|
26 | 26 | elsif os.debian? |
27 | 27 | shadow_group = 'shadow' |
28 | 28 | end |
29 | | -blacklist = attribute('blacklist', |
| 29 | +blacklist = attribute( |
| 30 | + 'blacklist', |
30 | 31 | default: [ |
31 | 32 | # blacklist as provided by NSA |
32 | 33 | '/usr/bin/rcp', '/usr/bin/rlogin', '/usr/bin/rsh', |
|
54 | 55 | '/usr/lib/pt_chown', # pseudo-tty, needed? |
55 | 56 | '/usr/lib/eject/dmcrypt-get-device', |
56 | 57 | '/usr/lib/mc/cons.saver' # midnight commander screensaver |
57 | | - # from Ubuntu xenial, need to investigate |
58 | | - # '/sbin/unix_chkpwd', |
59 | | - # '/sbin/pam_extrausers_chkpwd', |
60 | | - # '/usr/lib/x86_64-linux-gnu/utempter/utempter', |
61 | | - # '/usr/sbin/postdrop', |
62 | | - # '/usr/sbin/postqueue', |
63 | | - # '/usr/bin/ssh-agent', |
64 | | - # '/usr/bin/mlocate', |
65 | | - # '/usr/bin/crontab', |
66 | | - # '/usr/bin/screen', |
67 | | - # '/usr/bin/expiry', |
68 | | - # '/usr/bin/wall', |
69 | | - # '/usr/bin/chage', |
| 58 | + # from Ubuntu xenial, need to investigate |
| 59 | + # '/sbin/unix_chkpwd', |
| 60 | + # '/sbin/pam_extrausers_chkpwd', |
| 61 | + # '/usr/lib/x86_64-linux-gnu/utempter/utempter', |
| 62 | + # '/usr/sbin/postdrop', |
| 63 | + # '/usr/sbin/postqueue', |
| 64 | + # '/usr/bin/ssh-agent', |
| 65 | + # '/usr/bin/mlocate', |
| 66 | + # '/usr/bin/crontab', |
| 67 | + # '/usr/bin/screen', |
| 68 | + # '/usr/bin/expiry', |
| 69 | + # '/usr/bin/wall', |
| 70 | + # '/usr/bin/chage', |
70 | 71 | # '/usr/bin/bsd-write' |
71 | | - ], description: 'blacklist of suid/sgid program on system' |
| 72 | + ], |
| 73 | + description: 'blacklist of suid/sgid program on system' |
72 | 74 | ) |
73 | 75 |
|
74 | 76 | control 'os-01' do |
|