def __init__(self, config, environ, logger, statechglogger):
"""
Constructor
"""
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.rulenumber = 9
self.rulename = 'SystemAccounting'
self.formatDetailedResults("initialize")
self.mandatory = False
self.rootrequired = True
self.sethelptext()
self.guidance = ['CIS 2.4', 'cce-3992-5']
self.applicable = {
'type': 'white',
'family': 'linux',
'os': {
'Mac OS X': ['10.15', 'r', '10.15.10']
}
}
# set up configuration item for this rule
datatype = 'bool'
key = 'SYSTEMACCOUNTING'
instructions = "This is an optional rule and is disabled by default, due to the significant load it can place on the system when enabled. To enable system accounting, set the value of SYSTEMACCOUNTING to True."
default = False
self.ci = self.initCi(datatype, key, instructions, default)
self.ostype = self.environ.getostype()
self.ph = Pkghelper(self.logger, self.environ)
self.ch = CommandHelper(self.logger)
self._set_paths()
def __init__(self, config, environ, logdispatcher, statechglogger):
"""
:param config:
:param environ:
:param logdispatcher:
:param statechglogger:
"""
Rule.__init__(self, config, environ, logdispatcher, statechglogger)
self.logger = logdispatcher
self.rulenumber = 111
self.mandatory = True
self.applicable = {'type': 'white',
'family': ['linux', 'solaris', 'freebsd']}
self.formatDetailedResults("initialize")
self.guidance = ["NSA 2.2.2.6"]
self.rulename = "DisableThumbnailers"
self.rulesuccess = True
self.sethelptext()
datatype = 'bool'
key = 'DISABLETHUMBNAILERS'
instructions = "To disable this rule set the value of DISABLETHUMBNAILERS to False."
default = True
self.ci = self.initCi(datatype, key, instructions, default)
def __init__(self, config, environ, logdispatch, statechglogger):
'''Constructor'''
Rule.__init__(self, config, environ, logdispatch, statechglogger)
self.logger = logdispatch
self.rulenumber = 364
self.rulename = "STIGConfigureApplicationRestrictionsPolicy"
self.formatDetailedResults("initialize")
self.sethelptext()
self.rootrequired = True
self.applicable = {
'type': 'white',
'os': {
'Mac OS X': ['10.15', 'r', '10.15.10']
},
'fisma': 'high'
}
datatype = "bool"
key = "APPRESTRICTIONS"
instructions = "To disable the installation of the application " + \
"restrictions profile set the value of APPRESTRICTIONS to False"
default = True
self.ci = self.initCi(datatype, key, instructions, default)
self.iditerator = 0
self.identifier = "mil.disa.STIG.Application_Restrictions.alacarte"
self.profile = "/Applications/stonix4mac.app/Contents/" + \
"Resources/stonix.app/Contents/MacOS/" + \
"stonix_resources/files/" + \
"U_Apple_OS_X_10-11_V1R1_STIG_Application_Restrictions_Policy.mobileconfig"
'''These directories for testing purposes only'''
def __init__(self, config, enviro, logger, statechglogger):
Rule.__init__(self, config, enviro, logger, statechglogger)
self.logger = logger
self.rulenumber = 244
self.rulename = "RemoveSUIDGames"
self.formatDetailedResults("initialize")
self.mandatory = True
self.sethelptext()
self.applicable = {'type': 'white', 'family': 'linux'}
# Configuration item instantiation
datatype = "bool"
key = "REMOVESUIDGAMES"
instructions = "To disable this rule, set the value of " + \
"REMOVESUIDGAMES to false."
