match(%r{^news.crit(\s)+-/var/log/news/news.crit}) }
-          its(:content) { should match(%r{^news.notice(\s)+-/var/log/news/news.notice}) }
-          its(:content) { should match(%r{^\*.=warning;\*.=err(\s)+-/var/log/warn}) }
-          its(:content) { should match(%r{^\*.crit(\s)+/var/log/warn}) }
-          its(:content) { should match(%r{^\*.\*;mail.none;news.none(\s)+-/var/log/messages}) }
-          its(:content) { should match(%r{^local0,local1.\*(\s)+-/var/log/localmessages}) }
-          its(:content) { should match(%r{^local2,local3.\*(\s)+-/var/log/localmessages}) }
-          its(:content) { should match(%r{^local2,local3.\*(\s)+-/var/log/localmessages}) }
-          its(:content) { should match(%r{^local4,local5.\*(\s)+-/var/log/localmessages}) }
-          its(:content) { should match(%r{^local6,local7.\*(\s)+-/var/log/localmessages}) }        
-      end      
+        its(:content) { should match(%r{^\*.emerg(\s)+:omusrmsg:\*}) }
+        its(:content) { should match(%r{^mail.\*(\s)+-/var/log/mail}) }
+        its(:content) { should match(%r{^mail.info(\s)+-/var/log/mail.info}) }
+        its(:content) { should match(%r{^mail.warning(\s)+-/var/log/mail.warn}) }
+        its(:content) { should match(%r{^mail.err(\s)+/var/log/mail.err}) }
+        its(:content) { should match(%r{^news.crit(\s)+-/var/log/news/news.crit}) }
+        its(:content) { should match(%r{^news.crit(\s)+-/var/log/news/news.crit}) }
+        its(:content) { should match(%r{^news.notice(\s)+-/var/log/news/news.notice}) }
+        its(:content) { should match(%r{^\*.=warning;\*.=err(\s)+-/var/log/warn}) }
+        its(:content) { should match(%r{^\*.crit(\s)+/var/log/warn}) }
+        its(:content) { should match(%r{^\*.\*;mail.none;news.none(\s)+-/var/log/messages}) }
+        its(:content) { should match(%r{^local0,local1.\*(\s)+-/var/log/localmessages}) }
+        its(:content) { should match(%r{^local2,local3.\*(\s)+-/var/log/localmessages}) }
+        its(:content) { should match(%r{^local2,local3.\*(\s)+-/var/log/localmessages}) }
+        its(:content) { should match(%r{^local4,local5.\*(\s)+-/var/log/localmessages}) }
+        its(:content) { should match(%r{^local6,local7.\*(\s)+-/var/log/localmessages}) }
+      end
     end
 
-    describe file('/etc/rsyslog.conf') do      
+    describe file('/etc/rsyslog.conf') do
       its(:content) { should match(%r{^\*.emerg(\s)+:omusrmsg:\*}) }
       its(:content) { should match(%r{^mail.\*(\s)+-/var/log/mail}) }
       its(:content) { should match(%r{^mail.info(\s)+-/var/log/mail.info}) }

controls/5_4_user_accounts_and_environments.rb

@@ -27,8 +27,6 @@
 
 time_now = Time.now.to_i
 
-
-
 # The official documentation specifying 365 days in the description but, using
 # 90 as an example settings
 control 'cis-dil-benchmark-5.4.1.1' do
@@ -132,9 +130,9 @@
   tag level: 1
 
   command("cat /etc/shadow | cut -d: -f1").stdout.split.each do |username|
-    describe command('date -d "`export LANG="en_US.UTF-8" ; chage --list root | grep "Last password" | cut -d: -f2`" +%s') do      
+    describe command('date -d "`export LANG="en_US.UTF-8" ; chage --list root | grep "Last password" | cut -d: -f2`" +%s') do
       its(:stdout) { should cmp <= time_now }
-    end        
+    end
   end
 end
 
@@ -201,25 +199,25 @@
   end
 end
 
-if cis_level == '2'
-  control 'cis-dil-benchmark-5.4.5' do
-    title 'Ensure default user shell timeout is 900 seconds or less'
-    desc  "The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds.\n\nRationale: Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening."
-    impact 1.0
+control 'cis-dil-benchmark-5.4.5' do
+  title 'Ensure default user shell timeout is 900 seconds or less'
+  desc  "The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds.\n\nRationale: Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening."
+  impact 1.0
+
+  tag cis: 'distribution-independent-linux:5.4.5'
+  tag level: 2
 
-    tag cis: 'distribution-independent-linux:5.4.5'
-    tag level: 2
+  only_if { cis_level == 2 }
 
-    command("sudo find /etc/  -maxdepth 1 -name *bashrc*").stdout.split.each do |bashrc_file|
-      describe command("grep '^TMOUT' #{bashrc_file} | cut -d= -f2") do
-        its(:stdout) { should cmp <= 900 }
-      end
+  command("sudo find /etc/  -maxdepth 1 -name *bashrc*").stdout.split.each do |bashrc_file|
+    describe command("grep '^TMOUT' #{bashrc_file} | cut -d= -f2") do
+      its(:stdout) { should cmp <= 900 }
     end
+  end
 
-    %w(profile).each do |f|
-      describe command("grep '^TMOUT' /etc/#{f} | cut -d= -f2") do
-        its(:stdout) { should cmp <= 900 }
-      end
+  %w(profile).each do |f|
+    describe command("grep '^TMOUT' /etc/#{f} | cut -d= -f2") do
+      its(:stdout) { should cmp <= 900 }
     end
   end
 end