示例#1
0
    def __init__(self, config, environ, logger, statechglogger):
        """
        Constructor
        """
        Rule.__init__(self, config, environ, logger, statechglogger)
        self.logger = logger
        self.rulenumber = 9
        self.rulename = 'SystemAccounting'
        self.formatDetailedResults("initialize")
        self.mandatory = False
        self.rootrequired = True
        self.sethelptext()
        self.guidance = ['CIS 2.4', 'cce-3992-5']
        self.applicable = {
            'type': 'white',
            'family': 'linux',
            'os': {
                'Mac OS X': ['10.15', 'r', '10.15.10']
            }
        }

        # set up configuration item for this rule
        datatype = 'bool'
        key = 'SYSTEMACCOUNTING'
        instructions = "This is an optional rule and is disabled by default, due to the significant load it can place on the system when enabled. To enable system accounting, set the value of SYSTEMACCOUNTING to True."
        default = False
        self.ci = self.initCi(datatype, key, instructions, default)

        self.ostype = self.environ.getostype()
        self.ph = Pkghelper(self.logger, self.environ)
        self.ch = CommandHelper(self.logger)
        self._set_paths()
示例#2
0
    def __init__(self, config, environ, logdispatcher, statechglogger):
        """

        :param config:
        :param environ:
        :param logdispatcher:
        :param statechglogger:
        """

        Rule.__init__(self, config, environ, logdispatcher, statechglogger)
        self.logger = logdispatcher
        self.rulenumber = 111
        self.mandatory = True
        self.applicable = {'type': 'white',
                           'family': ['linux', 'solaris', 'freebsd']}
        self.formatDetailedResults("initialize")
        self.guidance = ["NSA 2.2.2.6"]
        self.rulename = "DisableThumbnailers"
        self.rulesuccess = True
        self.sethelptext()

        datatype = 'bool'
        key = 'DISABLETHUMBNAILERS'
        instructions = "To disable this rule set the value of DISABLETHUMBNAILERS to False."
        default = True
        self.ci = self.initCi(datatype, key, instructions, default)
示例#3
0
    def __init__(self, config, environ, logdispatch, statechglogger):
        '''Constructor'''
        Rule.__init__(self, config, environ, logdispatch, statechglogger)

        self.logger = logdispatch
        self.rulenumber = 364
        self.rulename = "STIGConfigureApplicationRestrictionsPolicy"
        self.formatDetailedResults("initialize")
        self.sethelptext()
        self.rootrequired = True
        self.applicable = {
            'type': 'white',
            'os': {
                'Mac OS X': ['10.15', 'r', '10.15.10']
            },
            'fisma': 'high'
        }
        datatype = "bool"
        key = "APPRESTRICTIONS"
        instructions = "To disable the installation of the application " + \
            "restrictions profile set the value of APPRESTRICTIONS to False"
        default = True
        self.ci = self.initCi(datatype, key, instructions, default)
        self.iditerator = 0
        self.identifier = "mil.disa.STIG.Application_Restrictions.alacarte"
        self.profile = "/Applications/stonix4mac.app/Contents/" + \
                     "Resources/stonix.app/Contents/MacOS/" + \
                     "stonix_resources/files/" + \
                     "U_Apple_OS_X_10-11_V1R1_STIG_Application_Restrictions_Policy.mobileconfig"
        '''These directories for testing purposes only'''
示例#4
0
    def __init__(self, config, enviro, logger, statechglogger):
        Rule.__init__(self, config, enviro, logger, statechglogger)
        self.logger = logger
        self.rulenumber = 244
        self.rulename = "RemoveSUIDGames"
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.sethelptext()
        self.applicable = {'type': 'white', 'family': 'linux'}

        # Configuration item instantiation
        datatype = "bool"
        key = "REMOVESUIDGAMES"
        instructions = "To disable this rule, set the value of " + \
                       "REMOVESUIDGAMES to false."
        default = True
        self.ci = self.initCi(datatype, key, instructions, default)

        self.guidance = ["LANL 15.7"]
        self.iditerator = 0
        self.ph = Pkghelper(self.logger, self.environ)

        self.gamelist = [
            'atlantik', 'bomber', 'bovo', 'gnuchess', 'kapman', 'kasteroids',
            'katomic', 'kbackgammon', 'kbattleship', 'kblackbox', 'kblocks',
            'kbounce', 'kbreakout', 'kdiamond', 'kenolaba', 'kfouleggs',
            'kfourinline', 'kgoldrunner', 'killbots', 'kiriki', 'kjumpingcube',
            'klickety', 'klines', 'kmahjongg', 'kmines', 'knetwalk', 'kolf',
            'kollision', 'konquest', 'kpat', 'kpoker', 'kreversi', 'ksame',
            'kshisen', 'ksirk', 'ksirkskineditor', 'ksirtet', 'ksmiletris',
            'ksnake', 'kspaceduel', 'ksquares', 'ksudoku', 'ktron',
            'ktuberling', 'kubrick', 'kwin4', 'kwin4proc', 'lskat',
            'lskatproc', 'gnome-games', 'kdegames', 'gnome-taquin'
        ]
示例#5
0
    def __init__(self, config, environ, logger, statechglogger):
        '''
        Constructor
        '''

