|
62 | 62 | end |
63 | 63 |
|
64 | 64 | # GIS: Req 3.21-12 |
65 | | -describe 'SUID/ SGID whitelist check' do |
66 | | - it 'found only whitelist suid/sgid' do |
67 | | - whitelist = [ |
68 | | - # whitelist as provided by NSA |
69 | | - '/bin/mount', '/bin/ping', '/bin/su', '/bin/umount', '/sbin/pam_timestamp_check', |
70 | | - '/sbin/unix_chkpwd', '/usr/bin/at', '/usr/bin/gpasswd', '/usr/bin/locate', |
71 | | - '/usr/bin/newgrp', '/usr/bin/passwd', '/usr/bin/ssh-agent', '/usr/libexec/utempter/utempter', '/usr/sbin/lockdev', |
72 | | - '/usr/sbin/sendmail.sendmail', '/usr/bin/expiry', |
73 | | - # whitelist ipv6 |
74 | | - '/bin/ping6', '/usr/bin/traceroute6.iputils', |
75 | | - # whitelist nfs |
76 | | - '/sbin/mount.nfs', '/sbin/umount.nfs', |
77 | | - # whitelist nfs4 |
78 | | - '/sbin/mount.nfs4', '/sbin/umount.nfs4', |
79 | | - # whitelist cron |
80 | | - '/usr/bin/crontab', |
81 | | - # whitelist consolemssaging |
82 | | - '/usr/bin/wall', '/usr/bin/write', |
83 | | - # whitelist: only SGID with utmp group for multi-session access |
84 | | - # impact is limited; installation/usage has some remaining risk |
85 | | - '/usr/bin/screen', |
86 | | - # whitelist locate |
87 | | - '/usr/bin/mlocate', |
88 | | - # whitelist usermanagement |
89 | | - '/usr/bin/chage', '/usr/bin/chfn', '/usr/bin/chsh', |
90 | | - # whitelist fuse |
91 | | - '/bin/fusermount', |
92 | | - # whitelist pkexec |
93 | | - '/usr/bin/pkexec', |
94 | | - # whitelist sudo |
95 | | - '/usr/bin/sudo', '/usr/bin/sudoedit', |
96 | | - # whitelist postfix |
97 | | - '/usr/sbin/postdrop', '/usr/sbin/postqueue', |
98 | | - # whitelist apache |
99 | | - '/usr/sbin/suexec', |
100 | | - # whitelist squid |
101 | | - '/usr/lib/squid/ncsa_auth', '/usr/lib/squid/pam_auth', |
102 | | - # whitelist kerberos |
103 | | - '/usr/kerberos/bin/ksu', |
104 | | - # whitelist pam_caching |
105 | | - '/usr/sbin/ccreds_validate', |
106 | | - # whitelist Xorg |
107 | | - '/usr/bin/Xorg', # xorg |
108 | | - '/usr/bin/X', # xorg |
109 | | - '/usr/lib/dbus-1.0/dbus-daemon-launch-helper', # freedesktop ipc |
110 | | - '/usr/lib/vte/gnome-pty-helper', # gnome |
111 | | - '/usr/lib/libvte9/gnome-pty-helper', # gnome |
112 | | - '/usr/lib/libvte-2.90-9/gnome-pty-helper' # gnome |
| 65 | +describe 'SUID/ SGID blacklist check' do |
| 66 | + it 'found no blacklisted suid/sgid' do |
| 67 | + blacklist = [ |
| 68 | + # blacklist as provided by NSA |
| 69 | + '/usr/bin/rcp', '/usr/bin/rlogin', '/usr/bin/rsh', |
| 70 | + # sshd must not use host-based authentication (see ssh cookbook) |
| 71 | + '/usr/libexec/openssh/ssh-keysign', |
| 72 | + '/usr/lib/openssh/ssh-keysign', |
| 73 | + # misc others |
| 74 | + '/sbin/netreport', # not normally required for user |
| 75 | + '/usr/sbin/usernetctl', # modify interfaces via functional accounts |
| 76 | + # connecting to ... |
| 77 | + '/usr/sbin/userisdnctl', # no isdn... |
| 78 | + '/usr/sbin/pppd', # no ppp / dsl ... |
| 79 | + # lockfile |
| 80 | + '/usr/bin/lockfile', |
| 81 | + '/usr/bin/mail-lock', |
| 82 | + '/usr/bin/mail-unlock', |
| 83 | + '/usr/bin/mail-touchlock', |
| 84 | + '/usr/bin/dotlockfile', |
| 85 | + # need more investigation, blacklist for now |
| 86 | + '/usr/bin/arping', |
| 87 | + '/usr/sbin/uuidd', |
| 88 | + '/usr/bin/mtr', # investigate current state... |
| 89 | + '/usr/lib/evolution/camel-lock-helper-1.2', # investigate current state... |
| 90 | + '/usr/lib/pt_chown', # pseudo-tty, needed? |
| 91 | + '/usr/lib/eject/dmcrypt-get-device', |
| 92 | + '/usr/lib/mc/cons.saver' # midnight commander screensaver |
113 | 93 | ] |
| 94 | + |
114 | 95 | actual = command('find / -perm -4000 -o -perm -2000 -type f ! -path \'/proc/*\' -print 2>/dev/null | grep -v \'^find:\'').stdout.split(/\r?\n/) |
115 | | - (actual - whitelist).count.should be 0 |
| 96 | + (actual & blacklist).count.should be 0 |
116 | 97 | end |
117 | 98 | end |
118 | 99 |
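Review bot: The new `(actual & blacklist).count.should be 0` assertion inherits the `find` expression in the unchanged `actual = command(...)` line, where the implicit `-a` binds tighter than `-o`, so the explicit `-print` belongs only to the `-perm -2000` branch and files that are SUID but not SGID are matched and then silently dropped; binaries such as `rcp`/`rlogin`/`rsh` are typically SUID-only, so they would never appear in `actual` and the new check could not fail for them. Grouping the mode tests fixes that: `find / \( -perm -4000 -o -perm -2000 \) -type f ! -path '/proc/*' -print 2>/dev/null`. Separately, replacing the set difference against a whitelist with an intersection against a blacklist inverts the default so that any SUID/SGID binary not enumerated now passes, which deserves an explicit comment above the array such as `# blacklist mode: SUID/SGID files not listed here are accepted without review`. Using `(actual & blacklist).should be_empty` instead of comparing the count would also print the offending paths when the example fails.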