Merge pull request #90 from Logicworks/main

CIS DIL Benchmark V2

Author: micheelengronne

.rubocop.yml

@@ -3,6 +3,8 @@ Documentation:
   Enabled: false
 Layout/ParameterAlignment:
   Enabled: true
+Lint/AmbiguousRegexpLiteral:
+  Enabled: false
 HashSyntax:
   Enabled: true
 LineLength:
@@ -14,7 +16,7 @@ MethodLength:
 NumericLiterals:
   MinDigits: 10
 Metrics/BlockLength:
-  Max: 40
+  Max: 45 # needed for 6.1.1
 Metrics/CyclomaticComplexity:
   Max: 10
 Metrics/PerceivedComplexity:

controls/1_1_filesystem_configuration.rb

@@ -123,12 +123,14 @@
   impact 1.0
 
   tag cis: 'distribution-independent-linux:1.1.1.8'
-  tag level: 1
+  tag level: 2
 
   describe kernel_module('vfat') do
     it { should_not be_loaded }
     it { should be_disabled }
   end
+
+  only_if { cis_level == 2 }
 end
 
 control 'cis-dil-benchmark-1.1.2' do
@@ -153,7 +155,7 @@
   tag level: 1
 
   describe mount('/tmp') do
-    its(:options) { should include 'nodev' }
+    its('options') { should include 'nodev' }
   end
 end
 
@@ -166,7 +168,7 @@
   tag level: 1
 
   describe mount('/tmp') do
-    its(:options) { should include 'nosuid' }
+    its('options') { should include 'nosuid' }
   end
 end
 
@@ -179,7 +181,7 @@
   tag level: 1
 
   describe mount('/tmp') do
-    its(:options) { should include 'noexec' }
+    its('options') { should include 'noexec' }
   end
 end
 
@@ -219,9 +221,14 @@
   tag cis: 'distribution-independent-linux:1.1.8'
   tag level: 1
 
+  only_if('/var/tmp is mounted') do
+    mount('/var/tmp').mounted?
+  end
+
   describe mount('/var/tmp') do
-    its(:options) { should include 'nodev' }
+    its('options') { should include 'nodev' }
   end
+
 end
 
 control 'cis-dil-benchmark-1.1.9' do
@@ -232,9 +239,14 @@
   tag cis: 'distribution-independent-linux:1.1.9'
   tag level: 1
 
+  only_if('/var/tmp is mounted') do
+    mount('/var/tmp').mounted?
+  end
+
   describe mount('/var/tmp') do
-    its(:options) { should include 'nosuid' }
+    its('options') { should include 'nosuid' }
   end
+
 end
 
 control 'cis-dil-benchmark-1.1.10' do
@@ -245,9 +257,14 @@
   tag cis: 'distribution-independent-linux:1.1.10'
   tag level: 1
 
+  only_if('/var/tmp is mounted') do
+    mount('/var/tmp').mounted?
+  end
+
   describe mount('/var/tmp') do
-    its(:options) { should include 'noexec' }
+    its('options') { should include 'noexec' }
   end
+
 end
 
 control 'cis-dil-benchmark-1.1.11' do
@@ -302,8 +319,12 @@
   tag cis: 'distribution-independent-linux:1.1.14'
   tag level: 1
 
+  only_if('/home is mounted') do
+    mount('/home').mounted?
+  end
+
   describe mount('/home') do
-    its(:options) { should include 'nodev' }
+    its('options') { should include 'nodev' }
   end
 end
 
@@ -315,8 +336,12 @@
   tag cis: 'distribution-independent-linux:1.1.15'
   tag level: 1
 
+  only_if('/dev/shm is mounted') do
+    mount('/dev/shm').mounted?
+  end
+
   describe mount('/dev/shm') do
-    its(:options) { should include 'nodev' }
+    its('options') { should include 'nodev' }
   end
 end
 
@@ -328,8 +353,12 @@
   tag cis: 'distribution-independent-linux:1.1.16'
   tag level: 1
 
+  only_if('/dev/shm is mounted') do
+    mount('/dev/shm').mounted?
+  end
+
   describe mount('/dev/shm') do
-    its(:options) { should include 'nosuid' }
+    its('options') { should include 'nosuid' }
   end
 end
 
@@ -342,7 +371,11 @@
   tag level: 1
 
   describe mount('/dev/shm') do
-    its(:options) { should include 'noexec' }
+    its('options') { should include 'noexec' }
+  end
+
+  only_if('/dev/shm is mounted') do
+    mount('/dev/shm').mounted?
   end
 end
 
@@ -394,7 +427,7 @@
   tag level: 1
 
   describe command("df --local -P | awk '{ if (NR!=1) print $6 }' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \)") do
-    its(:stdout) { should eq '' }
+    its('stdout') { should cmp '' }
   end
 end
 
@@ -418,3 +451,23 @@
     end
   end
 end
+
+control 'cis-dil-benchmark-1.1.23' do
+  title 'Disable USB Storage'
+  desc  '
+    USB storage provides a means to transfer and store files insuring persistence and availability of the files independent of network connection status.
+    Its popularity and utility has led to USB-based malware being a simple and common means for network infiltration and a first step to establishing
+    a persistent threat within a networked environment.
+  '
+  impact 1.0
+
+  tag cis: 'distribution-independent-linux:1.1.23'
+  tag level: 1
+
+  # kernel modules need to use underscores
+  # ref: https://github.com/inspec/inspec/issues/5190
+  describe kernel_module('usb_storage') do
+    it { should_not be_loaded }
+    it { should be_disabled }
+  end
+end

controls/1_3_filesystem_integrity_checking.rb

@@ -48,14 +48,14 @@
   describe.one do
     %w(/var/spool/cron/crontabs/root /var/spool/cron/root /etc/crontab).each do |f|
       describe file(f) do
-        its(:content) { should match(/aide --check/) }
+        its('content') { should match(/aide (--check|-C)/) }
       end
     end
 
     %w(cron.d cron.hourly cron.daily cron.weekly cron.monthly).each do |f|
       command("find /etc/#{f} -type f").stdout.split.each do |entry|
         describe file(entry) do
-          its(:content) { should match(/aide --check/) }
+          its('content') { should match(/aide (--check|-C)/) }
         end
       end
     end