Repository: flatcar-linux/Flatcar
Branch: main
Commit: 1eeb0355ca05
Files: 37
Total size: 448.9 KB
Directory structure:
gitextract_vqk6gyzh/
├── .github/
│ └── workflows/
│ └── issue-pr-contrib-metrics.yaml
├── ADOPTERS.md
├── CIS/
│ ├── README.md
│ ├── inspec-report-level1-root-2020-12-08.txt
│ ├── inspec-report-level2-root-2020-12-08.txt
│ └── level1-remediation_notes-2020-12-08.md
├── CODEOWNERS
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── EMERITUS_MAINTAINERS.md
├── LICENSE
├── MAINTAINERS.md
├── ONBOARDING.md
├── README.md
├── RELEASES.md
├── SECURITY.md
├── adding-new-packages.md
├── attic/
│ └── community-meetings/
│ ├── 2021-05-11.md
│ ├── 2021-06-08.md
│ ├── 2021-07-13.md
│ ├── 2021-07-26.md
│ ├── 2021-08-10.md
│ ├── 2021-08-23.md
│ ├── 2021-09-14.md
│ ├── 2021-09-28.md
│ ├── 2021-10-19.md
│ ├── 2021-10-26.md
│ ├── 2021-11-09.md
│ ├── 2021-11-23.md
│ ├── 2021-12-17.md
│ ├── 2022-01-11.md
│ └── README.md
├── governance.md
├── interop-matrix.md
└── sync-maintainers/
├── README
├── requirements.txt
└── sync-maintainers.py
================================================
FILE CONTENTS
================================================
================================================
FILE: .github/workflows/issue-pr-contrib-metrics.yaml
================================================
name: Monthly contributor report
on:
  workflow_dispatch:
    inputs:
      start_date:
        type: string
        description: |
          Custom start date for metrics generation in YYYY-MM-DD format.
        required: true
      end_date:
        type: string
        description: |
          Custom end date for metrics generation in YYYY-MM-DD format.
        required: true
  # Run on every 22nd of the month. This guarantees that this action runs
  # before the Dev Sync (every 4th Tuesday of the month in the afternoon).
  schedule:
    - cron: '0 0 22 * *'

permissions:
  issues: write

jobs:
  contributor_report:
    name: contributor report
    runs-on: ubuntu-latest
    steps:
      - name: Set the start and end dates
        shell: bash
        run: |
          set -euo pipefail
          # The dispatch inputs are substituted into this script by the runner
          # before bash executes it, so they are trusted exactly as far as the
          # users who are allowed to dispatch this workflow are.
          if [[ -n "${{inputs.start_date}}" && -n "${{inputs.end_date}}" ]] ; then
            start_date="${{inputs.start_date}}"
            end_date="${{inputs.end_date}}"
          else
            # Scheduled runs cover a rolling window from this day last month
            # up to and including yesterday.
            start_date=$(date -d "last month" +%Y-%m-%d)
            end_date=$(date -d "yesterday" +%Y-%m-%d)
          fi
          echo "START_DATE=$start_date" >> "$GITHUB_ENV"
          echo "END_DATE=$end_date" >> "$GITHUB_ENV"
      #
      # Contributors stats
      #
      - name: Collect contributor metrics
        uses: github-community-projects/contributors@v1
        env:
          GH_TOKEN: ${{ secrets.GH_ACTION_METRICS_ORG_READ }}
          START_DATE: ${{ env.START_DATE }}
          END_DATE: ${{ env.END_DATE }}
          # We explicitly list repos for our metrics here so temporary forks like
          # e.g. systemd, gentoo, or udev don't pollute the stats
          REPOSITORY: "flatcar/nebraska,flatcar/flatcar-website,flatcar/flatcar-build-scripts,flatcar/baselayout,flatcar/bootengine,flatcar/coreos-cloudinit,flatcar/flatcar-dev-util,flatcar/init,flatcar/locksmith,flatcar/mantle,flatcar/mayday,flatcar/nss-altfiles,flatcar/scripts,flatcar/seismograph,flatcar/shim,flatcar/sysroot-wrappers,flatcar/toolbox,flatcar/torcx,flatcar/update-ssh-keys,flatcar/update_engine,flatcar/updateservicectl,flatcar/Flatcar,flatcar/flatcar-packer-qemu,flatcar/flatcar-ipxe-scripts,flatcar/flatcar-cloud-image-uploader,flatcar/flatcar-linux-update-operator,flatcar/flatcar-release-mirror,flatcar/flatcar-terraform,flatcar/sdnotify-proxy,flatcar/nebraska-update-agent,flatcar/fleetlock,flatcar/flog,flatcar/ign-converter,flatcar/nomad-on-flatcar,flatcar/sysext-bakery,flatcar/reports,flatcar/flatcar-demos,flatcar/jitsi-server,flatcar/flatcar-mastodon,flatcar/ue-rs,flatcar/azure-marketplace-ingestion-api,flatcar/flatcar-tutorial,flatcar/flatcar-app-minecraft,flatcar/garm-provider-linode,flatcar/socials"
          SPONSOR_INFO: "false"
      #
      # Q&A Discussions stats
      #
      - name: All unanswered Q&A summary metrics
        uses: github-community-projects/issue-metrics@v2
        env:
          GH_TOKEN: ${{ secrets.GH_ACTION_METRICS_ORG_READ }}
          SEARCH_QUERY: 'repo:flatcar/Flatcar type:discussions category:Q&A is:unanswered'
          # This metric measures items that are still open
          HIDE_TIME_TO_CLOSE: true
      - name: rename open discussion metrics file
        shell: bash
        run: |
          set -euo pipefail
          mv issue_metrics.md discussion_qna_open.md
      - name: All answered Q&A Discussions metrics
        uses: github-community-projects/issue-metrics@v2
        env:
          GH_TOKEN: ${{ secrets.GH_ACTION_METRICS_ORG_READ }}
          SEARCH_QUERY: 'repo:flatcar/Flatcar type:discussions category:Q&A is:answered'
      - name: rename answered discussion metrics file
        shell: bash
        run: |
          set -euo pipefail
          mv issue_metrics.md discussion_qna_closed.md
      - name: New Q&A discussions created metrics
        uses: github-community-projects/issue-metrics@v2
        env:
          GH_TOKEN: ${{ secrets.GH_ACTION_METRICS_ORG_READ }}
          SEARCH_QUERY: 'repo:flatcar/Flatcar type:discussions category:Q&A created:${{ env.START_DATE }}..${{ env.END_DATE }}'
      - name: rename new discussion metrics file
        shell: bash
        run: |
          set -euo pipefail
          mv issue_metrics.md discussion_qna_opened.md
      #
      # Regular Discussions stats
      #
      - name: All open Discussions summary metrics
        uses: github-community-projects/issue-metrics@v2
        env:
          GH_TOKEN: ${{ secrets.GH_ACTION_METRICS_ORG_READ }}
          SEARCH_QUERY: 'repo:flatcar/Flatcar type:discussions -category:Q&A is:open'
          # This metric measures items that are still open
          HIDE_TIME_TO_CLOSE: true
      - name: rename open discussion metrics file
        shell: bash
        run: |
          set -euo pipefail
          mv issue_metrics.md discussion_open.md
      - name: New Discussions created metrics
        uses: github-community-projects/issue-metrics@v2
        env:
          GH_TOKEN: ${{ secrets.GH_ACTION_METRICS_ORG_READ }}
          SEARCH_QUERY: 'repo:flatcar/Flatcar type:discussions -category:Q&A created:${{ env.START_DATE }}..${{ env.END_DATE }}'
      - name: rename new discussions metrics file
        shell: bash
        run: |
          set -euo pipefail
          mv issue_metrics.md discussion_opened.md
      - name: Discussions closed metrics
        uses: github-community-projects/issue-metrics@v2
        env:
          GH_TOKEN: ${{ secrets.GH_ACTION_METRICS_ORG_READ }}
          SEARCH_QUERY: 'repo:flatcar/Flatcar type:discussions -category:Q&A closed:${{ env.START_DATE }}..${{ env.END_DATE }}'
      - name: rename closed discussions metrics file
        shell: bash
        run: |
          set -euo pipefail
          mv issue_metrics.md discussion_closed.md
      #
      # Issues stats
      #
      - name: All open Issues summary metrics
        uses: github-community-projects/issue-metrics@v2
        env:
          GH_TOKEN: ${{ secrets.GH_ACTION_METRICS_ORG_READ }}
          SEARCH_QUERY: 'org:flatcar is:issue is:open'
          # "time to answer" only supported for discussions
          HIDE_TIME_TO_ANSWER: true
          # This metric measures items that are still open
          HIDE_TIME_TO_CLOSE: true
          IGNORE_USERS: "flatcar-infra,github-actions[bot],dependabot[bot]"
      - name: rename open issues metrics file
        shell: bash
        run: |
          set -euo pipefail
          mv issue_metrics.md issues_open.md
      - name: New issues created metrics
        uses: github-community-projects/issue-metrics@v2
        env:
          GH_TOKEN: ${{ secrets.GH_ACTION_METRICS_ORG_READ }}
          SEARCH_QUERY: 'org:flatcar is:issue created:${{ env.START_DATE }}..${{ env.END_DATE }}'
          # "time to answer" only supported for discussions
          HIDE_TIME_TO_ANSWER: true
          IGNORE_USERS: "flatcar-infra,github-actions[bot],dependabot[bot]"
      - name: rename new issues opened metrics file
        shell: bash
        run: |
          set -euo pipefail
          mv issue_metrics.md issues_opened.md
      - name: Issues closed metrics
        uses: github-community-projects/issue-metrics@v2
        env:
          GH_TOKEN: ${{ secrets.GH_ACTION_METRICS_ORG_READ }}
          SEARCH_QUERY: 'org:flatcar is:issue closed:${{ env.START_DATE }}..${{ env.END_DATE }}'
          # "time to answer" only supported for discussions
          HIDE_TIME_TO_ANSWER: true
          IGNORE_USERS: "flatcar-infra,github-actions[bot],dependabot[bot]"
      - name: rename issues closed metrics file
        shell: bash
        run: |
          set -euo pipefail
          mv issue_metrics.md issues_closed.md
      #
      # Advisories stats
      #
      - name: All open Advisories summary metrics
        uses: github-community-projects/issue-metrics@v2
        env:
          GH_TOKEN: ${{ secrets.GH_ACTION_METRICS_ORG_READ }}
          SEARCH_QUERY: 'repo:flatcar/Flatcar is:issue is:open label:advisory -status:implemented'
          # "time to answer" only supported for discussions
          HIDE_TIME_TO_ANSWER: true
          # This metric measures items that are still open
          HIDE_TIME_TO_CLOSE: true
      - name: rename open advisories metrics file
        shell: bash
        run: |
          set -euo pipefail
          mv issue_metrics.md advisories_open.md
      - name: New advisories created metrics
        uses: github-community-projects/issue-metrics@v2
        env:
          GH_TOKEN: ${{ secrets.GH_ACTION_METRICS_ORG_READ }}
          SEARCH_QUERY: 'repo:flatcar/Flatcar is:issue label:advisory created:${{ env.START_DATE }}..${{ env.END_DATE }}'
          # "time to answer" only supported for discussions
          HIDE_TIME_TO_ANSWER: true
      - name: rename new advisories opened metrics file
        shell: bash
        run: |
          set -euo pipefail
          mv issue_metrics.md advisories_opened.md
      - name: Advisories closed metrics
        uses: github-community-projects/issue-metrics@v2
        env:
          GH_TOKEN: ${{ secrets.GH_ACTION_METRICS_ORG_READ }}
          SEARCH_QUERY: 'repo:flatcar/Flatcar is:issue label:advisory closed:${{ env.START_DATE }}..${{ env.END_DATE }}'
          # "time to answer" only supported for discussions
          HIDE_TIME_TO_ANSWER: true
      - name: rename advisories closed metrics file
        shell: bash
        run: |
          set -euo pipefail
          mv issue_metrics.md advisories_closed.md
      #
      # Pull Requests stats
      #
      - name: All open PRs summary metrics
        uses: github-community-projects/issue-metrics@v2
        env:
          GH_TOKEN: ${{ secrets.GH_ACTION_METRICS_ORG_READ }}
          SEARCH_QUERY: 'org:flatcar is:pr is:open -author:flatcar-infra'
          # "time to answer" only supported for discussions
          HIDE_TIME_TO_ANSWER: true
          # This metric measures items that are still open
          HIDE_TIME_TO_CLOSE: true
          IGNORE_USERS: "flatcar-infra,github-actions[bot],dependabot[bot]"
      - name: rename open PR metrics file
        shell: bash
        run: |
          set -euo pipefail
          mv issue_metrics.md prs_open.md
      - name: New PRs created metrics
        uses: github-community-projects/issue-metrics@v2
        env:
          GH_TOKEN: ${{ secrets.GH_ACTION_METRICS_ORG_READ }}
          SEARCH_QUERY: 'org:flatcar is:pr -author:flatcar-infra created:${{ env.START_DATE }}..${{ env.END_DATE }}'
          # "time to answer" only supported for discussions
          HIDE_TIME_TO_ANSWER: true
          IGNORE_USERS: "flatcar-infra,github-actions[bot],dependabot[bot]"
      - name: rename new PRs metrics file
        shell: bash
        run: |
          set -euo pipefail
          mv issue_metrics.md prs_opened.md
      - name: PRs closed metrics
        uses: github-community-projects/issue-metrics@v2
        env:
          GH_TOKEN: ${{ secrets.GH_ACTION_METRICS_ORG_READ }}
          SEARCH_QUERY: 'org:flatcar is:pr -author:flatcar-infra closed:${{ env.START_DATE }}..${{ env.END_DATE }}'
          # "time to answer" only supported for discussions
          HIDE_TIME_TO_ANSWER: true
          IGNORE_USERS: "flatcar-infra,github-actions[bot],dependabot[bot]"
      - name: rename closed PRs metrics file
        shell: bash
        run: |
          set -euo pipefail
          mv issue_metrics.md prs_closed.md
      #
      # Upload and post-process, create issue
      #
      - name: Upload individual reports
        uses: actions/upload-artifact@v4
        with:
          retention-days: 32
          name: raw-reports
          path: |
            ./*.md
      - name: Assemble full report
        shell: bash
        run: |
          set -euo pipefail
          echo -e '# Contributions, Discussions, Advisories, and Issues' >> summary_report.md
          echo "(See comment below for Pull Request Metrics)" >> summary_report.md
          # Create table of contents.
          # Anchor targets defined here are created below when the respective section is added.
          echo "# Contents" >> summary_report.md
          echo "* [Contributors Metrics](#contributors-metrics)" >> summary_report.md
          echo "* [Github Discussions Metrics](#discussions-metrics)" >> summary_report.md
          echo "  * [Questions and Answers Discussions](#discussions-metrics-qna)" >> summary_report.md
          echo "  * [Other Discussions](#discussions-metrics-other)" >> summary_report.md
          echo "* [Advisory Metrics](#advisory-metrics)" >> summary_report.md
          echo "  * [New Advisories](#advisory-metrics-new)" >> summary_report.md
          echo "  * [Closed Advisories](#advisory-metrics-closed)" >> summary_report.md
          echo "  * [All open Advisories](#advisory-metrics-summary)" >> summary_report.md
          echo "* [Issue Metrics](#issue-metrics)" >> summary_report.md
          echo "  * [Summary of all open Issues](#issue-metrics-summary)" >> summary_report.md
          echo "  * [New Issues](#issue-metrics-new)" >> summary_report.md
          echo "  * [Closed Issues](#issue-metrics-closed)" >> summary_report.md
          #
          # Contributors
          #
          echo -e '\n\n<h1 id="contributors-metrics">Contributors Metrics</h1>' >> summary_report.md
          tail --lines=+2 contributors.md >> summary_report.md
          #
          # Discussions
          #
          echo -e '\n\n<h1 id="discussions-metrics">Discussions Metrics</h1>' >> summary_report.md
          echo -e '\n<h2 id="discussions-metrics-qna">Questions & Answers</h2>' >> summary_report.md
          echo -e "\n### Summary of all unanswered Questions" >> summary_report.md
          echo "These summary statistics include all currently unanswered Q&A discussions (opened at any point in the past)." \
            >> summary_report.md
          # remove full discussions list from stats; we only want the summary
          # (the awk filter stops printing at the first line of the per-item table)
          tail --lines=+2 discussion_qna_open.md \
            | awk '/^\| Title \| URL \| Author \|/{silent=1} {if (silent==0) print $0}' \
            >> summary_report.md
          echo -e "\n### Summary of all answered Questions" >> summary_report.md
          echo -e "\nThese Q&A discussions were opened and also answered between ${{ env.START_DATE }} - ${{ env.END_DATE }}." \
            >> summary_report.md
          echo -e "(Discussions search is somewhat limited on Github; there's currently no way to search for discussions answered within a given timespan)" \
            >> summary_report.md
          # remove full discussions list from stats; we only want the summary
          tail --lines=+2 discussion_qna_closed.md \
            | awk '/^\| Title \| URL \| Author \|/{silent=1} {if (silent==0) print $0}' \
            >> summary_report.md
          echo -e "\n### New Questions" >> summary_report.md
          echo -e "\nThese Q&A discussions were created between ${{ env.START_DATE }} - ${{ env.END_DATE }}." \
            >> summary_report.md
          tail --lines=+2 discussion_qna_opened.md >> summary_report.md
          echo -e '\n<h2 id="discussions-metrics-other">Other Discussions</h2>' >> summary_report.md
          echo -e "\n### Summary of open Discussions" >> summary_report.md
          echo "These summary statistics include all currently open discussions except Q&A (opened at any point in the past)." \
            >> summary_report.md
          # remove full discussions list from stats; we only want the summary
          tail --lines=+2 discussion_open.md \
            | awk '/^\| Title \| URL \| Author \|/{silent=1} {if (silent==0) print $0}' \
            >> summary_report.md
          echo -e "\n## New discussions" >> summary_report.md
          echo -e "\nThese discussions (except Q&A) were created between ${{ env.START_DATE }} - ${{ env.END_DATE }}." \
            >> summary_report.md
          tail --lines=+2 discussion_opened.md >> summary_report.md
          echo -e "\n## Discussions closed" >> summary_report.md
          echo -e "\nThese discussions (except Q&A) were opened at any point in the past and closed between ${{ env.START_DATE }} - ${{ env.END_DATE }}." \
            >> summary_report.md
          tail --lines=+2 discussion_closed.md >> summary_report.md
          #
          # Advisories
          #
          echo -e '\n\n<h1 id="advisory-metrics">Advisory Metrics</h1>' >> summary_report.md
          echo -e "\n\nNote that advisories are tracked in issues, so the advisories discussed in this section also contribute to the overall issue statistics above.\n\n" \
            >> summary_report.md
          echo -e '\n<h2 id="advisory-metrics-new">New Advisories</h2>' >> summary_report.md
          echo -e "\nThese advisories were created between ${{ env.START_DATE }} - ${{ env.END_DATE }}." \
            >> summary_report.md
          tail --lines=+2 advisories_opened.md >> summary_report.md
          echo -e '\n<h2 id="advisory-metrics-closed">Advisories closed</h2>' >> summary_report.md
          echo -e "\nThese advisories were opened at any point in the past and were closed between ${{ env.START_DATE }} - ${{ env.END_DATE }}." \
            >> summary_report.md
          tail --lines=+2 advisories_closed.md >> summary_report.md
          echo -e '\n<h2 id="advisory-metrics-summary">All open Advisories</h2>' >> summary_report.md
          echo "These statistics cover all open advisories (opened at any point in the past)." \
            >> summary_report.md
          tail --lines=+2 advisories_open.md >> summary_report.md
          #
          # Issues
          #
          echo -e '\n\n<h1 id="issue-metrics">Issue Metrics</h1>' >> summary_report.md
          echo -e '\n<h2 id="issue-metrics-summary">Summary of all open Issues</h2>' >> summary_report.md
          echo "These summary statistics include all currently open issues (opened at any point in the past)." \
            >> summary_report.md
          # remove full issues list from stats; we only want the summary
          tail --lines=+2 issues_open.md \
            | awk '/^\| Title \| URL \| Author \|/{silent=1} {if (silent==0) print $0}' \
            >> summary_report.md
          echo -e '\n<h2 id="issue-metrics-new">New Issues</h2>' >> summary_report.md
          echo -e "\nThese issues were created between ${{ env.START_DATE }} - ${{ env.END_DATE }}." \
            >> summary_report.md
          tail --lines=+2 issues_opened.md >> summary_report.md
          echo -e '\n<h2 id="issue-metrics-closed">Issues closed</h2>' >> summary_report.md
          echo -e "\nThese issues were opened at any point in the past and were closed between ${{ env.START_DATE }} - ${{ env.END_DATE }}." \
            >> summary_report.md
          tail --lines=+2 issues_closed.md >> summary_report.md
          #
          # Pull Requests
          #
          echo '# Pull request metrics' >> comment_report.md
          echo "(See comment below for Pull Request Metrics)" >> comment_report.md
          echo "* [Pull Requests Metrics](#pr-metrics)" >> comment_report.md
          echo "  * [Summary of all open PRs](#pr-metrics-summary)" >> comment_report.md
          echo "  * [New PRs](#pr-metrics-new)" >> comment_report.md
          echo "  * [Closed PRs](#pr-metrics-closed)" >> comment_report.md
          echo -e '\n\n<h1 id="pr-metrics">Pull Requests Metrics</h1>' >> comment_report.md
          echo -e '\n<h2 id="pr-metrics-summary">Summary of all open PRs</h2>' >> comment_report.md
          echo "These summary statistics include all currently open PRs (opened at any point in the past)." \
            >> comment_report.md
          # remove full PRs list from stats; we only want the summary
          tail --lines=+2 prs_open.md \
            | awk '/^\| Title \| URL \| Author \|/{silent=1} {if (silent==0) print $0}' \
            >> comment_report.md
          echo -e '\n<h2 id="pr-metrics-new">New PRs</h2>' >> comment_report.md
          echo -e "\nThese PRs were created between ${{ env.START_DATE }} - ${{ env.END_DATE }}." \
            >> comment_report.md
          tail --lines=+2 prs_opened.md >> comment_report.md
          echo -e '\n<h2 id="pr-metrics-closed">PRs closed</h2>' >> comment_report.md
          echo -e "\nThese PRs were opened at any point in the past and were closed between ${{ env.START_DATE }} - ${{ env.END_DATE }}." \
            >> comment_report.md
          tail --lines=+2 prs_closed.md >> comment_report.md
      - name: Upload merged report
        uses: actions/upload-artifact@v4
        with:
          retention-days: 32
          name: full-report
          path: |
            ./summary_report.md
            ./comment_report.md
      - name: Create issue (1/2 of report)
        id: ciss
        uses: peter-evans/create-issue-from-file@v5
        with:
          title: Monthly contributions report ${{ env.START_DATE }} - ${{ env.END_DATE }}
          token: ${{ secrets.GITHUB_TOKEN }}
          content-filepath: ./summary_report.md
          labels: kind/metric
      - name: Create comment (2/2 of report)
        id: cisc
        uses: peter-evans/create-or-update-comment@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          issue-number: ${{ steps.ciss.outputs.issue-number }}
          body-path: ./comment_report.md
================================================
FILE: ADOPTERS.md
================================================
Who is using Flatcar?
====================
The following is a list of adopters who have publicly spoken about their use of Flatcar, or who have added themselves to this list.
Adding yourself as a user
-------------------------
If you are using Flatcar, please consider adding yourself as a user with a quick description of your use case by opening a pull request to this file and adding a section describing your usage of Flatcar. If you are open to others contacting you about your use of Flatcar on Slack or Matrix, include your Slack/Matrix nickname or email as well.
* N: Name of user (company or individual)
  D: Description
  L: Link with further information (optional)
  C: Contacts available for questions (optional)

Example entry:

* N: Flatcar Example User Inc.
  D: Using Flatcar for running Kubernetes in Azure via Cluster API
  L: https://www.exampleuser.com
  C: Slack: @slacknick and/or Matrix: @Matrixnick and/or Email: nick [at] exampleuser [dot] com
Requirements to be listed
-------------------------
* You must represent the user listed. Do not add entries on behalf of other users, unless adding a link to a public announcement / blog post.
* Commercial or production use is not required. A user can be an end user, cloud service provider or consultant as long as it is a permanent deployment and not a trial deployment. A well-done home lab setup can be equally interesting as a large-scale commercial deployment.
Users
-----
* N: 1&1 Mail & Media (GMX, WEB.DE, mail.com)
  D: 1&1 Mail & Media is happily using Flatcar as the underlying OS in their large on-premise bare-metal Kubernetes installation, hosting the majority of services for their >40M users
  C: stephan.fudeus [at] 1und1 [dot] de
* N: Adobe
  D: Adobe runs Flatcar on over 18,000 nodes in our fleet of Kubernetes clusters across multiple cloud providers and private data centers in 22 different regions worldwide.
  C: Mike Tougeron (Slack: @Mike Tougeron) and Tony Gosselin (Slack: @Tony Gosselin).
* N: AloPeyk
  D: We are an on-demand delivery business that serves millions of requests every day on a consistent bare-metal infrastructure. We had the concern of choosing a reliable and atomic operating system, but none of the common OSes could satisfy us for such heavy workloads. Since we migrated our production Kubernetes cluster, nothing can break this consistent and solid cluster, which is powered by the amazing Flatcar OS.
* N: AT&T
  L: https://medium.com/cloud-native-the-gathering/certified-kubernetes-administrator-join-our-team-its-a-good-thing-7e27ab34dc88
  D: "We are integrating Flatcar Container Linux, Istio, OPA, Multi-Region, KNative, and so many other technologies and concepts it makes the mind hurt a bit."
* N: Atsign
  D: Personal Data Services 'atServers' are Dart ahead-of-time binaries running in containers on Docker Swarm using Flatcar worker nodes.
  L: https://twitter.com/cpswan/status/1534481517887512577?s=20&t=ODnO_TPa4nhC62KNAB9Stw
  C: Chris Swan [@cpswan](https://github.com/cpswan)
* N: Cloud house
  D: Flatcar OS has been useful for us for our on-premise solution to our customers
* N: DeepL
  D: We use Flatcar for our on-prem K8s clusters to run everything from CI/CD to performance-sensitive GPU workloads.
  L: https://deepl.com/
  C: simon.campion [at] deepl [dot] com
* N: Digital Science
  L: https://digital-science.com
  D: We're running Flatcar on all our self-hosted Kubernetes clusters on AWS, used for all data processing behind Dimensions (https://dimensions.ai). We choose Flatcar for security and simplicity.
  C: soren [at] uberresearch.com
* N: Equinix Metal
  L: https://kinvolk.io/blog/2021/02/case-study-equinix-metal-builds-on-flatcar/
  D: Equinix uses Flatcar as the OS for its bare metal cloud control plane, which runs in Kubernetes
* N: Finleap Connect
  D: Finleap Connect - At finleap connect we serve over a million financial transactions per day. As a regulated company using a pure cloud-native stack based on Kubernetes, using Flatcar as our foundational building block for reliable, secure and immutable nodes across the public clouds and on bare-metal deployments was a day one decision we never regretted. Today Flatcar serves all of our 12 production clusters with over 300 nodes on public clouds in 3 countries and on our bare-metal private-cloud setup.
* N: Genesis Cloud
  D: Genesis Cloud is using Flatcar Linux as the base for its public cloud offering for instances with GPUs and other accelerators
  L: https://genesiscloud.com/
  C: Slack: @Philipp Riederer / @Lukas Stockner
* N: Giant Swarm
  L: https://www.giantswarm.io/blog/time-to-catch-a-new-train-flatcar-linux
  D: Giant Swarm uses Flatcar within their Kubernetes Distribution. Flatcar is used on all providers (Azure, AWS, Google, OpenStack and VMware). Giant Swarm manages 100s of clusters with 1000s of nodes running on Flatcar across the planet.
* N: Intersys AG
* N: Memzo
  D: Kinvolk was a valuable source of knowledge when troubleshooting installation issues with our platform vendor. They were able to join us and the vendor on a call and sort out the issues quickly. The use of the Flatcar Update Server gave us confidence about what software/OS versions were running in each of our environments. This allowed us to better test upgrades before promoting the change to production environments.
* N: Mettle
  L: https://swade1987.medium.com/upgrading-to-flatcar-linux-746751e89ab4
* N: Norwegian Labor and Welfare Administration (NAV)
  D: The largest Norwegian government agency has been using Flatcar since 2021 to run all of their on-prem Kubernetes clusters, enabling application teams to become more autonomous and to build better welfare services and deliver them with a higher velocity than before.
  L: https://nais.io
  C: hans.kristian.flaatten@nav.no
* N: Planetary Quantum GmbH
  L: https://www.planetary-quantum.com/
  D: Planetary Quantum is a Berlin-based provider of Docker-hosting and application hosting. Our sister company Planetary Networks colocates their private cloud in two (fiber-)interconnected datacenters in Berlin and Quantum offers container-based solutions (Docker Swarm and a custom tailored application hosting) on top of Flatcar Linux. Flatcar Linux is a great choice for us because it's a modern Linux, well-suited for Docker and Kubernetes due to recent versions of Kernel, SystemD, immutable root and a well-tested userland. Simple and straight-forward updates of the OS make running Flatcar a no-brainer for us. We currently operate over 50 clusters for our customers in our private cloud — all based on Flatcar Linux.
* N: plusserver GmbH
  D: Plus Server is using Flatcar as the basis of its managed Kubernetes offering, plusserver Kubernetes Engine (PSKE). As they state in their blog, "Flatcar is currently one of the most popular operating systems for Kubernetes clusters. With its container-optimized design, strong security, and support from an active open source community, it provides an excellent foundation for all container workloads."
  L: https://www.plusserver.com/blog/flatcar/
* N: Qualys, Inc
  D: Qualys Gateway Service uses Flatcar Container Linux as a base for its container-based appliance, which is mainly focussed on proxy and caching services, serving other Qualys sensors such as Cloud Agent, Scanner and Passive Sensor. QGS also serves Qualys modules including VMDR, Patch Management, Policy Compliance, EDR, FIM and XDR.
  L: https://www.qualys.com/documentation/#qualys-gateway-service
  C: jrose@qualys.com
* N: Skilld.cloud
  L: https://www.skilld.cloud
  D: Choosing Flatcar was a no-brainer for Skilld: Flatcar is a perfect fit for running Kubernetes workloads, on premise as well as on public clouds. We rely on Flatcar to power up our cutting-edge NRT data-driven ops platforms. A key asset for building distributed & asset management based businesses such as our Community-as-a-service IT platform, or our customers' train fleet or smart grid ones.
* N: Spinoco Czech Republic, a.s.
  D: Using Flatcar on Bare Metal to run Kubernetes for Spinoco SaaS
  L: www.spinoco.com
  C: pavel.chlupacek@spinoco.com
* N: Schwarz Digits Cloud GmbH & Co. KG (STACKIT)
  D: Flatcar Container Linux is the foundation of our managed Kubernetes offering (SKE), powering over 20,000 nodes. It is our customers' most popular OS choice, and we highly value the vibrant and active Open Source community behind Flatcar, which ensures continuous innovation and stability.
  L: https://stackit.com/en/products/runtime/stackit-kubernetes-engine
  C: @justrobin:matrix.org / info@stackit.cloud
* N: Wipro
  D: Wipro Business Solutions uses Flatcar Linux to power their hybrid/multi-cloud PostgreSQL containerized DBaaS platform. Each provisioned database is running on a dedicated lightweight stack with Flatcar Linux as the foundational OS running on each database VM. In addition, the DBaaS API itself and all supporting machines use Flatcar Linux as well. Flatcar Linux has proven to be a well-supported, rock-solid OS with minimal attack surface, a built-in update mechanism and an integrated docker daemon. Ignition brings in an early boot provisioning utility that perfectly adds to the full automation approach of the PostgreSQL DBaaS platform. We use it at scale on-prem with OpenStack cloud but also with public clouds like Google and Tencent.
================================================
FILE: CIS/README.md
================================================
# CIS Benchmarking
These reports are from points in time and have notes with remediation and applicability for Flatcar Container Linux.
The CIS benchmarks are usually tailored to specific Linux distributions, as well as generic Linux hosts.
Because Flatcar Container Linux is a narrow use-case distribution, many results are not applicable.
## Report Generation
After some annoyance dealing with [ruby](https://www.ruby-lang.org/) and [inspec](https://www.inspec.io/downloads/), I was able to run the report. Documenting here what I did and what I got.
1. Installed inspec via gem: `gem install inspec-bin --user-install`
2. Cloned the benchmark repo: `git clone https://github.com/dev-sec/cis-dil-benchmark.git`
3. Started a [Flatcar QEMU image](https://www.flatcar.org/docs/latest/reference/developer-guides/sdk-modifying-flatcar/), copied the authorized keys to root.
4. Ran the test suite in the image, for level 1 and 2 (the default):
```shell
~/.gem/ruby/2.7.0/bin/inspec exec --no-color ./cis-dil-benchmark/ -t ssh://root@localhost:2222 --input=cis_level=1 > ../debug/inspec-report-level1.txt
~/.gem/ruby/2.7.0/bin/inspec exec --no-color ./cis-dil-benchmark/ -t ssh://root@localhost:2222 > ../debug/inspec-report.txt
```
Results:

Level 1:
```text
Profile Summary: 65 successful controls, 83 control failures, 82 controls skipped
Test Summary: 593 successful, 258 failures, 88 skipped
```

Level 2:
```text
Profile Summary: 68 successful controls, 118 control failures, 43 controls skipped
Test Summary: 606 successful, 344 failures, 50 skipped
```

I'm looking at the failures, and many of them are rather arbitrary decisions; we'll need to evaluate which ones we want to consider adopting in Flatcar. There's a bunch of filesystems that are recommended to be disabled: some of them we might go ahead and disable (like hfs), others we actually need (like vfat).
But then there are things that should be fixed in the benchmark, because they fail only due to our file-system layout. For example, the following check fails with "expected nil" because the PAM file the benchmark looks for does not exist at that path on Flatcar, not because the password hashing is weak:
```text
× File /etc/pam.d/common-password content is expected to match /^password(\s+\S+\s+)+pam_unix\.so\s+(\S+\s+)*sha512/
expected nil to match /^password(\s+\S+\s+)+pam_unix\.so\s+(\S+\s+)*sha512/
```
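Triaging a few hundred controls by hand is tedious, so here is an added example (not part of the Flatcar repository) of a small Python parser for the plain-text `inspec exec` reports kept in this directory. It turns the per-control glyph lines (`✔`, `×`, `↺`) into structured results, reproduces the `Profile Summary` line, filters failures by benchmark section (for example the `1.1.1.x` kernel-module controls), and lists controls that passed in an earlier report but fail in a newer one. The sample report embedded below is constructed from a handful of lines of the 2020-12-08 level-1 report.

```python
"""Parse plain-text inspec reports (as saved under CIS/) and compare two runs."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# inspec marks every control and every test with one of these glyphs.
STATUS_GLYPHS = {"✔": "passed", "×": "failed", "↺": "skipped"}

# Control header line, e.g.
#   "×  cis-dil-benchmark-1.1.1.1: Ensure mounting of cramfs filesystems is disabled (1 failed)"
# Leading whitespace is optional because copied reports often lose their indentation.
CONTROL_RE = re.compile(
    r"^\s*([✔×↺])\s+(cis-dil-benchmark-[\d.]+):\s+(.*?)(?:\s+\((\d+) failed\))?\s*$"
)
# Any other glyph-prefixed line is an individual test belonging to the current control.
TEST_RE = re.compile(r"^\s*([✔×↺])\s+(.*\S)\s*$")

# Constructed sample: a few controls taken from the 2020-12-08 level-1 report.
SAMPLE_REPORT = """\
Profile: CIS Distribution Independent Linux Benchmark Profile (cis-dil-benchmark)
Version: 0.4.4
Target: ssh://root@localhost:2222

  ×  cis-dil-benchmark-1.1.1.1: Ensure mounting of cramfs filesystems is disabled (1 failed)
     ✔  Kernel Module cramfs is expected not to be loaded
     ×  Kernel Module cramfs is expected to be disabled
     expected `Kernel Module cramfs.disabled?` to be truthy, got false
  ↺  cis-dil-benchmark-1.1.1.8: Ensure mounting of FAT filesystems is disabled
     ↺  Skipped control due to only_if condition.
  ✔  cis-dil-benchmark-1.1.2: Ensure separate partition exists for /tmp
     ✔  Mount /tmp is expected to be mounted
  ×  cis-dil-benchmark-1.1.5: Ensure noexec option set on /tmp partition
     ×  Mount /tmp options is expected to include "noexec"
     expected ["rw", "nosuid", "nodev", "seclabel", "nr_inodes=409600"] to include "noexec"

Profile Summary: 1 successful controls, 2 control failures, 1 controls skipped
"""


@dataclass
class Control:
    control_id: str
    title: str
    status: str                                   # "passed" / "failed" / "skipped"
    tests: List[str] = field(default_factory=list)    # "<status>: <test description>"
    details: List[str] = field(default_factory=list)  # free text such as "expected ... got false"


def parse_report(text: str) -> Dict[str, Control]:
    """Return the controls keyed by id, in the order they appear in the report."""
    controls: Dict[str, Control] = {}
    current: Optional[Control] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(("Profile Summary:", "Test Summary:")):
            current = None          # trailing summary lines belong to no control
            continue
        m = CONTROL_RE.match(line)
        if m:
            glyph, control_id, title, _failed_count = m.groups()
            current = Control(control_id, title, STATUS_GLYPHS[glyph])
            controls[control_id] = current
            continue
        if current is None:
            continue                # "Profile:", "Version:", "Target:" header lines
        t = TEST_RE.match(line)
        if t:
            current.tests.append(f"{STATUS_GLYPHS[t.group(1)]}: {t.group(2)}")
        else:
            current.details.append(line)
    return controls


def summarize(controls: Dict[str, Control]) -> Dict[str, int]:
    """Count controls per status."""
    counts = {"passed": 0, "failed": 0, "skipped": 0}
    for control in controls.values():
        counts[control.status] += 1
    return counts


def profile_summary_line(controls: Dict[str, Control]) -> str:
    """Render the same 'Profile Summary' line inspec prints at the end of a run."""
    s = summarize(controls)
    return (f"Profile Summary: {s['passed']} successful controls, "
            f"{s['failed']} control failures, {s['skipped']} controls skipped")


def failed_controls(controls: Dict[str, Control], section: str = "") -> List[str]:
    """Ids of failed controls, optionally limited to a section prefix such as '1.1.1.'.
    Include the trailing dot so that '1.1.' does not also match '1.10'."""
    return [cid for cid, c in controls.items()
            if c.status == "failed" and cid.startswith("cis-dil-benchmark-" + section)]


def regressions(old: Dict[str, Control], new: Dict[str, Control]) -> List[str]:
    """Controls that passed in the old report but fail in the new one."""
    return sorted(cid for cid, c in new.items()
                  if c.status == "failed" and cid in old and old[cid].status == "passed")


if __name__ == "__main__":
    current = parse_report(SAMPLE_REPORT)
    print(profile_summary_line(current))
    print("kernel-module failures:", failed_controls(current, "1.1.1."))
    # Constructed "earlier" run in which the /tmp noexec control still passed.
    earlier = parse_report(SAMPLE_REPORT.replace("×  cis-dil-benchmark-1.1.5",
                                                 "✔  cis-dil-benchmark-1.1.5"))
    print("regressions since earlier run:", regressions(earlier, current))
```

Point `parse_report` at the two report files linked below to diff a new level-1 run against the 2020-12-08 baseline.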
## Reports
Here are the two reports and the corresponding notes we have produced:
* [2020-12-08 level1 report](./inspec-report-level1-root-2020-12-08.txt) -- [remediation notes](./level1-remediation_notes-2020-12-08.md)
* [2020-12-08 level2 report](./inspec-report-level2-root-2020-12-08.txt) -- _(no remediation notes yet)_
================================================
FILE: CIS/inspec-report-level1-root-2020-12-08.txt
================================================
Profile: CIS Distribution Independent Linux Benchmark Profile (cis-dil-benchmark)
Version: 0.4.4
Target: ssh://root@localhost:2222
× cis-dil-benchmark-1.1.1.1: Ensure mounting of cramfs filesystems is disabled (1 failed)
✔ Kernel Module cramfs is expected not to be loaded
× Kernel Module cramfs is expected to be disabled
expected `Kernel Module cramfs.disabled?` to be truthy, got false
× cis-dil-benchmark-1.1.1.2: Ensure mounting of freevxfs filesystems is disabled (1 failed)
✔ Kernel Module freevxfs is expected not to be loaded
× Kernel Module freevxfs is expected to be disabled
expected `Kernel Module freevxfs.disabled?` to be truthy, got false
× cis-dil-benchmark-1.1.1.3: Ensure mounting of jffs2 filesystems is disabled (1 failed)
✔ Kernel Module jffs2 is expected not to be loaded
× Kernel Module jffs2 is expected to be disabled
expected `Kernel Module jffs2.disabled?` to be truthy, got false
× cis-dil-benchmark-1.1.1.4: Ensure mounting of hfs filesystems is disabled (1 failed)
✔ Kernel Module hfs is expected not to be loaded
× Kernel Module hfs is expected to be disabled
expected `Kernel Module hfs.disabled?` to be truthy, got false
× cis-dil-benchmark-1.1.1.5: Ensure mounting of hfsplus filesystems is disabled (1 failed)
✔ Kernel Module hfsplus is expected not to be loaded
× Kernel Module hfsplus is expected to be disabled
expected `Kernel Module hfsplus.disabled?` to be truthy, got false
× cis-dil-benchmark-1.1.1.6: Ensure mounting of squashfs filesystems is disabled (1 failed)
✔ Kernel Module squashfs is expected not to be loaded
× Kernel Module squashfs is expected to be disabled
expected `Kernel Module squashfs.disabled?` to be truthy, got false
× cis-dil-benchmark-1.1.1.7: Ensure mounting of udf filesystems is disabled (1 failed)
✔ Kernel Module udf is expected not to be loaded
× Kernel Module udf is expected to be disabled
expected `Kernel Module udf.disabled?` to be truthy, got false
↺ cis-dil-benchmark-1.1.1.8: Ensure mounting of FAT filesystems is disabled
↺ Skipped control due to only_if condition.
✔ cis-dil-benchmark-1.1.2: Ensure separate partition exists for /tmp
✔ Mount /tmp is expected to be mounted
✔ cis-dil-benchmark-1.1.3: Ensure nodev option set on /tmp partition
✔ Mount /tmp options is expected to include "nodev"
✔ cis-dil-benchmark-1.1.4: Ensure nosuid option set on /tmp partition
✔ Mount /tmp options is expected to include "nosuid"
× cis-dil-benchmark-1.1.5: Ensure noexec option set on /tmp partition
× Mount /tmp options is expected to include "noexec"
expected ["rw", "nosuid", "nodev", "seclabel", "nr_inodes=409600"] to include "noexec"
↺ cis-dil-benchmark-1.1.6: Ensure separate partition exists for /var
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-1.1.7: Ensure separate partition exists for /var/tmp
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-1.1.8: Ensure nodev option set on /var/tmp partition
↺ Skipped control due to only_if condition: /var/tmp is mounted
↺ cis-dil-benchmark-1.1.9: Ensure nosuid option set on /var/tmp partition
↺ Skipped control due to only_if condition: /var/tmp is mounted
↺ cis-dil-benchmark-1.1.10: Ensure noexec option set on /var/tmp partition
↺ Skipped control due to only_if condition: /var/tmp is mounted
↺ cis-dil-benchmark-1.1.11: Ensure separate partition exists for /var/log
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-1.1.12: Ensure separate partition exists for /var/log/audit
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-1.1.13: Ensure separate partition exists for /home
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-1.1.14: Ensure nodev option set on /home partition
↺ Skipped control due to only_if condition: /home is mounted
✔ cis-dil-benchmark-1.1.15: Ensure nodev option set on /dev/shm partition
✔ Mount /dev/shm options is expected to include "nodev"
✔ cis-dil-benchmark-1.1.16: Ensure nosuid option set on /dev/shm partition
✔ Mount /dev/shm options is expected to include "nosuid"
× cis-dil-benchmark-1.1.17: Ensure noexec option set on /dev/shm partition
× Mount /dev/shm options is expected to include "noexec"
expected ["rw", "nosuid", "nodev", "seclabel"] to include "noexec"
↺ cis-dil-benchmark-1.1.18: Ensure nodev option set on removable media partitions
↺ Not implemented
↺ cis-dil-benchmark-1.1.19: Ensure nosuid option set on removable media partitions
↺ Not implemented
↺ cis-dil-benchmark-1.1.20: Ensure noexec option set on removable media partitions
↺ Not implemented
✔ cis-dil-benchmark-1.1.21: Ensure sticky bit is set on all world-writable directories
✔ Command: `df --local -P | awk '{ if (NR!=1) print $6 }' | xargs -I '{}' find '{}' -xdev -type d ( -perm -0002 -a ! -perm -1000 )` stdout is expected to cmp == ""
✔ cis-dil-benchmark-1.1.22: Disable Automounting
✔ Service autofs is expected not to be enabled
✔ Service autofs is expected not to be running
✔ Service autofs is expected not to be enabled
✔ Service autofs is expected not to be running
× cis-dil-benchmark-1.1.23: Disable USB Storage (1 failed)
✔ Kernel Module usb_storage is expected not to be loaded
× Kernel Module usb_storage is expected to be disabled
expected `Kernel Module usb_storage.disabled?` to be truthy, got false
↺ cis-dil-benchmark-1.2.1: Ensure package manager repositories are configured
↺ Not implemented
↺ cis-dil-benchmark-1.2.2: Ensure GPG keys are configured
↺ Not implemented
× cis-dil-benchmark-1.3.1: Ensure AIDE is installed (2 failed)
× System Package aide is expected to be installed
expected that `System Package aide` is installed
× Command: `aide` is expected to exist
expected Command: `aide` to exist
× cis-dil-benchmark-1.3.2: Ensure filesystem integrity is regularly checked (4 failed)
× File /var/spool/cron/crontabs/root content is expected to match /aide (--check|-C)/
expected nil to match /aide (--check|-C)/
× File /var/spool/cron/root content is expected to match /aide (--check|-C)/
expected nil to match /aide (--check|-C)/
× File /etc/crontab content is expected to match /aide (--check|-C)/
expected nil to match /aide (--check|-C)/
× File /etc/cron.weekly/mdadm content is expected to match /aide (--check|-C)/
expected "#!/bin/sh\n# This requires that AUTOCHECK is true in /etc/default/mdadm\nif [ -x /usr/sbin/checkarray ] && [ $(date +\\%d) -le 7 ]; then\n\t/usr/sbin/checkarray --cron --all --idle --quiet\nfi\n" to match /aide (--check|-C)/
Diff:
@@ -1,5 +1,9 @@
-/aide (--check|-C)/
+#!/bin/sh
+# This requires that AUTOCHECK is true in /etc/default/mdadm
+if [ -x /usr/sbin/checkarray ] && [ $(date +\%d) -le 7 ]; then
+ /usr/sbin/checkarray --cron --all --idle --quiet
+fi
× cis-dil-benchmark-1.4.1: Ensure permissions on bootloader config are configured (22 failed)
× File /boot/grub/grub.conf is expected to exist
expected File /boot/grub/grub.conf to exist
✔ File /boot/grub/grub.conf is expected not to be readable by group
✔ File /boot/grub/grub.conf is expected not to be writable by group
✔ File /boot/grub/grub.conf is expected not to be executable by group
✔ File /boot/grub/grub.conf is expected not to be readable by other
✔ File /boot/grub/grub.conf is expected not to be writable by other
✔ File /boot/grub/grub.conf is expected not to be executable by other
× File /boot/grub/grub.conf gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub/grub.conf uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub/grub.cfg is expected to exist
expected File /boot/grub/grub.cfg to exist
✔ File /boot/grub/grub.cfg is expected not to be readable by group
✔ File /boot/grub/grub.cfg is expected not to be writable by group
✔ File /boot/grub/grub.cfg is expected not to be executable by group
✔ File /boot/grub/grub.cfg is expected not to be readable by other
✔ File /boot/grub/grub.cfg is expected not to be writable by other
✔ File /boot/grub/grub.cfg is expected not to be executable by other
× File /boot/grub/grub.cfg gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub/grub.cfg uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub/menu.lst is expected to exist
expected File /boot/grub/menu.lst to exist
✔ File /boot/grub/menu.lst is expected not to be readable by group
✔ File /boot/grub/menu.lst is expected not to be writable by group
✔ File /boot/grub/menu.lst is expected not to be executable by group
✔ File /boot/grub/menu.lst is expected not to be readable by other
✔ File /boot/grub/menu.lst is expected not to be writable by other
✔ File /boot/grub/menu.lst is expected not to be executable by other
× File /boot/grub/menu.lst gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub/menu.lst uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/boot/grub/grub.conf is expected to exist
expected File /boot/boot/grub/grub.conf to exist
✔ File /boot/boot/grub/grub.conf is expected not to be readable by group
✔ File /boot/boot/grub/grub.conf is expected not to be writable by group
✔ File /boot/boot/grub/grub.conf is expected not to be executable by group
✔ File /boot/boot/grub/grub.conf is expected not to be readable by other
✔ File /boot/boot/grub/grub.conf is expected not to be writable by other
✔ File /boot/boot/grub/grub.conf is expected not to be executable by other
× File /boot/boot/grub/grub.conf gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/boot/grub/grub.conf uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/boot/grub/grub.cfg is expected to exist
expected File /boot/boot/grub/grub.cfg to exist
✔ File /boot/boot/grub/grub.cfg is expected not to be readable by group
✔ File /boot/boot/grub/grub.cfg is expected not to be writable by group
✔ File /boot/boot/grub/grub.cfg is expected not to be executable by group
✔ File /boot/boot/grub/grub.cfg is expected not to be readable by other
✔ File /boot/boot/grub/grub.cfg is expected not to be writable by other
✔ File /boot/boot/grub/grub.cfg is expected not to be executable by other
× File /boot/boot/grub/grub.cfg gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/boot/grub/grub.cfg uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
✔ File /boot/boot/grub/menu.lst is expected to exist
× File /boot/boot/grub/menu.lst is expected not to be readable by group
expected File /boot/boot/grub/menu.lst not to be readable by group
✔ File /boot/boot/grub/menu.lst is expected not to be writable by group
× File /boot/boot/grub/menu.lst is expected not to be executable by group
expected File /boot/boot/grub/menu.lst not to be executable by group
× File /boot/boot/grub/menu.lst is expected not to be readable by other
expected File /boot/boot/grub/menu.lst not to be readable by other
✔ File /boot/boot/grub/menu.lst is expected not to be writable by other
× File /boot/boot/grub/menu.lst is expected not to be executable by other
expected File /boot/boot/grub/menu.lst not to be executable by other
✔ File /boot/boot/grub/menu.lst gid is expected to cmp == 0
✔ File /boot/boot/grub/menu.lst uid is expected to cmp == 0
× File /boot/grub2/grub.cfg is expected to exist
expected File /boot/grub2/grub.cfg to exist
✔ File /boot/grub2/grub.cfg is expected not to be readable by group
✔ File /boot/grub2/grub.cfg is expected not to be writable by group
✔ File /boot/grub2/grub.cfg is expected not to be executable by group
✔ File /boot/grub2/grub.cfg is expected not to be readable by other
✔ File /boot/grub2/grub.cfg is expected not to be writable by other
✔ File /boot/grub2/grub.cfg is expected not to be executable by other
× File /boot/grub2/grub.cfg gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub2/grub.cfg uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× cis-dil-benchmark-1.4.2: Ensure bootloader password is set (14 failed)
× File /boot/grub/grub.conf content is expected to match /^set superusers/
expected nil to match /^set superusers/
× File /boot/grub/grub.conf content is expected to match /^password/
expected nil to match /^password/
× File /boot/grub/grub.cfg content is expected to match /^set superusers/
expected nil to match /^set superusers/
× File /boot/grub/grub.cfg content is expected to match /^password/
expected nil to match /^password/
× File /boot/grub/menu.lst content is expected to match /^set superusers/
expected nil to match /^set superusers/
× File /boot/grub/menu.lst content is expected to match /^password/
expected nil to match /^password/
× File /boot/boot/grub/grub.conf content is expected to match /^set superusers/
expected nil to match /^set superusers/
× File /boot/boot/grub/grub.conf content is expected to match /^password/
expected nil to match /^password/
× File /boot/boot/grub/grub.cfg content is expected to match /^set superusers/
expected nil to match /^set superusers/
× File /boot/boot/grub/grub.cfg content is expected to match /^password/
expected nil to match /^password/
× File /boot/boot/grub/menu.lst content is expected to match /^set superusers/
expected "timeout 0\ntitle CoreOS GRUB2\nroot (hd0,0)\nkernel /xen/pvboot-x86_64.elf\n" to match /^set superusers/
Diff:
@@ -1,4 +1,7 @@
-/^set superusers/
+timeout 0
+title CoreOS GRUB2
+root (hd0,0)
+kernel /xen/pvboot-x86_64.elf
× File /boot/boot/grub/menu.lst content is expected to match /^password/
expected "timeout 0\ntitle CoreOS GRUB2\nroot (hd0,0)\nkernel /xen/pvboot-x86_64.elf\n" to match /^password/
Diff:
@@ -1,4 +1,7 @@
-/^password/
+timeout 0
+title CoreOS GRUB2
+root (hd0,0)
+kernel /xen/pvboot-x86_64.elf
× File /boot/grub2/grub.cfg content is expected to match /^set superusers/
expected nil to match /^set superusers/
× File /boot/grub2/grub.cfg content is expected to match /^password/
expected nil to match /^password/
× cis-dil-benchmark-1.4.3: Ensure authentication required for single user mode (3 failed)
× /etc/shadow with user == "root" passwords is expected not to include "*"
expected ["*"] not to include "*"
✔ /etc/shadow with user == "root" passwords is expected not to include "!"
× File /etc/inittab content is expected to match /^~~:S:respawn:\/sbin\/sulogin/
expected nil to match /^~~:S:respawn:\/sbin\/sulogin/
× File /etc/sysconfig/init content is expected to match /^SINGLE=\/sbin\/sulogin$/
expected nil to match /^SINGLE=\/sbin\/sulogin$/
↺ cis-dil-benchmark-1.4.4: Ensure interactive boot is not enabled
↺ Not implemented
× cis-dil-benchmark-1.5.1: Ensure core dumps are restricted (2 failed)
× File /etc/security/limits.conf content is expected to match /^\s*\*\s+hard\s+core\s+0\s*(?:#.*)?$/
expected "# /etc/security/limits.conf\n#\n#Each line describes a limit for a user in the form:\n#\n#<domain> ... hard nproc 0\n\#@student - maxlogins 4\n\n# End of file\n" to match /^\s*\*\s+hard\s+core\s+0\s*(?:#.*)?$/
Diff:
@@ -1,50 +1,99 @@
-/^\s*\*\s+hard\s+core\s+0\s*(?:#.*)?$/
+# /etc/security/limits.conf
+#
+#Each line describes a limit for a user in the form:
+#
+#<domain> <type> <item> <value>
+#
+#Where:
+#<domain> can be:
+# - a user name
+# - a group name, with @group syntax
+# - the wildcard *, for default entry
+# - the wildcard %, can be also used with %group syntax,
+# for maxlogin limit
+#
+#<type> can have the two values:
+# - "soft" for enforcing the soft limits
+# - "hard" for enforcing hard limits
+#
+#<item> can be one of the following:
+# - core - limits the core file size (KB)
+# - data - max data size (KB)
+# - fsize - maximum filesize (KB)
+# - memlock - max locked-in-memory address space (KB)
+# - nofile - max number of open file descriptors
+# - rss - max resident set size (KB)
+# - stack - max stack size (KB)
+# - cpu - max CPU time (MIN)
+# - nproc - max number of processes
+# - as - address space limit (KB)
+# - maxlogins - max number of logins for this user
+# - maxsyslogins - max number of logins on the system
+# - priority - the priority to run user process with
+# - locks - max number of file locks the user can hold
+# - sigpending - max number of pending signals
+# - msgqueue - max memory used by POSIX message queues (bytes)
+# - nice - max nice priority allowed to raise to values: [-20, 19]
+# - rtprio - max realtime priority
+#
+#<domain> <type> <item> <value>
+#
+
+#* soft core 0
+#* hard rss 10000
+#@student hard nproc 20
+#@faculty soft nproc 20
+#@faculty hard nproc 50
+#ftp hard nproc 0
+#@student - maxlogins 4
+
+# End of file
× Kernel Parameter fs.suid_dumpable value is expected to eq 0
expected: 0
got: 2
(compared using ==)
✔ cis-dil-benchmark-1.5.2: Ensure XD/NX support is enabled
✔ Command: `dmesg | grep NX` stdout is expected to match /NX \(Execute Disable\) protection: active/
✔ cis-dil-benchmark-1.5.3: Ensure address space layout randomization (ASLR) is enabled
✔ Kernel Parameter kernel.randomize_va_space value is expected to eq 2
✔ cis-dil-benchmark-1.5.4: Ensure prelink is disabled
✔ System Package prelink is expected not to be installed
✔ Command: `prelink` is expected not to exist
↺ cis-dil-benchmark-1.6.1.1: Ensure SELinux or AppArmor are installed
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-1.6.2.1: Ensure SELinux is not disabled in bootloader configuration
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-1.6.2.2: Ensure the SELinux state is enforcing
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-1.6.2.3: Ensure SELinux policy is configured
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-1.6.2.4: Ensure SETroubleshoot is not installed
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-1.6.2.5: Ensure the MCS Translation Service (mcstrans) is not installed
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-1.6.2.6: Ensure no unconfined daemons exist
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-1.6.3.1: Ensure AppArmor is not disabled in bootloader configuration
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-1.6.3.2: Ensure all AppArmor Profiles are enforcing
↺ Skipped control due to only_if condition.
✔ cis-dil-benchmark-1.7.1.1: Ensure message of the day is configured properly
✔ Command: `grep -E -i '(\v|\r|\m|\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))' /etc/motd` stdout is expected to eq ""
✔ cis-dil-benchmark-1.7.1.2: Ensure local login warning banner is configured properly
✔ Command: `grep -E -i '(\v|\r|\m|\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))' /etc/issue` stdout is expected to eq ""
✔ cis-dil-benchmark-1.7.1.3: Ensure remote login warning banner is configured properly
✔ Command: `grep -E -i '(\v|\r|\m|\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))' /etc/issue.net` stdout is expected to eq ""
✔ cis-dil-benchmark-1.7.1.4: Ensure permissions on /etc/motd are configured
✔ File /etc/motd group is expected to eq "root"
✔ File /etc/motd owner is expected to eq "root"
✔ File /etc/motd mode is expected to cmp == "0644"
✔ cis-dil-benchmark-1.7.1.5: Ensure permissions on /etc/issue are configured
✔ File /etc/issue group is expected to eq "root"
✔ File /etc/issue owner is expected to eq "root"
✔ File /etc/issue mode is expected to cmp == "0644"
× cis-dil-benchmark-1.7.1.6: Ensure permissions on /etc/issue.net are configured (3 failed)
× File /etc/issue.net group is expected to eq "root"
expected: "root"
got: nil
(compared using ==)
× File /etc/issue.net owner is expected to eq "root"
expected: "root"
got: nil
(compared using ==)
× File /etc/issue.net mode is expected to cmp == "0644"
can't convert nil into Integer
↺ cis-dil-benchmark-1.7.2: Ensure GDM login banner is configured
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-1.8: Ensure updates, patches, and additional security software are installed
↺ Not implemented
↺ cis-dil-benchmark-2.1.1: Ensure chargen services are not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.2: Ensure daytime services are not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.3: Ensure discard services are not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.4: Ensure echo services are not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.5: Ensure time services are not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.6: Ensure rsh server is not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.7: Ensure talk server is not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.8: Ensure telnet server is not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.9: Ensure tftp server is not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
✔ cis-dil-benchmark-2.1.10: Ensure xinetd is not enabled
✔ Service xinetd is expected not to be enabled
✔ Service xinetd is expected not to be running
✔ cis-dil-benchmark-2.2.1.1: Ensure time synchronization is in use
✔ Command: `ntpd` is expected to exist
× cis-dil-benchmark-2.2.1.2: Ensure ntp is configured (4 failed)
✔ ntp.conf server is expected not to eq nil
✔ ["default nomodify nopeer noquery notrap limited kod", "127.0.0.1", "[::1]"] is expected to match /default\s+(\S+\s+)*kod(?:\s+|\s?")/
✔ ["default nomodify nopeer noquery notrap limited kod", "127.0.0.1", "[::1]"] is expected to match /default\s+(\S+\s+)*nomodify(?:\s+|\s?")/
✔ ["default nomodify nopeer noquery notrap limited kod", "127.0.0.1", "[::1]"] is expected to match /default\s+(\S+\s+)*notrap(?:\s+|\s?")/
✔ ["default nomodify nopeer noquery notrap limited kod", "127.0.0.1", "[::1]"] is expected to match /default\s+(\S+\s+)*nopeer(?:\s+|\s?")/
✔ ["default nomodify nopeer noquery notrap limited kod", "127.0.0.1", "[::1]"] is expected to match /default\s+(\S+\s+)*noquery(?:\s+|\s?")/
× File /etc/init.d/ntp content is expected to match /^RUNASUSER=ntp\s*(?:#.*)?$/
expected nil to match /^RUNASUSER=ntp\s*(?:#.*)?$/
× File /etc/init.d/ntpd content is expected to match /daemon\s+(\S+\s+)-u ntp:ntp(?:\s+|\s?")/
expected nil to match /daemon\s+(\S+\s+)-u ntp:ntp(?:\s+|\s?")/
× File /etc/sysconfig/ntpd content is expected to match /^OPTIONS="(?:.)?-u ntp:ntp\s*(?:.)?"\s*(?:#.*)?$/
expected nil to match /^OPTIONS="(?:.)?-u ntp:ntp\s*(?:.)?"\s*(?:#.*)?$/
× File /usr/lib/systemd/system/ntpd.service content is expected to match /^ExecStart=\/usr\/s?bin\/ntpd (?:.)?-u ntp:ntp\s*(?:.)?$/
expected "[Unit]\nDescription=Network Time Service\nAfter=ntpdate.service sntp.service\nConflicts=systemd-time...tp/ntp.drift -u ntp:ntp\nPrivateTmp=true\nRestart=always\n\n[Install]\nWantedBy=multi-user.target\n" to match /^ExecStart=\/usr\/s?bin\/ntpd (?:.)?-u ntp:ntp\s*(?:.)?$/
Diff:
@@ -1,12 +1,23 @@
-/^ExecStart=\/usr\/s?bin\/ntpd (?:.)?-u ntp:ntp\s*(?:.)?$/
+[Unit]
+Description=Network Time Service
+After=ntpdate.service sntp.service
+Conflicts=systemd-timesyncd.service
+
+[Service]
+ExecStart=/usr/sbin/ntpd -g -n -f /var/lib/ntp/ntp.drift -u ntp:ntp
+PrivateTmp=true
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
↺ cis-dil-benchmark-2.2.1.3: Ensure chrony is configured
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-2.2.1.4: Ensure systemd-timesyncd is configured
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-2.2.2: Ensure X Window System is not installed (2 skipped)
↺ The packages resource is not yet supported on OS coreos
↺ The packages resource is not yet supported on OS coreos
✔ cis-dil-benchmark-2.2.3: Ensure Avahi Server is not enabled
✔ Service avahi-daemon is expected not to be enabled
✔ Service avahi-daemon is expected not to be running
✔ cis-dil-benchmark-2.2.4: Ensure CUPS is not enabled
✔ Service cups is expected not to be enabled
✔ Service cups is expected not to be running
✔ cis-dil-benchmark-2.2.5: Ensure DHCP Server is not enabled
✔ Service isc-dhcp-server is expected not to be enabled
✔ Service isc-dhcp-server is expected not to be running
✔ Service isc-dhcp-server6 is expected not to be enabled
✔ Service isc-dhcp-server6 is expected not to be running
✔ Service dhcpd is expected not to be enabled
✔ Service dhcpd is expected not to be running
✔ cis-dil-benchmark-2.2.6: Ensure LDAP server is not enabled
✔ Service slapd is expected not to be enabled
✔ Service slapd is expected not to be running
✔ cis-dil-benchmark-2.2.7: Ensure NFS and RPC are not enabled
✔ Service nfs-kernel-server is expected not to be enabled
✔ Service nfs-kernel-server is expected not to be running
✔ Service nfs is expected not to be enabled
✔ Service nfs is expected not to be running
✔ Service rpcbind is expected not to be enabled
✔ Service rpcbind is expected not to be running
✔ cis-dil-benchmark-2.2.8: Ensure DNS Server is not enabled
✔ Service named is expected not to be enabled
✔ Service named is expected not to be running
✔ Service bind is expected not to be enabled
✔ Service bind is expected not to be running
✔ Service bind9 is expected not to be enabled
✔ Service bind9 is expected not to be running
✔ cis-dil-benchmark-2.2.9: Ensure FTP Server is not enabled
✔ Service vsftpd is expected not to be enabled
✔ Service vsftpd is expected not to be running
✔ cis-dil-benchmark-2.2.10: Ensure HTTP server is not enabled
✔ Service apache is expected not to be enabled
✔ Service apache is expected not to be running
✔ Service apache2 is expected not to be enabled
✔ Service apache2 is expected not to be running
✔ Service httpd is expected not to be enabled
✔ Service httpd is expected not to be running
✔ Service lighttpd is expected not to be enabled
✔ Service lighttpd is expected not to be running
✔ Service nginx is expected not to be enabled
✔ Service nginx is expected not to be running
✔ cis-dil-benchmark-2.2.11: Ensure IMAP and POP3 server is not enabled
✔ Service dovecot is expected not to be enabled
✔ Service dovecot is expected not to be running
✔ Service courier-imap is expected not to be enabled
✔ Service courier-imap is expected not to be running
✔ Service cyrus-imap is expected not to be enabled
✔ Service cyrus-imap is expected not to be running
✔ cis-dil-benchmark-2.2.12: Ensure Samba is not enabled
✔ Service samba is expected not to be enabled
✔ Service samba is expected not to be running
✔ Service smb is expected not to be enabled
✔ Service smb is expected not to be running
✔ Service smbd is expected not to be enabled
✔ Service smbd is expected not to be running
✔ cis-dil-benchmark-2.2.13: Ensure HTTP Proxy Server is not enabled
✔ Service squid is expected not to be enabled
✔ Service squid is expected not to be running
✔ Service squid3 is expected not to be enabled
✔ Service squid3 is expected not to be running
✔ cis-dil-benchmark-2.2.14: Ensure SNMP Server is not enabled
✔ Service snmpd is expected not to be enabled
✔ Service snmpd is expected not to be running
✔ cis-dil-benchmark-2.2.15: Ensure mail transfer agent is configured for local-only mode
✔ Port 25 with address !~ /^(127\.0\.0\.1|::1)$/ entries is expected to be empty
✔ cis-dil-benchmark-2.2.16: Ensure rsync service is not enabled
✔ Service rsync is expected not to be enabled
✔ Service rsync is expected not to be running
✔ Service rsyncd is expected not to be enabled
✔ Service rsyncd is expected not to be running
✔ cis-dil-benchmark-2.2.17: Ensure NIS Server is not enabled
✔ Service nis is expected not to be enabled
✔ Service nis is expected not to be running
✔ Service ypserv is expected not to be enabled
✔ Service ypserv is expected not to be running
↺ cis-dil-benchmark-2.3.1: Ensure NIS Client is not installed (2 skipped)
↺ The `package` resource is not supported on your OS yet.
↺ The `package` resource is not supported on your OS yet.
↺ cis-dil-benchmark-2.3.2: Ensure rsh client is not installed (3 skipped)
↺ The `package` resource is not supported on your OS yet.
↺ The `package` resource is not supported on your OS yet.
↺ The `package` resource is not supported on your OS yet.
↺ cis-dil-benchmark-2.3.3: Ensure talk client is not installed
↺ The `package` resource is not supported on your OS yet.
↺ cis-dil-benchmark-2.3.4: Ensure telnet client is not installed
↺ The `package` resource is not supported on your OS yet.
↺ cis-dil-benchmark-2.3.5: Ensure LDAP client is not installed (3 skipped)
↺ The `package` resource is not supported on your OS yet.
↺ The `package` resource is not supported on your OS yet.
↺ The `package` resource is not supported on your OS yet.
× cis-dil-benchmark-3.1.1: Ensure IP forwarding is disabled (1 failed)
✔ Kernel Parameter net.ipv4.ip_forward value is expected not to be nil
× Kernel Parameter net.ipv4.ip_forward value is expected to cmp == 0
expected: 0
got: 1
(compared using `cmp` matcher)
✔ Kernel Parameter net.ipv6.conf.all.forwarding value is expected not to be nil
✔ Kernel Parameter net.ipv6.conf.all.forwarding value is expected to cmp == 0
× cis-dil-benchmark-3.1.2: Ensure packet redirect sending is disabled (2 failed)
✔ Kernel Parameter net.ipv4.conf.all.send_redirects value is expected not to be nil
× Kernel Parameter net.ipv4.conf.all.send_redirects value is expected to cmp == 0
expected: 0
got: 1
(compared using `cmp` matcher)
✔ Kernel Parameter net.ipv4.conf.default.send_redirects value is expected not to be nil
× Kernel Parameter net.ipv4.conf.default.send_redirects value is expected to cmp == 0
expected: 0
got: 1
(compared using `cmp` matcher)
✔ cis-dil-benchmark-3.2.1: Ensure source routed packets are not accepted
✔ Kernel Parameter net.ipv4.conf.all.accept_source_route value is expected not to be nil
✔ Kernel Parameter net.ipv4.conf.all.accept_source_route value is expected to eq 0
✔ Kernel Parameter net.ipv4.conf.default.accept_source_route value is expected not to be nil
✔ Kernel Parameter net.ipv4.conf.default.accept_source_route value is expected to eq 0
✔ Kernel Parameter net.ipv6.conf.all.accept_source_route value is expected not to be nil
✔ Kernel Parameter net.ipv6.conf.all.accept_source_route value is expected to eq 0
✔ Kernel Parameter net.ipv6.conf.default.accept_source_route value is expected not to be nil
✔ Kernel Parameter net.ipv6.conf.default.accept_source_route value is expected to eq 0
× cis-dil-benchmark-3.2.2: Ensure ICMP redirects are not accepted (3 failed)
✔ Kernel Parameter net.ipv4.conf.all.accept_redirects value is expected not to be nil
✔ Kernel Parameter net.ipv4.conf.all.accept_redirects value is expected to eq 0
✔ Kernel Parameter net.ipv4.conf.default.accept_redirects value is expected not to be nil
× Kernel Parameter net.ipv4.conf.default.accept_redirects value is expected to eq 0
expected: 0
got: 1
(compared using ==)
✔ Kernel Parameter net.ipv6.conf.all.accept_redirects value is expected not to be nil
× Kernel Parameter net.ipv6.conf.all.accept_redirects value is expected to eq 0
expected: 0
got: 1
(compared using ==)
✔ Kernel Parameter net.ipv6.conf.default.accept_redirects value is expected not to be nil
× Kernel Parameter net.ipv6.conf.default.accept_redirects value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× cis-dil-benchmark-3.2.3: Ensure secure ICMP redirects are not accepted (2 failed)
✔ Kernel Parameter net.ipv4.conf.all.secure_redirects value is expected not to be nil
× Kernel Parameter net.ipv4.conf.all.secure_redirects value is expected to eq 0
expected: 0
got: 1
(compared using ==)
✔ Kernel Parameter net.ipv4.conf.default.secure_redirects value is expected not to be nil
× Kernel Parameter net.ipv4.conf.default.secure_redirects value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× cis-dil-benchmark-3.2.4: Ensure suspicious packets are logged (2 failed)
✔ Kernel Parameter net.ipv4.conf.all.log_martians value is expected not to be nil
× Kernel Parameter net.ipv4.conf.all.log_martians value is expected to eq 1
expected: 1
got: 0
(compared using ==)
✔ Kernel Parameter net.ipv4.conf.default.log_martians value is expected not to be nil
× Kernel Parameter net.ipv4.conf.default.log_martians value is expected to eq 1
expected: 1
got: 0
(compared using ==)
✔ cis-dil-benchmark-3.2.5: Ensure broadcast ICMP requests are ignored
✔ Kernel Parameter net.ipv4.icmp_echo_ignore_broadcasts value is expected not to be nil
✔ Kernel Parameter net.ipv4.icmp_echo_ignore_broadcasts value is expected to eq 1
✔ cis-dil-benchmark-3.2.6: Ensure bogus ICMP responses are ignored
✔ Kernel Parameter net.ipv4.icmp_ignore_bogus_error_responses value is expected not to be nil
✔ Kernel Parameter net.ipv4.icmp_ignore_bogus_error_responses value is expected to eq 1
✔ cis-dil-benchmark-3.2.7: Ensure Reverse Path Filtering is enabled
✔ Kernel Parameter net.ipv4.conf.all.rp_filter value is expected not to be nil
✔ Kernel Parameter net.ipv4.conf.all.rp_filter value is expected to eq 1
✔ Kernel Parameter net.ipv4.conf.default.rp_filter value is expected not to be nil
✔ Kernel Parameter net.ipv4.conf.default.rp_filter value is expected to eq 1
✔ cis-dil-benchmark-3.2.8: Ensure TCP SYN Cookies is enabled
✔ Kernel Parameter net.ipv4.tcp_syncookies value is expected not to be nil
✔ Kernel Parameter net.ipv4.tcp_syncookies value is expected to eq 1
× cis-dil-benchmark-3.2.9: Ensure IPv6 router advertisements are not accepted (2 failed)
✔ Kernel Parameter net.ipv6.conf.all.accept_ra value is expected not to be nil
× Kernel Parameter net.ipv6.conf.all.accept_ra value is expected to eq 0
expected: 0
got: 1
(compared using ==)
✔ Kernel Parameter net.ipv6.conf.default.accept_ra value is expected not to be nil
× Kernel Parameter net.ipv6.conf.default.accept_ra value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× cis-dil-benchmark-3.3.1: Ensure TCP Wrappers is installed (2 failed)
× System Package tcpd is expected to be installed
expected that `System Package tcpd` is installed
× System Package tcp_wrappers is expected to be installed
expected that `System Package tcp_wrappers` is installed
× cis-dil-benchmark-3.3.2: Ensure /etc/hosts.allow is configured
× File /etc/hosts.allow is expected to exist
expected File /etc/hosts.allow to exist
× cis-dil-benchmark-3.3.3: Ensure /etc/hosts.deny is configured
× File /etc/hosts.deny content is expected to match /^ALL: ALL/
expected nil to match /^ALL: ALL/
× cis-dil-benchmark-3.3.4: Ensure permissions on /etc/hosts.allow are configured (5 failed)
× File /etc/hosts.allow is expected to exist
expected File /etc/hosts.allow to exist
× File /etc/hosts.allow is expected to be file
expected `File /etc/hosts.allow.file?` to be truthy, got false
× File /etc/hosts.allow owner is expected to cmp == "root"
expected: root
got:
(compared using `cmp` matcher)
× File /etc/hosts.allow group is expected to cmp == "root"
expected: root
got:
(compared using `cmp` matcher)
× File /etc/hosts.allow mode is expected to cmp == "0644"
can't convert nil into Integer
× cis-dil-benchmark-3.3.5: Ensure permissions on /etc/hosts.deny are configured (5 failed)
× File /etc/hosts.deny is expected to exist
expected File /etc/hosts.deny to exist
× File /etc/hosts.deny is expected to be file
expected `File /etc/hosts.deny.file?` to be truthy, got false
× File /etc/hosts.deny owner is expected to cmp == "root"
expected: root
got:
(compared using `cmp` matcher)
× File /etc/hosts.deny group is expected to cmp == "root"
expected: root
got:
(compared using `cmp` matcher)
× File /etc/hosts.deny mode is expected to cmp == "0644"
can't convert nil into Integer
↺ cis-dil-benchmark-3.4.1: Ensure DCCP is disabled
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-3.4.2: Ensure SCTP is disabled
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-3.4.3: Ensure RDS is disabled
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-3.4.4: Ensure TIPC is disabled
↺ Skipped control due to only_if condition.
× cis-dil-benchmark-3.5.1.1: Ensure IPv6 default deny firewall policy (3 failed)
× Ip6tables is expected to have rule "-P INPUT DROP"
expected Ip6tables to have rule "-P INPUT DROP"
× Ip6tables is expected to have rule "-P OUTPUT DROP"
expected Ip6tables to have rule "-P OUTPUT DROP"
× Ip6tables is expected to have rule "-P FORWARD DROP"
expected Ip6tables to have rule "-P FORWARD DROP"
× cis-dil-benchmark-3.5.1.2: Ensure IPv6 loopback traffic is configured (9 failed)
× -P INPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
expected "-P INPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
+"-P INPUT ACCEPT"
× -P FORWARD ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
expected "-P FORWARD ACCEPT" to match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
+"-P FORWARD ACCEPT"
× -P OUTPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
expected "-P OUTPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
+"-P OUTPUT ACCEPT"
× -P INPUT ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
expected "-P INPUT ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
+"-P INPUT ACCEPT"
× -P FORWARD ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
expected "-P FORWARD ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
+"-P FORWARD ACCEPT"
× -P OUTPUT ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
expected "-P OUTPUT ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
+"-P OUTPUT ACCEPT"
× -P INPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/
expected "-P INPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/
+"-P INPUT ACCEPT"
× -P FORWARD ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/
expected "-P FORWARD ACCEPT" to match /(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/
+"-P FORWARD ACCEPT"
× -P OUTPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/
expected "-P OUTPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-s ::1)(?=.*-j DROP)/
+"-P OUTPUT ACCEPT"
× cis-dil-benchmark-3.5.1.3: Ensure IPv6 outbound and established connections are configured (18 failed)
× -P INPUT ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P INPUT ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
+"-P INPUT ACCEPT"
× -P FORWARD ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P FORWARD ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
+"-P FORWARD ACCEPT"
× -P OUTPUT ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P OUTPUT ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
+"-P OUTPUT ACCEPT"
× -P INPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-p tcp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P INPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-p tcp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-p tcp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
+"-P INPUT ACCEPT"
× -P FORWARD ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-p tcp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P FORWARD ACCEPT" to match /(?=.*-A INPUT)(?=.*-p tcp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-p tcp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
+"-P FORWARD ACCEPT"
× -P OUTPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-p tcp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P OUTPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-p tcp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-p tcp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
+"-P OUTPUT ACCEPT"
× -P INPUT ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-p udp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P INPUT ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-p udp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-p udp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
+"-P INPUT ACCEPT"
× -P FORWARD ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-p udp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P FORWARD ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-p udp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-p udp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
+"-P FORWARD ACCEPT"
× -P OUTPUT ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-p udp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P OUTPUT ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-p udp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-p udp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
+"-P OUTPUT ACCEPT"
× -P INPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-p udp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P INPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-p udp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-p udp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
+"-P INPUT ACCEPT"
× -P FORWARD ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-p udp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P FORWARD ACCEPT" to match /(?=.*-A INPUT)(?=.*-p udp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-p udp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
+"-P FORWARD ACCEPT"
× -P OUTPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-p udp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P OUTPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-p udp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-p udp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
+"-P OUTPUT ACCEPT"
× -P INPUT ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-p icmp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P INPUT ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-p icmp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-p icmp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
+"-P INPUT ACCEPT"
× -P FORWARD ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-p icmp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P FORWARD ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-p icmp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-p icmp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
+"-P FORWARD ACCEPT"
× -P OUTPUT ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-p icmp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P OUTPUT ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-p icmp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-p icmp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
+"-P OUTPUT ACCEPT"
× -P INPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-p icmp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P INPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-p icmp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-p icmp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
+"-P INPUT ACCEPT"
× -P FORWARD ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-p icmp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P FORWARD ACCEPT" to match /(?=.*-A INPUT)(?=.*-p icmp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-p icmp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
+"-P FORWARD ACCEPT"
× -P OUTPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-p icmp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P OUTPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-p icmp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-p icmp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
+"-P OUTPUT ACCEPT"
× cis-dil-benchmark-3.5.1.4: Ensure IPv6 firewall rules exist for all open ports (2 failed)
× Firewall rule should exist for port 68 is expected to equal true
expected true
got false
× Firewall rule should exist for port 22 is expected to equal true
expected true
got false
× cis-dil-benchmark-3.5.2.1: Ensure default deny firewall policy (3 failed)
× Iptables is expected to have rule "-P INPUT DROP"
expected Iptables to have rule "-P INPUT DROP"
× Iptables is expected to have rule "-P OUTPUT DROP"
expected Iptables to have rule "-P OUTPUT DROP"
× Iptables is expected to have rule "-P FORWARD DROP"
expected Iptables to have rule "-P FORWARD DROP"
× cis-dil-benchmark-3.5.2.2: Ensure loopback traffic is configured (9 failed)
× -P INPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
expected "-P INPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
+"-P INPUT ACCEPT"
× -P FORWARD ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
expected "-P FORWARD ACCEPT" to match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
+"-P FORWARD ACCEPT"
× -P OUTPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
expected "-P OUTPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-i lo)(?=.*-j ACCEPT)/
+"-P OUTPUT ACCEPT"
× -P INPUT ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
expected "-P INPUT ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
+"-P INPUT ACCEPT"
× -P FORWARD ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
expected "-P FORWARD ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
+"-P FORWARD ACCEPT"
× -P OUTPUT ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
expected "-P OUTPUT ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-o lo)(?=.*-j ACCEPT)/
+"-P OUTPUT ACCEPT"
× -P INPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-s 127\.0\.0\.0\/8)(?=.*-j DROP)/
expected "-P INPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-s 127\.0\.0\.0\/8)(?=.*-j DROP)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-s 127\.0\.0\.0\/8)(?=.*-j DROP)/
+"-P INPUT ACCEPT"
× -P FORWARD ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-s 127\.0\.0\.0\/8)(?=.*-j DROP)/
expected "-P FORWARD ACCEPT" to match /(?=.*-A INPUT)(?=.*-s 127\.0\.0\.0\/8)(?=.*-j DROP)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-s 127\.0\.0\.0\/8)(?=.*-j DROP)/
+"-P FORWARD ACCEPT"
× -P OUTPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-s 127\.0\.0\.0\/8)(?=.*-j DROP)/
expected "-P OUTPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-s 127\.0\.0\.0\/8)(?=.*-j DROP)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-s 127\.0\.0\.0\/8)(?=.*-j DROP)/
+"-P OUTPUT ACCEPT"
× cis-dil-benchmark-3.5.2.3: Ensure outbound and established connections are configured (18 failed)
× -P INPUT ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P INPUT ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
+"-P INPUT ACCEPT"
× -P FORWARD ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P FORWARD ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
+"-P FORWARD ACCEPT"
× -P OUTPUT ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P OUTPUT ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-p tcp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
+"-P OUTPUT ACCEPT"
× -P INPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-p tcp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P INPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-p tcp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-p tcp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
+"-P INPUT ACCEPT"
× -P FORWARD ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-p tcp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P FORWARD ACCEPT" to match /(?=.*-A INPUT)(?=.*-p tcp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-p tcp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
+"-P FORWARD ACCEPT"
× -P OUTPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-p tcp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P OUTPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-p tcp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-p tcp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
+"-P OUTPUT ACCEPT"
× -P INPUT ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-p udp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P INPUT ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-p udp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-p udp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
+"-P INPUT ACCEPT"
× -P FORWARD ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-p udp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P FORWARD ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-p udp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-p udp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
+"-P FORWARD ACCEPT"
× -P OUTPUT ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-p udp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P OUTPUT ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-p udp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-p udp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
+"-P OUTPUT ACCEPT"
× -P INPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-p udp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P INPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-p udp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-p udp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
+"-P INPUT ACCEPT"
× -P FORWARD ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-p udp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P FORWARD ACCEPT" to match /(?=.*-A INPUT)(?=.*-p udp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-p udp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
+"-P FORWARD ACCEPT"
× -P OUTPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-p udp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P OUTPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-p udp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-p udp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
+"-P OUTPUT ACCEPT"
× -P INPUT ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-p icmp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P INPUT ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-p icmp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-p icmp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
+"-P INPUT ACCEPT"
× -P FORWARD ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-p icmp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P FORWARD ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-p icmp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-p icmp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
+"-P FORWARD ACCEPT"
× -P OUTPUT ACCEPT is expected to match /(?=.*-A OUTPUT)(?=.*-p icmp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P OUTPUT ACCEPT" to match /(?=.*-A OUTPUT)(?=.*-p icmp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A OUTPUT)(?=.*-p icmp)(?=.*-m state --state NEW,ESTABLISHED)(?=.*-j ACCEPT)/
+"-P OUTPUT ACCEPT"
× -P INPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-p icmp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P INPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-p icmp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-p icmp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
+"-P INPUT ACCEPT"
× -P FORWARD ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-p icmp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P FORWARD ACCEPT" to match /(?=.*-A INPUT)(?=.*-p icmp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-p icmp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
+"-P FORWARD ACCEPT"
× -P OUTPUT ACCEPT is expected to match /(?=.*-A INPUT)(?=.*-p icmp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
expected "-P OUTPUT ACCEPT" to match /(?=.*-A INPUT)(?=.*-p icmp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
Diff:
@@ -1 +1 @@
-/(?=.*-A INPUT)(?=.*-p icmp)(?=.*-m state --state ESTABLISHED)(?=.*-j ACCEPT)/
+"-P OUTPUT ACCEPT"
× cis-dil-benchmark-3.5.2.4: Ensure firewall rules exist for all open ports (2 failed)
× Firewall rule should exist for port 68 is expected to equal true
expected true
got false
× Firewall rule should exist for port 22 is expected to equal true
expected true
got false
↺ cis-dil-benchmark-3.5.3: Ensure iptables is installed
↺ The `package` resource is not supported on your OS yet.
↺ cis-dil-benchmark-3.6: Ensure wireless interfaces are disabled
↺ Not implemented
↺ cis-dil-benchmark-3.7: Disable IPv6
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-4.1.1.1: Ensure audit log storage size is configured
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-4.1.1.2: Ensure system is disabled when audit logs are full
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-4.1.1.3: Ensure audit logs are not automatically deleted
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-4.1.2: Ensure auditd is installed
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-4.1.3: Ensure auditd service is enabled
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-4.1.4: Ensure auditing for processes that start prior to auditd is enabled
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-4.1.5: Ensure events that modify date and time information are collected
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-4.1.6: Ensure events that modify user/group information are collected
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-4.1.7: Ensure events that modify the system's network environment are collected
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-4.1.8: Ensure events that modify the system's Mandatory Access Controls are collected
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-4.1.9: Ensure login and logout events are collected
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-4.1.10: Ensure session initiation information is collected
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-4.1.11: Ensure discretionary access control permission modification events are collected
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-4.1.12: Ensure unsuccessful unauthorized file access attempts are collected
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-4.1.13: Ensure use of privileged commands is collected
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-4.1.14: Ensure successful file system mounts are collected
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-4.1.15: Ensure file deletion events by users are collected
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-4.1.16: Ensure changes to system administration scope (sudoers) is collected
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-4.1.17: Ensure system administrator actions (sudolog) are collected
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-4.1.18: Ensure kernel module loading and unloading is collected
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-4.1.19: Ensure the audit configuration is immutable
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-4.2.1.1: Ensure rsyslog Service is insalled
↺ The `package` resource is not supported on your OS yet.
× cis-dil-benchmark-4.2.1.2: Ensure rsyslog Service is enabled (2 failed)
× Service rsyslog is expected to be enabled
expected that `Service rsyslog` is enabled
× Service rsyslog is expected to be running
expected that `Service rsyslog` is running
× cis-dil-benchmark-4.2.1.3: Ensure logging is configured
× File /etc/rsyslog.conf is expected to exist
expected File /etc/rsyslog.conf to exist
× cis-dil-benchmark-4.2.1.4: Ensure rsyslog default file permissions configured
× File /etc/rsyslog.conf content is expected to match /^\$FileCreateMode\s+0[0-6][0-4]0/
expected nil to match /^\$FileCreateMode\s+0[0-6][0-4]0/
× cis-dil-benchmark-4.2.1.5: Ensure rsyslog is configured to send logs to a remote log host
× File /etc/rsyslog.conf content is expected to match /^\s*\*\.\*\s+@/
expected nil to match /^\s*\*\.\*\s+@/
↺ cis-dil-benchmark-4.2.1.6: Ensure remote rsyslog messages are only accepted on designated log hosts.
↺ Not implemented
× cis-dil-benchmark-4.2.2.1: Ensure journald is configured to send logs to rsyslog
× Parse Config File /etc/systemd/journald.conf Journal is expected to include {"ForwardToSyslog" => "yes"}
expected {} to include {"ForwardToSyslog" => "yes"}
Diff:
@@ -1,2 +1 @@
-"ForwardToSyslog" => "yes",
× cis-dil-benchmark-4.2.2.2: Ensure journald is configured to compress large log files
× Parse Config File /etc/systemd/journald.conf Journal is expected to include {"Compress" => "yes"}
expected {} to include {"Compress" => "yes"}
Diff:
@@ -1,2 +1 @@
-"Compress" => "yes",
× cis-dil-benchmark-4.2.2.3: Ensure journald is configured to write logfiles to persistent disk
× Parse Config File /etc/systemd/journald.conf Journal is expected to include {"Storage" => "persistent"}
expected {} to include {"Storage" => "persistent"}
Diff:
@@ -1,2 +1 @@
-"Storage" => "persistent",
× cis-dil-benchmark-4.2.3: Ensure permissions on all logfiles are configured (2 failed)
✔ File /var/log/tallylog is expected not to be writable by group
✔ File /var/log/tallylog is expected not to be executable by group
✔ File /var/log/tallylog is expected not to be readable by other
✔ File /var/log/tallylog is expected not to be writable by other
✔ File /var/log/tallylog is expected not to be executable by other
✔ File /var/log/faillog is expected not to be writable by group
✔ File /var/log/faillog is expected not to be executable by group
× File /var/log/faillog is expected not to be readable by other
expected File /var/log/faillog not to be readable by other
✔ File /var/log/faillog is expected not to be writable by other
✔ File /var/log/faillog is expected not to be executable by other
✔ File /var/log/journal/e6d76ebe5f4d487aa425a47165856433/system.journal is expected not to be writable by group
✔ File /var/log/journal/e6d76ebe5f4d487aa425a47165856433/system.journal is expected not to be executable by group
✔ File /var/log/journal/e6d76ebe5f4d487aa425a47165856433/system.journal is expected not to be readable by other
✔ File /var/log/journal/e6d76ebe5f4d487aa425a47165856433/system.journal is expected not to be writable by other
✔ File /var/log/journal/e6d76ebe5f4d487aa425a47165856433/system.journal is expected not to be executable by other
× File /var/log/btmp is expected not to be writable by group
expected File /var/log/btmp not to be writable by group
✔ File /var/log/btmp is expected not to be executable by group
✔ File /var/log/btmp is expected not to be readable by other
✔ File /var/log/btmp is expected not to be writable by other
✔ File /var/log/btmp is expected not to be executable by other
✔ File /var/log/lastlog is expected not to be executable by group
✔ File /var/log/lastlog is expected not to be writable by other
✔ File /var/log/lastlog is expected not to be executable by other
✔ File /var/log/wtmp is expected not to be executable by group
✔ File /var/log/wtmp is expected not to be writable by other
✔ File /var/log/wtmp is expected not to be executable by other
↺ cis-dil-benchmark-4.3: Ensure logrotate is configured
↺ Not implemented
× cis-dil-benchmark-5.1.1: Ensure cron daemon is enabled (4 failed)
× Service cron is expected to be enabled
expected that `Service cron` is enabled
× Service cron is expected to be running
expected that `Service cron` is running
× Service crond is expected to be enabled
expected that `Service crond` is enabled
× Service crond is expected to be running
expected that `Service crond` is running
× cis-dil-benchmark-5.1.2: Ensure permissions on /etc/crontab are configured (3 failed)
× File /etc/crontab is expected to exist
expected File /etc/crontab to exist
✔ File /etc/crontab is expected not to be readable by group
✔ File /etc/crontab is expected not to be writable by group
✔ File /etc/crontab is expected not to be executable by group
✔ File /etc/crontab is expected not to be readable by other
✔ File /etc/crontab is expected not to be writable by other
✔ File /etc/crontab is expected not to be executable by other
× File /etc/crontab uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /etc/crontab gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× cis-dil-benchmark-5.1.3: Ensure permissions on /etc/cron.hourly are configured (3 failed)
× File /etc/cron.hourly is expected to exist
expected File /etc/cron.hourly to exist
✔ File /etc/cron.hourly is expected not to be readable by group
✔ File /etc/cron.hourly is expected not to be writable by group
✔ File /etc/cron.hourly is expected not to be executable by group
✔ File /etc/cron.hourly is expected not to be readable by other
✔ File /etc/cron.hourly is expected not to be writable by other
✔ File /etc/cron.hourly is expected not to be executable by other
× File /etc/cron.hourly uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /etc/cron.hourly gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× cis-dil-benchmark-5.1.4: Ensure permissions on /etc/cron.daily are configured (3 failed)
× File /etc/cron.daily is expected to exist
expected File /etc/cron.daily to exist
✔ File /etc/cron.daily is expected not to be readable by group
✔ File /etc/cron.daily is expected not to be writable by group
✔ File /etc/cron.daily is expected not to be executable by group
✔ File /etc/cron.daily is expected not to be readable by other
✔ File /etc/cron.daily is expected not to be writable by other
✔ File /etc/cron.daily is expected not to be executable by other
× File /etc/cron.daily uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /etc/cron.daily gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× cis-dil-benchmark-5.1.5: Ensure permissions on /etc/cron.weekly are configured (4 failed)
✔ File /etc/cron.weekly is expected to exist
× File /etc/cron.weekly is expected not to be readable by group
expected File /etc/cron.weekly not to be readable by group
✔ File /etc/cron.weekly is expected not to be writable by group
× File /etc/cron.weekly is expected not to be executable by group
expected File /etc/cron.weekly not to be executable by group
× File /etc/cron.weekly is expected not to be readable by other
expected File /etc/cron.weekly not to be readable by other
✔ File /etc/cron.weekly is expected not to be writable by other
× File /etc/cron.weekly is expected not to be executable by other
expected File /etc/cron.weekly not to be executable by other
✔ File /etc/cron.weekly uid is expected to cmp == 0
✔ File /etc/cron.weekly gid is expected to cmp == 0
× cis-dil-benchmark-5.1.6: Ensure permissions on /etc/cron.monthly are configured (3 failed)
× File /etc/cron.monthly is expected to exist
expected File /etc/cron.monthly to exist
✔ File /etc/cron.monthly is expected not to be readable by group
✔ File /etc/cron.monthly is expected not to be writable by group
✔ File /etc/cron.monthly is expected not to be executable by group
✔ File /etc/cron.monthly is expected not to be readable by other
✔ File /etc/cron.monthly is expected not to be writable by other
✔ File /etc/cron.monthly is expected not to be executable by other
× File /etc/cron.monthly uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /etc/cron.monthly gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× cis-dil-benchmark-5.1.7: Ensure permissions on /etc/cron.d are configured (3 failed)
× File /etc/cron.d is expected to exist
expected File /etc/cron.d to exist
✔ File /etc/cron.d is expected not to be readable by group
✔ File /etc/cron.d is expected not to be writable by group
✔ File /etc/cron.d is expected not to be executable by group
✔ File /etc/cron.d is expected not to be readable by other
✔ File /etc/cron.d is expected not to be writable by other
✔ File /etc/cron.d is expected not to be executable by other
× File /etc/cron.d uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /etc/cron.d gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× cis-dil-benchmark-5.1.8: Ensure at/cron is restricted to authorized users (6 failed)
✔ File /etc/cron.deny is expected not to exist
× File /etc/cron.allow is expected to exist
expected File /etc/cron.allow to exist
✔ File /etc/cron.allow is expected not to be readable by group
✔ File /etc/cron.allow is expected not to be writable by group
✔ File /etc/cron.allow is expected not to be executable by group
✔ File /etc/cron.allow is expected not to be readable by other
✔ File /etc/cron.allow is expected not to be writable by other
✔ File /etc/cron.allow is expected not to be executable by other
× File /etc/cron.allow uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /etc/cron.allow gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
✔ File /etc/at.deny is expected not to exist
× File /etc/at.allow is expected to exist
expected File /etc/at.allow to exist
✔ File /etc/at.allow is expected not to be readable by group
✔ File /etc/at.allow is expected not to be writable by group
✔ File /etc/at.allow is expected not to be executable by group
✔ File /etc/at.allow is expected not to be readable by other
✔ File /etc/at.allow is expected not to be writable by other
✔ File /etc/at.allow is expected not to be executable by other
× File /etc/at.allow uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /etc/at.allow gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
✔ cis-dil-benchmark-5.2.1: Ensure permissions on /etc/ssh/sshd_config are configured (Scored)
✔ File /etc/ssh/sshd_config is expected to exist
✔ File /etc/ssh/sshd_config is expected not to be readable by group
✔ File /etc/ssh/sshd_config is expected not to be writable by group
✔ File /etc/ssh/sshd_config is expected not to be executable by group
✔ File /etc/ssh/sshd_config is expected not to be readable by other
✔ File /etc/ssh/sshd_config is expected not to be writable by other
✔ File /etc/ssh/sshd_config is expected not to be executable by other
✔ File /etc/ssh/sshd_config uid is expected to cmp == 0
✔ File /etc/ssh/sshd_config gid is expected to cmp == 0
✔ cis-dil-benchmark-5.2.2: Ensure permissions on SSH private host key files are configured (Scored)
✔ File /etc/ssh/ssh_host_ed25519_key is expected not to be readable by group
✔ File /etc/ssh/ssh_host_ed25519_key is expected not to be writable by group
✔ File /etc/ssh/ssh_host_ed25519_key is expected not to be executable by group
✔ File /etc/ssh/ssh_host_ed25519_key is expected not to be readable by other
✔ File /etc/ssh/ssh_host_ed25519_key is expected not to be writable by other
✔ File /etc/ssh/ssh_host_ed25519_key is expected not to be executable by other
✔ File /etc/ssh/ssh_host_ed25519_key gid is expected to cmp == 0
✔ File /etc/ssh/ssh_host_ed25519_key uid is expected to cmp == 0
✔ File /etc/ssh/ssh_host_rsa_key is expected not to be readable by group
✔ File /etc/ssh/ssh_host_rsa_key is expected not to be writable by group
✔ File /etc/ssh/ssh_host_rsa_key is expected not to be executable by group
✔ File /etc/ssh/ssh_host_rsa_key is expected not to be readable by other
✔ File /etc/ssh/ssh_host_rsa_key is expected not to be writable by other
✔ File /etc/ssh/ssh_host_rsa_key is expected not to be executable by other
✔ File /etc/ssh/ssh_host_rsa_key gid is expected to cmp == 0
✔ File /etc/ssh/ssh_host_rsa_key uid is expected to cmp == 0
✔ File /etc/ssh/ssh_host_ecdsa_key is expected not to be readable by group
✔ File /etc/ssh/ssh_host_ecdsa_key is expected not to be writable by group
✔ File /etc/ssh/ssh_host_ecdsa_key is expected not to be executable by group
✔ File /etc/ssh/ssh_host_ecdsa_key is expected not to be readable by other
✔ File /etc/ssh/ssh_host_ecdsa_key is expected not to be writable by other
✔ File /etc/ssh/ssh_host_ecdsa_key is expected not to be executable by other
✔ File /etc/ssh/ssh_host_ecdsa_key gid is expected to cmp == 0
✔ File /etc/ssh/ssh_host_ecdsa_key uid is expected to cmp == 0
✔ File /etc/ssh/ssh_host_dsa_key is expected not to be readable by group
✔ File /etc/ssh/ssh_host_dsa_key is expected not to be writable by group
✔ File /etc/ssh/ssh_host_dsa_key is expected not to be executable by group
✔ File /etc/ssh/ssh_host_dsa_key is expected not to be readable by other
✔ File /etc/ssh/ssh_host_dsa_key is expected not to be writable by other
✔ File /etc/ssh/ssh_host_dsa_key is expected not to be executable by other
✔ File /etc/ssh/ssh_host_dsa_key gid is expected to cmp == 0
✔ File /etc/ssh/ssh_host_dsa_key uid is expected to cmp == 0
✔ cis-dil-benchmark-5.2.3: Ensure permissions on SSH public host key files are configured (Scored)
✔ File /etc/ssh/ssh_host_dsa_key.pub is expected to be readable by group
✔ File /etc/ssh/ssh_host_dsa_key.pub is expected not to be writable by group
✔ File /etc/ssh/ssh_host_dsa_key.pub is expected not to be executable by group
✔ File /etc/ssh/ssh_host_dsa_key.pub is expected to be readable by other
✔ File /etc/ssh/ssh_host_dsa_key.pub is expected not to be writable by other
✔ File /etc/ssh/ssh_host_dsa_key.pub is expected not to be executable by other
✔ File /etc/ssh/ssh_host_dsa_key.pub gid is expected to cmp == 0
✔ File /etc/ssh/ssh_host_dsa_key.pub uid is expected to cmp == 0
✔ File /etc/ssh/ssh_host_rsa_key.pub is expected to be readable by group
✔ File /etc/ssh/ssh_host_rsa_key.pub is expected not to be writable by group
✔ File /etc/ssh/ssh_host_rsa_key.pub is expected not to be executable by group
✔ File /etc/ssh/ssh_host_rsa_key.pub is expected to be readable by other
✔ File /etc/ssh/ssh_host_rsa_key.pub is expected not to be writable by other
✔ File /etc/ssh/ssh_host_rsa_key.pub is expected not to be executable by other
✔ File /etc/ssh/ssh_host_rsa_key.pub gid is expected to cmp == 0
✔ File /etc/ssh/ssh_host_rsa_key.pub uid is expected to cmp == 0
✔ File /etc/ssh/ssh_host_ed25519_key.pub is expected to be readable by group
✔ File /etc/ssh/ssh_host_ed25519_key.pub is expected not to be writable by group
✔ File /etc/ssh/ssh_host_ed25519_key.pub is expected not to be executable by group
✔ File /etc/ssh/ssh_host_ed25519_key.pub is expected to be readable by other
✔ File /etc/ssh/ssh_host_ed25519_key.pub is expected not to be writable by other
✔ File /etc/ssh/ssh_host_ed25519_key.pub is expected not to be executable by other
✔ File /etc/ssh/ssh_host_ed25519_key.pub gid is expected to cmp == 0
✔ File /etc/ssh/ssh_host_ed25519_key.pub uid is expected to cmp == 0
✔ File /etc/ssh/ssh_host_ecdsa_key.pub is expected to be readable by group
✔ File /etc/ssh/ssh_host_ecdsa_key.pub is expected not to be writable by group
✔ File /etc/ssh/ssh_host_ecdsa_key.pub is expected not to be executable by group
✔ File /etc/ssh/ssh_host_ecdsa_key.pub is expected to be readable by other
✔ File /etc/ssh/ssh_host_ecdsa_key.pub is expected not to be writable by other
✔ File /etc/ssh/ssh_host_ecdsa_key.pub is expected not to be executable by other
✔ File /etc/ssh/ssh_host_ecdsa_key.pub gid is expected to cmp == 0
✔ File /etc/ssh/ssh_host_ecdsa_key.pub uid is expected to cmp == 0
× cis-dil-benchmark-5.2.4: Ensure SSH Protocol is set to 2 (Scored)
× SSHD Configuration Protocol is expected to cmp == 2
expected: 2
got:
(compared using `cmp` matcher)
× cis-dil-benchmark-5.2.5: Ensure SSH LogLevel is appropriate (Scored)
× SSHD Configuration LogLevel is expected to eq "VERBOSE"
expected: "VERBOSE"
got: nil
(compared using ==)
× cis-dil-benchmark-5.2.6: Ensure SSH X11 forwarding is disabled (Scored)
× SSHD Configuration X11Forwarding is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
× cis-dil-benchmark-5.2.7: Ensure SSH MaxAuthTries is set to 4 or less (Scored)
× SSHD Configuration MaxAuthTries is expected to cmp <= 4
expected it to be <= 4
got:
(compared using `cmp` matcher)
× cis-dil-benchmark-5.2.8: Ensure SSH IgnoreRhosts is enabled (Scored)
× SSHD Configuration IgnoreRhosts is expected to eq "yes"
expected: "yes"
got: nil
(compared using ==)
× cis-dil-benchmark-5.2.9: Ensure SSH HostbasedAuthentication is disabled (Scored)
× SSHD Configuration HostbasedAuthentication is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
× cis-dil-benchmark-5.2.10: Ensure SSH root login is disabled (Scored)
× SSHD Configuration PermitRootLogin is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
× cis-dil-benchmark-5.2.11: Ensure SSH PermitEmptyPasswords is disabled (Scored)
× SSHD Configuration PermitEmptyPasswords is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
× cis-dil-benchmark-5.2.12: Ensure SSH PermitUserEnvironment is disabled (Scored)
× SSHD Configuration PermitUserEnvironment is expected to eq "no"
expected: "no"
got: nil
(compared using ==)
× cis-dil-benchmark-5.2.13: Ensure only strong Ciphers are used (Scored)
× SSHD Configuration Ciphers is expected not to be nil
expected: not nil
got: nil
× cis-dil-benchmark-5.2.14: Ensure only strong MAC algorithms are used (Scored)
× SSHD Configuration MACs is expected not to be nil
expected: not nil
got: nil
× cis-dil-benchmark-5.2.15: Ensure only strong Key Exchange algorithms are used (Scored)
× SSHD Configuration KexAlgorithms is expected not to be nil
expected: not nil
got: nil
× cis-dil-benchmark-5.2.16: Ensure SSH Idle Timeout Interval is configured (Scored) (1 failed)
✔ SSHD Configuration ClientAliveInterval is expected to cmp <= 300
× SSHD Configuration ClientAliveCountMax is expected to cmp <= 0
expected it to be <= 0
got:
(compared using `cmp` matcher)
× cis-dil-benchmark-5.2.17: Ensure SSH LoginGraceTime is set to one minute or less (Scored)
× SSHD Configuration LoginGraceTime is expected to satisfy expression `x == '1m' || ((matches = x.match(/(?<secs>[0-9]+)s?/)) && Integer(matches[:secs]) <= 60)`
undefined method `match' for nil:NilClass
× cis-dil-benchmark-5.2.18: Ensure SSH access is limited (Scored) (4 failed)
× SSHD Configuration AllowUsers is expected not to be nil
expected: not nil
got: nil
× SSHD Configuration AllowGroups is expected not to be nil
expected: not nil
got: nil
× SSHD Configuration DenyUsers is expected not to be nil
expected: not nil
got: nil
× SSHD Configuration DenyGroups is expected not to be nil
expected: not nil
got: nil
× cis-dil-benchmark-5.2.19: Ensure SSH warning banner is configured (Scored)
× SSHD Configuration Banner is expected not to be nil
expected: not nil
got: nil
✔ cis-dil-benchmark-5.2.20: Ensure SSH PAM is enabled (Scored)
✔ SSHD Configuration UsePAM is expected to eq "yes"
↺ cis-dil-benchmark-5.2.21: Ensure SSH AllowTcpForwarding is disabled (Scored)
↺ Skipped control due to only_if condition.
× cis-dil-benchmark-5.2.22: Ensure SSH MaxStartups is configured (Scored)
× SSHD Configuration MaxStartups is expected to eq "10:30:60"
expected: "10:30:60"
got: nil
(compared using ==)
× cis-dil-benchmark-5.2.23: Ensure SSH MaxSessions is set to 4 or less (Scored)
× SSHD Configuration MaxSessions is expected to cmp <= 4
expected it to be <= 4
got:
(compared using `cmp` matcher)
↺ cis-dil-benchmark-5.3.2: Ensure lockout for failed password attempts is configured
↺ Not implemented
× cis-dil-benchmark-5.3.3: Ensure password reuse is limited (4 failed)
× File /etc/pam.d/common-password content is expected to match /^password\s+(\S+\s+)+pam_unix\.so (\S+\s+)*remember=([56789]|[1-9][0-9]+)/
expected nil to match /^password\s+(\S+\s+)+pam_unix\.so (\S+\s+)*remember=([56789]|[1-9][0-9]+)/
× File /etc/pam.d/common-password content is expected to match /^password\s+(\S+\s+)+pam_pwhistory\.so (\S+\s+)*remember=([56789]|[1-9][0-9]+)/
expected nil to match /^password\s+(\S+\s+)+pam_pwhistory\.so (\S+\s+)*remember=([56789]|[1-9][0-9]+)/
× File /etc/pam.d/system-auth content is expected to match /^password\s+(\S+\s+)+pam_unix\.so (\S+\s+)*remember=([56789]|[1-9][0-9]+)/
expected nil to match /^password\s+(\S+\s+)+pam_unix\.so (\S+\s+)*remember=([56789]|[1-9][0-9]+)/
× File /etc/pam.d/system-auth content is expected to match /^password\s+(\S+\s+)+pam_pwhistory\.so (\S+\s+)*remember=([56789]|[1-9][0-9]+)/
expected nil to match /^password\s+(\S+\s+)+pam_pwhistory\.so (\S+\s+)*remember=([56789]|[1-9][0-9]+)/
× cis-dil-benchmark-5.3.4: Ensure password hashing algorithm is SHA-512 (3 failed)
× File /etc/pam.d/common-password content is expected to match /^password(\s+\S+\s+)+pam_unix\.so\s+(\S+\s+)*sha512/
expected nil to match /^password(\s+\S+\s+)+pam_unix\.so\s+(\S+\s+)*sha512/
× File /etc/pam.d/system-auth content is expected to match /^password(\s+\S+\s+)+pam_unix\.so\s+(\S+\s+)*sha512/
expected nil to match /^password(\s+\S+\s+)+pam_unix\.so\s+(\S+\s+)*sha512/
× File /etc/pam.d/password-auth content is expected to match /^password(\s+\S+\s+)+pam_unix\.so\s+(\S+\s+)*sha512/
expected nil to match /^password(\s+\S+\s+)+pam_unix\.so\s+(\S+\s+)*sha512/
× cis-dil-benchmark-5.4.1.1: Ensure password expiration is 365 days or less
× login.defs PASS_MAX_DAYS is expected to cmp <= 365
expected it to be <= 365
got: 99999
(compared using `cmp` matcher)
× cis-dil-benchmark-5.4.1.2: Ensure minimum days between password changes is 7 or more
× login.defs PASS_MIN_DAYS is expected to cmp >= 7
expected it to be >= 7
got: 0
(compared using `cmp` matcher)
✔ cis-dil-benchmark-5.4.1.3: Ensure password expiration warning days is 7 or more
✔ login.defs PASS_WARN_AGE is expected to cmp >= 7
× cis-dil-benchmark-5.4.1.4: Ensure inactive password lock is 30 days or less
× Command: `useradd -D` stdout is expected to match /^INACTIVE=(30|[1-2][0-9]|[1-9])$/
expected "GROUP=100\nHOME=/home\nINACTIVE=-1\nEXPIRE=\nSHELL=/bin/bash\nSKEL=/etc/skel\nCREATE_MAIL_SPOOL=no\n" to match /^INACTIVE=(30|[1-2][0-9]|[1-9])$/
Diff:
@@ -1,7 +1,13 @@
-/^INACTIVE=(30|[1-2][0-9]|[1-9])$/
+GROUP=100
+HOME=/home
+INACTIVE=-1
+EXPIRE=
+SHELL=/bin/bash
+SKEL=/etc/skel
+CREATE_MAIL_SPOOL=no
× cis-dil-benchmark-5.4.2: Ensure system accounts are secured (26 failed)
× /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
expected "/bin/bash" to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
Diff:
@@ -1 +1 @@
-/(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
+"/bin/bash"
✔ /etc/shadow with user == "core" passwords is expected to cmp == /^[*!]/
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
✔ /etc/shadow with user == "systemd-timesync" passwords is expected to cmp == /^[*!]/
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
✔ /etc/shadow with user == "systemd-coredump" passwords is expected to cmp == /^[*!]/
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "bin" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "daemon" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "adm" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "lp" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "news" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "uucp" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "operator" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "man" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "messagebus" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "syslog" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "ntp" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "sshd" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "tcpdump" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "dhcp" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "etcd" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "docker" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "tlsdate" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "polkitd" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "tss" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "systemd-journal-remote" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "systemd-network" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "systemd-resolve" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "systemd-bus-proxy" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
✔ /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
× /etc/shadow with user == "portage" passwords is expected to cmp == /^[*!]/
expected: (?-mix:^[*!])
got: []
(compared using `cmp` matcher)
× /etc/passwd with uid to_i < 1000 one entry shell is expected to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
expected "/bin/bash" to match /(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
Diff:
@@ -1 +1 @@
-/(\/usr\/sbin\/nologin|\/sbin\/nologin|\/bin\/false)/
+"/bin/bash"
✔ /etc/shadow with user == "core" passwords is expected to cmp == /^[*!]/
✔ cis-dil-benchmark-5.4.3: Ensure default group for the root account is GID 0
✔ /etc/passwd with user == "root" gids is expected to cmp == 0
× cis-dil-benchmark-5.4.4: Ensure default user umask is 027 or more restrictive (2 failed)
× File /etc/profile content is expected not to match /^\s*umask [0-7](0[1-7]|[1-7][1-6])\s*(?:#.*)?$/
expected "# /etc/profile: login shell setup\n#\n# That this file is used by any Bourne-shell derivative to set... \"$sh\"\ndone\nfor sh in /etc/profile.d/*.sh ; do\n\t[ -r \"$sh\" ] && . \"$sh\"\ndone\nunset sh\n" not to match /^\s*umask [0-7](0[1-7]|[1-7][1-6])\s*(?:#.*)?$/
Diff:
@@ -1,59 +1,117 @@
-/^\s*umask [0-7](0[1-7]|[1-7][1-6])\s*(?:#.*)?$/
+# /etc/profile: login shell setup
+#
+# That this file is used by any Bourne-shell derivative to setup the
+# environment for login shells.
+#
+
+# Load environment settings from profile.env, which is created by
+# env-update from the files in /etc/env.d
+if [ -e /etc/profile.env ] ; then
+ . /etc/profile.env
+elif [ -e /usr/share/baselayout/profile.env ] ; then
+ . /usr/share/baselayout/profile.env
+fi
+
+# You should override these in your ~/.bashrc (or equivalent) for per-user
+# settings. For system defaults, you can add a new file in /etc/profile.d/.
+export EDITOR=${EDITOR:-/usr/bin/vim}
+export PAGER=${PAGER:-/usr/bin/less}
+
+# 077 would be more secure, but 022 is generally quite realistic
+umask 022
+
+# Set up PATH, all users get both bin and sbin to keep things simple.
+# Gentoo normally splits this up which is why the variable is called ROOTPATH
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin${ROOTPATH:+:}${ROOTPATH-}"
+unset ROOTPATH
+
+if [ -n "${BASH_VERSION-}" ] ; then
+ # Newer bash ebuilds include /etc/bash/bashrc which will setup PS1
+ # including color. We leave out color here because not all
+ # terminals support it.
+ if [ -f /etc/bash/bashrc ] ; then
+ # Bash login shells run only /etc/profile
+ # Bash non-login shells run only /etc/bash/bashrc
+ # Since we want to run /etc/bash/bashrc regardless, we source it
+ # from here. It is unfortunate that there is no way to do
+ # this *after* the user's .bash_profile runs (without putting
+ # it in the user's dot-files), but it shouldn't make any
+ # difference.
+ . /etc/bash/bashrc
+ elif [ -f /usr/share/bash/bashrc ] ; then
+ . /usr/share/bash/bashrc
+ else
+ PS1='\u@\h \w \$ '
+ fi
+else
+ # Setup a bland default prompt. Since this prompt should be useable
+ # on color and non-color terminals, as well as shells that don't
+ # understand sequences such as \h, don't put anything special in it.
+ PS1="${USER:-$(whoami 2>/dev/null)}@$(uname -n 2>/dev/null) \$ "
+fi
+
+for sh in /usr/share/profile.d/*.sh ; do
+ [ -r "$sh" ] && . "$sh"
+done
+for sh in /etc/profile.d/*.sh ; do
+ [ -r "$sh" ] && . "$sh"
+done
+unset sh
× File /etc/profile content is expected to match /^\s*umask [0-7][2367]7\s*(?:#.*)?$/
expected "# /etc/profile: login shell setup\n#\n# That this file is used by any Bourne-shell derivative to set... \"$sh\"\ndone\nfor sh in /etc/profile.d/*.sh ; do\n\t[ -r \"$sh\" ] && . \"$sh\"\ndone\nunset sh\n" to match /^\s*umask [0-7][2367]7\s*(?:#.*)?$/
Diff:
@@ -1,59 +1,117 @@
-/^\s*umask [0-7][2367]7\s*(?:#.*)?$/
+# /etc/profile: login shell setup
+#
+# That this file is used by any Bourne-shell derivative to setup the
+# environment for login shells.
+#
+
+# Load environment settings from profile.env, which is created by
+# env-update from the files in /etc/env.d
+if [ -e /etc/profile.env ] ; then
+ . /etc/profile.env
+elif [ -e /usr/share/baselayout/profile.env ] ; then
+ . /usr/share/baselayout/profile.env
+fi
+
+# You should override these in your ~/.bashrc (or equivalent) for per-user
+# settings. For system defaults, you can add a new file in /etc/profile.d/.
+export EDITOR=${EDITOR:-/usr/bin/vim}
+export PAGER=${PAGER:-/usr/bin/less}
+
+# 077 would be more secure, but 022 is generally quite realistic
+umask 022
+
+# Set up PATH, all users get both bin and sbin to keep things simple.
+# Gentoo normally splits this up which is why the variable is called ROOTPATH
+export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin${ROOTPATH:+:}${ROOTPATH-}"
+unset ROOTPATH
+
+if [ -n "${BASH_VERSION-}" ] ; then
+ # Newer bash ebuilds include /etc/bash/bashrc which will setup PS1
+ # including color. We leave out color here because not all
+ # terminals support it.
+ if [ -f /etc/bash/bashrc ] ; then
+ # Bash login shells run only /etc/profile
+ # Bash non-login shells run only /etc/bash/bashrc
+ # Since we want to run /etc/bash/bashrc regardless, we source it
+ # from here. It is unfortunate that there is no way to do
+ # this *after* the user's .bash_profile runs (without putting
+ # it in the user's dot-files), but it shouldn't make any
+ # difference.
+ . /etc/bash/bashrc
+ elif [ -f /usr/share/bash/bashrc ] ; then
+ . /usr/share/bash/bashrc
+ else
+ PS1='\u@\h \w \$ '
+ fi
+else
+ # Setup a bland default prompt. Since this prompt should be useable
+ # on color and non-color terminals, as well as shells that don't
+ # understand sequences such as \h, don't put anything special in it.
+ PS1="${USER:-$(whoami 2>/dev/null)}@$(uname -n 2>/dev/null) \$ "
+fi
+
+for sh in /usr/share/profile.d/*.sh ; do
+ [ -r "$sh" ] && . "$sh"
+done
+for sh in /etc/profile.d/*.sh ; do
+ [ -r "$sh" ] && . "$sh"
+done
+unset sh
↺ cis-dil-benchmark-5.4.5: Ensure default user shell timeout is 900 seconds or less
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-5.5: Ensure root login is restricted to system console
↺ Not implemented
× cis-dil-benchmark-5.6: Ensure access to the su command is restricted (1 failed)
× File /etc/pam.d/su content is expected to match /^auth\s+required\s+pam_wheel.so use_uid$/
expected nil to match /^auth\s+required\s+pam_wheel.so use_uid$/
✔ Groups with name == "wheel" is expected to exist
↺ cis-dil-benchmark-6.1.1: Audit system file permissions
↺ Skipped control due to only_if condition.
✔ cis-dil-benchmark-6.1.2: Ensure permissions on /etc/passwd are configured
✔ File /etc/passwd is expected to exist
✔ File /etc/passwd mode is expected to cmp == "0644"
✔ File /etc/passwd uid is expected to cmp == 0
✔ File /etc/passwd gid is expected to cmp == 0
✔ File /etc/passwd sticky is expected to equal false
✔ File /etc/passwd suid is expected to equal false
✔ File /etc/passwd sgid is expected to equal false
✔ File /usr/share/baselayout/passwd is expected to exist
✔ File /usr/share/baselayout/passwd mode is expected to cmp == "0644"
✔ File /usr/share/baselayout/passwd uid is expected to cmp == 0
✔ File /usr/share/baselayout/passwd gid is expected to cmp == 0
✔ File /usr/share/baselayout/passwd sticky is expected to equal false
✔ File /usr/share/baselayout/passwd suid is expected to equal false
✔ File /usr/share/baselayout/passwd sgid is expected to equal false
✔ cis-dil-benchmark-6.1.3: Ensure permissions on /etc/shadow are configured
✔ File /etc/shadow is expected to exist
✔ File /etc/shadow is expected not to be more permissive than "0644"
✔ File /etc/shadow uid is expected to cmp == 0
✔ File /etc/shadow gid is expected to cmp == 0
✔ File /usr/share/baselayout/shadow is expected to exist
✔ File /usr/share/baselayout/shadow is expected not to be more permissive than "0644"
✔ File /usr/share/baselayout/shadow uid is expected to cmp == 0
✔ File /usr/share/baselayout/shadow gid is expected to cmp == 0
✔ cis-dil-benchmark-6.1.4: Ensure permissions on /etc/group are configured
✔ File /etc/group is expected to exist
✔ File /etc/group mode is expected to cmp == "0644"
✔ File /etc/group uid is expected to cmp == 0
✔ File /etc/group gid is expected to cmp == 0
✔ File /usr/share/baselayout/group is expected to exist
✔ File /usr/share/baselayout/group mode is expected to cmp == "0644"
✔ File /usr/share/baselayout/group uid is expected to cmp == 0
✔ File /usr/share/baselayout/group gid is expected to cmp == 0
✔ cis-dil-benchmark-6.1.5: Ensure permissions on /etc/gshadow are configured
✔ File /etc/gshadow is expected to exist
✔ File /etc/gshadow is expected not to be more permissive than "0640"
✔ File /etc/gshadow uid is expected to cmp == 0
✔ File /etc/gshadow gid is expected to cmp == 0
× cis-dil-benchmark-6.1.6: Ensure permissions on /etc/passwd- are configured (1 failed)
✔ File /etc/passwd- is expected to exist
× File /etc/passwd- is expected not to be more permissive than "0600"
expected `File /etc/passwd-.more_permissive_than?("0600")` to be falsey, got true
✔ File /etc/passwd- uid is expected to cmp == 0
✔ File /etc/passwd- gid is expected to cmp == 0
✔ cis-dil-benchmark-6.1.7: Ensure permissions on /etc/shadow- are configured
✔ File /etc/shadow- is expected to exist
✔ File /etc/shadow- is expected not to be more permissive than "0640"
✔ File /etc/shadow- uid is expected to cmp == 0
✔ File /etc/shadow- gid is expected to cmp == 0
✔ cis-dil-benchmark-6.1.8: Ensure permissions on /etc/group- are configured
✔ File /etc/group- is expected to exist
✔ File /etc/group- is expected not to be more permissive than "0644"
✔ File /etc/group- uid is expected to cmp == 0
✔ File /etc/group- gid is expected to cmp == 0
✔ cis-dil-benchmark-6.1.9: Ensure permissions on /etc/gshadow- are configured
✔ File /etc/gshadow- is expected to exist
✔ File /etc/gshadow- is expected not to be more permissive than "0640"
✔ File /etc/gshadow- uid is expected to cmp == 0
✔ File /etc/gshadow- gid is expected to cmp == 0
✔ cis-dil-benchmark-6.1.10: Ensure no world writable files exist
✔ Command: `df --local -P | awk '{ if (NR!=1) print $6 }' | xargs -I '{}' find '{}' -xdev -type f -perm -0002` stdout is expected to cmp == ""
× cis-dil-benchmark-6.1.11: Ensure no unowned files or directories exist
× Command: `df --local -P | awk '{ if (NR!=1) print $6 }' | xargs -I '{}' find '{}' -xdev -nouser` stdout is expected to cmp == ""
expected:
got: /media/configvirtfs
/media/configvirtfs
/media/configvirtfs/openstack
/media/configvirtfs/openstack/latest
/media/configvirtfs/openstack/latest/user_data
(compared using `cmp` matcher)
× cis-dil-benchmark-6.1.12: Ensure no ungrouped files or directories exist
× Command: `df --local -P | awk '{ if (NR!=1) print $6 }' | xargs -I '{}' find '{}' -xdev -nogroup` stdout is expected to cmp == ""
expected:
got: /media/configvirtfs
/media/configvirtfs
/media/configvirtfs/openstack
/media/configvirtfs/openstack/latest
/media/configvirtfs/openstack/latest/user_data
(compared using `cmp` matcher)
↺ cis-dil-benchmark-6.1.13: Audit SUID executables
↺ Not implemented
↺ cis-dil-benchmark-6.1.14: Audit SGID executables
↺ Not implemented
✔ cis-dil-benchmark-6.2.1: Ensure password fields are not empty
✔ /etc/shadow passwords is expected not to include ""
✔ /usr/share/baselayout/shadow passwords is expected not to include ""
✔ cis-dil-benchmark-6.2.2: Ensure no legacy "+" entries exist in /etc/passwd
✔ /etc/passwd users is expected not to include "+"
✔ /etc/passwd users is expected not to include "+"
✔ cis-dil-benchmark-6.2.3: Ensure no legacy "+" entries exist in /etc/shadow
✔ /etc/shadow users is expected not to include "+"
✔ /usr/share/baselayout/shadow users is expected not to include "+"
✔ cis-dil-benchmark-6.2.4: Ensure no legacy "+" entries exist in /etc/group
✔ /etc/group groups is expected not to include "+"
✔ /etc/group groups is expected not to include "+"
✔ cis-dil-benchmark-6.2.5: Ensure root is the only UID 0 account
✔ /etc/passwd with uid == 0 users is expected to cmp == ["root"]
✔ /etc/passwd with uid == 0 users is expected to cmp == ["root"]
✔ cis-dil-benchmark-6.2.6: Ensure root PATH Integrity
✔ ["/usr/bin", "/bin", "/usr/sbin", "/sbin"] is expected not to be empty
✔ ["/usr/bin", "/bin", "/usr/sbin", "/sbin"] is expected not to include ""
✔ ["/usr/bin", "/bin", "/usr/sbin", "/sbin"] is expected not to include "."
✔ File /usr/bin is expected to be directory
✔ File /usr/bin is expected not to be writable by group
✔ File /usr/bin is expected not to be writable by other
✔ File /usr/bin uid is expected to cmp == 0
✔ File /bin is expected to be directory
✔ File /bin is expected not to be writable by group
✔ File /bin is expected not to be writable by other
✔ File /bin uid is expected to cmp == 0
✔ File /usr/sbin is expected to be directory
✔ File /usr/sbin is expected not to be writable by group
✔ File /usr/sbin is expected not to be writable by other
✔ File /usr/sbin uid is expected to cmp == 0
✔ File /sbin is expected to be directory
✔ File /sbin is expected not to be writable by group
✔ File /sbin is expected not to be writable by other
✔ File /sbin uid is expected to cmp == 0
✔ cis-dil-benchmark-6.2.11: Ensure no users have .forward files
✔ File /root/.forward is expected not to exist
✔ File /home/core/.forward is expected not to exist
✔ File //.forward is expected not to exist
✔ File //.forward is expected not to exist
✔ File /root/.forward is expected not to exist
✔ File /bin/.forward is expected not to exist
✔ File /sbin/.forward is expected not to exist
✔ File /var/adm/.forward is expected not to exist
✔ File /var/spool/lpd/.forward is expected not to exist
✔ File /sbin/.forward is expected not to exist
✔ File /sbin/.forward is expected not to exist
✔ File /sbin/.forward is expected not to exist
✔ File /var/spool/news/.forward is expected not to exist
✔ File /var/spool/uucp/.forward is expected not to exist
✔ File /root/.forward is expected not to exist
✔ File /usr/share/man/.forward is expected not to exist
✔ File /dev/null/.forward is expected not to exist
✔ File /dev/null/.forward is expected not to exist
✔ File /dev/null/.forward is expected not to exist
✔ File /var/empty/.forward is expected not to exist
✔ File /dev/null/.forward is expected not to exist
✔ File /var/lib/dhcpcd/.forward is expected not to exist
✔ File /dev/null/.forward is expected not to exist
✔ File /dev/null/.forward is expected not to exist
✔ File /dev/null/.forward is expected not to exist
✔ File /var/lib/polkit-1/.forward is expected not to exist
✔ File /dev/null/.forward is expected not to exist
✔ File /dev/null/.forward is expected not to exist
✔ File /dev/null/.forward is expected not to exist
✔ File /dev/null/.forward is expected not to exist
✔ File /dev/null/.forward is expected not to exist
✔ File /var/tmp/portage/.forward is expected not to exist
✔ File /home/core/.forward is expected not to exist
✔ File /var/empty/.forward is expected not to exist
✔ cis-dil-benchmark-6.2.12: Ensure no users have .netrc files
✔ File /root/.netrc is expected not to exist
✔ File /home/core/.netrc is expected not to exist
✔ File //.netrc is expected not to exist
✔ File //.netrc is expected not to exist
✔ File /root/.netrc is expected not to exist
✔ File /bin/.netrc is expected not to exist
✔ File /sbin/.netrc is expected not to exist
✔ File /var/adm/.netrc is expected not to exist
✔ File /var/spool/lpd/.netrc is expected not to exist
✔ File /sbin/.netrc is expected not to exist
✔ File /sbin/.netrc is expected not to exist
✔ File /sbin/.netrc is expected not to exist
✔ File /var/spool/news/.netrc is expected not to exist
✔ File /var/spool/uucp/.netrc is expected not to exist
✔ File /root/.netrc is expected not to exist
✔ File /usr/share/man/.netrc is expected not to exist
✔ File /dev/null/.netrc is expected not to exist
✔ File /dev/null/.netrc is expected not to exist
✔ File /dev/null/.netrc is expected not to exist
✔ File /var/empty/.netrc is expected not to exist
✔ File /dev/null/.netrc is expected not to exist
✔ File /var/lib/dhcpcd/.netrc is expected not to exist
✔ File /dev/null/.netrc is expected not to exist
✔ File /dev/null/.netrc is expected not to exist
✔ File /dev/null/.netrc is expected not to exist
✔ File /var/lib/polkit-1/.netrc is expected not to exist
✔ File /dev/null/.netrc is expected not to exist
✔ File /dev/null/.netrc is expected not to exist
✔ File /dev/null/.netrc is expected not to exist
✔ File /dev/null/.netrc is expected not to exist
✔ File /dev/null/.netrc is expected not to exist
✔ File /var/tmp/portage/.netrc is expected not to exist
✔ File /home/core/.netrc is expected not to exist
✔ File /var/empty/.netrc is expected not to exist
✔ cis-dil-benchmark-6.2.14: Ensure no users have .rhosts files
✔ File /root/.rhosts is expected not to exist
✔ File /home/core/.rhosts is expected not to exist
✔ File //.rhosts is expected not to exist
✔ File //.rhosts is expected not to exist
✔ File /root/.rhosts is expected not to exist
✔ File /bin/.rhosts is expected not to exist
✔ File /sbin/.rhosts is expected not to exist
✔ File /var/adm/.rhosts is expected not to exist
✔ File /var/spool/lpd/.rhosts is expected not to exist
✔ File /sbin/.rhosts is expected not to exist
✔ File /sbin/.rhosts is expected not to exist
✔ File /sbin/.rhosts is expected not to exist
✔ File /var/spool/news/.rhosts is expected not to exist
✔ File /var/spool/uucp/.rhosts is expected not to exist
✔ File /root/.rhosts is expected not to exist
✔ File /usr/share/man/.rhosts is expected not to exist
✔ File /dev/null/.rhosts is expected not to exist
✔ File /dev/null/.rhosts is expected not to exist
✔ File /dev/null/.rhosts is expected not to exist
✔ File /var/empty/.rhosts is expected not to exist
✔ File /dev/null/.rhosts is expected not to exist
✔ File /var/lib/dhcpcd/.rhosts is expected not to exist
✔ File /dev/null/.rhosts is expected not to exist
✔ File /dev/null/.rhosts is expected not to exist
✔ File /dev/null/.rhosts is expected not to exist
✔ File /var/lib/polkit-1/.rhosts is expected not to exist
✔ File /dev/null/.rhosts is expected not to exist
✔ File /dev/null/.rhosts is expected not to exist
✔ File /dev/null/.rhosts is expected not to exist
✔ File /dev/null/.rhosts is expected not to exist
✔ File /dev/null/.rhosts is expected not to exist
✔ File /var/tmp/portage/.rhosts is expected not to exist
✔ File /home/core/.rhosts is expected not to exist
✔ File /var/empty/.rhosts is expected not to exist
× cis-dil-benchmark-6.2.15: Ensure all groups in /etc/passwd exist in /etc/group (2 failed)
✔ /etc/group gids is expected to include 0
✔ /etc/group gids is expected to include 0
✔ /etc/group gids is expected to include 500
✔ /etc/group gids is expected to include 500
✔ /etc/group gids is expected to include 998
✔ /etc/group gids is expected to include 997
✔ /etc/group gids is expected to include 0
✔ /etc/group gids is expected to include 0
✔ /etc/group gids is expected to include 1
✔ /etc/group gids is expected to include 2
✔ /etc/group gids is expected to include 4
✔ /etc/group gids is expected to include 7
✔ /etc/group gids is expected to include 0
✔ /etc/group gids is expected to include 0
✔ /etc/group gids is expected to include 0
✔ /etc/group gids is expected to include 0
✔ /etc/group gids is expected to include 0
✔ /etc/group gids is expected to include 0
✔ /etc/group gids is expected to include 13
✔ /etc/group gids is expected to include 14
✔ /etc/group gids is expected to include 0
✔ /etc/group gids is expected to include 0
✔ /etc/group gids is expected to include 15
✔ /etc/group gids is expected to include 201
✔ /etc/group gids is expected to include 202
✔ /etc/group gids is expected to include 203
✔ /etc/group gids is expected to include 204
✔ /etc/group gids is expected to include 215
✔ /etc/group gids is expected to include 224
✔ /etc/group gids is expected to include 232
✔ /etc/group gids is expected to include 233
✔ /etc/group gids is expected to include 233
✔ /etc/group gids is expected to include 234
✔ /etc/group gids is expected to include 235
× /etc/group gids is expected to include 236
expected [0, 10, 150, 233, 500, 999, 251, 998, 997] to include 236
× /etc/group gids is expected to include 236
expected [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 14, 15, 17, 18, 19, 26, 27, 28, 29, 30, 78, 80, 85, 100, 1..., 204, 215, 224, 232, 233, 234, 235, 242, 244, 245, 246, 248, 249, 250, 252, 406, 500, 65533, 65534] to include 236
✔ /etc/group gids is expected to include 242
✔ /etc/group gids is expected to include 244
✔ /etc/group gids is expected to include 245
✔ /etc/group gids is expected to include 246
✔ /etc/group gids is expected to include 250
✔ /etc/group gids is expected to include 500
✔ /etc/group gids is expected to include 500
✔ /etc/group gids is expected to include 65534
✔ cis-dil-benchmark-6.2.16: Ensure no duplicate UIDs exist
✔ is expected to be nil
✔ is expected to be nil
✔ cis-dil-benchmark-6.2.17: Ensure no duplicate GIDs exist
✔ is expected to be nil
✔ is expected to be nil
✔ cis-dil-benchmark-6.2.18: Ensure no duplicate user names exist
✔ is expected to be nil
✔ is expected to be nil
✔ cis-dil-benchmark-6.2.19: Ensure no duplicate group names exist
✔ is expected to be nil
✔ is expected to be nil
✔ cis-dil-benchmark-6.2.20: Ensure shadow group is empty
✔ #<Inspec::Resources::EtcGroupView:0x00005653ef65b8e8> users is expected to be empty
✔ #<Inspec::Resources::EtcGroupView:0x00005653ef8865f0> users is expected to be empty
Profile Summary: 65 successful controls, 83 control failures, 82 controls skipped
Test Summary: 593 successful, 258 failures, 88 skipped
================================================
FILE: CIS/inspec-report-level2-root-2020-12-08.txt
================================================
Profile: CIS Distribution Independent Linux Benchmark Profile (cis-dil-benchmark)
Version: 0.4.4
Target: ssh://root@localhost:2222
× cis-dil-benchmark-1.1.1.1: Ensure mounting of cramfs filesystems is disabled (1 failed)
✔ Kernel Module cramfs is expected not to be loaded
× Kernel Module cramfs is expected to be disabled
expected `Kernel Module cramfs.disabled?` to be truthy, got false
× cis-dil-benchmark-1.1.1.2: Ensure mounting of freevxfs filesystems is disabled (1 failed)
✔ Kernel Module freevxfs is expected not to be loaded
× Kernel Module freevxfs is expected to be disabled
expected `Kernel Module freevxfs.disabled?` to be truthy, got false
× cis-dil-benchmark-1.1.1.3: Ensure mounting of jffs2 filesystems is disabled (1 failed)
✔ Kernel Module jffs2 is expected not to be loaded
× Kernel Module jffs2 is expected to be disabled
expected `Kernel Module jffs2.disabled?` to be truthy, got false
× cis-dil-benchmark-1.1.1.4: Ensure mounting of hfs filesystems is disabled (1 failed)
✔ Kernel Module hfs is expected not to be loaded
× Kernel Module hfs is expected to be disabled
expected `Kernel Module hfs.disabled?` to be truthy, got false
× cis-dil-benchmark-1.1.1.5: Ensure mounting of hfsplus filesystems is disabled (1 failed)
✔ Kernel Module hfsplus is expected not to be loaded
× Kernel Module hfsplus is expected to be disabled
expected `Kernel Module hfsplus.disabled?` to be truthy, got false
× cis-dil-benchmark-1.1.1.6: Ensure mounting of squashfs filesystems is disabled (1 failed)
✔ Kernel Module squashfs is expected not to be loaded
× Kernel Module squashfs is expected to be disabled
expected `Kernel Module squashfs.disabled?` to be truthy, got false
× cis-dil-benchmark-1.1.1.7: Ensure mounting of udf filesystems is disabled (1 failed)
✔ Kernel Module udf is expected not to be loaded
× Kernel Module udf is expected to be disabled
expected `Kernel Module udf.disabled?` to be truthy, got false
× cis-dil-benchmark-1.1.1.8: Ensure mounting of FAT filesystems is disabled (2 failed)
× Kernel Module vfat is expected not to be loaded
expected `Kernel Module vfat.loaded?` to be falsey, got true
× Kernel Module vfat is expected to be disabled
expected `Kernel Module vfat.disabled?` to be truthy, got false
✔ cis-dil-benchmark-1.1.2: Ensure separate partition exists for /tmp
✔ Mount /tmp is expected to be mounted
✔ cis-dil-benchmark-1.1.3: Ensure nodev option set on /tmp partition
✔ Mount /tmp options is expected to include "nodev"
✔ cis-dil-benchmark-1.1.4: Ensure nosuid option set on /tmp partition
✔ Mount /tmp options is expected to include "nosuid"
× cis-dil-benchmark-1.1.5: Ensure noexec option set on /tmp partition
× Mount /tmp options is expected to include "noexec"
expected ["rw", "nosuid", "nodev", "seclabel", "nr_inodes=409600"] to include "noexec"
× cis-dil-benchmark-1.1.6: Ensure separate partition exists for /var
× Mount /var is expected to be mounted
Mount /var is not mounted
× cis-dil-benchmark-1.1.7: Ensure separate partition exists for /var/tmp
× Mount /var/tmp is expected to be mounted
Mount /var/tmp is not mounted
↺ cis-dil-benchmark-1.1.8: Ensure nodev option set on /var/tmp partition
↺ Skipped control due to only_if condition: /var/tmp is mounted
↺ cis-dil-benchmark-1.1.9: Ensure nosuid option set on /var/tmp partition
↺ Skipped control due to only_if condition: /var/tmp is mounted
↺ cis-dil-benchmark-1.1.10: Ensure noexec option set on /var/tmp partition
↺ Skipped control due to only_if condition: /var/tmp is mounted
× cis-dil-benchmark-1.1.11: Ensure separate partition exists for /var/log
× Mount /var/log is expected to be mounted
Mount /var/log is not mounted
× cis-dil-benchmark-1.1.12: Ensure separate partition exists for /var/log/audit
× Mount /var/log/audit is expected to be mounted
Mount /var/log/audit is not mounted
× cis-dil-benchmark-1.1.13: Ensure separate partition exists for /home
× Mount /home is expected to be mounted
Mount /home is not mounted
↺ cis-dil-benchmark-1.1.14: Ensure nodev option set on /home partition
↺ Skipped control due to only_if condition: /home is mounted
✔ cis-dil-benchmark-1.1.15: Ensure nodev option set on /dev/shm partition
✔ Mount /dev/shm options is expected to include "nodev"
✔ cis-dil-benchmark-1.1.16: Ensure nosuid option set on /dev/shm partitionrun
✔ Mount /dev/shm options is expected to include "nosuid"
× cis-dil-benchmark-1.1.17: Ensure noexec option set on /dev/shm partition
× Mount /dev/shm options is expected to include "noexec"
expected ["rw", "nosuid", "nodev", "seclabel"] to include "noexec"
↺ cis-dil-benchmark-1.1.18: Ensure nodev option set on removable media partitions
↺ Not implemented
↺ cis-dil-benchmark-1.1.19: Ensure nosuid option set on removable media partitions
↺ Not implemented
↺ cis-dil-benchmark-1.1.20: Ensure noexec option set on removable media partitions
↺ Not implemented
✔ cis-dil-benchmark-1.1.21: Ensure sticky bit is set on all world-writable directories
✔ Command: `df --local -P | awk '{ if (NR!=1) print $6 }' | xargs -I '{}' find '{}' -xdev -type d ( -perm -0002 -a ! -perm -1000 )` stdout is expected to cmp == ""
✔ cis-dil-benchmark-1.1.22: Disable Automounting
✔ Service autofs is expected not to be enabled
✔ Service autofs is expected not to be running
✔ Service autofs is expected not to be enabled
✔ Service autofs is expected not to be running
× cis-dil-benchmark-1.1.23: Disable USB Storage (1 failed)
✔ Kernel Module usb_storage is expected not to be loaded
× Kernel Module usb_storage is expected to be disabled
expected `Kernel Module usb_storage.disabled?` to be truthy, got false
↺ cis-dil-benchmark-1.2.1: Ensure package manager repositories are configured
↺ Not implemented
↺ cis-dil-benchmark-1.2.2: Ensure GPG keys are configured
↺ Not implemented
× cis-dil-benchmark-1.3.1: Ensure AIDE is installed (2 failed)
× System Package aide is expected to be installed
expected that `System Package aide` is installed
× Command: `aide` is expected to exist
expected Command: `aide` to exist
× cis-dil-benchmark-1.3.2: Ensure filesystem integrity is regularly checked (4 failed)
× File /var/spool/cron/crontabs/root content is expected to match /aide (--check|-C)/
expected nil to match /aide (--check|-C)/
× File /var/spool/cron/root content is expected to match /aide (--check|-C)/
expected nil to match /aide (--check|-C)/
× File /etc/crontab content is expected to match /aide (--check|-C)/
expected nil to match /aide (--check|-C)/
× File /etc/cron.weekly/mdadm content is expected to match /aide (--check|-C)/
expected "#!/bin/sh\n# This requires that AUTOCHECK is true in /etc/default/mdadm\nif [ -x /usr/sbin/checkarray ] && [ $(date +\\%d) -le 7 ]; then\n\t/usr/sbin/checkarray --cron --all --idle --quiet\nfi\n" to match /aide (--check|-C)/
Diff:
@@ -1,5 +1,9 @@
-/aide (--check|-C)/
+#!/bin/sh
+# This requires that AUTOCHECK is true in /etc/default/mdadm
+if [ -x /usr/sbin/checkarray ] && [ $(date +\%d) -le 7 ]; then
+ /usr/sbin/checkarray --cron --all --idle --quiet
+fi
× cis-dil-benchmark-1.4.1: Ensure permissions on bootloader config are configured (22 failed)
× File /boot/grub/grub.conf is expected to exist
expected File /boot/grub/grub.conf to exist
✔ File /boot/grub/grub.conf is expected not to be readable by group
✔ File /boot/grub/grub.conf is expected not to be writable by group
✔ File /boot/grub/grub.conf is expected not to be executable by group
✔ File /boot/grub/grub.conf is expected not to be readable by other
✔ File /boot/grub/grub.conf is expected not to be writable by other
✔ File /boot/grub/grub.conf is expected not to be executable by other
× File /boot/grub/grub.conf gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub/grub.conf uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub/grub.cfg is expected to exist
expected File /boot/grub/grub.cfg to exist
✔ File /boot/grub/grub.cfg is expected not to be readable by group
✔ File /boot/grub/grub.cfg is expected not to be writable by group
✔ File /boot/grub/grub.cfg is expected not to be executable by group
✔ File /boot/grub/grub.cfg is expected not to be readable by other
✔ File /boot/grub/grub.cfg is expected not to be writable by other
✔ File /boot/grub/grub.cfg is expected not to be executable by other
× File /boot/grub/grub.cfg gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub/grub.cfg uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub/menu.lst is expected to exist
expected File /boot/grub/menu.lst to exist
✔ File /boot/grub/menu.lst is expected not to be readable by group
✔ File /boot/grub/menu.lst is expected not to be writable by group
✔ File /boot/grub/menu.lst is expected not to be executable by group
✔ File /boot/grub/menu.lst is expected not to be readable by other
✔ File /boot/grub/menu.lst is expected not to be writable by other
✔ File /boot/grub/menu.lst is expected not to be executable by other
× File /boot/grub/menu.lst gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub/menu.lst uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/boot/grub/grub.conf is expected to exist
expected File /boot/boot/grub/grub.conf to exist
✔ File /boot/boot/grub/grub.conf is expected not to be readable by group
✔ File /boot/boot/grub/grub.conf is expected not to be writable by group
✔ File /boot/boot/grub/grub.conf is expected not to be executable by group
✔ File /boot/boot/grub/grub.conf is expected not to be readable by other
✔ File /boot/boot/grub/grub.conf is expected not to be writable by other
✔ File /boot/boot/grub/grub.conf is expected not to be executable by other
× File /boot/boot/grub/grub.conf gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/boot/grub/grub.conf uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/boot/grub/grub.cfg is expected to exist
expected File /boot/boot/grub/grub.cfg to exist
✔ File /boot/boot/grub/grub.cfg is expected not to be readable by group
✔ File /boot/boot/grub/grub.cfg is expected not to be writable by group
✔ File /boot/boot/grub/grub.cfg is expected not to be executable by group
✔ File /boot/boot/grub/grub.cfg is expected not to be readable by other
✔ File /boot/boot/grub/grub.cfg is expected not to be writable by other
✔ File /boot/boot/grub/grub.cfg is expected not to be executable by other
× File /boot/boot/grub/grub.cfg gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/boot/grub/grub.cfg uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
✔ File /boot/boot/grub/menu.lst is expected to exist
× File /boot/boot/grub/menu.lst is expected not to be readable by group
expected File /boot/boot/grub/menu.lst not to be readable by group
✔ File /boot/boot/grub/menu.lst is expected not to be writable by group
× File /boot/boot/grub/menu.lst is expected not to be executable by group
expected File /boot/boot/grub/menu.lst not to be executable by group
× File /boot/boot/grub/menu.lst is expected not to be readable by other
expected File /boot/boot/grub/menu.lst not to be readable by other
✔ File /boot/boot/grub/menu.lst is expected not to be writable by other
× File /boot/boot/grub/menu.lst is expected not to be executable by other
expected File /boot/boot/grub/menu.lst not to be executable by other
✔ File /boot/boot/grub/menu.lst gid is expected to cmp == 0
✔ File /boot/boot/grub/menu.lst uid is expected to cmp == 0
× File /boot/grub2/grub.cfg is expected to exist
expected File /boot/grub2/grub.cfg to exist
✔ File /boot/grub2/grub.cfg is expected not to be readable by group
✔ File /boot/grub2/grub.cfg is expected not to be writable by group
✔ File /boot/grub2/grub.cfg is expected not to be executable by group
✔ File /boot/grub2/grub.cfg is expected not to be readable by other
✔ File /boot/grub2/grub.cfg is expected not to be writable by other
✔ File /boot/grub2/grub.cfg is expected not to be executable by other
× File /boot/grub2/grub.cfg gid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× File /boot/grub2/grub.cfg uid is expected to cmp == 0
expected: 0
got:
(compared using `cmp` matcher)
× cis-dil-benchmark-1.4.2: Ensure bootloader password is set (14 failed)
× File /boot/grub/grub.conf content is expected to match /^set superusers/
expected nil to match /^set superusers/
× File /boot/grub/grub.conf content is expected to match /^password/
expected nil to match /^password/
× File /boot/grub/grub.cfg content is expected to match /^set superusers/
expected nil to match /^set superusers/
× File /boot/grub/grub.cfg content is expected to match /^password/
expected nil to match /^password/
× File /boot/grub/menu.lst content is expected to match /^set superusers/
expected nil to match /^set superusers/
× File /boot/grub/menu.lst content is expected to match /^password/
expected nil to match /^password/
× File /boot/boot/grub/grub.conf content is expected to match /^set superusers/
expected nil to match /^set superusers/
× File /boot/boot/grub/grub.conf content is expected to match /^password/
expected nil to match /^password/
× File /boot/boot/grub/grub.cfg content is expected to match /^set superusers/
expected nil to match /^set superusers/
× File /boot/boot/grub/grub.cfg content is expected to match /^password/
expected nil to match /^password/
× File /boot/boot/grub/menu.lst content is expected to match /^set superusers/
expected "timeout 0\ntitle CoreOS GRUB2\nroot (hd0,0)\nkernel /xen/pvboot-x86_64.elf\n" to match /^set superusers/
Diff:
@@ -1,4 +1,7 @@
-/^set superusers/
+timeout 0
+title CoreOS GRUB2
+root (hd0,0)
+kernel /xen/pvboot-x86_64.elf
× File /boot/boot/grub/menu.lst content is expected to match /^password/
expected "timeout 0\ntitle CoreOS GRUB2\nroot (hd0,0)\nkernel /xen/pvboot-x86_64.elf\n" to match /^password/
Diff:
@@ -1,4 +1,7 @@
-/^password/
+timeout 0
+title CoreOS GRUB2
+root (hd0,0)
+kernel /xen/pvboot-x86_64.elf
× File /boot/grub2/grub.cfg content is expected to match /^set superusers/
expected nil to match /^set superusers/
× File /boot/grub2/grub.cfg content is expected to match /^password/
expected nil to match /^password/
× cis-dil-benchmark-1.4.3: Ensure authentication required for single user mode (3 failed)
× /etc/shadow with user == "root" passwords is expected not to include "*"
expected ["*"] not to include "*"
✔ /etc/shadow with user == "root" passwords is expected not to include "!"
× File /etc/inittab content is expected to match /^~~:S:respawn:\/sbin\/sulogin/
expected nil to match /^~~:S:respawn:\/sbin\/sulogin/
× File /etc/sysconfig/init content is expected to match /^SINGLE=\/sbin\/sulogin$/
expected nil to match /^SINGLE=\/sbin\/sulogin$/
↺ cis-dil-benchmark-1.4.4: Ensure interactive boot is not enabled
↺ Not implemented
× cis-dil-benchmark-1.5.1: Ensure core dumps are restricted (2 failed)
× File /etc/security/limits.conf content is expected to match /^\s*\*\s+hard\s+core\s+0\s*(?:#.*)?$/
expected "# /etc/security/limits.conf\n#\n#Each line describes a limit for a user in the form:\n#\n#<domain> ... hard nproc 0\n\#@student - maxlogins 4\n\n# End of file\n" to match /^\s*\*\s+hard\s+core\s+0\s*(?:#.*)?$/
Diff:
@@ -1,50 +1,99 @@
-/^\s*\*\s+hard\s+core\s+0\s*(?:#.*)?$/
+# /etc/security/limits.conf
+#
+#Each line describes a limit for a user in the form:
+#
+#<domain> <type> <item> <value>
+#
+#Where:
+#<domain> can be:
+# - a user name
+# - a group name, with @group syntax
+# - the wildcard *, for default entry
+# - the wildcard %, can be also used with %group syntax,
+# for maxlogin limit
+#
+#<type> can have the two values:
+# - "soft" for enforcing the soft limits
+# - "hard" for enforcing hard limits
+#
+#<item> can be one of the following:
+# - core - limits the core file size (KB)
+# - data - max data size (KB)
+# - fsize - maximum filesize (KB)
+# - memlock - max locked-in-memory address space (KB)
+# - nofile - max number of open file descriptors
+# - rss - max resident set size (KB)
+# - stack - max stack size (KB)
+# - cpu - max CPU time (MIN)
+# - nproc - max number of processes
+# - as - address space limit (KB)
+# - maxlogins - max number of logins for this user
+# - maxsyslogins - max number of logins on the system
+# - priority - the priority to run user process with
+# - locks - max number of file locks the user can hold
+# - sigpending - max number of pending signals
+# - msgqueue - max memory used by POSIX message queues (bytes)
+# - nice - max nice priority allowed to raise to values: [-20, 19]
+# - rtprio - max realtime priority
+#
+#<domain> <type> <item> <value>
+#
+
+#* soft core 0
+#* hard rss 10000
+#@student hard nproc 20
+#@faculty soft nproc 20
+#@faculty hard nproc 50
+#ftp hard nproc 0
+#@student - maxlogins 4
+
+# End of file
× Kernel Parameter fs.suid_dumpable value is expected to eq 0
expected: 0
got: 2
(compared using ==)
✔ cis-dil-benchmark-1.5.2: Ensure XD/NX support is enabled
✔ Command: `dmesg | grep NX` stdout is expected to match /NX \(Execute Disable\) protection: active/
✔ cis-dil-benchmark-1.5.3: Ensure address space layout randomization (ASLR) is enabled
✔ Kernel Parameter kernel.randomize_va_space value is expected to eq 2
✔ cis-dil-benchmark-1.5.4: Ensure prelink is disabled
✔ System Package prelink is expected not to be installed
✔ Command: `prelink` is expected not to exist
× cis-dil-benchmark-1.6.1.1: Ensure SELinux or AppArmor are installed (3 failed)
× System Package libselinux is expected to be installed
expected that `System Package libselinux` is installed
× System Package libselinux1 is expected to be installed
expected that `System Package libselinux1` is installed
× System Package apparmor is expected to be installed
expected that `System Package apparmor` is installed
✔ cis-dil-benchmark-1.6.2.1: Ensure SELinux is not disabled in bootloader configuration
✔ File /boot/grub2/grub.cfg content is expected not to match /selinux=0/
✔ File /boot/grub2/grub.cfg content is expected not to match /enforcing=0/
✔ File /boot/grub/menu.lst content is expected not to match /selinux=0/
✔ File /boot/grub/menu.lst content is expected not to match /enforcing=0/
× cis-dil-benchmark-1.6.2.2: Ensure the SELinux state is enforcing (3 failed)
× File /etc/selinux/config content is expected to match /^SELINUX=enforcing\s*(?:#.*)?$/
expected "# This file controls the state of SELinux on the system on boot.\n\n# SELINUX can take one of these ...th Multi-Category Security \n#\t (mls, but only one sensitivity level)\nSELINUXTYPE=mcs\n" to match /^SELINUX=enforcing\s*(?:#.*)?$/
Diff:
@@ -1,15 +1,29 @@
-/^SELINUX=enforcing\s*(?:#.*)?$/
+# This file controls the state of SELinux on the system on boot.
+
+# SELINUX can take one of these three values:
+# enforcing - SELinux security policy is enforced.
+# permissive - SELinux prints warnings instead of enforcing.
+# disabled - No SELinux policy is loaded.
+SELINUX=permissive
+
+# SELINUXTYPE can take one of these four values:
+# targeted - Only targeted network daemons are protected.
+# strict - Full SELinux protection.
+# mls - Full SELinux protection with Multi-Level Security
+# mcs - Full SELinux protection with Multi-Category Security
+# (mls, but only one sensitivity level)
+SELINUXTYPE=mcs
✔ Command: `sestatus` stdout is expected to match /SELinux status:\s+enabled/
× Command: `sestatus` stdout is expected to match /Current mode:\s+enforcing/
expected "SELinux status: enabled\nSELinuxfs mount: /sys/fs/selinux\nSELinux ro... enabled\nPolicy deny_unknown status: allowed\nMax kernel policy version: 31\n" to match /Current mode:\s+enforcing/
Diff:
@@ -1,9 +1,17 @@
-/Current mode:\s+enforcing/
+SELinux status: enabled
+SELinuxfs mount: /sys/fs/selinux
+SELinux root directory: /etc/selinux
+Loaded policy name: mcs
+Current mode: permissive
+Mode from config file: permissive
+Policy MLS status: enabled
+Policy deny_unknown status: allowed
+Max kernel policy version: 31
× Command: `sestatus` stdout is expected to match /Mode from config file:\s+enforcing/
expected "SELinux status: enabled\nSELinuxfs mount: /sys/fs/selinux\nSELinux ro... enabled\nPolicy deny_unknown status: allowed\nMax kernel policy version: 31\n" to match /Mode from config file:\s+enforcing/
Diff:
@@ -1,9 +1,17 @@
-/Mode from config file:\s+enforcing/
+SELinux status: enabled
+SELinuxfs mount: /sys/fs/selinux
+SELinux root directory: /etc/selinux
+Loaded policy name: mcs
+Current mode: permissive
+Mode from config file: permissive
+Policy MLS status: enabled
+Policy deny_unknown status: allowed
+Max kernel policy version: 31
× cis-dil-benchmark-1.6.2.3: Ensure SELinux policy is configured (2 failed)
× File /etc/selinux/config content is expected to match /^SELINUXTYPE=(targeted|mls)\s*(?:#.*)?$/
expected "# This file controls the state of SELinux on the system on boot.\n\n# SELINUX can take one of these ...th Multi-Category Security \n#\t (mls, but only one sensitivity level)\nSELINUXTYPE=mcs\n" to match /^SELINUXTYPE=(targeted|mls)\s*(?:#.*)?$/
Diff:
@@ -1,15 +1,29 @@
-/^SELINUXTYPE=(targeted|mls)\s*(?:#.*)?$/
+# This file controls the state of SELinux on the system on boot.
+
+# SELINUX can take one of these three values:
+# enforcing - SELinux security policy is enforced.
+# permissive - SELinux prints warnings instead of enforcing.
+# disabled - No SELinux policy is loaded.
+SELINUX=permissive
+
+# SELINUXTYPE can take one of these four values:
+# targeted - Only targeted network daemons are protected.
+# strict - Full SELinux protection.
+# mls - Full SELinux protection with Multi-Level Security
+# mcs - Full SELinux protection with Multi-Category Security
+# (mls, but only one sensitivity level)
+SELINUXTYPE=mcs
× Command: `sestatus` stdout is expected to match /Policy from config file:\s+(targeted|mls)/
expected "SELinux status: enabled\nSELinuxfs mount: /sys/fs/selinux\nSELinux ro... enabled\nPolicy deny_unknown status: allowed\nMax kernel policy version: 31\n" to match /Policy from config file:\s+(targeted|mls)/
Diff:
@@ -1,9 +1,17 @@
-/Policy from config file:\s+(targeted|mls)/
+SELinux status: enabled
+SELinuxfs mount: /sys/fs/selinux
+SELinux root directory: /etc/selinux
+Loaded policy name: mcs
+Current mode: permissive
+Mode from config file: permissive
+Policy MLS status: enabled
+Policy deny_unknown status: allowed
+Max kernel policy version: 31
↺ cis-dil-benchmark-1.6.2.4: Ensure SETroubleshoot is not installed (1 skipped)
↺ The `package` resource is not supported on your OS yet.
✔ Command: `setroubleshoot` is expected not to exist
↺ cis-dil-benchmark-1.6.2.5: Ensure the MCS Translation Service (mcstrans) is not installed (1 failed) (1 skipped)
↺ The `package` resource is not supported on your OS yet.
× Command: `mcstransd` is expected not to exist
expected Command: `mcstransd` not to exist
✔ cis-dil-benchmark-1.6.2.6: Ensure no unconfined daemons exist
✔ Command: `ps -eZ | grep -E "initrc" | grep -E -v -w "tr|ps|grep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'` stdout is expected to eq ""
↺ cis-dil-benchmark-1.6.3.1: Ensure AppArmor is not disabled in bootloader configuration
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-1.6.3.2: Ensure all AppArmor Profiles are enforcing
↺ Skipped control due to only_if condition.
✔ cis-dil-benchmark-1.7.1.1: Ensure message of the day is configured properly
✔ Command: `grep -E -i '(\v|\r|\m|\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))' /etc/motd` stdout is expected to eq ""
✔ cis-dil-benchmark-1.7.1.2: Ensure local login warning banner is configured properly
✔ Command: `grep -E -i '(\v|\r|\m|\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))' /etc/issue` stdout is expected to eq ""
✔ cis-dil-benchmark-1.7.1.3: Ensure remote login warning banner is configured properly
✔ Command: `grep -E -i '(\v|\r|\m|\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))' /etc/issue.net` stdout is expected to eq ""
✔ cis-dil-benchmark-1.7.1.4: Ensure permissions on /etc/motd are configured
✔ File /etc/motd group is expected to eq "root"
✔ File /etc/motd owner is expected to eq "root"
✔ File /etc/motd mode is expected to cmp == "0644"
✔ cis-dil-benchmark-1.7.1.5: Ensure permissions on /etc/issue are configured
✔ File /etc/issue group is expected to eq "root"
✔ File /etc/issue owner is expected to eq "root"
✔ File /etc/issue mode is expected to cmp == "0644"
× cis-dil-benchmark-1.7.1.6: Ensure permissions on /etc/issue.net are configured (3 failed)
× File /etc/issue.net group is expected to eq "root"
expected: "root"
got: nil
(compared using ==)
× File /etc/issue.net owner is expected to eq "root"
expected: "root"
got: nil
(compared using ==)
× File /etc/issue.net mode is expected to cmp == "0644"
can't convert nil into Integer
↺ cis-dil-benchmark-1.7.2: Ensure GDM login banner is configured
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-1.8: Ensure updates, patches, and additional security software are installed
↺ Not implemented
↺ cis-dil-benchmark-2.1.1: Ensure chargen services are not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.2: Ensure daytime services are not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.3: Ensure discard services are not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.4: Ensure echo services are not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.5: Ensure time services are not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.6: Ensure rsh server is not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.7: Ensure talk server is not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.8: Ensure telnet server is not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
↺ cis-dil-benchmark-2.1.9: Ensure tftp server is not enabled
↺ Skipped control due to only_if condition: inetd/xinetd config exists
✔ cis-dil-benchmark-2.1.10: Ensure xinetd is not enabled
✔ Service xinetd is expected not to be enabled
✔ Service xinetd is expected not to be running
✔ cis-dil-benchmark-2.2.1.1: Ensure time synchronization is in use
✔ Command: `ntpd` is expected to exist
× cis-dil-benchmark-2.2.1.2: Ensure ntp is configured (4 failed)
✔ ntp.conf server is expected not to eq nil
✔ ["default nomodify nopeer noquery notrap limited kod", "127.0.0.1", "[::1]"] is expected to match /default\s+(\S+\s+)*kod(?:\s+|\s?")/
✔ ["default nomodify nopeer noquery notrap limited kod", "127.0.0.1", "[::1]"] is expected to match /default\s+(\S+\s+)*nomodify(?:\s+|\s?")/
✔ ["default nomodify nopeer noquery notrap limited kod", "127.0.0.1", "[::1]"] is expected to match /default\s+(\S+\s+)*notrap(?:\s+|\s?")/
✔ ["default nomodify nopeer noquery notrap limited kod", "127.0.0.1", "[::1]"] is expected to match /default\s+(\S+\s+)*nopeer(?:\s+|\s?")/
✔ ["default nomodify nopeer noquery notrap limited kod", "127.0.0.1", "[::1]"] is expected to match /default\s+(\S+\s+)*noquery(?:\s+|\s?")/
× File /etc/init.d/ntp content is expected to match /^RUNASUSER=ntp\s*(?:#.*)?$/
expected nil to match /^RUNASUSER=ntp\s*(?:#.*)?$/
× File /etc/init.d/ntpd content is expected to match /daemon\s+(\S+\s+)-u ntp:ntp(?:\s+|\s?")/
expected nil to match /daemon\s+(\S+\s+)-u ntp:ntp(?:\s+|\s?")/
× File /etc/sysconfig/ntpd content is expected to match /^OPTIONS="(?:.)?-u ntp:ntp\s*(?:.)?"\s*(?:#.*)?$/
expected nil to match /^OPTIONS="(?:.)?-u ntp:ntp\s*(?:.)?"\s*(?:#.*)?$/
× File /usr/lib/systemd/system/ntpd.service content is expected to match /^ExecStart=\/usr\/s?bin\/ntpd (?:.)?-u ntp:ntp\s*(?:.)?$/
expected "[Unit]\nDescription=Network Time Service\nAfter=ntpdate.service sntp.service\nConflicts=systemd-time...tp/ntp.drift -u ntp:ntp\nPrivateTmp=true\nRestart=always\n\n[Install]\nWantedBy=multi-user.target\n" to match /^ExecStart=\/usr\/s?bin\/ntpd (?:.)?-u ntp:ntp\s*(?:.)?$/
Diff:
@@ -1,12 +1,23 @@
-/^ExecStart=\/usr\/s?bin\/ntpd (?:.)?-u ntp:ntp\s*(?:.)?$/
+[Unit]
+Description=Network Time Service
+After=ntpdate.service sntp.service
+Conflicts=systemd-timesyncd.service
+
+[Service]
+ExecStart=/usr/sbin/ntpd -g -n -f /var/lib/ntp/ntp.drift -u ntp:ntp
+PrivateTmp=true
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
↺ cis-dil-benchmark-2.2.1.3: Ensure chrony is configured
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-2.2.1.4: Ensure systemd-timesyncd is configured
↺ Skipped control due to only_if condition.
↺ cis-dil-benchmark-2.2.2: Ensure X Window System is not installed (2 skipped)
↺ The packages resource is not yet supported on OS coreos
↺ The packages resource is not yet supported on OS coreos
✔ cis-dil-benchmark-2.2.3: Ensure Avahi Server is not enabled
✔ Service avahi-daemon is expected not to be enabled
✔ Service avahi-daemon is expected not to be running
✔ cis-dil-benchmark-2.2.4: Ensure CUPS is not enabled
✔ Service cups is expected not to be enabled
✔ Service cups is expected not to be running
✔ cis-dil-benchmark-2.2.5: Ensure DHCP Server is not enabled
✔ Service isc-dhcp-server is expected not to be enabled
✔ Service isc-dhcp-server is expected not to be running
✔ Service isc-dhcp-server6 is expected not to be enabled
✔ Service isc-dhcp-server6 is expected not to be running
✔ Service dhcpd is expected not to be enabled
✔ Service dhcpd is expected not to be running
✔ cis-dil-benchmark-2.2.6: Ensure LDAP server is not enabled
✔ Service slapd is expected not to be enabled
✔ Service slapd is expected not to be running
✔ cis-dil-benchmark-2.2.7: Ensure NFS and RPC are not enabled
✔ Service nfs-kernel-server is expected not to be enabled
✔ Service nfs-kernel-server is expected not to be running
✔ Service nfs is expected not to be enabled
✔ Service nfs is expected not to be running
✔ Service rpcbind is expected not to be enabled
✔ Service rpcbind is expected not to be running
✔ cis-dil-benchmark-2.2.8: Ensure DNS Server is not enabled
✔ Service named is expected not to be enabled
✔ Service named is expected not to be running
✔ Service bind is expected not to be enabled
✔ Service bind is expected not to be running
✔ Service bind9 is expected not to be enabled
✔ Service bind9 is expected not to be running
✔ cis-dil-benchmark-2.2.9: Ensure FTP Server is not enabled
✔ Service vsftpd is expected not to be enabled
✔ Service vsftpd is expected not to be running
✔ cis-dil-benchmark-2.2.10: Ensure HTTP server is not enabled
✔ Service apache is expected not to be enabled
✔ Service apache is expected not to be running
✔ Service apache2 is expected not to be enabled
✔ Service apache2 is expected not to be running
✔ Service httpd is expected not to be enabled
✔ Service httpd is expected not to be running
✔ Service lighttpd is expected not to be enabled
✔ Service lighttpd is expected not to be running
✔ Service nginx is expected not to be enabled
✔ Service nginx is expected not to be running
✔ cis-dil-benchmark-2.2.11: Ensure IMAP and POP3 server is not enabled
✔ Service dovecot is expected not to be enabled
✔ Service dovecot is expected not to be running
✔ Service courier-imap is expected not to be enabled
✔ Service courier-imap is expected not to be running
✔ Service cyrus-imap is expected not to be enabled
✔ Service cyrus-imap is expected not to be running
✔ cis-dil-benchmark-2.2.12: Ensure Samba is not enabled
✔ Service samba is expected not to be enabled
✔ Service samba is expected not to be running
✔ Service smb is expected not to be enabled
✔ Service smb is expected not to be running
✔ Service smbd is expected not to be enabled
✔ Service smbd is expected not to be running
✔ cis-dil-benchmark-2.2.13: Ensure HTTP Proxy Server is not enabled
✔ Service squid is expected not to be enabled
✔ Service squid is expected not to be running
✔ Service squid3 is expected not to be enabled
✔ Service squid3 is expected not to be running
✔ cis-dil-benchmark-2.2.14: Ensure SNMP Server is not enabled
✔ Service snmpd is expected not to be enabled
✔ Service snmpd is expected not to be running
✔ cis-dil-benchmark-2.2.15: Ensure mail transfer agent is configured for local-only mode
✔ Port 25 with address !~ /^(127\.0\.0\.1|::1)$/ entries is expected to be empty
✔ cis-dil-benchmark-2.2.16: Ensure rsync service is not enabled
✔ Service rsync is expected not to be enabled
✔ Service rsync is expected not to be running
✔ Service rsyncd is expected not to be enabled
✔ Service rsyncd is expected not to be running
✔ cis-dil-benchmark-2.2.17: Ensure NIS Server is not enabled
✔ Service nis is expected not to be enabled
✔ Service nis is expected not to be running
✔ Service ypserv is expected not to be enabled
✔ Service ypserv is expected not to be running
↺ cis-dil-benchmark-2.3.1: Ensure NIS Client is not installed (2 skipped)
↺ The `package` resource is not supported on your OS yet.
↺ The `package` resource is not supported on your OS yet.
↺ cis-dil-benchmark-2.3.2: Ensure rsh client is not installed (3 skipped)
↺ The `package` resource is not supported on your OS yet.
↺ The `package` resource is not supported on your OS yet.
↺ The `package` resource is not supported on your OS yet.
↺ cis-dil-benchmark-2.3.3: Ensure talk client is not installed
↺ The `package` resource is not supported on your OS yet.
↺ cis-dil-benchmark-2.3.4: Ensure telnet client is not installed
↺ The `package` resource is not supported on your OS yet.
↺ cis-dil-benchmark-2.3.5: Ensure LDAP client is not installed (3 skipped)
↺ The `package` resource is not supported on your OS yet.
↺ The `package` resource is not supported on your OS yet.
↺ The `package` resource is not supported on your OS yet.
× cis-dil-benchmark-3.1.1: Ensure IP forwarding is disabled (1 failed)
✔ Kernel Parameter net.ipv4.ip_forward value is expected not to be nil
× Kernel Parameter net.ipv4.ip_forward value is expected to cmp == 0
expected: 0
got: 1
(compared using `cmp` matcher)
✔ Kernel Parameter net.ipv6.conf.all.forwarding value is expected not to be nil
✔ Kernel Parameter net.ipv6.conf.all.forwarding value is expected to cmp == 0
× cis-dil-benchmark-3.1.2: Ensure packet redirect sending is disabled (2 failed)
✔ Kernel Parameter net.ipv4.conf.all.send_redirects value is expected not to be nil
× Kernel Parameter net.ipv4.conf.all.send_redirects value is expected to cmp == 0
expected: 0
got: 1
(compared using `cmp` matcher)
✔ Kernel Parameter net.ipv4.conf.default.send_redirects value is expected not to be nil
× Kernel Parameter net.ipv4.conf.default.send_redirects value is expected to cmp == 0
expected: 0
got: 1
(compared using `cmp` matcher)
✔ cis-dil-benchmark-3.2.1: Ensure source routed packets are not accepted
✔ Kernel Parameter net.ipv4.conf.all.accept_source_route value is expected not to be nil
✔ Kernel Parameter net.ipv4.conf.all.accept_source_route value is expected to eq 0
✔ Kernel Parameter net.ipv4.conf.default.accept_source_route value is expected not to be nil
✔ Kernel Parameter net.ipv4.conf.default.accept_source_route value is expected to eq 0
✔ Kernel Parameter net.ipv6.conf.all.accept_source_route value is expected not to be nil
✔ Kernel Parameter net.ipv6.conf.all.accept_source_route value is expected to eq 0
✔ Kernel Parameter net.ipv6.conf.default.accept_source_route value is expected not to be nil
✔ Kernel Parameter net.ipv6.conf.default.accept_source_route value is expected to eq 0
× cis-dil-benchmark-3.2.2: Ensure ICMP redirects are not accepted (3 failed)
✔ Kernel Parameter net.ipv4.conf.all.accept_redirects value is expected not to be nil
✔ Kernel Parameter net.ipv4.conf.all.accept_redirects value is expected to eq 0
✔ Kernel Parameter net.ipv4.conf.default.accept_redirects value is expected not to be nil
× Kernel Parameter net.ipv4.conf.default.accept_redirects value is expected to eq 0
expected: 0
got: 1
(compared using ==)
✔ Kernel Parameter net.ipv6.conf.all.accept_redirects value is expected not to be nil
× Kernel Parameter net.ipv6.conf.all.accept_redirects value is expected to eq 0
expected: 0
got: 1
(compared using ==)
✔ Kernel Parameter net.ipv6.conf.default.accept_redirects value is expected not to be nil
× Kernel Parameter net.ipv6.conf.default.accept_redirects value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× cis-dil-benchmark-3.2.3: Ensure secure ICMP redirects are not accepted (2 failed)
✔ Kernel Parameter net.ipv4.conf.all.secure_redirects value is expected not to be nil
× Kernel Parameter net.ipv4.conf.all.secure_redirects value is expected to eq 0
expected: 0
got: 1
(compared using ==)
✔ Kernel Parameter net.ipv4.conf.default.secure_redirects value is expected not to be nil
× Kernel Parameter net.ipv4.conf.default.secure_redirects value is expected to eq 0
expected: 0
got: 1
(compared using ==)
× cis-dil-benchmark-3.2.4: Ensure suspicious packets are logged (2 failed)
✔ Kernel Parameter net.ipv4.conf.all.log_martians value is expected not to be nil
× Kernel Parameter net.ipv4.conf.all.log_martians value is expected to eq 1
expected: 1
got: 0
(compared using ==)
✔ Kernel Parameter net.ipv4.conf.default.log_martians value is expected not to be nil
× Kernel Parameter net.ipv4.conf.default.log_martians value is expected to eq 1
expected: 1
got: 0
(compared using ==)
✔ cis-dil-benchmark-3.2.5: Ensure broadcast ICMP requests are ignored
✔ Kernel Parameter net.ipv4.icmp_echo_ignore_broadcasts value is expected not to be nil
✔ Kernel Parameter net.ipv4.icmp