#
print_header("6.1.6 Set User/Group Owner and Permission on /etc/cron.daily (Scored)")
check_equal('stat -c "%a %u %g" /etc/cron.daily | egrep "600 0 0"', "600 0 0")
#
print_header("6.1.7 Set User/Group Owner and Permission on /etc/cron.weekly (Scored)")
check_equal('stat -c "%a %u %g" /etc/cron.weekly | egrep "600 0 0"', "600 0 0")
#
print_header("6.1.8 Set User/Group Owner and Permission on /etc/cron.monthly (Scored)")
check_equal('stat -c "%a %u %g" /etc/cron.monthly | egrep "600 0 0"', "600 0 0")
#
print_header("6.1.9 Set User/Group Owner and Permission on /etc/cron.d (Scored)")
check_equal('stat -c "%a %u %g" /etc/cron.d | egrep "700 0 0"', "700 0 0")
check_empty('stat -c "%a %u %g" /etc/cron.d/* | egrep -v "600 0 0"')
#
print_header("6.1.10 Restrict at Daemon (Scored)")
check_equal('ls /etc/at.deny', "ls: cannot access /etc/at.deny: No such file or directory")
check_equal('stat -c "%a %u %g" /etc/at.allow | egrep "600 0 0"', "600 0 0")
#
print_header("6.1.11 Restrict at/cron to Authorized Users (Scored)")
check_equal('ls /etc/cron.deny', "ls: cannot access /etc/cron.deny: No such file or directory")
check_equal('stat -c "%a %u %g" /etc/cron.allow | egrep "600 0 0"', "600 0 0")
#
print_header("6.2 Configure SSH")
#
#
print_header(
"6.1.7 Set User/Group Owner and Permission on /etc/cron.weekly (Scored)")
check_equal('stat -c "%a %u %g" /etc/cron.weekly | egrep "600 0 0"', "600 0 0")
#
print_header(
"6.1.8 Set User/Group Owner and Permission on /etc/cron.monthly (Scored)")
check_equal('stat -c "%a %u %g" /etc/cron.monthly | egrep "600 0 0"',
"600 0 0")
#
print_header(
"6.1.9 Set User/Group Owner and Permission on /etc/cron.d (Scored)")
check_equal('stat -c "%a %u %g" /etc/cron.d | egrep "700 0 0"', "700 0 0")
check_empty('stat -c "%a %u %g" /etc/cron.d/* | egrep -v "600 0 0"')
#
print_header("6.1.10 Restrict at Daemon (Scored)")
check_equal('ls /etc/at.deny',
"ls: cannot access /etc/at.deny: No such file or directory")
check_equal('stat -c "%a %u %g" /etc/at.allow | egrep "600 0 0"', "600 0 0")
#
print_header("6.1.11 Restrict at/cron to Authorized Users (Scored)")
check_equal('ls /etc/cron.deny',
"ls: cannot access /etc/cron.deny: No such file or directory")
check_equal('stat -c "%a %u %g" /etc/cron.allow | egrep "600 0 0"', "600 0 0")
#
print_header("6.2 Configure SSH")
#
print_header("7. User Accounts and Environment")
#
print_header("7.1 Set Shadow Password Suite Parameters (/etc/login.defs)")
#
print_header("7.1.1 Set Password Expiration Days (Scored)")
check_equal(
"grep ^PASS_MAX_DAYS /etc/login.defs",
"PASS_MAX_DAYS\t90"
)
check_empty(
'awk -F: \'($3 > 0) {print $1}\' /etc/passwd | xargs -I {} ' +
'chage --list {}|' +
'grep "^Maximum number of days between password change"|'+
'grep -v ": 99$"'
)
#
print_header("7.1.2 Set Password Change Minimum Number of Days (Scored)")
check_equal(
"grep ^PASS_MIN_DAYS /etc/login.defs",
"PASS_MIN_DAYS\t7"
)
check_empty(
'awk -F: \'($3 > 0) {print $1}\' /etc/passwd | xargs -I {} ' +
'chage --list {}|' +
'grep "^Miniumum number of days between password change"|'+
'grep -v ": 7$"'
