@cmedley
Last active October 31, 2018 10:43
Troubleshooting dev-sec/linux-baseline tests
---
driver:
  name: vagrant

provisioner:
  name: chef_zero
  # You may wish to disable always updating cookbooks in CI or other testing environments.
  # For example:
  #   always_update_cookbooks: <%= !ENV['CI'] %>
  always_update_cookbooks: true

verifier:
  name: inspec

platforms:
  - name: centos-7.3

suites:
  - name: default
    run_list:
      - recipe[os-hardening]
      - recipe[test::default]
    verifier:
      inspec_tests:
        - test/smoke/default
    attributes:
source 'https://supermarket.chef.io'
metadata
cookbook 'sysctl', github: 'sous-chefs/sysctl', ref: '3bd0913abe693039cf1b291686238cd3f7c9c9bf'
cookbook 'os-hardening', github: 'dev-sec/chef-os-hardening'
Added a debugging statement to auditd_conf.rb under /opt/chefdk/embedded/lib/ruby/gems/2.3.0 (so you can see the message in the test runs below):
def read_params
  return @params if defined?(@params)
  # read the file
  file = inspec.file(@conf_path)
  puts "Does this file exist? #{file.file?}" # debugging statement added for this gist
  # ... rest of the upstream method body unchanged
end
======================
$ inspec supermarket exec dev-sec/linux-baseline -t ssh://vagrant@127.0.0.1:2200 -i <<private_key>>
[2017-07-21T11:14:04-04:00] WARN: URL target https://github.com/dev-sec/linux-baseline transformed to https://github.com/dev-sec/linux-baseline/archive/master.tar.gz. Consider using the git fetcher
[2017-07-21T11:14:04-04:00] WARN: URL target https://github.com/dev-sec/linux-baseline transformed to https://github.com/dev-sec/linux-baseline/archive/master.tar.gz. Consider using the git fetcher
[DEPRECATION] `contain_duplicates` is deprecated and will be removed in the next major version. See https://github.com/chef/inspec/issues/738 for more details
[DEPRECATION] `contain_duplicates` is deprecated and will be removed in the next major version. See https://github.com/chef/inspec/issues/738 for more details
Does this file exist? false
Profile: DevSec Linux Security Baseline (linux-baseline)
Version: 2.1.1
Target: ssh://vagrant@127.0.0.1:2200
✔ os-01: Trusted hosts login
✔ File /etc/hosts.equiv should not exist
✔ os-02: Check owner and permissions for /etc/shadow
✔ File /etc/shadow should exist
✔ File /etc/shadow should be file
✔ File /etc/shadow should be owned by "root"
✔ File /etc/shadow should not be executable
✔ File /etc/shadow should be writable by owner
✔ File /etc/shadow should be readable by owner
✔ File /etc/shadow should not be readable by other
✔ File /etc/shadow group should eq "root"
✔ File /etc/shadow should not be readable by group
✔ os-03: Check owner and permissions for /etc/passwd
✔ File /etc/passwd should exist
✔ File /etc/passwd should be file
✔ File /etc/passwd should be owned by "root"
✔ File /etc/passwd should not be executable
✔ File /etc/passwd should be writable by owner
✔ File /etc/passwd should not be writable by group
✔ File /etc/passwd should not be writable by other
✔ File /etc/passwd should be readable by owner
✔ File /etc/passwd should be readable by group
✔ File /etc/passwd should be readable by other
✔ File /etc/passwd group should eq "root"
✔ os-04: Dot in PATH variable
✔ Environment variable PATH split should not include ""
✔ Environment variable PATH split should not include "."
✔ os-05: Check login.defs
✔ File /etc/login.defs should exist
✔ File /etc/login.defs should be file
✔ File /etc/login.defs should be owned by "root"
✔ File /etc/login.defs should not be executable
✔ File /etc/login.defs should be readable by owner
✔ File /etc/login.defs should be readable by group
✔ File /etc/login.defs should be readable by other
✔ File /etc/login.defs group should eq "root"
✔ login.defs ENV_SUPATH should include "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
✔ login.defs ENV_PATH should include "/usr/local/bin:/usr/bin:/bin"
✔ login.defs UMASK should include "027"
✔ login.defs PASS_MAX_DAYS should eq "60"
✔ login.defs PASS_MIN_DAYS should eq "7"
✔ login.defs PASS_WARN_AGE should eq "7"
✔ login.defs LOGIN_RETRIES should eq "5"
✔ login.defs LOGIN_TIMEOUT should eq "60"
✔ login.defs UID_MIN should eq "1000"
✔ login.defs GID_MIN should eq "1000"
✔ os-05b: Check login.defs - RedHat specific
✔ File /etc/login.defs should not be writable
✔ login.defs SYS_UID_MIN should eq "100"
✔ login.defs SYS_UID_MAX should eq "999"
✔ login.defs SYS_GID_MIN should eq "100"
✔ login.defs SYS_GID_MAX should eq "999"
✔ os-06: Check for SUID/ SGID blacklist
✔ [] should be empty
✔ os-07: Unique uid and gid
✔ /etc/passwd uids should not contain duplicates
✔ /etc/group gids should not contain duplicates
✔ os-08: Entropy
✔ 2969 should >= 1000
✔ os-09: Check for .rhosts and .netrc file
✔ [] should be empty
✔ os-10: CIS: Disable unused filesystems
✔ File /etc/modprobe.d/dev-sec.conf content should match "install cramfs /bin/true"
✔ File /etc/modprobe.d/dev-sec.conf content should match "install freevxfs /bin/true"
✔ File /etc/modprobe.d/dev-sec.conf content should match "install jffs2 /bin/true"
✔ File /etc/modprobe.d/dev-sec.conf content should match "install hfs /bin/true"
✔ File /etc/modprobe.d/dev-sec.conf content should match "install hfsplus /bin/true"
✔ File /etc/modprobe.d/dev-sec.conf content should match "install squashfs /bin/true"
✔ File /etc/modprobe.d/dev-sec.conf content should match "install udf /bin/true"
✔ File /etc/modprobe.d/dev-sec.conf content should match "install vfat /bin/true"
✔ package-01: Do not run deprecated inetd or xinetd
✔ System Package inetd should not be installed
✔ System Package xinetd should not be installed
✔ package-02: Do not install Telnet server
✔ System Package telnetd should not be installed
✔ package-03: Do not install rsh server
✔ System Package telnetd should not be installed
✔ package-05: Do not install ypserv server (NIS)
✔ System Package ypserv should not be installed
✔ package-06: Do not install tftp server
✔ System Package tftp-server should not be installed
✔ package-07: Install syslog server package
✔ System Package rsyslog should be installed
× package-08: Install auditd (11 failed)
✔ System Package audit should be installed
× Audit Daemon Config log_file should cmp == "/var/log/audit/audit.log"
expected: "/var/log/audit/audit.log"
got:
(compared using `cmp` matcher)
× Audit Daemon Config log_format should cmp == "raw"
expected: "raw"
got:
(compared using `cmp` matcher)
× Audit Daemon Config flush should match /^INCREMENTAL|INCREMENTAL_ASYNC$/
expected nil to match /^INCREMENTAL|INCREMENTAL_ASYNC$/
× Audit Daemon Config max_log_file_action should cmp == "ROTATE"
expected: "ROTATE"
got:
(compared using `cmp` matcher)
× Audit Daemon Config space_left should cmp == 75
expected: 75
got:
(compared using `cmp` matcher)
× Audit Daemon Config action_mail_acct should cmp == "root"
expected: "root"
got:
(compared using `cmp` matcher)
× Audit Daemon Config space_left_action should cmp == "SYSLOG"
expected: "SYSLOG"
got:
(compared using `cmp` matcher)
× Audit Daemon Config admin_space_left should cmp == 50
expected: 50
got:
(compared using `cmp` matcher)
× Audit Daemon Config admin_space_left_action should cmp == "SUSPEND"
expected: "SUSPEND"
got:
(compared using `cmp` matcher)
× Audit Daemon Config disk_full_action should cmp == "SUSPEND"
expected: "SUSPEND"
got:
(compared using `cmp` matcher)
× Audit Daemon Config disk_error_action should cmp == "SUSPEND"
expected: "SUSPEND"
got:
(compared using `cmp` matcher)
✔ package-09: CIS: Additional process hardening
✔ System Package prelink should not be installed
✔ sysctl-01: IPv4 Forwarding
✔ Kernel Parameter net.ipv4.ip_forward value should eq 0
✔ Kernel Parameter net.ipv4.conf.all.forwarding value should eq 0
✔ sysctl-02: Reverse path filtering
✔ Kernel Parameter net.ipv4.conf.all.rp_filter value should eq 1
✔ Kernel Parameter net.ipv4.conf.default.rp_filter value should eq 1
✔ sysctl-03: ICMP ignore bogus error responses
✔ Kernel Parameter net.ipv4.icmp_ignore_bogus_error_responses value should eq 1
✔ sysctl-04: ICMP echo ignore broadcasts
✔ Kernel Parameter net.ipv4.icmp_echo_ignore_broadcasts value should eq 1
✔ sysctl-05: ICMP ratelimit
✔ Kernel Parameter net.ipv4.icmp_ratelimit value should eq 100
✔ sysctl-06: ICMP ratemask
✔ Kernel Parameter net.ipv4.icmp_ratemask value should eq 88089
✔ sysctl-07: TCP timestamps
✔ Kernel Parameter net.ipv4.tcp_timestamps value should eq 0
✔ sysctl-08: ARP ignore
✔ Kernel Parameter net.ipv4.conf.all.arp_ignore value should eq 1
✔ sysctl-09: ARP announce
✔ Kernel Parameter net.ipv4.conf.all.arp_announce value should eq 2
✔ sysctl-10: TCP RFC1337 Protect Against TCP Time-Wait
✔ Kernel Parameter net.ipv4.tcp_rfc1337 value should eq 1
✔ sysctl-11: Protection against SYN flood attacks
✔ Kernel Parameter net.ipv4.tcp_syncookies value should eq 1
✔ sysctl-12: Shared Media IP Architecture
✔ Kernel Parameter net.ipv4.conf.all.shared_media value should eq 1
✔ Kernel Parameter net.ipv4.conf.default.shared_media value should eq 1
✔ sysctl-13: Disable Source Routing
✔ Kernel Parameter net.ipv4.conf.all.accept_source_route value should eq 0
✔ Kernel Parameter net.ipv4.conf.default.accept_source_route value should eq 0
✔ sysctl-14: Disable acceptance of all IPv4 redirected packets
✔ Kernel Parameter net.ipv4.conf.default.accept_redirects value should eq 0
✔ Kernel Parameter net.ipv4.conf.all.accept_redirects value should eq 0
✔ sysctl-15: Disable acceptance of all secure redirected packets
✔ Kernel Parameter net.ipv4.conf.all.secure_redirects value should eq 0
✔ Kernel Parameter net.ipv4.conf.default.secure_redirects value should eq 0
✔ sysctl-16: Disable sending of redirects packets
✔ Kernel Parameter net.ipv4.conf.default.send_redirects value should eq 0
✔ Kernel Parameter net.ipv4.conf.all.send_redirects value should eq 0
✔ sysctl-17: Disable log martians
✔ Kernel Parameter net.ipv4.conf.all.log_martians value should eq 1
✔ Kernel Parameter net.ipv4.conf.default.log_martians value should eq 1
✔ sysctl-18: Disable IPv6 if it is not needed
✔ Kernel Parameter net.ipv6.conf.all.disable_ipv6 value should eq 1
✔ sysctl-19: IPv6 Forwarding
✔ Kernel Parameter net.ipv6.conf.all.forwarding value should eq 0
✔ sysctl-20: Disable acceptance of all IPv6 redirected packets
✔ Kernel Parameter net.ipv6.conf.default.accept_redirects value should eq 0
✔ Kernel Parameter net.ipv6.conf.all.accept_redirects value should eq 0
✔ sysctl-21: Disable acceptance of IPv6 router solicitations messages
✔ Kernel Parameter net.ipv6.conf.default.router_solicitations value should eq 0
✔ sysctl-22: Disable Accept Router Preference from router advertisement
✔ Kernel Parameter net.ipv6.conf.default.accept_ra_rtr_pref value should eq 0
✔ sysctl-23: Disable learning Prefix Information from router advertisement
✔ Kernel Parameter net.ipv6.conf.default.accept_ra_pinfo value should eq 0
✔ sysctl-24: Disable learning Hop limit from router advertisement
✔ Kernel Parameter net.ipv6.conf.default.accept_ra_defrtr value should eq 0
✔ sysctl-25: Disable the system`s acceptance of router advertisement
✔ Kernel Parameter net.ipv6.conf.all.accept_ra value should eq 0
✔ Kernel Parameter net.ipv6.conf.default.accept_ra value should eq 0
✔ sysctl-26: Disable IPv6 autoconfiguration
✔ Kernel Parameter net.ipv6.conf.default.autoconf value should eq 0
✔ sysctl-27: Disable neighbor solicitations to send out per address
✔ Kernel Parameter net.ipv6.conf.default.dad_transmits value should eq 0
✔ sysctl-28: Assign one global unicast IPv6 addresses to each interface
✔ Kernel Parameter net.ipv6.conf.default.max_addresses value should eq 1
✔ sysctl-29: Disable loading kernel modules
✔ Kernel Parameter kernel.modules_disabled value should eq 0
✔ sysctl-30: Magic SysRq
✔ Kernel Parameter kernel.sysrq value should eq 0
✔ sysctl-31a: Secure Core Dumps - dump settings
✔ Kernel Parameter fs.suid_dumpable value should cmp == /(0|2)/
↺ sysctl-31b: Secure Core Dumps - dump path
↺ Skipped control due to only_if condition.
✔ sysctl-32: kernel.randomize_va_space
✔ Kernel Parameter kernel.randomize_va_space value should eq 2
✔ sysctl-33: CPU No execution Flag or Kernel ExecShield
✔ /proc/cpuinfo Flags should include NX
Profile Summary: 51 successful, 1 failures, 1 skipped
Test Summary: 111 successful, 11 failures, 1 skipped
==================================================
Just running kitchen verify (copying the tests that were failing under inspec supermarket exec):
$ (git::master) kitchen verify
-----> Starting Kitchen (v1.16.0)
WARN: Unresolved specs during Gem::Specification.reset:
rake (>= 0)
WARN: Clearing out unresolved specs.
Please report a bug if this causes problems.
-----> Verifying <default-centos-73>...
Loaded tests from test/smoke/default
Does this file exist? true
Profile: tests from test/smoke/default
Version: (not specified)
Target: ssh://vagrant@127.0.0.1:2202
Audit Daemon
✔ Config log_file should cmp == "/var/log/audit/audit.log"
✔ Config log_format should cmp == "raw"
✔ Config flush should match /^INCREMENTAL|INCREMENTAL_ASYNC$/
✔ Config max_log_file_action should cmp == "ROTATE"
✔ Config space_left should cmp == 75
✔ Config action_mail_acct should cmp == "root"
✔ Config space_left_action should cmp == "SYSLOG"
✔ Config admin_space_left should cmp == 50
✔ Config admin_space_left_action should cmp == "SUSPEND"
✔ Config disk_full_action should cmp == "SUSPEND"
✔ Config disk_error_action should cmp == "SUSPEND"
Test Summary: 11 successful, 0 failures, 0 skipped
Finished verifying <default-centos-73> (0m0.48s).
-----> Kitchen is finished. (0m2.26s)
name 'test'
maintainer 'The Authors'
maintainer_email 'you@example.com'
license 'All Rights Reserved'
description 'Installs/Configures test'
long_description 'Installs/Configures test'
version '0.1.0'
chef_version '>= 12.1' if respond_to?(:chef_version)
# The `issues_url` points to the location where issues for this cookbook are
# tracked. A `View Issues` link will be displayed on this cookbook's page when
# uploaded to a Supermarket.
#
# issues_url 'https://github.com/<insert_org_here>/test/issues'
# The `source_url` points to the development repository for this cookbook. A
# `View Source` link will be displayed on this cookbook's page when uploaded to
# a Supermarket.
#
# source_url 'https://github.com/<insert_org_here>/test'
# the metadata DSL method is `depends`, and the cookbook name (see the Berksfile
# and the run_list) is os-hardening, not the GitHub repository name
depends 'os-hardening'
include_recipe 'sysctl::default'

template '/etc/sysctl.conf' do
  source 'sysctl.conf.erb'
  owner 'root'
  group 'root'
  mode '0640'
end

template '/etc/audit/auditd.conf' do
  source 'auditd.conf.erb'
  owner 'root'
  group 'root'
  mode '0640'
end

include_recipe 'sysctl::apply'

template '/etc/modprobe.d/dev-sec.conf' do
  source 'dev-sec.conf.erb'
  owner 'root'
  group 'root'
  mode '0755' # a modprobe config never needs the execute bit; '0644' is sufficient
end

package 'rng-tools'

# chef-client already runs as root here, so the sudo prefix is redundant
bash 'start rngd' do
  code <<-SH
    sudo service rngd start
  SH
end

bash 'restart sysctl' do
  code <<-SH
    sudo /sbin/sysctl -p
  SH
end
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /usr/sbin/audispd
name_format = NONE
#name = mydomain
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
#tcp_listen_port =
tcp_listen_queue = 5
#tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
install cramfs /bin/true
install freevxfs /bin/true
install jffs2 /bin/true
install hfs /bin/true
install hfsplus /bin/true
install squashfs /bin/true
install udf /bin/true
install vfat /bin/true
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.forwarding = 0
net.ipv6.conf.all.forwarding = 0
describe auditd_conf do
  its('log_file') { should cmp '/var/log/audit/audit.log' }
  its('log_format') { should cmp 'raw' }
  its('flush') { should match(/^INCREMENTAL|INCREMENTAL_ASYNC$/) }
  its('max_log_file_action') { should cmp 'ROTATE' }
  its('space_left') { should cmp 75 }
  its('action_mail_acct') { should cmp 'root' }
  its('space_left_action') { should cmp 'SYSLOG' }
  its('admin_space_left') { should cmp 50 }
  its('admin_space_left_action') { should cmp 'SUSPEND' }
  its('disk_full_action') { should cmp 'SUSPEND' }
  its('disk_error_action') { should cmp 'SUSPEND' }
end
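As an added example (not InSpec's auditd_conf resource and not part of the gist), a plain-Ruby stand-in for what read_params does, showing why the supermarket run printed blank `got:` values: when the file cannot be read every parameter is nil, so all eleven expectations in the test above fail at once, while the same file with `log_format = RAW` passes because `cmp` compares case-insensitively. The sample config is constructed from the gist's auditd.conf; AUDITD_EXPECTATIONS, parse_auditd_conf, cmp_loose and auditd_failures are names chosen here.

```ruby
# Expectations mirror the gist's test/smoke/default control (linux-baseline package-08).
AUDITD_EXPECTATIONS = {
  'log_file' => '/var/log/audit/audit.log', 'log_format' => 'raw',
  'flush' => /^INCREMENTAL|INCREMENTAL_ASYNC$/, 'max_log_file_action' => 'ROTATE',
  'space_left' => 75, 'action_mail_acct' => 'root', 'space_left_action' => 'SYSLOG',
  'admin_space_left' => 50, 'admin_space_left_action' => 'SUSPEND',
  'disk_full_action' => 'SUSPEND', 'disk_error_action' => 'SUSPEND'
}.freeze

# Constructed sample carrying the values the gist's auditd.conf template sets.
SAMPLE_AUDITD_CONF = <<~CONF
  log_file = /var/log/audit/audit.log
  log_format = RAW
  flush = INCREMENTAL
  max_log_file_action = ROTATE
  space_left = 75
  space_left_action = SYSLOG
  action_mail_acct = root
  admin_space_left = 50
  admin_space_left_action = SUSPEND
  disk_full_action = SUSPEND
  disk_error_action = SUSPEND
CONF

# Parse "key = value" lines, skipping comments and blanks. Returns nil (not {})
# for nil content, which is what an unreadable file looks like to the resource.
def parse_auditd_conf(content)
  return nil if content.nil?
  content.each_line.with_object({}) do |line, params|
    next if line.strip.empty? || line.lstrip.start_with?('#')
    key, value = line.split('=', 2)
    params[key.strip] = value.strip unless value.nil?
  end
end
# Loose comparison in the spirit of InSpec's cmp matcher: case-insensitive for
# strings (so RAW satisfies 'raw'), numeric for integers, =~ for regexes.
def cmp_loose(actual, expected)
  return false if actual.nil?
  case expected
  when Regexp  then !!(actual =~ expected)
  when Integer then actual.to_s.match?(/\A\d+\z/) && actual.to_i == expected
  else              actual.to_s.casecmp?(expected.to_s)
  end
end
# Names of the expectations that fail; nil params (file missing) fail all eleven.
def auditd_failures(params)
  AUDITD_EXPECTATIONS.reject { |key, exp| cmp_loose(params && params[key], exp) }.keys
end
puts "present: #{auditd_failures(parse_auditd_conf(SAMPLE_AUDITD_CONF)).size} failures"
puts "missing: #{auditd_failures(parse_auditd_conf(nil)).size} failures"
```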