def check(self):
transport = get_transport('unix')
result = transport.send_command(
'systemctl list-unit-files --plain --no-legend --no-pager')
if result.ExitStatus != 0:
self.control.not_applicable()
service_list = [
item for item in SystemdUnitFiles(result.Output)
if item.Name == 'auditd'
]
if not service_list:
self.control.not_compliance(
result=f'There is not any auditd service')
return
auditd_service = service_list[0]
if auditd_service.State != systemd.ENABLED:
self.control.not_compliance(
result=
f'{auditd_service.UnitName} state is {auditd_service.State}')
return
self.control.compliance(
result=f'{auditd_service.UnitName} state is {auditd_service.State}'
)
def check(self):
transport = get_transport('unix')
result = transport.send_command('mount')
separated = dict((item.Path, item.Device)
for item in MountFinditer(text=result.Output)
if item.Path in self.path_list)
missed_paths = [
path for path in self.path_list if path not in separated
]
results = []
for path, device in sorted(separated.items()):
results.append(f'{path} has been mounted on {device}')
for path in sorted(missed_paths):
results.append(
f'{path} has not been mounted on separate partition')
result = '\n'.join(results)
if not missed_paths:
self.control.compliance(result=result)
else:
self.control.not_compliance(result=result)
def check(self):
transport = get_transport('unix')
lsmod_result = transport.send_command('lsmod')
lsmod = [item.Name for item in LsmodParser(text=lsmod_result.Output)]
is_compliance = True
results = []
for fs in self.file_systems:
if fs in lsmod:
is_compliance = False
results.append(f'{fs} is loaded')
continue
modprobe_status = transport.send_command(f'modprobe -n -v {fs}')
if 'install /bin/true' not in modprobe_status.Output:
is_compliance = False
results.append(f'{fs} is not disabled')
continue
results.append(f'{fs} is disabled')
result = '\n'.join(results)
if is_compliance:
self.control.compliance(result=result)
else:
self.control.not_compliance(result=result)
def check(self):
transport = get_transport('unix')
passwd = transport.get_file_content('/etc/passwd').Output
shadow = transport.get_file_content('/etc/shadow').Output
inittab = transport.get_file_content('/etc/inittab').Output
sysconfig_init = transport.get_file_content(
'/etc/sysconfig/init').Output
errors = []
if not self._root_has_password(passwd, shadow):
errors.append(f'User root does not have password')
if not self._ok_inittab(inittab):
errors.append(f'Inittab does not have correct line')
if not self._ok_sysconfig(sysconfig_init):
errors.append(
f'/etc/sysconfig/init does not have right attribute SINGLE')
if not errors:
self.control.compliance(
result='Single user mode is protected with password')
return
self.control.not_compliance(result='\n'.join(errors))
def detect(self):
transport = get_transport('unix')
result = transport.get_file_content('/etc/os-release')
if not result.Output:
return False
os_release = KeyValueParser(text=result.Output)
return os_release.ID == linux_id.UBUNTU
def detect(self):
transport = get_transport('unix')
command = 'readlink -f /proc/1/exe'
result = transport.send_command(command)
if not result.Output:
return False
return result.Output == '/sbin/init'
def detect(self):
transport = get_transport('unix')
command = 'initctl --version'
result = transport.send_command(command)
if not result.Output:
return False
return 'upstart' in result.Output
def detect(self):
transport = get_transport('unix')
command = 'readlink -f /proc/1/exe'
result = transport.send_command(command)
if not result.Output:
return False
return result.Output in ('/lib/systemd/systemd',
'/usr/lib/systemd/systemd')
def detect(self):
transport = get_transport('ssh')
result = transport.interactive_command('uname -s')
if result.ExitStatus != 0:
return False
if result.Output and unameOS(result.Output) is not None:
return True
return False
def detect(self):
transport = get_transport('unix')
command = 'uname -s'
result = transport.send_command(command)
if result.ExitStatus != 0:
self.logger.error(f'Wrong execution {command!r}: {result.Output}')
return False
