def check_user_group_modifying_events():
    """Check CIS 4.1.5: audit watches on the user/group identity files.

    Passes the benchmark title, the grep command and the expected rule text
    to ``source.output_isIn_terminal_output``.
    """
    benchmark_item = '4.1.5 Ensure events that modify user/group information are collected (Scored)'
    audit_command = 'sudo grep identity /etc/audit/audit.rules'

    # One write/attribute-change watch per identity file, all keyed "identity".
    watched_files = (
        '/etc/group',
        '/etc/passwd',
        '/etc/gshadow',
        '/etc/shadow',
        '/etc/security/opasswd',
    )
    # The rules are joined with single spaces, not newlines.
    # NOTE(review): grep prints one rule per line, so this relies on the helper
    # normalising line breaks before comparing - confirm against the helper.
    expected = ' '.join(
        '-w {} -p wa -k identity'.format(path) for path in watched_files
    )

    # NOTE(review): this reads the on-disk rules file only; it does not show
    # that the rules are loaded in the running kernel (`auditctl -l`).
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_date_time_modifying_events():
    """Check CIS 4.1.4: audit rules for date and time changes.

    The expected rule text depends on the value returned by
    ``source.check_platform()``: the string ``'64bit'`` selects the b64+b32
    rule set, any other value selects the b32-only rule set.
    """
    benchmark_item = '4.1.4 Ensure events that modify date and time information are collected (Scored)'
    audit_command = 'sudo grep time-change /etc/audit/audit.rules'

    platform_bits = source.check_platform()

    if platform_bits == '64bit':
        # Rules are separated by a single space.
        expected = ' '.join((
            '-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change',
            '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change',
            '-a always,exit -F arch=b64 -S clock_settime -k time-change',
            '-a always,exit -F arch=b32 -S clock_settime -k time-change',
            '-w /etc/localtime -p wa -k time-change',
        ))
    else:
        # NOTE(review): these rules are concatenated with NO separator
        # ("...-k time-change-a always,exit..."), unlike the 64-bit branch,
        # which uses spaces. One of the two forms probably fails to match;
        # confirm how the helper normalises newlines before changing either.
        expected = ''.join((
            '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change',
            '-a always,exit -F arch=b32 -S clock_settime -k time-change',
            '-w /etc/localtime -p wa -k time-change',
        ))

