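def check_system_disabled_when_auditLogs_are_full():
    """Check CIS 4.1.1.2: auditd acts when its log space runs out.

    Greps three keys out of ``/etc/audit/auditd.conf`` (via ``sudo``) and
    passes only when every key carries the expected value. The verdict is
    reported through ``source.return_function(passed, config)``; nothing is
    returned.
    """
    config = '4.1.1.2 Ensure system is disabled when audit logs are full (Scored)'
    # (command, expected line). The expected text is matched at the start of
    # a line rather than as a bare substring: ``grep space_left_action`` also
    # prints the ``admin_space_left_action`` line, and a plain ``in`` test
    # would let ``admin_space_left_action = email`` satisfy the
    # ``space_left_action`` check.
    checks = (
        ('sudo grep space_left_action /etc/audit/auditd.conf', 'space_left_action = email'),
        ('sudo grep action_mail_acct /etc/audit/auditd.conf', 'action_mail_acct = root'),
        ('sudo grep admin_space_left_action /etc/audit/auditd.conf', 'admin_space_left_action = halt'),
    )
    print('checking "' + config + '" ..... ')
    passed = True
    for command, expected in checks:
        # ``with`` closes the pipe (and reaps the child) once it has been read;
        # the original left every popen handle open.
        with os.popen(command) as pipe:
            terminal_output = pipe.read()
        pattern = r'^\s*' + re.escape(expected)
        if re.search(pattern, terminal_output, re.MULTILINE) is None:
            passed = False
    source.return_function(passed, config)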
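def check_tftp_server_not_enabled():
    """Check CIS 2.1.4: the tftp service is not enabled.

    Reads ``chkconfig --list``, strips spaces, and passes when the
    ``tftp::off`` fragment is present. The verdict goes to
    ``source.return_function``; nothing is returned.
    """
    config = '2.1.4 Ensure tftp server are not enabled (Scored)'
    command = 'chkconfig --list'
    expected = 'tftp::off'
    print('checking "' + config + '" ..... ')
    # Close the pipe after reading; the original leaked the handle.
    with os.popen(command) as pipe:
        # Only spaces are removed, so column padding is ignored. NOTE(review):
        # if chkconfig separates columns with tabs on the target host this
        # fragment will not match - verify against real output.
        listing = pipe.read().replace(' ', '')
    # No chkconfig (or no tftp entry) yields no match and a failing verdict.
    source.return_function(expected in listing, config)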
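def check_permissions_on_etc_hosts_allow_isConfigured():
    """Check CIS 3.4.4: /etc/hosts.allow is mode 0644 and owned by root:root.

    Compares the ``stat`` output, with spaces removed, against the expected
    ``Access:(0644/-rw-r--r--)Uid:(0/root)Gid:(0/root)`` fragment and reports
    the verdict through ``source.return_function``.
    """
    config = '3.4.4 Ensure permissions on /etc/hosts.allow are configured (Scored)'
    command = 'stat /etc/hosts.allow'
    expected = 'Access:(0644/-rw-r--r--)Uid:(0/root)Gid:(0/root)'
    print('checking "' + config + '" ..... ')
    # Close the pipe after reading; the original leaked the handle.
    with os.popen(command) as pipe:
        # Drop spaces so stat's column padding cannot break the comparison.
        stat_output = pipe.read().replace(' ', '')
    # stat reports a missing file on stderr, which os.popen does not capture,
    # so an absent file produces an empty string and a failing verdict.
    source.return_function(expected in stat_output, config)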
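def check_aide_installed():
    """Check CIS 1.3.1: the AIDE package is installed.

    Runs ``rpm -q aide`` and fails when the output contains
    ``not installed``. The verdict goes to ``source.return_function``;
    nothing is returned.
    """
    config = ' 1.3.1 Ensure AIDE is installed (Scored)'
    command = 'rpm -q aide'
    # Close the pipe after reading; the original leaked the handle.
    with os.popen(command) as pipe:
        terminal_output = pipe.read()
    # rpm -q prints a line containing "not installed" for an absent package.
    is_installed = re.search(r'not installed', terminal_output) is None
    source.return_function(is_installed, config)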
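def check_ntp_configured():
    """Check CIS 2.2.1.2: ntp restrict lines are configured.

    Greps the ``restrict`` lines from ``/etc/ntp.conf`` and passes only when
    both the IPv4 and IPv6 default restrictions are present verbatim. The
    verdict goes to ``source.return_function``; nothing is returned.
    """
    config = '2.2.1.2 Ensure ntp is configured (Scored)'
    command = 'grep "^restrict" /etc/ntp.conf'
    expected_lines = (
        'restrict -4 default kod nomodify notrap nopeer noquery',
        'restrict -6 default kod nomodify notrap nopeer noquery',
    )
    print('checking "' + config + '" ..... ')
    # Close the pipe after reading; the original leaked the handle.
    with os.popen(command) as pipe:
        restrict_lines = pipe.read()
    # Substring match: option order and spacing must be exactly as expected.
    passed = all(line in restrict_lines for line in expected_lines)
    source.return_function(passed, config)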
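def check_updates_patches_installed():
    """Check CIS 1.8: no pending package updates.

    Runs ``yum check-update`` and decides purely on its exit status:
    100 means updates are available (fail), 0 means none (pass), anything
    else is reported as ``error`` without a verdict. Nothing is returned.
    """
    config = '1.8 Ensure updates, patches, and additional security software are installed (Not Scored)'
    print('checking "' + config + '" ..... ')
    command = 'yum check-update'
    # Output is consumed and discarded; only the exit status matters.
    process = Popen(shlex.split(command), stdout=PIPE)
    process.communicate()  # waits for exit, so returncode is populated
    exit_code = process.returncode
    # Compare as integers. The original tested ``'100' in str(code)`` and
    # ``'0' in str(code)``, which accepts any status containing the digit 0.
    if exit_code == 100:
        source.return_function(False, config)
    elif exit_code == 0:
        source.return_function(True, config)
    else:
        print('error')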
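def check_time_sync_is_used():
    """Check CIS 2.2.1.1: a time synchronization package is installed.

    Queries rpm for ``ntp`` and ``chrony`` and passes when at least one of
    them is installed. The verdict goes to ``source.return_function``;
    nothing is returned.
    """
    config = '2.2.1.1 Ensure time synchronization is in use (Not Scored)'
    commands = ('rpm -q ntp', 'rpm -q chrony')
    not_installed = 'not installed'
    print('checking "' + config + '" ..... ')
    missing = []
    for command in commands:
        # Close each pipe after reading; the original leaked the handles.
        with os.popen(command) as pipe:
            missing.append(not_installed in pipe.read())
    # Fails only when neither package is present.
    source.return_function(not all(missing), config)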
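def check_NFS_and_RPC_not_installed():
    """Check CIS 2.2.7: the nfs and rpcbind units are not enabled.

    Asks systemd whether each unit is enabled and passes only when both
    report ``disabled``. The verdict goes to ``source.return_function``;
    nothing is returned.
    """
    config = '2.2.7 Ensure NFS and RPC are not enabled (Scored)'
    commands = ('systemctl is-enabled nfs', 'systemctl is-enabled rpcbind')
    expected = 'disabled'
    print('checking "' + config + '" ..... ')
    results = []
    for command in commands:
        # Close each pipe after reading; the original leaked the handles.
        with os.popen(command) as pipe:
            results.append(expected in pipe.read())
    # A unit that does not exist prints nothing on stdout and therefore fails.
    source.return_function(all(results), config)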
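def check_core_dumps_restricted():
    """Check CIS 1.5.1: core dumps are restricted.

    Requires an active ``hard core 0`` limit in limits.conf / limits.d and
    ``fs.suid_dumpable = 0`` from sysctl. The verdict goes to
    ``source.return_function``; nothing is returned.
    """
    config = '1.5.1 Ensure core dumps are restricted (Scored)'
    command1 = 'grep "hard core" /etc/security/limits.conf /etc/security/limits.d/*'
    command2 = 'sysctl fs.suid_dumpable'
    # Close each pipe after reading; the original leaked the handles.
    with os.popen(command1) as pipe:
        limits_output = pipe.read()
    with os.popen(command2) as pipe:
        sysctl_output = pipe.read()
    # Accept "hard core 0" only when no '#' precedes it on the line, so a
    # commented-out example does not count as the limit being set. (grep
    # prefixes each line with "file:" when it searches several files.)
    limits_ok = re.search(r'^[^#\n]*hard core 0', limits_output, re.MULTILINE) is not None
    # Escape the dots so they do not act as wildcards.
    sysctl_ok = re.search(r'fs\.suid_dumpable = 0', sysctl_output) is not None
    source.return_function(limits_ok and sysctl_ok, config)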
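def check_tcp_wrappers_is_installed():
    """Check that both TCP Wrappers packages are installed.

    Queries rpm for ``tcp_wrappers`` and ``tcp_wrappers-libs`` and passes
    only when neither reports ``not installed``. The verdict goes to
    ``source.return_function``; nothing is returned.
    """
    config = 'Ensure TCP Wrappers is installed (Scored)'
    commands = ('rpm -q tcp_wrappers', 'rpm -q tcp_wrappers-libs')
    not_installed = 'not installed'
    print('checking "' + config + '" ..... ')
    missing = []
    for command in commands:
        # Close each pipe after reading; the original leaked the handles.
        with os.popen(command) as pipe:
            missing.append(not_installed in pipe.read())
    # Both packages are required. The original only failed when BOTH were
    # missing, so a host with just one of them was reported compliant.
    source.return_function(not any(missing), config)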
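def check_source_routed_packets_not_accepted():
    """Check CIS 3.2.1: source-routed packets are not accepted.

    Reads the ``all`` and ``default`` ``accept_source_route`` sysctls and
    passes only when both are 0. The verdict goes to
    ``source.return_function``; nothing is returned.
    """
    config = '3.2.1 Ensure source routed packets are not accepted (Scored)'
    expectations = (
        ('sysctl net.ipv4.conf.all.accept_source_route', 'net.ipv4.conf.all.accept_source_route = 0'),
        ('sysctl net.ipv4.conf.default.accept_source_route', 'net.ipv4.conf.default.accept_source_route = 0'),
    )
    print('checking "' + config + '" ..... ')
    results = []
    for command, expected in expectations:
        # Close each pipe after reading; the original leaked the handles.
        with os.popen(command) as pipe:
            results.append(expected in pipe.read())
    source.return_function(all(results), config)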
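def check_secure_ICMP_redirect_are_not_accepted():
    """Check CIS 3.2.3: secure ICMP redirects are not accepted.

    Reads the ``all`` and ``default`` ``secure_redirects`` sysctls and
    passes only when both are 0. The verdict goes to
    ``source.return_function``; nothing is returned.
    """
    config = '3.2.3 Ensure secure ICMP redirects are not accepted (Scored)'
    expectations = (
        ('sysctl net.ipv4.conf.all.secure_redirects', 'net.ipv4.conf.all.secure_redirects = 0'),
        ('sysctl net.ipv4.conf.default.secure_redirects', 'net.ipv4.conf.default.secure_redirects = 0'),
    )
    print('checking "' + config + '" ..... ')
    results = []
    for command, expected in expectations:
        # Close each pipe after reading; the original leaked the handles.
        with os.popen(command) as pipe:
            results.append(expected in pipe.read())
    source.return_function(all(results), config)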
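def check_reverse_path_filtering_enabled():
    """Check CIS 3.2.7: reverse path filtering is enabled.

    Reads the ``all`` and ``default`` ``rp_filter`` sysctls and passes only
    when both are 1. The verdict goes to ``source.return_function``; nothing
    is returned.
    """
    config = '3.2.7 Ensure Reverse Path Filtering is enabled (Scored)'
    expectations = (
        ('sysctl net.ipv4.conf.all.rp_filter', 'net.ipv4.conf.all.rp_filter = 1'),
        ('sysctl net.ipv4.conf.default.rp_filter', 'net.ipv4.conf.default.rp_filter = 1'),
    )
    print('checking "' + config + '" ..... ')
    results = []
    for command, expected in expectations:
        # Close each pipe after reading; the original leaked the handles.
        with os.popen(command) as pipe:
            results.append(expected in pipe.read())
    source.return_function(all(results), config)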
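def check_rds_is_disabled():
    """Check CIS 3.5.3: the rds kernel module is disabled.

    Passes only when ``modprobe -n -v rds`` shows the module diverted to
    ``/bin/true`` and ``lsmod | grep rds`` prints nothing (module not
    loaded). The verdict goes to ``source.return_function``; nothing is
    returned.
    """
    config = '3.5.3 Ensure rds is disabled (Not Scored)'
    command1 = 'modprobe -n -v rds'
    expected_modprobe = 'install /bin/true'
    command2 = 'lsmod | grep rds'
    print('checking "' + config + '" ..... ')
    # Close each pipe after reading; the original leaked the handles.
    with os.popen(command1) as pipe:
        modprobe_output = pipe.read()
    with os.popen(command2) as pipe:
        lsmod_output = pipe.read()
    not_loaded = lsmod_output == ''
    source.return_function(expected_modprobe in modprobe_output and not_loaded, config)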
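def check_suspicious_packets_are_logged():
    """Check CIS 3.2.4: martian packets are logged.

    Reads the ``all`` and ``default`` ``log_martians`` sysctls and passes
    only when both are 1. The verdict goes to ``source.return_function``;
    nothing is returned.
    """
    config = '3.2.4 Ensure suspicious packets are logged (Scored)'
    expectations = (
        ('sysctl net.ipv4.conf.all.log_martians', 'net.ipv4.conf.all.log_martians = 1'),
        ('sysctl net.ipv4.conf.default.log_martians', 'net.ipv4.conf.default.log_martians = 1'),
    )
    print('checking "' + config + '" ..... ')
    results = []
    for command, expected in expectations:
        # Close each pipe after reading; the original leaked the handles.
        with os.popen(command) as pipe:
            results.append(expected in pipe.read())
    source.return_function(all(results), config)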
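def check_IPv6_router_ads_not_accepted():
    """Check CIS 3.3.1: IPv6 router advertisements are not accepted.

    Reads the ``all`` and ``default`` ``accept_ra`` sysctls and passes only
    when both are 0. The verdict goes to ``source.return_function``; nothing
    is returned.
    """
    config = '3.3.1 Ensure IPv6 router advertisements are not accepted (Scored)'
    expectations = (
        ('sysctl net.ipv6.conf.all.accept_ra', 'net.ipv6.conf.all.accept_ra = 0'),
        ('sysctl net.ipv6.conf.default.accept_ra', 'net.ipv6.conf.default.accept_ra = 0'),
    )
    print('checking "' + config + '" ..... ')
    results = []
    for command, expected in expectations:
        # Close each pipe after reading; the original leaked the handles.
        with os.popen(command) as pipe:
            results.append(expected in pipe.read())
    source.return_function(all(results), config)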
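def check_packet_redirect_sending_is_disabled():
    """Check CIS 3.1.2: ICMP redirect sending is disabled.

    Reads the ``all`` and ``default`` ``send_redirects`` sysctls and passes
    only when both are 0. The verdict goes to ``source.return_function``;
    nothing is returned.
    """
    config = '3.1.2 Ensure packet redirect sending is disabled (Scored)'
    expectations = (
        ('sysctl net.ipv4.conf.all.send_redirects', 'net.ipv4.conf.all.send_redirects = 0'),
        ('sysctl net.ipv4.conf.default.send_redirects', 'net.ipv4.conf.default.send_redirects = 0'),
    )
    print('checking "' + config + '" ..... ')
    results = []
    for command, expected in expectations:
        # Close each pipe after reading; the original leaked the handles.
        with os.popen(command) as pipe:
            results.append(expected in pipe.read())
    source.return_function(all(results), config)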
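def check_default_deny_firewall_policy():
    """Check that the INPUT, FORWARD and OUTPUT chains default to DROP.

    Lists the iptables filter table via ``sudo`` and passes only when all
    three chain headers show ``policy DROP``. This inspects the IPv4 table
    only; ip6tables is not consulted. The verdict goes to
    ``source.return_function``; nothing is returned.
    """
    config = 'Ensure default deny firewall policy (Scored)'
    command = 'sudo iptables -L'
    print('checking "' + config + '" ..... ')
    expected_chains = (
        'Chain INPUT (policy DROP)',
        'Chain FORWARD (policy DROP)',
        'Chain OUTPUT (policy DROP)',
    )
    # Close the pipe after reading; the original leaked the handle.
    with os.popen(command) as pipe:
        ruleset = pipe.read()
    passed = all(chain in ruleset for chain in expected_chains)
    source.return_function(passed, config)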
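def check_rsh_server_not_enabled():
    """Check CIS 2.2.17: the rsh, rlogin and rexec sockets are not enabled.

    Asks systemd whether each socket unit is enabled and passes only when
    all three report ``disabled``. The verdict goes to
    ``source.return_function``; nothing is returned.
    """
    config = '2.2.17 Ensure rsh server is not enabled (Scored)'
    commands = (
        'systemctl is-enabled rsh.socket',
        'systemctl is-enabled rlogin.socket',
        'systemctl is-enabled rexec.socket',
    )
    expected = 'disabled'
    results = []
    for command in commands:
        # Close each pipe after reading; the original leaked the handles.
        with os.popen(command) as pipe:
            results.append(expected in pipe.read())
    # A unit that does not exist prints nothing on stdout and therefore fails.
    source.return_function(all(results), config)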
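def check_chrony_is_configured():
    """Check CIS 2.2.1.3: chrony has time sources and runs as the chrony user.

    Counts ``server`` lines in ``/etc/chrony.conf`` and checks that
    ``/etc/sysconfig/chronyd`` sets ``OPTIONS="-u chrony"``. The verdict goes
    to ``source.return_function``; nothing is returned.
    """
    config = '2.2.1.3 Ensure chrony is configured (Scored)'
    command1 = 'grep "^server" /etc/chrony.conf | wc -l'
    command2 = 'grep ^OPTIONS /etc/sysconfig/chronyd'
    minimum_servers = 1
    expected_options = 'OPTIONS="-u chrony"'
    # Close each pipe after reading; the original leaked the handles.
    with os.popen(command1) as pipe:
        first_line = pipe.read().split('\n')[0]
    try:
        server_count = int(first_line)
    except ValueError:
        # Nothing parseable from wc (e.g. the pipeline did not run); the
        # original raised here. Treat it as "no servers configured".
        server_count = 0
    # NOTE(review): the comparison is strict, so a single server line does
    # not pass - confirm that two or more sources is the intended bar.
    enough_servers = server_count > minimum_servers
    with os.popen(command2) as pipe:
        options_output = pipe.read()
    source.return_function(enough_servers and expected_options in options_output, config)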
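def check_singleUserMode_authentication():
    """Check CIS 1.4.3: rescue and emergency mode require authentication.

    Greps ``/sbin/sulogin`` out of the rescue and emergency unit files and
    passes only when both contain the expected ``ExecStart`` line. The
    verdict goes to ``source.return_function``; nothing is returned.
    """
    config = '1.4.3 Ensure authentication required for single user mode (Not Scored)'
    commands = (
        'grep /sbin/sulogin /usr/lib/systemd/system/rescue.service',
        'grep /sbin/sulogin /usr/lib/systemd/system/emergency.service',
    )
    expected_output = re.compile(
        r'ExecStart=-/bin/sh -c "/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block default'
    )
    results = []
    for command in commands:
        # Close each pipe after reading; the original leaked the handles.
        with os.popen(command) as pipe:
            results.append(expected_output.search(pipe.read()) is not None)
    source.return_function(all(results), config)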
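def check_gdm_login_banner_configured():
    """Check CIS 1.7.2: the GDM login banner is configured.

    Relies on the module-level helpers ``check_file_exits`` and
    ``check_file_contents``; passes only when both report success. Prints a
    message when the file is absent. The verdict goes to
    ``source.return_function``; nothing is returned.
    """
    config = '1.7.2 Ensure GDM login banner is configured (Scored)'
    print('checking "' + config + '" ..... ')
    # Both helpers are still called up front, as in the original, so any
    # output they produce is unchanged.
    gdm_file_exists = check_file_exits()
    gdm_file_contents = check_file_contents()
    # Any non-true helper result counts as a failure. The original tested
    # ``== False``, which let a ``None`` result pass as success.
    if not gdm_file_exists:
        print('gdm file does not exist')
        source.return_function(False, config)
        return
    source.return_function(bool(gdm_file_contents), config)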
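def check_time_services_not_enabled():
    """Check CIS 2.1.4: the time-dgram and time-stream services are off.

    Reads ``chkconfig --list``, strips spaces, and passes only when both
    ``time-dgram:off`` and ``time-stream:off`` are present. The verdict goes
    to ``source.return_function``; nothing is returned.
    """
    config = '2.1.4 Ensure time services are not enabled (Scored)'
    command = 'chkconfig --list'
    expected = ('time-dgram:off', 'time-stream:off')
    print('checking "' + config + '" ..... ')
    # Close the pipe after reading; the original leaked the handle.
    with os.popen(command) as pipe:
        # Only spaces are removed, so column padding is ignored. NOTE(review):
        # tab-separated columns would not match - verify against real output.
        listing = pipe.read().replace(' ', '')
    # Flattened from the original nested if/else; same truth table.
    source.return_function(all(item in listing for item in expected), config)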