使用https://github.com/dev-sec/linux-baseline的Inspec错误

Question

我正在运行以下命令inspec exec https://github.com/dev-sec/linux-baseline -t ssh://ubuntu@10.0.1.22 -i ~/.ssh/id_rsa --sudo

我的失败是因为

• 检查login.defs (4个失败)
  • 所有这些对撞机看起来都应该通过

• sysctl-29:禁用加载内核模块
  • 我不小心设置了echo "1" > /proc/sys/kernel/modules_disabled，现在我无法将它设置回：

• Packe-07:安装syslog服务器包
  • 我应该安装什么软件包？

• os-06:检查SUID/ SGID黑名单
  • 我能把这个放在哪里？

ubuntu@ip-10-0-1-10:~/.ssh$ inspec exec https://github.com/dev-sec/linux-baseline -t ssh://ubuntu@10.0.1.22 -i ~/.ssh/id_rsa --sudo
/usr/local/rvm/gems/ruby-2.3.1@global/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:679: warning: already initialized constant RSpec::Core::ExampleGroup::INSTANCE_VARIABLE_TO_IGNORE
/usr/local/rvm/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:679: warning: previous definition of INSTANCE_VARIABLE_TO_IGNORE was here
/usr/local/rvm/gems/ruby-2.3.1@global/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:722: warning: already initialized constant RSpec::Core::ExampleGroup::WrongScopeError
/usr/local/rvm/rubies/ruby-2.3.1/lib/ruby/gems/2.3.0/gems/rspec-core-3.8.0/lib/rspec/core/example_group.rb:722: warning: previous definition of WrongScopeError was here
verify_host_key: false is deprecated, use :never
[2020-08-15T21:22:01+00:00] WARN: URL target https://github.com/dev-sec/linux-baseline transformed to https://github.com/dev-sec/linux-baseline/archive/master.tar.gz. Consider using the git fetcher
[2020-08-15T21:22:01+00:00] WARN: Attribute 'login_defs_umask' does not have a value. Use --attrs to provide a value for 'login_defs_umask' or specify a default  value with `attribute('login_defs_umask', default: 'somedefault', ...)`.
[2020-08-15T21:22:01+00:00] WARN: Attribute 'login_defs_passmaxdays' does not have a value. Use --attrs to provide a value for 'login_defs_passmaxdays' or specify a default  value with `attribute('login_defs_passmaxdays', default: 'somedefault', ...)`.
[2020-08-15T21:22:01+00:00] WARN: Attribute 'login_defs_passmindays' does not have a value. Use --attrs to provide a value for 'login_defs_passmindays' or specify a default  value with `attribute('login_defs_passmindays', default: 'somedefault', ...)`.
[2020-08-15T21:22:01+00:00] WARN: Attribute 'login_defs_passwarnage' does not have a value. Use --attrs to provide a value for 'login_defs_passwarnage' or specify a default  value with `attribute('login_defs_passwarnage', default: 'somedefault', ...)`.
[2020-08-15T21:22:02+00:00] WARN: Attribute 'blacklist' does not have a value. Use --attrs to provide a value for 'blacklist' or specify a default  value with `attribute('blacklist', default: 'somedefault', ...)`.
[2020-08-15T21:22:02+00:00] WARN: Attribute 'syslog_pkg' does not have a value. Use --attrs to provide a value for 'syslog_pkg' or specify a default  value with `attribute('syslog_pkg', default: 'somedefault', ...)`.
[2020-08-15T21:22:02+00:00] WARN: Attribute 'sysctl_forwarding' does not have a value. Use --attrs to provide a value for 'sysctl_forwarding' or specify a default  value with `attribute('sysctl_forwarding', default: 'somedefault', ...)`.
[2020-08-15T21:22:02+00:00] WARN: Attribute 'kernel_modules_disabled' does not have a value. Use --attrs to provide a value for 'kernel_modules_disabled' or specify a default  value with `attribute('kernel_modules_disabled', default: 'somedefault', ...)`.

