Fixes #114 (#131)
* Add Trend AV to V-72213 checks

Trend Micro Anti-virus service is named 'ds_agent'.
This adds one more type of anti-virus this check can check for.

* Updating profile.json in the repository

* Fix describe.one formatting for V-72213

* Updating profile.json in the repository

* Fixes #114

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* fixing syntax error

Signed-off-by: HackerShark <[email protected]>

* Delete profile.json

* Fixes #114

Signed-off-by: HackerShark <[email protected]>

* fixing syntax error

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Fixes #115, fixes #25 (#124)

* Fixes #115, fixes #25

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Revert "Fixes #111 (#118)"

This reverts commit e53c5a4.

* Switch over to the official ruby setup since the actions/setup-ruby one is throwing an error

* Lock ruby version to 2.6 in order to avoid Puppet load error

bundler is installed automatically, no need to install it as part of our steps

Release Puppet version lock

* Updating profile.json in the repository

* Update V-72417.rb

bugfix

* Add Trend AV to V-72213 checks

Trend Micro Anti-virus service is named 'ds_agent'.
This adds one more type of anti-virus this check can check for.

* Updating profile.json in the repository

* Fix describe.one formatting for V-72213

* Updating profile.json in the repository

* Fixes #115, fixes #25

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Fixes #115, fixes #25

Signed-off-by: HackerShark <[email protected]>

* rebase, resolve merge conflicts

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Updating profile.json in the repository

Co-authored-by: Robert Clark <[email protected]>
Co-authored-by: rbclark <[email protected]>
Co-authored-by: Maven35 <[email protected]>
Co-authored-by: ejaronne <[email protected]>
Co-authored-by: ejaronne <[email protected]>

* Fixes #114

Signed-off-by: HackerShark <[email protected]>

* fixing syntax error

Signed-off-by: HackerShark <[email protected]>

* Updating profile.json in the repository

* Updating profile.json in the repository

Co-authored-by: ejaronne <[email protected]>
Co-authored-by: ejaronne <[email protected]>
Co-authored-by: Robert Clark <[email protected]>
Co-authored-by: rbclark <[email protected]>
Co-authored-by: Aaron Lippold <[email protected]>
Co-authored-by: Maven35 <[email protected]>
7 people authored Sep 10, 2020
1 parent f87ee84 commit cb5e83e
Showing 3 changed files with 16 additions and 4 deletions.
11 changes: 9 additions & 2 deletions controls/V-72259.rb
Expand Up @@ -45,8 +45,15 @@
"CCI-001814"]
tag nist: ["CM-3 f", "CM-6 c", "CM-11 (2)", "CM-5 (1)", "CM-5 (1)", "Rev_4"]

describe sshd_config do
its('GSSAPIAuthentication') { should cmp 'no' }
if input('gssapi_approved')
describe sshd_config do
its('GSSAPIAuthentication') { should cmp 'no' }
end
else
impact 0.0
describe "GSSAPI authentication is not approved" do
skip "GSSAPI authentication is not approved, this control is Not Applicable."
end
end
end
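
Review bot: The condition on `if input('gssapi_approved')` looks inverted. As written, a system where GSSAPI is approved still has to pass `its('GSSAPIAuthentication') { should cmp 'no' }`, while a system where it is not approved drops to `impact 0.0` and is skipped as Not Applicable, which is the one case the check must enforce. Suggest wrapping the `sshd_config` describe in `unless input('gssapi_approved')` and rewording the skip message to say that GSSAPI is approved and documented, so the Not Applicable result matches the exemption.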

5 changes: 5 additions & 0 deletions inspec.yml
Expand Up @@ -563,3 +563,8 @@ inputs:
description: 'An alternate method is used for logs than rsyslog'
type: Boolean
value: false

- name: gssapi_approved
description: 'is GSSAPI authentication approved'
type: Boolean
value: true
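
Review bot: The default `value: true` for `gssapi_approved` declares GSSAPI approved on every system that does not override the input, which is a permissive default for an exemption flag. With the branch in controls/V-72259.rb as it stands, `true` is also the value that keeps the check running, so the name and the effect disagree; once the condition matches the name, this should default to `false` so an exception has to be set explicitly. The description 'is GSSAPI authentication approved' should say what each value does to V-72259 and follow the sentence style of the entry above it.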
4 changes: 2 additions & 2 deletions profile.json
Expand Up @@ -4585,7 +4585,7 @@
"Rev_4"
]
},
"code": "control \"V-72259\" do\n title \"The Red Hat Enterprise Linux operating system must be configured so\nthat the SSH daemon does not permit Generic Security Service Application\nProgram Interface (GSSAPI) authentication unless needed.\"\n desc \"GSSAPI authentication is used to provide additional authentication\nmechanisms to applications. Allowing GSSAPI authentication through SSH exposes\nthe system's GSSAPI to remote hosts, increasing the attack surface of the\nsystem. GSSAPI authentication must be disabled unless needed.\"\n desc \"rationale\", \"\"\n desc \"check\", \"\n Verify the SSH daemon does not permit GSSAPI authentication unless approved.\n\n Check that the SSH daemon does not permit GSSAPI authentication with the\nfollowing command:\n\n # grep -i gssapiauth /etc/ssh/sshd_config\n GSSAPIAuthentication no\n\n If the \\\"GSSAPIAuthentication\\\" keyword is missing, is set to \\\"yes\\\" and\nis not documented with the Information System Security Officer (ISSO), or the\nreturned line is commented out, this is a finding.\n \"\n desc \"fix\", \"\n Uncomment the \\\"GSSAPIAuthentication\\\" keyword in \\\"/etc/ssh/sshd_config\\\"\n(this file may be named differently or be in a different location if using a\nversion of SSH that is provided by a third-party vendor) and set the value to\n\\\"no\\\":\n\n GSSAPIAuthentication no\n\n The SSH service must be restarted for changes to take effect.\n\n If GSSAPI authentication is required, it must be documented, to include the\nlocation of the configuration file, with the ISSO.\n \"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000364-GPOS-00151\"\n tag gid: \"V-72259\"\n tag rid: \"SV-86883r3_rule\"\n tag stig_id: \"RHEL-07-040430\"\n tag fix_id: \"F-78613r2_fix\"\n tag cci: [\"CCI-000318\", \"CCI-000368\", \"CCI-001812\", \"CCI-001813\",\n\"CCI-001814\"]\n tag nist: [\"CM-3 f\", \"CM-6 c\", \"CM-11 (2)\", \"CM-5 (1)\", \"CM-5 (1)\", \"Rev_4\"]\n\n describe sshd_config do\n 
its('GSSAPIAuthentication') { should cmp 'no' }\n end\nend\n",
"code": "control \"V-72259\" do\n title \"The Red Hat Enterprise Linux operating system must be configured so\nthat the SSH daemon does not permit Generic Security Service Application\nProgram Interface (GSSAPI) authentication unless needed.\"\n desc \"GSSAPI authentication is used to provide additional authentication\nmechanisms to applications. Allowing GSSAPI authentication through SSH exposes\nthe system's GSSAPI to remote hosts, increasing the attack surface of the\nsystem. GSSAPI authentication must be disabled unless needed.\"\n desc \"rationale\", \"\"\n desc \"check\", \"\n Verify the SSH daemon does not permit GSSAPI authentication unless approved.\n\n Check that the SSH daemon does not permit GSSAPI authentication with the\nfollowing command:\n\n # grep -i gssapiauth /etc/ssh/sshd_config\n GSSAPIAuthentication no\n\n If the \\\"GSSAPIAuthentication\\\" keyword is missing, is set to \\\"yes\\\" and\nis not documented with the Information System Security Officer (ISSO), or the\nreturned line is commented out, this is a finding.\n \"\n desc \"fix\", \"\n Uncomment the \\\"GSSAPIAuthentication\\\" keyword in \\\"/etc/ssh/sshd_config\\\"\n(this file may be named differently or be in a different location if using a\nversion of SSH that is provided by a third-party vendor) and set the value to\n\\\"no\\\":\n\n GSSAPIAuthentication no\n\n The SSH service must be restarted for changes to take effect.\n\n If GSSAPI authentication is required, it must be documented, to include the\nlocation of the configuration file, with the ISSO.\n \"\n impact 0.5\n tag severity: nil\n tag gtitle: \"SRG-OS-000364-GPOS-00151\"\n tag gid: \"V-72259\"\n tag rid: \"SV-86883r3_rule\"\n tag stig_id: \"RHEL-07-040430\"\n tag fix_id: \"F-78613r2_fix\"\n tag cci: [\"CCI-000318\", \"CCI-000368\", \"CCI-001812\", \"CCI-001813\",\n\"CCI-001814\"]\n tag nist: [\"CM-3 f\", \"CM-6 c\", \"CM-11 (2)\", \"CM-5 (1)\", \"CM-5 (1)\", \"Rev_4\"]\n\n if input('gssapi_approved')\n describe sshd_config 
do\n its('GSSAPIAuthentication') { should cmp 'no' }\n end\n else\n impact 0.0\n describe \"GSSAPI authentication is not approved\" do\n skip \"GSSAPI authentication is not approved, this control is Not Applicable.\"\n end\n end\nend\n",
"source_location": {
"ref": "./controls/V-72259.rb",
"line": 2
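
Review bot: In the new "code" string the `desc "check"` and `desc "fix"` text is unchanged and never mentions the `gssapi_approved` input, so a reader of the rendered profile cannot tell that the result now depends on it or that a Not Applicable outcome is possible. Suggest documenting the input in the control text, next to the sentence about documenting GSSAPI with the ISSO. This embedded copy also carries the same `if input('gssapi_approved')` branch as controls/V-72259.rb, so it needs regenerating after any change to that condition.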
Expand Down Expand Up @@ -10631,7 +10631,7 @@
"id": "controls/V-71955.rb"
}
],
"sha256": "f4cc4faa47753c6e405956da0d742fbda68354dc8e225ede764e17db6150515d",
"sha256": "84467c6ef80fdbf5cbb02001268a2657d7f98e29d9a74f4a3932acc9d8cbe666",
"status_message": "",
"status": "loaded",
"generator": {