        Rule.__init__(self, config, environ, logger, statechglogger)
        self.logger = logger
        self.rulenumber = 85
        self.rulename = 'NoDirectRootLogin'
        self.formatDetailedResults("initialize")
        self.compliant = False
        self.mandatory = True
        self.sethelptext()
        self.rootrequired = True
        self.guidance = ["CCE-RHEL7-CCE-TBD 2.4.1.1.7"]
        self.applicable = {'type': 'white',
                           'family': ['linux', 'solaris', 'freebsd']}

        # Configuration item instantiation
        datatype = "bool"
        key = "NODIRECTROOTLOGIN"
        instructions = "To disable this rule, set the value of " + \
                       "NODIRECTROOTLOGIN to false."
        default = True
        self.ci = self.initCi(datatype, key, instructions, default)
        
        self.ch = CommandHelper(self.logger)
        self.securettypath = "/etc/securetty"
        self.iditerator = 0
        self.isblank = False
示例#6
0
    def __init__(self, config, environ, logger, statechglogger):
        '''
        Constructor
        '''
        Rule.__init__(self, config, environ, logger, statechglogger)
        self.logger = logger
        self.rulenumber = 4
        self.rulename = 'DisableInactiveAccounts'
        self.compliant = True
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.rootrequired = True
        self.sethelptext()
        self.guidance = ['CNSSI 1253', 'DISA STIG']

        datatype = 'bool'
        key = 'DISABLEINACTIVEACCOUNTS'
        instructions = 'To disable this rule, set the value of ' + \
            'DisableInactiveAccounts to False.'
        default = True
        self.ci = self.initCi(datatype, key, instructions, default)

        self.applicable = {
            'type': 'white',
            'os': {
                'Mac OS X': ['10.15', 'r', '10.15.10']
            },
            'fisma': 'high'
        }

        self.initobjs()
示例#7
0
    def __init__(self, config, enviro, logger, statechglogger):
        Rule.__init__(self, config, enviro, logger, statechglogger)
        self.logger = logger
        self.rulenumber = 124
        self.rulename = "SecureIPV6"
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.sethelptext()
        datatype = "bool"
        key = "SECUREIPV6"
        instructions = '''To disable this rule set the value of SECUREIPV6 to \
False.'''
        default = True
        self.ci = self.initCi(datatype, key, instructions, default)
        self.guidance = ["NSA 2.5.3.2", "CCE 4269-7", "CCE 4291-1",
                         "CCE 4313-3", "CCE 4198-8", "CCE 3842-2",
                         "CCE 4221-8", "CCE 4137-6", "CCE 4159-0",
                         "CCE 3895-0", "CCE 4287-9", "CCE 4058-4",
                         "CCE 4128-5"]
        self.applicable = {'type': 'white',
                           'family': ['linux'],
                           'os': {'Mac OS X': ['10.15', 'r', '10.15.10']}}
        self.iditerator = 0
        # self.editor1: sysctl file editor
        # self.editor2: network file editor
        self.editor1, self.editor2 = "", ""
        self.ch = CommandHelper(self.logger)
示例#8
0
    def __init__(self, config, environ, logger, statechglogger):
        Rule.__init__(self, config, environ, logger, statechglogger)
        self.logger = logger
        self.rulenumber = 123
        self.rulename = "DisableIPV6"
        self.formatDetailedResults("initialize")
        self.guidance = ["NSA 2.5.3.1"]
        self.applicable = {
            'type': 'white',
            'family': ['linux', 'solaris', 'freebsd'],
            'os': {
                'Mac OS X': ['10.15', 'r', '10.15.10']
            }
        }