Profile: DevSec Linux Security Baseline (linux-baseline)
Version: 2.4.6
Target:  ssh://ubuntu@10.0.1.22:22

  ✔  os-01: Trusted hosts login
     ✔  File /etc/hosts.equiv should not exist
  ✔  os-02: Check owner and permissions for /etc/shadow
     ✔  File /etc/shadow should exist
     ✔  File /etc/shadow should be file
     ✔  File /etc/shadow should be owned by "root"
     ✔  File /etc/shadow should not be executable
     ✔  File /etc/shadow should not be readable by other
     ✔  File /etc/shadow group should eq "shadow"
     ✔  File /etc/shadow should be writable by owner
     ✔  File /etc/shadow should be readable by owner
     ✔  File /etc/shadow should be readable by group
  ✔  os-03: Check owner and permissions for /etc/passwd
     ✔  File /etc/passwd should exist
     ✔  File /etc/passwd should be file
     ✔  File /etc/passwd should be owned by "root"
     ✔  File /etc/passwd should not be executable
     ✔  File /etc/passwd should be writable by owner
     ✔  File /etc/passwd should not be writable by group
     ✔  File /etc/passwd should not be writable by other
     ✔  File /etc/passwd should be readable by owner
     ✔  File /etc/passwd should be readable by group
     ✔  File /etc/passwd should be readable by other
     ✔  File /etc/passwd group should eq "root"
  ✔  os-03b: Check passwords hashes in /etc/passwd
     ✔  /etc/passwd passwords should be in "x" and "*"
  ✔  os-04: Dot in PATH variable
     ✔  Environment variable PATH split should not include ""
     ✔  Environment variable PATH split should not include "."
  ×  os-05: Check login.defs (4 failed)
     ✔  File /etc/login.defs should exist
     ✔  File /etc/login.defs should be file
     ✔  File /etc/login.defs should be owned by "root"
     ✔  File /etc/login.defs should not be executable
     ✔  File /etc/login.defs should be readable by owner
     ✔  File /etc/login.defs should be readable by group
     ✔  File /etc/login.defs should be readable by other
     ✔  File /etc/login.defs group should eq "root"
     ✔  login.defs ENV_SUPATH should include "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
     ✔  login.defs ENV_PATH should include "/usr/local/bin:/usr/bin:/bin"
     ×  login.defs UMASK should include #
     can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to String (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_str gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
     ×  login.defs PASS_MAX_DAYS should eq #
     can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to Array (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_ary gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
     ×  login.defs PASS_MIN_DAYS should eq #
     can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to Array (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_ary gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
     ×  login.defs PASS_WARN_AGE should eq #
     can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to Array (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_ary gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
     ✔  login.defs LOGIN_RETRIES should eq "5"
     ✔  login.defs LOGIN_TIMEOUT should eq "60"
     ✔  login.defs UID_MIN should eq "1000"
     ✔  login.defs GID_MIN should eq "1000"
  ↺  os-05b: Check login.defs - RedHat specific
     ↺  Skipped control due to only_if condition.
  ×  os-06: Check for SUID/ SGID blacklist
     ×  suid_check diff
     can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to Array (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_ary gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
  ✔  os-07: Unique uid and gid
     ✔  /etc/passwd uids should not contain duplicates
     ✔  /etc/group gids should not contain duplicates
  ✔  os-08: Entropy
     ✔  3092 should >= 1000
  ✔  os-09: Check for .rhosts and .netrc file
     ✔  [] should be empty
