__version__ = "1.0.0"
__status__ = "Production"

from utils import (
    check_empty,
    check_equal,
    check_equal_re,
    check_equals,
    check_not_empty,
    check_return_code,
    print_header,
    view_output,
    print_warning,
    print_info,
)

# CIS benchmark audit, section 9 (System Maintenance).
#
# Every check below shells out through the `utils` helpers and compares the
# command's output with an expected value.  Whether `check_equal` does an
# exact or a substring comparison is defined in utils, not visible here.
# The section layout of the original file was a bare `#` separator line
# followed by a live `print_header(...)` call; that layout is reproduced.

#
print_header("9 System Maintenance")
#
print_header("9.1 Verify System File Permissions)")  # stray ')' is in the original title
#
print_header("9.1.1 Verify System File Permissions (Not Scored)")
# The --nomtime/--nosize/--nomd5/--nolinkto flags deliberately suppress
# those rpm verify tests, so this listing reports ownership/mode/capability
# drift but NOT content changes -- hence the "check manually" warning.
print_warning("Check manually for changed files.")
view_output("rpm -Va --nomtime --nosize --nomd5 --nolinkto")

# 9.1.2 - 9.1.4: (mode, uid, gid) of the account databases.  `stat -c "%a"`
# prints a 000 mode as "0", which is why shadow/gshadow expect "0 0 0".
# NOTE(review): the trailing `egrep` filter means a wrong mode yields EMPTY
# output rather than the actual mode, so a failure message will not show
# what the permissions really are.
_ACCOUNT_FILE_PERMISSION_CHECKS = (
    ("9.1.2 Verify Permissions on /etc/passwd (Scored)", "/etc/passwd", "644 0 0"),
    ("9.1.3 Verify Permissions on /etc/shadow (Scored)", "/etc/shadow", "0 0 0"),
    ("9.1.4 Verify Permissions on /etc/gshadow (Scored)", "/etc/gshadow", "0 0 0"),
)
for cis_title, audited_file, expected_perms in _ACCOUNT_FILE_PERMISSION_CHECKS:
    #
    print_header(cis_title)
    check_equal(
        'stat -c "%a %u %g" {0} | egrep "{1}"'.format(audited_file, expected_perms),
        expected_perms,
    )

#
print_header("9.1.5 Verify Permissions on /etc/group (Scored)")
# CIS section 1.1 (filesystem layout), continued from the previous chunk:
# the enclosing 1.1.8 header precedes this line and is not visible here.
# The original file used a bare `#` separator line before each live
# `print_header(...)`; that layout is reproduced.
check_equal("grep '/var/log/audit ' /etc/fstab", "/var/log/audit")
#
print_header("1.1.9 Create Separate Partition for /home (Scored)")
# The trailing space inside the quoted pattern anchors on the mount-point
# field so that e.g. "/home2" does not satisfy the check.
check_equal("grep '/home ' /etc/fstab", "/home")
#
print_header("1.1.10 Add nodev Option to /home (Scored)")
# NOTE(review): unlike 1.1.9 these patterns have no trailing space, so any
# fstab or mount line merely containing "/home" (a device path, a comment)
# can satisfy them -- worth tightening if false positives matter.
check_equal("grep /home /etc/fstab", "nodev")
check_equal("mount | grep /home", "nodev")

# 1.1.11 - 1.1.13: removable media can only be reviewed by hand, so each
# item prints a warning and dumps /etc/fstab for the operator.
_REMOVABLE_MEDIA_REVIEWS = (
    (
        "1.1.11 Add nodev Option to Removable Media Partitions (Not Scored)",
        "Check manually for nodev on removable media.",
    ),
    (
        "1.1.12 Add noexec Option to Removable Media Partitions (Not Scored)",
        "Check manually for noexec on removable media.",
    ),
    (
        "1.1.13 Add nosuid Option to Removable Media Partitions (Not Scored)",
        "Check manually for nosuid on removable media.",
    ),
)
for cis_title, manual_review_hint in _REMOVABLE_MEDIA_REVIEWS:
    #
    print_header(cis_title)
    print_warning(manual_review_hint)
    view_output("cat /etc/fstab")