default = True
self.ci = self.initCi(datatype, key, instructions, default)
self.guidance = ["LANL 15.7"]
self.iditerator = 0
self.ph = Pkghelper(self.logger, self.environ)
self.gamelist = [
'atlantik', 'bomber', 'bovo', 'gnuchess', 'kapman', 'kasteroids',
'katomic', 'kbackgammon', 'kbattleship', 'kblackbox', 'kblocks',
'kbounce', 'kbreakout', 'kdiamond', 'kenolaba', 'kfouleggs',
'kfourinline', 'kgoldrunner', 'killbots', 'kiriki', 'kjumpingcube',
'klickety', 'klines', 'kmahjongg', 'kmines', 'knetwalk', 'kolf',
'kollision', 'konquest', 'kpat', 'kpoker', 'kreversi', 'ksame',
'kshisen', 'ksirk', 'ksirkskineditor', 'ksirtet', 'ksmiletris',
'ksnake', 'kspaceduel', 'ksquares', 'ksudoku', 'ktron',
'ktuberling', 'kubrick', 'kwin4', 'kwin4proc', 'lskat',
'lskatproc', 'gnome-games', 'kdegames', 'gnome-taquin'
]
def __init__(self, config, environ, logger, statechglogger):
'''
Constructor
'''
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.rulenumber = 85
self.rulename = 'NoDirectRootLogin'
self.formatDetailedResults("initialize")
self.compliant = False
self.mandatory = True
self.sethelptext()
self.rootrequired = True
self.guidance = ["CCE-RHEL7-CCE-TBD 2.4.1.1.7"]
self.applicable = {'type': 'white',
'family': ['linux', 'solaris', 'freebsd']}
# Configuration item instantiation
datatype = "bool"
key = "NODIRECTROOTLOGIN"
instructions = "To disable this rule, set the value of " + \
"NODIRECTROOTLOGIN to false."
default = True
self.ci = self.initCi(datatype, key, instructions, default)
self.ch = CommandHelper(self.logger)
self.securettypath = "/etc/securetty"
self.iditerator = 0
self.isblank = False
def __init__(self, config, environ, logger, statechglogger):
'''
Constructor
'''
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.rulenumber = 4
self.rulename = 'DisableInactiveAccounts'
self.compliant = True
self.formatDetailedResults("initialize")
self.mandatory = True
self.rootrequired = True
self.sethelptext()
self.guidance = ['CNSSI 1253', 'DISA STIG']
datatype = 'bool'
key = 'DISABLEINACTIVEACCOUNTS'
instructions = 'To disable this rule, set the value of ' + \
'DisableInactiveAccounts to False.'
default = True
self.ci = self.initCi(datatype, key, instructions, default)
self.applicable = {
'type': 'white',
'os': {
'Mac OS X': ['10.15', 'r', '10.15.10']
},
'fisma': 'high'
}
self.initobjs()
def __init__(self, config, enviro, logger, statechglogger):
Rule.__init__(self, config, enviro, logger, statechglogger)
self.logger = logger
self.rulenumber = 124
self.rulename = "SecureIPV6"
self.formatDetailedResults("initialize")
self.mandatory = True
self.sethelptext()
datatype = "bool"
key = "SECUREIPV6"
instructions = '''To disable this rule set the value of SECUREIPV6 to \
False.'''
default = True
self.ci = self.initCi(datatype, key, instructions, default)
self.guidance = ["NSA 2.5.3.2", "CCE 4269-7", "CCE 4291-1",
"CCE 4313-3", "CCE 4198-8", "CCE 3842-2",
"CCE 4221-8", "CCE 4137-6", "CCE 4159-0",
"CCE 3895-0", "CCE 4287-9", "CCE 4058-4",
"CCE 4128-5"]
self.applicable = {'type': 'white',
'family': ['linux'],
'os': {'Mac OS X': ['10.15', 'r', '10.15.10']}}
self.iditerator = 0
# self.editor1: sysctl file editor
# self.editor2: network file editor
self.editor1, self.editor2 = "", ""
self.ch = CommandHelper(self.logger)
def __init__(self, config, environ, logger, statechglogger):
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.rulenumber = 123
self.rulename = "DisableIPV6"
self.formatDetailedResults("initialize")
self.guidance = ["NSA 2.5.3.1"]
self.applicable = {
'type': 'white',
'family': ['linux', 'solaris', 'freebsd'],
'os': {
'Mac OS X': ['10.15', 'r', '10.15.10']
}
}
# configuration item instantiation
datatype = 'bool'
key = 'DISABLEIPV6'
instructions = "To disable this rule set the value of DISABLEIPV6 " + \
"to False."
