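def _read_gpgcheck(parser, section):
    """Return the integer ``gpgcheck`` value of *section*, or None.

    None is returned when the section or option is absent, or when the
    value is not an integer, so the caller decides how to treat it.
    """
    try:
        return parser.getint(section, "gpgcheck")
    except (ConfigParser.NoSectionError, ConfigParser.NoOptionError,
            ValueError):
        return None


def run_tests():
    """Report whether yum is configured to verify package GPG signatures.

    Reads ``gpgcheck`` from the ``[main]`` section of /etc/yum.conf
    (RHEL-06-000013) and from every repository section found under
    /etc/yum.repos.d/ (RHEL-06-000015). Results are written through
    ``console``; nothing is returned.
    """
    console.heading("Packages")

    # Verify GPG check
    # RHEL-06-000013
    config = ConfigParser.RawConfigParser()
    config.read("/etc/yum.conf")
    main_gpg_check = _read_gpgcheck(config, "main")
    if main_gpg_check == 1:
        console.ok("GPG checking is enabled in yum")
    else:
        # A missing or non-integer option is reported as a finding instead
        # of aborting the whole run with a ConfigParser exception.
        # NOTE(review): yum may also accept boolean words such as "yes";
        # those are flagged here because only the literal 1 is accepted.
        console.error("GPG checking is disabled in yum")

    # Verify GPG check for all repos
    # RHEL-06-000015
    repo_dir = "/etc/yum.repos.d/"
    for repo_file in sorted(os.listdir(repo_dir)):
        # NOTE(review): yum is understood to load only *.repo files from
        # this directory, so backups such as *.rpmsave are skipped; confirm.
        if not repo_file.endswith(".repo"):
            continue
        repo_config = ConfigParser.RawConfigParser()
        repo_config.read(repo_dir + repo_file)
        for section in repo_config.sections():
            if repo_config.has_option(section, "gpgcheck"):
                gpg_check = _read_gpgcheck(repo_config, section)
            else:
                # Per yum.conf(5) the [main] value is the default for every
                # repository that does not set gpgcheck itself.
                gpg_check = main_gpg_check
            if gpg_check != 1:
                console.error("GPG checking is disabled in yum repo: %s" %
                              section)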
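def executable_file_tests():
    """Flag group- or world-writable files in the system binary directories.

    Walks each directory in ``executable_locations`` (RHEL-06-000047) and
    calls ``console.error`` for every file that ``is_group_writable`` or
    ``is_world_writable`` reports, followed by the file's octal mode on
    stdout. Files that cannot be stat'ed are reported as warnings and
    skipped so one bad entry does not end the audit.
    """
    executable_locations = [
        "/bin",
        "/usr/bin",
        "/usr/local/bin",
        "/sbin",
        "/usr/sbin",
        "/usr/local/sbin",
    ]

    # RHEL-06-000047
    for location in executable_locations:
        for dirname, _dirnames, filenames in os.walk(location):
            for filename in filenames:
                path = os.path.join(dirname, filename)
                try:
                    # os.stat follows symlinks, so a link is judged by the
                    # mode of its target.
                    file_stats = os.stat(path)
                except OSError as exc:
                    # Dangling symlink, or the file vanished during the walk.
                    console.warning("Could not stat %s: %s" % (path, exc))
                    continue

                # Print the mode from the same stat result that was tested,
                # rather than stat'ing the path a second time.
                mode = oct(stat.S_IMODE(file_stats.st_mode))
                if is_group_writable(file_stats):
                    console.error(
                        "System executable file %s is group writable!" % path)
                    print(mode)
                if is_world_writable(file_stats):
                    console.error(
                        "System executable file %s is world writable!" % path)
                    print(mode)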
def run_tests():
    """Report, for each entry of ``mount_points``, whether it is a mount point.

    Mounted paths are reported with ``console.ok`` and the others with
    ``console.error``.
    """
    console.heading("System Mounts")

    for mount_point in mount_points:
        if not os.path.ismount(mount_point):
            console.error("%s is not a mount point" % mount_point)
            continue
        console.ok("%s is a mount point" % mount_point)
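def check_spece_left_action(self):
    """Report how auditd is set to react when free space runs low.

    Reads ``space_left_action`` from ``self.auditd_config``
    (RHEL-06-000005): EMAIL is reported as ok, SYSLOG as a warning, and
    anything else, including a missing option, as an error. Always
    returns None.
    """
    # RHEL-06-000005
    if 'space_left_action' in self.auditd_config.keys():
        # NOTE(review): auditd is understood to match action keywords
        # case-insensitively, so the value is normalised before comparing;
        # confirm against the parser that builds auditd_config.
        action = str(self.auditd_config['space_left_action']).strip().upper()
    else:
        # An unset option is a finding, not a KeyError that ends the run.
        action = None

    if action == "EMAIL":
        console.ok("Free space warning enabled in auditd")
    elif action == "SYSLOG":
        console.warning(
            "Free space warning is set to SYSLOG. Make sure this notifies the necessary individuals in a timely manner"
        )
    else:
        console.error("Free space warning not enabled in auditd")
    return None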
def run_tests():
    """Run the authentication checks and report findings via ``console``.

    Covers rsh trust files (RHEL-06-000019), password fields stored in
    /etc/passwd (RHEL-06-000031) and non-root accounts with UID 0
    (RHEL-06-000032). The three passes are kept separate so findings are
    printed grouped by check.
    """
    console.heading("Authentication")

    # Check for Rsh files
    # RHEL-06-000019
    if os.path.isfile("/etc/hosts.equiv"):
        console.error("/etc/hosts.equiv file exists!")

    accounts = pwd.getpwall()
    for account in accounts:
        rhosts_path = account.pw_dir + "/.rhosts"
        if os.path.isfile(rhosts_path):
            console.error("%s exists!" % rhosts_path)

    # Check for password hashes in the /etc/passwd file
    # RHEL-06-000031
    # Any password field other than the 'x' placeholder is reported.
    for account in accounts:
        if account.pw_passwd == 'x':
            continue
        console.error("User %s has a hashed password in /etc/passwd" %
                      account.pw_name)

    # Check for users with a UID of 0 other than root
    # RHEL-06-000032
    for account in accounts:
        if account.pw_uid == 0 and account.pw_name != 'root':
            console.error("User %s has a UID of 0" % account.pw_name)
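def rsyslog_file_tests():
    """Check ownership and permissions of the log files named in rsyslog.conf.

    Parses /etc/rsyslog.conf with ``parsing.parse_config_file`` and, for
    each remaining target, reports through ``console.error`` when the file
    is not owned by root, not group-owned by root, or has permissions
    beyond the thresholds tested below (RHEL-06-000133, RHEL-06-000134,
    RHEL-06-000135). Targets that cannot be stat'ed are reported as
    warnings and skipped.
    """
    # RHEL-06-000133
    # RHEL-06-000134
    # RHEL-06-000135
    rsyslog_config_file = "/etc/rsyslog.conf"
    rsyslog_config = parsing.parse_config_file(rsyslog_config_file, ' ')
    for k, v in rsyslog_config.iteritems():
        # We want the log files so we get rid of other config
        if k.startswith("$"):
            continue
        # emerg.* gets written everywhere
        if v == "*":
            continue
        # Files that don't sync after every log are prefixed with "-"
        log_path = v.lstrip("-")

        try:
            log_stats = os.stat(log_path)
        except OSError as exc:
            # A log file that does not exist yet, or a target that is not
            # a path, must not abort the audit and hide later findings.
            console.warning("Could not stat %s: %s" % (log_path, exc))
            continue

        if log_stats.st_uid != 0:
            console.error("%s is not owned by root!" % log_path)
        if log_stats.st_gid != 0:
            console.error("%s is not group owned by root!" % log_path)
        if (get_owner_permissions_int(log_stats) > 6
                or get_group_permissions_int(log_stats) > 0
                or get_world_permissions_int(log_stats) > 0):
            console.error("Permissions are too open on %s" % log_path)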
def wrapper(*args, **kwargs):
    """Call the wrapped function, offering to start the cluster if it is down.

    When the call raises ``UnikubeClusterUnavailableError`` the user is
    asked whether the active project should be brought up. On refusal the
    process exits with status 1. Otherwise the project is started, the
    Kubernetes API is polled every 0.5 s for up to 30 attempts, and the
    wrapped function is called once more; its result is returned.
    """
    try:
        res = function(*args, **kwargs)
    except UnikubeClusterUnavailableError:
        error("Cannot reach local cluster.")
        project = ProjectManager().get_active()
        app = AppManager().get_active()

        start_confirmed = click.confirm(
            f"Should we try to \"project up {project.get('name')}\"?")
        if not start_confirmed:
            exit(1)
        else:
            K3D(project).up(ingress_port=None, workers=None)
            k8s = KubeAPI(project, app)
            for attempt in range(1, 31):
                if k8s.is_available:
                    break
                sleep(0.5)
                if attempt == 30:
                    # Give up after the 30th wait without a further check.
                    error("Could not up project.")
                    exit(1)
            res = function(*args, **kwargs)
    return res
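def group_file_tests():
    """Check /etc/group for root ownership, root group and a safe mode.

    Findings are reported through ``console.error`` (RHEL-06-000042,
    RHEL-06-000043, RHEL-06-000044); nothing is returned.
    """
    group_file = os.stat("/etc/group")

    # RHEL-06-000042
    if group_file.st_uid != 0:
        console.error("/etc/group is not owned by root!")

    # RHEL-06-000043
    if group_file.st_gid != 0:
        console.error("/etc/group is not group owned by root!")

    # RHEL-06-000044
    # Flag only permission bits beyond rw-r--r-- (including setuid, setgid
    # and sticky); a tighter mode such as 0600 is not a finding.
    # NOTE(review): the STIG wording is understood to be "0644 or less
    # permissive"; confirm.
    if stat.S_IMODE(group_file.st_mode) & ~0o644:
        console.error("/etc/group is not mode 644!")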
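def passwd_file_tests():
    """Check /etc/passwd for root ownership, root group and a safe mode.

    Findings are reported through ``console.error`` (RHEL-06-000039,
    RHEL-06-000040, RHEL-06-000041); nothing is returned.
    """
    passwd_file = os.stat("/etc/passwd")

    # RHEL-06-000039
    if passwd_file.st_uid != 0:
        console.error("/etc/passwd is not owned by root!")

    # RHEL-06-000040
    if passwd_file.st_gid != 0:
        console.error("/etc/passwd is not group owned by root!")

    # RHEL-06-000041
    # Flag only permission bits beyond rw-r--r-- (including setuid, setgid
    # and sticky); a tighter mode such as 0600 is not a finding.
    # NOTE(review): the STIG wording is understood to be "0644 or less
    # permissive"; confirm.
    if stat.S_IMODE(passwd_file.st_mode) & ~0o644:
        console.error("/etc/passwd is not mode 644!")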
def gshadow_file_tests():
    """Check /etc/gshadow for root ownership, root group and mode 000.

    Findings are reported through ``console.error`` (RHEL-06-000036,
    RHEL-06-000037, RHEL-06-000038); nothing is returned.
    """
    info = os.stat("/etc/gshadow")
    owner_uid, owner_gid = info.st_uid, info.st_gid
    permission_bits = stat.S_IMODE(info.st_mode)

    # RHEL-06-000036
    if owner_uid != 0:
        console.error("/etc/gshadow is not owned by root!")

    # RHEL-06-000037
    if owner_gid != 0:
        console.error("/etc/gshadow is not group owned by root!")

    # RHEL-06-000038
    # Any permission bit at all is a finding.
    if permission_bits != 0:
        console.error("/etc/gshadow is not mode 000!")
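def check_suspend_ignore(self, key):
    """Report an error when auditd option *key* is unset, SUSPEND or IGNORE.

    The value is read from ``self.auditd_config``. Nothing is returned;
    a finding is written with ``console.error``.
    """
    if key not in self.auditd_config.keys():
        console.error("Auditd %s improperly set!" % key)
        return

    # NOTE(review): auditd is understood to match action keywords
    # case-insensitively, so "suspend" must be caught as well as "SUSPEND";
    # confirm against the parser that builds auditd_config.
    action = str(self.auditd_config[key]).strip().upper()
    if action in ('SUSPEND', 'IGNORE'):
        console.error("Auditd %s improperly set!" % key)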
def check_value(self, key, value, operator_function):
    """Report an error unless auditd option *key* satisfies the comparison.

    ``operator_function`` is called as ``operator_function(configured,
    value)`` with the value stored in ``self.auditd_config``; a missing
    key or a false result is reported through ``console.error``.
    """
    settings = self.auditd_config
    if key in settings.keys() and operator_function(settings[key], value):
        return
    console.error("Auditd %s is not set to %s!" % (key, value))
def check_value(self, key, value):
    """Report an error unless sshd option *key* is set exactly to *value*.

    The configured value is read from ``self.sshd_config``; a missing key
    or a different value is reported through ``console.error``.
    """
    settings = self.sshd_config
    if key in settings.keys() and settings[key] == value:
        return
    console.error("SSHd %s is not set to %s!" % (key, value))