Merge "Add option to disable automatic write of sysfs attributes"
diff --git a/.travis.yml b/.travis.yml
index 78246a5..fac2153 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,3 +1,6 @@
+language: python
+python:
+- "2.7.13"
 sudo: required
 services:
   - docker
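Review bot: The new `python:` sequence at lines 8–9 is written flush-left (`- "2.7.13"`) while the existing `services:` sequence two lines below is indented (`  - docker`); yamllint's `indentation.indent-sequences` check flags mixing both forms in one file. Indent the new entry to match the rest of the file: `  - "2.7.13"`. Quoting the version string is correct and should stay, since an unquoted `2.7` style value would be read as a float.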
diff --git a/linux/system/grub.sls b/linux/system/grub.sls
index 74ea553..49277ff 100644
--- a/linux/system/grub.sls
+++ b/linux/system/grub.sls
@@ -7,6 +7,7 @@
     - makedirs: True
 
 {%- if grains['os_family'] == 'RedHat' %}
+  {%- set boot_grub_cfg = '/boot/grub2/grub.cfg' %}
 /etc/default/grub:
   file.append:
     - text:
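Review bot: The added `{%- set boot_grub_cfg = '/boot/grub2/grub.cfg' %}` at line 21 is indented two spaces inside the RedHat branch, whereas the surrounding Jinja control tags (lines 20, 32, 44) sit at column 0; the leading `-` strips the whitespace so the rendered YAML is unaffected, but the indent reads as if Jinja scoping were indentation-based. The same applies to the `set` at line 33 and the `if`/`endif` around `onlyif` at lines 40–42 in the next hunk. Either place the tags at column 0 like the rest of the file, or fold both assignments into one line before the branch: `{%- set boot_grub_cfg = '/boot/grub2/grub.cfg' if grains['os_family'] == 'RedHat' else '/boot/grub/grub.cfg' %}`. The `if` block opened at line 20 closes outside this hunk.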
@@ -14,14 +15,26 @@
 
 grub_update:
   cmd.wait:
-  - name: grub2-mkconfig -o /boot/grub2/grub.cfg
+  - name: grub2-mkconfig -o {{ boot_grub_cfg }}
 
 {%- else %}
+  {%- set boot_grub_cfg = '/boot/grub/grub.cfg' %}
 
-{%- if grains.get('virtual_subtype', None) not in ['Docker', 'LXC'] %}
 grub_update:
   cmd.wait:
   - name: update-grub
-{%- endif %}
+  {%- if grains.get('virtual_subtype') in ['Docker', 'LXC'] %}
+  - onlyif: /bin/false
+  {%- endif %}
 
 {%- endif %}
+
+grub_cfg_permissions:
+  file.managed:
+    - name: {{ boot_grub_cfg }}
+    - user: 'root'
+    - owner: 'root'
+    - mode: '400'
+    - onlyif: test -f {{ boot_grub_cfg }}
+    - require:
+      - cmd: grub_update
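Review bot: `- owner: 'root'` at line 50 is not a documented argument of Salt's `file.managed` (ownership is expressed with `user` and `group`), so the group of grub.cfg is left unmanaged and, depending on the Salt version, the unknown argument may be rejected or silently dropped; replace it with `- group: 'root'`. The state has no `source` or `contents`, so it only manages ownership and mode of an existing file (guarded by the `onlyif: test -f` at line 52); a one-line comment above `grub_cfg_permissions` saying so, e.g. `# no source: only restrict ownership/mode of the generated grub.cfg`, would save the next reader from expecting content management. The `require` on `cmd: grub_update` still holds in containers, since a skipped `onlyif: /bin/false` state reports success rather than failure, which looks intended.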
diff --git a/metadata/service/system/cis/cis-1-1-21.yml b/metadata/service/system/cis/cis-1-1-21.yml
new file mode 100644
index 0000000..da84f49
--- /dev/null
+++ b/metadata/service/system/cis/cis-1-1-21.yml
@@ -0,0 +1,53 @@
+# CIS 1.1.21 Disable Automounting
+#
+# Description
+# ===========
+# autofs allows automatic mounting of devices, typically including CD/DVDs
+# and USB drives.
+#
+# Rationale
+# =========
+# With automounting enabled anyone with physical access could attach a USB
+# drive or disc and have its contents available in system even if they lacked
+# permissions to mount it themselves.
+#
+# Audit
+# =====
+# Run the following command to verify autofs is not enabled:
+#
+#   # systemctl is-enabled autofs
+#   disabled
+#
+# Verify result is not "enabled".
+#
+# Remediation
+# ===========
+#
+# Run the following command to disable autofs :
+#
+#   # systemctl disable autofs
+#
+# Impact
+# ======
+# The use portable hard drives is very common for workstation users. If your
+# organization allows the use of portable storage or media on workstations
+# and physical access controls to workstations is considered adequate there
+# is little value add in turning off automounting.
+#
+# Notes
+# =====
+# This control should align with the tolerance of the use of portable drives
+# and optical media in the organization. On a server requiring an admin to
+# manually mount media can be part of defense-in-depth to reduce the risk of
+# unapproved software or information being introduced or proprietary software
+# or information being exfiltrated. If admins commonly use flash drives and
+# Server access has sufficient physical controls, requiring manual mounting
+# may not increase security.
+#
+parameters:
+  linux:
+    system:
+      service:
+        autofs:
+          status: disabled
+
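Review bot: The header comment of the new file has a few wording slips worth fixing before it is copied into other CIS entries: line 71 `available in system` should read `available on the system`, line 92 `The use portable hard drives` should read `The use of portable hard drives`, and line 86 `disable autofs :` has a stray space before the colon. The file also ends with an extra blank line (line 113), which yamllint's `empty-lines` rule reports. How the `linux.system.service` formula treats `status: disabled` when the `autofs` unit is not installed is not visible here; if it errors on a missing unit, a note in this header would help, but that needs confirming against the formula.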
diff --git a/metadata/service/system/cis/init.yml b/metadata/service/system/cis/init.yml
index 5e50262..5f27e22 100644
--- a/metadata/service/system/cis/init.yml
+++ b/metadata/service/system/cis/init.yml
@@ -1,5 +1,4 @@
 classes:
-- service.linux.system.cis.cis-1-1-14_15_16
 - service.linux.system.cis.cis-1-1-1-1
 - service.linux.system.cis.cis-1-1-1-2
 - service.linux.system.cis.cis-1-1-1-3
@@ -8,6 +7,8 @@
 - service.linux.system.cis.cis-1-1-1-6
 - service.linux.system.cis.cis-1-1-1-7
 - service.linux.system.cis.cis-1-1-1-8
+- service.linux.system.cis.cis-1-1-14_15_16
+- service.linux.system.cis.cis-1-1-21
 - service.linux.system.cis.cis-1-5-1
 - service.linux.system.cis.cis-1-5-3
 - service.linux.system.cis.cis-1-5-4