default = False
self.ci = self.initCi(datatype, key, instructions, default)
self.iditerator = 0
self.created = False
self.created2 = False
# self.editor1: sysctl file editor
# self.editor2: network file editor
# self.editor3: sshd file editor
self.editor1, self.editor2, self.editor3 = "", "", ""
self.sh = ServiceHelper(self.environ, self.logger)
self.sethelptext()
def __init__(self, config, enviro, logger, statechglogger):
Rule.__init__(self, config, enviro, logger, statechglogger)
self.logger = logger
self.rulenumber = 132
self.rulename = "DisableUncommonProtocols"
self.formatDetailedResults("initialize")
self.mandatory = False
self.applicable = {'type': 'white', "family": ["linux"]}
# Configuration item instantiation
datatype = "bool"
key = "DISABLEUNCOMMONPROTOCOLS"
instructions = "To disable this rule, set the value of " + \
"DISABLEUNCOMMONPROTOCOLS to false."
default = True
self.ci = self.initCi(datatype, key, instructions, default)
datatype = "list"
key = "PROTOCOLS"
instructions = "List all network protocols to disable"
default = ["dccp", "sctp", "rds", "tipc"]
self.ci2 = self.initCi(datatype, key, instructions, default)
self.guidance = [
"NSA 2.5.7", "CIS 4.6", "CCE-26448-1", "CCE-26410-1",
"CCE-26239-4", "CCE-26696-5", "CCE-26828-4", "CCE-27106-4"
]
self.iditerator = 0
self.ch = CommandHelper(self.logger)
self.sethelptext()
def __init__(self, config, environ, logger, statechglogger):
'''
Constructor
'''
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.rulenumber = 36
self.rulename = 'XinetdAccessControl'
self.formatDetailedResults("initialize")
self.mandatory = True
self.sethelptext()
self.rootrequired = True
self.compliant = False
self.guidance = ['']
self.iditerator = 0
self.applicable = {
'type': 'white',
'family': ['linux', 'solaris', 'freebsd'],
'os': {
'Mac OS X': ['10.15', 'r', '10.15.10']
}
}
# init CIs
datatype = 'bool'
key = 'XINETDACCESSCONTROL'
instructions = "To disable the configuring of the xinetd access " + \
"control mechanism, set the value of XinetdAccessControl to False."
default = True
self.ci = self.initCi(datatype, key, instructions, default)
self.constlist = [XINETDALLOW]
# set up class var's
if self.checkConsts(self.constlist):
self.setvars()
def __init__(self, config, environ, logger, statechglogger):
'''
Constructor
'''
Rule.__init__(self, config, environ, logger, statechglogger)
self.config = config
self.environ = environ
self.logger = logger
self.statechglogger = statechglogger
self.rulenumber = 46
self.rulename = 'ConfigureDotFiles'
self.formatDetailedResults("initialize")
self.mandatory = True
self.sethelptext()
self.rootrequired = False
self.compliant = False
datatype = 'bool'
key = 'CONFIGUREDOTFILES'
instructions = '''To prevent dot files in user home directories from \
being made non-world-writable, set the value of ConfigureDotFiles to False.'''
default = True
self.ConfigureDotFiles = self.initCi(datatype, key, instructions,
default)
self.guidance = ['CIS', 'NSA 2.3.4.3', 'CCE-4561-7']
self.applicable = {
'type': 'white',
'family': ['linux', 'solaris', 'freebsd'],
'os': {
'Mac OS X': ['10.15', 'r', '10.15.10']
}
}
def __init__(self, config, environ, logger, statechglogger):
'''
Constructor
'''
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.rulenumber = 102
self.rulename = 'DisableTouchID'
self.formatDetailedResults("initialize")
self.mandatory = True
self.rootrequired = True
self.environ = environ
self.sethelptext()
self.applicable = {
'type': 'white',
'os': {
'Mac OS X': ['10.15', 'r', '10.15.10']
}
}
datatype = 'bool'
key = 'DISABLETOUCHID'
instructions = "To prevent this rule from running, set the value of DisableTouchID to False."
default = True
self.ci = self.initCi(datatype, key, instructions, default)
self.guidance = ['(None)']
self.initobjs()
def __init__(self, config, environ, logger, statechglogger):
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.rulenumber = 31
self.rulename = "PreventXListen"
self.formatDetailedResults("initialize")
self.mandatory = True
self.sethelptext()
self.guidance = ["NSA 3.6.1.3.2"]
self.applicable = {
'type': 'white',
'family': ['linux', 'solaris', 'freebsd'],
'os': {
'Mac OS X': ['10.15', 'r', '10.15.10']
}
}
datatype = 'bool'
key = 'PREVENTXLISTEN'
instructions = "To disable this rule set the value of " + \
"PREVENTXLISTEN to False."