        # configuration item instantiation
        datatype = 'bool'
        key = 'DISABLEIPV6'
        instructions = "To disable this rule set the value of DISABLEIPV6 " + \
            "to False."
        default = False
        self.ci = self.initCi(datatype, key, instructions, default)

        self.iditerator = 0
        self.created = False
        self.created2 = False
        # self.editor1: sysctl file editor
        # self.editor2: network file editor
        # self.editor3: sshd file editor
        self.editor1, self.editor2, self.editor3 = "", "", ""
        self.sh = ServiceHelper(self.environ, self.logger)
        self.sethelptext()
    def __init__(self, config, enviro, logger, statechglogger):
        Rule.__init__(self, config, enviro, logger, statechglogger)
        self.logger = logger
        self.rulenumber = 132
        self.rulename = "DisableUncommonProtocols"
        self.formatDetailedResults("initialize")
        self.mandatory = False
        self.applicable = {'type': 'white', "family": ["linux"]}

        # Configuration item instantiation
        datatype = "bool"
        key = "DISABLEUNCOMMONPROTOCOLS"
        instructions = "To disable this rule, set the value of " + \
                       "DISABLEUNCOMMONPROTOCOLS to false."
        default = True
        self.ci = self.initCi(datatype, key, instructions, default)

        datatype = "list"
        key = "PROTOCOLS"
        instructions = "List all network protocols to disable"
        default = ["dccp", "sctp", "rds", "tipc"]
        self.ci2 = self.initCi(datatype, key, instructions, default)

        self.guidance = [
            "NSA 2.5.7", "CIS 4.6", "CCE-26448-1", "CCE-26410-1",
            "CCE-26239-4", "CCE-26696-5", "CCE-26828-4", "CCE-27106-4"
        ]
        self.iditerator = 0
        self.ch = CommandHelper(self.logger)
        self.sethelptext()
示例#10
0
    def __init__(self, config, environ, logger, statechglogger):
        '''
        Constructor
        '''
        Rule.__init__(self, config, environ, logger, statechglogger)
        self.logger = logger
        self.rulenumber = 36
        self.rulename = 'XinetdAccessControl'
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.sethelptext()
        self.rootrequired = True
        self.compliant = False
        self.guidance = ['']
        self.iditerator = 0
        self.applicable = {
            'type': 'white',
            'family': ['linux', 'solaris', 'freebsd'],
            'os': {
                'Mac OS X': ['10.15', 'r', '10.15.10']
            }
        }
        # init CIs
        datatype = 'bool'
        key = 'XINETDACCESSCONTROL'
        instructions = "To disable the configuring of the xinetd access " + \
            "control mechanism, set the value of XinetdAccessControl to False."
        default = True
        self.ci = self.initCi(datatype, key, instructions, default)

        self.constlist = [XINETDALLOW]

        # set up class var's
        if self.checkConsts(self.constlist):
            self.setvars()
示例#11
0
    def __init__(self, config, environ, logger, statechglogger):
        '''
        Constructor
        '''

        Rule.__init__(self, config, environ, logger, statechglogger)
        self.config = config
        self.environ = environ
        self.logger = logger
        self.statechglogger = statechglogger
        self.rulenumber = 46
        self.rulename = 'ConfigureDotFiles'
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.sethelptext()
        self.rootrequired = False
        self.compliant = False
        datatype = 'bool'
        key = 'CONFIGUREDOTFILES'
        instructions = '''To prevent dot files in user home directories from \
being made non-world-writable, set the value of ConfigureDotFiles to False.'''
        default = True
        self.ConfigureDotFiles = self.initCi(datatype, key, instructions,
                                             default)
        self.guidance = ['CIS', 'NSA 2.3.4.3', 'CCE-4561-7']
        self.applicable = {
            'type': 'white',
            'family': ['linux', 'solaris', 'freebsd'],
            'os': {
                'Mac OS X': ['10.15', 'r', '10.15.10']
            }
        }
示例#12
0
    def __init__(self, config, environ, logger, statechglogger):
        '''
        Constructor
        '''
        Rule.__init__(self, config, environ, logger, statechglogger)
        self.logger = logger
        self.rulenumber = 102
        self.rulename = 'DisableTouchID'
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.rootrequired = True
        self.environ = environ
        self.sethelptext()
        self.applicable = {
            'type': 'white',
            'os': {
                'Mac OS X': ['10.15', 'r', '10.15.10']
            }
        }
        datatype = 'bool'
        key = 'DISABLETOUCHID'
        instructions = "To prevent this rule from running, set the value of DisableTouchID to False."
        default = True
        self.ci = self.initCi(datatype, key, instructions, default)
        self.guidance = ['(None)']

        self.initobjs()
示例#13
0
    def __init__(self, config, environ, logger, statechglogger):
        Rule.__init__(self, config, environ, logger, statechglogger)
        self.logger = logger
        self.rulenumber = 31
        self.rulename = "PreventXListen"
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.sethelptext()
        self.guidance = ["NSA 3.6.1.3.2"]
        self.applicable = {
            'type': 'white',
            'family': ['linux', 'solaris', 'freebsd'],
            'os': {
                'Mac OS X': ['10.15', 'r', '10.15.10']
            }
        }

        datatype = 'bool'
        key = 'PREVENTXLISTEN'
        instructions = "To disable this rule set the value of " + \
        "PREVENTXLISTEN to False."
        default = True
        self.ci = self.initCi(datatype, key, instructions, default)

        self.properties = {}
        self.iditerator = 0
示例#14
0
    def __init__(self, config, environ, logger, statechglogger):
        """

