示例#1
文件: cis7.py 项目: Nemie/syco
    chage --list {}| \
    grep "^Number of days of warning before password expires"| \
    grep -v ": 7$"
""")

#
# CIS 7.2: print every /etc/passwd entry other than root, sync, shutdown and
# halt whose UID is below 500 and whose login shell is not /sbin/nologin.
# check_empty (from utils, not shown here) presumably fails when the command
# prints anything, so each line awk emits is an account to review.
print_header("7.2 Disable System Accounts (Scored)")
check_empty(
    "\n"
    "    awk -F: "
    """'($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" """
    """&& $3<500 && $7!="/sbin/nologin") {print}' /etc/passwd"""
    "\n"
)

#
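# CIS 7.3: the primary group of the root account (field 4 of its /etc/passwd
# entry) must be GID 0.
print_header("7.3 Set Default Group for root Account (Scored)")
check_equal(
    # Anchor on "root:" so only the root entry is selected. A bare ^root also
    # matches any other account whose name merely begins with "root", which
    # would add extra lines to the output compared against "0".
    "grep '^root:' /etc/passwd | cut -f4 -d:",
    "0"
)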

#
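# CIS 7.4: the shell start-up files must set a default umask of 077.
# The second grep drops comment lines: without it a commented-out
# "# umask 077" satisfies the pattern even though no umask is being set,
# and the audit reports a pass for an unhardened file.
print_header("7.4 Set Default umask for Users (Scored)")
check_equal_re("grep 'umask 077' /etc/bashrc | grep -v '^[[:space:]]*#'",    ".*umask 077.*")
check_equal_re("grep 'umask 077' /etc/profile | grep -v '^[[:space:]]*#'",   ".*umask 077.*")
check_equal_re("grep 'umask 077' /etc/csh.cshrc | grep -v '^[[:space:]]*#'", ".*umask 077.*")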

#
# CIS 7.5: the useradd defaults must contain INACTIVE=35, i.e. the INACTIVE
# line printed by `useradd -D` has to equal that string.
print_header("7.5 Lock Inactive User Accounts (Scored)")
check_equal("useradd -D | grep INACTIVE", "INACTIVE=35")
示例#2
文件: cis6.py 项目: Nemie/syco
from utils import check_empty, check_equal, check_equal_re, check_equals, check_not_empty, check_return_code, print_header, view_output, print_warning, print_info

#
# Section 6 of the benchmark: cron / anacron configuration checks.
print_header("6 System Access, Authentication and Authorization")

print_header("6.1 Configure cron and anacron")

# 6.1.1: the expected rpm output is the "not installed" message, so this check
# is satisfied when the anacron package is absent, not when it is enabled.
# The info line records that this is the intended state on these servers.
print_header("6.1.1 Enable anacron Daemon (Scored)")
check_equal("rpm -q anacron", "package anacron is not installed")
print_info("Not installed syco servers.")

# 6.1.2: crond must be on in runlevels 2-5 and off in 0, 1 and 6.
print_header("6.1.2 Enable crond Daemon (Scored)")
check_equal_re(
    "chkconfig --list crond",
    "crond.*0:off.*1:off" ".*2:on.*3:on.*4:on.*5:on" ".*6:off"
)

#
# 6.1.3 - 6.1.5: each path must report mode 600 with owner UID 0 and GID 0
# ("%a %u %g" is octal mode, numeric owner, numeric group).
print_header("6.1.3 Set User/Group Owner and Permission on /etc/anacrontab (Scored)")
check_equal(
    'stat -c "%a %u %g" /etc/anacrontab | egrep "600 0 0"',
    "600 0 0",
)

print_header("6.1.4 Set User/Group Owner and Permission on /etc/crontab (Scored)")
check_equal(
    'stat -c "%a %u %g" /etc/crontab | egrep "600 0 0"',
    "600 0 0",
)

# NOTE(review): /etc/cron.hourly is normally a directory. Removing group/other
# access from a default directory leaves mode 700, which this exact "600"
# comparison would report as a failure - confirm 600 is what the hardening
# step really applies. stat is also called without -L, so a symlink would be
# reported with the link's own mode.
print_header("6.1.5 Set User/Group Owner and Permission on /etc/cron.hourly (Scored)")
check_equal(
    'stat -c "%a %u %g" /etc/cron.hourly | egrep "600 0 0"',
    "600 0 0",
)

#
示例#3
from utils import check_empty, check_equal, check_equal_re, check_equals, check_not_empty, check_return_code, print_header, view_output, print_warning, print_info

#
# Section 6 of the benchmark: cron / anacron configuration checks.
print_header(
    "6 System Access, Authentication and Authorization"
)

print_header(
    "6.1 Configure cron and anacron"
)

# 6.1.1: passes when rpm reports that anacron is NOT installed; the header
# text comes from the benchmark, the info line states the local policy.
print_header(
    "6.1.1 Enable anacron Daemon (Scored)"
)
check_equal(
    "rpm -q anacron",
    "package anacron is not installed"
)
print_info(
    "Not installed syco servers."
)

# 6.1.2: crond has to be on in runlevels 2-5 and off in 0, 1 and 6.
print_header(
    "6.1.2 Enable crond Daemon (Scored)"
)
check_equal_re(
    "chkconfig --list crond",
    "crond.*0:off.*1:off.*2:on.*3:on.*4:on.*5:on.*6:off"
)

#
# 6.1.3 - 6.1.5: the stat output "<octal mode> <uid> <gid>" of each path must
# be exactly "600 0 0".
print_header("6.1.3 Set User/Group Owner and Permission on /etc/anacrontab (Scored)")
check_equal(
    'stat -c "%a %u %g" /etc/anacrontab' ' | egrep "600 0 0"',
    "600 0 0"
)

print_header("6.1.4 Set User/Group Owner and Permission on /etc/crontab (Scored)")
check_equal(
    'stat -c "%a %u %g" /etc/crontab' ' | egrep "600 0 0"',
    "600 0 0"
)

# NOTE(review): /etc/cron.hourly is normally a directory; a directory with
# group/other access removed usually ends up as 700, which this exact "600"
# comparison rejects - confirm the expected mode against the hardening step.
print_header("6.1.5 Set User/Group Owner and Permission on /etc/cron.hourly (Scored)")
check_equal(
    'stat -c "%a %u %g" /etc/cron.hourly' ' | egrep "600 0 0"',
    "600 0 0"
)
示例#4
文件: cis5.py 项目: ysoldak/syco
__version__ = "1.0.0"
__status__ = "Production"

from utils import check_empty, check_equal, check_equal_re, check_equals, check_not_empty, check_return_code, print_header, view_output, print_warning, print_info

import config

#
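# Section 5 of the benchmark: logging and auditing.
print_header("5 Logging and Auditing")

print_header("5.1 Configure Syslog")

# 5.1.1: rsyslog must be installed. An installed package is printed by rpm as
# "rsyslog-<version>-<release>...", so the pattern requires the dash after the
# name. The looser "rsyslog.*" can also be found inside rpm's
# "package rsyslog is not installed" message if check_equal_re searches rather
# than anchors at the start (helper lives in utils, not shown - TODO confirm).
print_header("5.1.1 Install the rsyslog package (Scored)")
check_equal_re("rpm -q rsyslog", "rsyslog-.*")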

#
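# 5.1.2: the legacy syslog package and service must be absent, and rsyslog
# must be on in runlevels 2-5 and off in 0, 1 and 6.
print_header("5.1.2 Activate the rsyslog Service (Scored)")
check_equal("rpm -q syslog", "package syslog is not installed")
# Match only a service row whose name is exactly "syslog". A bare
# `grep syslog` also matches the "rsyslog" row that the next check requires,
# so the output could never be empty on a host where rsyslog is registered.
check_empty("chkconfig --list | grep '^syslog[[:space:]]'")
check_equal_re("chkconfig --list rsyslog",
               "rsyslog.*0:off.*1:off.*2:on.*3:on.*4:on.*5:on.*6:off")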

#
# 5.1.3 is not scored: nothing is compared automatically. The operator is told
# to review /etc/rsyslog.conf by hand and is shown the /var/log/ listing.
print_header("5.1.3 Configure /etc/rsyslog.conf (Not Scored)")
print_warning(
    "Manually review the contents of the /etc/rsyslog.conf file "
    "to ensure appropriate logging is set. "
)
view_output("ls -l /var/log/")
示例#5
文件: cis5.py 项目: Nemie/syco

from utils import check_empty, check_equal, check_equal_re, check_equals, check_not_empty, check_return_code, print_header, view_output, print_warning, print_info

import config

#
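# Section 5 of the benchmark: logging and auditing.
print_header("5 Logging and Auditing")

print_header("5.1 Configure Syslog")

# 5.1.1: rsyslog must be installed. rpm prints an installed package as
# "rsyslog-<version>-<release>...", so the pattern requires the dash after the
# name; "rsyslog.*" alone can also be found inside rpm's
# "package rsyslog is not installed" message if check_equal_re searches rather
# than anchors at the start (helper lives in utils, not shown - TODO confirm).
print_header("5.1.1 Install the rsyslog package (Scored)")
check_equal_re(
    "rpm -q rsyslog",
    "rsyslog-.*"
)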

#
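# 5.1.2: the legacy syslog package and service must be absent, and rsyslog
# must be on in runlevels 2-5 and off in 0, 1 and 6.
print_header("5.1.2 Activate the rsyslog Service (Scored)")
check_equal(
    "rpm -q syslog",
    "package syslog is not installed"
)
# Match only a service row whose name is exactly "syslog". A bare
# `grep syslog` also matches the "rsyslog" row required by the check below,
# so the output could never be empty on a host where rsyslog is registered.
check_empty("chkconfig --list | grep '^syslog[[:space:]]'")
check_equal_re(
    "chkconfig --list rsyslog",
    "rsyslog.*0:off.*1:off.*2:on.*3:on.*4:on.*5:on.*6:off"
)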

#
示例#6
文件: cis4.py 项目: Nemie/syco
    "grep NETWORKING_IPV6 /etc/sysconfig/network",
    "NETWORKING_IPV6=no"
)

# /etc/sysconfig/network must carry IPV6INIT=no; the grep output is compared
# with that exact string.
check_equal("grep IPV6INIT /etc/sysconfig/network", "IPV6INIT=no")

#
# Section 4.5: TCP Wrappers.
print_header("4.5 Install TCP Wrappers")

# 4.5.1: rpm must print a package name starting with "tcp_wrappers-".
print_header("4.5.1 Install TCP Wrappers (Not Scored)")
check_equal_re("rpm -q tcp_wrappers", "tcp_wrappers-.*")

# 4.5.2: no automatic verdict; the file is displayed so the operator can
# review which hosts are allowed.
print_header("4.5.2 Create /etc/hosts.allow (Not Scored)")
print_warning("Check manually to verify hosts.")
view_output("cat /etc/hosts.allow")

# 4.5.3: the octal mode of /etc/hosts.allow must be 644.
print_header("4.5.3 Verify Permissions on /etc/hosts.allow (Scored)")
check_equal('stat -c "%a" /etc/hosts.allow | egrep "644"', "644")

#
示例#7
文件: cis4.py 项目: ysoldak/syco
#
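# 4.4.2: IPv6 must be disabled in the modprobe configuration and in
# /etc/sysconfig/network.
print_header("4.4.2 Disable IPv6 (Not Scored)")
# grep prefixes every match with the file name once the glob expands to more
# than one file, so the output could not equal the expected line; -h
# suppresses that prefix.
# NOTE(review): ('options ipv6 disable=1') has no trailing comma, so it is a
# plain str and not a one-element tuple - confirm which of the two
# check_equals (defined in utils, not shown) expects.
check_equals('grep -h ipv6 /etc/modprobe.d/*', ('options ipv6 disable=1'))
check_equal('grep -h net-pf-10 /etc/modprobe.d/*', 'alias net-pf-10 off')
check_equal("grep NETWORKING_IPV6 /etc/sysconfig/network",
            "NETWORKING_IPV6=no")

check_equal("grep IPV6INIT /etc/sysconfig/network", "IPV6INIT=no")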

#
# Section 4.5: TCP Wrappers.
print_header("4.5 Install TCP Wrappers")

# 4.5.1: rpm must print a package name starting with "tcp_wrappers-".
print_header("4.5.1 Install TCP Wrappers (Not Scored)")
check_equal_re(
    "rpm -q tcp_wrappers",
    "tcp_wrappers-.*"
)

# 4.5.2: no automatic verdict; the file is displayed so the operator can
# review which hosts are allowed.
print_header("4.5.2 Create /etc/hosts.allow (Not Scored)")
print_warning("Check manually to verify hosts.")
view_output("cat /etc/hosts.allow")

# 4.5.3: the octal mode of /etc/hosts.allow must be 644.
print_header("4.5.3 Verify Permissions on /etc/hosts.allow (Scored)")
check_equal(
    'stat -c "%a" /etc/hosts.allow | egrep "644"',
    "644"
)

# 4.5.4: /etc/hosts.deny must contain the default-deny rule "ALL: ALL"; the
# grep output is compared with that exact string.
print_header("4.5.4 Create /etc/hosts.deny (Not Scored)")
check_equal(
    'grep "ALL: ALL" /etc/hosts.deny',
    "ALL: ALL"
)

#