default = True
self.ci = self.initCi(datatype, key, instructions, default)
self.properties = {}
self.iditerator = 0
def __init__(self, config, environ, logger, statechglogger):
"""
@param config:
@param environ:
@param logger:
@param statechglogger:
"""
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.rulenumber = 49
self.rulename = "NoCoreDumps"
self.formatDetailedResults("initialize")
self.mandatory = True
self.guidance = ["NSA 2.2.4.2"]
self.applicable = {
'type': 'white',
'family': ['linux'],
'os': {
'Mac OS X': ['10.15', 'r', '10.15.10']
}
}
datatype = 'bool'
key = 'NOCOREDUMPS'
instructions = "To prevent the disabling of core dumps on your system, set the value of NOCOREDUMPS to False."
default = True
self.ci = self.initCi(datatype, key, instructions, default)
self.sethelptext()
def __init__(self, config, environ, logger, statechglogger):
"""
:param config:
:param environ:
:param logger:
:param statechglogger:
"""
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.rulenumber = 56
self.rulename = "ConfigureSudo"
self.formatDetailedResults("initialize")
self.mandatory = True
self.sethelptext()
self.guidance = ["NSA 2.3.1.3"]
self.applicable = {
'type': 'white',
'family': 'linux',
'os': {
'Mac OS X': ['10.15', 'r', '10.15.10']
}
}
datatype2 = 'bool'
key2 = 'CONFIGURESUDO'
instructions2 = """To disable this rule set the value of CONFIGURESUDO to False."""
default2 = True
self.primary_ci = self.initCi(datatype2, key2, instructions2, default2)
self.localization()
def __init__(self, config, environ, logdispatcher, statechglogger):
'''
This rule should normally be a rulekveditor rule, but there has
recently been an issue discovered with subprocess for this
particular rule where a paramaterized list for the command doesn't
behave as would expected which KVADefault class uses when performing
the defaults read command. Can change back if this issue is resolved
with Mac/Python.
'''
Rule.__init__(self, config, environ, logdispatcher, statechglogger)
self.rulenumber = 17
self.rulename = 'ConfigureSpotlight'
self.formatDetailedResults("initialize")
self.mandatory = True
self.sethelptext()
self.rootrequired = False
self.guidance = []
self.applicable = {'type': 'white',
'os': {'Mac OS X': ['10.12', 'r', '10.14.10']}}
datatype1 = "bool"
key1 = "CONFIGURESPOTLIGHT"
instructions1 = "To disable this configuration set the value of " + \
"CONFIGURESPOTLIGHT to False."
default1 = True
self.ci1 = self.initCi(datatype1, key1, instructions1, default1)
datatype2 = "bool"
key2 = "SAFARISEARCH"
instructions2 = "To disable this configuration set the value of " + \
"SAFARISEARCH to False."
default2 = True
self.ci2 = self.initCi(datatype2, key2, instructions2, default2)
def __init__(self, config, environ, logger, statechglogger):
'''
:param config:
:param environ:
:param logger:
:param statechglogger:
'''
Rule.__init__(self, config, environ, logger, statechglogger)
self.rulenumber = 150
self.rulename = "DisableCamera"
self.formatDetailedResults("initialize")
self.mandatory = False
self.rulesuccess = True
self.sethelptext()
self.rootrequired = True
self.guidance = ["CIS 1.2.6"]
self.applicable = {'type': 'white',
'os': {'Mac OS X': ['10.15', 'r', '10.15.10']}}
self.logger = logger
self.iditerator = 0
datatype = 'bool'
key = 'DISABLECAMERA'
instructions = "To disable the built-in iSight camera, set the value of DISABLECAMERA to True."