        @param config: 
        @param environ: 
        @param logger: 
        @param statechglogger: 
        """

        Rule.__init__(self, config, environ, logger, statechglogger)
        self.logger = logger
        self.rulenumber = 49
        self.rulename = "NoCoreDumps"
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.guidance = ["NSA 2.2.4.2"]
        self.applicable = {
            'type': 'white',
            'family': ['linux'],
            'os': {
                'Mac OS X': ['10.15', 'r', '10.15.10']
            }
        }

        datatype = 'bool'
        key = 'NOCOREDUMPS'
        instructions = "To prevent the disabling of core dumps on your system, set the value of NOCOREDUMPS to False."
        default = True
        self.ci = self.initCi(datatype, key, instructions, default)
        self.sethelptext()
示例#15
0
    def __init__(self, config, environ, logger, statechglogger):
        """

        :param config:
        :param environ:
        :param logger:
        :param statechglogger:
        """
        Rule.__init__(self, config, environ, logger, statechglogger)
        self.logger = logger
        self.rulenumber = 56
        self.rulename = "ConfigureSudo"
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.sethelptext()
        self.guidance = ["NSA 2.3.1.3"]
        self.applicable = {
            'type': 'white',
            'family': 'linux',
            'os': {
                'Mac OS X': ['10.15', 'r', '10.15.10']
            }
        }

        datatype2 = 'bool'
        key2 = 'CONFIGURESUDO'
        instructions2 = """To disable this rule set the value of CONFIGURESUDO to False."""
        default2 = True
        self.primary_ci = self.initCi(datatype2, key2, instructions2, default2)

        self.localization()
示例#16
0
    def __init__(self, config, environ, logdispatcher, statechglogger):
        '''
        This rule should normally be a rulekveditor rule, but there has
        recently been an issue discovered with subprocess for this
        particular rule where a paramaterized list for the command doesn't
        behave as would expected which KVADefault class uses when performing
        the defaults read command.  Can change back if this issue is resolved
        with Mac/Python.
        '''
        Rule.__init__(self, config, environ, logdispatcher, statechglogger)
        self.rulenumber = 17
        self.rulename = 'ConfigureSpotlight'
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.sethelptext()
        self.rootrequired = False
        self.guidance = []
        self.applicable = {'type': 'white',
                           'os': {'Mac OS X': ['10.12', 'r', '10.14.10']}}

        datatype1 = "bool"
        key1 = "CONFIGURESPOTLIGHT"
        instructions1 = "To disable this configuration set the value of " + \
            "CONFIGURESPOTLIGHT to False."
        default1 = True
        self.ci1 = self.initCi(datatype1, key1, instructions1, default1)

        datatype2 = "bool"
        key2 = "SAFARISEARCH"
        instructions2 = "To disable this configuration set the value of " + \
            "SAFARISEARCH to False."
        default2 = True
        self.ci2 = self.initCi(datatype2, key2, instructions2, default2)
示例#17
0
    def __init__(self, config, environ, logger, statechglogger):
        '''
        :param config:
        :param environ:
        :param logger:
        :param statechglogger:
        '''

        Rule.__init__(self, config, environ, logger, statechglogger)
        self.rulenumber = 150
        self.rulename = "DisableCamera"
        self.formatDetailedResults("initialize")
        self.mandatory = False
        self.rulesuccess = True
        self.sethelptext()
        self.rootrequired = True
        self.guidance = ["CIS 1.2.6"]
        self.applicable = {'type': 'white',
                           'os': {'Mac OS X': ['10.15', 'r', '10.15.10']}}
        self.logger = logger
        self.iditerator = 0
        datatype = 'bool'
        key = 'DISABLECAMERA'
        instructions = "To disable the built-in iSight camera, set the value of DISABLECAMERA to True."
        default = False
        self.ci = self.initCi(datatype, key, instructions, default)
        self.setvars()
    def __init__(self, config, environ, logger, statechglogger):
        """Constructor"""
        Rule.__init__(self, config, environ, logger, statechglogger)
        self.config = config
        self.environ = environ
        self.logger = logger
        self.statechglogger = statechglogger
        self.rulenumber = 230
        self.rulename = 'InstalledSoftwareVerification'
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.rootrequired = True
        self.guidance = [
            'NSA 2.1.3.2', 'CCE 14931-0', 'CCE-RHEL7-CCE-TBD 2.1.3.2.1'
        ]
        self.applicable = {
            'type': 'white',
            'os': {
                'Red Hat Enterprise Linux': ['6.0', '+'],
                'CentOS Linux': ['7.0', '+']
            }
        }

        datatype = 'bool'
        key = 'FIXPERMISSIONS'
        instructions = 'If set to True, this rule will fix the permissions \
of the package for any file which has a permission deviation from the vendor \
default.'

