
Merge branch 'stretch' of ssh://code.freedombone.net:2222/bashrc/freedombone into buster

Bob Mottram 2 months ago
parent
commit
88cf749408
4 changed files with 45 additions and 1 deletions
  1. 1 1
      src/freedombone-app-pleroma
  2. 26 0
      src/freedombone-tests
  3. 13 0
      tests/check-nc.sh
  4. 5 0
      tests/output.sh

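--- a/src/freedombone-app-pleroma
+++ b/src/freedombone-app-pleroma
@@ -40,7 +40,7 @@ PLEROMA_CODE=
 PLEROMA_PORT=4000
 PLEROMA_ONION_PORT=8011
 PLEROMA_REPO="https://git.pleroma.social/pleroma/pleroma.git"
-PLEROMA_COMMIT='91ac8b075b0a8c82b5e8a9d3316724e534486932'
+PLEROMA_COMMIT='e706b42f519fe754af980fc758be492b24e3ccde'
 PLEROMA_ADMIN_PASSWORD=
 PLEROMA_DIR=/etc/pleroma
 PLEROMA_SECRET_KEY=""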

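--- a/src/freedombone-tests
+++ b/src/freedombone-tests
@@ -240,10 +240,29 @@ function disallow_package {
     fi
 }
 
+function remove_netcat {
+    # shellcheck disable=SC2230
+    netcat_command="$(which nc)"
+    if [[ "$netcat_command" ]]; then
+	if [ -f "$netcat_command" ]; then
+	    # store the details for investigation
+	    ls -l "$netcat_command" > /root/.netcat
+	    file "$netcat_command" >> /root/.netcat
+            ${PROJECT_NAME}-notification -s "[${PROJECT_NAME}] netcat" -m "$(cat /root/.netcat)"
+	    $REMOVE_PACKAGES_PURGE netcat
+            $REMOVE_UNUSED_PACKAGES
+	    if [ -f "$netcat_command" ]; then
+		rm -f "$netcat_command"
+	    fi
+	fi
+    fi
+}
+
 function fix_stig {
     if [[ $RUN_STIG != 'fix' ]]; then
         return
     fi
+    remove_netcat
     disallow_package xinetd
     lockdown_permissions
 }
@@ -527,6 +546,13 @@ function test_stig {
     output "V-38576" $? ${SETLANG}
     ################
 
+    ##netcat must not be installed
+    bash $STIG_TESTS_DIR/check-nc.sh > /dev/null 2>&1 &
+
+    stig_spinner $!
+    output "V-78252" $? ${SETLANG}
+    ################
+    
     ##RHEL-06-000064
     ##The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).
 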
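Review bot: In `remove_netcat`, purging the package literally named `netcat` and then deleting the path returned by `which nc` does not reliably get rid of netcat on Debian: `nc` is normally an alternatives symlink to `nc.openbsd` or `nc.traditional` shipped by `netcat-openbsd`/`netcat-traditional`, so the symlink goes while the binary stays, and the link is recreated at the next package upgrade. Purging every installed `netcat*` package via `dpkg-query` before falling back to `rm -f`, and using `command -v nc` instead of the `which` that needs the SC2230 suppression, would close that gap; the sketch below assumes the Debian package names, so verify it on a buster host. The new lines also mix tab and space indentation (the `if [ -f` lines are tab-indented, the notification and `$REMOVE_UNUSED_PACKAGES` lines use spaces) where the rest of the file uses four spaces. `fix_stig` and `test_stig` both continue outside the hunk.
```shell
function remove_netcat {
    local netcat_command pkg
    netcat_command="$(command -v nc)"
    [[ "$netcat_command" && -f "$netcat_command" ]] || return
    # … unchanged: record ls/file output in /root/.netcat and send the notification …
    # purge every installed netcat* package, not just the 'netcat' metapackage:
    # the real binary is normally nc.openbsd or nc.traditional behind an alternatives link
    while read -r pkg; do
        $REMOVE_PACKAGES_PURGE "$pkg"
    done < <(dpkg-query -W -f='${Package} ${Status}\n' 'netcat*' 2>/dev/null | awk '$NF=="installed"{print $1}')
    $REMOVE_UNUSED_PACKAGES
    # only an unpackaged copy (or a stale alternatives link) should be left by now
    if [ -f "$netcat_command" ]; then
        rm -f "$netcat_command"
    fi
}
```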

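--- /dev/null
+++ b/tests/check-nc.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+if [ -f /bin/nc ];then
+    exit 1
+fi
+
+if [ -f /usr/bin/nc ];then
+    exit 1
+fi
+
+if [[ "$(which nc)" ]]; then
+    exit 1
+fi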
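Review bot: The check only looks for something called `nc`, so a host where the `nc` alternatives link has been deleted but `nc.openbsd`, `nc.traditional`, `netcat` or nmap's `ncat` is still on disk passes V-78252 — which is exactly the state the `remove_netcat` fix in freedombone-tests can leave behind. Looping over the known binary names with `command -v` (which also replaces the `which` that ShellCheck flags as SC2230) and keeping a few explicit paths for the case where root's PATH is minimal covers that; the extra names below come from the Debian packages, so confirm them against the target release. The script should also end with an explicit `exit 0` so a pass does not depend on the final `if` falling through.
```shell
#!/bin/bash
# Exit 1 if any netcat variant is installed. The names beyond `nc` are the
# Debian alternatives targets and nmap's ncat — confirm for the target release.
for candidate in nc nc.openbsd nc.traditional netcat ncat; do
    if command -v "$candidate" > /dev/null 2>&1; then
        exit 1
    fi
done
for path in /bin/nc /usr/bin/nc /bin/nc.openbsd /bin/nc.traditional; do
    if [ -f "$path" ]; then
        exit 1
    fi
done
exit 0
```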

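--- a/tests/output.sh
+++ b/tests/output.sh
@@ -643,6 +643,11 @@ time, are stored in the following directories by default:\n\n/lib\n/lib64\n/usr/
                   printf '\n######################\n\nSTIG-ID:RHEL-06-000064\n\nVulnerability Discussion: Using a stronger hashing algorithm makes password cracking attacks more difficult.\n\nFix text: In "/etc/libuser.conf", add or correct the following line in its "[defaults]" section to ensure the system will use the SHA-512 algorithm for password hashing:\n\ncrypt_style = sha512  \n\n######################\n\n' >> $LOG
               fi
               ;;
+    V-78252)  log_msg $2 'netcat (nc) should not be installed on this system'
+              if [ $2 -ne 0 ];then
+                  printf '\n######################\n\nSTIG-ID:WTF-05-000179\n\nHaving netcat present makes life extra convenient for anyone breaking into your system.\nMake them do the work of installing it or downloading it, which increases the defensive possibilities.\n\n######################\n\n' >> $LOG
+              fi
+              ;;
     V-38579)  if [ "$3" = "en" ]; then
                   log_msg $2 'The system boot loader configuration file(s) must be owned by root.'
               else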
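Review bot: The identifier written to the log for the netcat finding, `STIG-ID:WTF-05-000179`, is not a DISA STIG identifier and does not match the `V-78252` label the case arm keys on, so anyone mapping log entries back to a STIG item will hit a dead end. Since this is a project-local rule rather than a RHEL-06 item, say so in the logged text — e.g. `Local check (no DISA STIG equivalent); reported under V-78252` — and keep the two identifiers consistent, whichever one is kept. The justification could also note that `bash`'s `/dev/tcp`, `python`, `perl` and `curl` give an intruder much the same capability, so this control raises the bar rather than removing it. Unlike the neighbouring arms, this one has no `"$3" = "en"` branch, so `log_msg` emits English regardless of SETLANG.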