🧹 Improving Linux policies to fit for Container images as well (#392)
Signed-off-by: Hossein Rouhani <[email protected]>
HRouhani committed May 10, 2024
1 parent d8dfebb commit a2a4785
Showing 2 changed files with 57 additions and 3 deletions.
3 changes: 3 additions & 0 deletions .github/actions/spelling/expect.txt
Expand Up @@ -192,3 +192,6 @@ xts
XUtn
yournamespace
YWQ
bci
oraclelinux
sles
57 changes: 54 additions & 3 deletions core/mondoo-linux-security.mql.yaml
Expand Up @@ -149,6 +149,7 @@ policies:
- title: Logging
filters: |
asset.family.contains('linux')
asset.kind != "container-image"
checks:
- uid: mondoo-linux-security-audit-log-storage-size-is-configured
- uid: mondoo-linux-security-audit-logs-are-not-automatically-deleted
Expand Down Expand Up @@ -199,6 +200,8 @@ queries:
- uid: mondoo-linux-security-aide-is-installed
title: Ensure Advanced Intrusion Detection Environment (AIDE) is installed
impact: 60
filters: |
asset.kind != "container-image"
mql: |
package("aide").installed
docs:
Expand Down Expand Up @@ -238,6 +241,8 @@ queries:
- uid: mondoo-linux-security-filesystem-integrity-is-regularly-checked
title: Ensure filesystem integrity is regularly checked
impact: 50
filters: |
asset.kind != "container-image"
mql: |
file("/etc/default/aide").exists && ["/etc/default/aide"].where(file(_).exists).all(parse.ini(_).params["CRON_DAILY_RUN"] == "yes") ||
command("crontab -u root -l | grep aide").stdout.lines.where(/^[^#]/).any(_.contains("aide --check")) ||
Expand Down Expand Up @@ -303,6 +308,8 @@ queries:
```
- uid: mondoo-linux-security-core-dumps-are-restricted
title: Ensure core dumps are restricted
filters: |
asset.kind != "container-image"
impact: 75
mql: |
file("/etc/security/limits.conf").content.lines.where( _ == /^[^#]/ ).where( _.contains("core") ) {
Expand Down Expand Up @@ -394,7 +401,7 @@ queries:
title: Ensure X Window System is not installed
impact: 100
mql: |
packages.none(name == /^xserver-xorg.*/)
packages.none(name == /^xserver-xorg.*/ || name == /^xorg-x11/ || name == /^xserver/)
docs:
desc: The X Window System provides a Graphical User Interface (GUI) where users can have multiple windows to run programs and various add-ons. The X Windows system is typically used on workstations where users login, but not on servers where users typically do not login.
remediation: |-
Expand All @@ -412,6 +419,8 @@ queries:
- uid: mondoo-linux-security-avahi-server-is-not-enabled
title: Ensure Avahi server is stopped and not enabled
impact: 100
filters: |
asset.kind != "container-image"
mql: |
service("avahi-daemon").enabled == false
service("avahi-daemon").running == false
Expand All @@ -432,6 +441,8 @@ queries:
- uid: mondoo-linux-security-cups-is-not-enabled
title: Ensure CUPS is stopped and not enabled
impact: 100
filters: |
asset.kind != "container-image"
mql: |
service("cups").enabled == false
service("cups").running == false
Expand All @@ -456,6 +467,8 @@ queries:
- uid: mondoo-linux-security-dhcp-server-is-not-enabled
title: Ensure DHCP server is stopped and not enabled
impact: 100
filters: |
asset.kind != "container-image"
mql: |
service("dhcpd").enabled == false
service("dhcpd").running == false
Expand All @@ -471,6 +484,8 @@ queries:
- uid: mondoo-linux-security-ldap-server-is-not-enabled
title: Ensure LDAP server is stopped and not enabled
impact: 100
filters: |
asset.kind != "container-image"
mql: |
service("slapd").enabled == false
service("slapd").running == false
Expand All @@ -486,6 +501,8 @@ queries:
- uid: mondoo-linux-security-nfs-and-rpc-are-not-enabled
title: Ensure NFS and RPC are stopped and not enabled
impact: 60
filters: |
asset.kind != "container-image"
mql: |
service("nfs").enabled == false
service("nfs").running == false
Expand All @@ -506,6 +523,8 @@ queries:
- uid: mondoo-linux-security-dns-server-is-not-enabled
title: Ensure DNS server is stopped and not enabled
impact: 60
filters: |
asset.kind != "container-image"
mql: |
service("named").enabled == false
service("named").running == false
Expand All @@ -521,6 +540,8 @@ queries:
- uid: mondoo-linux-security-ftp-server-is-not-enabled
title: Ensure FTP server is stopped and not enabled
impact: 60
filters: |
asset.kind != "container-image"
mql: |
service("vsftpd").enabled == false
service("vsftpd").running == false
Expand All @@ -536,6 +557,8 @@ queries:
- uid: mondoo-linux-security-http-server-is-not-enabled
title: Ensure HTTP servers are stopped and not enabled
impact: 60
filters: |
asset.kind != "container-image"
mql: |
service("httpd").enabled == false
service("httpd").running == false
Expand All @@ -561,6 +584,8 @@ queries:
- uid: mondoo-linux-security-imap-and-pop3-server-is-not-enabled
title: Ensure IMAP and POP3 server is stopped and not enabled
impact: 100
filters: |
asset.kind != "container-image"
mql: |
service("dovecot").enabled == false
service("dovecot").running == false
Expand All @@ -576,6 +601,8 @@ queries:
- uid: mondoo-linux-security-samba-is-not-enabled
title: Ensure Samba is stopped and not enabled
impact: 100
filters: |
asset.kind != "container-image"
mql: |
service("smb").enabled == false
service("smbd").enabled == false
Expand All @@ -595,6 +622,8 @@ queries:
- uid: mondoo-linux-security-http-proxy-server-is-not-enabled
title: Ensure HTTP Proxy server is stopped and not enabled
impact: 60
filters: |
asset.kind != "container-image"
mql: |
service("squid").enabled == false
service("squid").running == false
Expand All @@ -615,6 +644,8 @@ queries:
- uid: mondoo-linux-security-snmp-server-is-not-enabled
title: Ensure SNMP server is stopped and not enabled
impact: 100
filters: |
asset.kind != "container-image"
mql: |
service("snmpd").enabled == false
service("snmpd").running == false
Expand All @@ -630,6 +661,8 @@ queries:
- uid: mondoo-linux-security-mail-transfer-agent-is-configured-for-local-only-mode
title: Ensure mail transfer agent is configured for local-only mode
impact: 85
filters: |
asset.kind != "container-image"
mql: |
if( package("postfix").installed && service('postfix').running ) {
parse.ini("/etc/postfix/main.cf").params["inet_interfaces"] == "localhost" || parse.ini("/etc/postfix/main.cf").params["inet_interfaces"] == "loopback-only"
Expand All @@ -655,6 +688,8 @@ queries:
- uid: mondoo-linux-security-nis-server-is-not-enabled
title: Ensure NIS server is stopped and not enabled
impact: 75
filters: |
asset.kind != "container-image"
mql: |
service("ypserv").enabled == false
service("ypserv").running == false
Expand All @@ -670,6 +705,8 @@ queries:
- uid: mondoo-linux-security-rsh-server-is-not-enabled
title: Ensure rsh server is stopped and not enabled
impact: 75
filters: |
asset.kind != "container-image"
mql: |
service("rsh.socket").enabled == false
service("rlogin.socket").enabled == false
Expand All @@ -694,6 +731,8 @@ queries:
- uid: mondoo-linux-security-telnet-server-is-not-enabled
title: Ensure telnet server is stopped and not enabled
impact: 90
filters: |
asset.kind != "container-image"
mql: |
service("telnet.socket").enabled == false
service("telnet.socket").running == false
Expand All @@ -709,6 +748,8 @@ queries:
- uid: mondoo-linux-security-tftp-server-is-not-enabled
title: Ensure tftp server is stopped and not enabled
impact: 100
filters: |
asset.kind != "container-image"
mql: |
service("tftp.socket").enabled == false
service("tftp.socket").running == false
Expand All @@ -724,6 +765,8 @@ queries:
- uid: mondoo-linux-security-rsync-service-is-not-enabled
title: Ensure rsync service is stopped and not enabled
impact: 100
filters: |
asset.kind != "container-image"
mql: |
service("rsyncd").enabled == false
service("rsyncd").running == false
Expand All @@ -739,6 +782,8 @@ queries:
- uid: mondoo-linux-security-talk-server-is-not-enabled
title: Ensure talk server is stopped and not enabled
impact: 100
filters: |
asset.kind != "container-image"
mql: |
service("ntalk").enabled == false
service("ntalk").running == false
Expand Down Expand Up @@ -1189,6 +1234,8 @@ queries:
- uid: mondoo-linux-security-system-is-disabled-when-audit-logs-are-full
title: Ensure system is disabled when audit logs are full
impact: 40
filters: |
asset.kind != "container-image"
mql: |
file("/etc/audit/auditd.conf").exists;
["/etc/audit/auditd.conf"].where(file(_).exists) {
Expand Down Expand Up @@ -2883,7 +2930,7 @@ queries:
title: Ensure each user is a member of a group
impact: 70
mql: |
users.list.all(gid != null)
users.list.all(gid != empty)
docs:
desc: |
Each user MUST be a member of at least one group.
Expand All @@ -2899,7 +2946,7 @@ queries:
title: Ensure all GIDs in /etc/passwd exist in /etc/group
impact: 80
mql: |
users.list.all(group != null)
users.list.all(group != empty)
docs:
desc: |
Every GID mentioned in the /etc/passwd file must be defined in the /etc/group file.
Expand All @@ -2908,6 +2955,8 @@ queries:
- uid: mondoo-linux-security-uid-min-is-set-to-1000
title: Ensure UID_MIN is set to 1000
impact: 60
filters: |
asset.kind != "container-image"
mql: |
logindefs.params{ _['UID_MIN'] == 1000 }
docs:
Expand Down Expand Up @@ -2978,6 +3027,8 @@ queries:
- uid: mondoo-linux-security-access-to-the-su-command-is-restricted
title: Ensure access to the su command is restricted
impact: 80
filters: |
asset.kind != "container-image"
props:
- uid: sudoGroup
title: Define the members of the sudo or wheel group
Expand Down
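Review bot: The widened pattern in the X Window System query, `name == /^xorg-x11/`, now fails any host carrying an `xorg-x11-*` client or font package, which on RHEL-family systems includes things like `xorg-x11-xauth` (pulled in for SSH X11 forwarding) and `xorg-x11-fonts-*` (often present for headless Java), none of which is an X server; the benchmark item this check mirrors targets the server packages only. The `/^xserver/` alternative also subsumes `/^xserver-xorg.*/`, so the first branch is redundant. I would narrow the line to `packages.none(name == /^xserver-xorg/ || name == /^xorg-x11-server/)`, which still catches the Debian/Ubuntu `xserver-xorg*` packages and the RHEL/SLES `xorg-x11-server*` packages without flagging client-side tooling. Separately, the `gid != empty` / `group != empty` rewrites presumably rely on `empty` not matching gid 0 (root) — worth confirming against the MQL semantics so root is not reported as having no group.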