  ✔  os-10: CIS: Disable unused filesystems
     ✔  File /etc/modprobe.d/dev-sec.conf content should match "install cramfs /bin/true"
     ✔  File /etc/modprobe.d/dev-sec.conf content should match "install freevxfs /bin/true"
     ✔  File /etc/modprobe.d/dev-sec.conf content should match "install jffs2 /bin/true"
     ✔  File /etc/modprobe.d/dev-sec.conf content should match "install hfs /bin/true"
     ✔  File /etc/modprobe.d/dev-sec.conf content should match "install hfsplus /bin/true"
     ✔  File /etc/modprobe.d/dev-sec.conf content should match "install squashfs /bin/true"
     ✔  File /etc/modprobe.d/dev-sec.conf content should match "install udf /bin/true"
     ✔  File /etc/modprobe.d/dev-sec.conf content should match "install vfat /bin/true"
  ✔  os-11: Protect log-directory
     ✔  File /var/log should be directory
     ✔  File /var/log should be owned by "root"
     ✔  File /var/log group should match /^root|syslog$/
  ✔  package-01: Do not run deprecated inetd or xinetd
     ✔  System Package inetd should not be installed
     ✔  System Package xinetd should not be installed
  ✔  package-02: Do not install Telnet server
     ✔  System Package telnetd should not be installed
  ✔  package-03: Do not install rsh server
     ✔  System Package rsh-server should not be installed
  ✔  package-05: Do not install ypserv server (NIS)
     ✔  System Package ypserv should not be installed
  ✔  package-06: Do not install tftp server
     ✔  System Package tftp-server should not be installed
  ×  package-07: Install syslog server package
     ×  System Package Attribute 'syslog_pkg' does not have a value. Skipping test. should be installed
     expected that `System Package Attribute 'syslog_pkg' does not have a value. Skipping test.` is installed
  ✔  package-08: Install auditd
     ✔  System Package auditd should be installed
     ✔  Audit Daemon Config log_file should cmp == "/var/log/audit/audit.log"
     ✔  Audit Daemon Config log_format should cmp == "raw"
     ✔  Audit Daemon Config flush should match /^incremental|INCREMENTAL|incremental_async|INCREMENTAL_ASYNC$/
     ✔  Audit Daemon Config max_log_file_action should cmp == "keep_logs"
     ✔  Audit Daemon Config space_left should cmp == 75
     ✔  Audit Daemon Config action_mail_acct should cmp == "root"
     ✔  Audit Daemon Config space_left_action should cmp == "SYSLOG"
     ✔  Audit Daemon Config admin_space_left should cmp == 50
     ✔  Audit Daemon Config admin_space_left_action should cmp == "SUSPEND"
     ✔  Audit Daemon Config disk_full_action should cmp == "SUSPEND"
     ✔  Audit Daemon Config disk_error_action should cmp == "SUSPEND"
  ✔  package-09: CIS: Additional process hardening
     ✔  System Package prelink should not be installed
  ↺  sysctl-01: IPv4 Forwarding
     ↺  Skipped control due to only_if condition.
  ✔  sysctl-02: Reverse path filtering
     ✔  Kernel Parameter net.ipv4.conf.all.rp_filter value should eq 1
     ✔  Kernel Parameter net.ipv4.conf.default.rp_filter value should eq 1
  ✔  sysctl-03: ICMP ignore bogus error responses
     ✔  Kernel Parameter net.ipv4.icmp_ignore_bogus_error_responses value should eq 1
  ✔  sysctl-04: ICMP echo ignore broadcasts
     ✔  Kernel Parameter net.ipv4.icmp_echo_ignore_broadcasts value should eq 1
  ✔  sysctl-05: ICMP ratelimit
     ✔  Kernel Parameter net.ipv4.icmp_ratelimit value should eq 100
  ✔  sysctl-06: ICMP ratemask
     ✔  Kernel Parameter net.ipv4.icmp_ratemask value should eq 88089
  ✔  sysctl-07: TCP timestamps
     ✔  Kernel Parameter net.ipv4.tcp_timestamps value should eq 0
  ✔  sysctl-08: ARP ignore
     ✔  Kernel Parameter net.ipv4.conf.all.arp_ignore value should eq 1
  ✔  sysctl-09: ARP announce
     ✔  Kernel Parameter net.ipv4.conf.all.arp_announce value should eq 2
  ✔  sysctl-10: TCP RFC1337 Protect Against TCP Time-Wait
     ✔  Kernel Parameter net.ipv4.tcp_rfc1337 value should eq 1