    # NOTE(review): only the on-disk rules file is read; rules loaded in the
    # running kernel (`auditctl -l`) are not examined here.
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_LDAP_server_is_not_enabled():
    """Check CIS 2.2.6: the slapd (LDAP server) unit reports ``disabled``."""
    benchmark_item = '2.2.6 Ensure LDAP server is not enabled (Scored)'
    audit_command = 'systemctl is-enabled slapd'
    expected = 'disabled'
    # NOTE(review): `systemctl is-enabled` can also print states such as
    # `masked` or `static`, or an error when the unit file is absent; whether
    # those count as a pass depends on the helper's comparison - confirm.
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_auditLogs_not_auto_deleted():
    """Check CIS 4.1.1.3: auditd keeps logs instead of rotating them away."""
    benchmark_item = '4.1.1.3 Ensure audit logs are not automatically deleted (Scored)'
    audit_command = 'sudo grep max_log_file_action /etc/audit/auditd.conf'
    # NOTE(review): the expected text fixes the spacing around "=" and the
    # letter case; a differently formatted or commented-out line may be
    # misjudged depending on how the helper compares - confirm.
    expected = 'max_log_file_action = keep_logs'
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_mcstrans_notInstalled():
    """Check CIS 1.6.1.5: the mcstrans package is absent according to rpm."""
    benchmark_item = '1.6.1.5 Ensure the MCS Translation Service (mcstrans) is not installed'
    # `rpm -q` limits this check to RPM-based distributions.
    audit_command = 'rpm -q mcstrans'
    expected = 'package mcstrans is not installed'
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_tcp_SYN_cookies_is_enabled():
    """Check CIS 3.2.8: net.ipv4.tcp_syncookies is 1 in the running kernel."""
    benchmark_item = '3.2.8 Ensure TCP SYN Cookies is enabled (Scored)'
    sysctl_key = 'net.ipv4.tcp_syncookies'
    # Only the live value is queried; the persistent setting in
    # /etc/sysctl.conf or /etc/sysctl.d/ is not examined here.
    audit_command = 'sysctl ' + sysctl_key
    expected = sysctl_key + ' = 1'
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_broadCast_ICMP_request_ignored():
    """Check CIS 3.2.5: broadcast ICMP echo requests are ignored."""
    benchmark_item = '3.2.5 Ensure broadcast ICMP requests are ignored (Scored)'
    sysctl_key = 'net.ipv4.icmp_echo_ignore_broadcasts'
    # Only the live value is queried; the persistent setting in
    # /etc/sysctl.conf or /etc/sysctl.d/ is not examined here.
    audit_command = 'sysctl ' + sysctl_key
    expected = sysctl_key + ' = 1'
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_IPv6_is_disabled():
    """Check CIS 3.3.3: the ipv6 module is configured with ``disable=1``."""
    benchmark_item = '3.3.3 Ensure IPv6 is disabled (Not Scored)'
    # Looks at the modprobe configuration only; IPv6 turned off through a
    # kernel boot parameter or sysctl would not show up in this output.
    audit_command = 'modprobe -c | grep ipv6'
    expected = 'options ipv6 disable=1'
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_NIS_server_is_not_enabled():
    """Check CIS 2.2.16: the ypserv (NIS server) unit reports ``disabled``."""
    benchmark_item = '2.2.16 Ensure NIS Server is not enabled (Scored)'
    audit_command = 'systemctl is-enabled ypserv'
    expected = 'disabled'
    # NOTE(review): a unit that is not installed makes `systemctl is-enabled`
    # print an error rather than `disabled`; confirm how the helper reports
    # that case.
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_SNMP_server_not_enabled():
    """Check CIS 2.2.14: the snmpd unit reports ``disabled``."""
    benchmark_item = '2.2.14 Ensure SNMP Server is not enabled (Scored)'
    audit_command = 'systemctl is-enabled snmpd'
    expected = 'disabled'
    # NOTE(review): `is-enabled` describes boot-time enablement only; a
    # service started by hand would still report `disabled`.
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_http_proxy_is_not_enabled():
    """Check CIS 2.2.13: the squid (HTTP proxy) unit reports ``disabled``."""
    # The title keeps its trailing space exactly as passed to the helper.
    benchmark_item = '2.2.13 Ensure HTTP Proxy Server is not enabled (Scored) '
    audit_command = 'systemctl is-enabled squid'
    expected = 'disabled'
    # NOTE(review): a missing unit file yields an error message instead of
    # `disabled`; confirm how the helper reports that case.
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_samba_is_not_enabled():
    """Check CIS 2.2.12: the smb (Samba) unit reports ``disabled``."""
    benchmark_item = '2.2.12 Ensure Samba is not enabled (Scored)'
    audit_command = 'systemctl is-enabled smb'
    expected = 'disabled'
    # NOTE(review): `is-enabled` describes boot-time enablement only; it does
    # not tell whether the service is currently running.
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_IMAP_and_POP3_server_not_enabled():
    """Check CIS 2.2.11: the dovecot (IMAP/POP3) unit reports ``disabled``."""
    benchmark_item = '2.2.11 Ensure IMAP and POP3 server is not enabled (Scored)'
    # Only dovecot is queried; another IMAP/POP3 daemon would go unnoticed.
    audit_command = 'systemctl is-enabled dovecot'
    expected = 'disabled'
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_http_server_not_enabled():
    """Check CIS 2.2.10: the httpd unit reports ``disabled``."""
    benchmark_item = '2.2.10 Ensure HTTP server is not enabled (Scored)'
    # Only the httpd unit is queried; a web server shipped under another unit
    # name is not covered by this command.
    audit_command = 'systemctl is-enabled httpd'
    expected = 'disabled'
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_DNS_server_not_enabled():
    """Check CIS 2.2.8: the named (DNS server) unit reports ``disabled``."""
    benchmark_item = '2.2.8 Ensure DNS Server is not enabled (Scored)'
    audit_command = 'systemctl is-enabled named'
    expected = 'disabled'
    # NOTE(review): a missing unit file yields an error message instead of
    # `disabled`; confirm how the helper reports that case.
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_prelink_disabled():
    """Check CIS 1.5.4: the prelink package is absent according to rpm."""
    benchmark_item = '1.5.4 Ensure prelink is disabled (Scored)'
    # `rpm -q` limits this check to RPM-based distributions.
    audit_command = 'rpm -q prelink'