default = False
self.ci = self.initCi(datatype, key, instructions, default)
self.setvars()
def __init__(self, config, environ, logger, statechglogger):
"""Constructor"""
Rule.__init__(self, config, environ, logger, statechglogger)
self.config = config
self.environ = environ
self.logger = logger
self.statechglogger = statechglogger
self.rulenumber = 230
self.rulename = 'InstalledSoftwareVerification'
self.formatDetailedResults("initialize")
self.mandatory = True
self.rootrequired = True
self.guidance = [
'NSA 2.1.3.2', 'CCE 14931-0', 'CCE-RHEL7-CCE-TBD 2.1.3.2.1'
]
self.applicable = {
'type': 'white',
'os': {
'Red Hat Enterprise Linux': ['6.0', '+'],
'CentOS Linux': ['7.0', '+']
}
}
datatype = 'bool'
key = 'FIXPERMISSIONS'
instructions = 'If set to True, this rule will fix the permissions \
of the package for any file which has a permission deviation from the vendor \
default.'
default = True
self.fixPermsCi = self.initCi(datatype, key, instructions, default)
self.sethelptext()
def __init__(self, config, environ, logdispatch, statechglogger):
'''
Constructor
'''
Rule.__init__(self, config, environ, logdispatch, statechglogger)
self.logger = logdispatch
self.rulenumber = 151
self.rulename = 'ReduceSudoTimeout'
self.formatDetailedResults("initialize")
self.sethelptext()
self.guidance = ['N/A']
self.applicable = {'type': 'white',
'family': ['linux', 'solaris', 'freebsd'],
'os': {'Mac OS X': ['10.15', 'r', '10.15.10']}}
datatype = "bool"
key = "REDUCESUDOTIMEOUT"
instructions = "If set to true, the REDUCESUDOTIMEOUT " + \
"variable will set the sudo timeout to 0, requiring a password " + \
"for each sudo call."
if self.environ.getostype() == 'Mac OS X':
self.mandatory = True
default = True
else:
default = False
self.ci = self.initCi(datatype, key, instructions, default)
self.iditerator = 0
todatatype = "string"
tokey = "TIMEOUTMINUTES"
toinstructions = "Enter the value (in minutes) you want each sudo authentication to last. Acceptable values are from 0 to 15."
todefault = ""
self.timeoutCI = self.initCi(todatatype, tokey, toinstructions, todefault)
def __init__(self, config, enviro, logger, statechglogger):
Rule.__init__(self, config, enviro, logger, statechglogger)
self.logger = logger
self.rulenumber = 89
self.rulename = "DisablePrelinking"
self.sethelptext()
self.formatDetailedResults("initialize")
self.mandatory = True
self.applicable = {'type': 'white', 'family': ['linux']}
# Configuration item instantiation
datatype = "bool"
key = "DISABLEPRELINKING"
instructions = "To disable this rule, set the value of " + \
"DISABLEPRELINKING to false."
default = True
self.ci = self.initCi(datatype, key, instructions, default)
self.guidance = ["CCE-RHEL7-CCE-TBA 2.1.3.1.2"]
self.iditerator = 0
self.ch = CommandHelper(self.logger)
if re.search("debian|ubuntu", self.environ.getostype().lower()):
self.isDebian = True
else:
self.isDebian = False
def __init__(self, config, environ, logger, statechglogger):
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.rulenumber = 30
self.rulename = "DisableWeakAuthentication"
self.mandatory = True
self.formatDetailedResults("initialize")
self.guidance = ["NSA 3.2.3.1"]
self.applicable = {
'type': 'white',
'family': ['linux', 'solaris', 'freebsd']
}
# Configuration item instantiation
datatype = 'bool'
key = 'DISABLEWEAKAUTHENTICATION'
instructions = "To prevent the disabling of services using weak " + \
"authentication set DISABLEWEAKAUTHENTICATION to False."
default = True
self.ci = self.initCi(datatype, key, instructions, default)
self.rsh = ["rshell", "rsh-client", "rsh-server", "rsh", "SUNWrcmdc"]
self.pams = [
"/etc/pam.conf", "/etc/pam_ldap.conf", "/etc/pam.conf-winbind"
]
self.incorrects = []
self.iditerator = 0
self.sethelptext()
def __init__(self, config, environ, logger, statechglogger):
'''
:param config:
:param environ:
:param logger:
:param statechglogger:
'''
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.environ = environ
self.rulenumber = 311
self.rulename = "DisableUbuntuDataCollection"
self.mandatory = True
self.rootrequired = True
self.formatDetailedResults("initialize")
self.guidance = []
self.applicable = {'type': 'white', 'os': {'Ubuntu': ['16.04', '+']}}
self.sethelptext()
datatype = "bool"
key = "DISABLEUBUNTUDATACOLLECTION"
instructions = """To prevent the diabling of data collection from this system, set the value of DISABLEUBUNTUDATACOLLECTION to False."""