#
print_header("1.1.14 Add nodev Option to /dev/shm Partition (Scored)")
# CIS section 5.1 (rsyslog).  The original file used a bare `#` separator
# line before each live `print_header(...)`; that layout is reproduced.
print_header("5.1.1 Install the rsyslog package (Scored)")
check_equal_re("rpm -q rsyslog", "rsyslog.*")
#
print_header("5.1.2 Activate the rsyslog Service (Scored)")
# The legacy syslog package must be absent and not registered with
# chkconfig; rsyslog must be on in runlevels 2-5 only.
check_equal("rpm -q syslog", "package syslog is not installed")
check_empty("chkconfig --list | grep syslog")
check_equal_re(
    "chkconfig --list rsyslog",
    "rsyslog.*0:off.*1:off.*2:on.*3:on.*4:on.*5:on.*6:off",
)
#
print_header("5.1.3 Configure /etc/rsyslog.conf (Not Scored)")
print_warning("Manually review the contents of the /etc/rsyslog.conf file to ensure appropriate logging is set. ")
view_output("ls -l /var/log/")
#
print_header("5.1.4 Create and Set Permissions on rsyslog Log Files (Scored)")
# NOTE(review): this item has no check yet; the TODO is emitted through
# print_header rather than print_warning, so it looks like a section title
# in the report.
print_header(" TODO - Ensure that the log files are logging information")
#
print_header("5.1.5 Configure rsyslog to Send Logs to a Remote Log Host (Scored)")
# Both configured log hosts must appear as a "*.* @host" forwarding rule.
# In grep's basic regex a `*` directly after `^` is literal, so the pattern
# matches lines starting with "*.*" followed by whitespace and "@host".
# NOTE(review): the hostname from config is interpolated unescaped into a
# single-quoted shell argument and into the regex itself -- a `'` in it
# would break the quoting, and `.` matches any character.  If the config
# file is not trusted to the same degree as this script, quote the argument
# (e.g. shlex.quote) and re.escape the hostname.
# `config` is not imported in this chunk; it is assumed to be in scope.
for hostname_getter in ("get_log_server_hostname1", "get_log_server_hostname2"):
    remote_host = getattr(config.general, hostname_getter)()
    expect = "^*.*[^I][^I]*@{0}".format(remote_host)
    check_equal("grep '%s' /etc/rsyslog.conf" % expect, expect)
# check_empty('rpm -q rsyslog|grep "package rsyslog is not installed"')
# print_header("5.1.2 Activate the rsyslog Service (Scored)") check_equal( "rpm -q syslog", "package syslog is not installed" ) check_empty("chkconfig --list | grep syslog") check_equal_re( "chkconfig --list rsyslog", "rsyslog.*0:off.*1:off.*2:on.*3:on.*4:on.*5:on.*6:off" ) # print_header("5.1.3 Configure /etc/rsyslog.conf (Not Scored)") print_warning("Manually review the contents of the /etc/rsyslog.conf file to ensure appropriate logging is set. ") view_output("ls -l /var/log/") # print_header("5.1.4 Create and Set Permissions on rsyslog Log Files (Scored)") print_header(" TODO - Ensure that the log files are logging information") # print_header("5.1.5 Configure rsyslog to Send Logs to a Remote Log Host (Scored)") expect = "^*.*[^I][^I]*@{0}".format(config.general.get_log_server_hostname1()) check_equal( "grep '%s' /etc/rsyslog.conf" % expect, expect ) expect = "^*.