def check(self): transport = get_transport('unix') result = transport.send_command( 'systemctl list-unit-files --plain --no-legend --no-pager') if result.ExitStatus != 0: self.control.not_applicable() service_list = [ item for item in SystemdUnitFiles(result.Output) if item.Name == 'auditd' ] if not service_list: self.control.not_compliance( result=f'There is not any auditd service') return auditd_service = service_list[0] if auditd_service.State != systemd.ENABLED: self.control.not_compliance( result= f'{auditd_service.UnitName} state is {auditd_service.State}') return self.control.compliance( result=f'{auditd_service.UnitName} state is {auditd_service.State}' )
def check(self): transport = get_transport('unix') result = transport.send_command('mount') separated = dict((item.Path, item.Device) for item in MountFinditer(text=result.Output) if item.Path in self.path_list) missed_paths = [ path for path in self.path_list if path not in separated ] results = [] for path, device in sorted(separated.items()): results.append(f'{path} has been mounted on {device}') for path in sorted(missed_paths): results.append( f'{path} has not been mounted on separate partition') result = '\n'.join(results) if not missed_paths: self.control.compliance(result=result) else: self.control.not_compliance(result=result)
def check(self): transport = get_transport('unix') lsmod_result = transport.send_command('lsmod') lsmod = [item.Name for item in LsmodParser(text=lsmod_result.Output)] is_compliance = True results = [] for fs in self.file_systems: if fs in lsmod: is_compliance = False results.append(f'{fs} is loaded') continue modprobe_status = transport.send_command(f'modprobe -n -v {fs}') if 'install /bin/true' not in modprobe_status.Output: is_compliance = False results.append(f'{fs} is not disabled') continue results.append(f'{fs} is disabled') result = '\n'.join(results) if is_compliance: self.control.compliance(result=result) else: self.control.not_compliance(result=result)
def check(self): transport = get_transport('unix') passwd = transport.get_file_content('/etc/passwd').Output shadow = transport.get_file_content('/etc/shadow').Output inittab = transport.get_file_content('/etc/inittab').Output sysconfig_init = transport.get_file_content( '/etc/sysconfig/init').Output errors = [] if not self._root_has_password(passwd, shadow): errors.append(f'User root does not have password') if not self._ok_inittab(inittab): errors.append(f'Inittab does not have correct line') if not self._ok_sysconfig(sysconfig_init): errors.append( f'/etc/sysconfig/init does not have right attribute SINGLE') if not errors: self.control.compliance( result='Single user mode is protected with password') return self.control.not_compliance(result='\n'.join(errors))
def detect(self): transport = get_transport('unix') result = transport.get_file_content('/etc/os-release') if not result.Output: return False os_release = KeyValueParser(text=result.Output) return os_release.ID == linux_id.UBUNTU
def detect(self): transport = get_transport('unix') command = 'readlink -f /proc/1/exe' result = transport.send_command(command) if not result.Output: return False return result.Output == '/sbin/init'
def detect(self): transport = get_transport('unix') command = 'initctl --version' result = transport.send_command(command) if not result.Output: return False return 'upstart' in result.Output
def detect(self): transport = get_transport('unix') command = 'readlink -f /proc/1/exe' result = transport.send_command(command) if not result.Output: return False return result.Output in ('/lib/systemd/systemd', '/usr/lib/systemd/systemd')
def detect(self): transport = get_transport('ssh') result = transport.interactive_command('uname -s') if result.ExitStatus != 0: return False if result.Output and unameOS(result.Output) is not None: return True return False
def detect(self): transport = get_transport('unix') command = 'uname -s' result = transport.send_command(command) if result.ExitStatus != 0: self.logger.error(f'Wrong execution {command!r}: {result.Output}') return False if result.Output and unameOS(result.Output) == os.SOLARIS: return True return False
def check(self): transport = get_transport('unix') file_contents = {} for file, path in product(sorted(self.files), systemd.UNIT_PATHS): if file in file_contents: continue result = transport.get_file_content( str(Path(path, self.files[file]))) if result.ExitStatus != 0: continue if not result.Output: continue file_contents[file] = SystemdUnitParser(result.Output).get_dict() if not file_contents: self.control.not_compliance( result=f'There are not files {", ".join(self.files.values())}') return errors = [] rights_value = [] for file, config in file_contents.items(): file = self.files[file] value = config.get('Service', {}).get('ExecStart', None) if value is None: errors.append(f'{file} does not have ' f'"ExecStart" in section "Service"') continue right = next( (val for val in value if 'systemd-sulogin-shell' in val or '/sbin/sulogin' in val), None) if right is None: errors.append( f'{file} has wrong "ExecStart" value = "{value[0]}"') continue rights_value.append(f'{file} has right value = "{right}"') result = '\n'.join(chain(rights_value, errors)) if not errors: self.control.compliance(result=result) else: self.control.not_compliance(result=result)
def check(self): transport = get_transport('unix') result = transport.get_file_content('/etc/passwd') user_list = [ item.Name for item in PasswdParser(content=result.Output) if item.UID < 1000 if item.Name not in ['root', 'sync', 'shutdown', 'halt'] if item.Shell != '/usr/sbin/nologin' ] if len(user_list) > 0: self.control.not_compliance( result= f'{len(user_list)} system accounts are not protected: {",".join(user_list)}' ) return self.control.compliance(result=f'System accounts are secured')
def check(self): transport = get_transport('unix') stat_result = transport.stat_file(' '.join(map(quote, self.file_paths))) is_compliance = True results = [] for item in sorted( StatsParser(stat_result.Output), key=attrgetter('Name')): if item.Type != file_type.FILE: continue results.append( f'{item.Name} {item.Owner}:{item.GroupOwner} ' f'{item.Permissions:o}') if item.Permissions != 0o600: is_compliance = False if item.Owner != 'root': is_compliance = False if item.GroupOwner != 'root': is_compliance = False result = '\n'.join(results) if not result: self.control.not_applicable() return if is_compliance: self.control.compliance( result=result ) else: self.control.not_compliance( result=result )
def check(self): transport = get_transport('unix') boot_configs = {} for file in self.file_paths: result = transport.get_file_content(file) if result.ExitStatus != 0: continue boot_configs[file] = result.Output if not boot_configs: self.control.not_applicable() is_compliance = False results = [] for file_name, content in boot_configs.items(): if not content: continue lines = [ f'{file_name}:{number}:{line}' for number, line in enumerate( map(str.strip, content.splitlines()), 1) if line.startswith(self.password_strings) ] if not lines: continue results.extend(lines) is_compliance = True result = '\n'.join(results) if is_compliance: self.control.compliance(result=result) else: self.control.not_compliance(result='The password is not set up')
def check(self): transport = get_transport('unix') result = transport.send_command('mount') separated = { item.Path: item.Options for item in MountFinditer(text=result.Output) if item.Path in self.partitions } results = [] status = ControlStatus.Compliance for path, options in self.partitions.items(): if path not in separated: status = ControlStatus.NotCompliance results.append( f'{path} has not been mounted on separated partition') continue missing_options = ','.join(opt for opt in options if opt not in separated[path]) needed_options = ','.join(options) if not missing_options: results.append( f'{path} has been mounted with options "{needed_options}"') else: status = ControlStatus.NotCompliance results.append( f'{path} has been mounted without options "{missing_options}"' ) self.control.result = '\n'.join(results) self.control.status = status