# "id:3:initdefault"
# )
# Syco hardened servers use this.
check_equal('grep "^\~\~\:S\:wait\:\/sbin\/sulogin" /etc/inittab',
"~~:S:wait:/sbin/sulogin")
result = x('yum grouplist "X Window System"')
max_lines = len(result)
assert_contains(result[max_lines - 3], "Available Groups:")
assert_contains(result[max_lines - 2], " X Window System")
assert_contains(result[max_lines - 1], "Done")
#
print_header("3.3 Disable Avahi Server (Scored)")
check_equal("rpm -q avahi", "package avahi is not installed")
check_empty("chkconfig --list | grep avahi")
#
print_header("3.4 Disable Print Server - CUPS (Not Scored)")
check_equal("rpm -q cups", "package cups is not installed")
check_empty("chkconfig --list | grep cups")
#
print_header("3.5 Remove DHCP Server (Scored)")
check_equal("rpm -q dhcp", "package dhcp is not installed")
check_empty("chkconfig --list | grep dhcp")
#
print_header("3.6 Configure Network Time Protocol (NTP) (Scored)")
# Original CIS looks for
# restrict default kod nomodify notrap nopeer noquery
check_equal("mount | grep /dev/shm | grep nodev", "nodev")
#
print_header("1.1.15 Add nosuid Option to /dev/shm Partition (Scored)")
check_equal("grep /dev/shm /etc/fstab | grep nosuid", "nosuid")
check_equal("mount | grep /dev/shm | grep nosuid", "nosuid")
#
print_header("1.1.16 Add noexec Option to /dev/shm Partition (Scored)")
check_equal("grep /dev/shm /etc/fstab | grep noexec", "noexec")
check_equal("mount | grep /dev/shm | grep noexec", "noexec")
#
print_header(
"1.1.17 Set Sticky Bit on All World-Writable Directories (Scored)")
check_empty("find / -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null")
#
print_header("1.1.18 Disable Mounting of cramfs Filesystems (Not Scored)")
check_equal("/sbin/modprobe -n -v cramfs", "install /bin/true")
check_empty("/sbin/lsmod | grep cramfs")
#
print_header("1.1.19 Disable Mounting of freevxfs Filesystems (Not Scored)")
check_equal("/sbin/modprobe -n -v freevxfs", "install /bin/true")
check_empty("/sbin/lsmod | grep freexvfs")
#
print_header("1.1.20 Disable Mounting of jffs2 Filesystems (Not Scored)")
check_equal("/sbin/modprobe -n -v jffs2", "install /bin/true")
check_empty("/sbin/lsmod | grep jffs2")
import config
#
print_header("5 Logging and Auditing")
#
print_header("5.1 Configure Syslog")
#
print_header("5.1.1 Install the rsyslog package (Scored)")
check_equal_re("rpm -q rsyslog", "rsyslog.*")
#
print_header("5.1.2 Activate the rsyslog Service (Scored)")
check_equal("rpm -q syslog", "package syslog is not installed")
check_empty("chkconfig --list | grep syslog")
check_equal_re("chkconfig --list rsyslog",
"rsyslog.*0:off.*1:off.*2:on.*3:on.*4:on.*5:on.*6:off")
#
print_header("5.1.3 Configure /etc/rsyslog.conf (Not Scored)")
print_warning(
"Manually review the contents of the /etc/rsyslog.conf file to ensure appropriate logging is set. "
)
view_output("ls -l /var/log/")
#
print_header("5.1.4 Create and Set Permissions on rsyslog Log Files (Scored)")
print_header(" TODO - Ensure that the log files are logging information")
#
#
print_header("9.1.7 Verify User/Group Ownership on /etc/shadow (Scored)")
check_equal('stat -c "%a %u %g" /etc/shadow | egrep "0 0 0"', "0 0 0")
#
print_header("9.1.8 Verify User/Group Ownership on /etc/gshadow (Scored)")
check_equal('stat -c "%a %u %g" /etc/gshadow | egrep "0 0 0"', "0 0 0")
#
print_header("9.1.9 Verify User/Group Ownership on /etc/group (Scored)")
check_equal('stat -c "%a %u %g" /etc/group | egrep "644 0 0"', "644 0 0")
#
print_header("9.1.10 Find World Writable Files (Not Scored)")
check_empty(
"df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002 -print"
)
#
print_header("9.1.11 Find Un-owned Files and Directories (Scored)")
check_empty(
"df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nouser -ls"
)
#
print_header("9.1.12 Find Un-grouped Files and Directories (Scored)")