    expected = 'package prelink is not installed'
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_automounting_disabled():
    """Check CIS 1.1.22: the autofs (automounter) unit reports ``disabled``."""
    benchmark_item = '1.1.22 Disable Automounting (Scored)'
    audit_command = 'systemctl is-enabled autofs'
    expected = 'disabled'
    # NOTE(review): a system without autofs installed yields an error message
    # instead of `disabled`; confirm how the helper reports that case.
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_talk_server_is_not_enabled():
    """Check CIS 2.2.18: the ntalk (talk server) unit reports ``disabled``."""
    benchmark_item = '2.2.18 Ensure talk server is not enabled (Scored)'
    audit_command = 'systemctl is-enabled ntalk'
    expected = 'disabled'
    # NOTE(review): a missing unit file yields an error message instead of
    # `disabled`; confirm how the helper reports that case.
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_ip_forwarding_is_disabled():
    """Check CIS 3.1.1: net.ipv4.ip_forward is 0 in the running kernel."""
    benchmark_item = '3.1.1 Ensure IP forwarding is disabled (Scored)'
    sysctl_key = 'net.ipv4.ip_forward'
    # Covers the live IPv4 value only; the persistent sysctl configuration
    # and any IPv6 forwarding setting are not examined here.
    audit_command = 'sysctl ' + sysctl_key
    expected = sysctl_key + ' = 0'
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_tftp_server_not_enabled():
    """Check CIS 2.2.20: the tftp.socket unit reports ``disabled``."""
    benchmark_item = '2.2.20 Ensure tftp server is not enabled (Scored)'
    # The socket unit is queried, not a service unit.
    audit_command = 'systemctl is-enabled tftp.socket'
    expected = 'disabled'
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_bogus_icmp_requests_ignored():
    """Check CIS 3.2.6: bogus ICMP error responses are ignored."""
    benchmark_item = '3.2.6 Ensure bogus ICMP responses are ignored (Scored)'
    sysctl_key = 'net.ipv4.icmp_ignore_bogus_error_responses'
    # Only the live value is queried; the persistent setting in
    # /etc/sysctl.conf or /etc/sysctl.d/ is not examined here.
    audit_command = 'sysctl ' + sysctl_key
    expected = sysctl_key + ' = 1'
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_rsync_server_is_not_enabled():
    """Check CIS 2.2.21: the rsyncd unit reports ``disabled``."""
    benchmark_item = '2.2.21 Ensure rsync service is not enabled (Scored)'
    audit_command = 'systemctl is-enabled rsyncd'
    expected = 'disabled'
    # NOTE(review): a missing unit file yields an error message instead of
    # `disabled`; confirm how the helper reports that case.
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_etc_hosts_deny_is_configured():
    """Check CIS 3.4.3: /etc/hosts.deny contains a default-deny entry."""
    benchmark_item = '3.4.3 Ensure /etc/hosts.deny is configured (Scored)'
    audit_command = 'cat /etc/hosts.deny'
    # NOTE(review): if the helper does a plain substring search (as its name
    # suggests), a commented-out "#ALL: ALL" line would also satisfy this
    # check - confirm and tighten if so.
    expected = 'ALL: ALL'
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_Avahi_server_not_enabled():
    """Check CIS 2.2.3: the avahi-daemon unit reports ``disabled``."""
    benchmark_item = '2.2.3 Ensure Avahi Server is not enabled (Scored)'
    # Only the service unit is queried; a companion socket unit, if present,
    # is not covered by this command.
    audit_command = 'systemctl is-enabled avahi-daemon'
    expected = 'disabled'
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_setTroubleShoot_notInstalled():
    """Check CIS 1.6.1.4: the setroubleshoot package is absent per rpm."""
    benchmark_item = '1.6.1.4 Ensure SETroubleshoot is not installed (Scored)'
    # `rpm -q` limits this check to RPM-based distributions.
    audit_command = 'rpm -q setroubleshoot'
    expected = 'package setroubleshoot is not installed'
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_CUPS_is_not_enabled():
    """Check CIS 2.2.4: the cups (print server) unit reports ``disabled``."""
    benchmark_item = '2.2.4 Ensure CUPS is not enabled (Scored)'
    # Only the service unit is queried; a companion socket or path unit, if
    # present, is not covered by this command.
    audit_command = 'systemctl is-enabled cups'
    expected = 'disabled'
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_NX_XD_support_enabled():
    """Check CIS 1.5.2: the kernel log reports NX protection as active."""
    benchmark_item = '1.5.2 Ensure XD/NX support is enabled (Not Scored)'
    # The boot message lives in the kernel ring buffer. On a long-running host
    # it may have been overwritten, and reading dmesg can need privileges, so
    # a miss here does not prove NX is off.
    audit_command = 'dmesg | grep NX'
    expected = 'NX (Execute Disable) protection: active'
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_ASLR():
    """Check CIS 1.5.3: kernel.randomize_va_space is 2 in the running kernel."""
    # The title keeps its trailing space exactly as passed to the helper.
    benchmark_item = '1.5.3 Ensure address space layout randomization (ASLR) is enabled '
    sysctl_key = 'kernel.randomize_va_space'
    # Only the live value is queried; the persistent setting in
    # /etc/sysctl.conf or /etc/sysctl.d/ is not examined here.
    audit_command = 'sysctl ' + sysctl_key
    expected = sysctl_key + ' = 2'
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_xinetd_not_enabled():
    """Check CIS 2.1.7: the xinetd unit reports ``disabled``."""
    benchmark_item = '2.1.7 Ensure xinetd is not enabled (Scored)'
    audit_command = 'systemctl is-enabled xinetd'
    expected = 'disabled'
    # NOTE(review): a missing unit file yields an error message instead of
    # `disabled`; confirm how the helper reports that case.
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)
def check_DHCP_server_is_not_enabled():
    """Check CIS 2.2.5: the dhcpd (DHCP server) unit reports ``disabled``."""
    benchmark_item = '2.2.5 Ensure DHCP Server is not enabled (Scored)'
    audit_command = 'systemctl is-enabled dhcpd'
    expected = 'disabled'
    # NOTE(review): a missing unit file yields an error message instead of
    # `disabled`; confirm how the helper reports that case.
    source.output_isIn_terminal_output(benchmark_item, audit_command, expected)