if result.Output and unameOS(result.Output) == os.SOLARIS:
return True
return False
def check(self):
transport = get_transport('unix')
file_contents = {}
for file, path in product(sorted(self.files), systemd.UNIT_PATHS):
if file in file_contents:
continue
result = transport.get_file_content(
str(Path(path, self.files[file])))
if result.ExitStatus != 0:
continue
if not result.Output:
continue
file_contents[file] = SystemdUnitParser(result.Output).get_dict()
if not file_contents:
self.control.not_compliance(
result=f'There are not files {", ".join(self.files.values())}')
return
errors = []
rights_value = []
for file, config in file_contents.items():
file = self.files[file]
value = config.get('Service', {}).get('ExecStart', None)
if value is None:
errors.append(f'{file} does not have '
f'"ExecStart" in section "Service"')
continue
right = next(
(val for val in value
if 'systemd-sulogin-shell' in val or '/sbin/sulogin' in val),
None)
if right is None:
errors.append(
f'{file} has wrong "ExecStart" value = "{value[0]}"')
continue
rights_value.append(f'{file} has right value = "{right}"')
result = '\n'.join(chain(rights_value, errors))
if not errors:
self.control.compliance(result=result)
else:
self.control.not_compliance(result=result)
def check(self):
transport = get_transport('unix')
result = transport.get_file_content('/etc/passwd')
user_list = [
item.Name for item in PasswdParser(content=result.Output)
if item.UID < 1000
if item.Name not in ['root', 'sync', 'shutdown', 'halt']
if item.Shell != '/usr/sbin/nologin'
]
if len(user_list) > 0:
self.control.not_compliance(
result=
f'{len(user_list)} system accounts are not protected: {",".join(user_list)}'
)
return
self.control.compliance(result=f'System accounts are secured')
def check(self):
transport = get_transport('unix')
stat_result = transport.stat_file(' '.join(map(quote, self.file_paths)))
is_compliance = True
results = []
for item in sorted(
StatsParser(stat_result.Output),
key=attrgetter('Name')):
if item.Type != file_type.FILE:
continue
results.append(
f'{item.Name} {item.Owner}:{item.GroupOwner} '
f'{item.Permissions:o}')
if item.Permissions != 0o600:
is_compliance = False
if item.Owner != 'root':
is_compliance = False
if item.GroupOwner != 'root':
is_compliance = False
result = '\n'.join(results)
if not result:
self.control.not_applicable()
return
if is_compliance:
self.control.compliance(
result=result
)
else:
self.control.not_compliance(
result=result
)
def check(self):
transport = get_transport('unix')
boot_configs = {}
for file in self.file_paths:
result = transport.get_file_content(file)
if result.ExitStatus != 0:
continue
boot_configs[file] = result.Output
if not boot_configs:
self.control.not_applicable()
is_compliance = False
results = []
for file_name, content in boot_configs.items():
if not content:
continue
lines = [
f'{file_name}:{number}:{line}' for number, line in enumerate(
map(str.strip, content.splitlines()), 1)
if line.startswith(self.password_strings)
]
if not lines:
continue
results.extend(lines)
is_compliance = True
result = '\n'.join(results)
if is_compliance:
self.control.compliance(result=result)
else:
self.control.not_compliance(result='The password is not set up')
def check(self):
transport = get_transport('unix')
result = transport.send_command('mount')
separated = {
item.Path: item.Options
for item in MountFinditer(text=result.Output)
if item.Path in self.partitions
}
results = []
status = ControlStatus.Compliance
for path, options in self.partitions.items():
if path not in separated:
status = ControlStatus.NotCompliance
results.append(
f'{path} has not been mounted on separated partition')
continue
missing_options = ','.join(opt for opt in options
if opt not in separated[path])
needed_options = ','.join(options)
if not missing_options:
results.append(
f'{path} has been mounted with options "{needed_options}"')
else:
status = ControlStatus.NotCompliance
results.append(
f'{path} has been mounted without options "{missing_options}"'
)
self.control.result = '\n'.join(results)
self.control.status = status