default = True
self.enabledCI = self.initCi(datatype, key, instructions, default)
def __init__(self, config, environ, logger, statechglogger):
'''
Constructor
'''
Rule.__init__(self, config, environ, logger, statechglogger)
self.rulenumber = 208
self.rulename = 'DisableWebSharing'
self.formatDetailedResults("initialize")
self.mandatory = True
self.compliant = False
self.rootrequired = True
self.guidance = ['CIS 1.4.14.6']
self.applicable = {
'type': 'white',
'os': {
'Mac OS X': ['10.15', 'r', '10.15.10']
}
}
self.logger = logger
# set up CIs
datatype = 'bool'
key = 'DISABLEWEBSHARING'
instructions = 'To prevent web sharing from being disabled, set the value of DisableWebSharing to False.'
default = True
self.disableWebSharing = self.initCi(datatype, key, instructions,
default)
# set up class var's
self.maclongname = '/System/Library/LaunchDaemons/org.apache.httpd.plist'
self.macshortname = 'org.apache.httpd'
self.svchelper = ServiceHelper(self.environ, self.logger)
self.cmhelper = CommandHelper(self.logger)
self.sethelptext()
def __init__(self, config, environ, logger, statechglogger):
'''
@param config:
@param environ:
@param logger:
@param statechglogger:
'''
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.rulenumber = 45
self.rulename = "SecureHomeDir"
self.formatDetailedResults("initialize")
self.mandatory = True
self.rootrequired = False
datatype = 'bool'
key = 'SECUREHOME'
instructions = '''To disable this rule set the value of SECUREHOME to False.'''
default = True
self.ci = self.initCi(datatype, key, instructions, default)
self.guidance = ['NSA 2.3.4.2']
self.applicable = {'type': 'white',
'family': ['linux', 'solaris', 'freebsd'],
'os': {'Mac OS X': ['10.15', 'r', '10.15.10']}}
self.sethelptext()
def __init__(self, config, environ, logger, statechglogger):
'''
Constructor
'''
Rule.__init__(self, config, environ, logger, statechglogger)
self.rulenumber = 63
self.rulename = 'ExecShield'
self.formatDetailedResults("initialize")
self.mandatory = False
self.rootrequired = True
self.rulesuccess = True
self.comment = re.compile('^#|^;')
self.sysctlconf = '/etc/sysctl.conf'
self.tmpPath = '/etc/sysctl.conf.tmp'
self.comment = re.compile('^#|^;')
self.guidance = ['CCE-27007-4', 'CCE-26999-3']
self.applicable = {'type': 'white',
'family': ['linux']}
self.varandomcompliant = False
self.shieldprocpath = '/proc/sys/kernel/exec-shield'
if os.path.exists(self.shieldprocpath):
self.execshieldapplies = True
self.directives = {'kernel.exec-shield': '1',
'kernel.randomize_va_space': '2'}
else:
self.execshieldapplies = False
self.directives = {'kernel.randomize_va_space': '2'}
self.execshieldcompliant = False
self.ExecCI = self.__initializeExecShield()
self.sethelptext()
def __init__(self, config, environ, logger, statechglogger):
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.rulenumber = 107
self.rulename = 'ConfigureMACPolicy'
self.formatDetailedResults("initialize")
self.mandatory = True
self.sethelptext()
self.guidance = ['NSA(2.1.1.6)(2.4.2)', 'CCE-3977-6', 'CCE-3999-0',
'CCE-3624-4', 'CIS 1.7']
self.applicable = {'type': 'white',
'family': ['linux']}
datatype = "bool"
key = "CONFIGUREMAC"
instructions = "To prevent the configuration of a mandatory " + \
"access control policy, set the value of CONFIGUREMAC to " + \
"False. Note: The 'mandatory access control' is either SELinux " + \
"or AppArmor, depending on what is available to your current system."
