diff --git a/.github/workflows/verify-container.yml b/.github/workflows/verify-container.yml index 281f621..1e7d8cc 100644 --- a/.github/workflows/verify-container.yml +++ b/.github/workflows/verify-container.yml @@ -1,9 +1,9 @@ name: UBI8 Testing Matrix on: - push: - branches-ignore: - - none + # push: + # branches-ignore: + # - none pull_request: jobs: @@ -92,7 +92,7 @@ jobs: if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} continue-on-error: true run: | - curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.PLATFORM }}_${{ matrix.suite }}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_GROUP_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations" + curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.PLATFORM }}_${{ matrix.suite }}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.SAF_HEIMDALL_UPLOAD_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations" - name: Display our ${{ matrix.suite }} results summary if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} diff --git a/.github/workflows/verify-disa-hardened-ec2.yml b/.github/workflows/verify-disa-hardened-ec2.yml index ac3a34e..5c79f4e 100644 --- a/.github/workflows/verify-disa-hardened-ec2.yml +++ b/.github/workflows/verify-disa-hardened-ec2.yml @@ -1,9 +1,9 @@ name: DISA Hardened EC2 Testing Matrix on: - push: - branches-ignore: - - none + # push: + # branches-ignore: + # - none pull_request: jobs: diff --git a/.github/workflows/verify-ec2.yml b/.github/workflows/verify-ec2.yml index 44c8735..dff33b8 100644 --- a/.github/workflows/verify-ec2.yml +++ b/.github/workflows/verify-ec2.yml 
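Review bot: The `push` trigger is disabled by commenting it out rather than deleting it, and nothing in the hunk or next to the lines records why. With only `pull_request` left, a commit that reaches a branch by direct push is never scanned by this workflow. Either delete the three lines or keep them with a stated reason, e.g. `# push trigger disabled: every change is expected to arrive through a pull request`. The same edit is made in verify-disa-hardened-ec2.yml, verify-ec2.yml and verify-rhel-official-hardened-ec2.yml.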
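Review bot: The renamed secret is still expanded directly into the `run:` script by `${{ secrets.SAF_HEIMDALL_UPLOAD_KEY }}`, so the key becomes part of the generated shell script and of curl's argument list. Passing it through the step's environment keeps it out of the script text: add `HEIMDALL_KEY: ${{ secrets.SAF_HEIMDALL_UPLOAD_KEY }}` under the step's `env:` and send `-H "Authorization: Api-Key $HEIMDALL_KEY"`. Because the step has `continue-on-error: true` and curl runs with `-s` and without `--fail`, an unset or misnamed secret (for example on a pull request from a fork, where repository secrets are not provided) results in a silently missing upload; `--fail --show-error` would make that visible in the log. The same line is changed in verify-ec2.yml and verify-rhel-official-hardened-ec2.yml, and the step starts outside the hunk, so an existing `env:` block may already be present.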
@@ -1,9 +1,9 @@ name: EC2 Testing Matrix on: - push: - branches-ignore: - - none + # push: + # branches-ignore: + # - none pull_request: jobs: @@ -92,7 +92,7 @@ jobs: if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} continue-on-error: true run: | - curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.PLATFORM }}_${{ matrix.suite }}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_GROUP_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations" + curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.PLATFORM }}_${{ matrix.suite }}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }}" -H "Authorization: Api-Key ${{ secrets.SAF_HEIMDALL_UPLOAD_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations" - name: Display our ${{ matrix.suite }} results summary if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} diff --git a/.github/workflows/verify-rhel-official-hardened-ec2.yml b/.github/workflows/verify-rhel-official-hardened-ec2.yml index 38984df..7b34bd8 100644 --- a/.github/workflows/verify-rhel-official-hardened-ec2.yml +++ b/.github/workflows/verify-rhel-official-hardened-ec2.yml @@ -1,9 +1,9 @@ name: RHEL-Official Hardened EC2 Testing Matrix on: - push: - branches-ignore: - - none + # push: + # branches-ignore: + # - none pull_request: jobs: 
@@ -91,7 +91,7 @@ jobs: if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} continue-on-error: true run: | - curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.PLATFORM }}_${{ matrix.suite }}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }},'Supplemental Automation Content v1r12'" -H "Authorization: Api-Key ${{ secrets.HEIMDALL_UPLOAD_GROUP_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations" + curl -# -s -F data=@spec/results/${{ env.PLATFORM }}_${{ matrix.suite }}.json -F "filename=${{ env.COMMIT_SHORT_SHA }}-${{ env.PLATFORM }}_${{ matrix.suite }}" -F "public=true" -F "evaluationTags=${{ env.COMMIT_SHORT_SHA }},${{ github.repository }},${{ github.workflow }},'Supplemental Automation Content v1r12'" -H "Authorization: Api-Key ${{ secrets.SAF_HEIMDALL_UPLOAD_KEY }}" "${{ vars.SAF_HEIMDALL_URL }}/evaluations" - name: Display our ${{ matrix.suite }} results summary if: ${{ !contains(steps.commit.outputs.message, 'only-validate-profile') }} diff --git a/Gemfile b/Gemfile index ca5d480..45b8173 100644 --- a/Gemfile +++ b/Gemfile @@ -15,10 +15,8 @@ gem 'kitchen-inspec' gem 'kitchen-sync' gem 'kitchen-vagrant' gem 'parser', '< 3.3.1.0' -gem 'pry-byebug' gem 'rake' gem 'rubocop' gem 'rubocop-rake' gem 'test-kitchen' gem 'train-awsssm' - diff --git a/controls/SV-230226.rb b/controls/SV-230226.rb index c0bd344..2b4d7f3 100644 --- a/controls/SV-230226.rb +++ b/controls/SV-230226.rb 
@@ -83,7 +83,9 @@ only_if("The system does not have GNOME installed; this requirement is Not Applicable.", impact: 0.0) { package('gnome-desktop3').installed? } - banner = command('grep ^banner-message-text /etc/dconf/db/local.d/*').stdout.gsub(/[\r\n\s]/, '') + banner_message_db = input('banner_message_db') + + banner = command("grep ^banner-message-text /etc/dconf/db/#{banner_message_db}.d/*").stdout.gsub(/[\r\n\s]/, '') expected_banner = input('banner_message_text_gui').gsub(/[\r\n\s]/, '') describe 'The GUI Banner ' do diff --git a/controls/SV-230257.rb b/controls/SV-230257.rb index 7513a8e..a178da7 100644 --- a/controls/SV-230257.rb +++ b/controls/SV-230257.rb @@ -36,7 +36,7 @@ system_command_dirs = input('system_command_dirs').join(' ') failing_files = command("find -L #{system_command_dirs} -perm /0022 -exec ls -l '{}' \\;").stdout.split("\n") - + # failing_files = command("find -L #{input('system_command_dirs').join(' ')} -perm /0022 -exec ls -d '{}'' \\;").stdout.split("\n") describe 'System commands' do diff --git a/controls/SV-230318.rb b/controls/SV-230318.rb index 2e9946d..e44ec6f 100644 --- a/controls/SV-230318.rb +++ b/controls/SV-230318.rb 
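Review bot: In controls/SV-230226.rb, `banner_message_db` is interpolated into the shell command `grep ^banner-message-text /etc/dconf/db/#{banner_message_db}.d/*` with no check on its content, so a value containing whitespace, `;` or `../` changes which command or path is evaluated on the target. Inputs are normally operator-supplied, but a guard keeps a malformed inputs file from turning into command execution, e.g. `raise ArgumentError, 'banner_message_db must be a bare dconf database name' unless banner_message_db.match?(/\A[A-Za-z0-9_-]+\z/)`. A comment above the read, such as `# dconf database name: the <name> in /etc/dconf/db/<name>.d/`, would also document what the value means. The control block starts and ends outside the hunk.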
@@ -35,14 +35,21 @@ tag 'host' tag 'container' - partitions = etc_fstab.params.map { |partition| partition['mount_point'] }.uniq + if input('disable_slow_controls') + describe 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute.' do + skip 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute. You must enable this control for a full accredidation for production.' + end + else + + partitions = etc_fstab.params.map { |partition| partition['mount_point'] }.uniq - cmd = "find #{partitions.join(' ')} -xdev -type d -perm -0002 -uid +999 -print" - failing_dirs = command(cmd).stdout.split("\n").uniq + cmd = "find #{partitions.join(' ')} -xdev -type d -perm -0002 -uid +999 -print" + failing_dirs = command(cmd).stdout.split("\n").uniq - describe 'Any world-writeable directories' do - it 'should be owned by system accounts' do - expect(failing_dirs).to be_empty, "Failing directories:\n\t- #{failing_dirs.join("\n\t- ")}" + describe 'Any world-writeable directories' do + it 'should be owned by system accounts' do + expect(failing_dirs).to be_empty, "Failing directories:\n\t- #{failing_dirs.join("\n\t- ")}" + end end end end diff --git a/controls/SV-230319.rb b/controls/SV-230319.rb index b1e93cb..0a77593 100644 --- a/controls/SV-230319.rb +++ b/controls/SV-230319.rb 
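Review bot: The new skip message in controls/SV-230318.rb has two typos that will appear in every report where the control is skipped: "takes a long to run" should read "takes a long time to run" and "accredidation" should read "accreditation" (the first also occurs in the `describe` title). Skipping this control hides world-writable directories owned by non-system accounts, so a comment above the `if` is worth adding, e.g. `# A skipped control is not a pass; leave disable_slow_controls unset for accreditation scans`. No definition of the `disable_slow_controls` input is visible in this diff, so it presumably already exists in inspec.yml; please confirm. The identical block is added in controls/SV-230319.rb.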
@@ -35,14 +35,21 @@ tag 'host' tag 'container' - partitions = etc_fstab.params.map { |partition| partition['mount_point'] }.uniq + if input('disable_slow_controls') + describe 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute.' do + skip 'This control consistently takes a long to run and has been disabled using the disable_slow_controls attribute. You must enable this control for a full accredidation for production.' + end + else + + partitions = etc_fstab.params.map { |partition| partition['mount_point'] }.uniq - cmd = "find #{partitions.join(' ')} -xdev -type d -perm -0002 -gid +999 -print" - failing_dirs = command(cmd).stdout.split("\n").uniq + cmd = "find #{partitions.join(' ')} -xdev -type d -perm -0002 -gid +999 -print" + failing_dirs = command(cmd).stdout.split("\n").uniq - describe 'Any world-writeable directories' do - it 'should be group-owned by system accounts' do - expect(failing_dirs).to be_empty, "Failing directories:\n\t- #{failing_dirs.join("\n\t- ")}" + describe 'Any world-writeable directories' do + it 'should be group-owned by system accounts' do + expect(failing_dirs).to be_empty, "Failing directories:\n\t- #{failing_dirs.join("\n\t- ")}" + end end end end diff --git a/controls/SV-230530.rb b/controls/SV-230530.rb index 4104854..f258dcd 100644 --- a/controls/SV-230530.rb +++ b/controls/SV-230530.rb @@ -51,8 +51,8 @@ } if package('gnome-desktop3').installed? - describe command('grep logout /etc/dconf/db/local.d/*') do - its('stdout.strip') { should cmp "logout=''" } + describe command('grep ^logout /etc/dconf/db/local.d/*') do + its('stdout.strip') { should match(/logout=''/) } end else impact 0.0 diff --git a/controls/SV-230535.rb b/controls/SV-230535.rb index e5d53e5..a3b7d25 100644 --- a/controls/SV-230535.rb +++ b/controls/SV-230535.rb 
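Review bot: In controls/SV-230530.rb, `should match(/logout=''/)` is unanchored and is applied to the whole of grep's output, so the test passes as soon as one file under `local.d` contains the line, even if another file printed alongside it binds `logout` to a real key sequence. Anchoring per line, `its('stdout.strip') { should match(/^(?:[^:]+:)?logout=''$/) }`, keeps the tolerance for grep's `file:` prefix, although it still needs only one matching line; asserting on every line of the output would be stricter. The path is also still hard-coded to `local.d`, while SV-230226 in this same commit reads the database name from an input. The `describe` sits inside an `if` that starts outside the hunk.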
@@ -95,11 +95,13 @@ sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ') # Search for the kernel parameter in the configuration files - search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") + search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") # Parse the search results into a hash config_values = search_results.each_with_object({}) do |item, results| file, setting = item.split(':') + file = 'grep did not return filename' if file.empty? + results[file] ||= [] results[file] << setting.split('=').last end diff --git a/controls/SV-230536.rb b/controls/SV-230536.rb index eabbab0..ab9fd79 100644 --- a/controls/SV-230536.rb +++ b/controls/SV-230536.rb @@ -95,11 +95,13 @@ sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ') # Search for the kernel parameter in the configuration files - search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") + search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") # Parse the search results into a hash config_values = search_results.each_with_object({}) do |item, results| file, setting = item.split(':') + file = 'grep did not return filename' if file.empty? + results[file] ||= [] results[file] << setting.split('=').last end diff --git a/controls/SV-230537.rb b/controls/SV-230537.rb index 2956ffe..3019d86 100644 --- a/controls/SV-230537.rb +++ b/controls/SV-230537.rb 
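Review bot: The added `file.empty?` guard in controls/SV-230535.rb does not cover the case its message describes: when a grep output line has no `file:` prefix, `item.split(':')` returns a single element, so `file` holds the whole line, `setting` is nil and `setting.split('=')` raises NoMethodError. Forcing the prefix and limiting the split is more robust: `command("grep -rH ^#{parameter} #{sysctl_config_files}")` together with `file, setting = item.split(':', 2)`. The trailing `{} \;` looks like a leftover from a `find -exec` and appears to reach grep as a stray `{}` file operand, so it can be dropped in the same change. `^#{parameter}` is also unquoted and its dots act as regex wildcards, which seems harmless for these names, but lines with leading whitespace are no longer found. The same two changes are repeated in SV-230536 through SV-230549, SV-244550 through SV-244554 and SV-250317.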
@@ -94,11 +94,13 @@ sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ') # Search for the kernel parameter in the configuration files - search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") + search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") # Parse the search results into a hash config_values = search_results.each_with_object({}) do |item, results| file, setting = item.split(':') + file = 'grep did not return filename' if file.empty? + results[file] ||= [] results[file] << setting.split('=').last end diff --git a/controls/SV-230538.rb b/controls/SV-230538.rb index 3011ea0..676639d 100644 --- a/controls/SV-230538.rb +++ b/controls/SV-230538.rb @@ -94,11 +94,13 @@ sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ') # Search for the kernel parameter in the configuration files - search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") + search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") # Parse the search results into a hash config_values = search_results.each_with_object({}) do |item, results| file, setting = item.split(':') + file = 'grep did not return filename' if file.empty? + results[file] ||= [] results[file] << setting.split('=').last end diff --git a/controls/SV-230539.rb b/controls/SV-230539.rb index 4c6116c..5578f8c 100644 --- a/controls/SV-230539.rb +++ b/controls/SV-230539.rb 
@@ -94,11 +94,13 @@ sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ') # Search for the kernel parameter in the configuration files - search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") + search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") # Parse the search results into a hash config_values = search_results.each_with_object({}) do |item, results| file, setting = item.split(':') + file = 'grep did not return filename' if file.empty? + results[file] ||= [] results[file] << setting.split('=').last end diff --git a/controls/SV-230540.rb b/controls/SV-230540.rb index fbd7fb7..ae7f287 100644 --- a/controls/SV-230540.rb +++ b/controls/SV-230540.rb @@ -94,11 +94,13 @@ sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ') # Search for the kernel parameter in the configuration files - search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") + search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") # Parse the search results into a hash config_values = search_results.each_with_object({}) do |item, results| file, setting = item.split(':') + file = 'grep did not return filename' if file.empty? + results[file] ||= [] results[file] << setting.split('=').last end diff --git a/controls/SV-230541.rb b/controls/SV-230541.rb index cfef51e..c0f172b 100644 --- a/controls/SV-230541.rb +++ b/controls/SV-230541.rb 
@@ -96,11 +96,13 @@ sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ') # Search for the kernel parameter in the configuration files - search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") + search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") # Parse the search results into a hash config_values = search_results.each_with_object({}) do |item, results| file, setting = item.split(':') + file = 'grep did not return filename' if file.empty? + results[file] ||= [] results[file] << setting.split('=').last end diff --git a/controls/SV-230542.rb b/controls/SV-230542.rb index b6f33ee..0050de0 100644 --- a/controls/SV-230542.rb +++ b/controls/SV-230542.rb @@ -97,11 +97,13 @@ sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ') # Search for the kernel parameter in the configuration files - search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") + search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") # Parse the search results into a hash config_values = search_results.each_with_object({}) do |item, results| file, setting = item.split(':') + file = 'grep did not return filename' if file.empty? + results[file] ||= [] results[file] << setting.split('=').last end diff --git a/controls/SV-230543.rb b/controls/SV-230543.rb index 861c4c0..562205a 100644 --- a/controls/SV-230543.rb +++ b/controls/SV-230543.rb 
@@ -95,11 +95,13 @@ sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ') # Search for the kernel parameter in the configuration files - search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") + search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") # Parse the search results into a hash config_values = search_results.each_with_object({}) do |item, results| file, setting = item.split(':') + file = 'grep did not return filename' if file.empty? + results[file] ||= [] results[file] << setting.split('=').last end diff --git a/controls/SV-230544.rb b/controls/SV-230544.rb index 18c37b9..5d5f1ca 100644 --- a/controls/SV-230544.rb +++ b/controls/SV-230544.rb @@ -95,11 +95,13 @@ sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ') # Search for the kernel parameter in the configuration files - search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") + search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") # Parse the search results into a hash config_values = search_results.each_with_object({}) do |item, results| file, setting = item.split(':') + file = 'grep did not return filename' if file.empty? + results[file] ||= [] results[file] << setting.split('=').last end diff --git a/controls/SV-230545.rb b/controls/SV-230545.rb index a137d98..d9d9b02 100644 --- a/controls/SV-230545.rb +++ b/controls/SV-230545.rb 
@@ -84,11 +84,13 @@ sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ') # Search for the kernel parameter in the configuration files - search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") + search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") # Parse the search results into a hash config_values = search_results.each_with_object({}) do |item, results| file, setting = item.split(':') + file = 'grep did not return filename' if file.empty? + results[file] ||= [] results[file] << setting.split('=').last end diff --git a/controls/SV-230546.rb b/controls/SV-230546.rb index a43a0ba..01ee050 100644 --- a/controls/SV-230546.rb +++ b/controls/SV-230546.rb @@ -83,11 +83,13 @@ sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ') # Search for the kernel parameter in the configuration files - search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") + search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") # Parse the search results into a hash config_values = search_results.each_with_object({}) do |item, results| file, setting = item.split(':') + file = 'grep did not return filename' if file.empty? + results[file] ||= [] results[file] << setting.split('=').last end diff --git a/controls/SV-230547.rb b/controls/SV-230547.rb index 247ea30..eb96c3a 100644 --- a/controls/SV-230547.rb +++ b/controls/SV-230547.rb 
@@ -83,11 +83,13 @@ sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ') # Search for the kernel parameter in the configuration files - search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") + search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") # Parse the search results into a hash config_values = search_results.each_with_object({}) do |item, results| file, setting = item.split(':') + file = 'grep did not return filename' if file.empty? + results[file] ||= [] results[file] << setting.split('=').last end diff --git a/controls/SV-230548.rb b/controls/SV-230548.rb index 6154641..de3a19a 100644 --- a/controls/SV-230548.rb +++ b/controls/SV-230548.rb @@ -87,11 +87,13 @@ sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ') # Search for the kernel parameter in the configuration files - search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") + search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") # Parse the search results into a hash config_values = search_results.each_with_object({}) do |item, results| file, setting = item.split(':') + file = 'grep did not return filename' if file.empty? + results[file] ||= [] results[file] << setting.split('=').last end diff --git a/controls/SV-230549.rb b/controls/SV-230549.rb index 62e0e9a..e0d35c9 100644 --- a/controls/SV-230549.rb +++ b/controls/SV-230549.rb 
@@ -88,11 +88,13 @@ sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ') # Search for the kernel parameter in the configuration files - search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") + search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") # Parse the search results into a hash config_values = search_results.each_with_object({}) do |item, results| file, setting = item.split(':') + file = 'grep did not return filename' if file.empty? + results[file] ||= [] results[file] << setting.split('=').last end diff --git a/controls/SV-244550.rb b/controls/SV-244550.rb index 2730326..59c3b01 100644 --- a/controls/SV-244550.rb +++ b/controls/SV-244550.rb @@ -93,11 +93,13 @@ sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ') # Search for the kernel parameter in the configuration files - search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") + search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") # Parse the search results into a hash config_values = search_results.each_with_object({}) do |item, results| file, setting = item.split(':') + file = 'grep did not return filename' if file.empty? + results[file] ||= [] results[file] << setting.split('=').last end diff --git a/controls/SV-244551.rb b/controls/SV-244551.rb index f975a28..32518b9 100644 --- a/controls/SV-244551.rb +++ b/controls/SV-244551.rb 
@@ -92,11 +92,13 @@ sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ') # Search for the kernel parameter in the configuration files - search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") + search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") # Parse the search results into a hash config_values = search_results.each_with_object({}) do |item, results| file, setting = item.split(':') + file = 'grep did not return filename' if file.empty? + results[file] ||= [] results[file] << setting.split('=').last end diff --git a/controls/SV-244552.rb b/controls/SV-244552.rb index dc5cf14..6becae8 100644 --- a/controls/SV-244552.rb +++ b/controls/SV-244552.rb @@ -92,11 +92,13 @@ sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ') # Search for the kernel parameter in the configuration files - search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") + search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") # Parse the search results into a hash config_values = search_results.each_with_object({}) do |item, results| file, setting = item.split(':') + file = 'grep did not return filename' if file.empty? + results[file] ||= [] results[file] << setting.split('=').last end diff --git a/controls/SV-244553.rb b/controls/SV-244553.rb index 0345ce6..75d31c9 100644 --- a/controls/SV-244553.rb +++ b/controls/SV-244553.rb 
@@ -92,11 +92,13 @@ sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ') # Search for the kernel parameter in the configuration files - search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") + search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") # Parse the search results into a hash config_values = search_results.each_with_object({}) do |item, results| file, setting = item.split(':') + file = 'grep did not return filename' if file.empty? + results[file] ||= [] results[file] << setting.split('=').last end diff --git a/controls/SV-244554.rb b/controls/SV-244554.rb index 86c2798..8ad6b8d 100644 --- a/controls/SV-244554.rb +++ b/controls/SV-244554.rb @@ -86,11 +86,13 @@ sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ') # Search for the kernel parameter in the configuration files - search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") + search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") # Parse the search results into a hash config_values = search_results.each_with_object({}) do |item, results| file, setting = item.split(':') + file = 'grep did not return filename' if file.empty? + results[file] ||= [] results[file] << setting.split('=').last end diff --git a/controls/SV-250317.rb b/controls/SV-250317.rb index be81f82..a48040f 100644 --- a/controls/SV-250317.rb +++ b/controls/SV-250317.rb 
@@ -103,11 +103,13 @@ sysctl_config_files = input('sysctl_conf_files').map(&:strip).join(' ') # Search for the kernel parameter in the configuration files - search_results = command("grep -r #{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") + search_results = command("grep -r ^#{parameter} #{sysctl_config_files} {} \;").stdout.split("\n") # Parse the search results into a hash config_values = search_results.each_with_object({}) do |item, results| file, setting = item.split(':') + file = 'grep did not return filename' if file.empty? + results[file] ||= [] results[file] << setting.split('=').last end diff --git a/controls/SV-251714.rb b/controls/SV-251714.rb index 5a09bb0..5435f5f 100644 --- a/controls/SV-251714.rb +++ b/controls/SV-251714.rb @@ -43,7 +43,7 @@ os.release.to_f < 8.4 end - describe pam_auth_files['system-auth'] do + describe pam(pam_auth_files['system-auth']) do its('lines') { should match_pam_rule('.* .* pam_pwquality.so').any_with_integer_arg('retry', '>=', input('min_retry')) } end end diff --git a/controls/SV-251715.rb b/controls/SV-251715.rb index 1ba0e09..8471fbd 100644 --- a/controls/SV-251715.rb +++ b/controls/SV-251715.rb @@ -43,7 +43,7 @@ pam_auth_files = input('pam_auth_files') - describe pam_auth_files['password-auth'] do + describe pam(pam_auth_files['password-auth']) do its('lines') { should match_pam_rule('.* .* pam_pwquality.so').any_with_integer_arg('retry', '>=', input('min_retry')) } end end diff --git a/inspec.yml b/inspec.yml index 9b8f84f..3de2093 100644 --- a/inspec.yml +++ b/inspec.yml @@ -1028,5 +1028,11 @@ inputs: description: The audit rules to be applied to the system type: Hash value: {} + + # SV-230226 + - name: banner_message_db + description: Database where the banner text message is expected to live + type: String + value: 'local' \ No newline at end of file
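Review bot: The description of `banner_message_db` in inspec.yml does not say that the value is the bare dconf database name that SV-230226 places into `/etc/dconf/db/<name>.d/*`, so a user could reasonably supply a full path. Suggested wording: `description: Name of the dconf database (the <name> in /etc/dconf/db/<name>.d/) that holds banner-message-text`. The file also still ends without a trailing newline, as the `\ No newline at end of file` marker shows.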