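# 6.3.4 Set Lockout for Failed Password Attempts (Not Scored) -- not checked yet.
print_info(" TODO: Implement this.")
# print_header("6.3.5 Use pam_deny.so to Deny Services (Not Scored)")
# Consistency fix: this TODO was emitted through print_header(), unlike the
# 6.3.4 TODO right above it (and every other section header in this file is
# commented out). Report it as an info line like its sibling.
print_info(" TODO: Implement this.")
# print_header("6.3.6 Limit Password Reuse (Scored)")
# Pins the whole pam_unix line, so any deviation in the other module options
# (not only remember=5) also fails the check.
check_equal(
    "grep 'remember' /etc/pam.d/system-auth",
    "password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5",
)
# print_header("6.4 Restrict root Login to System Console (Not Scored)")
# Expects exactly one console entry (tty1) in /etc/securetty.
check_equal("cat /etc/securetty", "tty1")
# print_header("6.5 Restrict Access to the su Command (Scored)")
# Expected state: the "trust" variant stays commented out and the
# "required ... use_uid" line is active, so only wheel members may su.
check_equals(
    'grep pam_wheel.so /etc/pam.d/su',
    (
        "#auth\t\tsufficient\tpam_wheel.so trust use_uid",
        "auth\t\trequired\tpam_wheel.so use_uid",
    ),
)
# Expected value has an empty member field (name:password:gid:members), i.e.
# the wheel group currently has no members at all -- presumably intentional
# for this environment; confirm with the maintainers.
check_equal(
    "grep wheel /etc/group",
    "wheel:x:10:",
)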
check_equal("/sbin/modprobe -n -v hfs", "install /bin/true") check_empty("/sbin/lsmod | grep hfs") # print_header("1.1.22 Disable Mounting of hfsplus Filesystems (Not Scored)") check_equal("/sbin/modprobe -n -v hfsplus", "install /bin/true") check_empty("/sbin/lsmod | grep hfsplus") # print_header("1.1.23 Disable Mounting of squashfs Filesystems (Not Scored)") check_equal("/sbin/modprobe -n -v squashfs", "install /bin/true") check_empty("/sbin/lsmod | grep squashfs") # print_header("1.1.24 Disable Mounting of udf Filesystems (Not Scored)") check_equals('/sbin/modprobe -n -v udf', (None, "install /bin/true")) check_empty("/sbin/lsmod | grep udf") # print_header("1.2 Configure Software Updates") # print_header( "1.2.1 Configure Connection to the RHN RPM Repositories (Not Scored)") check_return_code("yum check-update", 0) print_info("We are using centos and not red hat. Check manually if we are " + "connected to sunet.") # print_header("1.2.2 Verify Red Hat GPG Key is Installed (Scored)") check_equal(
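# print_header("6.3.3 Set Strong Password Creation Policy Using pam_passwdqc (Scored)")
# pam_passwdqc is not checked here; the host uses pam_cracklib instead.
print_info("We are using pam_cracklib")
# print_header("6.3.4 Set Lockout for Failed Password Attempts (Not Scored)")
print_info(" TODO: Implement this.")
# print_header("6.3.5 Use pam_deny.so to Deny Services (Not Scored)")
# Consistency fix: this TODO was emitted through print_header(), unlike the
# 6.3.4 TODO right above it (and every other section header in this file is
# commented out). Report it as an info line like its sibling.
print_info(" TODO: Implement this.")
# print_header("6.3.6 Limit Password Reuse (Scored)")
# Pins the whole pam_unix line, so any deviation in the other module options
# (not only remember=5) also fails the check.
check_equal(
    "grep 'remember' /etc/pam.d/system-auth",
    "password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5",
)
# print_header("6.4 Restrict root Login to System Console (Not Scored)")
# Expects exactly one console entry (tty1) in /etc/securetty.
check_equal("cat /etc/securetty", "tty1")
# print_header("6.5 Restrict Access to the su Command (Scored)")
# Expected state: the "trust" variant stays commented out and the
# "required ... use_uid" line is active, so only wheel members may su.
check_equals(
    'grep pam_wheel.so /etc/pam.d/su',
    (
        "#auth\t\tsufficient\tpam_wheel.so trust use_uid",
        "auth\t\trequired\tpam_wheel.so use_uid",
    ),
)
# Expected value has an empty member field (name:password:gid:members), i.e.
# the wheel group currently has no members at all -- presumably intentional
# for this environment; confirm with the maintainers.
check_equal("grep wheel /etc/group", "wheel:x:10:")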
print_header("5.2.2 Enable auditd Service (Scored)")
# The audit package must be installed and auditd enabled in runlevels 2-5.
check_equal_re("rpm -q audit", "audit.*")
check_equal_re(
    "chkconfig --list auditd",
    "auditd.*0:off.*1:off.*2:on.*3:on.*4:on.*5:on.*6:off",
)
# print_header("5.2.3 Enable Auditing for Processes That Start Prior to auditd (Scored)")
# NOTE(review): grep prints the whole matching kernel line, not just "audit=1";
# this only passes if check_equal does a containment compare -- confirm.
check_equal('grep "^[^#]*kernel" /etc/grub.conf|grep "audit=1"', 'audit=1')
# print_header("5.2.4 Record Events That Modify Date and Time Information (Scored)")
# Both 32- and 64-bit syscall ABIs must be covered, plus the /etc/localtime watch.
check_equals(
    'grep time-change /etc/audit/audit.rules',
    (
        "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change",
        "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change",
        "-a always,exit -F arch=b64 -S clock_settime -k time-change",
        "-a always,exit -F arch=b32 -S clock_settime -k time-change",
        "-w /etc/localtime -p wa -k time-change",
    ),
)
# print_header("5.2.5 Record Events That Modify User/Group Information (Scored)")
# Write/attribute-change watches on every account database file.
check_equals(
    'grep identity /etc/audit/audit.rules',
    (
        "-w /etc/group -p wa -k identity",
        "-w /etc/passwd -p wa -k identity",
        "-w /etc/gshadow -p wa -k identity",
        "-w /etc/shadow -p wa -k identity",
        "-w /etc/security/opasswd -p wa -k identity",
    ),
)
# print_header("5.2.6 Record Events That Modify the System's Network Environment (Scored)")
) # print_header("5.2.3 Enable Auditing for Processes That Start Prior to auditd (Scored)") check_equal( 'grep "^[^#]*kernel" /etc/grub.conf|grep "audit=1"', 'audit=1' ) # print_header("5.2.4 Record Events That Modify Date and Time Information (Scored)") check_equals( 'grep time-change /etc/audit/audit.rules', ( "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change", "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change", "-a always,exit -F arch=b64 -S clock_settime -k time-change", "-a always,exit -F arch=b32 -S clock_settime -k time-change", "-w /etc/localtime -p wa -k time-change" ) ) # print_header("5.2.5 Record Events That Modify User/Group Information (Scored)") check_equals( 'grep identity /etc/audit/audit.rules', ( "-w /etc/group -p wa -k identity", "-w /etc/passwd -p wa -k identity", "-w /etc/gshadow -p wa -k identity", "-w /etc/shadow -p wa -k identity", "-w /etc/security/opasswd -p wa -k identity"
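# print_header("4.4.1.2 Disable IPv6 Redirect Acceptance (Not Scored)")
# These expect sysctl to report the key as unknown rather than a value of 0,
# i.e. the check passes only when the IPv6 stack is absent -- presumably what
# 4.4.2 below ensures; confirm on a host where ipv6 is merely disabled.
check_equal(
    "/sbin/sysctl net.ipv6.conf.all.accept_redirects",
    'error: "net.ipv6.conf.all.accept_redirects" is an unknown key',
)
check_equal(
    "/sbin/sysctl net.ipv6.conf.default.accept_redirects",
    'error: "net.ipv6.conf.default.accept_redirects" is an unknown key',
)
# print_header("4.4.2 Disable IPv6 (Not Scored)")
# Bug fix: the original passed ('options ipv6 disable=1') -- a parenthesised
# string, not a tuple -- while every other check_equals call in this file
# passes a tuple of expected lines. The trailing comma makes it a 1-tuple.
# NOTE(review): with more than one file in /etc/modprobe.d, grep prefixes each
# match with its filename; confirm check_equals tolerates that (or use grep -h).
check_equals(
    'grep ipv6 /etc/modprobe.d/*',
    ('options ipv6 disable=1',),
)
check_equal('grep net-pf-10 /etc/modprobe.d/*', 'alias net-pf-10 off')
check_equal(
    "grep NETWORKING_IPV6 /etc/sysconfig/network",
    "NETWORKING_IPV6=no",
)
check_equal(
    "grep IPV6INIT /etc/sysconfig/network",
    "IPV6INIT=no",
)
# print_header("4.5 Install TCP Wrappers")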
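# 4.4.1.1 / 4.4.1.2: these expect sysctl to report the key as unknown rather
# than a value of 0, i.e. the check passes only when the IPv6 stack is absent --
# presumably what 4.4.2 below ensures; confirm on a host where ipv6 is merely
# disabled.
check_equal(
    "/sbin/sysctl net.ipv6.conf.all.accept_ra",
    'error: "net.ipv6.conf.all.accept_ra" is an unknown key',
)
check_equal(
    "/sbin/sysctl net.ipv6.conf.default.accept_ra",
    'error: "net.ipv6.conf.default.accept_ra" is an unknown key',
)
# print_header("4.4.1.2 Disable IPv6 Redirect Acceptance (Not Scored)")
check_equal(
    "/sbin/sysctl net.ipv6.conf.all.accept_redirects",
    'error: "net.ipv6.conf.all.accept_redirects" is an unknown key',
)
check_equal(
    "/sbin/sysctl net.ipv6.conf.default.accept_redirects",
    'error: "net.ipv6.conf.default.accept_redirects" is an unknown key',
)
# print_header("4.4.2 Disable IPv6 (Not Scored)")
# Bug fix: the original passed ('options ipv6 disable=1') -- a parenthesised
# string, not a tuple -- while every other check_equals call in this file
# passes a tuple of expected lines. The trailing comma makes it a 1-tuple.
# NOTE(review): with more than one file in /etc/modprobe.d, grep prefixes each
# match with its filename; confirm check_equals tolerates that (or use grep -h).
check_equals('grep ipv6 /etc/modprobe.d/*', ('options ipv6 disable=1',))
check_equal('grep net-pf-10 /etc/modprobe.d/*', 'alias net-pf-10 off')
check_equal("grep NETWORKING_IPV6 /etc/sysconfig/network", "NETWORKING_IPV6=no")
check_equal("grep IPV6INIT /etc/sysconfig/network", "IPV6INIT=no")
# print_header("4.5 Install TCP Wrappers")
# print_header("4.5.1 Install TCP Wrappers (Not Scored)")
check_equal_re("rpm -q tcp_wrappers", "tcp_wrappers-.*")
# print_header("4.5.2 Create /etc/hosts.allow (Not Scored)")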
check_equal("/sbin/modprobe -n -v hfs", "install /bin/true") check_empty("/sbin/lsmod | grep hfs") # print_header("1.1.22 Disable Mounting of hfsplus Filesystems (Not Scored)") check_equal("/sbin/modprobe -n -v hfsplus", "install /bin/true") check_empty("/sbin/lsmod | grep hfsplus") # print_header("1.1.23 Disable Mounting of squashfs Filesystems (Not Scored)") check_equal("/sbin/modprobe -n -v squashfs", "install /bin/true") check_empty("/sbin/lsmod | grep squashfs") # print_header("1.1.24 Disable Mounting of udf Filesystems (Not Scored)") check_equals("/sbin/modprobe -n -v udf", (None, "install /bin/true")) check_empty("/sbin/lsmod | grep udf") # print_header("1.2 Configure Software Updates") # print_header("1.2.1 Configure Connection to the RHN RPM Repositories (Not Scored)") check_return_code("yum check-update", 0) print_info("We are using centos and not red hat. Check manually if we are " + "connected to sunet.") # print_header("1.2.2 Verify Red Hat GPG Key is Installed (Scored)") check_equal( 'rpm -q --queryformat "%{SUMMARY}\\n" gpg-pubkey', "gpg(CentOS-6 Key (CentOS 6 Official Signing Key) <*****@*****.**>)",