        default = True
        self.fixPermsCi = self.initCi(datatype, key, instructions, default)
        self.sethelptext()
示例#19
0
    def __init__(self, config, environ, logdispatch, statechglogger):
        '''
        Constructor
        '''

        Rule.__init__(self, config, environ, logdispatch, statechglogger)

        self.logger = logdispatch
        self.rulenumber = 151
        self.rulename = 'ReduceSudoTimeout'
        self.formatDetailedResults("initialize")
        self.sethelptext()
        self.guidance = ['N/A']
        self.applicable = {'type': 'white',
                           'family': ['linux', 'solaris', 'freebsd'],
                           'os': {'Mac OS X': ['10.15', 'r', '10.15.10']}}
        datatype = "bool"
        key = "REDUCESUDOTIMEOUT"
        instructions = "If set to true, the REDUCESUDOTIMEOUT " + \
            "variable will set the sudo timeout to 0, requiring a password " + \
            "for each sudo call."
        if self.environ.getostype() == 'Mac OS X':
            self.mandatory = True
            default = True
        else:
            default = False
        self.ci = self.initCi(datatype, key, instructions, default)
        self.iditerator = 0

        todatatype = "string"
        tokey = "TIMEOUTMINUTES"
        toinstructions = "Enter the value (in minutes) you want each sudo authentication to last. Acceptable values are from 0 to 15."
        todefault = ""
        self.timeoutCI = self.initCi(todatatype, tokey, toinstructions, todefault)
示例#20
0
    def __init__(self, config, enviro, logger, statechglogger):
        Rule.__init__(self, config, enviro, logger, statechglogger)
        self.logger = logger
        self.rulenumber = 89
        self.rulename = "DisablePrelinking"
        self.sethelptext()
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.applicable = {'type': 'white', 'family': ['linux']}

        # Configuration item instantiation
        datatype = "bool"
        key = "DISABLEPRELINKING"
        instructions = "To disable this rule, set the value of " + \
                       "DISABLEPRELINKING to false."
        default = True
        self.ci = self.initCi(datatype, key, instructions, default)

        self.guidance = ["CCE-RHEL7-CCE-TBA 2.1.3.1.2"]
        self.iditerator = 0

        self.ch = CommandHelper(self.logger)
        if re.search("debian|ubuntu", self.environ.getostype().lower()):
            self.isDebian = True
        else:
            self.isDebian = False
示例#21
0
    def __init__(self, config, environ, logger, statechglogger):
        Rule.__init__(self, config, environ, logger, statechglogger)
        self.logger = logger
        self.rulenumber = 30
        self.rulename = "DisableWeakAuthentication"
        self.mandatory = True
        self.formatDetailedResults("initialize")
        self.guidance = ["NSA 3.2.3.1"]
        self.applicable = {
            'type': 'white',
            'family': ['linux', 'solaris', 'freebsd']
        }

        # Configuration item instantiation
        datatype = 'bool'
        key = 'DISABLEWEAKAUTHENTICATION'
        instructions = "To prevent the disabling of services using weak " + \
                       "authentication set DISABLEWEAKAUTHENTICATION to False."
        default = True
        self.ci = self.initCi(datatype, key, instructions, default)

        self.rsh = ["rshell", "rsh-client", "rsh-server", "rsh", "SUNWrcmdc"]
        self.pams = [
            "/etc/pam.conf", "/etc/pam_ldap.conf", "/etc/pam.conf-winbind"
        ]
        self.incorrects = []
        self.iditerator = 0
        self.sethelptext()
    def __init__(self, config, environ, logger, statechglogger):
        '''

        :param config:
        :param environ:
        :param logger:
        :param statechglogger:

        '''

