Closed rjschwei closed 9 months ago
We need additional tests for hardened images. The following tests should be integrated in img-proof
1: all entries in /etc/shadow should have a life limit:

```
$ sudo awk -F: '{print $1 " " $5}' /etc/shadow
root 60
messagebus 60
systemd-network 60
systemd-timesync 60
```

not:

```
ec2-user@wsalp:~/ansible-container> sudo awk -F: '{print $1 " " $5}' /etc/shadow
root
systemd-timesync
messagebus
nobody
sshd
```
2: /etc/audit/rules.d/access.rules should exist with content like:

```
-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S creat -S ftruncate -S open -S open_by_handle_at -S openat -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S rename -S renameat -S renameat2 -S unlink -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S rename -S renameat -S renameat2 -S unlink -S unlinkat -F exit=-EACCES -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b32 -S rename -S renameat -S renameat2 -S unlink -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
-a always,exit -F arch=b64 -S rename -S renameat -S renameat2 -S unlink -S unlinkat -F exit=-EPERM -F auid>=1000 -F auid!=unset -F key=access
```

3: /etc/audit/rules.d/delete.rules should exist and have something like:

```
/etc/audit/rules.d/delete.rules:-a always,exit -F arch=b32 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
/etc/audit/rules.d/delete.rules:-a always,exit -F arch=b64 -S rename -S renameat -S unlink -S unlinkat -F auid>=1000 -F auid!=unset -F key=delete
```