check_empty(
"df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -nogroup -ls"
)
#
print_header("5.1 Configure Syslog")
#
print_header("5.1.1 Install the rsyslog package (Scored)")
check_equal_re(
"rpm -q rsyslog",
"rsyslog.*"
)
#
print_header("5.1.2 Activate the rsyslog Service (Scored)")
check_equal(
"rpm -q syslog",
"package syslog is not installed"
)
check_empty("chkconfig --list | grep syslog")
check_equal_re(
"chkconfig --list rsyslog",
"rsyslog.*0:off.*1:off.*2:on.*3:on.*4:on.*5:on.*6:off"
)
#
print_header("5.1.3 Configure /etc/rsyslog.conf (Not Scored)")
print_warning("Manually review the contents of the /etc/rsyslog.conf file to ensure appropriate logging is set. ")
view_output("ls -l /var/log/")
#
print_header("5.1.4 Create and Set Permissions on rsyslog Log Files (Scored)")
print_header(" TODO - Ensure that the log files are logging information")
#
def one_player(self, board):
"""
Play with the computer
"""
keyboardIndexMapping = constants.keyboardIndexMapping
computerChar, playerChar, displayWinChance, whichPlayerFirst = utils.getSinglePlayerDetails(
)
if whichPlayerFirst == 1:
utils.clearScreen()
utils.display_board(board)
while utils.check_win(board, computerChar, playerChar)[0] == 0:
if utils.check_empty(board):
tut = [0, 0, 0, 0, 0, 0, 0, 0, 0]
else:
tut = [
-i for i in self.minimax(board, playerChar,
computerChar, playerChar)
]
if displayWinChance == 1:
utils.clearScreen()
utils.display_tutorial_board(board, tut)
index = int(input())
if index > 9 or index < 1:
utils.clearScreen()
utils.display_board(board)
if displayWinChance == 1:
utils.clearScreen()
utils.display_tutorial_board(board, tut)
continue
index = keyboardIndexMapping[index]
# cant use already used index
if board[index] != '-':
utils.clearScreen()
utils.display_board(board)
if displayWinChance == 1:
utils.clearScreen()
utils.display_tutorial_board(board, tut)
continue
board[index] = playerChar
utils.clearScreen()
utils.display_board(board)
if displayWinChance == 1:
utils.clearScreen()
utils.display_tutorial_board(board, tut)
if utils.check_win(board, computerChar, playerChar)[0] != 0:
break
ret = self.minimax(board, computerChar, computerChar,
playerChar)
# chose move for computer
board[utils.the_move(board, ret)] = computerChar
utils.clearScreen()
utils.display_board(board)
if utils.check_win(board, computerChar, playerChar)[0] == 1:
print("You lost!!")
else:
print("It's a draw!")
if whichPlayerFirst == 2:
while utils.check_win(board, computerChar, playerChar)[0] == 0:
if utils.check_empty(board):
board[random.randrange(0, 9)] = computerChar
else:
ret = self.minimax(board, computerChar, computerChar,
playerChar)
# chose move for computer
board[utils.the_move(board, ret)] = computerChar
utils.clearScreen()
utils.display_board(board)
if utils.check_win(board, computerChar, playerChar)[0] != 0:
break
# index already used can't be reused
flag = 0
while flag == 0:
tut = [
-i for i in self.minimax(board, playerChar,
computerChar, playerChar)
]
utils.clearScreen()
utils.display_board(board)
if displayWinChance == 1:
utils.clearScreen()
utils.display_tutorial_board(board, tut)
index = int(input())
if index > 9 or index < 1:
utils.clearScreen()
utils.display_board(board)
if displayWinChance == 1:
utils.clearScreen()
utils.display_tutorial_board(board, tut)
continue
index = keyboardIndexMapping[index]
if board[index] == '-':
flag = 1
board[index] = playerChar
utils.clearScreen()
utils.display_board(board)
if displayWinChance == 1:
utils.clearScreen()
utils.display_tutorial_board(board, tut)
else:
utils.clearScreen()
utils.display_board(board)
if displayWinChance == 1:
utils.clearScreen()
utils.display_tutorial_board(board, tut)
if utils.check_win(board, computerChar, playerChar)[0] == 1:
print("You lost!!")
else:
print("It's a draw!")
