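def check_system_disabled_when_auditLogs_are_full():
    """CIS 4.1.1.2: auditd must e-mail root and halt when audit logs fill up.

    Runs ``sudo grep`` against /etc/audit/auditd.conf (the file is normally
    not world-readable) and reports PASS through ``source.return_function``
    only when all three directives carry the benchmark values:

        space_left_action = email
        action_mail_acct = root
        admin_space_left_action = halt

    Fix: matching is now per line and anchored at the directive name, with
    any amount of whitespace around ``=``. The previous substring test
    accepted a commented-out ``#space_left_action = email`` line and let
    ``admin_space_left_action = email`` satisfy ``space_left_action``.

    NOTE(review): ``sudo`` may prompt for a password when this runs
    non-interactively; the check assumes root or passwordless sudo.
    """
    config = '4.1.1.2 Ensure system is disabled when audit logs are full (Scored)'

    # (grep command, directive, required value) for each benchmark item.
    expectations = [
        ('sudo grep space_left_action /etc/audit/auditd.conf',
         'space_left_action', 'email'),
        ('sudo grep action_mail_acct /etc/audit/auditd.conf',
         'action_mail_acct', 'root'),
        ('sudo grep admin_space_left_action /etc/audit/auditd.conf',
         'admin_space_left_action', 'halt'),
    ]

    print('checking "' + config + '" ..... ')

    compliant = True
    for command, key, wanted in expectations:
        with os.popen(command) as proc:
            grep_output = proc.read()
        # Whole-line match: optional leading blanks, the exact directive
        # (so 'admin_space_left_action' cannot stand in for
        # 'space_left_action'), '=', the value, nothing else. A leading '#'
        # therefore fails the line.
        pattern = re.compile(
            r'^\s*' + re.escape(key) + r'\s*=\s*' + re.escape(wanted) + r'\s*$',
            re.MULTILINE)
        if not pattern.search(grep_output):
            compliant = False  # keep going so every grep still runs, as before

    source.return_function(compliant, config)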
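def check_tftp_server_not_enabled():
    """CIS 2.1.x: the xinetd-based tftp service must be off.

    Reads ``chkconfig --list`` and passes when a line of the form
    ``tftp: off`` is present, allowing any run of spaces or tabs around
    the colon. Verdict goes to ``source.return_function``.

    Fix: the original looked for the literal ``'tftp::off'`` (double
    colon), which is inconsistent with the single-colon form the sibling
    time-service check expects, and it stripped only spaces, so a
    tab-separated listing would never have matched either.

    NOTE(review): if xinetd or tftp-server is not installed the line is
    absent and this reports FAIL although the control is satisfied —
    confirm that fail-closed behaviour is intended.
    """
    config = '2.1.4 Ensure tftp server are not enabled (Scored)'
    command = 'chkconfig --list'
    # Whole-line, whitespace-agnostic match for "tftp:<blanks>off".
    expected = re.compile(r'^\s*tftp:\s*off\s*$', re.MULTILINE)

    print('checking "' + config + '" ..... ')
    with os.popen(command) as proc:
        listing = proc.read()

    source.return_function(expected.search(listing) is not None, config)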
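def check_permissions_on_etc_hosts_allow_isConfigured():
    """CIS 3.4.4: /etc/hosts.allow must be a regular file, mode 0644, root:root.

    Uses ``os.lstat`` instead of scraping ``stat(1)`` output. The text
    scrape was locale-dependent ('Access:' is translated on non-English
    systems) and yielded an empty string when the command was missing, so
    a tooling problem looked exactly like a permission problem. The
    outcome for a missing file is unchanged: FAIL.

    Ownership is checked numerically (uid 0 / gid 0); the original also
    required the names to print as 'root', which is the same thing on any
    sane passwd/group database.
    """
    import stat

    config = '3.4.4 Ensure permissions on /etc/hosts.allow are configured (Scored)'
    path = '/etc/hosts.allow'
    required_mode = 0o644  # -rw-r--r--

    print('checking "' + config + '" ..... ')

    try:
        # lstat, like stat(1) without -L, does not follow a symlink.
        info = os.lstat(path)
    except OSError:
        # Missing/unreadable file: same verdict the original reached when
        # stat printed nothing.
        source.return_function(False, config)
        return

    # The original literal '(0644/-rw-r--r--)' encoded three facts: regular
    # file, exactly 0644 (no setuid/setgid/sticky), and root:root.
    compliant = (stat.S_ISREG(info.st_mode)
                 and stat.S_IMODE(info.st_mode) == required_mode
                 and info.st_uid == 0
                 and info.st_gid == 0)
    source.return_function(compliant, config)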
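def check_aide_installed():
    """CIS 1.3.1: the AIDE package must be installed.

    Queries ``rpm -q aide`` and passes only when rpm names an installed
    package (a line beginning with ``aide-``).

    Fix: the original passed whenever the words 'not installed' were
    absent, so an empty result — rpm missing, not on PATH, or the query
    failing — was reported as compliant (fail-open). It also printed no
    progress line, unlike the sibling checks.
    """
    config = ' 1.3.1 Ensure AIDE is installed (Scored)'
    command = 'rpm -q aide'

    print('checking "' + config + '" ..... ')

    with os.popen(command) as proc:
        query_output = proc.read()

    # rpm prints 'aide-<version>.<arch>' when installed and
    # 'package aide is not installed' otherwise; anything else (including
    # no output at all) is treated as not verified, not as a pass.
    installed = re.search(r'^aide-\S+', query_output, re.MULTILINE) is not None
    source.return_function(installed, config)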
def check_ntp_configured():
    """CIS 2.2.1.2: ntp must carry the benchmark ``restrict`` lines.

    Greps uncommented ``restrict`` lines out of /etc/ntp.conf and passes
    only when both the IPv4 and the IPv6 default restriction appear
    verbatim. The verdict is handed to ``source.return_function``.
    """
    config = '2.2.1.2 Ensure ntp is configured (Scored)'
    command = 'grep "^restrict" /etc/ntp.conf'
    required_lines = (
        'restrict -4 default kod nomodify notrap nopeer noquery',
        'restrict -6 default kod nomodify notrap nopeer noquery',
    )

    print('checking "' + config + '" ..... ')

    with os.popen(command) as proc:
        restrict_lines = proc.read()

    # Literal substring test, exactly as the benchmark audit text expects.
    compliant = all(line in restrict_lines for line in required_lines)
    source.return_function(compliant, config)
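def check_updates_patches_installed():
    """CIS 1.8: no pending updates according to ``yum check-update``.

    Exit status of ``yum check-update``: 0 = nothing to update,
    100 = updates available, anything else = yum itself failed.

    Fix: the original compared the exit status as a *string* with ``in``,
    so any status containing the digit 0 (e.g. 10 or 20) was reported as
    compliant. The integer is now compared exactly. A yum failure still
    prints 'error' but is additionally reported as FAIL, so the control no
    longer silently disappears from the results.
    """
    config = '1.8 Ensure updates, patches, and additional security software are installed (Not Scored)'
    print('checking "' + config + '" ..... ')

    command = 'yum check-update'

    process = Popen(shlex.split(command), stdout=PIPE)
    process.communicate()  # drain stdout; the package listing is not needed
    exit_code = process.returncode

    if exit_code == 100:
        source.return_function(False, config)  # updates pending
    elif exit_code == 0:
        source.return_function(True, config)   # fully patched
    else:
        print('error')
        # A check that could not run must not vanish from the report.
        source.return_function(False, config)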
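def check_time_sync_is_used():
    """CIS 2.2.1.1: either ntp or chrony must be installed.

    Queries rpm for both packages and passes when at least one query names
    an installed package (a line starting with ``<pkg>-``).

    Fix: the original only failed when *both* outputs literally contained
    'not installed', so an empty result (rpm missing or the query erroring)
    passed the check. An unverifiable query now counts as not installed.
    """
    config = '2.2.1.1 Ensure time synchronization is in use (Not Scored)'
    packages = ('ntp', 'chrony')
    print('checking "' + config + '" ..... ')

    installed = []
    for package in packages:
        with os.popen('rpm -q ' + package) as proc:
            query_output = proc.read()
        # rpm prints '<pkg>-<version>.<arch>' when installed and
        # 'package <pkg> is not installed' otherwise.
        found = re.search(r'^' + re.escape(package) + r'-\S+',
                          query_output, re.MULTILINE)
        installed.append(found is not None)

    source.return_function(any(installed), config)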
def check_NFS_and_RPC_not_installed():
    """CIS 2.2.7: nfs and rpcbind must not be enabled at boot.

    Asks systemd for the unit-file state of ``nfs`` and ``rpcbind`` and
    passes only when both replies contain 'disabled'. Verdict goes to
    ``source.return_function``.

    NOTE(review): a unit that does not exist produces no stdout, so a
    host without NFS installed appears to be reported as FAIL here —
    confirm whether that is intended.
    """
    config = '2.2.7 Ensure NFS and RPC are not enabled (Scored)'
    units = ('nfs', 'rpcbind')
    wanted_state = 'disabled'

    print('checking "' + config + '" ..... ')

    states = []
    for unit in units:
        with os.popen('systemctl is-enabled ' + unit) as proc:
            states.append(proc.read())

    compliant = all(wanted_state in state for state in states)
    source.return_function(compliant, config)
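def check_core_dumps_restricted():
    """CIS 1.5.1: core dumps must be disabled for all users.

    Two conditions, both required:
      * an uncommented ``* hard core 0`` entry in /etc/security/limits.conf
        or /etc/security/limits.d/*;
      * ``fs.suid_dumpable = 0`` in the running kernel (``sysctl``).

    Fixes over the original: the limits grep used a literal single space,
    so a tab- or multi-space-separated entry (limits.conf fields are
    whitespace separated) was never found, while a commented-out
    ``#* hard core 0`` was accepted; both are handled now. A progress line
    is printed like the sibling checks.
    """
    config = '1.5.1 Ensure core dumps are restricted (Scored)'
    # -E with [[:space:]]+ tolerates any whitespace between the fields;
    # grep prefixes each hit with 'file:' because several files are named.
    limits_command = ('grep -E "hard[[:space:]]+core" '
                      '/etc/security/limits.conf /etc/security/limits.d/*')
    sysctl_command = 'sysctl fs.suid_dumpable'

    print('checking "' + config + '" ..... ')

    with os.popen(limits_command) as proc:
        limits_hits = proc.read()
    with os.popen(sysctl_command) as proc:
        sysctl_output = proc.read()

    # Optional 'path:' prefix, then a domain field, 'hard', 'core', '0' as
    # whole fields and nothing after. A '#' anywhere before 'hard' (i.e. a
    # comment) or a non-zero limit fails the match.
    limits_ok = re.search(
        r'^(?:[^:#\n]*:)?\s*[^\s#]+\s+hard\s+core\s+0\s*$',
        limits_hits, re.MULTILINE)
    sysctl_ok = re.search(r'^fs\.suid_dumpable\s*=\s*0\s*$',
                          sysctl_output, re.MULTILINE)

    source.return_function(bool(limits_ok and sysctl_ok), config)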
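def check_tcp_wrappers_is_installed():
    """Ensure tcp_wrappers and tcp_wrappers-libs are installed.

    Queries rpm for each package and passes only when *both* queries name
    an installed package (a line starting with ``<pkg>-``), which is what
    the benchmark's two-command audit verifies.

    Fix: the original only failed when both outputs contained 'not
    installed', so one missing package — or an empty rpm result when the
    tool is absent or errors — still passed (fail-open). Each package is
    now verified independently and an unverifiable query counts as missing.
    """
    config = 'Ensure TCP Wrappers is installed (Scored)'
    packages = ('tcp_wrappers', 'tcp_wrappers-libs')

    print('checking "' + config + '" ..... ')

    present = []
    for package in packages:
        with os.popen('rpm -q ' + package) as proc:
            query_output = proc.read()
        # '<pkg>-<version>.<arch>' passes; 'package <pkg> is not installed'
        # or no output at all fails.
        found = re.search(r'^' + re.escape(package) + r'-\S+',
                          query_output, re.MULTILINE)
        present.append(found is not None)

    source.return_function(all(present), config)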
def check_source_routed_packets_not_accepted():
    """CIS 3.2.1: IPv4 source-routed packets must not be accepted.

    Reads ``accept_source_route`` for the ``all`` and ``default``
    interface sets via ``sysctl`` and passes only when both report 0.
    The verdict is handed to ``source.return_function``.
    """
    config = '3.2.1 Ensure source routed packets are not accepted (Scored)'
    keys = ('net.ipv4.conf.all.accept_source_route',
            'net.ipv4.conf.default.accept_source_route')

    print('checking "' + config + '" ..... ')

    results = []
    for key in keys:
        with os.popen('sysctl ' + key) as proc:
            # sysctl echoes 'key = value'; require the literal '= 0' line.
            results.append((key + ' = 0') in proc.read())

    source.return_function(all(results), config)
def check_secure_ICMP_redirect_are_not_accepted():
    """CIS 3.2.3: secure ICMP redirects must not be accepted (IPv4).

    Queries ``sysctl`` for the ``all`` and ``default`` values of
    ``secure_redirects`` and passes only when both print ``= 0``.
    """
    config = '3.2.3 Ensure secure ICMP redirects are not accepted (Scored)'
    checks = {
        'sysctl net.ipv4.conf.all.secure_redirects':
            'net.ipv4.conf.all.secure_redirects = 0',
        'sysctl net.ipv4.conf.default.secure_redirects':
            'net.ipv4.conf.default.secure_redirects = 0',
    }

    print('checking "' + config + '" ..... ')

    outcomes = []
    for command, expected in checks.items():
        with os.popen(command) as proc:
            outcomes.append(expected in proc.read())

    source.return_function(all(outcomes), config)
def check_reverse_path_filtering_enabled():
    """CIS 3.2.7: strict reverse-path filtering must be on (IPv4).

    Both ``net.ipv4.conf.all.rp_filter`` and
    ``net.ipv4.conf.default.rp_filter`` must read 1 via ``sysctl``;
    the verdict goes to ``source.return_function``.
    """
    config = '3.2.7 Ensure Reverse Path Filtering is enabled (Scored)'

    def sysctl_reads(key, value):
        # Run 'sysctl <key>' and look for the literal 'key = value' line.
        with os.popen('sysctl ' + key) as proc:
            return (key + ' = ' + value) in proc.read()

    print('checking "' + config + '" ..... ')

    all_ok = sysctl_reads('net.ipv4.conf.all.rp_filter', '1')
    default_ok = sysctl_reads('net.ipv4.conf.default.rp_filter', '1')

    source.return_function(all_ok and default_ok, config)
def check_rds_is_disabled():
    """CIS 3.5.3: the rds kernel module must be blacklisted and unloaded.

    Passes when a dry-run ``modprobe -n -v rds`` shows the module mapped
    to ``install /bin/true`` and ``lsmod | grep rds`` prints nothing at
    all. The verdict is handed to ``source.return_function``.
    """
    config = '3.5.3 Ensure rds is disabled (Not Scored)'
    probe_command = 'modprobe -n -v rds'
    loaded_command = 'lsmod | grep rds'
    blacklist_marker = 'install /bin/true'

    print('checking "' + config + '" ..... ')

    with os.popen(probe_command) as proc:
        probe_output = proc.read()
    with os.popen(loaded_command) as proc:
        loaded_output = proc.read()

    blacklisted = blacklist_marker in probe_output
    # The lsmod|grep pipeline must yield an empty string, not merely lack
    # an exact 'rds' line.
    not_loaded = loaded_output == ''

    source.return_function(blacklisted and not_loaded, config)
def check_suspicious_packets_are_logged():
    """CIS 3.2.4: martian packets must be logged (IPv4).

    Reads ``log_martians`` for the ``all`` and ``default`` interface sets
    with ``sysctl`` and passes only when both are 1.
    """
    config = '3.2.4 Ensure suspicious packets are logged (Scored)'
    all_key = 'net.ipv4.conf.all.log_martians'
    default_key = 'net.ipv4.conf.default.log_martians'

    print('checking "' + config + '" ..... ')

    with os.popen('sysctl ' + all_key) as proc:
        all_setting = proc.read()
    with os.popen('sysctl ' + default_key) as proc:
        default_setting = proc.read()

    logging_on = ((all_key + ' = 1') in all_setting
                  and (default_key + ' = 1') in default_setting)
    source.return_function(logging_on, config)
def check_IPv6_router_ads_not_accepted():
    """CIS 3.3.1: IPv6 router advertisements must not be accepted.

    Reads ``accept_ra`` for the ``all`` and ``default`` IPv6 interface
    sets via ``sysctl`` and passes only when both are 0.

    NOTE(review): when IPv6 is disabled these keys are absent, sysctl
    prints nothing on stdout, and the check reports FAIL; the benchmark
    presumably treats that case as not applicable — confirm.
    """
    config = '3.3.1 Ensure IPv6 router advertisements are not accepted (Scored)'
    expectations = [
        ('sysctl net.ipv6.conf.all.accept_ra',
         'net.ipv6.conf.all.accept_ra = 0'),
        ('sysctl net.ipv6.conf.default.accept_ra',
         'net.ipv6.conf.default.accept_ra = 0'),
    ]

    print('checking "' + config + '" ..... ')

    verdicts = []
    for command, expected in expectations:
        with os.popen(command) as proc:
            verdicts.append(expected in proc.read())

    source.return_function(all(verdicts), config)
def check_packet_redirect_sending_is_disabled():
    """CIS 3.1.2: the host must not send ICMP redirects (IPv4).

    Queries ``send_redirects`` for the ``all`` and ``default`` interface
    sets via ``sysctl`` and passes only when both print ``= 0``.
    """
    config = '3.1.2 Ensure packet redirect sending is disabled (Scored)'
    keys = ('net.ipv4.conf.all.send_redirects',
            'net.ipv4.conf.default.send_redirects')

    print('checking "' + config + '" ..... ')

    compliant = True
    for key in keys:
        with os.popen('sysctl ' + key) as proc:
            if (key + ' = 0') not in proc.read():
                compliant = False  # still query the other key, as before

    source.return_function(compliant, config)
def check_default_deny_firewall_policy():
    """Ensure the INPUT, FORWARD and OUTPUT chains default to DROP.

    Lists the filter table with ``sudo iptables -L`` and passes only when
    every built-in chain header reports ``policy DROP``.

    NOTE(review): ``iptables -L`` without ``-n`` performs reverse DNS
    lookups, which can be slow on hosts without a resolver; the match
    itself does not depend on them. ``sudo`` may prompt when run
    non-interactively.
    """
    config = 'Ensure default deny firewall policy (Scored)'
    command = 'sudo iptables -L'

    print('checking "' + config + '" ..... ')

    chains = ('INPUT', 'FORWARD', 'OUTPUT')

    with os.popen(command) as proc:
        listing = proc.read()

    compliant = all('Chain %s (policy DROP)' % chain in listing
                    for chain in chains)
    source.return_function(compliant, config)
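def check_rsh_server_not_enabled():
    """CIS 2.2.17: the rsh, rlogin and rexec sockets must not be enabled.

    Queries ``systemctl is-enabled`` for each socket unit and passes only
    when every reply is exactly ``disabled``.

    Changes from the original: prints the progress line the sibling checks
    print, and compares the stripped one-word reply for equality instead
    of testing that 'disabled' occurs somewhere in it.

    NOTE(review): if rsh-server is not installed the units do not exist,
    systemd prints nothing on stdout, and this reports FAIL although the
    control is met — confirm the intended handling.
    """
    config = '2.2.17 Ensure rsh server is not enabled (Scored)'
    units = ('rsh.socket', 'rlogin.socket', 'rexec.socket')
    wanted_state = 'disabled'

    print('checking "' + config + '" ..... ')

    compliant = True
    for unit in units:
        with os.popen('systemctl is-enabled ' + unit) as proc:
            state = proc.read().strip()
        if state != wanted_state:
            compliant = False  # keep going so every unit is still probed

    source.return_function(compliant, config)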
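def check_chrony_is_configured():
    """CIS 2.2.1.3: chrony must have a time source and run as user chrony.

    Passes when /etc/chrony.conf has at least one uncommented ``server``
    line and /etc/sysconfig/chronyd contains ``OPTIONS="-u chrony"``.

    Fixes: the original demanded *more than* one server line (``> 1``),
    failing a host with a single valid time source; a non-numeric ``wc``
    result raised ValueError instead of producing a FAIL; and no progress
    line was printed, unlike the sibling checks.

    NOTE(review): ``pool`` directives are not counted — confirm whether
    hosts configured with ``pool`` should pass.
    """
    config = '2.2.1.3 Ensure chrony is configured (Scored)'
    servers_command = 'grep "^server" /etc/chrony.conf | wc -l'
    options_command = 'grep ^OPTIONS /etc/sysconfig/chronyd'
    min_servers = 1
    required_options = 'OPTIONS="-u chrony"'

    print('checking "' + config + '" ..... ')

    with os.popen(servers_command) as proc:
        count_text = proc.read().strip()
    try:
        server_count = int(count_text)
    except ValueError:
        server_count = 0  # empty or garbled wc output: treat as no servers

    with os.popen(options_command) as proc:
        options_line = proc.read()

    compliant = (server_count >= min_servers
                 and required_options in options_line)
    source.return_function(compliant, config)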
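def check_singleUserMode_authentication():
    """CIS 1.4.3: rescue and emergency targets must require sulogin.

    Greps both unit files for ``/sbin/sulogin`` and passes only when each
    contains the benchmark's ExecStart line.

    Changes: the expected line is matched as a literal substring rather
    than compiled as a regex (it happens to contain no metacharacters, so
    the outcome is the same, but it no longer breaks if the literal ever
    gains one), and the progress line the sibling checks print is emitted.

    NOTE(review): newer systemd releases ship a different ExecStart for
    these units; on such hosts this literal will not match — confirm the
    target platform.
    """
    config = '1.4.3 Ensure authentication required for single user mode (Not Scored)'
    unit_files = ('/usr/lib/systemd/system/rescue.service',
                  '/usr/lib/systemd/system/emergency.service')
    expected_line = ('ExecStart=-/bin/sh -c "/usr/sbin/sulogin; '
                     '/usr/bin/systemctl --fail --no-block default')

    print('checking "' + config + '" ..... ')

    found = []
    for unit_file in unit_files:
        with os.popen('grep /sbin/sulogin ' + unit_file) as proc:
            found.append(expected_line in proc.read())

    source.return_function(all(found), config)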
def check_gdm_login_banner_configured():
    """CIS 1.7.2: the GDM login banner must exist and be correctly set.

    Delegates to ``check_file_exits`` and ``check_file_contents`` (defined
    elsewhere in this module) and passes only when neither reports False;
    a missing banner file is also announced on stdout.
    """
    config = '1.7.2 Ensure GDM login banner is configured (Scored)'
    print('checking "' + config + '" ..... ')

    banner_exists = check_file_exits()
    banner_contents_ok = check_file_contents()

    # The helpers' return types are not visible here; keep the original
    # '== False' comparison so a None result is handled exactly as before.
    if banner_exists == False:  # noqa: E712
        print('gdm file does not exist')
        source.return_function(False, config)
        return

    verdict = False if banner_contents_ok == False else True  # noqa: E712
    source.return_function(verdict, config)
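def check_time_services_not_enabled():
    """CIS: the xinetd time-dgram and time-stream services must be off.

    Parses ``chkconfig --list`` and passes only when both services appear
    on their own line as ``<name>: off`` (any run of spaces or tabs
    allowed). The verdict is handed to ``source.return_function``.

    Fix: the original removed only spaces before substring matching, so a
    tab between the service name and its state left the line unmatched;
    a whole-line regex is whitespace-agnostic.

    NOTE(review): when xinetd (or these services) are not installed the
    lines are absent and the check reports FAIL — confirm that fail-closed
    behaviour is intended.
    """
    config = '2.1.4 Ensure time services are not enabled (Scored)'
    command = 'chkconfig --list'
    services = ('time-dgram', 'time-stream')

    print('checking "' + config + '" ..... ')
    with os.popen(command) as proc:
        listing = proc.read()

    compliant = all(
        re.search(r'^\s*' + re.escape(service) + r':\s*off\s*$',
                  listing, re.MULTILINE) is not None
        for service in services
    )
    source.return_function(compliant, config)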