default = True
self.ConfigureMAC = self.initCi(datatype, key, instructions, default)
datatype2 = "string"
key2 = "MODE"
default2 = "permissive"
instructions2 = "Valid modes for SELinux are: permissive or " + \
"enforcing\nValid modes for AppArmor are: complain or enforce"
self.modeci = self.initCi(datatype2, key2, instructions2, default2)
def __init__(self, config, enviro, logger, statechglogger):
Rule.__init__(self, config, enviro, logger, statechglogger)
self.logger = logger
self.rulenumber = 143
self.rulename = "SecureSquidProxy"
self.formatDetailedResults("initialize")
self.mandatory = True
self.sethelptext()
datatype1 = "bool"
key1 = "SECURESQUIDPROXY"
instructions1 = "To disable this rule set the value of " + \
"SECURESQUIDPROXY to False. MinimizeServices rule disables " + \
"squid by default however this rule will still configure it " + \
"if installed"
default1 = True
self.ci = self.initCi(datatype1, key1, instructions1, default1)
self.guidance = ["NSA 3.19", "CCE 4454-5", "CCE 4353-9", "CCE 4503-9",
"CCE 3585-7", "CCE 4419-8", "CCE 3692-1",
"CCE 4459-4", "CCE 4476-8", "CCE 4181-4",
"CCE 4577-3", "CCE 4344-8", "CCE 4494-1",
"CCE 4511-2", "CCE 4529-4", "CCE 3610-3",
"CCE 4466-9", "CCE 4607-8", "CCE 4255-6",
"CCE 4127-7", "CCE 4519-5", "CCE 4413-1",
"CCE 4373-7"]
self.applicable = {"type": "white",
"family": ["linux"]}
self.iditerator = 0
def __init__(self, config, environ, logger, statechglogger):
"""
Constructor
"""
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.rulenumber = 8
self.rulename = 'SecureSSH'
self.formatDetailedResults("initialize")
self.mandatory = True
self.environ = environ
self.sethelptext()
self.applicable = {'type': 'white',
'family': ['linux', 'solaris', 'freebsd'],
'os': {'Mac OS X': ['10.15', 'r', '10.15.10']}}
datatype = 'bool'
key = 'SECURESSH'
instructions = "To disable this rule set the value " + \
"of SECURESSH to False"
default = True
self.ci = self.initCi(datatype, key, instructions, default)
self.guidance = ['CIS, NSA(3.5.2.1)', 'CCE 4325-7', 'CCE 4726-6',
'CCE 4475-0', 'CCE 4370-3', 'CCE 4387-7',
'CCE 3660-8', 'CCE 4431-3', 'CCE 14716-5',
'CCE 14491-5']
self.ed1, self.ed2 = "", ""
self.osname = self.environ.getosname()
if self.osname == "Mac OS":
mpa_datatype = "bool"
mpa_key = "ENABLEMACPIVAUTHSSH"
mpa_instructions = "To enable piv authentication over ssh, on Mac OS, set the value of ENABLEMACPIVAUTHSSH to True"
mpa_default = False
self.mac_piv_auth_CI = self.initCi(mpa_datatype, mpa_key, mpa_instructions, mpa_default)
def __init__(self, config, environ, logger, statechglogger):
"""
private method to initialize module
:param config: configuration object instance
:param environ: environment object instance
:param logger: logdispatcher object instance
:param statechglogger: statechglogger object instance
"""
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.environ = environ
self.rulenumber = 62
self.rulename = 'AuditSSHKeys'
self.formatDetailedResults("initialize")
self.mandatory = True
self.sethelptext()
self.rootrequired = True
self.guidance = ['LANL CAP', 'OpenSSH Security Best Practices']
self.applicable = {'type': 'white',
'family': ['linux', 'solaris', 'freebsd'],
'os': {'Mac OS X': ['10.15', 'r', '10.15.10']}}
datatype = 'bool'
key = 'AUDITSSHKEYS'
instructions = "To prevent this rule from modifying permissions on ssh keys, set the value of AUDITSSHKEYS to False."
