chage --list {}| \ grep "^Number of days of warning before password expires"| \ grep -v ": 7$" """)

#
print_header("7.2 Disable System Accounts (Scored)")
# The awk filter prints every /etc/passwd entry, other than root, sync,
# shutdown and halt, whose UID is below 500 and whose shell is not
# /sbin/nologin. Any output is a system account that can still log in.
# NOTE(review): the 500 boundary and the single accepted shell are hard-coded;
# an account locked with /bin/false would be reported, and hosts whose regular
# UIDs start at 1000 would leave 500-999 unaudited. Confirm against the target
# platform.
check_empty(""" awk -F: '($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<500 && $7!="/sbin/nologin") {print}' /etc/passwd """)

#
print_header("7.3 Set Default Group for root Account (Scored)")
# Field 4 of root's passwd entry is the primary GID, expected to be 0.
# NOTE(review): "grep ^root" selects every login name that merely starts with
# "root" (for example "rootadmin"), which would add extra lines to the output;
# "^root:" would pin the match to the root account itself.
check_equal(
    "grep ^root /etc/passwd | cut -f4 -d:",
    "0"
)

#
print_header("7.4 Set Default umask for Users (Scored)")
# Each shell start-up file is expected to contain a "umask 077" line.
# NOTE(review): grep also selects commented-out lines ("# umask 077") and
# longer values such as "umask 0770", and the ".*umask 077.*" pattern would
# presumably accept them. Confirm how check_equal_re matches, since a disabled
# setting could be reported as compliant.
check_equal_re("grep 'umask 077' /etc/bashrc", ".*umask 077.*")
check_equal_re("grep 'umask 077' /etc/profile", ".*umask 077.*")
check_equal_re("grep 'umask 077' /etc/csh.cshrc", ".*umask 077.*")

#
print_header("7.5 Lock Inactive User Accounts (Scored)")
# The useradd defaults must report an inactivity lock of exactly 35 days.
check_equal(
    "useradd -D | grep INACTIVE",
    "INACTIVE=35"
)
from utils import check_empty, check_equal, check_equal_re, check_equals, check_not_empty, check_return_code, print_header, view_output, print_warning, print_info

#
print_header("6 System Access, Authentication and Authorization")

#
print_header("6.1 Configure cron and anacron")

#
print_header("6.1.1 Enable anacron Daemon (Scored)")
# The benchmark item asks for anacron to be enabled; this audit instead expects
# the package to be absent, as the info message below states.
# NOTE(review): if the targets are RHEL/CentOS 6, anacron is presumably shipped
# as "cronie-anacron", in which case "rpm -q anacron" answers "not installed"
# whether or not anacron is present. Confirm the package name being queried.
check_equal("rpm -q anacron", "package anacron is not installed")
print_info("Not installed syco servers.")

print_header("6.1.2 Enable crond Daemon (Scored)")
# crond must be on in runlevels 2-5 and off in 0, 1 and 6.
check_equal_re(
    "chkconfig --list crond",
    "crond.*0:off.*1:off.*2:on.*3:on.*4:on.*5:on.*6:off",
)

# 6.1.3 - 6.1.5: each cron path must be mode 600 and owned by uid 0 / gid 0.
# NOTE(review): /etc/cron.hourly is normally a directory, so a hardened host
# using mode 700 would fail the strict "600" comparison. stat is also called
# without -L, so a symlink would be reported instead of its target. Confirm
# both against the hardening policy.
cron_targets = (
    ("6.1.3", "/etc/anacrontab"),
    ("6.1.4", "/etc/crontab"),
    ("6.1.5", "/etc/cron.hourly"),
)
for section, path in cron_targets:
    #
    print_header(
        "{0} Set User/Group Owner and Permission on {1} (Scored)".format(section, path)
    )
    check_equal(
        'stat -c "%a %u %g" {0} | egrep "600 0 0"'.format(path),
        "600 0 0",
    )

#
from utils import check_empty, check_equal, check_equal_re, check_equals, check_not_empty, check_return_code, print_header, view_output, print_warning, print_info

#
print_header("6 System Access, Authentication and Authorization")

#
print_header("6.1 Configure cron and anacron")

#
print_header("6.1.1 Enable anacron Daemon (Scored)")
# This audit expects anacron to be absent rather than enabled; the info line
# records that deviation from the benchmark item.
# NOTE(review): on RHEL/CentOS 6 the anacron package is presumably named
# "cronie-anacron"; if so this query cannot detect an installed anacron.
# Confirm the package name for the audited platform.
check_equal("rpm -q anacron", "package anacron is not installed")
print_info("Not installed syco servers.")

print_header("6.1.2 Enable crond Daemon (Scored)")
# Runlevels 2-5 must show crond on; 0, 1 and 6 must show it off.
crond_runlevels = "crond.*0:off.*1:off.*2:on.*3:on.*4:on.*5:on.*6:off"
check_equal_re("chkconfig --list crond", crond_runlevels)

# 6.1.3 - 6.1.5 share one shape: mode 600, owner uid 0, group gid 0.
# NOTE(review): a directory such as /etc/cron.hourly is usually hardened to
# 700, which this exact "600" expectation would reject, and stat without -L
# describes a symlink rather than its target. Confirm the intended policy.
expected_mode_owner = "600 0 0"
for section, path in (
    ("6.1.3", "/etc/anacrontab"),
    ("6.1.4", "/etc/crontab"),
    ("6.1.5", "/etc/cron.hourly"),
):
    #
    print_header(
        section + " Set User/Group Owner and Permission on " + path + " (Scored)"
    )
    check_equal(
        'stat -c "%a %u %g" ' + path + ' | egrep "600 0 0"',
        expected_mode_owner,
    )
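__version__ = "1.0.0"
__status__ = "Production"

from utils import check_empty, check_equal, check_equal_re, check_equals, check_not_empty, check_return_code, print_header, view_output, print_warning, print_info
import config

#
print_header("5 Logging and Auditing")

#
print_header("5.1 Configure Syslog")

#
print_header("5.1.1 Install the rsyslog package (Scored)")
# rpm prints the full package name-version when rsyslog is installed.
check_equal_re("rpm -q rsyslog", "rsyslog.*")

#
print_header("5.1.2 Activate the rsyslog Service (Scored)")
# NOTE(review): the legacy daemon is presumably packaged as "sysklogd" rather
# than "syslog"; if so this query reports "not installed" regardless of what
# is on the host. Confirm the package name.
check_equal("rpm -q syslog", "package syslog is not installed")
# The legacy syslog service must not be registered with chkconfig. The pattern
# is anchored to the service-name column: a bare "grep syslog" also matches the
# "rsyslog" line that the next check requires, so the two checks could never
# both pass on a compliant host.
check_empty("chkconfig --list | grep '^syslog[[:space:]]'")
# rsyslog must be on in runlevels 2-5 and off in 0, 1 and 6.
check_equal_re(
    "chkconfig --list rsyslog",
    "rsyslog.*0:off.*1:off.*2:on.*3:on.*4:on.*5:on.*6:off",
)

#
print_header("5.1.3 Configure /etc/rsyslog.conf (Not Scored)")
# Not scored: the operator reviews the configuration by hand, and the log
# directory listing is shown as supporting evidence.
print_warning(
    "Manually review the contents of the /etc/rsyslog.conf file to ensure appropriate logging is set. "
)
view_output("ls -l /var/log/")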
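from utils import check_empty, check_equal, check_equal_re, check_equals, check_not_empty, check_return_code, print_header, view_output, print_warning, print_info
import config

#
print_header("5 Logging and Auditing")

#
print_header("5.1 Configure Syslog")

#
print_header("5.1.1 Install the rsyslog package (Scored)")
# rpm prints the full package name-version when rsyslog is installed.
check_equal_re(
    "rpm -q rsyslog",
    "rsyslog.*"
)

#
print_header("5.1.2 Activate the rsyslog Service (Scored)")
# NOTE(review): the legacy daemon is presumably packaged as "sysklogd" rather
# than "syslog"; if so this query reports "not installed" regardless of what
# is on the host. Confirm the package name.
check_equal(
    "rpm -q syslog",
    "package syslog is not installed"
)
# The legacy syslog service must not be registered with chkconfig. The pattern
# is anchored to the service-name column: a bare "grep syslog" also matches the
# "rsyslog" line that the next check requires, so the two checks could never
# both pass on a compliant host.
check_empty("chkconfig --list | grep '^syslog[[:space:]]'")
# rsyslog must be on in runlevels 2-5 and off in 0, 1 and 6.
check_equal_re(
    "chkconfig --list rsyslog",
    "rsyslog.*0:off.*1:off.*2:on.*3:on.*4:on.*5:on.*6:off"
)

#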
"grep NETWORKING_IPV6 /etc/sysconfig/network", "NETWORKING_IPV6=no" )
# The init scripts must not bring up IPv6 on interfaces.
check_equal(
    "grep IPV6INIT /etc/sysconfig/network",
    "IPV6INIT=no"
)

#
print_header("4.5 Install TCP Wrappers")

#
print_header("4.5.1 Install TCP Wrappers (Not Scored)")
# rpm prints "tcp_wrappers-<version>" when the package is installed.
check_equal_re(
    "rpm -q tcp_wrappers",
    "tcp_wrappers-.*"
)

#
print_header("4.5.2 Create /etc/hosts.allow (Not Scored)")
# Not scored: the allow list is site-specific, so it is only displayed for the
# operator to review.
print_warning("Check manually to verify hosts.")
view_output("cat /etc/hosts.allow")

#
print_header("4.5.3 Verify Permissions on /etc/hosts.allow (Scored)")
# hosts.allow must be mode 644 (writable by its owner only).
# NOTE(review): only the mode is inspected; the owner and group of the file
# are not verified here.
check_equal(
    'stat -c "%a" /etc/hosts.allow | egrep "644"',
    "644"
)

#
#
print_header("4.4.2 Disable IPv6 (Not Scored)")
# NOTE(review): ('options ipv6 disable=1') is a parenthesised string, not a
# one-element tuple (no trailing comma). If check_equals expects a collection
# of accepted values, it would receive a plain string. Confirm against the
# helper.
# NOTE(review): when the glob expands to more than one file, grep prefixes each
# match with its file name, so the output is not the bare directive. Confirm
# how the helpers compare, or suppress the prefix with grep -h.
check_equals(
    'grep ipv6 /etc/modprobe.d/*',
    ('options ipv6 disable=1'),
)
check_equal(
    'grep net-pf-10 /etc/modprobe.d/*',
    'alias net-pf-10 off',
)
# Both network-script switches for IPv6 must be set to "no".
for setting in ("NETWORKING_IPV6", "IPV6INIT"):
    check_equal(
        "grep {0} /etc/sysconfig/network".format(setting),
        "{0}=no".format(setting),
    )

#
print_header("4.5 Install TCP Wrappers")

#
print_header("4.5.1 Install TCP Wrappers (Not Scored)")
# rpm prints "tcp_wrappers-<version>" when the package is installed.
check_equal_re("rpm -q tcp_wrappers", "tcp_wrappers-.*")

#
print_header("4.5.2 Create /etc/hosts.allow (Not Scored)")
# Not scored: the allow list is site-specific and is only shown for review.
print_warning("Check manually to verify hosts.")
view_output("cat /etc/hosts.allow")

#
print_header("4.5.3 Verify Permissions on /etc/hosts.allow (Scored)")
# Only the mode is checked; owner and group are not verified here.
hosts_allow_mode = "644"
check_equal('stat -c "%a" /etc/hosts.allow | egrep "644"', hosts_allow_mode)

#
print_header("4.5.4 Create /etc/hosts.deny (Not Scored)")
# A default-deny rule must be present so that only hosts.allow entries pass.
deny_all_rule = "ALL: ALL"
check_equal('grep "ALL: ALL" /etc/hosts.deny', deny_all_rule)

#