Merge pull request #138 from imjoseangel/ISSUE114

rndmh3ro · web-flow · commit f2fad5442b97 · 2020-11-05T10:55:41.000+01:00
feat(osbaseline): support validation for cpu vulnerabilities
diff --git a/controls/os_spec.rb b/controls/os_spec.rb
@@ -37,6 +37,8 @@
   description: 'blacklist of suid/sgid program on system'
 )
 
+cpuvulndir = '/sys/devices/system/cpu/vulnerabilities/'
+
 control 'os-01' do
   impact 1.0
   title 'Trusted hosts login'
@@ -236,3 +238,24 @@
     its(:group) { should match(/^root|syslog$/) }
   end
 end
+
+control 'os-12' do
+  impact 1.0
+  title 'Detect vulnerabilities in the cpu-vulnerability-directory'
+  desc 'Check for known cpu vulnerabilities described here: https://www.kernel.org/doc/html/v5.6/admin-guide/hw-vuln/index.html'
+
+  if file(cpuvulndir).exist?
+    describe file(cpuvulndir) do
+      it { should be_directory }
+    end
+
+    loaded_files = command('find ' + cpuvulndir + ' -type f -maxdepth 1').stdout.split(/\n/).map(&:strip).find_all { |vulnfiles| !vulnfiles.empty? }
+
+    loaded_files.each do |vulnfile|
+      describe file(vulnfile) do
+        its(:content) { should_not match 'vulnerable' }
+        its(:content) { should_not match 'Vulnerable' }
+      end
+    end
+  end
+end