        Rule.__init__(self, config, environ, logger, statechglogger)
        self.logger = logger
        self.environ = environ
        self.rulenumber = 311
        self.rulename = "DisableUbuntuDataCollection"
        self.mandatory = True
        self.rootrequired = True
        self.formatDetailedResults("initialize")
        self.guidance = []
        self.applicable = {'type': 'white', 'os': {'Ubuntu': ['16.04', '+']}}
        self.sethelptext()

        datatype = "bool"
        key = "DISABLEUBUNTUDATACOLLECTION"
        instructions = """To prevent the diabling of data collection from this system, set the value of DISABLEUBUNTUDATACOLLECTION to False."""
        default = True
        self.enabledCI = self.initCi(datatype, key, instructions, default)
示例#23
0
    def __init__(self, config, environ, logger, statechglogger):
        '''
        Constructor
        '''
        Rule.__init__(self, config, environ, logger, statechglogger)
        self.rulenumber = 208
        self.rulename = 'DisableWebSharing'
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.compliant = False
        self.rootrequired = True
        self.guidance = ['CIS 1.4.14.6']
        self.applicable = {
            'type': 'white',
            'os': {
                'Mac OS X': ['10.15', 'r', '10.15.10']
            }
        }
        self.logger = logger
        # set up CIs
        datatype = 'bool'
        key = 'DISABLEWEBSHARING'
        instructions = 'To prevent web sharing from being disabled, set the value of DisableWebSharing to False.'
        default = True
        self.disableWebSharing = self.initCi(datatype, key, instructions,
                                             default)

        # set up class var's
        self.maclongname = '/System/Library/LaunchDaemons/org.apache.httpd.plist'
        self.macshortname = 'org.apache.httpd'
        self.svchelper = ServiceHelper(self.environ, self.logger)
        self.cmhelper = CommandHelper(self.logger)
        self.sethelptext()
示例#24
0
    def __init__(self, config, environ, logger, statechglogger):
        '''

        @param config:
        @param environ:
        @param logger:
        @param statechglogger:
        '''

        Rule.__init__(self, config, environ, logger, statechglogger)
        self.logger = logger
        self.rulenumber = 45
        self.rulename = "SecureHomeDir"
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.rootrequired = False
        datatype = 'bool'
        key = 'SECUREHOME'
        instructions = '''To disable this rule set the value of SECUREHOME to False.'''
        default = True
        self.ci = self.initCi(datatype, key, instructions, default)
        self.guidance = ['NSA 2.3.4.2']
        self.applicable = {'type': 'white',
                           'family': ['linux', 'solaris', 'freebsd'],
                           'os': {'Mac OS X': ['10.15', 'r', '10.15.10']}}
        self.sethelptext()
示例#25
0
 def __init__(self, config, environ, logger, statechglogger):
     '''
     Constructor
     '''
     Rule.__init__(self, config, environ, logger, statechglogger)
     self.rulenumber = 63
     self.rulename = 'ExecShield'
     self.formatDetailedResults("initialize")
     self.mandatory = False
     self.rootrequired = True
     self.rulesuccess = True
     self.comment = re.compile('^#|^;')
     self.sysctlconf = '/etc/sysctl.conf'
     self.tmpPath = '/etc/sysctl.conf.tmp'
     self.comment = re.compile('^#|^;')
     self.guidance = ['CCE-27007-4', 'CCE-26999-3']
     self.applicable = {'type': 'white',
                        'family': ['linux']}
     self.varandomcompliant = False
     self.shieldprocpath = '/proc/sys/kernel/exec-shield'
     if os.path.exists(self.shieldprocpath):
         self.execshieldapplies = True
         self.directives = {'kernel.exec-shield': '1',
                            'kernel.randomize_va_space': '2'}
     else:
         self.execshieldapplies = False
         self.directives = {'kernel.randomize_va_space': '2'}
     self.execshieldcompliant = False
     self.ExecCI = self.__initializeExecShield()
     self.sethelptext()
示例#26
0
    def __init__(self, config, environ, logger, statechglogger):
        Rule.__init__(self, config, environ, logger, statechglogger)
        self.logger = logger
        self.rulenumber = 107
        self.rulename = 'ConfigureMACPolicy'
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.sethelptext()
        self.guidance = ['NSA(2.1.1.6)(2.4.2)', 'CCE-3977-6', 'CCE-3999-0',
                         'CCE-3624-4', 'CIS 1.7']
        self.applicable = {'type': 'white',
                           'family': ['linux']}

        datatype = "bool"
        key = "CONFIGUREMAC"
        instructions = "To prevent the configuration of a mandatory " + \
            "access control policy, set the value of CONFIGUREMAC to " + \
            "False. Note: The 'mandatory access control' is either SELinux " + \
            "or AppArmor, depending on what is available to your current system."
        default = True
        self.ConfigureMAC = self.initCi(datatype, key, instructions, default)

