def check_user_group_modifying_events():
    """CIS 4.1.5: audit rules watching the identity files must be present.

    The expectation is the five ``-w ... -k identity`` watch rules joined
    by single spaces; it is handed, together with the benchmark title and
    the grep probe, to ``source.output_isIn_terminal_output`` which does
    the actual comparison.
    """
    benchmark = '4.1.5 Ensure events that modify user/group information are collected (Scored)'
    probe = 'sudo grep identity /etc/audit/audit.rules'
    watched = (
        '-w /etc/group -p wa -k identity',
        '-w /etc/passwd -p wa -k identity',
        '-w /etc/gshadow -p wa -k identity',
        '-w /etc/shadow -p wa -k identity',
        '-w /etc/security/opasswd -p wa -k identity',
    )
    # Rules are space-separated on purpose: the helper receives one string.
    expected = ' '.join(watched)
    source.output_isIn_terminal_output(benchmark, probe, expected)
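def check_date_time_modifying_events():
    """CIS 4.1.4: audit rules for date/time changes must be present.

    The expected rule set depends on the architecture reported by
    ``source.check_platform()``: a 64-bit host needs both the b64 and b32
    variants, any other host only the b32 ones. The assembled expectation
    is handed to ``source.output_isIn_terminal_output`` together with the
    benchmark title and the grep probe.
    """
    config = '4.1.4 Ensure events that modify date and time information are collected (Scored)'
    command = 'sudo grep time-change /etc/audit/audit.rules'
    if source.check_platform() == '64bit':
        rules = [
            '-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change',
            '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change',
            '-a always,exit -F arch=b64 -S clock_settime -k time-change',
            '-a always,exit -F arch=b32 -S clock_settime -k time-change',
            '-w /etc/localtime -p wa -k time-change',
        ]
    else:
        rules = [
            '-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change',
            '-a always,exit -F arch=b32 -S clock_settime -k time-change',
            '-w /etc/localtime -p wa -k time-change',
        ]
    # Rules are joined with a single space, exactly as the 64-bit
    # expectation was always written. The 32-bit branch previously glued
    # "time-change" straight onto the following "-a"/"-w" with no
    # separator, so it could not match the way the 64-bit string does.
    output = ' '.join(rules)
    source.output_isIn_terminal_output(config, command, output)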
def check_LDAP_server_is_not_enabled():
    """CIS 2.2.6: the slapd unit must not be enabled.

    Passes the benchmark title, the ``systemctl is-enabled`` probe and the
    expected fragment ``disabled`` to ``source.output_isIn_terminal_output``.
    """
    # NOTE(review): a unit that is absent or masked does not print
    # "disabled"; how the helper treats that case is worth confirming.
    benchmark = '2.2.6 Ensure LDAP server is not enabled (Scored)'
    probe = 'systemctl is-enabled slapd'
    expected = 'disabled'
    source.output_isIn_terminal_output(benchmark, probe, expected)
def check_auditLogs_not_auto_deleted():
    """CIS 4.1.1.3: auditd must keep logs rather than rotate them away.

    Hands the benchmark title, the grep probe on ``auditd.conf`` and the
    expected ``max_log_file_action = keep_logs`` line to
    ``source.output_isIn_terminal_output``.
    """
    args = (
        '4.1.1.3 Ensure audit logs are not automatically deleted (Scored)',
        'sudo grep max_log_file_action /etc/audit/auditd.conf',
        'max_log_file_action = keep_logs',
    )
    source.output_isIn_terminal_output(*args)
def check_mcstrans_notInstalled():
    """CIS 1.6.1.5: the mcstrans package must be absent.

    Passes the benchmark title, the ``rpm -q`` probe and the expected
    "not installed" message to ``source.output_isIn_terminal_output``.
    """
    benchmark = '1.6.1.5 Ensure the MCS Translation Service (mcstrans) is not installed'
    probe = 'rpm -q mcstrans'
    expected = 'package mcstrans is not installed'
    source.output_isIn_terminal_output(benchmark, probe, expected)
def check_tcp_SYN_cookies_is_enabled():
    """CIS 3.2.8: ``net.ipv4.tcp_syncookies`` must read 1.

    Hands the benchmark title, the sysctl probe and the expected
    ``key = value`` line to ``source.output_isIn_terminal_output``.
    """
    # NOTE(review): this reads the running kernel value; a persistent
    # setting in sysctl.conf is not checked here.
    args = (
        '3.2.8 Ensure TCP SYN Cookies is enabled (Scored)',
        'sysctl net.ipv4.tcp_syncookies',
        'net.ipv4.tcp_syncookies = 1',
    )
    source.output_isIn_terminal_output(*args)
def check_broadCast_ICMP_request_ignored():
    """CIS 3.2.5: ``net.ipv4.icmp_echo_ignore_broadcasts`` must read 1.

    Hands the benchmark title, the sysctl probe and the expected
    ``key = value`` line to ``source.output_isIn_terminal_output``.
    """
    benchmark = '3.2.5 Ensure broadcast ICMP requests are ignored (Scored)'
    probe = 'sysctl net.ipv4.icmp_echo_ignore_broadcasts'
    expected = 'net.ipv4.icmp_echo_ignore_broadcasts = 1'
    source.output_isIn_terminal_output(benchmark, probe, expected)
def check_IPv6_is_disabled():
    """CIS 3.3.3 (not scored): modprobe configuration must disable ipv6.

    Hands the benchmark title, a ``modprobe -c | grep ipv6`` probe and the
    expected ``options ipv6 disable=1`` fragment to
    ``source.output_isIn_terminal_output``.
    """
    args = (
        '3.3.3 Ensure IPv6 is disabled (Not Scored)',
        'modprobe -c | grep ipv6',
        'options ipv6 disable=1',
    )
    source.output_isIn_terminal_output(*args)
def check_NIS_server_is_not_enabled():
    """CIS 2.2.16: the ypserv unit must not be enabled.

    Passes the benchmark title, the ``systemctl is-enabled`` probe and the
    expected fragment ``disabled`` to ``source.output_isIn_terminal_output``.
    """
    benchmark = '2.2.16 Ensure NIS Server is not enabled (Scored)'
    probe = 'systemctl is-enabled ypserv'
    expected = 'disabled'
    source.output_isIn_terminal_output(benchmark, probe, expected)
def check_SNMP_server_not_enabled():
    """CIS 2.2.14: the snmpd unit must not be enabled.

    Passes the benchmark title, the ``systemctl is-enabled`` probe and the
    expected fragment ``disabled`` to ``source.output_isIn_terminal_output``.
    """
    args = (
        '2.2.14 Ensure SNMP Server is not enabled (Scored)',
        'systemctl is-enabled snmpd',
        'disabled',
    )
    source.output_isIn_terminal_output(*args)
def check_http_proxy_is_not_enabled():
    """CIS 2.2.13: the squid unit must not be enabled.

    Passes the benchmark title, the ``systemctl is-enabled`` probe and the
    expected fragment ``disabled`` to ``source.output_isIn_terminal_output``.
    """
    # The title keeps its trailing space: it is the string the helper reports.
    benchmark = '2.2.13 Ensure HTTP Proxy Server is not enabled (Scored) '
    probe = 'systemctl is-enabled squid'
    expected = 'disabled'
    source.output_isIn_terminal_output(benchmark, probe, expected)
def check_samba_is_not_enabled():
    """CIS 2.2.12: the smb unit must not be enabled.

    Passes the benchmark title, the ``systemctl is-enabled`` probe and the
    expected fragment ``disabled`` to ``source.output_isIn_terminal_output``.
    """
    args = (
        '2.2.12 Ensure Samba is not enabled (Scored)',
        'systemctl is-enabled smb',
        'disabled',
    )
    source.output_isIn_terminal_output(*args)
def check_IMAP_and_POP3_server_not_enabled():
    """CIS 2.2.11: the dovecot unit must not be enabled.

    Passes the benchmark title, the ``systemctl is-enabled`` probe and the
    expected fragment ``disabled`` to ``source.output_isIn_terminal_output``.
    """
    benchmark = '2.2.11 Ensure IMAP and POP3 server is not enabled (Scored)'
    probe = 'systemctl is-enabled dovecot'
    expected = 'disabled'
    source.output_isIn_terminal_output(benchmark, probe, expected)
def check_http_server_not_enabled():
    """CIS 2.2.10: the httpd unit must not be enabled.

    Passes the benchmark title, the ``systemctl is-enabled`` probe and the
    expected fragment ``disabled`` to ``source.output_isIn_terminal_output``.
    """
    args = (
        '2.2.10 Ensure HTTP server is not enabled (Scored)',
        'systemctl is-enabled httpd',
        'disabled',
    )
    source.output_isIn_terminal_output(*args)
def check_DNS_server_not_enabled():
    """CIS 2.2.8: the named unit must not be enabled.

    Passes the benchmark title, the ``systemctl is-enabled`` probe and the
    expected fragment ``disabled`` to ``source.output_isIn_terminal_output``.
    """
    benchmark = '2.2.8 Ensure DNS Server is not enabled (Scored)'
    probe = 'systemctl is-enabled named'
    expected = 'disabled'
    source.output_isIn_terminal_output(benchmark, probe, expected)
def check_prelink_disabled():
    """CIS 1.5.4: the prelink package must be absent.

    Passes the benchmark title, the ``rpm -q`` probe and the expected
    "not installed" message to ``source.output_isIn_terminal_output``.
    """
    args = (
        '1.5.4 Ensure prelink is disabled (Scored)',
        'rpm -q prelink',
        'package prelink is not installed',
    )
    source.output_isIn_terminal_output(*args)
def check_automounting_disabled():
    """CIS 1.1.22: the autofs unit must not be enabled.

    Passes the benchmark title, the ``systemctl is-enabled`` probe and the
    expected fragment ``disabled`` to ``source.output_isIn_terminal_output``.
    """
    benchmark = '1.1.22 Disable Automounting (Scored)'
    probe = 'systemctl is-enabled autofs'
    expected = 'disabled'
    source.output_isIn_terminal_output(benchmark, probe, expected)
def check_talk_server_is_not_enabled():
    """CIS 2.2.18: the ntalk unit must not be enabled.

    Passes the benchmark title, the ``systemctl is-enabled`` probe and the
    expected fragment ``disabled`` to ``source.output_isIn_terminal_output``.
    """
    args = (
        '2.2.18 Ensure talk server is not enabled (Scored)',
        'systemctl is-enabled ntalk',
        'disabled',
    )
    source.output_isIn_terminal_output(*args)
def check_ip_forwarding_is_disabled():
    """CIS 3.1.1: ``net.ipv4.ip_forward`` must read 0.

    Hands the benchmark title, the sysctl probe and the expected
    ``key = value`` line to ``source.output_isIn_terminal_output``.
    """
    benchmark = '3.1.1 Ensure IP forwarding is disabled (Scored)'
    probe = 'sysctl net.ipv4.ip_forward'
    expected = 'net.ipv4.ip_forward = 0'
    source.output_isIn_terminal_output(benchmark, probe, expected)
def check_tftp_server_not_enabled():
    """CIS 2.2.20: the tftp.socket unit must not be enabled.

    Passes the benchmark title, the ``systemctl is-enabled`` probe and the
    expected fragment ``disabled`` to ``source.output_isIn_terminal_output``.
    """
    args = (
        '2.2.20 Ensure tftp server is not enabled (Scored)',
        'systemctl is-enabled tftp.socket',
        'disabled',
    )
    source.output_isIn_terminal_output(*args)
def check_bogus_icmp_requests_ignored():
    """CIS 3.2.6: ``net.ipv4.icmp_ignore_bogus_error_responses`` must read 1.

    Hands the benchmark title, the sysctl probe and the expected
    ``key = value`` line to ``source.output_isIn_terminal_output``.
    """
    benchmark = '3.2.6 Ensure bogus ICMP responses are ignored (Scored)'
    probe = 'sysctl net.ipv4.icmp_ignore_bogus_error_responses'
    expected = 'net.ipv4.icmp_ignore_bogus_error_responses = 1'
    source.output_isIn_terminal_output(benchmark, probe, expected)
def check_rsync_server_is_not_enabled():
    """CIS 2.2.21: the rsyncd unit must not be enabled.

    Passes the benchmark title, the ``systemctl is-enabled`` probe and the
    expected fragment ``disabled`` to ``source.output_isIn_terminal_output``.
    """
    args = (
        '2.2.21 Ensure rsync service is not enabled (Scored)',
        'systemctl is-enabled rsyncd',
        'disabled',
    )
    source.output_isIn_terminal_output(*args)
def check_etc_hosts_deny_is_configured():
    """CIS 3.4.3: ``/etc/hosts.deny`` must carry a default ``ALL: ALL`` deny.

    Hands the benchmark title, a ``cat`` of the file and the expected
    ``ALL: ALL`` fragment to ``source.output_isIn_terminal_output``.
    """
    # NOTE(review): if the helper matches on substring, a commented-out
    # "# ALL: ALL" line would also satisfy this check — confirm.
    benchmark = '3.4.3 Ensure /etc/hosts.deny is configured (Scored)'
    probe = 'cat /etc/hosts.deny'
    expected = 'ALL: ALL'
    source.output_isIn_terminal_output(benchmark, probe, expected)
def check_Avahi_server_not_enabled():
    """CIS 2.2.3: the avahi-daemon unit must not be enabled.

    Passes the benchmark title, the ``systemctl is-enabled`` probe and the
    expected fragment ``disabled`` to ``source.output_isIn_terminal_output``.
    """
    args = (
        '2.2.3 Ensure Avahi Server is not enabled (Scored)',
        'systemctl is-enabled avahi-daemon',
        'disabled',
    )
    source.output_isIn_terminal_output(*args)
def check_setTroubleShoot_notInstalled():
    """CIS 1.6.1.4: the setroubleshoot package must be absent.

    Passes the benchmark title, the ``rpm -q`` probe and the expected
    "not installed" message to ``source.output_isIn_terminal_output``.
    """
    benchmark = '1.6.1.4 Ensure SETroubleshoot is not installed (Scored)'
    probe = 'rpm -q setroubleshoot'
    expected = 'package setroubleshoot is not installed'
    source.output_isIn_terminal_output(benchmark, probe, expected)
def check_CUPS_is_not_enabled():
    """CIS 2.2.4: the cups unit must not be enabled.

    Passes the benchmark title, the ``systemctl is-enabled`` probe and the
    expected fragment ``disabled`` to ``source.output_isIn_terminal_output``.
    """
    args = (
        '2.2.4 Ensure CUPS is not enabled (Scored)',
        'systemctl is-enabled cups',
        'disabled',
    )
    source.output_isIn_terminal_output(*args)
def check_NX_XD_support_enabled():
    """CIS 1.5.2 (not scored): the kernel must report NX protection active.

    Hands the benchmark title, a ``dmesg | grep NX`` probe and the expected
    ``NX (Execute Disable) protection: active`` line to
    ``source.output_isIn_terminal_output``.
    """
    # NOTE(review): the kernel ring buffer can wrap on long-running hosts,
    # in which case the boot-time NX line is no longer in dmesg — confirm
    # how the helper reports an empty grep.
    benchmark = '1.5.2 Ensure XD/NX support is enabled (Not Scored)'
    probe = 'dmesg | grep NX'
    expected = 'NX (Execute Disable) protection: active'
    source.output_isIn_terminal_output(benchmark, probe, expected)
def check_ASLR():
    """CIS 1.5.3: ``kernel.randomize_va_space`` must read 2 (full ASLR).

    Hands the benchmark title, the sysctl probe and the expected
    ``key = value`` line to ``source.output_isIn_terminal_output``.
    """
    # The title keeps its trailing space: it is the string the helper reports.
    args = (
        '1.5.3 Ensure address space layout randomization (ASLR) is enabled ',
        'sysctl kernel.randomize_va_space',
        'kernel.randomize_va_space = 2',
    )
    source.output_isIn_terminal_output(*args)
def check_xinetd_not_enabled():
    """CIS 2.1.7: the xinetd unit must not be enabled.

    Passes the benchmark title, the ``systemctl is-enabled`` probe and the
    expected fragment ``disabled`` to ``source.output_isIn_terminal_output``.
    """
    benchmark = '2.1.7 Ensure xinetd is not enabled (Scored)'
    probe = 'systemctl is-enabled xinetd'
    expected = 'disabled'
    source.output_isIn_terminal_output(benchmark, probe, expected)
def check_DHCP_server_is_not_enabled():
    """CIS 2.2.5: the dhcpd unit must not be enabled.

    Passes the benchmark title, the ``systemctl is-enabled`` probe and the
    expected fragment ``disabled`` to ``source.output_isIn_terminal_output``.
    """
    args = (
        '2.2.5 Ensure DHCP Server is not enabled (Scored)',
        'systemctl is-enabled dhcpd',
        'disabled',
    )
    source.output_isIn_terminal_output(*args)