From bb7c532f0f20dc88de3cd6e4e54414031b94f7ef Mon Sep 17 00:00:00 2001
From: Christoph Hartmann
Date: Fri, 29 Apr 2016 15:16:57 +0200
Subject: [PATCH] bug fix cpu flags and change default for net.ipv4.conf.all.log_martians
---
 controls/sysctl_spec.rb | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/controls/sysctl_spec.rb b/controls/sysctl_spec.rb
index a5cd7c2..ef66b6a 100644
--- a/controls/sysctl_spec.rb
+++ b/controls/sysctl_spec.rb
@@ -188,7 +188,7 @@
 title 'Disable log martians'
 desc 'log_martians can cause a denial of service attack to the host'
 describe kernel_parameter('net.ipv4.conf.all.log_martians') do
- its(:value) { should eq 0 }
+ its(:value) { should eq 1 }
 end
 end
 
@@ -338,17 +338,17 @@
 title 'CPU No execution Flag or Kernel ExecShield'
 desc 'Kernel features and CPU flags provide a protection against buffer overflows. The CPU NX Flag and the kernel parameter exec-shield prevents code execution on a per memory page basis. If the CPU supports the NX-Flag then this should be used instead of the kernel parameter exec-shield.'
 
+ # parse for cpu flags
+ flags = parse_config_file('/proc/cpuinfo', assignment_re: /^([^:]*?)\s+:\s+(.*?)$/).flags
+ flags ||= ''
+ flags = flags.split(' ')
+
 describe '/proc/cpuinfo' do
 it 'Flags should include NX' do
 expect(flags).to include('nx')
 end
 end
 
- # parse for cpu flags
- flags = parse_config_file('/proc/cpuinfo', assignment_re: /^([^:]*?)\s+:\s+(.*?)$/).flags
- flags ||= ''
- flags = flags.split(' ')
-
 unless flags.include?('nx')
 # if no nx flag is present, we require exec-shield
 describe kernel_parameter('kernel.exec-shield') do
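Review bot: The control's `title 'Disable log martians'` and `desc 'log_martians can cause a denial of service attack to the host'` now contradict the expectation, which requires the parameter to be 1, i.e. logging enabled, so a report reader sees a control named "Disable" that fails precisely when the feature is disabled. Suggest `title 'Enable log martians'` and a desc along the lines of `desc 'Logging packets with impossible source addresses helps detect spoofed or misrouted traffic'`. If the profile is meant to cover interfaces created after boot, the `net.ipv4.conf.default.log_martians` counterpart would need the same expectation, which this hunk does not touch. The enclosing control block begins before the hunk.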
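Review bot: With `flags` now assigned before the describe that reads it, the `it 'Flags should include NX'` example still fails unconditionally on a CPU without the flag, even though the `unless flags.include?('nx')` branch below accepts `kernel.exec-shield` as the alternative the title and desc describe, so an exec-shield-only host can never pass this control. Either guard the `/proc/cpuinfo` describe with the same condition, `if flags.include?('nx') ... end`, or fold both checks into one example that passes when either mechanism is present. `flags ||= ''` keeps the split from raising when `/proc/cpuinfo` has no `flags` key, which is presumably the case on architectures that label the field differently, so the fallback path is exercised there too; a comment such as `# flags is absent on some architectures; fall back to exec-shield` would make that intent explicit. The enclosing control block starts before and ends after the hunk.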