예제 #1
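def _gpgcheck_setting(parser, section):
    """Return the ``gpgcheck`` value of *section* as a bool, or None if unset.

    yum accepts ``1``/``yes``/``true`` (any case) as "enabled". Every other
    value is returned as False so the caller reports it rather than crashing
    on a non-integer value.
    """
    try:
        raw_value = parser.get(section, "gpgcheck")
    except (ConfigParser.NoSectionError, ConfigParser.NoOptionError):
        return None
    return raw_value.strip().lower() in ("1", "yes", "true")


def run_tests():
    """Audit yum's GPG signature checking (RHEL-06-000013, RHEL-06-000015).

    Reports ok/error for the ``[main]`` section of /etc/yum.conf, then reports
    an error for every repository section under /etc/yum.repos.d/ whose
    effective ``gpgcheck`` is not enabled. Returns None; results go to
    ``console``.
    """
    console.heading("Packages")

    # Verify GPG check
    # RHEL-06-000013
    config = ConfigParser.RawConfigParser()
    try:
        config.read("/etc/yum.conf")
    except ConfigParser.Error as err:
        console.error("Unable to parse /etc/yum.conf: %s" % err)

    # None (option or section missing) is falsy: yum's built-in default for
    # gpgcheck is "off", so an unset value is reported as disabled.
    main_gpg_check = _gpgcheck_setting(config, "main")
    if main_gpg_check:
        console.ok("GPG checking is enabled in yum")
    else:
        console.error("GPG checking is disabled in yum")

    # Verify GPG check for all repos
    # RHEL-06-000015
    repo_dir = "/etc/yum.repos.d/"
    for repo_name in sorted(os.listdir(repo_dir)):
        # yum only loads *.repo files; backups or editor leftovers in this
        # directory are not part of the effective configuration.
        if not repo_name.endswith(".repo"):
            continue

        repo_file = repo_dir + repo_name
        repo_config = ConfigParser.RawConfigParser()
        try:
            repo_config.read(repo_file)
        except ConfigParser.Error as err:
            console.error("Unable to parse yum repo file %s: %s" %
                          (repo_file, err))
            continue

        for section in repo_config.sections():
            gpg_check = _gpgcheck_setting(repo_config, section)
            if gpg_check is None:
                # A repo without its own gpgcheck inherits the [main] value.
                gpg_check = main_gpg_check
            if not gpg_check:
                console.error("GPG checking is disabled in yum repo: %s" %
                              section)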
예제 #2
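def executable_file_tests():
    """Report group- or world-writable files in the system executable directories.

    Walks each directory in ``executable_locations`` recursively and, for every
    file, reports an error (followed by the file's octal mode on stdout) when
    ``is_group_writable`` or ``is_world_writable`` flags it. Files that cannot
    be stat'ed are reported instead of aborting the audit. Returns None.
    """
    executable_locations = [
        "/bin", "/usr/bin", "/usr/local/bin", "/sbin", "/usr/sbin",
        "/usr/local/sbin"
    ]

    # RHEL-06-000047
    for location in executable_locations:

        for dirname, _dirnames, filenames in os.walk(location):

            for filename in filenames:
                path = os.path.join(dirname, filename)

                # os.stat follows symlinks, so a link is judged by its target's
                # mode. A dangling link (or a file removed mid-walk) raises
                # OSError; report it and keep auditing the rest.
                try:
                    file_stats = os.stat(path)
                except OSError as err:
                    console.error(
                        "Unable to stat system executable file %s: %s" %
                        (path, err))
                    continue

                # Print the mode from the same stat result that was tested, so
                # the mode shown is the one the finding was based on.
                mode = oct(stat.S_IMODE(file_stats.st_mode))

                if is_group_writable(file_stats):
                    console.error(
                        "System executable file %s is group writable!" % path)
                    print(mode)

                if is_world_writable(file_stats):
                    console.error(
                        "System executable file %s is world writable!" % path)
                    print(mode)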
예제 #3
def run_tests():
    """Report, for each path in ``mount_points``, whether it is a mount point.

    Emits one ok or error line per path through ``console``. Returns None.
    """
    console.heading("System Mounts")

    for candidate in mount_points:
        is_mounted = os.path.ismount(candidate)

        # Guard clause: report the failure and move on to the next path.
        if not is_mounted:
            console.error("%s is not a mount point" % candidate)
            continue

        console.ok("%s is a mount point" % candidate)
예제 #4
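 def check_spece_left_action(self):
     """Report how auditd reacts when audit storage runs low (RHEL-06-000005).

     ``EMAIL`` is reported as ok, ``SYSLOG`` as a warning, and any other
     value, including a missing ``space_left_action`` key, as an error.
     Always returns None.
     """
     # .get() so that an absent key is reported as a finding instead of
     # aborting the audit with KeyError.
     # NOTE(review): the comparison is case-sensitive; confirm that the code
     # filling auditd_config normalises values to upper case.
     action = self.auditd_config.get('space_left_action')

     if action == "EMAIL":
         console.ok("Free space warning enabled in auditd")
         return None
     elif action == "SYSLOG":
         console.warning(
             "Free space warning is set to SYSLOG. Make sure this notifies the necessary individuals in a timely manner"
         )
         return None
     else:
         console.error("Free space warning not enabled in auditd")
         return None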
예제 #5
def run_tests():
    """Audit account settings: rsh trust files, passwd-file hashes, extra UID 0.

    Every finding is reported through ``console.error``; nothing is printed for
    checks that pass. Returns None.
    """
    console.heading("Authentication")

    # RHEL-06-000019: rsh trust files (system-wide and per home directory).
    equiv_present = os.path.isfile("/etc/hosts.equiv")
    if equiv_present:
        console.error("/etc/hosts.equiv file exists!")
    accounts = pwd.getpwall()
    for account in accounts:
        rhosts_path = account.pw_dir + "/.rhosts"
        if os.path.isfile(rhosts_path):
            console.error("%s exists!" % rhosts_path)

    # RHEL-06-000031: the password field in /etc/passwd should be 'x'.
    # Any other value is reported, which includes empty or locked fields, not
    # only real hashes.
    for account in accounts:
        if account.pw_passwd == 'x':
            continue
        console.error("User %s has a hashed password in /etc/passwd" %
                      account.pw_name)

    # RHEL-06-000032: only root may have UID 0.
    for account in accounts:
        if account.pw_uid == 0 and account.pw_name != 'root':
            console.error("User %s has a UID of 0" % account.pw_name)
예제 #6
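def rsyslog_file_tests():
    """Check ownership and permissions of the log files named in rsyslog.conf.

    Covers RHEL-06-000133, RHEL-06-000134 and RHEL-06-000135. Each entry from
    ``parsing.parse_config_file`` whose key does not start with ``$`` and whose
    value is not ``*`` is treated as a log file path. Findings go to
    ``console.error``; a target that cannot be stat'ed is reported and skipped
    rather than aborting the audit. Returns None.
    """
    rsyslog_config_file = "/etc/rsyslog.conf"
    rsyslog_config = parsing.parse_config_file(rsyslog_config_file, ' ')

    for selector, target in rsyslog_config.items():

        # We want the log files so we get rid of other config
        if selector.startswith("$"):
            continue

        # emerg.* gets written everywhere
        if target == "*":
            continue

        # Files that don't sync after every log are prefixed with "-"
        log_path = target.lstrip("-")

        # The target may not exist, or may not be a file path at all;
        # os.stat then raises OSError, which is reported as a finding.
        try:
            log_stats = os.stat(log_path)
        except OSError as err:
            console.error("Unable to stat log file %s: %s" % (log_path, err))
            continue

        if log_stats.st_uid != 0:
            console.error("%s is not owned by root!" % log_path)

        if log_stats.st_gid != 0:
            console.error("%s is not group owned by root!" % log_path)

        # presumably each helper returns the octal permission digit for its
        # class, so this flags anything beyond owner rw; verify the helpers.
        if (get_owner_permissions_int(log_stats) > 6
                or get_group_permissions_int(log_stats) > 0
                or get_world_permissions_int(log_stats) > 0):
            console.error("Permissions are too open on %s" % log_path)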
예제 #7
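 def wrapper(*args, **kwargs):
     # Calls the wrapped function. If it raises
     # UnikubeClusterUnavailableError, offers to bring the active project's
     # cluster up, waits for the API to become available, then calls the
     # function a second time. Exits with status 1 when the user declines or
     # the cluster does not come up in time.
     # (Kept as comments: the enclosing decorator is not visible here, so a
     # docstring could leak into the wrapped command's __doc__.)
     try:
         res = function(*args, **kwargs)
     except UnikubeClusterUnavailableError:
         error("Cannot reach local cluster.")
         project = ProjectManager().get_active()
         app = AppManager().get_active()
         if click.confirm(
                 f"Should we try to \"project up {project.get('name')}\"?"):
             K3D(project).up(ingress_port=None, workers=None)
             k8s = KubeAPI(project, app)

             # Poll every 0.5 s, at most max_retries times.
             max_retries = 30
             retry_count = 0
             while not k8s.is_available and retry_count < max_retries:
                 sleep(0.5)
                 retry_count += 1

             # Decide on the cluster state, not on the counter: comparing the
             # counter to a fixed value misses a real timeout and can flag a
             # cluster that became available on the final poll.
             if not k8s.is_available:
                 error("Could not up project.")
                 exit(1)
             res = function(*args, **kwargs)
         else:
             exit(1)
     return res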
예제 #8
def group_file_tests():
    """Check owner, group owner and mode of /etc/group.

    Covers RHEL-06-000042 (owner is root), RHEL-06-000043 (group owner is
    root) and RHEL-06-000044 (mode). Findings go to ``console.error``; nothing
    is reported for checks that pass. Returns None.
    """
    group_info = os.stat("/etc/group")

    # One (failed?, message) pair per rule, evaluated in rule order.
    # NOTE(review): the mode test is an exact match, so a stricter mode such
    # as 0600 is reported too; confirm that this is what the rule intends.
    findings = (
        (group_info.st_uid != 0, "/etc/group is not owned by root!"),
        (group_info.st_gid != 0, "/etc/group is not group owned by root!"),
        (stat.S_IMODE(group_info.st_mode) != 0o644,
         "/etc/group is not mode 644!"),
    )
    for failed, message in findings:
        if failed:
            console.error(message)
예제 #9
def passwd_file_tests():
    """Check owner, group owner and mode of /etc/passwd.

    Covers RHEL-06-000039, RHEL-06-000040 and RHEL-06-000041. Findings go to
    ``console.error``. Returns None.
    """
    target = "/etc/passwd"
    info = os.stat(target)
    owned_by_root = info.st_uid == 0
    group_is_root = info.st_gid == 0
    permission_bits = stat.S_IMODE(info.st_mode)

    # RHEL-06-000039
    if not owned_by_root:
        console.error("/etc/passwd is not owned by root!")

    # RHEL-06-000040
    if not group_is_root:
        console.error("/etc/passwd is not group owned by root!")

    # RHEL-06-000041
    # NOTE(review): exact match, so a stricter mode than 0644 is reported as
    # well; confirm that this is what the rule intends.
    if permission_bits != 0o644:
        console.error("/etc/passwd is not mode 644!")
예제 #10
def gshadow_file_tests():
    """Check owner, group owner and mode of /etc/gshadow.

    Covers RHEL-06-000036, RHEL-06-000037 and RHEL-06-000038. Findings go to
    ``console.error``. Returns None.
    """
    info = os.stat("/etc/gshadow")
    uid, gid = info.st_uid, info.st_gid

    # RHEL-06-000036
    if uid != 0:
        console.error("/etc/gshadow is not owned by root!")

    # RHEL-06-000037
    if gid != 0:
        console.error("/etc/gshadow is not group owned by root!")

    # RHEL-06-000038: any permission bit at all is a finding (mode must be 000).
    if stat.S_IMODE(info.st_mode):
        console.error("/etc/gshadow is not mode 000!")
예제 #11
 def check_suspend_ignore(self, key):
     """Report an error if auditd option *key* is missing, SUSPEND or IGNORE.

     Returns None; nothing is reported when the option holds another value.
     """
     settings = self.auditd_config
     # NOTE(review): the comparison is case-sensitive; confirm that the code
     # filling auditd_config normalises values to upper case.
     if key in settings.keys() and settings[key] not in ('SUSPEND', 'IGNORE'):
         return
     console.error("Auditd %s improperly set!" % key)
예제 #12
 def check_value(self, key, value, operator_function):
     """Report an error unless auditd option *key* compares well against *value*.

     ``operator_function(configured, value)`` decides whether the configured
     value is acceptable. A missing key is reported without calling it.
     Returns None.
     """
     settings = self.auditd_config
     # Guard clause: option present and comparison satisfied means no finding.
     if key in settings.keys() and operator_function(settings[key], value):
         return
     console.error("Auditd %s is not set to %s!" % (key, value))
예제 #13
 def check_value(self, key, value):
     """Report an error unless sshd option *key* is present and equals *value*.

     Returns None; nothing is reported when the option matches.
     """
     settings = self.sshd_config
     # NOTE(review): lookup and comparison are exact. sshd treats keywords
     # case-insensitively and uses the first occurrence of a keyword; confirm
     # that the parser that builds sshd_config accounts for both.
     mismatch = True
     if key in settings.keys():
         mismatch = settings[key] != value
     if mismatch:
         console.error("SSHd %s is not set to %s!" % (key, value))