
linux-patch-baseline's Introduction

Linux Patch Benchmark

This InSpec profile verifies that all updates have been installed on a RedHat/CentOS/Ubuntu machine. It uses the local package manager to determine the available packages.

Available Patches in CentOS 7 (screenshot)

Supported Operating Systems

  • RHEL 6/7
  • CentOS 6/7
  • Debian 8/9/10
  • Ubuntu 12.04+
  • OpenSUSE, SuSE 11/12

License

Author: Dominik Richter ([email protected])
Author: Christoph Hartmann ([email protected])
Copyright: Dominik Richter ([email protected])
Copyright: Christoph Hartmann ([email protected])
License: Mozilla Public License Version 2.0

linux-patch-baseline's People

Contributors

aaronlippold, alexpop, arlimus, artem-sidorenko, atomic111, chris-rock, iveskins, mattray, micheelengronne, renovate[bot], rndmh3ro, schurzi, stromweld

linux-patch-baseline's Issues

Amazon Linux Support

Although Amazon Linux can be roughly treated as RHEL / CentOS family, this will not work here, because inspec detects "amazon" instead of "redhat".

Adding another condition to libraries/linux_updates.rb does not work as a quick and dirty trick.

Can you advise please?

Debian 9.8/10 timing out on audits

Describe the bug
I'm using this profile in a testing environment and it was working the last 2 months but it recently stopped working through the Chef Audit cookbook. Other similar Debian machines don't seem to recreate the issue in Kitchen, so I'm looking for any suggestions for debugging.

Expected behavior
The machine in question worked for weeks, then stopped. Manual verification and running "inspec exec" by hand don't recreate the issue.

Actual behavior

From the Automate 2 UI:

Command timed out after 600s:
Command exceeded allowed execution time, process terminated
---- Begin output of bash -c \#\!/bin/sh'
'DEBIAN_FRONTEND\=noninteractive\ apt-get\ update\ \>/dev/null\ 2\>\&1'
'readlock\(\)\ \{\ cat\ /proc/locks\ \|\ awk\ \'\{print\ \$5\}\'\ \|\ grep\ -v\ \^0\ \|\ xargs\ -I\ \{1\}\ find\ /proc/\{1\}/fd\ -maxdepth\ 1\ -exec\ readlink\ \{\}\ \\\;\ \|\ grep\ \'\^/var/lib/dpkg/lock\$\'\;\ \}'
'while\ test\ -n\ \"\$\(readlock\)\"\;\ do\ sleep\ 1\;\ done'
'echo\ \"\ \"'
'echo\ -n\ \'\{\"available\":\[\''
'DEBIAN_FRONTEND\=noninteractive\ apt-get\ upgrade\ --dry-run\ \|\ grep\ Inst\ \|\ tr\ -d\ \'\[\]\(\)\'\ \|\\'
'\ \ awk\ \'\{\ printf\ \"\{\\\"name\\\":\\\"\"\$2\"\\\",\\\"version\\\":\\\"\"\$4\"\\\",\\\"repo\\\":\\\"\"\$5\"\\\",\\\"arch\\\":\\\"\"\$6\"\\\"\},\"\ \}\'\ \|\ rev\ \|\ cut\ -c\ 2-\ \|\ rev\ \|\ tr\ -d\ \'\\n\''
'echo\ -n\ \'\]\}\''
' ----
STDOUT: 
STDERR: 
---- End output of bash -c \#\!/bin/sh'
'DEBIAN_FRONTEND\=noninteractive\ apt-get\ update\ \>/dev/null\ 2\>\&1'
'readlock\(\)\ \{\ cat\ /proc/locks\ \|\ awk\ \'\{print\ \$5\}\'\ \|\ grep\ -v\ \^0\ \|\ xargs\ -I\ \{1\}\ find\ /proc/\{1\}/fd\ -maxdepth\ 1\ -exec\ readlink\ \{\}\ \\\;\ \|\ grep\ \'\^/var/lib/dpkg/lock\$\'\;\ \}'
'while\ test\ -n\ \"\$\(readlock\)\"\;\ do\ sleep\ 1\;\ done'
'echo\ \"\ \"'
'echo\ -n\ \'\{\"available\":\[\''
'DEBIAN_FRONTEND\=noninteractive\ apt-get\ upgrade\ --dry-run\ \|\ grep\ Inst\ \|\ tr\ -d\ \'\[\]\(\)\'\ \|\\'
'\ \ awk\ \'\{\ printf\ \"\{\\\"name\\\":\\\"\"\$2\"\\\",\\\"version\\\":\\\"\"\$4\"\\\",\\\"repo\\\":\\\"\"\$5\"\\\",\\\"arch\\\":\\\"\"\$6\"\\\"\},\"\ \}\'\ \|\ rev\ \|\ cut\ -c\ 2-\ \|\ rev\ \|\ tr\ -d\ \'\\n\''
'echo\ -n\ \'\]\}\''
' ----
Ran bash -c \#\!/bin/sh'
'DEBIAN_FRONTEND\=noninteractive\ apt-get\ update\ \>/dev/null\ 2\>\&1'
'readlock\(\)\ \{\ cat\ /proc/locks\ \|\ awk\ \'\{print\ \$5\}\'\ \|\ grep\ -v\ \^0\ \|\ xargs\ -I\ \{1\}\ find\ /proc/\{1\}/fd\ -maxdepth\ 1\ -exec\ readlink\ \{\}\ \\\;\ \|\ grep\ \'\^/var/lib/dpkg/lock\$\'\;\ \}'
'while\ test\ -n\ \"\$\(readlock\)\"\;\ do\ sleep\ 1\;\ done'
'echo\ \"\ \"'
'echo\ -n\ \'\{\"available\":\[\''
'DEBIAN_FRONTEND\=noninteractive\ apt-get\ upgrade\ --dry-run\ \|\ grep\ Inst\ \|\ tr\ -d\ \'\[\]\(\)\'\ \|\\'
'\ \ awk\ \'\{\ printf\ \"\{\\\"name\\\":\\\"\"\$2\"\\\",\\\"version\\\":\\\"\"\$4\"\\\",\\\"repo\\\":\\\"\"\$5\"\\\",\\\"arch\\\":\\\"\"\$6\"\\\"\},\"\ \}\'\ \|\ rev\ \|\ cut\ -c\ 2-\ \|\ rev\ \|\ tr\ -d\ \'\\n\''
'echo\ -n\ \'\]\}\''
' returned 

OS / Environment
Debian 9.8, Chef 14.10, InSpec 3.6.6.

Inspec Version

3.6.6

Baseline Version
0.4.0 and git master branch have same results
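The pipeline in the timed-out command above turns the "Inst" lines of `apt-get upgrade --dry-run` into a JSON list of available packages. As an added example (not the profile's own code), the same parsing in Ruby over constructed sample output; unlike the awk field-count approach it also handles a new package with no installed version and an update offered by several repositories, and it flags updates that come from a security repository.

```ruby
require 'json'

# Constructed sample of `apt-get upgrade --dry-run` output (not a real capture).
# The third "Inst" line has no installed version and lists two repositories.
SAMPLE_DRY_RUN = <<~OUT
  Reading package lists...
  Building dependency tree...
  Inst libssl1.1 [1.1.0l-1~deb9u1] (1.1.0l-1~deb9u3 Debian-Security:9/oldstable [amd64])
  Inst openssl [1.1.0l-1~deb9u1] (1.1.0l-1~deb9u3 Debian-Security:9/oldstable [amd64])
  Inst linux-image-4.9.0-13-amd64 (4.9.228-1 Debian:9.13/oldstable, Debian-Security:9/oldstable [amd64])
  Conf libssl1.1 (1.1.0l-1~deb9u3 Debian-Security:9/oldstable [amd64])
OUT

# Inst <name> [<installed>] (<candidate> <repo(s)> [<arch>]); the [<installed>] part
# is absent for a new package, which is what shifts the awk field numbers.
INST_RE = /\AInst (\S+)(?: \[(\S+)\])? \((\S+) (.+?) \[(\S+)\]\)/

# Returns one hash per "Inst" line, with the same keys the profile's pipeline emits.
def parse_apt_dry_run(output)
  output.each_line.map do |line|
    m = INST_RE.match(line.strip)
    next unless m
    { 'name' => m[1], 'version' => m[3], 'repo' => m[4], 'arch' => m[5] }
  end.compact
end

# Packages whose update is offered by a security repository (Debian naming convention).
def security_updates(packages)
  packages.select { |p| p['repo'].split(', ').any? { |r| r.include?('Security') } }
end

# Same JSON shape as the profile's script: {"available":[...]}
def available_patches_json(output)
  JSON.generate('available' => parse_apt_dry_run(output))
end

if __FILE__ == $PROGRAM_NAME
  pkgs = parse_apt_dry_run(SAMPLE_DRY_RUN)
  puts available_patches_json(SAMPLE_DRY_RUN)
  puts "#{security_updates(pkgs).size} of #{pkgs.size} pending updates come from a security repo"
end
```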

Redhat update check only works if user has root access.

These logs are from an Amazon Linux system, but I had the same problem on CentOS.

I was trying to run linux-patch-baseline remotely via ssh as a non-root user.

$ inspec exec supermarket://dev-sec/linux-patch-baseline -t ssh://ec2-user@host -i ~/.ssh/secret.pem
I kept getting a: "Could not determine patch status" error.

So I tried running the commands in the test manually.
I found that the Python script got a 'Permission denied' error when run as my SSH user on the /var/cache/yum/ directory.
Interestingly, if I ran this Python command as root and then ran the InSpec test remotely, it worked.

Is there a better way to get update status, that non-root users can use?
I found talk of yum-updatesd, but that service doesn't seem to be enabled by default.

sh-4.2$ python -c 'import sys; sys.path.insert(0, "/usr/share/yum-cli"); import cli; list = cli.YumBaseCli().returnPkgLists(["updates"]);'
Loaded plugins: fastestmirror, priorities, update-motd, upgrade-helper
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/share/yum-cli/cli.py", line 1401, in returnPkgLists
    ignore_case=True, repoid=repoid)
  File "/usr/lib/python2.7/dist-packages/yum/__init__.py", line 2998, in doPackageLists
    for (n,a,e,v,r) in self.up.getUpdatesList():
  File "/usr/lib/python2.7/dist-packages/yum/__init__.py", line 1091, in <lambda>
    up = property(fget=lambda self: self._getUpdates(),
  File "/usr/lib/python2.7/dist-packages/yum/__init__.py", line 836, in _getUpdates
    self._up = rpmUtils.updates.Updates(self.rpmdb.simplePkgList(), self.pkgSack.simplePkgList())
  File "/usr/lib/python2.7/dist-packages/yum/__init__.py", line 1072, in <lambda>
    pkgSack = property(fget=lambda self: self._getSacks(),
  File "/usr/lib/python2.7/dist-packages/yum/__init__.py", line 776, in _getSacks
    self.repos.populateSack(which=repos)
  File "/usr/lib/python2.7/dist-packages/yum/repos.py", line 347, in populateSack
    self.doSetup()
  File "/usr/lib/python2.7/dist-packages/yum/repos.py", line 157, in doSetup
    self.retrieveAllMD()
  File "/usr/lib/python2.7/dist-packages/yum/repos.py", line 88, in retrieveAllMD
    dl = repo._async and repo._commonLoadRepoXML(repo)
  File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 1509, in _commonLoadRepoXML
    if self._latestRepoXML(local):
  File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 1478, in _latestRepoXML
    oxml = self._saveOldRepoXML(local)
  File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 1336, in _saveOldRepoXML
    shutil.copy2(local, old_local)
  File "/usr/lib64/python2.7/shutil.py", line 130, in copy2
    copyfile(src, dst)
  File "/usr/lib64/python2.7/shutil.py", line 83, in copyfile
    with open(dst, 'wb') as fdst:
IOError: [Errno 13] Permission denied: '/var/cache/yum/x86_64/latest/amzn-main/repomd.xml.old.tmp'
sh-4.2$ sudo python -c 'import sys; sys.path.insert(0, "/usr/share/yum-cli"); import cli; list = cli.YumBaseCli().returnPkgLists(["updates"]);'
Loaded plugins: fastestmirror, priorities, update-motd, upgrade-helper
Loading mirror speeds from cached hostfile
 * amzn-main: packages.ap-northeast-1.amazonaws.com
 * amzn-updates: packages.ap-northeast-1.amazonaws.com
 * epel: s3-mirror-ap-northeast-1.fedoraproject.org
1045 packages excluded due to repository priority protections

HTML report generated for InSpec Profile contains error

The HTML report generated using the inspec CLI flag --reporter for the InSpec profiles linux-patch-baseline, linux-baseline etc. contains an error message and needs re-styling.

Example: report generated using the linux-patch-baseline InSpec profile, but a similar error is seen with dev-sec/nginx-baseline and dev-sec/linux-patch-baseline.

Though in the normal CLI output there is no error.

inspec exec /home/admchef/inspec/linux-patch-baseline/ -t ssh://user:password@target --reporter html:ubuntu.html


[Security] Workflow release.yml is using vulnerable action mikefarah/yq

The workflow release.yml references the action mikefarah/yq using reference 3.2.1. However, this reference is missing the commit 989b11764dd33fcb1f86c799cdfa34df727b12be, which may contain a fix for some vulnerability.
The vulnerability fix missing from this action version could be related to:
(1) a CVE fix
(2) an upgrade of a vulnerable dependency
(3) a fix for a secret leak, and others.
Please consider updating the reference to the action.

Move the control examples out of the resource pack

When this is used as a resource pack but the controls are not used it populates the output data with extra data. I think we should split this into a proper resource pack and then an example repo that depends on the resource pack and put the control tests in the example.

better test coverage

  • enable travis
  • enable kitchen verify in test-kitchen
  • errors in test kitchen verify are not an error for this profile, because they reflect a finding
  • we need to inspect the inspec report
  • add rubocop