        datatype2 = "string"
        key2 = "MODE"
        default2 = "permissive"
        instructions2 = "Valid modes for SELinux are: permissive or " + \
            "enforcing\nValid modes for AppArmor are: complain or enforce"
        self.modeci = self.initCi(datatype2, key2, instructions2, default2)
示例#27
0
    def __init__(self, config, enviro, logger, statechglogger):
        Rule.__init__(self, config, enviro, logger, statechglogger)
        self.logger = logger
        self.rulenumber = 143
        self.rulename = "SecureSquidProxy"
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.sethelptext()
        datatype1 = "bool"
        key1 = "SECURESQUIDPROXY"
        instructions1 = "To disable this rule set the value of " + \
            "SECURESQUIDPROXY to False.  MinimizeServices rule disables " + \
            "squid by default however this rule will still configure it " + \
            "if installed"
        default1 = True
        self.ci = self.initCi(datatype1, key1, instructions1, default1)

        self.guidance = ["NSA 3.19", "CCE 4454-5", "CCE 4353-9", "CCE 4503-9",
                         "CCE 3585-7", "CCE 4419-8", "CCE 3692-1",
                         "CCE 4459-4", "CCE 4476-8", "CCE 4181-4",
                         "CCE 4577-3", "CCE 4344-8", "CCE 4494-1",
                         "CCE 4511-2", "CCE 4529-4", "CCE 3610-3",
                         "CCE 4466-9", "CCE 4607-8", "CCE 4255-6",
                         "CCE 4127-7", "CCE 4519-5", "CCE 4413-1",
                         "CCE 4373-7"]

        self.applicable = {"type": "white",
                           "family": ["linux"]}
        self.iditerator = 0
示例#28
0
    def __init__(self, config, environ, logger, statechglogger):
        """
        Constructor
        """
        Rule.__init__(self, config, environ, logger, statechglogger)
        self.logger = logger
        self.rulenumber = 8
        self.rulename = 'SecureSSH'
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.environ = environ
        self.sethelptext()
        self.applicable = {'type': 'white',
                           'family': ['linux', 'solaris', 'freebsd'],
                           'os': {'Mac OS X': ['10.15', 'r', '10.15.10']}}
        datatype = 'bool'
        key = 'SECURESSH'
        instructions = "To disable this rule set the value " + \
                       "of SECURESSH to False"
        default = True
        self.ci = self.initCi(datatype, key, instructions, default)
        self.guidance = ['CIS, NSA(3.5.2.1)', 'CCE 4325-7', 'CCE 4726-6',
                         'CCE 4475-0', 'CCE 4370-3', 'CCE 4387-7',
                         'CCE 3660-8', 'CCE 4431-3', 'CCE 14716-5',
                         'CCE 14491-5']
        self.ed1, self.ed2 = "", ""

        self.osname = self.environ.getosname()
        if self.osname == "Mac OS":
            mpa_datatype = "bool"
            mpa_key = "ENABLEMACPIVAUTHSSH"
            mpa_instructions = "To enable piv authentication over ssh, on Mac OS, set the value of ENABLEMACPIVAUTHSSH to True"
            mpa_default = False
            self.mac_piv_auth_CI = self.initCi(mpa_datatype, mpa_key, mpa_instructions, mpa_default)
示例#29
0
    def __init__(self, config, environ, logger, statechglogger):
        """
        private method to initialize module

        :param config: configuration object instance
        :param environ: environment object instance
        :param logger: logdispatcher object instance
        :param statechglogger: statechglogger object instance
        """

        Rule.__init__(self, config, environ, logger, statechglogger)
        self.logger = logger
        self.environ = environ
        self.rulenumber = 62
        self.rulename = 'AuditSSHKeys'
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.sethelptext()
        self.rootrequired = True
        self.guidance = ['LANL CAP', 'OpenSSH Security Best Practices']
        self.applicable = {'type': 'white',
                           'family': ['linux', 'solaris', 'freebsd'],
                           'os': {'Mac OS X': ['10.15', 'r', '10.15.10']}}
        datatype = 'bool'
        key = 'AUDITSSHKEYS'
        instructions = "To prevent this rule from modifying permissions on ssh keys, set the value of AUDITSSHKEYS to False."
        default = True
        self.ci = self.initCi(datatype, key, instructions, default)
        self.localize()
示例#30
0
    def __init__(self, config, environ, logger, statechglogger):
        """

        :param config:
        :param environ:
        :param logger:
        :param statechglogger:
        """

