Пример #1
Файл: cis6.py Проект: Nemie/syco
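# Placeholder output for the preceding benchmark item (its header is not
# part of this excerpt).
print_info("  TODO: Implement this.")

# 6.3.5: no automated check yet. The placeholder is reported through
# print_info, like the other TODO items, so it is not rendered as a header.
print_header("6.3.5 Use pam_deny.so to Deny Services (Not Scored)")
print_info("  TODO: Implement this.")

# 6.3.6: compares the system-auth line(s) mentioning 'remember' with the
# expected pam_unix.so password line carrying remember=5.
# NOTE(review): the expected line also pins `nullok`, which lets pam_unix
# accept accounts that have an empty password -- confirm this is intended
# for a hardened baseline.
# NOTE(review): check_equal is defined elsewhere; presumably an exact
# comparison, so a whitespace difference in the PAM file would fail -- confirm.
print_header("6.3.6 Limit Password Reuse (Scored)")
check_equal(
    "grep 'remember' /etc/pam.d/system-auth",
    "password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5",
)

# 6.4: /etc/securetty is expected to contain tty1, i.e. root logins are
# limited to the first virtual console.
print_header("6.4 Restrict root Login to System Console (Not Scored)")
check_equal("cat /etc/securetty", "tty1")

# 6.5: /etc/pam.d/su must keep the `trust` variant of pam_wheel commented
# out and require pam_wheel with use_uid, and the wheel group entry must
# list no members.
# NOTE(review): `grep wheel /etc/group` is unanchored and also matches any
# other group whose line contains "wheel".
print_header("6.5 Restrict Access to the su Command (Scored)")
check_equals(
    "grep pam_wheel.so /etc/pam.d/su",
    (
        "#auth\t\tsufficient\tpam_wheel.so trust use_uid",
        "auth\t\trequired\tpam_wheel.so use_uid",
    ),
)
check_equal("grep wheel /etc/group", "wheel:x:10:")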
Пример #2
# hfs: a dry-run modprobe (-n -v) must resolve to `install /bin/true`, and
# the module must not be loaded right now.
# NOTE(review): `grep hfs` is a substring match, so a loaded hfsplus module
# also makes this lsmod check non-empty.
check_equal(
    "/sbin/modprobe -n -v hfs",
    "install /bin/true",
)
check_empty("/sbin/lsmod | grep hfs")

# 1.1.22: same pair of checks for hfsplus.
print_header("1.1.22 Disable Mounting of hfsplus Filesystems (Not Scored)")
check_equal(
    "/sbin/modprobe -n -v hfsplus",
    "install /bin/true",
)
check_empty("/sbin/lsmod | grep hfsplus")

# 1.1.23: same pair of checks for squashfs.
print_header("1.1.23 Disable Mounting of squashfs Filesystems (Not Scored)")
check_equal(
    "/sbin/modprobe -n -v squashfs",
    "install /bin/true",
)
check_empty("/sbin/lsmod | grep squashfs")

# 1.1.24: udf goes through check_equals with a tuple of expected values.
# NOTE(review): the meaning of the leading None is defined by check_equals
# (not shown here) -- presumably it accepts empty output; confirm.
print_header("1.1.24 Disable Mounting of udf Filesystems (Not Scored)")
check_equals(
    "/sbin/modprobe -n -v udf",
    (None, "install /bin/true"),
)
check_empty("/sbin/lsmod | grep udf")

# 1.2: section heading only.
print_header("1.2 Configure Software Updates")

# 1.2.1: repository connectivity is probed through yum.
# NOTE(review): `yum check-update` exits 100 when updates are available and
# 1 on error, so requiring 0 only passes on a host with nothing to update.
print_header("1.2.1 Configure Connection to the RHN RPM Repositories (Not Scored)")
check_return_code("yum check-update", 0)
print_info(
    "We are using centos and not red hat. Check manually if we are "
    "connected to sunet."
)

# 1.2.2: header only at this point; the check call follows it.
print_header("1.2.2 Verify Red Hat GPG Key is Installed (Scored)")
check_equal(
Пример #3
#
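# 6.3.3: no automated check; only an informational message is printed
# because pam_cracklib is used instead of pam_passwdqc.
# NOTE(review): the item is marked Scored but nothing is verified here.
print_header(
    "6.3.3 Set Strong Password Creation Policy Using pam_passwdqc (Scored)")
print_info("We are using pam_cracklib")

# 6.3.4: no automated check yet.
print_header("6.3.4 Set Lockout for Failed Password Attempts (Not Scored)")
print_info("  TODO: Implement this.")

# 6.3.5: no automated check yet. The placeholder is reported through
# print_info, as for 6.3.4, so it is not rendered as a header.
print_header("6.3.5 Use pam_deny.so to Deny Services (Not Scored)")
print_info("  TODO: Implement this.")

# 6.3.6: compares the system-auth line(s) mentioning 'remember' with the
# expected pam_unix.so password line carrying remember=5.
# NOTE(review): the expected line also pins `nullok`, which lets pam_unix
# accept accounts that have an empty password -- confirm this is intended
# for a hardened baseline.
print_header("6.3.6 Limit Password Reuse (Scored)")
check_equal(
    "grep 'remember' /etc/pam.d/system-auth",
    "password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5",
)

# 6.4: /etc/securetty is expected to contain tty1, i.e. root logins are
# limited to the first virtual console.
print_header("6.4 Restrict root Login to System Console (Not Scored)")
check_equal("cat /etc/securetty", "tty1")

# 6.5: /etc/pam.d/su must keep the `trust` variant of pam_wheel commented
# out and require pam_wheel with use_uid, and the wheel group entry must
# list no members.
print_header("6.5 Restrict Access to the su Command (Scored)")
check_equals(
    "grep pam_wheel.so /etc/pam.d/su",
    (
        "#auth\t\tsufficient\tpam_wheel.so trust use_uid",
        "auth\t\trequired\tpam_wheel.so use_uid",
    ),
)
check_equal("grep wheel /etc/group", "wheel:x:10:")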
Пример #4
# 5.2.2: the audit package must be installed and auditd switched on in
# runlevels 2-5 (off in 0, 1 and 6).
# NOTE(review): `rpm -q` prints "package audit is not installed" for a
# missing package; whether "audit.*" rejects that text depends on how
# check_equal_re anchors the pattern -- confirm.
print_header("5.2.2 Enable auditd Service (Scored)")
check_equal_re(
    "rpm -q audit",
    "audit.*",
)
check_equal_re(
    "chkconfig --list auditd",
    "auditd.*0:off.*1:off.*2:on.*3:on.*4:on.*5:on.*6:off",
)

# 5.2.3: uncommented kernel lines in grub.conf are filtered for audit=1 so
# that processes started before auditd are audited as well.
# NOTE(review): the second grep prints the whole kernel line; whether that
# satisfies the expected 'audit=1' depends on check_equal -- confirm.
print_header("5.2.3 Enable Auditing for Processes That Start Prior to auditd (Scored)")
check_equal(
    'grep "^[^#]*kernel" /etc/grub.conf|grep "audit=1"',
    "audit=1",
)

# 5.2.4: expected audit rules tagged time-change (clock syscalls for both
# architectures plus a watch on /etc/localtime).
# NOTE(review): this reads the on-disk rules file; the rule set actually
# loaded in the kernel (`auditctl -l`) is not inspected.
print_header("5.2.4 Record Events That Modify Date and Time Information (Scored)")
check_equals(
    "grep time-change /etc/audit/audit.rules",
    (
        "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change",
        "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change",
        "-a always,exit -F arch=b64 -S clock_settime -k time-change",
        "-a always,exit -F arch=b32 -S clock_settime -k time-change",
        "-w /etc/localtime -p wa -k time-change",
    ),
)

# 5.2.5: expected write/attribute watches on the account databases, all
# tagged identity.
print_header("5.2.5 Record Events That Modify User/Group Information (Scored)")
check_equals(
    "grep identity /etc/audit/audit.rules",
    (
        "-w /etc/group -p wa -k identity",
        "-w /etc/passwd -p wa -k identity",
        "-w /etc/gshadow -p wa -k identity",
        "-w /etc/shadow -p wa -k identity",
        "-w /etc/security/opasswd -p wa -k identity",
    ),
)

# 5.2.6: header only at this point; the checks follow it.
print_header("5.2.6 Record Events That Modify the System's Network Environment (Scored)")
Пример #5
Файл: cis5.py Проект: Nemie/syco
)

#
# 5.2.3: uncommented kernel lines in grub.conf are filtered for audit=1 so
# that processes started before auditd are audited as well.
print_header(
    "5.2.3 Enable Auditing for Processes That Start Prior to auditd (Scored)")
check_equal('grep "^[^#]*kernel" /etc/grub.conf|grep "audit=1"', "audit=1")

# 5.2.4: expected audit rules tagged time-change (clock syscalls for both
# architectures plus a watch on /etc/localtime).
# NOTE(review): this reads the on-disk rules file; the rule set actually
# loaded in the kernel (`auditctl -l`) is not inspected.
print_header(
    "5.2.4 Record Events That Modify Date and Time Information (Scored)")
check_equals("grep time-change /etc/audit/audit.rules", (
    "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change",
    "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change",
    "-a always,exit -F arch=b64 -S clock_settime -k time-change",
    "-a always,exit -F arch=b32 -S clock_settime -k time-change",
    "-w /etc/localtime -p wa -k time-change"))

# 5.2.5: header only at this point; the check call follows it.
print_header("5.2.5 Record Events That Modify User/Group Information (Scored)")
check_equals(
    'grep identity /etc/audit/audit.rules',
    (
        "-w /etc/group -p wa -k identity",
        "-w /etc/passwd -p wa -k identity",
        "-w /etc/gshadow -p wa -k identity",
        "-w /etc/shadow -p wa -k identity",
        "-w /etc/security/opasswd -p wa -k identity"
Пример #6
Файл: cis4.py Проект: Nemie/syco
#
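# 4.4.1.2: with IPv6 disabled the sysctl keys do not exist, so the expected
# result is sysctl's "unknown key" error for both keys.
# NOTE(review): this ties the check to the exact wording of the sysctl
# error message and to check_equal capturing it -- confirm on the target
# release.
print_header("4.4.1.2 Disable IPv6 Redirect Acceptance (Not Scored)")
check_equal(
    "/sbin/sysctl net.ipv6.conf.all.accept_redirects",
    'error: "net.ipv6.conf.all.accept_redirects" is an unknown key',
)
check_equal(
    "/sbin/sysctl net.ipv6.conf.default.accept_redirects",
    'error: "net.ipv6.conf.default.accept_redirects" is an unknown key',
)

# 4.4.2: the ipv6 module must be disabled through modprobe.d and IPv6 must
# be switched off in /etc/sysconfig/network.
print_header("4.4.2 Disable IPv6 (Not Scored)")
# The expected value is a one-element tuple: without the trailing comma the
# parentheses yield a plain str instead of a tuple.
# NOTE(review): assumes check_equals (defined elsewhere) takes a sequence of
# expected lines -- confirm against its definition.
# NOTE(review): grep prefixes each hit with the file name when the glob
# expands to more than one file, which would not equal the expected line.
check_equals(
    "grep ipv6 /etc/modprobe.d/*",
    ("options ipv6 disable=1",),
)
check_equal("grep net-pf-10 /etc/modprobe.d/*", "alias net-pf-10 off")
check_equal(
    "grep NETWORKING_IPV6 /etc/sysconfig/network",
    "NETWORKING_IPV6=no",
)

check_equal(
    "grep IPV6INIT /etc/sysconfig/network",
    "IPV6INIT=no",
)

# 4.5: section heading only.
print_header("4.5 Install TCP Wrappers")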
Пример #7
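# Router-advertisement keys: with IPv6 disabled the sysctl keys do not
# exist, so the expected result is sysctl's "unknown key" error.
# NOTE(review): this ties the checks to the exact wording of the sysctl
# error message and to check_equal capturing it -- confirm on the target
# release.
check_equal(
    "/sbin/sysctl net.ipv6.conf.all.accept_ra",
    'error: "net.ipv6.conf.all.accept_ra" is an unknown key',
)
check_equal(
    "/sbin/sysctl net.ipv6.conf.default.accept_ra",
    'error: "net.ipv6.conf.default.accept_ra" is an unknown key',
)

# 4.4.1.2: same expectation for the redirect-acceptance keys.
print_header("4.4.1.2 Disable IPv6 Redirect Acceptance (Not Scored)")
check_equal(
    "/sbin/sysctl net.ipv6.conf.all.accept_redirects",
    'error: "net.ipv6.conf.all.accept_redirects" is an unknown key',
)
check_equal(
    "/sbin/sysctl net.ipv6.conf.default.accept_redirects",
    'error: "net.ipv6.conf.default.accept_redirects" is an unknown key',
)

# 4.4.2: the ipv6 module must be disabled through modprobe.d and IPv6 must
# be switched off in /etc/sysconfig/network.
print_header("4.4.2 Disable IPv6 (Not Scored)")
# The expected value is a one-element tuple: without the trailing comma the
# parentheses yield a plain str instead of a tuple.
# NOTE(review): assumes check_equals (defined elsewhere) takes a sequence of
# expected lines -- confirm against its definition.
check_equals("grep ipv6 /etc/modprobe.d/*", ("options ipv6 disable=1",))
check_equal("grep net-pf-10 /etc/modprobe.d/*", "alias net-pf-10 off")
check_equal(
    "grep NETWORKING_IPV6 /etc/sysconfig/network",
    "NETWORKING_IPV6=no",
)

check_equal("grep IPV6INIT /etc/sysconfig/network", "IPV6INIT=no")

# 4.5: section heading only.
print_header("4.5 Install TCP Wrappers")

# 4.5.1: the tcp_wrappers package must be installed.
print_header("4.5.1 Install TCP Wrappers (Not Scored)")
check_equal_re("rpm -q tcp_wrappers", "tcp_wrappers-.*")

# 4.5.2: header only at this point; the checks follow it.
print_header("4.5.2 Create /etc/hosts.allow (Not Scored)")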
Пример #8
Файл: cis1.py Проект: Nemie/syco
# hfs: a dry-run modprobe (-n -v) must resolve to `install /bin/true`, and
# the module must not be loaded right now.
# NOTE(review): `grep hfs` is a substring match, so a loaded hfsplus module
# also makes this lsmod check non-empty.
check_equal(
    "/sbin/modprobe -n -v hfs",
    "install /bin/true",
)
check_empty("/sbin/lsmod | grep hfs")

# 1.1.22: same pair of checks for hfsplus.
print_header(
    "1.1.22 Disable Mounting of hfsplus Filesystems (Not Scored)"
)
check_equal(
    "/sbin/modprobe -n -v hfsplus",
    "install /bin/true",
)
check_empty("/sbin/lsmod | grep hfsplus")

# 1.1.23: same pair of checks for squashfs.
print_header(
    "1.1.23 Disable Mounting of squashfs Filesystems (Not Scored)"
)
check_equal(
    "/sbin/modprobe -n -v squashfs",
    "install /bin/true",
)
check_empty("/sbin/lsmod | grep squashfs")

# 1.1.24: udf goes through check_equals with a tuple of expected values.
# NOTE(review): the meaning of the leading None is defined by check_equals
# (not shown here) -- presumably it accepts empty output; confirm.
print_header(
    "1.1.24 Disable Mounting of udf Filesystems (Not Scored)"
)
check_equals(
    "/sbin/modprobe -n -v udf",
    (None, "install /bin/true"),
)
check_empty("/sbin/lsmod | grep udf")

# 1.2: section heading only.
print_header("1.2 Configure Software Updates")

# 1.2.1: repository connectivity is probed through yum.
# NOTE(review): `yum check-update` exits 100 when updates are available and
# 1 on error, so requiring 0 only passes on a host with nothing to update.
print_header(
    "1.2.1 Configure Connection to the RHN RPM Repositories (Not Scored)"
)
check_return_code("yum check-update", 0)
print_info(
    "We are using centos and not red hat. Check manually if we are "
    "connected to sunet."
)

# 1.2.2: header only at this point; the check call follows it.
print_header("1.2.2 Verify Red Hat GPG Key is Installed (Scored)")
check_equal(
    'rpm -q --queryformat "%{SUMMARY}\\n" gpg-pubkey',
    "gpg(CentOS-6 Key (CentOS 6 Official Signing Key) <*****@*****.**>)",