*[^I][^I]*@{0}".format(config.general.get_log_server_hostname2()) check_equal(
) # print_header("4.2.8 Enable TCP SYN Cookies (Scored)") check_equal( "/sbin/sysctl net.ipv4.tcp_syncookies", "net.ipv4.tcp_syncookies = 1" ) # print_header("4.3 Wireless Networking") # print_header("4.3.1 Deactivate Wireless Interfaces (Not Scored)") print_warning("Check manually for wireless interfaces.") view_output("ifconfig -a") # print_header("4.4 Disable IPv6") # print_header("4.4.1 Configure IPv6") # print_header("4.4.1.1 Disable IPv6 Router Advertisements (Not Scored)") check_equal( "/sbin/sysctl net.ipv6.conf.all.accept_ra", 'error: "net.ipv6.conf.all.accept_ra" is an unknown key' ) check_equal( "/sbin/sysctl net.ipv6.conf.default.accept_ra",
"net.ipv4.conf.all.rp_filter = 1") check_equal("/sbin/sysctl net.ipv4.conf.default.rp_filter", "net.ipv4.conf.default.rp_filter = 1") # print_header("4.2.8 Enable TCP SYN Cookies (Scored)") check_equal("/sbin/sysctl net.ipv4.tcp_syncookies", "net.ipv4.tcp_syncookies = 1") # print_header("4.3 Wireless Networking") # print_header("4.3.1 Deactivate Wireless Interfaces (Not Scored)") print_warning("Check manually for wireless interfaces.") view_output("ifconfig -a") # print_header("4.4 Disable IPv6") # print_header("4.4.1 Configure IPv6") # print_header("4.4.1.1 Disable IPv6 Router Advertisements (Not Scored)") check_equal("/sbin/sysctl net.ipv6.conf.all.accept_ra", 'error: "net.ipv6.conf.all.accept_ra" is an unknown key') check_equal("/sbin/sysctl net.ipv6.conf.default.accept_ra", 'error: "net.ipv6.conf.default.accept_ra" is an unknown key') #
# CIS section 1.1 (filesystem layout), items 1.1.8 - 1.1.14.  The original
# file used a bare `#` separator line before each live `print_header(...)`;
# that layout is reproduced.
print_header("1.1.8 Create Separate Partition for /var/log/audit (Scored)")
# The trailing space inside the quoted patterns anchors on the mount-point
# field of /etc/fstab so that a longer path sharing the prefix does not match.
check_equal("grep '/var/log/audit ' /etc/fstab", "/var/log/audit")
#
print_header("1.1.9 Create Separate Partition for /home (Scored)")
check_equal("grep '/home ' /etc/fstab", "/home")
#
print_header("1.1.10 Add nodev Option to /home (Scored)")
# NOTE(review): these two patterns have no trailing space, so any fstab or
# mount line merely containing "/home" (a device path, a comment) can
# satisfy them -- worth tightening if false positives matter.
check_equal("grep /home /etc/fstab", "nodev")
check_equal("mount | grep /home", "nodev")

# 1.1.11 - 1.1.13: removable media can only be reviewed by hand, so each
# item prints a warning and dumps /etc/fstab for the operator.
_REMOVABLE_MEDIA_REVIEWS = (
    (
        "1.1.11 Add nodev Option to Removable Media Partitions (Not Scored)",
        "Check manually for nodev on removable media.",
    ),
    (
        "1.1.12 Add noexec Option to Removable Media Partitions (Not Scored)",
        "Check manually for noexec on removable media.",
    ),
    (
        "1.1.13 Add nosuid Option to Removable Media Partitions (Not Scored)",
        "Check manually for nosuid on removable media.",
    ),
)
for cis_title, manual_review_hint in _REMOVABLE_MEDIA_REVIEWS:
    #
    print_header(cis_title)
    print_warning(manual_review_hint)
    view_output("cat /etc/fstab")

#
print_header("1.1.14 Add nodev Option to /dev/shm Partition (Scored)")
# Both the configured (fstab) and the effective (mount) state must carry nodev.
check_equal("grep /dev/shm /etc/fstab | grep nodev", "nodev")
check_equal("mount | grep /dev/shm | grep nodev", "nodev")