#
print_header("4.5.5 Verify Permissions on /etc/hosts.deny (Scored)")
check_equal(
'stat -c "%a" /etc/hosts.deny | egrep "644"',
"644"
)
#
print_header("4.6 Uncommon Network Protocols")
#
print_header("4.6.1 Disable DCCP (Not Scored)")
check_equal('grep "install dccp /bin/true" /etc/modprobe.d/*', 'install dccp /bin/true')
check_equal("/sbin/modprobe -n -v dccp", "install /bin/true")
check_empty("/sbin/lsmod | grep dccp")
#
print_header("4.6.2 Disable SCTP (Not Scored)")
check_equal('grep "install sctp /bin/true" /etc/modprobe.d/*', 'install sctp /bin/true')
check_equals(
'/sbin/modprobe -n -v sctp',
(
None,
None,
"install /bin/true"
)
)
check_empty("/sbin/lsmod | grep sctp")
#
print_header("4.5.4 Create /etc/hosts.deny (Not Scored)")
check_equal('grep "ALL: ALL" /etc/hosts.deny', "ALL: ALL")
#
print_header("4.5.5 Verify Permissions on /etc/hosts.deny (Scored)")
check_equal('stat -c "%a" /etc/hosts.deny | egrep "644"', "644")
#
print_header("4.6 Uncommon Network Protocols")
#
print_header("4.6.1 Disable DCCP (Not Scored)")
check_equal('grep "install dccp /bin/true" /etc/modprobe.d/*',
'install dccp /bin/true')
check_equal("/sbin/modprobe -n -v dccp", "install /bin/true")
check_empty("/sbin/lsmod | grep dccp")
#
print_header("4.6.2 Disable SCTP (Not Scored)")
check_equal('grep "install sctp /bin/true" /etc/modprobe.d/*',
'install sctp /bin/true')
check_equals('/sbin/modprobe -n -v sctp', (None, None, "install /bin/true"))
check_empty("/sbin/lsmod | grep sctp")
#
print_header("4.6.3 Disable RDS (Not Scored)")
check_equal('grep "install rds /bin/true" /etc/modprobe.d/*',
'install rds /bin/true')
check_equal("/sbin/modprobe -n -v rds", "install /bin/true")
check_empty("/sbin/lsmod | grep rds")
"~~:S:wait:/sbin/sulogin"
)
result = x('yum grouplist "X Window System"')
max_lines = len(result)
assert_contains(result[max_lines-3], "Available Groups:")
assert_contains(result[max_lines-2], " X Window System")
assert_contains(result[max_lines-1], "Done")
#
print_header("3.3 Disable Avahi Server (Scored)")
check_equal(
"rpm -q avahi",
"package avahi is not installed"
)
check_empty("chkconfig --list | grep avahi")
#
print_header("3.4 Disable Print Server - CUPS (Not Scored)")
check_equal(
"rpm -q cups",
"package cups is not installed"
)
check_empty("chkconfig --list | grep cups")
#
print_header("3.5 Remove DHCP Server (Scored)")
check_equal(
"rpm -q dhcp",
"package dhcp is not installed"
)
check_equal("grep /dev/shm /etc/fstab | grep nodev", "nodev")
check_equal("mount | grep /dev/shm | grep nodev", "nodev")
#
print_header("1.1.15 Add nosuid Option to /dev/shm Partition (Scored)")
check_equal("grep /dev/shm /etc/fstab | grep nosuid", "nosuid")
check_equal("mount | grep /dev/shm | grep nosuid", "nosuid")
#
print_header("1.1.16 Add noexec Option to /dev/shm Partition (Scored)")
check_equal("grep /dev/shm /etc/fstab | grep noexec", "noexec")
check_equal("mount | grep /dev/shm | grep noexec", "noexec")
#
print_header("1.1.17 Set Sticky Bit on All World-Writable Directories (Scored)")
check_empty("find / -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null")
#
print_header("1.1.18 Disable Mounting of cramfs Filesystems (Not Scored)")
check_equal("/sbin/modprobe -n -v cramfs", "install /bin/true")
check_empty("/sbin/lsmod | grep cramfs")
#
print_header("1.1.19 Disable Mounting of freevxfs Filesystems (Not Scored)")
check_equal("/sbin/modprobe -n -v freevxfs", "install /bin/true")
check_empty("/sbin/lsmod | grep freexvfs")
#
print_header("1.1.20 Disable Mounting of jffs2 Filesystems (Not Scored)")
check_equal("/sbin/modprobe -n -v jffs2", "install /bin/true")
check_empty("/sbin/lsmod | grep jffs2")
__email__ = "*****@*****.**"
__credits__ = ["???"]
__license__ = "???"
__version__ = "1.0.0"
__status__ = "Production"
from utils import check_empty, check_equal, check_equal_re, check_equals, check_not_empty, check_return_code, print_header, view_output, print_warning, print_info
import app
#
print_header("8 Warning Banners")
#
print_header("8.1 Set Warning Banner for Standard Login Services (Scored)")
check_empty("diff %s/hardening/issue.net /etc/motd" % app.SYCO_VAR_PATH)
check_empty("diff %s/hardening/issue.net /etc/issue" % app.SYCO_VAR_PATH)
check_empty("diff %s/hardening/issue.net /etc/issue.net" % app.SYCO_VAR_PATH)
check_equal('stat -c "%a %u %g" /etc/motd | egrep "644 0 0"', "644 0 0")
check_equal('stat -c "%a %u %g" /etc/issue | egrep "644 0 0"', "644 0 0")
check_equal('stat -c "%a %u %g" /etc/issue.net | egrep "644 0 0"', "644 0 0")
#
print_header("8.2 Remove OS Information from Login Warning Banners (Scored)")
check_empty("egrep '(\\\\v|\\\\r|\\\\m|\\\\s)' /etc/issue")
check_empty("egrep '(\\\\v|\\\\r|\\\\m|\\\\s)' /etc/motd")
check_empty("egrep '(\\\\v|\\\\r|\\\\m|\\\\s)' /etc/issue.net")
#
print_header("8.3 Set GNOME Warning Banner (Not Scored)")