        Rule.__init__(self, config, environ, logger, statechglogger)
        self.logger = logger
        self.rootrequired = True
        self.rulenumber = 98
        self.rulename = 'SetTFTPDSecureMode'
        self.formatDetailedResults("initialize")
        self.mandatory = True
        self.sethelptext()
        datatype = 'bool'
        key = 'SETTFTPDSECUREMODE'
        instructions = "To disable this rule set the value of " + \
            "SETTFTPDSECUREMODE to False"
        default = True
        self.tftpdci = self.initCi(datatype, key, instructions, default)

        self.guidance = ["NSA 3.1.5.4"]
        self.iditerator = 0
        self.editor = ""
        self.applicable = {
            'type': 'white',
            'family': ['linux', 'solaris', 'freebsd']
        }
示例#31
0
    def __init__(self, d, sip, sp, dip, dp, p, i, action, style, ts=None, flag="None"):

        Rule.__init__(self, d, sip, sp, dip, dp, p, i, action, style, ts, flag)
        self.action = "block"
        self.numPortsScanned = len(self.dPorts.elements)
        sortedValues = self.dPorts.elements.values()
        sortedValues.sort()
        self.startPort = sortedValues[0]
        self.endPort = sortedValues[self.numPortsScanned-1]
    def __init__(self, service_get_caps_uri):
        #
        #   Rule details
        #
        self.rule_id = 'web_service_name'
        self.rule_name = 'Web Service Name'
        self.rule_business_definition = 'The name is a summarised title (see above) of the service.\n' + \
            'The primary purpose of service name is to support machine-to-machine communications.\n' + \
            'Where possible, the service name should be meaningful to humans.\n' + \
            'The name should be a reflection of the service title (see above), sanitized to be machine readable.\n' + \
            'Describes the Service, not the data.\n' + \
            'Acronyms are allowed ONLY if they are a widely understood standard or an official name (e.g. DEM).\n' + \
            'New service names should be consistent with existing service names.\n' + \
            'Must not duplicate an existing GA web service name.\n'
        self.rule_authority = 'http://pid-dev.ga.gov.au/organisation/ga'
        self.rule_functional_definition = '120 character limit\n' +\
            'alphanumeric characters and underscores only\n' +\
            'machine-readable reflection of the web service title\n' + \
            'acronyms from controlled list only\n' + \
            'not a duplicate of existing name'
        self.component_name = 'string'
        self.passed = True
        self.fail_reasons = []
        self.components_total_count = 1
        self.components_failed_count = 0
        self.failed_components = None

        #
        #   Rule code
        #

        # get the name, from where?

        #
        #   Call the base Rule constructor
        #
        Rule.__init__(self,
                      self.rule_id,
                      self.rule_name,
                      self.rule_business_definition,
                      self.rule_authority,
                      self.rule_functional_definition,
                      self.component_name,
                      self.passed,
                      self.fail_reasons,
                      self.components_total_count,
                      self.components_failed_count,
                      self.failed_components)
    def __init__(self, service_get_caps_uri):
        #
        #   Rule details
        #
        self.rule_id = 'web_service_title'
        self.rule_name = 'Web Service Title'
        self.rule_business_definition = '250 characters or less.\n' + \
            'No tabs, indents, line feeds or carriage returns.\n' + \
            'No unsafe or reserved characters.\n' + \
            'Acronyms are allowed ONLY if they are a widely understood standard or an official name (e.g. DEM).\n' + \
            'Acronyms to be included in parenthesis after the full text.\n' + \
            'Must not duplicate an existing GA web service title.\n'
        self.rule_authority = 'GA'
        self.rule_functional_definition = 'Title must have... (no underscores)'
        self.component_name = 'Web Service title'
        self.passed = True
        self.fail_reasons = []
        self.components_total_count = 1
        self.components_failed_count = 0
        self.failed_components = None

        #
        #   Rule code
        #
        import requests
        r = requests.get(service_get_caps_uri)
        if r.status_code != 200:
            self.passed = False
            self.fail_reasons.append('Web Service not online')

        if "text/xml" not in r.headers["Content-Type"]:
            self.passed = False
            self.fail_reasons.append('Web Service does not return XML')


        #from lxml import etree
        import re
        m = re.search("<ows:Title>(.*)</ows:Title>", r.text)
        if len(m.group(1)) < 5:
            self.passed = False
            self.fail_reasons.append('No title found')

        title = m.group(1)

        # dummy rule 1
        if '_' in title:
            self.passed = False
            self.fail_reasons.append('Title must not contain underscores')

        #
        #   Call the base Rule constructor
        #
        Rule.__init__(self,
                      self.rule_id,
                      self.rule_name,
                      self.rule_business_definition,
                      self.rule_authority,
                      self.rule_functional_definition,
                      self.component_name,
                      self.passed,
                      self.fail_reasons,
                      self.components_total_count,
                      self.components_failed_count,
                      self.failed_components)