default = True
self.ci = self.initCi(datatype, key, instructions, default)
self.localize()
def __init__(self, config, environ, logger, statechglogger):
"""
:param config:
:param environ:
:param logger:
:param statechglogger:
"""
Rule.__init__(self, config, environ, logger, statechglogger)
self.logger = logger
self.rootrequired = True
self.rulenumber = 98
self.rulename = 'SetTFTPDSecureMode'
self.formatDetailedResults("initialize")
self.mandatory = True
self.sethelptext()
datatype = 'bool'
key = 'SETTFTPDSECUREMODE'
instructions = "To disable this rule set the value of " + \
"SETTFTPDSECUREMODE to False"
default = True
self.tftpdci = self.initCi(datatype, key, instructions, default)
self.guidance = ["NSA 3.1.5.4"]
self.iditerator = 0
self.editor = ""
self.applicable = {
'type': 'white',
'family': ['linux', 'solaris', 'freebsd']
}
def __init__(self, d, sip, sp, dip, dp, p, i, action, style, ts=None, flag="None"):
Rule.__init__(self, d, sip, sp, dip, dp, p, i, action, style, ts, flag)
self.action = "block"
self.numPortsScanned = len(self.dPorts.elements)
sortedValues = self.dPorts.elements.values()
sortedValues.sort()
self.startPort = sortedValues[0]
self.endPort = sortedValues[self.numPortsScanned-1]
def __init__(self, service_get_caps_uri):
#
# Rule details
#
self.rule_id = 'web_service_name'
self.rule_name = 'Web Service Name'
self.rule_business_definition = 'The name is a summarised title (see above) of the service.\n' + \
'The primary purpose of service name is to support machine-to-machine communications.\n' + \
'Where possible, the service name should be meaningful to humans.\n' + \
'The name should be a reflection of the service title (see above), sanitized to be machine readable.\n' + \
'Describes the Service, not the data.\n' + \
'Acronyms are allowed ONLY if they are a widely understood standard or an official name (e.g. DEM).\n' + \
'New service names should be consistent with existing service names.\n' + \
'Must not duplicate an existing GA web service name.\n'
self.rule_authority = 'http://pid-dev.ga.gov.au/organisation/ga'
self.rule_functional_definition = '120 character limit\n' +\
'alphanumeric characters and underscores only\n' +\
'machine-readable reflection of the web service title\n' + \
'acronyms from controlled list only\n' + \
'not a duplicate of existing name'
self.component_name = 'string'
self.passed = True
self.fail_reasons = []
self.components_total_count = 1
self.components_failed_count = 0
self.failed_components = None
#
# Rule code
#
# get the name, from where?
#
# Call the base Rule constructor
#
Rule.__init__(self,
self.rule_id,
self.rule_name,
self.rule_business_definition,
self.rule_authority,
self.rule_functional_definition,
self.component_name,
self.passed,
self.fail_reasons,
self.components_total_count,
self.components_failed_count,
self.failed_components)
def __init__(self, service_get_caps_uri):
#
# Rule details
#
self.rule_id = 'web_service_title'
self.rule_name = 'Web Service Title'
self.rule_business_definition = '250 characters or less.\n' + \
'No tabs, indents, line feeds or carriage returns.\n' + \
'No unsafe or reserved characters.\n' + \
'Acronyms are allowed ONLY if they are a widely understood standard or an official name (e.g. DEM).\n' + \
'Acronyms to be included in parenthesis after the full text.\n' + \
'Must not duplicate an existing GA web service title.\n'
self.rule_authority = 'GA'
self.rule_functional_definition = 'Title must have... (no underscores)'
self.component_name = 'Web Service title'
self.passed = True
self.fail_reasons = []
self.components_total_count = 1
self.components_failed_count = 0
self.failed_components = None
#
# Rule code
#
import requests
r = requests.get(service_get_caps_uri)
if r.status_code != 200:
self.passed = False
self.fail_reasons.append('Web Service not online')
if "text/xml" not in r.headers["Content-Type"]:
self.passed = False
self.fail_reasons.append('Web Service does not return XML')
#from lxml import etree
import re
m = re.search("<ows:Title>(.*)</ows:Title>", r.text)
if len(m.group(1)) < 5:
self.passed = False
self.fail_reasons.append('No title found')
title = m.group(1)
# dummy rule 1
if '_' in title:
self.passed = False
self.fail_reasons.append('Title must not contain underscores')
#
# Call the base Rule constructor
#
Rule.__init__(self,
self.rule_id,
self.rule_name,
self.rule_business_definition,
self.rule_authority,
self.rule_functional_definition,
self.component_name,
self.passed,
self.fail_reasons,
self.components_total_count,
self.components_failed_count,
self.failed_components)