26 | 26 | elsif os.debian? |
27 | 27 | shadow_group = 'shadow' |
28 | 28 | end |
29 | | -blacklist = attribute('blacklist', default: [ |
30 | | - # blacklist as provided by NSA |
31 | | - '/usr/bin/rcp', '/usr/bin/rlogin', '/usr/bin/rsh', |
32 | | - # sshd must not use host-based authentication (see ssh cookbook) |
33 | | - '/usr/libexec/openssh/ssh-keysign', |
34 | | - '/usr/lib/openssh/ssh-keysign', |
35 | | - # misc others |
36 | | - '/sbin/netreport', # not normally required for user |
37 | | - '/usr/sbin/usernetctl', # modify interfaces via functional accounts |
38 | | - # connecting to ... |
39 | | - '/usr/sbin/userisdnctl', # no isdn... |
40 | | - '/usr/sbin/pppd', # no ppp / dsl ... |
41 | | - # lockfile |
42 | | - '/usr/bin/lockfile', |
43 | | - '/usr/bin/mail-lock', |
44 | | - '/usr/bin/mail-unlock', |
45 | | - '/usr/bin/mail-touchlock', |
46 | | - '/usr/bin/dotlockfile', |
47 | | - # need more investigation, blacklist for now |
48 | | - '/usr/bin/arping', |
49 | | - '/usr/sbin/arping', |
50 | | - '/usr/sbin/uuidd', |
51 | | - '/usr/bin/mtr', # investigate current state... |
52 | | - '/usr/lib/evolution/camel-lock-helper-1.2', # investigate current state... |
53 | | - '/usr/lib/pt_chown', # pseudo-tty, needed? |
54 | | - '/usr/lib/eject/dmcrypt-get-device', |
55 | | - '/usr/lib/mc/cons.saver' # midnight commander screensaver |
56 | | - # from Ubuntu xenial, need to investigate |
57 | | - # '/sbin/unix_chkpwd', |
58 | | - # '/sbin/pam_extrausers_chkpwd', |
59 | | - # '/usr/lib/x86_64-linux-gnu/utempter/utempter', |
60 | | - # '/usr/sbin/postdrop', |
61 | | - # '/usr/sbin/postqueue', |
62 | | - # '/usr/bin/ssh-agent', |
63 | | - # '/usr/bin/mlocate', |
64 | | - # '/usr/bin/crontab', |
65 | | - # '/usr/bin/screen', |
66 | | - # '/usr/bin/expiry', |
67 | | - # '/usr/bin/wall', |
68 | | - # '/usr/bin/chage', |
69 | | - # '/usr/bin/bsd-write' |
70 | | - ], description: 'blacklist of suid/sgid program on system') |
| 29 | +blacklist = attribute('blacklist', |
| 30 | + default: [ |
| 31 | + # blacklist as provided by NSA |
| 32 | + '/usr/bin/rcp', '/usr/bin/rlogin', '/usr/bin/rsh', |
| 33 | + # sshd must not use host-based authentication (see ssh cookbook) |
| 34 | + '/usr/libexec/openssh/ssh-keysign', |
| 35 | + '/usr/lib/openssh/ssh-keysign', |
| 36 | + # misc others |
| 37 | + '/sbin/netreport', # not normally required for user |
| 38 | + '/usr/sbin/usernetctl', # modify interfaces via functional accounts |
| 39 | + # connecting to ... |
| 40 | + '/usr/sbin/userisdnctl', # no isdn... |
| 41 | + '/usr/sbin/pppd', # no ppp / dsl ... |
| 42 | + # lockfile |
| 43 | + '/usr/bin/lockfile', |
| 44 | + '/usr/bin/mail-lock', |
| 45 | + '/usr/bin/mail-unlock', |
| 46 | + '/usr/bin/mail-touchlock', |
| 47 | + '/usr/bin/dotlockfile', |
| 48 | + # need more investigation, blacklist for now |
| 49 | + '/usr/bin/arping', |
| 50 | + '/usr/sbin/arping', |
| 51 | + '/usr/sbin/uuidd', |
| 52 | + '/usr/bin/mtr', # investigate current state... |
| 53 | + '/usr/lib/evolution/camel-lock-helper-1.2', # investigate current state... |
| 54 | + '/usr/lib/pt_chown', # pseudo-tty, needed? |
| 55 | + '/usr/lib/eject/dmcrypt-get-device', |
| 56 | + '/usr/lib/mc/cons.saver' # midnight commander screensaver |
| 57 | + # from Ubuntu xenial, need to investigate |
| 58 | + # '/sbin/unix_chkpwd', |
| 59 | + # '/sbin/pam_extrausers_chkpwd', |
| 60 | + # '/usr/lib/x86_64-linux-gnu/utempter/utempter', |
| 61 | + # '/usr/sbin/postdrop', |
| 62 | + # '/usr/sbin/postqueue', |
| 63 | + # '/usr/bin/ssh-agent', |
| 64 | + # '/usr/bin/mlocate', |
| 65 | + # '/usr/bin/crontab', |
| 66 | + # '/usr/bin/screen', |
| 67 | + # '/usr/bin/expiry', |
| 68 | + # '/usr/bin/wall', |
| 69 | + # '/usr/bin/chage', |
| 70 | + # '/usr/bin/bsd-write' |
| 71 | + ], description: 'blacklist of suid/sgid program on system' |
| 72 | + ) |
71 | 73 |
72 | 74 | control 'os-01' do |
73 | 75 | impact 1.0 |