  ✔  sysctl-11: Protection against SYN flood attacks
     ✔  Kernel Parameter net.ipv4.tcp_syncookies value should eq 1
  ✔  sysctl-12: Shared Media IP Architecture
     ✔  Kernel Parameter net.ipv4.conf.all.shared_media value should eq 1
     ✔  Kernel Parameter net.ipv4.conf.default.shared_media value should eq 1
  ✔  sysctl-13: Disable Source Routing
     ✔  Kernel Parameter net.ipv4.conf.all.accept_source_route value should eq 0
     ✔  Kernel Parameter net.ipv4.conf.default.accept_source_route value should eq 0
  ✔  sysctl-14: Disable acceptance of all IPv4 redirected packets
     ✔  Kernel Parameter net.ipv4.conf.default.accept_redirects value should eq 0
     ✔  Kernel Parameter net.ipv4.conf.all.accept_redirects value should eq 0
  ✔  sysctl-15: Disable acceptance of all secure redirected packets
     ✔  Kernel Parameter net.ipv4.conf.all.secure_redirects value should eq 0
     ✔  Kernel Parameter net.ipv4.conf.default.secure_redirects value should eq 0
  ✔  sysctl-16: Disable sending of redirects packets
     ✔  Kernel Parameter net.ipv4.conf.default.send_redirects value should eq 0
     ✔  Kernel Parameter net.ipv4.conf.all.send_redirects value should eq 0
  ✔  sysctl-17: Disable log martians
     ✔  Kernel Parameter net.ipv4.conf.all.log_martians value should eq 1
     ✔  Kernel Parameter net.ipv4.conf.default.log_martians value should eq 1
  ✔  sysctl-18: Disable IPv6 if it is not needed
     ✔  Kernel Parameter net.ipv6.conf.all.disable_ipv6 value should eq 1
  ↺  sysctl-19: IPv6 Forwarding
     ↺  Skipped control due to only_if condition.
  ✔  sysctl-20: Disable acceptance of all IPv6 redirected packets
     ✔  Kernel Parameter net.ipv6.conf.default.accept_redirects value should eq 0
     ✔  Kernel Parameter net.ipv6.conf.all.accept_redirects value should eq 0
  ✔  sysctl-21: Disable acceptance of IPv6 router solicitations messages
     ✔  Kernel Parameter net.ipv6.conf.default.router_solicitations value should eq 0
  ✔  sysctl-22: Disable Accept Router Preference from router advertisement
     ✔  Kernel Parameter net.ipv6.conf.default.accept_ra_rtr_pref value should eq 0
  ✔  sysctl-23: Disable learning Prefix Information from router advertisement
     ✔  Kernel Parameter net.ipv6.conf.default.accept_ra_pinfo value should eq 0
  ✔  sysctl-24: Disable learning Hop limit from router advertisement
     ✔  Kernel Parameter net.ipv6.conf.default.accept_ra_defrtr value should eq 0
  ✔  sysctl-25: Disable the system`s acceptance of router advertisement
     ✔  Kernel Parameter net.ipv6.conf.all.accept_ra value should eq 0
     ✔  Kernel Parameter net.ipv6.conf.default.accept_ra value should eq 0
  ✔  sysctl-26: Disable IPv6 autoconfiguration
     ✔  Kernel Parameter net.ipv6.conf.default.autoconf value should eq 0
  ✔  sysctl-27: Disable neighbor solicitations to send out per address
     ✔  Kernel Parameter net.ipv6.conf.default.dad_transmits value should eq 0
  ✔  sysctl-28: Assign one global unicast IPv6 addresses to each interface
     ✔  Kernel Parameter net.ipv6.conf.default.max_addresses value should eq 1
  ×  sysctl-29: Disable loading kernel modules
     ×  Kernel Parameter kernel.modules_disabled value should eq #
     can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to Array (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_ary gives Inspec::Attribute::DEFAULT_ATTRIBUTE)
  ✔  sysctl-30: Magic SysRq
     ✔  Kernel Parameter kernel.sysrq value should eq 0
  ✔  sysctl-31a: Secure Core Dumps - dump settings
     ✔  Kernel Parameter fs.suid_dumpable value should cmp == /(0|2)/
  ✔  sysctl-31b: Secure Core Dumps - dump path
     ✔  Kernel Parameter kernel.core_pattern value should match /^\|?\/.*/
  ✔  sysctl-32: kernel.randomize_va_space
     ✔  Kernel Parameter kernel.randomize_va_space value should eq 2
  ✔  sysctl-33: CPU No execution Flag or Kernel ExecShield
     ✔  /proc/cpuinfo Flags should include NX


Profile Summary: 48 successful controls, 4 control failures, 3 controls skipped
Test Summary: 112 successful, 7 failures, 3 skipped

Answer 1

关于后世的几点初步评论：

1. 通过查看源代码，您可以准确地检查控件断言的内容。
2. 通过检查Dev-Sec的不可接受的角色，您可以看到补救应该是什么
3. 大多数问题似乎与缺少或不正确的输入变量有关。请参阅关于这个主题的Inspec文档

你提出的具体问题：

检查login.defs (4失败)

这来自于控件os-5：

control 'os-05' do
  impact 1.0
  title 'Check login.defs'
  desc 'Check owner and permissions for login.defs. Also check the configured PATH variable and umask in login.defs'
  describe file('/etc/login.defs') do
    it { should exist }
    it { should be_file }
    it { should be_owned_by 'root' }
    its('group') { should eq 'root' }
    it { should_not be_executable }
    it { should be_readable.by('owner') }
    it { should be_readable.by('group') }
    it { should be_readable.by('other') }
  end
  describe login_defs do
    its('ENV_SUPATH') { should include('/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin') }
    its('ENV_PATH') { should include('/usr/local/bin:/usr/bin:/bin') }
    its('UMASK') { should include(login_defs_umask) }
    its('PASS_MAX_DAYS') { should eq login_defs_passmaxdays }
    its('PASS_MIN_DAYS') { should eq login_defs_passmindays }
    its('PASS_WARN_AGE') { should eq login_defs_passwarnage }
    its('LOGIN_RETRIES') { should eq '5' }
    its('LOGIN_TIMEOUT') { should eq '60' }
    its('UID_MIN') { should eq '1000' }
    its('GID_MIN') { should eq '1000' }
  end
end

失败的具体断言涉及：

• 乌木斯克
• 密码年龄(最低/最长天数，警告)

这些使用属性(即Inspec输入值)，这些属性被读取为在控制的更高处：

login_defs_umask = attribute('login_defs_umask', value: os.redhat? ? '077' : '027', description: 'Default umask to set in login.defs')

login_defs_passmaxdays = attribute('login_defs_passmaxdays', value: '60', description: 'Default password maxdays to set in login.defs')
login_defs_passmindays = attribute('login_defs_passmindays', value: '7', description: 'Default password mindays to set in login.defs')
login_defs_passwarnage = attribute('login_defs_passwarnage', value: '7', description: 'Default password warnage (days) to set in login.defs')

您所得到的错误：

login.defs UMASK should include #
     can't convert Inspec::Attribute::DEFAULT_ATTRIBUTE to String (Inspec::Attribute::DEFAULT_ATTRIBUTE#to_str gives Inspec::Attribute::DEFAULT_ATTRIBUTE)

考虑到之前的警告Inspec告诉您：

WARN: Attribute 'login_defs_umask' does not have a value. Use --attrs to provide a value for 'login_defs_umask' or specify a default  value with `attribute('login_defs_umask', default: 'somedefault', ...)`

或者您有一个Inspec的旧版本，其中没有设置默认值，或者您传递了一组没有设置这些值的输入变量。

os-06:检查SUID/ SGID黑名单

这个控制检查黑名单的suid。它使用自定义资源 suid_check。它本质上发现了具有某些特征的文件：

def permissions
    output = inspec.command('find / -perm -4000 -o -perm -2000 -type f ! -path \'/proc/*\' ! -path \'/var/lib/lxd/containers/*\' -print 2>/dev/null | grep -v \'^find:\'')
    output.stdout.split(/\r?\n/)
end

由于某些文件与黑名单匹配，因此diff失败，黑名单再次设置为属性：

blacklist = attribute(
  'blacklist',
  value: suid_blacklist.default,
  description: 'blacklist of suid/sgid program on system'
)

它是默认设置，它有一个包含大量路径列表的方法default。您可以通过在输入文件中设置黑名单来传递自己的黑名单。

sysctl-29:禁用加载内核模块

我意外地设置回显"1“>/proc/sys/内核/模块_禁用，现在无法将其设置回原来的位置。

内核文档说：

一旦为真，模块既不能加载也不能卸载，并且不能将切换设置为false。

你可能得重新启动机器。

包-07:安装syslog服务器包

控制对一个包进行断言：

describe package(val_syslog_pkg) do

其中val_syslog_pkg是作为输入变量传递的属性：

val_syslog_pkg = attribute('syslog_pkg', value: 'rsyslog', description: 'syslog package to ensure present (default: rsyslog, alternative: syslog-ng...')

在Ubuntu中，这个包名是syslog-ng。