diff --git a/Gemfile b/Gemfile index c4a4e81bd..2335c485b 100644 --- a/Gemfile +++ b/Gemfile @@ -7,12 +7,11 @@ gem_sources.each { |gem_source| source gem_source } gem 'rake' gem 'simp-rake-helpers', '~> 5.9' -gem 'simp-beaker-helpers', ['>= 1.14.1', '< 2.0.0'] +gem 'simp-beaker-helpers', ['>= 1.15.2', '< 2.0.0'] gem 'beaker-rspec' gem 'highline' gem 'kitchen-puppet' gem 'kitchen-inspec' gem 'kitchen-vagrant' -gem 'inspec', '~> 4.0' gem 'inspec-bin', '~> 4.0' gem 'librarian-puppet' diff --git a/controls/V-71849.rb b/controls/V-71849.rb index 7af466e8a..d860aef95 100644 --- a/controls/V-71849.rb +++ b/controls/V-71849.rb @@ -1,13 +1,13 @@ # encoding: utf-8 # # Support for passed in Atrributes -disable_slow_controls = attribute( +disable_slow_controls = input( 'disable_slow_controls', value: false, description: 'If enabled, this attribute disables this control and other controls that consistently take a long time to complete.' ) -rpm_verify_perms_except = attribute( +rpm_verify_perms_except = input( 'rpm_verify_perms_except', value: [], description: 'This is a list of system files that should be allowed to change @@ -28,7 +28,7 @@ tag "documentable": false tag "nist": ["AU-9", "AU-9 (3)", "Rev_4"] tag "subsystems": [ "permissions", "package", "rpm" ] - tag "check": "Verify the file permissions, ownership, and group membership of + desc "check", "Verify the file permissions, ownership, and group membership of system files and commands match the vendor values. Check the file permissions, ownership, and group membership of system files and @@ -39,7 +39,7 @@ If there is any output from the command indicating that the ownership or group of a system file or command, or a system file, has permissions less restrictive than the default, this is a finding." - tag "fix": "Run the following command to determine which package owns the + desc "fix", "Run the following command to determine which package owns the file: # rpm -qf 
diff --git a/controls/V-71855.rb b/controls/V-71855.rb index 3825178e9..3c117636d 100644 --- a/controls/V-71855.rb +++ b/controls/V-71855.rb @@ -1,12 +1,12 @@ # encoding: utf-8 # -disable_slow_controls = attribute( +disable_slow_controls = input( 'disable_slow_controls', value: false, description: 'If enabled, this attribute disables this control and other controls that consistently take a long time to complete.') -rpm_verify_integrity_except = attribute( +rpm_verify_integrity_except = input( 'rpm_verify_integrity_except', value: [], description: 'This is a list of system files that should be allowed to change @@ -33,7 +33,7 @@ tag "documentable": false tag "nist": ["SA-7", "Rev_4"] tag "subsystems": ['rpm', 'package'] - tag "check": "Verify the cryptographic hash of system files and commands + desc "check", "Verify the cryptographic hash of system files and commands match the vendor values. Check the cryptographic hash of system files and commands with the following @@ -46,7 +46,7 @@ # rpm -Va | grep '^..5' If there is any output from the command for system binaries, this is a finding." - tag "fix": "Run the following command to determine which package owns the + desc "fix", "Run the following command to determine which package owns the file: # rpm -qf diff --git a/controls/V-71859.rb b/controls/V-71859.rb index 33cf39ca5..8eb42cb80 100644 --- a/controls/V-71859.rb +++ b/controls/V-71859.rb @@ -1,11 +1,11 @@ # encoding: utf-8 # -banner_message_enabled = attribute('banner_message_enabled', value: "true", +banner_message_enabled = input('banner_message_enabled', value: "true", description: 'The banner message must display the Standard Mandatory DoD notice before granting access.') -dconf_user = attribute( +dconf_user = input( 'dconf_user', value: '', description: "User to use to check dconf settings" 
@@ -74,7 +74,7 @@ tag "documentable": false tag "nist": ["AC-8 a", "Rev_4"] tag "subsystem": [ "gdm" ] - tag "check": "Verify the operating system displays the Standard Mandatory DoD + desc "check", "Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon. @@ -89,7 +89,7 @@ If \"banner-message-enable\" is set to \"false\" or is missing, this is a finding." - tag "fix": "Configure the operating system to display the Standard Mandatory + desc "fix", "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. Note: If the system does not have GNOME installed, this requirement is Not diff --git a/controls/V-71861.rb b/controls/V-71861.rb index e71c9259c..e91d3913a 100644 --- a/controls/V-71861.rb +++ b/controls/V-71861.rb @@ -1,6 +1,6 @@ # encoding: utf-8 # -banner_message_text_gui = attribute('banner_message_text_gui', +banner_message_text_gui = input('banner_message_text_gui', value: "You are accessing a U.S. Government (USG) Information System (IS) that is \ provided for USG-authorized use only. By using this IS (which includes any \ @@ -22,7 +22,7 @@ Agreement for details.", description: 'The banner message must display the designated banner before granting access.') -banner_message_text_gui_limited = attribute('banner_message_text_gui_limited', +banner_message_text_gui_limited = input('banner_message_text_gui_limited', value: "I've read & consent to terms in IS user agreem't.", description: 'The banner message must display the designated banner before granting access.') 
@@ -89,7 +89,7 @@ tag "documentable": false tag "nist": ["AC-8 a", "Rev_4"] tag "subsystems": [ "gdm" ] - tag "check": "Verify the operating system displays the approved Standard + desc "check", "Verify the operating system displays the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a graphical user logon. @@ -127,7 +127,7 @@ If the banner does not match the approved Standard Mandatory DoD Notice and Consent Banner, this is a finding." - tag "fix": "Configure the operating system to display the approved Standard + desc "fix", "Configure the operating system to display the approved Standard Mandatory DoD Notice and Consent Banner before granting access to the system. Note: If the system does not have GNOME installed, this requirement is Not diff --git a/controls/V-71863.rb b/controls/V-71863.rb index cc787ba33..5ae980840 100644 --- a/controls/V-71863.rb +++ b/controls/V-71863.rb @@ -2,7 +2,7 @@ # #TODO: Make sure this is actually an onlyif on the GUI - ssh banner, ftp banner also use /etc/issue -banner_message_text_cli = attribute('banner_message_text_cli', +banner_message_text_cli = input('banner_message_text_cli', value: "You are accessing a U.S. Government (USG) Information System (IS) that is \ provided for USG-authorized use only. By using this IS (which includes any \ @@ -24,7 +24,7 @@ Agreement for details.", description: 'The banner message must display the designated banner before granting access.') -banner_message_text_cli_limited = attribute('banner_message_text_cli_limited', +banner_message_text_cli_limited = input('banner_message_text_cli_limited', value: "I've read & consent to terms in IS user agreem't.", description: 'The banner message must display the designated banner before granting access.') 
@@ -85,7 +85,7 @@ tag "documentable": false tag "nist": ["AC-8 a", "Rev_4"] tag "subsystems": [ "banner", "/etc/issue" ] - tag "check": "Verify the operating system displays the Standard Mandatory DoD + desc "check", "Verify the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the operating system via a command line user logon. @@ -128,7 +128,7 @@ If the text in the \"/etc/issue\" file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding." - tag "fix": "Configure the operating system to display the Standard Mandatory + desc "fix", "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the command line by editing the \"/etc/issue\" file. diff --git a/controls/V-71891.rb b/controls/V-71891.rb index b67650aef..e004aac5f 100644 --- a/controls/V-71891.rb +++ b/controls/V-71891.rb @@ -30,7 +30,7 @@ tag "documentable": false tag "nist": ["AC-11 b", "Rev_4"] tag "subsystems": [ "session", "lock", "gnome", "screensaver" ] - tag "check": "Verify the operating system enables a user's session lock until + desc "check", "Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures. The screen program must be installed to lock sessions on the console. @@ -45,7 +45,7 @@ If the \"lock-enabled\" setting is missing or is not set to \"true\", this is a finding." - tag "fix": "Configure the operating system to enable a user's session lock + desc "fix", "Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures. diff --git a/controls/V-71893.rb b/controls/V-71893.rb index 04664300e..8349697a7 100644 --- a/controls/V-71893.rb +++ b/controls/V-71893.rb 
@@ -27,7 +27,7 @@ tag "documentable": false tag "nist": ["AC-11 a", "Rev_4"] tag "subsystems": [ "gnome", "screensaver", "session", "lock" ] - tag "check": "Verify the operating system initiates a screensaver after a + desc "check", "Verify the operating system initiates a screensaver after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console. @@ -42,7 +42,7 @@ If the \"idle-delay\" setting is missing or is not set to \"900\" or less, this is a finding." - tag "fix": "Configure the operating system to initiate a screensaver after a + desc "fix", "Configure the operating system to initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does diff --git a/controls/V-71895.rb b/controls/V-71895.rb index c7091c838..5535b0ff4 100644 --- a/controls/V-71895.rb +++ b/controls/V-71895.rb @@ -43,7 +43,7 @@ tag "cci": "CCI-000057" tag "nist": ["AC-11 a", "Rev_4"] tag "subsystems": ["gnome3"] - tag "check": "Verify the operating system prevents a user from overriding session + desc "check", "Verify the operating system prevents a user from overriding session lock after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console. @@ -66,7 +66,7 @@ /org/gnome/desktop/screensaver/idle-delay If the command does not return a result, this is a finding." - tag "fix": "Configure the operating system to prevent a user from overriding a + desc "fix", "Configure the operating system to prevent a user from overriding a session lock after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does not diff --git a/controls/V-71897.rb b/controls/V-71897.rb index 1c396b027..07792a33c 100644 --- a/controls/V-71897.rb +++ b/controls/V-71897.rb 
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AC-11 a", "Rev_4"] tag "subsystems": ["screen", "lock", "session"] - tag "check": "Verify the operating system has the screen package installed. + desc "check", "Verify the operating system has the screen package installed. Check to see if the screen package is installed with the following command: @@ -30,7 +30,7 @@ screen-4.3.1-3-x86_64.rpm If is not installed, this is a finding." - tag "fix": "Install the screen package to allow the initiation a session lock + desc "fix", "Install the screen package to allow the initiation a session lock after a 15-minute period of inactivity for graphical users interfaces. Install the screen program (if it is not on the system) with the following diff --git a/controls/V-71899.rb b/controls/V-71899.rb index 1dae9ae83..37960a2b6 100644 --- a/controls/V-71899.rb +++ b/controls/V-71899.rb @@ -27,7 +27,7 @@ tag "documentable": false tag "nist": ["AC-11 a", "Rev_4"] tag "subsystems": ["gnome3", "session", "lock"] - tag "check": "Verify the operating system initiates a session lock after a + desc "check", "Verify the operating system initiates a session lock after a 15-minute period of inactivity for graphical user interfaces. The screen program must be installed to lock sessions on the console. @@ -40,7 +40,7 @@ idle-activation-enabled=true If \"idle-activation-enabled\" is not set to \"true\", this is a finding." - tag "fix": "Configure the operating system to initiate a session lock after a + desc "fix", "Configure the operating system to initiate a session lock after a 15-minute period of inactivity for graphical user interfaces. Create a database to contain the system-wide screensaver settings (if it does diff --git a/controls/V-71901.rb b/controls/V-71901.rb index cc319b3cd..7d83a1b96 100644 --- a/controls/V-71901.rb +++ b/controls/V-71901.rb 
@@ -1,7 +1,7 @@ # encoding: utf-8 # -lock_delay = attribute('lock_delay', +lock_delay = input('lock_delay', value: 5, description: 'The scereensaver lock-delay must be less than or equal to the specified value.') @@ -33,7 +33,7 @@ tag "documentable": false tag "nist": ["AC-11 a", "Rev_4"] tag "subsystems": ["gnome3", "screensaver", "lock", "session"] - tag "check": "Verify the operating system initiates a session lock a for + desc "check", "Verify the operating system initiates a session lock a for graphical user interfaces when the screensaver is activated. Note: If the system does not have GNOME installed, this requirement is Not @@ -48,7 +48,7 @@ If the \"lock-delay\" setting is missing, or is not set to \"5\" or less, this is a finding." - tag "fix": "Configure the operating system to initiate a session lock for + desc "fix", "Configure the operating system to initiate a session lock for graphical user interfaces when a screensaver is activated. Create a database to contain the system-wide screensaver settings (if it does diff --git a/controls/V-71903.rb b/controls/V-71903.rb index b3cbba7ad..f0702e431 100644 --- a/controls/V-71903.rb +++ b/controls/V-71903.rb @@ -23,7 +23,7 @@ tag "documentable": false tag "nist": ["IA-5 (1) (a)", "Rev_4"] tag "subsystems": ['pam', 'pwquality', 'password'] - tag "check": "Note: The value to require a number of upper-case characters to + desc "check", "Note: The value to require a number of upper-case characters to be set is expressed as a negative number in \"/etc/security/pwquality.conf\". Check the value for \"ucredit\" in \"/etc/security/pwquality.conf\" with the @@ -33,7 +33,7 @@ ucredit = -1 If the value of \"ucredit\" is not set to a negative value, this is a finding." - tag "fix": "Configure the operating system to enforce password complexity by + desc "fix", "Configure the operating system to enforce password complexity by requiring that at least one upper-case character be used by setting the \"ucredit\" option. 
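Review bot: The `lock_delay` input description carried into the new `input(` call at `@@ -1,7 +1,7 @@` in controls/V-71901.rb misspells "screensaver" (`'The scereensaver lock-delay must be less than or equal to the specified value.'`). Input descriptions surface in profile metadata and reports, so the typo is user-visible; since the statement is already being rewritten, fix it on the continuation line: `description: 'The screensaver lock-delay must be less than or equal to the specified value.'`.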
diff --git a/controls/V-71905.rb b/controls/V-71905.rb index db683cc75..97e2d33ef 100644 --- a/controls/V-71905.rb +++ b/controls/V-71905.rb @@ -22,9 +22,8 @@ tag "cci": ["CCI-000193"] tag "documentable": false tag "nist": ["IA-5 (1) (a)", "Rev_4"] - tag "subsystems": ['pam', 'pwquality', 'password'] - tag "check": "Note: The value to require a number of lower-case characters to + desc "check", "Note: The value to require a number of lower-case characters to be set is expressed as a negative number in \"/etc/security/pwquality.conf\". Check the value for \"lcredit\" in \"/etc/security/pwquality.conf\" with the @@ -34,7 +33,7 @@ lcredit = -1 If the value of \"lcredit\" is not set to a negative value, this is a finding." - tag "fix": "Configure the operating system to lock an account for the maximum + desc "fix", "Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made. Modify the first three lines of the \"auth\" section of the diff --git a/controls/V-71907.rb b/controls/V-71907.rb index b26019c5b..c3e383139 100644 --- a/controls/V-71907.rb +++ b/controls/V-71907.rb @@ -23,7 +23,7 @@ tag "documentable": false tag "nist": ["IA-5 (1) (a)", "Rev_4"] tag "subsystems": ['pam', 'pwquality', 'password'] - tag "check": "Note: The value to require a number of numeric characters to be + desc "check", "Note: The value to require a number of numeric characters to be set is expressed as a negative number in \"/etc/security/pwquality.conf\". Check the value for \"dcredit\" in \"/etc/security/pwquality.conf\" with the @@ -33,7 +33,7 @@ dcredit = -1 If the value of \"dcredit\" is not set to a negative value, this is a finding." - tag "fix": "Configure the operating system to enforce password complexity by + desc "fix", "Configure the operating system to enforce password complexity by requiring that at least one numeric character be used by setting the \"dcredit\" option. 
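Review bot: The hunk at `@@ -22,9 +22,8 @@` in controls/V-71905.rb drops `tag "subsystems": ['pam', 'pwquality', 'password']` with no replacement, while the sibling pwquality controls touched by this same commit (V-71903, V-71907, V-71909, V-71911) keep theirs. Nothing in the diff explains the removal, so it reads as an accidental deletion made while converting `tag "check":` to `desc "check",`; if subsystem tags drive filtering or reporting, V-71905 silently disappears from those views. Restore the line `tag "subsystems": ['pam', 'pwquality', 'password']` unless the removal was intended, in which case a short note in the commit message would help.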
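Review bot: The `desc "fix"` text introduced at `@@ -34,7 +33,7 @@` in controls/V-71905.rb describes locking an account after three unsuccessful logon attempts in 15 minutes and editing the \"auth\" section, which is the faillock remedy from V-71943, not the `lcredit` setting this control actually checks. Renaming `tag "fix":` to `desc "fix",` carries the mismatch forward, so the generated report would hand operators the wrong remediation for a lower-case complexity finding. Replace the opening of the fix text with something like `desc "fix", "Configure the operating system to enforce password complexity by requiring that at least one lower-case character be used by setting the \"lcredit\" option.` and follow the pwquality.conf wording used by the sibling controls. The rest of the fix string continues outside the hunk and should be checked as well.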
diff --git a/controls/V-71909.rb b/controls/V-71909.rb index 4879d1740..cf69b5922 100644 --- a/controls/V-71909.rb +++ b/controls/V-71909.rb @@ -23,7 +23,7 @@ tag "documentable": false tag "nist": ["IA-5 (1) (a)", "Rev_4"] tag "subsystems": ['pam', 'pwquality', 'password'] - tag "check": "Verify the operating system enforces password complexity by + desc "check", "Verify the operating system enforces password complexity by requiring that at least one special character be used. Note: The value to require a number of special characters to be set is @@ -36,7 +36,7 @@ ocredit=-1 If the value of \"ocredit\" is not set to a negative value, this is a finding." - tag "fix": "Configure the operating system to enforce password complexity by + desc "fix", "Configure the operating system to enforce password complexity by requiring that at least one special character be used by setting the \"dcredit\" option. diff --git a/controls/V-71911.rb b/controls/V-71911.rb index 8dce08bf0..4006be00e 100644 --- a/controls/V-71911.rb +++ b/controls/V-71911.rb @@ -1,7 +1,7 @@ # encoding: utf-8 # -difok = attribute('difok', value: 8, description: 'The acceptable range of +difok = input('difok', value: 8, description: 'The acceptable range of values for difok which specifies the maximum number of characters that must change when a password is changed.') @@ -28,7 +28,7 @@ tag "documentable": false tag "nist": ["IA-5 (1) (b)", "Rev_4"] tag "subsystems": ['pam', 'pwquality', 'password'] - tag "check": "The \"difok\" option sets the number of characters in a + desc "check", "The \"difok\" option sets the number of characters in a password that must not be present in the old password. Check for the value of the \"difok\" option in \"/etc/security/pwquality.conf\" 
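Review bot: The `desc "fix"` text at `@@ -36,7 +36,7 @@` in controls/V-71909.rb ends with `by setting the \"dcredit\" option.`, but this control checks `ocredit` (special characters); `dcredit` is the numeric-character option covered by V-71907. The rename from `tag "fix":` preserves the wrong option name, so the remediation guidance points operators at a pwquality setting that will not clear this finding. Change the continuation line to `requiring that at least one special character be used by setting the \"ocredit\" option.`.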
@@ -38,7 +38,7 @@ difok = 8 If the value of \"difok\" is set to less than \"8\", this is a finding." - tag "fix": "Configure the operating system to require the change of at least + desc "fix", "Configure the operating system to require the change of at least eight of the total number of characters when passwords are changed by setting the \"difok\" option. diff --git a/controls/V-71913.rb b/controls/V-71913.rb index 9dc509198..43bb1428c 100644 --- a/controls/V-71913.rb +++ b/controls/V-71913.rb @@ -26,7 +26,7 @@ tag "documentable": false tag "nist": ["IA-5 (1) (b)", "Rev_4"] tag "subsystems": ['pam', 'pwquality', 'password'] - tag "check": "The \"minclass\" option sets the minimum number of required + desc "check", "The \"minclass\" option sets the minimum number of required classes of characters for the new password (digits, upper-case, lower-case, others). @@ -37,7 +37,7 @@ minclass = 4 If the value of \"minclass\" is set to less than \"4\", this is a finding." - tag "fix": "Configure the operating system to require the change of at least + desc "fix", "Configure the operating system to require the change of at least four character classes when passwords are changed by setting the \"minclass\" option. diff --git a/controls/V-71915.rb b/controls/V-71915.rb index c951b2f14..fd5156ef0 100644 --- a/controls/V-71915.rb +++ b/controls/V-71915.rb @@ -26,7 +26,7 @@ tag "documentable": false tag "nist": ["IA-5 (1) (b)", "Rev_4"] tag "subsystems": ['pam', 'pwquality', 'password'] - tag "check": "The \"maxrepeat\" option sets the maximum number of allowed + desc "check", "The \"maxrepeat\" option sets the maximum number of allowed same consecutive characters in a new password. Check for the value of the \"maxrepeat\" option in 
@@ -36,7 +36,7 @@ maxrepeat = 3 If the value of \"maxrepeat\" is set to more than \"3\", this is a finding." - tag "fix": "Configure the operating system to require the change of the + desc "fix", "Configure the operating system to require the change of the number of repeating consecutive characters when passwords are changed by setting the \"maxrepeat\" option. diff --git a/controls/V-71917.rb b/controls/V-71917.rb index fd05c0db0..8c2bfe2d3 100644 --- a/controls/V-71917.rb +++ b/controls/V-71917.rb @@ -26,7 +26,7 @@ tag "documentable": false tag "nist": ["IA-5 (1) (b)", "Rev_4"] tag "subsystems": ['pam', 'pwquality', 'password'] - tag "check": "The \"maxclassrepeat\" option sets the maximum number of + desc "check", "The \"maxclassrepeat\" option sets the maximum number of allowed same consecutive characters in the same class in the new password. Check for the value of the \"maxclassrepeat\" option in @@ -37,7 +37,7 @@ If the value of \"maxclassrepeat\" is set to more than \"4\", this is a finding." - tag "fix": "Configure the operating system to require the change of the + desc "fix", "Configure the operating system to require the change of the number of repeating characters of the same character class when passwords are changed by setting the \"maxclassrepeat\" option. diff --git a/controls/V-71919.rb b/controls/V-71919.rb index b25224349..9d961a6ff 100644 --- a/controls/V-71919.rb +++ b/controls/V-71919.rb @@ -20,7 +20,7 @@ tag "documentable": false tag "nist": ["IA-5 (1) (c)", "Rev_4"] tag "subsystems": ['pam', 'password'] - tag "check": "Verify the PAM system service is configured to store only + desc "check", "Verify the PAM system service is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512. 
@@ -32,7 +32,7 @@ If the \"/etc/pam.d/system-auth-ac\" configuration files allow for password hashes other than SHA512 to be used, this is a finding." - tag "fix": "Configure the operating system to store only SHA512 encrypted + desc "fix", "Configure the operating system to store only SHA512 encrypted representations of passwords. Add the following line in \"/etc/pam.d/system-auth-ac\": diff --git a/controls/V-71921.rb b/controls/V-71921.rb index 2ac9d915b..8e6eb6798 100644 --- a/controls/V-71921.rb +++ b/controls/V-71921.rb @@ -20,7 +20,7 @@ tag "documentable": false tag "nist": ["IA-5 (1) (c)", "Rev_4"] tag "subsystems": ['login_defs', 'password'] - tag "check": "Verify the system's shadow file is configured to store only + desc "check", "Verify the system's shadow file is configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is SHA512. @@ -32,7 +32,7 @@ If the \"/etc/login.defs\" configuration file does not exist or allows for password hashes other than SHA512 to be used, this is a finding." - tag "fix": "Configure the operating system to store only SHA512 encrypted + desc "fix", "Configure the operating system to store only SHA512 encrypted representations of passwords. Add or update the following line in \"/etc/login.defs\": diff --git a/controls/V-71923.rb b/controls/V-71923.rb index 07967f05f..7b21bbbce 100644 --- a/controls/V-71923.rb +++ b/controls/V-71923.rb @@ -20,7 +20,7 @@ tag "documentable": false tag "nist": ["IA-5 (1) (c)", "Rev_4"] tag "subsystems": ['libuser_conf', 'password'] - tag "check": "Verify the user and group account administration utilities are + desc "check", "Verify the user and group account administration utilities are configured to store only encrypted representations of passwords. The strength of encryption that must be used to hash passwords for all accounts is \"SHA512\". 
@@ -34,7 +34,7 @@ If the \"crypt_style\" variable is not set to \"sha512\", is not in the defaults section, or does not exist, this is a finding." - tag "fix": "Configure the operating system to store only SHA512 encrypted + desc "fix", "Configure the operating system to store only SHA512 encrypted representations of passwords. Add or update the following line in \"/etc/libuser.conf\" in the [defaults] diff --git a/controls/V-71925.rb b/controls/V-71925.rb index 91e744d4c..5ec9fa5a1 100644 --- a/controls/V-71925.rb +++ b/controls/V-71925.rb @@ -20,7 +20,7 @@ tag "documentable": false tag "nist": ["IA-5 (1) (d)", "Rev_4"] tag "subsystems": ['login_defs', 'password'] - tag "check": "Verify the operating system enforces 24 hours/1 day as the + desc "check", "Verify the operating system enforces 24 hours/1 day as the minimum password lifetime for new user accounts. Check for the value of \"PASS_MIN_DAYS\" in \"/etc/login.defs\" with the @@ -31,7 +31,7 @@ If the \"PASS_MIN_DAYS\" parameter value is not \"1\" or greater, or is commented out, this is a finding." - tag "fix": "Configure the operating system to enforce 24 hours/1 day as the + desc "fix", "Configure the operating system to enforce 24 hours/1 day as the minimum password lifetime. Add the following line in \"/etc/login.defs\" (or modify the line to have the diff --git a/controls/V-71927.rb b/controls/V-71927.rb index 387ec0cef..3df8cfbb5 100644 --- a/controls/V-71927.rb +++ b/controls/V-71927.rb 
@@ -22,14 +22,14 @@ tag "documentable": false tag "nist": ["IA-5 (1) (d)", "Rev_4"] tag "subsystems": ['password', '/etc/shadow'] - tag "check": "Check whether the minimum time period between password changes + desc "check", "Check whether the minimum time period between password changes for each user account is one day or greater. # awk -F: '$4 < 1 {print $1}' /etc/shadow If any results are returned that are not associated with a system account, this is a finding." - tag "fix": "Configure non-compliant accounts to enforce a 24 hours/1 day + desc "fix", "Configure non-compliant accounts to enforce a 24 hours/1 day minimum password lifetime: # chage -m 1 [user]" diff --git a/controls/V-71929.rb b/controls/V-71929.rb index 7d26b6bf2..c3952c89c 100644 --- a/controls/V-71929.rb +++ b/controls/V-71929.rb @@ -20,7 +20,7 @@ tag "documentable": false tag "nist": ["IA-5 (1) (d)", "Rev_4"] tag "subsystems": ['login_defs', 'password'] - tag "check": "Verify the operating system enforces a 60-day maximum password + desc "check", "Verify the operating system enforces a 60-day maximum password lifetime restriction for new user accounts. Check for the value of \"PASS_MAX_DAYS\" in \"/etc/login.defs\" with the @@ -31,7 +31,7 @@ If the \"PASS_MAX_DAYS\" parameter value is not 60 or less, or is commented out, this is a finding." - tag "fix": "Configure the operating system to enforce a 60-day maximum + desc "fix", "Configure the operating system to enforce a 60-day maximum password lifetime restriction. Add the following line in \"/etc/login.defs\" (or modify the line to have the diff --git a/controls/V-71931.rb b/controls/V-71931.rb index a143f869e..e78c0ad13 100644 --- a/controls/V-71931.rb +++ b/controls/V-71931.rb 
@@ -23,14 +23,14 @@ tag "documentable": false tag "nist": ["IA-5 (1) (d)", "Rev_4"] tag "subsystems": ['password', '/etc/shadow'] - tag "check": "Check whether the maximum time period for existing passwords is + desc "check", "Check whether the maximum time period for existing passwords is restricted to 60 days. # awk -F: '$5 > 60 {print $1}' /etc/shadow If any results are returned that are not associated with a system account, this is a finding." - tag "fix": "Configure non-compliant accounts to enforce a 60-day maximum + desc "fix", "Configure non-compliant accounts to enforce a 60-day maximum password lifetime restriction. # chage -M 60 [user]" diff --git a/controls/V-71933.rb b/controls/V-71933.rb index 194643e31..d52b6a19e 100644 --- a/controls/V-71933.rb +++ b/controls/V-71933.rb @@ -5,7 +5,7 @@ # TODO this can happen if `authconfig` has not been run on the system yet and # TODO the system is still using the `non-ac` versions of the files yet. -min_reuse_generations = attribute('min_reuse_generations', value: 5, +min_reuse_generations = input('min_reuse_generations', value: 5, description: 'The minimum number of generations before a password can be reused.') @@ -26,7 +26,7 @@ tag "documentable": false tag "nist": ["IA-5 (1) (e)", "Rev_4"] tag "subsystems": ['pam', 'password'] - tag "check": "Verify the operating system prohibits password reuse for a + desc "check", "Verify the operating system prohibits password reuse for a minimum of five generations. Check for the value of the \"remember\" argument in 
@@ -38,7 +38,7 @@ If the line containing the \"pam_unix.so\" line does not have the \"remember\" module argument set, or the value of the \"remember\" module argument is set to less than \"5\", this is a finding." - tag "fix": "Configure the operating system to prohibit password reuse for a + desc "fix", "Configure the operating system to prohibit password reuse for a minimum of five generations. Add the following line in \"/etc/pam.d/system-auth-ac\" (or modify the line to diff --git a/controls/V-71935.rb b/controls/V-71935.rb index e3500f9c6..9cdc79581 100644 --- a/controls/V-71935.rb +++ b/controls/V-71935.rb @@ -4,7 +4,7 @@ # TODO update attrib to use the same `style` as the other PAM/PASSWD attributes # TODO we should also have a PAM_PWQUALITY_PATH attrib I think -min_len = attribute('min_len', value: 15, +min_len = input('min_len', value: 15, description: 'The minimum number of characters for passwords.') control "V-71935" do @@ -29,7 +29,7 @@ tag "documentable": false tag "nist": ["IA-5 (1) (a)", "Rev_4"] tag "subsystems": ['pam', 'pwquality', 'password'] - tag "check": "Verify the operating system enforces a minimum 15-character + desc "check", "Verify the operating system enforces a minimum 15-character password length. The \"minlen\" option sets the minimum number of characters in a new password. @@ -41,7 +41,7 @@ If the command does not return a \"minlen\" value of 15 or greater, this is a finding." - tag "fix": "Configure operating system to enforce a minimum 15-character + desc "fix", "Configure operating system to enforce a minimum 15-character password length. Add the following line to \"/etc/security/pwquality.conf\" (or modify the line diff --git a/controls/V-71937.rb b/controls/V-71937.rb index 2c1464bc9..6a8180032 100644 --- a/controls/V-71937.rb +++ b/controls/V-71937.rb 
@@ -15,7 +15,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['pam', 'password'] - tag "check": "To verify that null passwords cannot be used, run the following + desc "check", "To verify that null passwords cannot be used, run the following command: # grep nullok /etc/pam.d/system-auth-ac @@ -24,7 +24,7 @@ empty passwords. If null passwords can be used, this is a finding." - tag "fix": "If an account is configured for password authentication but does + desc "fix", "If an account is configured for password authentication but does not have an assigned password, it may be possible to log on to the account without authenticating. diff --git a/controls/V-71939.rb b/controls/V-71939.rb index a0d95d9d3..72c0f965e 100644 --- a/controls/V-71939.rb +++ b/controls/V-71939.rb @@ -14,7 +14,7 @@ tag "documentable": false tag "nist": ["IA-2 (2)", "Rev_4"] tag "subsystems": ["ssh"] - tag "check": "To determine how the SSH daemon's \"PermitEmptyPasswords\" + desc "check", "To determine how the SSH daemon's \"PermitEmptyPasswords\" option is set, run the following command: # grep -i PermitEmptyPasswords /etc/ssh/sshd_config @@ -24,7 +24,7 @@ returned, the required value is set. If the required value is not set, this is a finding." - tag "fix": "To explicitly disallow remote logon from accounts with empty + desc "fix", "To explicitly disallow remote logon from accounts with empty passwords, add or correct the following line in \"/etc/ssh/sshd_config\": PermitEmptyPasswords no diff --git a/controls/V-71941.rb b/controls/V-71941.rb index cf85f99f0..1032428da 100644 --- a/controls/V-71941.rb +++ b/controls/V-71941.rb @@ -1,7 +1,7 @@ # encoding: utf-8 # -days_of_inactivity = attribute('days_of_inactivity', value: 0, description: 'The +days_of_inactivity = input('days_of_inactivity', value: 0, description: 'The number of days of inactivity before an account is disabled.') control "V-71941" do 
@@ -25,7 +25,7 @@ tag "documentable": false tag "nist": ["IA-4 e", "Rev_4"] tag "subsystems": ['user'] - tag "check": "Verify the operating system disables account identifiers + desc "check", "Verify the operating system disables account identifiers (individuals, groups, roles, and devices) after the password expires with the following command: @@ -34,7 +34,7 @@ If the value is not set to \"0\", is commented out, or is not defined, this is a finding." - tag "fix": "Configure the operating system to disable account identifiers + desc "fix", "Configure the operating system to disable account identifiers (individuals, groups, roles, and devices) after the password expires. Add the following line to \"/etc/default/useradd\" (or modify the line to have @@ -43,6 +43,7 @@ INACTIVE=0" tag "fix_id": "F-78293r1_fix" describe parse_config_file("/etc/default/useradd") do + its('INACTIVE') { should cmp >= 0 } its('INACTIVE') { should cmp <= days_of_inactivity } end end diff --git a/controls/V-71943.rb b/controls/V-71943.rb index 5a7491cca..60bc976ff 100644 --- a/controls/V-71943.rb +++ b/controls/V-71943.rb @@ -1,13 +1,13 @@ # encoding: utf-8 # -unsuccessful_attempts = attribute('unsuccessful_attempts', value: 3, +unsuccessful_attempts = input('unsuccessful_attempts', value: 3, description: 'The account is denied access after the specified number of consecutive failed logon attempts.') -fail_interval = attribute('fail_interval', value: 900, +fail_interval = input('fail_interval', value: 900, description: 'The interval of time in which the consecutive failed logon attempts must occur in order for the account to be locked out (in seconds).') -lockout_time = attribute('lockout_time', value: 604800, +lockout_time = input('lockout_time', value: 604800, description: 'The minimum amount of time that an account must be locked out after the specified number of unsuccessful logon attempts (in seconds). This attribute should never be set greater than 604800.') 
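Review bot: The new `its('INACTIVE') { should cmp >= 0 }` expectation in V-71941's `describe parse_config_file("/etc/default/useradd")` block carries no comment, and with `days_of_inactivity` defaulting to 0 the pair of `cmp` matchers reads as a tautology unless the reader knows that useradd treats `INACTIVE=-1` as "never disable the account". A comment above the added line such as `# INACTIVE=-1 turns inactivity lockout off entirely, so any negative value is a finding even though it satisfies the <= days_of_inactivity bound` would state the reason. The `days_of_inactivity` input declared at the top of the same file (in the preceding hunk) is not itself validated, so a negative input value makes the two expectations jointly unsatisfiable and the control fails without explaining why; a guard next to the input declaration, e.g. `raise ArgumentError, 'days_of_inactivity must be >= 0' if days_of_inactivity < 0`, would surface that misconfiguration instead. The enclosing `control "V-71941"` block starts outside this hunk.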
@@ -28,7 +28,7 @@ tag "documentable": false tag "nist": ["AC-7 b", "Rev_4"] tag "subsystems": ['pam', 'faillock'] - tag "check": "Verify the operating system automatically locks an account for the + desc "check", "Verify the operating system automatically locks an account for the maximum period for which the system can be configured. Check that the system locks an account for the maximum period after three @@ -52,7 +52,7 @@ If the \"unlock_time\" setting is greater than \"604800\" on both lines with the \"pam_faillock.so\" module name or is missing from a line, this is a finding." - tag "fix": "Configure the operating system to lock an account for the maximum + desc "fix", "Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made. Modify the first three lines of the auth section of the diff --git a/controls/V-71945.rb b/controls/V-71945.rb index e66e690e7..202841a9d 100644 --- a/controls/V-71945.rb +++ b/controls/V-71945.rb @@ -16,7 +16,7 @@ tag "documentable": false tag "nist": ["AC-7 b", "Rev_4"] tag "subsystems": ['pam'] - tag "check": "Verify the operating system automatically locks the root + desc "check", "Verify the operating system automatically locks the root account until it is released by an administrator when three unsuccessful logon attempts in 15 minutes are made. @@ -35,7 +35,7 @@ If the \"even_deny_root\" setting is not defined on both lines with the \"pam_faillock.so\" module name, this is a finding." - tag "fix": "Configure the operating system to automatically lock the root + desc "fix", "Configure the operating system to automatically lock the root account until the locked account is released by an administrator when three unsuccessful logon attempts in 15 minutes are made. diff --git a/controls/V-71947.rb b/controls/V-71947.rb index ea5e2937b..1c5e3e8a2 100644 --- a/controls/V-71947.rb +++ b/controls/V-71947.rb 
@@ -25,7 +25,7 @@ tag "documentable": false tag "nist": ["IA-11", "Rev_4"] tag "subsystems": ['sudo'] - tag "check": "If passwords are not being used for authentication, this is Not + desc "check", "If passwords are not being used for authentication, this is Not Applicable. Verify the operating system requires users to supply a password for privilege @@ -37,7 +37,7 @@ # grep -i nopasswd /etc/sudoers /etc/sudoers.d/* If any uncommented line is found with a \"NOPASSWD\" tag, this is a finding." - tag "fix": "Configure the operating system to require users to supply a + desc "fix", "Configure the operating system to require users to supply a password for privilege escalation. Check the configuration of the \"/etc/sudoers\" and \"/etc/sudoers.d/*\" files diff --git a/controls/V-71949.rb b/controls/V-71949.rb index ad9294fa3..877ebfd14 100644 --- a/controls/V-71949.rb +++ b/controls/V-71949.rb @@ -19,7 +19,7 @@ tag "documentable": false tag "nist": ["IA-11", "Rev_4"] tag "subsystems": ['sudo'] - tag "check": "Verify the operating system requires users to reauthenticate + desc "check", "Verify the operating system requires users to reauthenticate for privilege escalation. Check the configuration of the \"/etc/sudoers\" and \"/etc/sudoers.d/*\" files @@ -28,7 +28,7 @@ # grep -i authenticate /etc/sudoers /etc/sudoers.d/* If any line is found with a \"!authenticate\" tag, this is a finding." - tag "fix": "Configure the operating system to require users to reauthenticate + desc "fix", "Configure the operating system to require users to reauthenticate for privilege escalation. Check the configuration of the \"/etc/sudoers\" and \"/etc/sudoers.d/*\" files diff --git a/controls/V-71951.rb b/controls/V-71951.rb index e5c4879a2..3114be6ff 100644 --- a/controls/V-71951.rb +++ b/controls/V-71951.rb 
@@ -30,7 +30,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['login_defs'] - tag "check": "Verify the operating system enforces a delay of at least four + desc "check", "Verify the operating system enforces a delay of at least four seconds between console logon prompts following a failed logon attempt. Check the value of the \"fail_delay\" parameter in the \"/etc/login.defs\" file @@ -41,7 +41,7 @@ If the value of \"FAIL_DELAY\" is not set to \"4\" or greater, this is a finding." - tag "fix": "Configure the operating system to enforce a delay of at least + desc "fix", "Configure the operating system to enforce a delay of at least four seconds between logon prompts following a failed console logon attempt. Modify the \"/etc/login.defs\" file to set the \"FAIL_DELAY\" parameter to diff --git a/controls/V-71953.rb b/controls/V-71953.rb index bb7dea48f..478a711fa 100644 --- a/controls/V-71953.rb +++ b/controls/V-71953.rb @@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ["gdm"] - tag "check": "Verify the operating system does not allow an unattended or + desc "check", "Verify the operating system does not allow an unattended or automatic logon to the system via a graphical user interface. Note: If the system does not have GNOME installed, this requirement is Not @@ -35,7 +35,7 @@ If the value of \"AutomaticLoginEnable\" is not set to \"false\", this is a finding." - tag "fix": "Configure the operating system to not allow an unattended or + desc "fix", "Configure the operating system to not allow an unattended or automatic logon to the system via a graphical user interface. Note: If the system does not have GNOME installed, this requirement is Not diff --git a/controls/V-71955.rb b/controls/V-71955.rb index 49a6e7f0b..275dae8d4 100644 --- a/controls/V-71955.rb +++ b/controls/V-71955.rb 
@@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ["gdm"] - tag "check": "Verify the operating system does not allow an unrestricted + desc "check", "Verify the operating system does not allow an unrestricted logon to the system via a graphical user interface. Note: If the system does not have GNOME installed, this requirement is Not @@ -35,7 +35,7 @@ If the value of \"TimedLoginEnable\" is not set to \"false\", this is a finding." - tag "fix": "Configure the operating system to not allow an unrestricted + desc "fix", "Configure the operating system to not allow an unrestricted account to log on to the system via a graphical user interface. Note: If the system does not have GNOME installed, this requirement is Not diff --git a/controls/V-71957.rb b/controls/V-71957.rb index c9fbb0cf7..5c83a4b7f 100644 --- a/controls/V-71957.rb +++ b/controls/V-71957.rb @@ -14,7 +14,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ["ssh"] - tag "check": "Verify the operating system does not allow users to override + desc "check", "Verify the operating system does not allow users to override environment variables to the SSH daemon. Check for the value of the \"PermitUserEnvironment\" keyword with the following @@ -25,7 +25,7 @@ If the \"PermitUserEnvironment\" keyword is not set to \"no\", is missing, or is commented out, this is a finding." - tag "fix": "Configure the operating system to not allow users to override + desc "fix", "Configure the operating system to not allow users to override environment variables to the SSH daemon. Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for diff --git a/controls/V-71959.rb b/controls/V-71959.rb index f0ca3db7a..5e808706b 100644 --- a/controls/V-71959.rb +++ b/controls/V-71959.rb 
@@ -14,7 +14,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ["ssh"] - tag "check": "Verify the operating system does not allow a non-certificate + desc "check", "Verify the operating system does not allow a non-certificate trusted host SSH logon to the system. Check for the value of the \"HostbasedAuthentication\" keyword with the @@ -25,7 +25,7 @@ If the \"HostbasedAuthentication\" keyword is not set to \"no\", is missing, or is commented out, this is a finding." - tag "fix": "Configure the operating system to not allow a non-certificate + desc "fix", "Configure the operating system to not allow a non-certificate trusted host SSH logon to the system. Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for diff --git a/controls/V-71961.rb b/controls/V-71961.rb index 0a79ab324..f72661f51 100644 --- a/controls/V-71961.rb +++ b/controls/V-71961.rb @@ -1,17 +1,17 @@ # encoding: utf-8 # -grub_superusers = attribute( +grub_superusers = input( 'grub_superusers', description: 'superusers for grub boot ( array )', value: ['root'] ) -grub_user_boot_files = attribute( +grub_user_boot_files = input( 'grub_user_boot_files', description: 'grub boot config files', value: ['/boot/grub2/user.cfg'] ) -grub_main_cfg = attribute( +grub_main_cfg = input( 'grub_main_cfg', description: 'main grub boot config file', value: '/boot/grub2/grub.cfg' @@ -34,7 +34,7 @@ tag "documentable": false tag "nist": ["AC-3", "Rev_4"] tag "subsystems": ['grub'] - tag "check": "For systems that use UEFI, this is Not Applicable. + desc "check", "For systems that use UEFI, this is Not Applicable. Check to see if an encrypted root password is set. On systems that use a BIOS, use the following command: 
@@ -47,7 +47,7 @@ finding. If the \"superusers-account\" is not set to \"root\", this is a finding." - tag "fix": "Configure the system to encrypt the boot password for root. + desc "fix", "Configure the system to encrypt the boot password for root. Generate an encrypted grub2 password for root with the following command: diff --git a/controls/V-71963.rb b/controls/V-71963.rb index 6b0397a27..296e605d2 100644 --- a/controls/V-71963.rb +++ b/controls/V-71963.rb @@ -1,17 +1,17 @@ # encoding: utf-8 # -efi_superusers = attribute( +efi_superusers = input( 'efi_superusers', description: 'superusers for efi boot ( array )', value: ['root'] ) -efi_user_boot_files = attribute( +efi_user_boot_files = input( 'efi_user_boot_files', description: 'efi boot config files', value: ['/boot/efi/EFI/redhat/user.cfg'] ) -efi_main_cfg = attribute( +efi_main_cfg = input( 'efi_main_cfg', description: 'main efi boot config file', value: '/boot/efi/EFI/redhat/grub.cfg' @@ -34,7 +34,7 @@ tag "documentable": false tag "nist": ["AC-3", "Rev_4"] tag "subsystems": ['grub'] - tag "check": "For systems that use BIOS, this is Not Applicable. + desc "check", "For systems that use BIOS, this is Not Applicable. Check to see if an encrypted root password is set. On systems that use UEFI, use the following command: @@ -47,7 +47,7 @@ finding. If the \"superusers-account\" is not set to \"root\", this is a finding." - tag "fix": "Configure the system to encrypt the boot password for root. + desc "fix", "Configure the system to encrypt the boot password for root. Generate an encrypted grub2 password for root with the following command: diff --git a/controls/V-71965.rb b/controls/V-71965.rb index ae7610572..aee20f80d 100644 --- a/controls/V-71965.rb +++ b/controls/V-71965.rb @@ -8,7 +8,7 @@ # users may be unable to log into the system. # -smart_card_status = attribute( +smart_card_status = input( 'smart_card_status', value: 'enabled', # values(enabled|disabled) description: 'Smart Card Status' 
@@ -56,7 +56,7 @@ tag "documentable": false tag "nist": ["IA-2 (2)", "Rev_4"] tag "subsystems": ['pam', 'smartcard'] - tag "check": "Verify the operating system requires multifactor authentication + desc "check", "Verify the operating system requires multifactor authentication to uniquely identify organizational users using multifactor authentication. Check to see if smartcard authentication is enforced on the system: @@ -68,7 +68,7 @@ module and smartcard removal actions must not be blank. If smartcard authentication is disabled or the smartcard and smartcard removal actions are blank, this is a finding." - tag "fix": "Configure the operating system to require individuals to be + desc "fix", "Configure the operating system to require individuals to be authenticated with a multifactor authenticator. Enable smartcard logons with the following commands: diff --git a/controls/V-71967.rb b/controls/V-71967.rb index f3b28d29e..595502faf 100644 --- a/controls/V-71967.rb +++ b/controls/V-71967.rb @@ -30,13 +30,13 @@ tag "documentable": false tag "nist": ["CM-7 a", "Rev_4"] tag "subsystems": ['packages'] - tag "check": "Check to see if the rsh-server package is installed with the + desc "check", "Check to see if the rsh-server package is installed with the following command: # yum list installed rsh-server If the rsh-server package is installed, this is a finding." - tag "fix": "Configure the operating system to disable non-essential + desc "fix", "Configure the operating system to disable non-essential capabilities by removing the rsh-server package from the system with the following command: diff --git a/controls/V-71969.rb b/controls/V-71969.rb index e6ef53244..976eb46be 100644 --- a/controls/V-71969.rb +++ b/controls/V-71969.rb 
@@ -13,7 +13,7 @@ tag "documentable": false tag "nist": ["CM-7 a", "Rev_4"] tag "subsystems": ['packages'] - tag "check": "The NIS service provides an unencrypted authentication service + desc "check", "The NIS service provides an unencrypted authentication service that does not provide for the confidentiality and integrity of user passwords or the remote session. @@ -22,7 +22,7 @@ # yum list installed ypserv If the \"ypserv\" package is installed, this is a finding." - tag "fix": "Configure the operating system to disable non-essential + desc "fix", "Configure the operating system to disable non-essential capabilities by removing the \"ypserv\" package from the system with the following command: diff --git a/controls/V-71971.rb b/controls/V-71971.rb index ba08add73..d14181310 100644 --- a/controls/V-71971.rb +++ b/controls/V-71971.rb @@ -2,7 +2,7 @@ # # TODO we really do need an `semanage` resource. # Will need to be changed to reflect list of authorized system accounts -admin_logins = attribute( +admin_logins = input( 'admin_logins', value: [], description: "System accounts that support approved system activities." @@ -40,7 +40,7 @@ tag "documentable": false tag "nist": ["AC-3 (4)", "AC-6 (10)", "Rev_4"] tag "subsystems": ["selinux"] - tag "check": "Verify the operating system prevents non-privileged users from + desc "check", "Verify the operating system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. @@ -63,7 +63,7 @@ or the appropriate domain (user_t). If they are not mapped in this way, this is a finding." - tag "fix": "Configure the operating system to prevent non-privileged users + desc "fix", "Configure the operating system to prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. 
diff --git a/controls/V-71973.rb b/controls/V-71973.rb index b74cb99a6..344e6af22 100644 --- a/controls/V-71973.rb +++ b/controls/V-71973.rb @@ -1,9 +1,9 @@ # encoding: utf-8 # -file_integrity_tool = attribute('file_integrity_tool', value: 'aide', +file_integrity_tool = input('file_integrity_tool', value: 'aide', description: 'Tool used to determine file integrity') -file_integrity_interval = attribute('file_integrity_interval', value: 'weekly', +file_integrity_interval = input('file_integrity_interval', value: 'weekly', description: 'Interval for running the file integrity tool.') control "V-71973" do @@ -31,7 +31,7 @@ tag "documentable": false tag "nist": ["CM-3 (5)", "Rev_4"] tag "subsystems": ['aide'] - tag "check": "Verify the operating system routinely checks the baseline + desc "check", "Verify the operating system routinely checks the baseline configuration for unauthorized changes. Note: A file integrity tool other than Advanced Intrusion Detection Environment @@ -58,7 +58,7 @@ If the file integrity application does not exist, or a \"crontab\" file does not exist in the \"/etc/cron.daily\" or \"/etc/cron.weekly\" subdirectories, this is a finding." - tag "fix": "Configure the file integrity tool to automatically run on the + desc "fix", "Configure the file integrity tool to automatically run on the system at least weekly. The following example output is generic. It will set cron to run AIDE daily, but other file integrity tools may be used: diff --git a/controls/V-71975.rb b/controls/V-71975.rb index 0e662789b..3ac18502a 100644 --- a/controls/V-71975.rb +++ b/controls/V-71975.rb @@ -1,7 +1,7 @@ # encoding: utf-8 # -file_integrity_tool = attribute( +file_integrity_tool = input( 'file_integrity_tool', value: 'aide', description: "Tool used to determine file integrity" 
@@ -32,7 +32,7 @@ tag "documentable": false tag "nist": ["CM-3 (5)", "Rev_4"] tag "subsystems": ['aide'] - tag "check": "Verify the operating system notifies designated personnel if + desc "check", "Verify the operating system notifies designated personnel if baseline configurations are changed in an unauthorized manner. Note: A file integrity tool other than Advanced Intrusion Detection Environment @@ -66,7 +66,7 @@ If the file integrity application does not notify designated personnel of changes, this is a finding." - tag "fix": "Configure the operating system to notify designated personnel if + desc "fix", "Configure the operating system to notify designated personnel if baseline configurations are changed in an unauthorized manner. The AIDE tool can be configured to email designated personnel through the use of the cron system. diff --git a/controls/V-71977.rb b/controls/V-71977.rb index 674138396..ad8db8aca 100644 --- a/controls/V-71977.rb +++ b/controls/V-71977.rb @@ -32,7 +32,7 @@ tag "documentable": false tag "nist": ["CM-5 (3)", "Rev_4"] tag "subsystems": ['yum'] - tag "check": "Verify the operating system prevents the installation of + desc "check", "Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components from a repository without verification that they have been digitally signed using a certificate that is recognized and approved by the organization. @@ -49,7 +49,7 @@ If there is no process to validate certificates that is approved by the organization, this is a finding." - tag "fix": "Configure the operating system to verify the signature of + desc "fix", "Configure the operating system to verify the signature of packages from a repository prior to install by setting the following option in the \"/etc/yum.conf\" file: diff --git a/controls/V-71979.rb b/controls/V-71979.rb index 64e98ec82..37e8b227a 100644 --- a/controls/V-71979.rb +++ b/controls/V-71979.rb 
@@ -32,7 +32,7 @@ tag "documentable": false tag "nist": ["CM-5 (3)", "Rev_4"] tag "subsystems": ['yum'] - tag "check": "Verify the operating system prevents the installation of + desc "check", "Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification that they have been digitally signed using a certificate that is recognized and approved by the organization. @@ -49,7 +49,7 @@ If there is no process to validate the signatures of local packages that is approved by the organization, this is a finding." - tag "fix": "Configure the operating system to verify the signature of local + desc "fix", "Configure the operating system to verify the signature of local packages prior to install by setting the following option in the \"/etc/yum.conf\" file: diff --git a/controls/V-71981.rb b/controls/V-71981.rb index eb73e0426..929eda972 100644 --- a/controls/V-71981.rb +++ b/controls/V-71981.rb @@ -37,7 +37,7 @@ tag "documentable": false tag "nist": ["CM-5 (3)", "Rev_4"] tag "subsystems": ['yum'] - tag "check": "Verify the operating system prevents the installation of + desc "check", "Verify the operating system prevents the installation of patches, service packs, device drivers, or operating system components of local packages without verification of the repository metadata. @@ -53,7 +53,7 @@ If there is no process to validate the metadata of packages that is approved by the organization, this is a finding." - tag "fix": "Configure the operating system to verify the repository metadata + desc "fix", "Configure the operating system to verify the repository metadata by setting the following options in the \"/etc/yum.conf\" file: repo_gpgcheck=1" diff --git a/controls/V-71983.rb b/controls/V-71983.rb index 4588b1160..1c3334cf5 100644 --- a/controls/V-71983.rb +++ b/controls/V-71983.rb 
@@ -16,7 +16,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "IA-3", "IA-3", "Rev_4"] tag "subsystems": ['usb', 'kernel_module'] - tag "check": "If there is an HBSS with a Device Control Module and a Data + desc "check", "If there is an HBSS with a Device Control Module and a Data Loss Prevention mechanism, this requirement is not applicable. Verify the operating system disables the ability to use USB mass storage @@ -31,7 +31,7 @@ usb-storage\", and use of USB storage devices is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding." - tag "fix": "Configure the operating system to disable the ability to use USB + desc "fix", "Configure the operating system to disable the ability to use USB mass storage devices. # vi /etc/modprobe.d/blacklist.conf diff --git a/controls/V-71985.rb b/controls/V-71985.rb index 551b3acfe..a2fad06da 100644 --- a/controls/V-71985.rb +++ b/controls/V-71985.rb @@ -15,7 +15,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "IA-3", "IA-3", "Rev_4"] tag "subsystems": ['file_system', 'nfs', 'autofs'] - tag "check": "Verify the operating system disables the ability to automount + desc "check", "Verify the operating system disables the ability to automount devices. Check to see if automounter service is active with the following command: @@ -28,7 +28,7 @@ If the \"autofs\" status is set to \"active\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding." - tag "fix": "Configure the operating system to disable the ability to + desc "fix", "Configure the operating system to disable the ability to automount devices. Turn off the automount service with the following command: diff --git a/controls/V-71987.rb b/controls/V-71987.rb index 470506a4e..9ac72d475 100644 --- a/controls/V-71987.rb +++ b/controls/V-71987.rb 
@@ -16,7 +16,7 @@ tag "documentable": false tag "nist": ["SI-2 (6)", "Rev_4"] tag "subsystems": ['yum'] - tag "check": "Verify the operating system removes all software components + desc "check", "Verify the operating system removes all software components after updated versions have been installed. Check if yum is configured to remove unneeded packages with the following @@ -27,7 +27,7 @@ If \"clean_requirements_on_remove\" is not set to \"1\", \"True\", or \"yes\", or is not set in \"/etc/yum.conf\", this is a finding." - tag "fix": "Configure the operating system to remove all software components + desc "fix", "Configure the operating system to remove all software components after updated versions have been installed. Set the \"clean_requirements_on_remove\" option to \"1\" in the diff --git a/controls/V-71989.rb b/controls/V-71989.rb index a58a848c3..c37727e56 100644 --- a/controls/V-71989.rb +++ b/controls/V-71989.rb @@ -25,7 +25,7 @@ tag "documentable": false tag "nist": ["AC-3 (4)", "SI-6 a", "Rev_4"] tag "subsystems": ['selinux'] - tag "check": "Verify the operating system verifies correct operation of all + desc "check", "Verify the operating system verifies correct operation of all security functions. Check if \"SELinux\" is active and in \"Enforcing\" mode with the following @@ -35,7 +35,7 @@ Enforcing If \"SELinux\" is not active and not in \"Enforcing\" mode, this is a finding." - tag "fix": "Configure the operating system to verify correct operation of all + desc "fix", "Configure the operating system to verify correct operation of all security functions. Set the \"SELinux\" status and the \"Enforcing\" mode by modifying the diff --git a/controls/V-71991.rb b/controls/V-71991.rb index 0faf0edbc..1bb93d407 100644 --- a/controls/V-71991.rb +++ b/controls/V-71991.rb 
@@ -25,7 +25,7 @@ tag "documentable": false tag "nist": ["AC-3 (4)", "SI-6 a", "Rev_4"] tag "subsystems": ['selinux'] - tag "check": "Verify the operating system verifies correct operation of all + desc "check", "Verify the operating system verifies correct operation of all security functions. Check if \"SELinux\" is active and is enforcing the targeted policy with the @@ -55,7 +55,7 @@ If the \"Policy from config file\" is not set to \"targeted\", or the \"Loaded policy name\" is not set to \"targeted\", this is a finding. " - tag "fix": "Configure the operating system to verify correct operation of all + desc "fix", "Configure the operating system to verify correct operation of all security functions. Set the \"SELinuxtype\" to the \"targeted\" policy by modifying the diff --git a/controls/V-71993.rb b/controls/V-71993.rb index 890ccf76a..2592dbb8f 100644 --- a/controls/V-71993.rb +++ b/controls/V-71993.rb @@ -17,7 +17,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ["gnome", "general"] - tag "check": "Verify the operating system is not configured to reboot the + desc "check", "Verify the operating system is not configured to reboot the system when Ctrl-Alt-Delete is pressed. Check that the ctrl-alt-del.service is not active with the following command: @@ -29,7 +29,7 @@ Docs: man:systemd.special(7) If the ctrl-alt-del.service is active, this is a finding." - tag "fix": "Configure the system to disable the Ctrl-Alt_Delete sequence for + desc "fix", "Configure the system to disable the Ctrl-Alt_Delete sequence for the command line with the following command: # systemctl mask ctrl-alt-del.target diff --git a/controls/V-71995.rb b/controls/V-71995.rb index f3c366997..2cdbb9e85 100644 --- a/controls/V-71995.rb +++ b/controls/V-71995.rb 
@@ -19,7 +19,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['login_defs'] - tag "check": "Verify the operating system defines default permissions for all + desc "check", "Verify the operating system defines default permissions for all authenticated users in such a way that the user can only read and modify their own files. @@ -34,7 +34,7 @@ If the value for the \"UMASK\" parameter is not \"077\", or the \"UMASK\" parameter is missing or is commented out, this is a finding." - tag "fix": "Configure the operating system to define default permissions for + desc "fix", "Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files. diff --git a/controls/V-71997.rb b/controls/V-71997.rb index 7b2e417fb..0ceb99edb 100644 --- a/controls/V-71997.rb +++ b/controls/V-71997.rb @@ -2,10 +2,10 @@ # control "V-71997" do title "The operating system must be a vendor supported release." - desc "An operating system release is considered \"supported\" if the vendor -continues to provide security patches for the product. With an unsupported -release, it will not be possible to resolve security issues discovered in the -system software." + desc "An operating system release is considered \"supported\" if the vendor + continues to provide security patches for the product. With an unsupported + release, it will not be possible to resolve security issues discovered in the + system software." impact 0.7 tag "gtitle": "SRG-OS-000480-GPOS-00227" tag "gid": "V-71997" 
@@ -14,21 +14,23 @@ tag "cci": ["CCI-000366"] tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] - tag "check": "Verify the version of the operating system is vendor supported. - -Check the version of the operating system with the following command: - -# cat /etc/redhat-release - -Red Hat Enterprise Linux Server release 7.2 (Maipo) - -Current End of Life for RHEL 7.2 is Q4 2020. - -Current End of Life for RHEL 7.3 is 30 June 2024. - -If the release is not supported by the vendor, this is a finding." - tag "fix": "Upgrade to a supported version of the operating system." tag "fix_id": "F-78349r1_fix" + tag "subsystems": ['redhat_release'] + desc "check", "Verify the version of the operating system is vendor supported. + + Check the version of the operating system with the following command: + + # cat /etc/redhat-release + + Red Hat Enterprise Linux Server release 7.2 (Maipo) + + Current End of Life for RHEL 7.2 is Q4 2020. + + Current End of Life for RHEL 7.3 is 30 June 2024. + + If the release is not supported by the vendor, this is a finding." + + desc "fix", "Upgrade to a supported version of the operating system." # TODO use an array attribute of supported DISTROS and use the be_in matcher? describe file('/etc/redhat-release') do diff --git a/controls/V-71999.rb b/controls/V-71999.rb index b8183a7b6..bf022673b 100644 --- a/controls/V-71999.rb +++ b/controls/V-71999.rb @@ -25,8 +25,10 @@ tag "stig_id": "RHEL-07-020260" tag "cci": ["CCI-000366"] tag "documentable": false + tag "fix_id": "F-78351r1_fix" + tag "subsystems": ['packages'] tag "nist": ["CM-6 b", "Rev_4"] - tag "check": "Verify the operating system security patches and updates are + desc "check", "Verify the operating system security patches and updates are installed and up to date. Updates are required to be applied with a frequency determined by the site or Program Management Office (PMO). 
@@ -57,9 +59,9 @@ If the operating system is in non-compliance with the Information Assurance Vulnerability Management (IAVM) process, this is a finding." - tag "fix": "Install the operating system patches or updated packages + desc "fix", "Install the operating system patches or updated packages available from Red Hat within 30 days or sooner as local policy dictates." - tag "fix_id": "F-78351r1_fix" + describe.one do describe 'List of out-of-date packages' do subject { linux_update.updates } diff --git a/controls/V-72001.rb b/controls/V-72001.rb index 70938bfc4..8c9ef660f 100644 --- a/controls/V-72001.rb +++ b/controls/V-72001.rb @@ -1,7 +1,7 @@ # encoding: utf-8 # -known_system_accounts = attribute( +known_system_accounts = input( 'known_system_accounts', value: [ 'root', @@ -34,7 +34,7 @@ description: 'System accounts that support approved system activities. (Array)' ) -disallowed_accounts = attribute( +disallowed_accounts = input( 'disallowed_accounts', description: 'Accounts that are not allowed on the system (Array)', value: [ @@ -44,7 +44,7 @@ ] ) -user_accounts = attribute( +user_accounts = input( 'user_accounts', description: 'accounts of known managed users (Array)', value:[] @@ -71,7 +71,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['accounts'] - tag "check": "Verify all accounts on the system are assigned to an active + desc "check", "Verify all accounts on the system are assigned to an active system, application, or user account. Obtain the list of authorized system accounts from the Information System 
@@ -95,7 +95,7 @@ If the accounts on the system do not match the provided documentation, or accounts that do not support an authorized system function are present, this is a finding." - tag "fix": "Configure the system so all accounts on the system are assigned + desc "fix", "Configure the system so all accounts on the system are assigned to an active system, application, or user account. Remove accounts that do not support approved system activities or that allow diff --git a/controls/V-72003.rb b/controls/V-72003.rb index bd340cc96..458256e04 100644 --- a/controls/V-72003.rb +++ b/controls/V-72003.rb @@ -15,7 +15,7 @@ tag "documentable": false tag "nist": ["IA-2", "Rev_4"] tag "subsystems": ['accounts'] - tag "check": "Verify all GIDs referenced in the \"/etc/passwd\" file are + desc "check", "Verify all GIDs referenced in the \"/etc/passwd\" file are defined in the \"/etc/group\" file. Check that all referenced GIDs exist with the following command: @@ -24,7 +24,7 @@ If GIDs referenced in \"/etc/passwd\" file are returned as not defined in \"/etc/group\" file, this is a finding." - tag "fix": "Configure the system to define all GIDs found in the + desc "fix", "Configure the system to define all GIDs found in the \"/etc/passwd\" file by modifying the \"/etc/group\" file to add any non-existent group referenced in the \"/etc/passwd\" file, or change the GIDs referenced in the \"/etc/passwd\" file to a group that exists in diff --git a/controls/V-72005.rb b/controls/V-72005.rb index e0c012766..248a03bba 100644 --- a/controls/V-72005.rb +++ b/controls/V-72005.rb 
@@ -17,13 +17,13 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['accounts'] - tag "check": "Check the system for duplicate UID \"0\" assignments with the + desc "check", "Check the system for duplicate UID \"0\" assignments with the following command: # awk -F: '$3 == 0 {print $1}' /etc/passwd If any accounts other than root have a UID of \"0\", this is a finding." - tag "fix": "Change the UID of any account on the system, other than root, + desc "fix", "Change the UID of any account on the system, other than root, that has a UID of \"0\". If the account is associated with system commands or applications, the UID diff --git a/controls/V-72007.rb b/controls/V-72007.rb index 62dc4af91..5823a794d 100644 --- a/controls/V-72007.rb +++ b/controls/V-72007.rb @@ -14,7 +14,7 @@ tag "documentable": false tag "nist": ["AC-3 (4)", "Rev_4"] tag "subsystems": ['file_system', 'users' ,'files'] - tag "check": "Verify all files and directories on the system have a valid + desc "check", "Verify all files and directories on the system have a valid owner. Check the owner of all files and directories with the following command: @@ -25,7 +25,7 @@ # find / -fstype xfs -nouser If any files on the system do not have an assigned owner, this is a finding." - tag "fix": "Either remove all files and directories from the system that do + desc "fix", "Either remove all files and directories from the system that do not have a valid user, or assign a valid user to all unowned files and directories on the system with the \"chown\" command: diff --git a/controls/V-72009.rb b/controls/V-72009.rb index 60daec19c..5a2de977e 100644 --- a/controls/V-72009.rb +++ b/controls/V-72009.rb 
@@ -17,7 +17,7 @@ tag "documentable": false tag "nist": ["AC-3 (4)", "Rev_4"] tag "subsystems": ['file_system', 'groups' ,'files'] - tag "check": "Verify all files and directories on the system have a valid + desc "check", "Verify all files and directories on the system have a valid group. Check the owner of all files and directories with the following command: @@ -28,7 +28,7 @@ # find / -fstype xfs -nogroup If any files on the system do not have an assigned group, this is a finding." - tag "fix": "Either remove all files and directories from the system that do + desc "fix", "Either remove all files and directories from the system that do not have a valid group, or assign a valid group to all files and directories on the system with the \"chgrp\" command: diff --git a/controls/V-72011.rb b/controls/V-72011.rb index 25737b0a4..f4aa9a7a7 100644 --- a/controls/V-72011.rb +++ b/controls/V-72011.rb @@ -4,13 +4,13 @@ # TODO ENHANCE: 1. this needs to be enhanced, to loop though all the users # TODO 2. drop ones that have `gid` <= 999. I think If I read this right./s -exempt_home_users = attribute( +exempt_home_users = input( 'exempt_home_users', description: 'These are `home dir` exempt interactive accounts', value: [] ) -non_interactive_shells = attribute( +non_interactive_shells = input( 'non_interactive_shells', description: 'These shells do not allow a user to login', value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] @@ -30,7 +30,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['home_dirs'] - tag "check": "Verify local interactive users on the system have a home + desc "check", "Verify local interactive users on the system have a home directory assigned. Check for missing local interactive user home directories with the following 
@@ -51,7 +51,7 @@ If any interactive users do not have a home directory assigned, this is a finding." - tag "fix": "Assign home directories to all local interactive users that + desc "fix", "Assign home directories to all local interactive users that currently do not have a home directory assigned." tag "fix_id": "F-78363r1_fix" diff --git a/controls/V-72013.rb b/controls/V-72013.rb index 558f01b13..cdeb7e50d 100644 --- a/controls/V-72013.rb +++ b/controls/V-72013.rb @@ -14,7 +14,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['login_defs'] - tag "check": "Verify all local interactive users on the system are assigned a + desc "check", "Verify all local interactive users on the system are assigned a home directory upon creation. Check to see if the system is configured to create home directories for local @@ -25,7 +25,7 @@ If the value for \"CREATE_HOME\" parameter is not set to \"yes\", the line is missing, or the line is commented out, this is a finding." - tag "fix": "Configure the operating system to assign home directories to all + desc "fix", "Configure the operating system to assign home directories to all new local interactive users by setting the \"CREATE_HOME\" parameter in \"/etc/login.defs\" to \"yes\" as follows. diff --git a/controls/V-72015.rb b/controls/V-72015.rb index 6e407bcd9..739b203a3 100644 --- a/controls/V-72015.rb +++ b/controls/V-72015.rb @@ -3,13 +3,13 @@ # TODO ENHANCE: 1. this needs to be enhanced, i.e. to check the right thing. like V-72017 -exempt_home_users = attribute( +exempt_home_users = input( 'exempt_home_users', description: 'These are `home dir` exempt interactive accounts', value: [] ) -non_interactive_shells = attribute( +non_interactive_shells = input( 'non_interactive_shells', description: 'These shells do not allow a user to login', value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] 
@@ -32,7 +32,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['accounts'] - tag "check": "Verify the assigned home directory of all local interactive + desc "check", "Verify the assigned home directory of all local interactive users on the system exists. Check the home directory assignment for all local interactive non-privileged @@ -52,7 +52,7 @@ If any home directories referenced in \"/etc/passwd\" are returned as not defined, this is a finding." - tag "fix": "Create home directories to all local interactive users that + desc "fix", "Create home directories to all local interactive users that currently do not have a home directory assigned. Use the following commands to create the user home directory assigned in \"/etc/ passwd\": diff --git a/controls/V-72017.rb b/controls/V-72017.rb index 1fe51ecd0..53aca6be6 100644 --- a/controls/V-72017.rb +++ b/controls/V-72017.rb @@ -1,13 +1,13 @@ # encoding: utf-8 # -exempt_home_users = attribute( +exempt_home_users = input( 'exempt_home_users', description: 'These are `home dir` exempt interactive accounts', value: [] ) -non_interactive_shells = attribute( +non_interactive_shells = input( 'non_interactive_shells', description: 'These shells do not allow a user to login', value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] @@ -27,7 +27,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['home_dirs'] - tag "check": "Verify the assigned home directory of all local interactive + desc "check", "Verify the assigned home directory of all local interactive users has a mode of \"0750\" or less permissive. Check the home directory assignment for all non-privileged users on the system 
@@ -42,7 +42,7 @@ If home directories referenced in \"/etc/passwd\" do not have a mode of \"0750\" or less permissive, this is a finding." - tag "fix": "Change the mode of interactive user’s home directories to + desc "fix", "Change the mode of interactive user’s home directories to \"0750\". To change the mode of a local interactive user’s home directory, use the following command: diff --git a/controls/V-72019.rb b/controls/V-72019.rb index d626630aa..12d952131 100644 --- a/controls/V-72019.rb +++ b/controls/V-72019.rb @@ -1,13 +1,13 @@ # encoding: utf-8 # -exempt_home_users = attribute( +exempt_home_users = input( 'exempt_home_users', description: 'These are `home dir` exempt interactive accounts', value: [] ) -non_interactive_shells = attribute( +non_interactive_shells = input( 'non_interactive_shells', description: 'These shells do not allow a user to login', value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] @@ -28,7 +28,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['home_dirs'] - tag "check": "Verify the assigned home directory of all local interactive + desc "check", "Verify the assigned home directory of all local interactive users on the system exists. Check the home directory assignment for all local interactive users on the @@ -40,7 +40,7 @@ If any home directories referenced in \"/etc/passwd\" are not owned by the interactive user, this is a finding." - tag "fix": "Change the owner of a local interactive user’s home directories + desc "fix", "Change the owner of a local interactive user’s home directories to that owner. To change the owner of a local interactive user’s home directory, use the following command: diff --git a/controls/V-72021.rb b/controls/V-72021.rb index ad897f5fd..f144b26d8 100644 --- a/controls/V-72021.rb +++ b/controls/V-72021.rb 
@@ -1,13 +1,13 @@ # encoding: utf-8 # -exempt_home_users = attribute( +exempt_home_users = input( 'exempt_home_users', description: 'These are `home dir` exempt interactive accounts', value: [] ) -non_interactive_shells = attribute( +non_interactive_shells = input( 'non_interactive_shells', description: 'These shells do not allow a user to login', value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] @@ -29,7 +29,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['home_dirs'] - tag "check": "Verify the assigned home directory of all local interactive + desc "check", "Verify the assigned home directory of all local interactive users is group-owned by that user’s primary GID. Check the home directory assignment for all local interactive users on the @@ -48,7 +48,7 @@ If the user home directory referenced in \"/etc/passwd\" is not group-owned by that user’s primary GID, this is a finding. " - tag "fix": "Change the group owner of a local interactive user’s home + desc "fix", "Change the group owner of a local interactive user’s home directory to the group found in \"/etc/passwd\". To change the group owner of a local interactive user’s home directory, use the following command: diff --git a/controls/V-72023.rb b/controls/V-72023.rb index d18fd89ce..1b3ea42e5 100644 --- a/controls/V-72023.rb +++ b/controls/V-72023.rb @@ -1,13 +1,13 @@ # encoding: utf-8 # -exempt_home_users = attribute( +exempt_home_users = input( 'exempt_home_users', description: 'These are `home dir` exempt interactive accounts', value: [] ) -non_interactive_shells = attribute( +non_interactive_shells = input( 'non_interactive_shells', description: 'These shells do not allow a user to login', value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] 
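Review bot: The `non_interactive_shells` default list is duplicated verbatim here in V-72021 and V-72023 (and in every other home-directory control in this change), so a later edit to one copy silently changes which accounts that single control treats as interactive while its siblings disagree. With the move to `input(...)`, the default and description can be declared once under `inputs:` in `inspec.yml` and each control reduced to `non_interactive_shells = input('non_interactive_shells')`; the same applies to the repeated `exempt_home_users` declaration. While consolidating, note the list contains only `/sbin/nologin` and `/bin/false`: if the control body (outside this hunk) compares the `/etc/passwd` shell field literally, accounts created with `/usr/sbin/nologin` or `/usr/bin/false` would be treated as interactive and produce spurious findings, so it is worth confirming against the body and adding those paths if so.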
@@ -28,7 +28,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['home_dirs'] - tag "check": "Verify all files and directories in a local interactive user’s + desc "check", "Verify all files and directories in a local interactive user’s home directory are owned by the user. Check the owner of all files and directories in a local interactive user’s home @@ -44,7 +44,7 @@ If any files are found with an owner different than the home directory user, this is a finding." - tag "fix": "Change the owner of a local interactive user’s files and + desc "fix", "Change the owner of a local interactive user’s files and directories to that owner. To change the owner of a local interactive user’s files and directories, use the following command: diff --git a/controls/V-72025.rb b/controls/V-72025.rb index 9eec3d8b0..83248a1c7 100644 --- a/controls/V-72025.rb +++ b/controls/V-72025.rb @@ -1,13 +1,13 @@ # encoding: utf-8 # -exempt_home_users = attribute( +exempt_home_users = input( 'exempt_home_users', description: 'These are `home dir` exempt interactive accounts', value: [] ) -non_interactive_shells = attribute( +non_interactive_shells = input( 'non_interactive_shells', description: 'These shells do not allow a user to login', value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] @@ -28,7 +28,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['home_dirs'] - tag "check": "Verify all files and directories in a local interactive user + desc "check", "Verify all files and directories in a local interactive user home directory are group-owned by a group the user is a member of. Check the group owner of all files and directories in a local interactive 
@@ -52,7 +52,7 @@ If the user is not a member of a group that group owns file(s) in a local interactive user’s home directory, this is a finding." - tag "fix": "Change the group of a local interactive user’s files and + desc "fix", "Change the group of a local interactive user’s files and directories to a group that the interactive user is a member of. To change the group owner of a local interactive user’s files and directories, use the following command: diff --git a/controls/V-72027.rb b/controls/V-72027.rb index cd23364eb..495c6976c 100644 --- a/controls/V-72027.rb +++ b/controls/V-72027.rb @@ -1,13 +1,13 @@ # encoding: utf-8 # -exempt_home_users = attribute( +exempt_home_users = input( 'exempt_home_users', description: 'These are `home dir` exempt interactive accounts', value: [] ) -non_interactive_shells = attribute( +non_interactive_shells = input( 'non_interactive_shells', description: 'These shells do not allow a user to login', value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] @@ -27,7 +27,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['home_dirs'] - tag "check": "Verify all files and directories contained in a local + desc "check", "Verify all files and directories contained in a local interactive user home directory, excluding local initialization files, have a mode of \"0750\". @@ -46,7 +46,7 @@ If any files are found with a mode more permissive than \"0750\", this is a finding." - tag "fix": "Set the mode on files and directories in the local interactive + desc "fix", "Set the mode on files and directories in the local interactive user home directory with the following command: Note: The example will be for the user smithj, who has a home directory of diff --git a/controls/V-72029.rb b/controls/V-72029.rb index 68c6be7f5..15322ccbd 100644 --- a/controls/V-72029.rb +++ b/controls/V-72029.rb 
@@ -1,13 +1,13 @@ # encoding: utf-8 # -exempt_home_users = attribute( +exempt_home_users = input( 'exempt_home_users', description: 'These are `home dir` exempt interactive accounts', value: [] ) -non_interactive_shells = attribute( +non_interactive_shells = input( 'non_interactive_shells', description: 'These shells do not allow a user to login', value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] @@ -28,7 +28,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['init_files'] - tag "check": "Verify all local initialization files for interactive users are + desc "check", "Verify all local initialization files for interactive users are owned by the home directory user or root. Check the owner on all local initialization files with the following command: @@ -44,7 +44,7 @@ If any file that sets a local interactive user’s environment variables to override the system is not owned by the home directory owner or root, this is a finding." - tag "fix": "Set the owner of the local initialization files for interactive + desc "fix", "Set the owner of the local initialization files for interactive users to either the directory owner or root with the following command: Note: The example will be for the smithj user, who has a home directory of diff --git a/controls/V-72031.rb b/controls/V-72031.rb index afdbed035..5c23e6da7 100644 --- a/controls/V-72031.rb +++ b/controls/V-72031.rb @@ -1,13 +1,13 @@ # encoding: utf-8 # -exempt_home_users = attribute( +exempt_home_users = input( 'exempt_home_users', description: 'These are `home dir` exempt interactive accounts', value: [] ) -non_interactive_shells = attribute( +non_interactive_shells = input( 'non_interactive_shells', description: 'These shells do not allow a user to login', value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] 
@@ -28,7 +28,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['init_files'] - tag "check": "Verify the local initialization files of all local interactive + desc "check", "Verify the local initialization files of all local interactive users are group-owned by that user’s primary Group Identifier (GID). Check the home directory assignment for all non-privileged users on the system @@ -57,7 +57,7 @@ If all local interactive users’ initialization files are not group-owned by that user’s primary GID, this is a finding." - tag "fix": "Change the group owner of a local interactive user’s files to the + desc "fix", "Change the group owner of a local interactive user’s files to the group found in \"/etc/passwd\" for the user. To change the group owner of a local interactive user home directory, use the following command: diff --git a/controls/V-72033.rb b/controls/V-72033.rb index 854fd089b..0d02f08c4 100644 --- a/controls/V-72033.rb +++ b/controls/V-72033.rb @@ -1,13 +1,13 @@ # encoding: utf-8 # -exempt_home_users = attribute( +exempt_home_users = input( 'exempt_home_users', description: 'These are `home dir` exempt interactive accounts', value: [] ) -non_interactive_shells = attribute( +non_interactive_shells = input( 'non_interactive_shells', description: 'These shells do not allow a user to login', value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] @@ -27,7 +27,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['init_files'] - tag "check": "Verify that all local initialization files have a mode of + desc "check", "Verify that all local initialization files have a mode of \"0740\" or less permissive. Check the mode on all local initialization files with the following command: 
@@ -42,7 +42,7 @@ If any local initialization files have a mode more permissive than \"0740\", this is a finding." - tag "fix": "Set the mode of the local initialization files to \"0740\" with + desc "fix", "Set the mode of the local initialization files to \"0740\" with the following command: Note: The example will be for the smithj user, who has a home directory of diff --git a/controls/V-72035.rb b/controls/V-72035.rb index ed4ff8e7e..3e5115e28 100644 --- a/controls/V-72035.rb +++ b/controls/V-72035.rb @@ -1,13 +1,13 @@ # encoding: utf-8 # -exempt_home_users = attribute( +exempt_home_users = input( 'exempt_home_users', description: 'These are `home dir` exempt interactive accounts', value: [] ) -non_interactive_shells = attribute( +non_interactive_shells = input( 'non_interactive_shells', description: 'These shells do not allow a user to login', value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] @@ -35,7 +35,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['init_files'] - tag "check": "Verify that all local interactive user initialization files' + desc "check", "Verify that all local interactive user initialization files' executable search path statements do not contain statements that will reference a working directory other than the users’ home directory. @@ -52,7 +52,7 @@ If any local interactive user initialization files have executable search path statements that include directories outside of their home directory, this is a finding." - tag "fix": "Edit the local interactive user initialization files to change + desc "fix", "Edit the local interactive user initialization files to change any PATH variable statements that reference directories other than their home directory. diff --git a/controls/V-72037.rb b/controls/V-72037.rb index 796fb096a..6d37d7a73 100644 --- a/controls/V-72037.rb +++ b/controls/V-72037.rb 
@@ -1,19 +1,19 @@ # encoding: utf-8 -disable_slow_controls = attribute( +disable_slow_controls = input( 'disable_slow_controls', value: false, description: 'If enabled, this attribute disables this control and other controls that consistently take a long time to complete.' ) -exempt_home_users = attribute( +exempt_home_users = input( 'exempt_home_users', description: 'These are `home dir` exempt interactive accounts', value: [] ) -non_interactive_shells = attribute( +non_interactive_shells = input( 'non_interactive_shells', description: 'These shells do not allow a user to login', value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] @@ -41,7 +41,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['init_files'] - tag "check": "Verify that local initialization files do not execute + desc "check", "Verify that local initialization files do not execute world-writable programs. Check the system for world-writable files with the following command: @@ -58,7 +58,7 @@ If any local initialization files are found to reference world-writable files, this is a finding." - tag "fix": "Set the mode on files being executed by the local initialization + desc "fix", "Set the mode on files being executed by the local initialization files with the following command: # chmod 0755 " diff --git a/controls/V-72039.rb b/controls/V-72039.rb index eb878ed9c..14114ffd4 100644 --- a/controls/V-72039.rb +++ b/controls/V-72039.rb @@ -1,7 +1,7 @@ # encoding: utf-8 # -virtual_machine = attribute( +virtual_machine = input( 'virtual_machine', value: false, description: 'Is the target expected to be a virtual machine') 
@@ -20,8 +20,9 @@ tag "cci": ["CCI-000318", "CCI-000368", "CCI-001812", "CCI-001813", "CCI-001814"] tag "documentable": false + tag "subsystems": ['system_device', 'device_files'] tag "nist": ["CM-3 f", "CM-6 c", "CM-11 (2)", "CM-5 (1)", "CM-5 (1)", "Rev_4"] - tag "check": "Verify that all system device files are correctly labeled to + desc "check", "Verify that all system device files are correctly labeled to prevent unauthorized modification. List all device files on the system that are incorrectly labeled with the @@ -43,7 +44,7 @@ If there is output from either of these commands, other than already noted, this is a finding." - tag "fix": "Run the following command to determine which package owns the + desc "fix", "Run the following command to determine which package owns the device file: # rpm -qf @@ -58,6 +59,7 @@ # sudo rpm -Uvh " tag "fix_id": "F-78391r1_fix" + tag "dangerous": { :reason => "Uses global find command" } findings = Set[] diff --git a/controls/V-72041.rb b/controls/V-72041.rb index 7cbb680a9..90fea3b50 100644 --- a/controls/V-72041.rb +++ b/controls/V-72041.rb @@ -17,7 +17,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['home_dirs', 'file_system'] - tag "check": "Verify file systems that contain user home directories are + desc "check", "Verify file systems that contain user home directories are mounted with the \"nosuid\" option. Find the file system(s) that contain the user home directories with the @@ -40,7 +40,7 @@ If a file system found in \"/etc/fstab\" refers to the user home directory file system and it does not have the \"nosuid\" option set, this is a finding." - tag "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file + desc "fix", "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that contain user home directories." tag "fix_id": "F-78393r2_fix" diff --git a/controls/V-72043.rb b/controls/V-72043.rb index 0f26181d8..1cae8ec9d 100644 
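Review bot: The new `tag "dangerous": { :reason => "Uses global find command" }` in V-72039 is the only hash-valued tag in this change and uses hash-rocket syntax, whereas the same file writes symbol keys as `value:` / `description:` in its `input(...)` call; `tag "dangerous": { reason: "Uses global find command" }` keeps it consistent. More importantly, if a full-filesystem `find` is why the control is marked dangerous, that is the same reason V-71849, V-71855 and V-72037 declare a `disable_slow_controls` input, and no such gate appears in the hunks shown for this file (lines 8–19 and the body after `findings = Set[]` are outside the diff); if it is absent, consider gating V-72039 the same way the sibling controls do. If the tag is instead meant to drive a filter, a one-line comment naming which runner or rake task reads `dangerous` would help the next maintainer.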
--- a/controls/V-72043.rb +++ b/controls/V-72043.rb @@ -1,7 +1,7 @@ # encoding: utf-8 # -non_removable_media_fs = attribute( +non_removable_media_fs = input( 'non_removable_media_fs', value: ['xfs', 'ext4', 'swap', 'tmpfs'], description: "File systems that don't correspond to removable media" @@ -24,7 +24,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['file_system', 'removable_media'] - tag "check": "Verify file systems that are used for removable media are + desc "check", "Verify file systems that are used for removable media are mounted with the \"nouid\" option. Check the file systems that are mounted at boot time with the following command: @@ -36,7 +36,7 @@ If a file system found in \"/etc/fstab\" refers to removable media and it does not have the \"nosuid\" option set, this is a finding." - tag "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file + desc "fix", "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that are associated with removable media." tag "fix_id": "F-78395r1_fix" diff --git a/controls/V-72045.rb b/controls/V-72045.rb index 1c2595d3b..f763c2128 100644 --- a/controls/V-72045.rb +++ b/controls/V-72045.rb @@ -18,7 +18,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystem": ['nfs', 'file_system'] - tag "check": "Verify file systems that are being NFS exported are mounted + desc "check", "Verify file systems that are being NFS exported are mounted with the \"nosuid\" option. Find the file system(s) that contain the directories being exported with the @@ -31,7 +31,7 @@ If a file system found in \"/etc/fstab\" refers to NFS and it does not have the \"nosuid\" option set, this is a finding." - tag "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file + desc "fix", "Configure the \"/etc/fstab\" to use the \"nosuid\" option on file systems that are being exported via NFS." tag "fix_id": "F-78397r1_fix" 
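Review bot: The V-72043 check text still reads `mounted with the \"nouid\" option.` on the context line directly after the rewritten `desc "check"` line, while the finding criterion two lines later and the `desc "fix"` text both say `nosuid`, which is the mount option that actually exists. If this string is meant to mirror the published STIG text verbatim the typo may be deliberate, but since the description is being rewritten here this is the moment to correct it to `mounted with the \"nosuid\" option.` so the documented check matches what the control body (outside this hunk) presumably tests.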
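Review bot: V-72045 tags its subsystems as `tag "subsystem": ['nfs', 'file_system']` (singular) on the context line just above the converted `desc "check"`, while every other control in this change uses `tag "subsystems"` (V-72041 and V-72043 in the hunks immediately before it). Anything that selects or reports controls by the `subsystems` tag will silently skip this one; change it to `tag "subsystems": ['nfs', 'file_system']`.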
diff --git a/controls/V-72047.rb b/controls/V-72047.rb index 324d22d31..c9ddc7f41 100644 --- a/controls/V-72047.rb +++ b/controls/V-72047.rb @@ -1,7 +1,7 @@ # encoding: utf-8 # -application_groups = attribute( +application_groups = input( 'application_groups', description: 'Known application groups that are allowed to have world-writeable files or directories', value: [] @@ -28,8 +28,9 @@ tag "stig_id": "RHEL-07-021030" tag "cci": ["CCI-000366"] tag "documentable": false + tag "subsystems": ['world_writable', 'ww_dirs'] tag "nist": ["CM-6 b", "Rev_4"] - tag "check": "Verify all world-writable directories are group-owned by root, + desc "check", "Verify all world-writable directories are group-owned by root, sys, bin, or an application group. Check the system for world-writable directories with the following command: @@ -44,7 +45,7 @@ If any world-writable directories are not owned by root, sys, bin, or an application group associated with the directory, this is a finding." - tag "fix": "Change the group of the world-writable directories to root with + desc "fix", "Change the group of the world-writable directories to root with the following command: # chgrp root " diff --git a/controls/V-72049.rb b/controls/V-72049.rb index ba5bc05b9..c6378310f 100644 --- a/controls/V-72049.rb +++ b/controls/V-72049.rb @@ -18,7 +18,7 @@ tag "documentable": false tag "nist": ["CM-3 f", "CM-6 c", "CM-11 (2)", "CM-5 (1)", "CM-5 (1)", "Rev_4"] tag "subsystems": ['init_files', 'home_dirs'] - tag "check": "Verify that the default umask for all local interactive users + desc "check", "Verify that the default umask for all local interactive users is \"077\". Identify the locations of all local interactive user home directories by 
@@ -34,7 +34,7 @@ If any local interactive user initialization files are found to have a umask statement that has a value less restrictive than \"077\", this is a finding." - tag "fix": "Remove the umask statement from all local interactive users’ + desc "fix", "Remove the umask statement from all local interactive users’ initialization files. If the account is for an application, the requirement for a umask less diff --git a/controls/V-72051.rb b/controls/V-72051.rb index 9d17985cd..ccadce4ef 100644 --- a/controls/V-72051.rb +++ b/controls/V-72051.rb @@ -1,7 +1,7 @@ # encoding: utf-8 # -log_pkg_path = attribute( +log_pkg_path = input( 'log_pkg_path', value: '/etc/rsyslog.conf', description: "The path to the logging package" @@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['cron', 'rsyslog'] - tag "check": "Verify that \"rsyslog\" is configured to log cron events. + desc "check", "Verify that \"rsyslog\" is configured to log cron events. Check the configuration of \"/etc/rsyslog.conf\" for the cron facility with the following command: @@ -46,7 +46,7 @@ If the entry is in the \"/etc/rsyslog.conf\" file but is after the entry \"*.*\", this is a finding." - tag "fix": "Configure \"rsyslog\" to log all cron messages by adding or + desc "fix", "Configure \"rsyslog\" to log all cron messages by adding or updating the following line to \"/etc/rsyslog.conf\": cron.* /var/log/cron.log diff --git a/controls/V-72053.rb b/controls/V-72053.rb index d1ba085ea..174085317 100644 --- a/controls/V-72053.rb +++ b/controls/V-72053.rb @@ -14,7 +14,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['cron'] - tag "check": "Verify that the \"cron.allow\" file is owned by root. + desc "check", "Verify that the \"cron.allow\" file is owned by root. Check the owner of the \"cron.allow\" file with the following command: 
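Review bot: The `log_pkg_path` input in V-72051 is described as `The path to the logging package`, but its default `/etc/rsyslog.conf` and the check text (`Check the configuration of \"/etc/rsyslog.conf\"`) show it is the rsyslog configuration file, not a package, so someone overriding it could reasonably pass a package name. Suggest `description: "Path to the rsyslog configuration file that is checked for the cron.* logging rule"`. The check text also states that a cron entry placed after a `*.*` rule is a finding, so if the control body (outside this hunk) only greps for the presence of `cron.*` it would miss that ordering case; worth confirming.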
@@ -23,7 +23,7 @@ If the \"cron.allow\" file exists and has an owner other than root, this is a finding." - tag "fix": "Set the owner on the \"/etc/cron.allow\" file to root with the + desc "fix", "Set the owner on the \"/etc/cron.allow\" file to root with the following command: # chown root /etc/cron.allow" diff --git a/controls/V-72055.rb b/controls/V-72055.rb index 6edca419d..7e8268333 100644 --- a/controls/V-72055.rb +++ b/controls/V-72055.rb @@ -13,7 +13,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['cron'] - tag "check": "Verify that the \"cron.allow\" file is group-owned by root. + desc "check", "Verify that the \"cron.allow\" file is group-owned by root. Check the group owner of the \"cron.allow\" file with the following command: @@ -22,7 +22,7 @@ If the \"cron.allow\" file exists and has a group owner other than root, this is a finding." - tag "fix": "Set the group owner on the \"/etc/cron.allow\" file to root with + desc "fix", "Set the group owner on the \"/etc/cron.allow\" file to root with the following command: # chgrp root /etc/cron.allow" diff --git a/controls/V-72057.rb b/controls/V-72057.rb index 45890e517..e5a0aea6b 100644 --- a/controls/V-72057.rb +++ b/controls/V-72057.rb @@ -14,7 +14,8 @@ tag "cci": ["CCI-000366"] tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] - tag "check": "Verify that kernel core dumps are disabled unless needed. + tag "subsystems": ['kdump', 'kernel'] + desc "check", "Verify that kernel core dumps are disabled unless needed. Check the status of the \"kdump\" service with the following command: @@ -30,7 +31,7 @@ Officer (ISSO). If the service is active and is not documented, this is a finding." - tag "fix": "If kernel core dumps are not required, disable the \"kdump\" + desc "fix", "If kernel core dumps are not required, disable the \"kdump\" service with the following command: # systemctl disable kdump.service 
diff --git a/controls/V-72059.rb b/controls/V-72059.rb index 9768466f3..429b6dbcc 100644 --- a/controls/V-72059.rb +++ b/controls/V-72059.rb @@ -1,13 +1,13 @@ # encoding: utf-8 # -exempt_home_users = attribute( +exempt_home_users = input( 'exempt_home_users', description: 'These are `home dir` exempt interactive accounts', value: [] ) -non_interactive_shells = attribute( +non_interactive_shells = input( 'non_interactive_shells', description: 'These shells do not allow a user to login', value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] @@ -27,7 +27,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['home_dirs', 'file_system'] - tag "check": "Verify that a separate file system/partition has been created + desc "check", "Verify that a separate file system/partition has been created for non-privileged local interactive user home directories. Check the home directory assignment for all non-privileged users (those with a @@ -55,7 +55,7 @@ If a separate entry for the file system/partition that contains the non-privileged interactive users' home directories does not exist, this is a finding." - tag "fix": "Migrate the \"/home\" directory onto a separate file + desc "fix", "Migrate the \"/home\" directory onto a separate file system/partition." tag "fix_id": "F-78411r1_fix" diff --git a/controls/V-72061.rb b/controls/V-72061.rb index b71b377fa..7ff135edc 100644 --- a/controls/V-72061.rb +++ b/controls/V-72061.rb @@ -3,7 +3,7 @@ control "V-72061" do title "The system must use a separate file system for /var." desc "The use of separate file systems for different paths can protect the -system from failures resulting from a file system becoming full or failing." + system from failures resulting from a file system becoming full or failing." impact 0.3 tag "gtitle": "SRG-OS-000480-GPOS-00227" tag "gid": "V-72061" 
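Review bot: The re-indented continuation line `+ system from failures resulting from a file system becoming full or failing.` in the V-72061 @@ -3,7 hunk sits inside a plain double-quoted string, so the leading whitespace added there appears to become part of the `desc` text rather than source formatting; the same applies to every re-indented body line of the `desc "check"`/`desc "fix"` strings in V-72061 @@ -11, V-72063 @@ -13 and V-72065 @@ -12. Any report or tooling that renders these descriptions will show the stray indentation and blank-line spacing exactly as embedded. Either keep the continuation lines at column 0 as the removed lines had them, or move the multi-line descriptions to squiggly heredocs, e.g. `desc "check", <<~CHECK` with an indented body and a closing `CHECK` line, which strips the common indentation at parse time. The enclosing `control` block ends outside this hunk.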
@@ -11,19 +11,22 @@ tag "stig_id": "RHEL-07-021320" tag "cci": ["CCI-000366"] tag "documentable": false + tag "fix_id": "F-78413r1_fix" + tag "subsystems": ['/var', 'file_system'] tag "nist": ["CM-6 b", "Rev_4"] - tag "check": "Verify that a separate file system/partition has been created -for \"/var\". + desc "check", "Verify that a separate file system/partition has been created + for \"/var\". -Check that a file system/partition has been created for \"/var\" with the -following command: + Check that a file system/partition has been created for \"/var\" with the + following command: -# grep /var /etc/fstab -UUID=c274f65f /var ext4 noatime,nobarrier 1 2 + # grep /var /etc/fstab + + UUID=c274f65f /var ext4 noatime,nobarrier 1 2 -If a separate entry for \"/var\" is not in use, this is a finding." - tag "fix": "Migrate the \"/var\" path onto a separate file system." - tag "fix_id": "F-78413r1_fix" + If a separate entry for \"/var\" is not in use, this is a finding." + + desc "fix", "Migrate the \"/var\" path onto a separate file system." describe mount('/var') do it { should be_mounted } diff --git a/controls/V-72063.rb b/controls/V-72063.rb index 2e6982f3e..065c2b98b 100644 --- a/controls/V-72063.rb +++ b/controls/V-72063.rb 
@@ -13,15 +13,16 @@ tag "cci": ["CCI-000366"] tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] - tag "check": "Determine if the \"/var/log/audit\" path is a separate file -system. + tag "subsystems": ['file_system'] + tag "fix_id": "F-78415r1_fix" + desc "check", "Determine if the \"/var/log/audit\" path is a separate file + system. -# grep /var/log/audit /etc/fstab + # grep /var/log/audit /etc/fstab -If no result is returned, \"/var/log/audit\" is not on a separate file system, -and this is a finding." - tag "fix": "Migrate the system audit data path onto a separate file system." - tag "fix_id": "F-78415r1_fix" + If no result is returned, \"/var/log/audit\" is not on a separate file system, + and this is a finding." + desc "fix", "Migrate the system audit data path onto a separate file system." describe mount('/var/log/audit') do it {should be_mounted} diff --git a/controls/V-72065.rb b/controls/V-72065.rb index 606cfa4b3..ba6cfe4ab 100644 --- a/controls/V-72065.rb +++ b/controls/V-72065.rb @@ -5,6 +5,7 @@ desc "The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing." impact 0.3 + tag "gtitle": "SRG-OS-000480-GPOS-00227" tag "gid": "V-72065" tag "rid": "SV-86689r1_rule" 
@@ -12,20 +13,23 @@ tag "cci": ["CCI-000366"] tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] - tag "check": "Verify that a separate file system/partition has been created -for \"/tmp\". + tag "subsystems": ['file_system', 'tmp'] + tag "fix_id": "F-78417r1_fix" + + desc "check", "Verify that a separate file system/partition has been created + for \"/tmp\". -Check that a file system/partition has been created for \"/tmp\" with the -following command: + Check that a file system/partition has been created for \"/tmp\" with the + following command: -# systemctl is-enabled tmp.mount -enabled + # systemctl is-enabled tmp.mount + enabled -If the \"tmp.mount\" service is not enabled, this is a finding." - tag "fix": "Start the \"tmp.mount\" service with the following command: + If the \"tmp.mount\" service is not enabled, this is a finding." -# systemctl enable tmp.mount" - tag "fix_id": "F-78417r1_fix" + desc "fix", "Start the \"tmp.mount\" service with the following command: + + # systemctl enable tmp.mount" describe systemd_service('tmp.mount') do it { should be_enabled } diff --git a/controls/V-72067.rb b/controls/V-72067.rb index 5e93eeeb9..19855d7ad 100644 --- a/controls/V-72067.rb +++ b/controls/V-72067.rb @@ -23,7 +23,7 @@ tag "documentable": false tag "nist": ["AC-17 (2)", "SC-28", "SC-13", "SC-28 (1)", "Rev_4"] tag "subsystems": ['fips'] - tag "check": "Verify the operating system implements DoD-approved encryption + desc "check", "Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions. Check to see if the \"dracut-fips\" package is installed with the following 
@@ -54,7 +54,7 @@ If a \"dracut-fips\" package is not installed, the kernel command line does not have a fips entry, or the system has a value of \"0\" for \"fips_enabled\" in \"/proc/sys/crypto\", this is a finding." - tag "fix": "Configure the operating system to implement DoD-approved + desc "fix", "Configure the operating system to implement DoD-approved encryption by installing the dracut-fips package. To enable strict FIPS compliance, the fips=1 kernel option needs to be added to diff --git a/controls/V-72069.rb b/controls/V-72069.rb index 81584bcd8..e583c0d0a 100644 --- a/controls/V-72069.rb +++ b/controls/V-72069.rb @@ -14,7 +14,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['aide'] - tag "check": "Verify the file integrity tool is configured to verify ACLs. + desc "check", "Verify the file integrity tool is configured to verify ACLs. Check to see if Advanced Intrusion Detection Environment (AIDE) is installed on the system with the following command: @@ -46,7 +46,7 @@ If the \"acl\" rule is not being used on all selection lines in the \"/etc/aide.conf\" file, or ACLs are not being checked by another file integrity tool, this is a finding." - tag "fix": "Configure the file integrity tool to check file and directory + desc "fix", "Configure the file integrity tool to check file and directory ACLs. If AIDE is installed, ensure the \"acl\" rule is present on all file and diff --git a/controls/V-72071.rb b/controls/V-72071.rb index 875aa4984..91fda589d 100644 --- a/controls/V-72071.rb +++ b/controls/V-72071.rb @@ -14,7 +14,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['aide'] - tag "check": "Verify the file integrity tool is configured to verify extended + desc "check", "Verify the file integrity tool is configured to verify extended attributes. Check to see if Advanced Intrusion Detection Environment (AIDE) is installed on 
@@ -47,7 +47,7 @@ If the \"xattrs\" rule is not being used on all selection lines in the \"/etc/aide.conf\" file, or extended attributes are not being checked by another file integrity tool, this is a finding." - tag "fix": "Configure the file integrity tool to check file and directory + desc "fix", "Configure the file integrity tool to check file and directory extended attributes. If AIDE is installed, ensure the \"xattrs\" rule is present on all file and diff --git a/controls/V-72073.rb b/controls/V-72073.rb index 7829f9de3..e0c924039 100644 --- a/controls/V-72073.rb +++ b/controls/V-72073.rb @@ -15,7 +15,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['aide'] - tag "check": "Verify the file integrity tool is configured to use FIPS 140-2 + desc "check", "Verify the file integrity tool is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories. Note: If RHEL-07-021350 is a finding, this is automatically a finding as the @@ -52,7 +52,7 @@ \"/etc/aide.conf\" file, or another file integrity tool is not using FIPS 140-2 approved cryptographic hashes for validating file contents and directories, this is a finding." - tag "fix": "Configure the file integrity tool to use FIPS 140-2 cryptographic + desc "fix", "Configure the file integrity tool to use FIPS 140-2 cryptographic hashes for validating file and directory contents. If AIDE is installed, ensure the \"sha512\" rule is present on all file and diff --git a/controls/V-72075.rb b/controls/V-72075.rb index d02c7ac7c..25cbbba09 100644 --- a/controls/V-72075.rb +++ b/controls/V-72075.rb 
@@ -17,7 +17,7 @@ tag "documentable": false tag "nist": ["CM-3 f", "CM-6 c", "CM-11 (2)", "CM-5 (1)", "CM-5 (1)", "Rev_4"] tag "subsystems": ['grub'] - tag "check": "Verify the system is not configured to use a boot loader on + desc "check", "Verify the system is not configured to use a boot loader on removable media. Note: GRUB 2 reads its configuration from the \"/boot/grub2/grub.cfg\" file on @@ -46,7 +46,7 @@ If the system is using an alternate boot loader on removable media, and documentation does not exist approving the alternate configuration, this is a finding." - tag "fix": "Remove alternate methods of booting the system from removable + desc "fix", "Remove alternate methods of booting the system from removable media or document the configuration to boot from removable media with the ISSO." tag "fix_id": "F-78427r1_fix" diff --git a/controls/V-72077.rb b/controls/V-72077.rb index 292344254..9778502c7 100644 --- a/controls/V-72077.rb +++ b/controls/V-72077.rb @@ -28,7 +28,7 @@ tag "documentable": false tag "nist": ["CM-7 a", "Rev_4"] tag "subsystems": ['packages'] - tag "check": "Verify the operating system is configured to disable + desc "check", "Verify the operating system is configured to disable non-essential capabilities. The most secure way of ensuring a non-essential capability is disabled is to not have the capability installed. @@ -45,7 +45,7 @@ # yum list installed | grep telnet-server If the telnet-server package is installed, this is a finding." - tag "fix": "Configure the operating system to disable non-essential + desc "fix", "Configure the operating system to disable non-essential capabilities by removing the telnet-server package from the system with the following command: diff --git a/controls/V-72079.rb b/controls/V-72079.rb index 8c2361a9f..f45edb28f 100644 --- a/controls/V-72079.rb +++ b/controls/V-72079.rb 
@@ -34,7 +34,7 @@ tag "documentable": false tag "nist": ["AU-2 d", "AU-3", "Rev_4"] tag "subsystems": ['audit', 'auditd'] - tag "check": "Verify the operating system produces audit records containing + desc "check", "Verify the operating system produces audit records containing information to establish when (date and time) the events occurred. Check to see if auditing is active by issuing the following command: @@ -43,7 +43,7 @@ Active: active (running) since Tue 2015-01-27 19:41:23 EST; 22h ago If the \"auditd\" status is not active, this is a finding." - tag "fix": "Configure the operating system to produce audit records + desc "fix", "Configure the operating system to produce audit records containing information to establish when (date and time) the events occurred. Enable the auditd service with the following command: diff --git a/controls/V-72081.rb b/controls/V-72081.rb index 161e3b1d4..86d739469 100644 --- a/controls/V-72081.rb +++ b/controls/V-72081.rb @@ -1,7 +1,7 @@ # encoding: utf-8 # -monitor_kernel_log = attribute( +monitor_kernel_log = input( 'monitor_kernel_log', description: 'Set this to false if your system availability concern is not documented or there is no monitoring of the kernel log', @@ -46,7 +46,7 @@ tag "documentable": false tag "nist": ["AU-5 a", "Rev_4"] tag "subsystems": ['audit', 'auditd'] - tag "check": "Confirm the audit configuration regarding how auditing processing + desc "check", "Confirm the audit configuration regarding how auditing processing failures are handled. Check to see what level \"auditctl\" is set to with following command: @@ -70,7 +70,7 @@ documented or there is no monitoring of the kernel log, this is a CAT III finding. " - tag "fix": "Configure the operating system to shut down in the event of an + desc "fix", "Configure the operating system to shut down in the event of an audit processing failure. Add or correct the option to shut down the operating system with the following 
diff --git a/controls/V-72083.rb b/controls/V-72083.rb index 47a2b3fae..1b41e5abc 100644 --- a/controls/V-72083.rb +++ b/controls/V-72083.rb @@ -20,7 +20,7 @@ tag "documentable": false tag "nist": ["AU-4 (1)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audisp'] - tag "check": "Verify the operating system off-loads audit records onto a different + desc "check", "Verify the operating system off-loads audit records onto a different system or media from the system being audited. To determine the remote server that the records are being sent to, use the @@ -35,7 +35,7 @@ If there is no evidence that the audit logs are being off-loaded to another system or media, this is a finding." - tag "fix": "Configure the operating system to off-load audit records onto a + desc "fix", "Configure the operating system to off-load audit records onto a different system or media from the system being audited. Set the remote server option in \"/etc/audisp/audisp-remote.conf\" with the IP diff --git a/controls/V-72085.rb b/controls/V-72085.rb index 5167a8853..ddf6e4850 100644 --- a/controls/V-72085.rb +++ b/controls/V-72085.rb @@ -20,7 +20,7 @@ tag "documentable": false tag "nist": ["AU-4 (1)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audisp'] - tag "check": "Verify the operating system encrypts audit records off-loaded + desc "check", "Verify the operating system encrypts audit records off-loaded onto a different system or media from the system being audited. To determine if the transfer is encrypted, use the following command: @@ -34,7 +34,7 @@ If there is no evidence that the transfer of the audit logs being off-loaded to another system or media is encrypted, this is a finding." - tag "fix": "Configure the operating system to encrypt the transfer of + desc "fix", "Configure the operating system to encrypt the transfer of off-loaded audit records onto a different system or media from the system being audited. 
diff --git a/controls/V-72087.rb b/controls/V-72087.rb index 7d65917be..c328280f5 100644 --- a/controls/V-72087.rb +++ b/controls/V-72087.rb @@ -14,7 +14,7 @@ tag "documentable": false tag "nist": ["AU-4 (1)", "Rev_4"] tag "subsystems": ['audit', 'auditd'] - tag "check": "Verify the action the operating system takes if the disk the audit + desc "check", "Verify the action the operating system takes if the disk the audit records are written to becomes full. To determine the action that takes place if the disk is full on the remote @@ -34,7 +34,7 @@ If the value of the \"disk_full_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented out, this is a finding." - tag "fix": "Configure the action the operating system takes if the disk the + desc "fix", "Configure the action the operating system takes if the disk the audit records are written to becomes full. Uncomment or edit the \"disk_full_action\" option in diff --git a/controls/V-72089.rb b/controls/V-72089.rb index e2746cc18..4425052e6 100644 --- a/controls/V-72089.rb +++ b/controls/V-72089.rb @@ -17,7 +17,7 @@ tag "documentable": false tag "nist": ["AU-5 (1)", "Rev_4"] tag "subsystems": ['auditd'] - tag "check": "Verify the operating system immediately notifies the SA and + desc "check", "Verify the operating system immediately notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. @@ -49,7 +49,7 @@ If the value of the \"space_left\" keyword is not set to 25 percent of the total partition size, this is a finding." - tag "fix": "Configure the operating system to immediately notify the SA and + desc "fix", "Configure the operating system to immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. 
diff --git a/controls/V-72091.rb b/controls/V-72091.rb index 3393246a0..31e0bcb8d 100644 --- a/controls/V-72091.rb +++ b/controls/V-72091.rb @@ -17,7 +17,7 @@ tag "documentable": false tag "nist": ["AU-5 (1)", "Rev_4"] tag "subsystems": ['audit', 'auditd'] - tag "check": "Verify the operating system immediately notifies the SA and + desc "check", "Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. @@ -30,7 +30,7 @@ If the value of the \"space_left_action\" keyword is not set to \"email\", this is a finding." - tag "fix": "Configure the operating system to immediately notify the SA and + desc "fix", "Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. diff --git a/controls/V-72093.rb b/controls/V-72093.rb index a51cde3bb..4f272668c 100644 --- a/controls/V-72093.rb +++ b/controls/V-72093.rb @@ -16,7 +16,7 @@ tag "documentable": false tag "nist": ["AU-5 (1)", "Rev_4"] tag "subsystems": ['audit', 'auditd'] - tag "check": "Verify the operating system immediately notifies the SA and + desc "check", "Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. @@ -29,7 +29,7 @@ If the value of the \"action_mail_acct\" keyword is not set to \"root\" and other accounts for security personnel, this is a finding." - tag "fix": "Configure the operating system to immediately notify the SA and + desc "fix", "Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. diff --git a/controls/V-72095.rb b/controls/V-72095.rb index 1ea979dd5..a8fe208e4 100644 
--- a/controls/V-72095.rb +++ b/controls/V-72095.rb @@ -18,7 +18,7 @@ tag "nist": ["AC-6 (9)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] tag "filesystem_heavy": true - tag "check": "Verify the operating system audits the execution of privileged + desc "check", "Verify the operating system audits the execution of privileged functions. To find relevant setuid and setgid programs, use the following command once for @@ -38,7 +38,7 @@ If all \"setuid\"/\"setgid\" files on the system do not have audit rule coverage, this is a finding." - tag "fix": "Configure the operating system to audit the execution of + desc "fix", "Configure the operating system to audit the execution of privileged functions. To find the relevant \"setuid\"/\"setgid\" programs, run the following command diff --git a/controls/V-72097.rb b/controls/V-72097.rb index d815e78dd..4b21d80b9 100644 --- a/controls/V-72097.rb +++ b/controls/V-72097.rb @@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-2 d", "AU-12 c", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chown\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following @@ -41,7 +41,7 @@ If there are no audit rules defined for the \"chown\" command, this is a finding. " - tag "fix": "Add or update the following rule in + desc "fix", "Add or update the following rule in \"/etc/audit/rules.d/audit.rules\": Note: The rules are duplicated to cover both 32-bit and 64-bit architectures. diff --git a/controls/V-72099.rb b/controls/V-72099.rb index 50db2e5da..ba53bb9a1 100644 --- a/controls/V-72099.rb +++ b/controls/V-72099.rb 
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-2 d", "AU-12 c", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fchown\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following @@ -41,7 +41,7 @@ If there are no audit rules defined for the \"fchown\" command, this is a finding. " - tag "fix": "Add or update the following rule in + desc "fix", "Add or update the following rule in \"/etc/audit/rules.d/audit.rules\": Note: The rules are duplicated to cover both 32-bit and 64-bit architectures. diff --git a/controls/V-72101.rb b/controls/V-72101.rb index 9d10b0d67..85163dd6b 100644 --- a/controls/V-72101.rb +++ b/controls/V-72101.rb @@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-2 d", "AU-12 c", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"lchown\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following @@ -40,7 +40,7 @@ If there are no audit rules defined for the \"lchown\" command, this is a finding." - tag "fix": "Add or update the following rule in + desc "fix", "Add or update the following rule in \"/etc/audit/rules.d/audit.rules\": Note: The rules are duplicated to cover both 32-bit and 64-bit architectures. diff --git a/controls/V-72103.rb b/controls/V-72103.rb index 693578f78..f2619cb23 100644 --- a/controls/V-72103.rb +++ b/controls/V-72103.rb 
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-2 d", "AU-12 c", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fchownat\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following @@ -41,7 +41,7 @@ If there are no audit rules defined for the \"fchownat\" command, this is a finding. " - tag "fix": "Add or update the following rule in + desc "fix", "Add or update the following rule in \"/etc/audit/rules.d/audit.rules\": Note: The rules are duplicated to cover both 32-bit and 64-bit architectures. diff --git a/controls/V-72105.rb b/controls/V-72105.rb index 75eb82188..bf3cde692 100644 --- a/controls/V-72105.rb +++ b/controls/V-72105.rb @@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chmod\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following @@ -40,7 +40,7 @@ If there are no audit rules defined for the \"chmod\" command, this is a finding." - tag "fix": "Configure the operating system to generate audit records when + desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chmod\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\": diff --git a/controls/V-72107.rb b/controls/V-72107.rb index b2f5f6e28..2aacc1353 100644 --- a/controls/V-72107.rb +++ b/controls/V-72107.rb 
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fchmod\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following @@ -40,7 +40,7 @@ If there are no audit rules defined for the \"fchmod\" command, this is a finding." - tag "fix": "Configure the operating system to generate audit records when + desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"fchmod\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\": diff --git a/controls/V-72109.rb b/controls/V-72109.rb index e64f35a0b..8f6f54308 100644 --- a/controls/V-72109.rb +++ b/controls/V-72109.rb @@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fchmodat\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following @@ -39,7 +39,7 @@ If there are no audit rules defined for the \"fchmodat\" command, this is a finding." - tag "fix": "Configure the operating system to generate audit records when + desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"fchmodat\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\": diff --git a/controls/V-72111.rb b/controls/V-72111.rb index 5edf6d949..0eaf40d45 100644 --- a/controls/V-72111.rb +++ b/controls/V-72111.rb 
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"setxattr\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following @@ -41,7 +41,7 @@ If there are no audit rules defined for the \"setxattr\" command, this is a finding. " - tag "fix": "Configure the operating system to generate audit records when + desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"setxattr\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\": diff --git a/controls/V-72113.rb b/controls/V-72113.rb index d1f63c20e..f1c4d0d13 100644 --- a/controls/V-72113.rb +++ b/controls/V-72113.rb @@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fsetxattr\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following @@ -40,7 +40,7 @@ If there are no audit rules defined for the \"fsetxattr\" command, this is a finding." - tag "fix": "Configure the operating system to generate audit records when + desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"fsetxattr\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\": diff --git a/controls/V-72115.rb b/controls/V-72115.rb index 0699ef018..3a05819aa 100644 --- a/controls/V-72115.rb +++ b/controls/V-72115.rb 
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"lsetxattr\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following @@ -41,7 +41,7 @@ If there are no audit rules defined for the \"lsetxattr\" command, this is a finding. " - tag "fix": "Configure the operating system to generate audit records when + desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"lsetxattr\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\": diff --git a/controls/V-72117.rb b/controls/V-72117.rb index a5df9b3bb..5f50694e5 100644 --- a/controls/V-72117.rb +++ b/controls/V-72117.rb @@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"removexattr\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following @@ -40,7 +40,7 @@ If there are no audit rules defined for the \"removexattr\" command, this is a finding." - tag "fix": "Configure the operating system to generate audit records when + desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"removexattr\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\": diff --git a/controls/V-72119.rb b/controls/V-72119.rb index 19147eabe..874582e99 100644 --- a/controls/V-72119.rb +++ b/controls/V-72119.rb 
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"fremovexattr\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following
@@ -40,7 +40,7 @@ If there are no audit rules defined for the \"fremovexattr\" command, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"fremovexattr\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72121.rb b/controls/V-72121.rb
index c2e18cac6..bbf7f61c6 100644
--- a/controls/V-72121.rb
+++ b/controls/V-72121.rb
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"lremovexattr\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following
@@ -40,7 +40,7 @@ If there are no audit rules defined for the \"lremovexattr\" command, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"lremovexattr\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72123.rb b/controls/V-72123.rb
index 82ae3a4c0..d7e7b17d6 100644
--- a/controls/V-72123.rb
+++ b/controls/V-72123.rb
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"creat\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following
@@ -49,7 +49,7 @@ If the output does not produce a rule containing \"-F exit=-EACCES\", this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"creat\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules:
diff --git a/controls/V-72125.rb b/controls/V-72125.rb
index adab10f00..dfa1eec78 100644
--- a/controls/V-72125.rb
+++ b/controls/V-72125.rb
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"open\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following
@@ -49,7 +49,7 @@ If the output does not produce a rule containing \"-F exit=-EACCES\", this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"open\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72127.rb b/controls/V-72127.rb
index 552235e34..fd50849b3 100644
--- a/controls/V-72127.rb
+++ b/controls/V-72127.rb
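Review bot: The `desc "fix"` text of V-72123 ends its visible context line with `\"/etc/audit/rules.d/audit.rules:` — the closing `\"` that every sibling control in this diff carries (V-72125 in the same group, for instance) is missing, so the rendered fix guidance shows an unbalanced quote around the path. Since the commit already rewrites the opening line of this string, the context line should be corrected in the same change to `Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":`. The string continues past the end of the hunk.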
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"openat\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following
@@ -49,7 +49,7 @@ If the output does not produce a rule containing \"-F exit=-EACCES\", this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"openat\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72129.rb b/controls/V-72129.rb
index 5f9042e52..c84b3c7e9 100644
--- a/controls/V-72129.rb
+++ b/controls/V-72129.rb
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"open_by_handle_at\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following
@@ -50,7 +50,7 @@ If the output does not produce a rule containing \"-F exit=-EACCES\", this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"open_by_handle_at\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72131.rb b/controls/V-72131.rb
index a4c0be975..567411d6a 100644
--- a/controls/V-72131.rb
+++ b/controls/V-72131.rb
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"truncate\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following
@@ -50,7 +50,7 @@ If the output does not produce a rule containing \"-F exit=-EACCES\", this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"truncate\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72133.rb b/controls/V-72133.rb
index 63b34ce20..5f5d13d50 100644
--- a/controls/V-72133.rb
+++ b/controls/V-72133.rb
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"ftruncate\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following
@@ -50,7 +50,7 @@ If the output does not produce a rule containing \"-F exit=-EACCES\", this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"ftruncate\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72135.rb b/controls/V-72135.rb
index 998b73896..1797375d8 100644
--- a/controls/V-72135.rb
+++ b/controls/V-72135.rb
@@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"semanage\" command occur. Check the file system rule in \"/etc/audit/audit.rules\" with the following
@@ -32,7 +32,7 @@ -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change If the command does not return any output, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"semanage\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72137.rb b/controls/V-72137.rb
index fb2d3d274..058ecd4da 100644
--- a/controls/V-72137.rb
+++ b/controls/V-72137.rb
@@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"setsebool\" command occur. Check the file system rule in \"/etc/audit/audit.rules\" with the following
@@ -32,7 +32,7 @@ -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change If the command does not return any output, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"setsebool\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72139.rb b/controls/V-72139.rb
index 29e7f367f..8e3e5c112 100644
--- a/controls/V-72139.rb
+++ b/controls/V-72139.rb
@@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chcon\" command occur. Check the file system rule in \"/etc/audit/audit.rules\" with the following
@@ -32,7 +32,7 @@ -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change If the command does not return any output, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chcon\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72141.rb b/controls/V-72141.rb
index 55733342f..e3ea64ad7 100644
--- a/controls/V-72141.rb
+++ b/controls/V-72141.rb
@@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"setfiles\" command occur. Check the file system rule in \"/etc/audit/audit.rules\" with the following
@@ -32,7 +32,7 @@ -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -k -F privileged-priv_change If the command does not return any output, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"setfiles\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72143.rb b/controls/V-72143.rb
index c6da77a54..be8452d8a 100644
--- a/controls/V-72143.rb
+++ b/controls/V-72143.rb
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-2 d", "AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful account access count events occur. Check the file system rule in \"/etc/audit/audit.rules\" with the following
@@ -33,7 +33,7 @@ -w /var/log/tallylog -p wa -k logins If the command does not return any output, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful account access count events occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
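Review bot: The expected rule quoted in V-72141's check text, `-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -k -F privileged-priv_change`, has a stray `-F` between `-k` and the key name; the other `privileged-priv_change` controls in this diff (V-72135, V-72137, V-72139) all read `-k privileged-priv_change`. An assessor comparing `auditctl -l` output against this text literally would not find a match on a correctly configured host, so the guidance misleads in the direction of false findings. Since the commit already rewrites the surrounding `desc "check"` string, this context line should become `-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change`. The test logic that actually matches the rule is outside the hunk and should be checked against the same expectation.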
diff --git a/controls/V-72145.rb b/controls/V-72145.rb
index 6a95ef5aa..96b5c18c1 100644
--- a/controls/V-72145.rb
+++ b/controls/V-72145.rb
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-2 d", "AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when unsuccessful account access events occur. Check the file system rule in \"/etc/audit/audit.rules\" with the following
@@ -33,7 +33,7 @@ -w /var/run/faillock -p wa -k logins If the command does not return any output, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when unsuccessful account access events occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72147.rb b/controls/V-72147.rb
index b17be5b27..cd3bf9c92 100644
--- a/controls/V-72147.rb
+++ b/controls/V-72147.rb
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-2 d", "AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when successful
+ desc "check", "Verify the operating system generates audit records when successful account access events occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following
@@ -33,7 +33,7 @@ -w /var/log/lastlog -p wa -k logins If the command does not return any output, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful account access events occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72149.rb b/controls/V-72149.rb
index 49e55df72..e3a127b97 100644
--- a/controls/V-72149.rb
+++ b/controls/V-72149.rb
@@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["AU-3 (1)", "AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"passwd\" command occur. Check the file system rule in \"/etc/audit/audit.rules\" with the following
@@ -32,7 +32,7 @@ -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd If the command does not return any output, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"passwd\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72151.rb b/controls/V-72151.rb
index c6abbb398..60155c412 100644
--- a/controls/V-72151.rb
+++ b/controls/V-72151.rb
@@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["AU-3 (1)", "AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"unix_chkpwd\" command occur. Check the file system rule in \"/etc/audit/audit.rules\" with the following
@@ -32,7 +32,7 @@ -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd If the command does not return any output, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"unix_chkpwd\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72153.rb b/controls/V-72153.rb
index dcc2ce952..818228229 100644
--- a/controls/V-72153.rb
+++ b/controls/V-72153.rb
@@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["AU-3 (1)", "AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"gpasswd\" command occur. Check the file system rule in \"/etc/audit/audit.rules\" with the following
@@ -32,7 +32,7 @@ -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd If the command does not return any output, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"gpasswd\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72155.rb b/controls/V-72155.rb
index b2a32ecb4..6b979c90c 100644
--- a/controls/V-72155.rb
+++ b/controls/V-72155.rb
@@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["AU-3 (1)", "AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chage\" command occur. Check the file system rule in \"/etc/audit/audit.rules\" with the following
@@ -32,7 +32,7 @@ -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd If the command does not return any output, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chage\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72157.rb b/controls/V-72157.rb
index 68db2586a..54bb0185b 100644
--- a/controls/V-72157.rb
+++ b/controls/V-72157.rb
@@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["AU-3 (1)", "AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"userhelper\" command occur. Check the file system rule in \"/etc/audit/audit.rules\" with the following
@@ -33,7 +33,7 @@ auid!=4294967295 -k privileged-passwd If the command does not return any output, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"userhelper\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72159.rb b/controls/V-72159.rb
index 9fbdee23c..7ed336f25 100644
--- a/controls/V-72159.rb
+++ b/controls/V-72159.rb
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-3", "AU-3 (1)", "AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"su\" command occur. Check for the following system call being audited by performing the following
@@ -33,7 +33,7 @@ -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change If the command does not return any output, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"su\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72161.rb b/controls/V-72161.rb
index d464c169f..6c3d4e860 100644
--- a/controls/V-72161.rb
+++ b/controls/V-72161.rb
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-3", "AU-3 (1)", "AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"sudo\" command occur. Check for the following system calls being audited by performing the following
@@ -33,7 +33,7 @@ -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change If the command does not return any output, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"sudo\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72163.rb b/controls/V-72163.rb
index 5aed4d69d..eea1687f0 100644
--- a/controls/V-72163.rb
+++ b/controls/V-72163.rb
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-3", "AU-3 (1)", "AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"sudoer\" command occur. Check for modification of the following files being audited by performing the
@@ -39,7 +39,7 @@ If the commands do not return output that does not match the examples, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"sudoer\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72165.rb b/controls/V-72165.rb
index fa0d35d12..bd386644b 100644
--- a/controls/V-72165.rb
+++ b/controls/V-72165.rb
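Review bot: The finding condition in V-72163's check text, `If the commands do not return output that does not match the examples, this is a finding.`, is a double negative that reads as the opposite of what the sibling controls state (`If the command does not return any output, this is a finding.`), so an assessor following it literally could record a pass when the sudoers watch rules are absent. Since the commit already rewrites the `desc "check"` string this line belongs to, the context line should be corrected to `If the commands do not return output that matches the examples, this is a finding.`. The enclosing string and the control's test logic both continue outside the hunk.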
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-3", "AU-3 (1)", "AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"newgrp\" command occur. Check for the following system call being audited by performing the following
@@ -33,7 +33,7 @@ -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change If the command does not return any output, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"newgrp\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72167.rb b/controls/V-72167.rb
index 92bbe5bd8..819e7770d 100644
--- a/controls/V-72167.rb
+++ b/controls/V-72167.rb
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-3", "AU-3 (1)", "AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"chsh\" command occur. Check for the following system call being audited by performing the following
@@ -33,7 +33,7 @@ -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change If the command does not return any output, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"chsh\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72169.rb b/controls/V-72169.rb
index dabc9962a..6d06f7c7b 100644
--- a/controls/V-72169.rb
+++ b/controls/V-72169.rb
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AU-3", "AU-3 (1)", "AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"sudoedit\" command occur. Check for the following system calls being audited by performing the following
@@ -33,7 +33,7 @@ -a always,exit -F path=/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change If the command does not return any output, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"sudoedit\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72171.rb b/controls/V-72171.rb
index 21fc4c5d7..025590690 100644
--- a/controls/V-72171.rb
+++ b/controls/V-72171.rb
@@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["AU-3 (1)", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"mount\" command occur. Check for the following system calls being audited by performing the following
@@ -43,7 +43,7 @@ -a always,exit -F arch=b64 -F path=/usr/bin/mount -F auid>=1000 -F auid!=4294967295 -k privileged-mount If all uses of the mount command are not being audited, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"mount\" command occur. Add or update the following rules in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72173.rb b/controls/V-72173.rb
index 48ae8d3a7..24c9add2e 100644
--- a/controls/V-72173.rb
+++ b/controls/V-72173.rb
@@ -20,7 +20,7 @@ tag "documentable": false tag "nist": ["AU-3 (1)", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"umount\" command occur. Check for the following system calls being audited by performing the following
@@ -32,7 +32,7 @@ -a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount If the command does not return any output, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"umount\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72175.rb b/controls/V-72175.rb
index 83a76fcf9..4337e72ed 100644
--- a/controls/V-72175.rb
+++ b/controls/V-72175.rb
@@ -20,7 +20,7 @@ tag "documentable": false tag "nist": ["AU-3 (1)", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"postdrop\" command occur. Check for the following system call being audited by performing the following
@@ -31,7 +31,7 @@ -a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix If the command does not return any output, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"postdrop\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72177.rb b/controls/V-72177.rb
index c2e65a716..fd1aa20f2 100644
--- a/controls/V-72177.rb
+++ b/controls/V-72177.rb
@@ -20,7 +20,7 @@ tag "documentable": false tag "nist": ["AU-3 (1)", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"postqueue\" command occur. Check for the following system call being audited by performing the following
@@ -31,7 +31,7 @@ -a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-postfix If the command does not return any output, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"postqueue\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72179.rb b/controls/V-72179.rb
index 89c7968d4..4477a0466 100644
--- a/controls/V-72179.rb
+++ b/controls/V-72179.rb
@@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["AU-3 (1)", "AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule']
- tag "check": "Verify the operating system generates audit records when
+ desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"ssh-keysign\" command occur. Check for the following system call being audited by performing the following
@@ -32,7 +32,7 @@ -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh If the command does not return any output, this is a finding."
- tag "fix": "Configure the operating system to generate audit records when
+ desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"ssh-keysign\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\":
diff --git a/controls/V-72181.rb b/controls/V-72181.rb
index c67b699d1..df50b4d97 100644
--- a/controls/V-72181.rb
+++ b/controls/V-72181.rb
@@ -25,7 +25,7 @@ tag "cci": "CCI-002884" tag "nist": ["MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"pt_chown\" command occur. Check for the following system call being audited by performing the following @@ -37,7 +37,7 @@ auid!=4294967295 -k privileged_terminal If the command does not return any output, this is a finding." - tag "fix": "Configure the operating system to generate audit records when + desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"pt_chown\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\": diff --git a/controls/V-72183.rb b/controls/V-72183.rb index ba16a32a4..e65ab5cda 100644 --- a/controls/V-72183.rb +++ b/controls/V-72183.rb @@ -20,7 +20,7 @@ tag "documentable": false tag "nist": ["AU-3 (1)", "AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"crontab\" command occur. Check for the following system call being audited by performing the following @@ -31,7 +31,7 @@ -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron If the command does not return any output, this is a finding." - tag "fix": "Configure the operating system to generate audit records when + desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"crontab\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\": 
diff --git a/controls/V-72185.rb b/controls/V-72185.rb index d75a194c8..7cf78c7ca 100644 --- a/controls/V-72185.rb +++ b/controls/V-72185.rb @@ -14,7 +14,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"pam_timestamp_check\" command occur. @@ -26,7 +26,7 @@ -a always,exit -F path=/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam If the command does not return any output, this is a finding." - tag "fix": "Configure the operating system to generate audit records when + desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"pam_timestamp_check\" command occur. diff --git a/controls/V-72187.rb b/controls/V-72187.rb index 2e0e38986..e061f77ec 100644 --- a/controls/V-72187.rb +++ b/controls/V-72187.rb @@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"init_module\" command occur. Check the auditing rules in \"/etc/audit/audit.rules\" with the following @@ -41,7 +41,7 @@ -a always,exit -F arch=b64 -S init_module -k module-change If there are no audit rules defined for \"init_module\", this is a finding." - tag "fix": "Configure the operating system to generate audit records when + desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"init_module\" command occur. Add or update the following rules in \"/etc/audit/rules.d/audit.rules\": 
diff --git a/controls/V-72189.rb b/controls/V-72189.rb index cc6d83187..b51db6e0e 100644 --- a/controls/V-72189.rb +++ b/controls/V-72189.rb @@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"delete_module\" command occur. Check the auditing rules in \"/etc/audit/audit.rules\" with the following @@ -41,7 +41,7 @@ -a always,exit -F arch=b64 -S delete_module -k module-change If there are no audit rules defined for \"delete_module\", this is a finding." - tag "fix": "Configure the operating system to generate audit records when + desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"delete_module\" command occur. Add or update the following rules in \"/etc/audit/rules.d/audit.rules\": diff --git a/controls/V-72191.rb b/controls/V-72191.rb index 525318996..18e411ff3 100644 --- a/controls/V-72191.rb +++ b/controls/V-72191.rb @@ -20,7 +20,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"insmod\" command occur. Check the auditing rules in \"/etc/audit/audit.rules\" with the following 
@@ -33,7 +33,7 @@ -w /sbin/insmod -p x -F auid!=4294967295 -k module-change If the command does not return any output, this is a finding." - tag "fix": "Configure the operating system to generate audit records when + desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"insmod\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\": diff --git a/controls/V-72193.rb b/controls/V-72193.rb index 82693bff5..fa42be47e 100644 --- a/controls/V-72193.rb +++ b/controls/V-72193.rb @@ -20,7 +20,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"rmmod\" command occur. Check the auditing rules in \"/etc/audit/audit.rules\" with the following @@ -33,7 +33,7 @@ -w /sbin/rmmod -p x -F auid!=4294967295 -k module-change If the command does not return any output, this is a finding." - tag "fix": "Configure the operating system to generate audit records when + desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"rmmod\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\": diff --git a/controls/V-72195.rb b/controls/V-72195.rb index 35a4e362f..938e0dcc5 100644 --- a/controls/V-72195.rb +++ b/controls/V-72195.rb @@ -20,7 +20,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"modprobe\" command occur. Check the auditing rules in \"/etc/audit/audit.rules\" with the following 
@@ -37,7 +37,7 @@ -w /sbin/modprobe -p x -F auid!=4294967295 -k module-change If the command does not return any output, this is a finding." - tag "fix": "Configure the operating system to generate audit records when + desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"modprobe\" command occur. Add or update the following rule in \"/etc/audit/rules.d/audit.rules\": diff --git a/controls/V-72197.rb b/controls/V-72197.rb index 552fa01e1..e7fce6698 100644 --- a/controls/V-72197.rb +++ b/controls/V-72197.rb @@ -24,7 +24,7 @@ tag "documentable": false tag "nist": ["AC-2 (4)", "AU-12 c", "AC-2 (4)", "AC-2 (4)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system must generate audit records for all + desc "check", "Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/passwd\". @@ -37,7 +37,7 @@ If the command does not return a line, or the line is commented out, this is a finding." - tag "fix": "Configure the operating system to generate audit records for all + desc "fix", "Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/passwd\". diff --git a/controls/V-72199.rb b/controls/V-72199.rb index 0e54a5df6..570c0e849 100644 --- a/controls/V-72199.rb +++ b/controls/V-72199.rb @@ -16,7 +16,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"rename\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following 
@@ -34,7 +34,7 @@ If there are no audit rules defined for the \"rename\" command, this is a finding." - tag "fix": "Configure the operating system to generate audit records when + desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"rename\" command occur. Add the following rules in \"/etc/audit/rules.d/audit.rules\": diff --git a/controls/V-72201.rb b/controls/V-72201.rb index 5560e58e8..e34b6b9e4 100644 --- a/controls/V-72201.rb +++ b/controls/V-72201.rb @@ -16,7 +16,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"renameat\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following @@ -34,7 +34,7 @@ If there are no audit rules defined for the \"renameat\" command, this is a finding." - tag "fix": "Configure the operating system to generate audit records when + desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"renameat\" command occur. Add the following rules in \"/etc/audit/rules.d/audit.rules\": diff --git a/controls/V-72203.rb b/controls/V-72203.rb index 1b7d6024f..289f6ba65 100644 --- a/controls/V-72203.rb +++ b/controls/V-72203.rb @@ -16,7 +16,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"rmdir\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following 
@@ -34,7 +34,7 @@ If there are no audit rules defined for the \"rmdir\" command, this is a finding." - tag "fix": "Configure the operating system to generate audit records when + desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"rmdir\" command occur. Add the following rules in \"/etc/audit/rules.d/audit.rules\": diff --git a/controls/V-72205.rb b/controls/V-72205.rb index 4ff439a23..7141b70ff 100644 --- a/controls/V-72205.rb +++ b/controls/V-72205.rb @@ -16,7 +16,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"unlink\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following @@ -34,7 +34,7 @@ If there are no audit rules defined for the \"unlink\" command, this is a finding." - tag "fix": "Configure the operating system to generate audit records when + desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"unlink\" command occur. Add the following rules in \"/etc/audit/rules.d/audit.rules\": diff --git a/controls/V-72207.rb b/controls/V-72207.rb index 3e0d7e422..c7c259cac 100644 --- a/controls/V-72207.rb +++ b/controls/V-72207.rb @@ -16,7 +16,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "MA-4 (1) (a)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"unlinkat\" command occur. Check the file system rules in \"/etc/audit/audit.rules\" with the following 
@@ -34,7 +34,7 @@ If there are no audit rules defined for the \"unlinkat\" command, this is a finding." - tag "fix": "Configure the operating system to generate audit records when + desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"unlinkat\" command occur. Add the following rules in \"/etc/audit/rules.d/audit.rules\": diff --git a/controls/V-72209.rb b/controls/V-72209.rb index 42b17da30..c60cf95cb 100644 --- a/controls/V-72209.rb +++ b/controls/V-72209.rb @@ -1,7 +1,7 @@ # encoding: utf-8 # -log_pkg_path = attribute( +log_pkg_path = input( 'log_pkg_path', value: '/etc/rsyslog.conf', description: "The path to the logging package" @@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'rsyslog'] - tag "check": "Verify \"rsyslog\" is configured to send all messages to a log + desc "check", "Verify \"rsyslog\" is configured to send all messages to a log aggregation server. Check the configuration of \"rsyslog\" with the following command: @@ -40,7 +40,7 @@ If there is no evidence that the audit logs are being sent to another system, this is a finding." - tag "fix": "Modify the \"/etc/rsyslog.conf\" file to contain a configuration + desc "fix", "Modify the \"/etc/rsyslog.conf\" file to contain a configuration line to send all \"rsyslog\" output to a log aggregation system: *.* @@" diff --git a/controls/V-72211.rb b/controls/V-72211.rb index abc59d1fe..885d9afbb 100644 --- a/controls/V-72211.rb +++ b/controls/V-72211.rb @@ -1,7 +1,7 @@ # encoding: utf-8 # -log_aggregation_server = attribute( +log_aggregation_server = input( 'log_aggregation_server', description: 'The system is intented to be a log aggregation server.', value: false 
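Review bot: The switch from `attribute(` to `input(` in the `@@ -1,7 +1,7 @@` hunk of controls/V-72209.rb (and likewise in V-72211.rb, V-72223.rb, V-72225.rb and V-72237.rb) raises the minimum InSpec version the profile can load under, and nothing in the change records that floor. To my knowledge the `input` profile helper was introduced in InSpec 4.3.2, whereas `attribute` is accepted by every 4.x release, so a loose 4.x dependency pin can still resolve to a version where each of these control files aborts with a NameError on the `input(` line before any check executes, which silently removes the control from the run rather than reporting a finding. The dependency declaration is outside this hunk; it should be tightened in the same change to a release that defines `input`, and a one-line comment above the first `input(` call such as `# input() requires InSpec >= 4.3.2; attribute() is the pre-4.3 spelling` would make the constraint visible to the next maintainer. The `value:` and `description:` keywords are accepted unchanged by `input`, so the argument lists themselves need no further edit.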
@@ -32,7 +32,7 @@ tag "documentable": false tag "nist": ["CM-3 f", "CM-6 c", "CM-11 (2)", "CM-5 (1)", "CM-5 (1)", "Rev_4"] tag "subsystems": ['rsyslog'] - tag "check": "Verify that the system is not accepting \"rsyslog\" messages + desc "check", "Verify that the system is not accepting \"rsyslog\" messages from other systems unless it is documented as a log aggregation server. Check the configuration of \"rsyslog\" with the following command: @@ -45,7 +45,7 @@ If the documentation does not exist, or does not specify the server as a log aggregation system, this is a finding." - tag "fix": "Modify the \"/etc/rsyslog.conf\" file to remove the \"ModLoad + desc "fix", "Modify the \"/etc/rsyslog.conf\" file to remove the \"ModLoad imtcp\" configuration line, or document the system as being used for log aggregation." tag "fix_id": "F-78565r1_fix" diff --git a/controls/V-72213.rb b/controls/V-72213.rb index 7f28f6c99..adcdf4f1b 100644 --- a/controls/V-72213.rb +++ b/controls/V-72213.rb @@ -29,7 +29,7 @@ tag "documentable": false tag "nist": ["SI-3 a", "Rev_4"] tag "subsystems": ['clamav', 'nails', 'virus_scan'] - tag "check": "Verify the system is using a virus scan program. + desc "check", "Verify the system is using a virus scan program. Check for the presence of \"McAfee VirusScan Enterprise for Linux\" with the following command: @@ -55,7 +55,7 @@ system. If no antivirus scan program is active on the system, this is a finding." - tag "fix": "Install an antivirus solution on the system." + desc "fix", "Install an antivirus solution on the system." tag "fix_id": "F-78567r2_fix" if ignore_virus_software_running diff --git a/controls/V-72215.rb b/controls/V-72215.rb index b8f4df7aa..774514769 100644 --- a/controls/V-72215.rb +++ b/controls/V-72215.rb 
@@ -27,7 +27,7 @@ tag "documentable": false tag "nist": ["SI-3 a", "Rev_4"] tag "subsystems": ['clamav', 'nails', 'virus_scan'] - tag "check": "Verify the system is using a virus scan program and the virus + desc "check", "Verify the system is using a virus scan program and the virus definition file is less than seven days old. Check for the presence of \"McAfee VirusScan Enterprise for Linux\" with the @@ -69,7 +69,7 @@ If the database file has a date older than seven days from the current date, this is a finding." - tag "fix": "Update the virus scan software and virus definition files." + desc "fix", "Update the virus scan software and virus definition files." tag "fix_id": "F-78569r2_fix" sec_per_wk = 604800 diff --git a/controls/V-72217.rb b/controls/V-72217.rb index 1f2960976..9e5ae84ae 100644 --- a/controls/V-72217.rb +++ b/controls/V-72217.rb @@ -23,7 +23,7 @@ tag "documentable": false tag "nist": ["AC-10", "Rev_4"] tag "subsystems": ['session'] - tag "check": "Verify the operating system limits the number of concurrent + desc "check", "Verify the operating system limits the number of concurrent sessions to \"10\" for all accounts and/or account types by issuing the following command: @@ -35,7 +35,7 @@ If the \"maxlogins\" item is missing or the value is not set to \"10\" or less for all domains that have the \"maxlogins\" item assigned, this is a finding." - tag "fix": "Configure the operating system to limit the number of concurrent + desc "fix", "Configure the operating system to limit the number of concurrent sessions to \"10\" for all accounts and/or account types. Add the following line to the top of the /etc/security/limits.conf: diff --git a/controls/V-72219.rb b/controls/V-72219.rb index aa9153b43..140f66af5 100644 --- a/controls/V-72219.rb +++ b/controls/V-72219.rb 
@@ -37,7 +37,7 @@ tag "documentable": false tag "nist": ["CM-7 b", "AC-17 (1)", "Rev_4"] tag "subsystems": ['firewall', 'manual'] - tag "check": "Inspect the firewall configuration and running services to + desc "check", "Inspect the firewall configuration and running services to verify that it is configured to prohibit or restrict the use of functions, ports, protocols, and/or services that are unnecessary or prohibited. @@ -60,7 +60,7 @@ If there are additional ports, protocols, or services that are not in the PPSM CLSA, or there are ports, protocols, or services that are prohibited by the PPSM Category Assurance List (CAL), this is a finding." - tag "fix": "Update the host's firewall settings and/or running services to + desc "fix", "Update the host's firewall settings and/or running services to comply with the PPSM CLSA for the site or program and the PPSM CAL." tag "fix_id": "F-78573r1_fix" diff --git a/controls/V-72221.rb b/controls/V-72221.rb index 831e44f3e..d628b5cad 100644 --- a/controls/V-72221.rb +++ b/controls/V-72221.rb @@ -28,7 +28,7 @@ module are not verified and therefore cannot be relied upon to provide tag "documentable": false tag "nist": ["AC-17 (2)", "CM-6 b", "IA-7", "Rev_4"] tag "subsystems": ["ssh"] - tag "check": "Verify the operating system uses mechanisms meeting the + desc "check", "Verify the operating system uses mechanisms meeting the requirements of applicable federal laws, Executive orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module. 
@@ -47,7 +47,7 @@ module are not verified and therefore cannot be relied upon to provide If any ciphers other than \"aes128-ctr\", \"aes192-ctr\", or \"aes256-ctr\" are listed, the \"Ciphers\" keyword is missing, or the retuned line is commented out, this is a finding." - tag "fix": "Configure SSH to use FIPS 140-2 approved cryptographic algorithms. + desc "fix", "Configure SSH to use FIPS 140-2 approved cryptographic algorithms. Add the following line (or modify the line to have the required value) to the \"/etc/ssh/sshd_config\" file (this file may be named differently or be in a diff --git a/controls/V-72223.rb b/controls/V-72223.rb index ce01bbc70..27f5f3aa2 100644 --- a/controls/V-72223.rb +++ b/controls/V-72223.rb @@ -1,7 +1,7 @@ # encoding: utf-8 # -system_activity_timeout = attribute( +system_activity_timeout = input( 'system_activity_timeout', value: 600, description: 'The length of inactivity from the user in which the network connections associated with a session in terminated.' @@ -36,7 +36,7 @@ tag "documentable": false tag "nist": ["SC-10", "AC-12", "Rev_4"] tag "subsystems": ['user_profile'] - tag "check": "Verify the operating system terminates all network connections + desc "check", "Verify the operating system terminates all network connections associated with a communications session at the end of the session or based on inactivity. @@ -48,7 +48,7 @@ If \"TMOUT\" is not set to \"600\" or less in \"/etc/bashrc\" or in a script created to enforce session termination after inactivity, this is a finding." - tag "fix": "Configure the operating system to terminate all network + desc "fix", "Configure the operating system to terminate all network connections associated with a communications session at the end of the session or after a period of inactivity. diff --git a/controls/V-72225.rb b/controls/V-72225.rb index a489179d2..7a1127556 100644 --- a/controls/V-72225.rb +++ b/controls/V-72225.rb 
@@ -1,7 +1,7 @@ # encoding: utf-8 # -banner_message_text_ral = attribute('banner_message_text_ral', +banner_message_text_ral = input('banner_message_text_ral', value: "You are accessing a U.S. Government (USG) Information System (IS) that is \ provided for USG-authorized use only. By using this IS (which includes any \ @@ -23,7 +23,7 @@ Agreement for details.", description: 'The banner message must display the designated banner before granting access.') -banner_message_text_ral_limited = attribute('banner_message_text_ral_limited', +banner_message_text_ral_limited = input('banner_message_text_ral_limited', value: "I've read & consent to terms in IS user agreem't.", description: 'The banner message must display the designated banner before granting access.') @@ -83,7 +83,7 @@ tag "nist": ["AC-8 a", "AC-8 b", "AC-8 c 1", "AC-8 c 2", "AC-8 c 2", "AC-8 c 2", "AC-8 c 3", "Rev_4"] tag "subsystems": ["ssh"] - tag "check": "Verify any publicly accessible connection to the operating + desc "check", "Verify any publicly accessible connection to the operating system displays the Standard Mandatory DoD Notice and Consent Banner before granting access to the system. @@ -131,7 +131,7 @@ If the text in the file does not match the Standard Mandatory DoD Notice and Consent Banner, this is a finding." - tag "fix": "Configure the operating system to display the Standard Mandatory + desc "fix", "Configure the operating system to display the Standard Mandatory DoD Notice and Consent Banner before granting access to the system via the ssh. Edit the \"/etc/ssh/sshd_config\" file to uncomment the banner keyword and diff --git a/controls/V-72227.rb b/controls/V-72227.rb index d0ba30a53..5b9f811ed 100644 --- a/controls/V-72227.rb +++ b/controls/V-72227.rb 
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AC-17 (2)", "Rev_4"] tag "subsystems": ['sssd', 'ldap'] - tag "check": "Verify the operating system implements cryptography to protect + desc "check", "Verify the operating system implements cryptography to protect the integrity of remote LDAP authentication sessions. To determine if LDAP is being used for authentication, use the following @@ -38,7 +38,7 @@ ssl start_tls If the \"ssl\" option is not \"start_tls\", this is a finding." - tag "fix": "Configure the operating system to implement cryptography to + desc "fix", "Configure the operating system to implement cryptography to protect the integrity of LDAP authentication sessions. Set the USELDAPAUTH=yes in \"/etc/sysconfig/authconfig\". diff --git a/controls/V-72229.rb b/controls/V-72229.rb index 0b1033331..922608633 100644 --- a/controls/V-72229.rb +++ b/controls/V-72229.rb @@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AC-17 (2)", "Rev_4"] tag "subsystems": ['sssd', 'ldap'] - tag "check": "Verify the operating system implements cryptography to protect + desc "check", "Verify the operating system implements cryptography to protect the integrity of remote LDAP access sessions. To determine if LDAP is being used for authentication, use the following @@ -43,7 +43,7 @@ If the directory does not exist or the option is commented out, this is a finding." - tag "fix": "Configure the operating system to implement cryptography to + desc "fix", "Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions. Set the \"tls_cacertdir\" option in \"/etc/pam_ldap.conf\" to point to the diff --git a/controls/V-72231.rb b/controls/V-72231.rb index d11cfc45a..e3679615e 100644 --- a/controls/V-72231.rb +++ b/controls/V-72231.rb 
@@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["AC-17 (2)", "Rev_4"] tag "subsystems": ['sssd', 'ldap'] - tag "check": "Verify the operating system implements cryptography to protect + desc "check", "Verify the operating system implements cryptography to protect the integrity of remote ldap access sessions. To determine if LDAP is being used for authentication, use the following @@ -44,7 +44,7 @@ If this file does not exist, or the option is commented out or missing, this is a finding." - tag "fix": "Configure the operating system to implement cryptography to + desc "fix", "Configure the operating system to implement cryptography to protect the integrity of LDAP remote access sessions. Set the \"tls_cacertfile\" option in \"/etc/pam_ldap.conf\" to point to the diff --git a/controls/V-72233.rb b/controls/V-72233.rb index b4f621566..16ff46486 100644 --- a/controls/V-72233.rb +++ b/controls/V-72233.rb @@ -31,7 +31,7 @@ tag "documentable": false tag "nist": ["SC-8", "SC-8 (2)", "SC-8 (1)", "SC-8 (2)", "Rev_4"] tag "subsystems": ["ssh"] - tag "check": "Check to see if sshd is installed with the following command: + desc "check", "Check to see if sshd is installed with the following command: # yum list installed | grep ssh libssh2.x86_64 1.4.3-8.el7 @anaconda/7.1 @@ -42,7 +42,7 @@ If the \"SSH server\" package is not installed, this is a finding. If the \"SSH client\" package is not installed, this is a finding." - tag "fix": "Install SSH packages onto the host with the following commands: + desc "fix", "Install SSH packages onto the host with the following commands: # yum install openssh-clients.x86_64 # yum install openssh-server.x86_64 diff --git a/controls/V-72235.rb b/controls/V-72235.rb index 068a24cc1..1a899c0c6 100644 --- a/controls/V-72235.rb +++ b/controls/V-72235.rb 
@@ -33,7 +33,7 @@ tag "documentable": false tag "nist": ["SC-8", "SC-8 (2)", "SC-8 (1)", "SC-8 (2)", "Rev_4"] tag "subsystems": ["ssh"] - tag "check": "Verify SSH is loaded and active with the following command: + desc "check", "Verify SSH is loaded and active with the following command: # systemctl status sshd sshd.service - OpenSSH server daemon @@ -46,7 +46,7 @@ If \"sshd\" does not show a status of \"active\" and \"running\", this is a finding." - tag "fix": "Configure the SSH service to automatically start after reboot + desc "fix", "Configure the SSH service to automatically start after reboot with the following command: # systemctl enable sshd ln -s '/usr/lib/systemd/system/sshd.service' diff --git a/controls/V-72237.rb b/controls/V-72237.rb index 94c8431f0..897462ab4 100644 --- a/controls/V-72237.rb +++ b/controls/V-72237.rb @@ -1,7 +1,7 @@ # encoding: utf-8 # -client_alive_interval = attribute('client_alive_interval', value: 600, +client_alive_interval = input('client_alive_interval', value: 600, description: "Value expected for ClientAliveInterval in sshd_config") control "V-72237" do @@ -33,7 +33,7 @@ tag "documentable": false tag "nist": ["SC-10", "AC-12", "Rev_4"] tag "subsystems": ["ssh"] - tag "check": "Verify the operating system automatically terminates a user + desc "check", "Verify the operating system automatically terminates a user session after inactivity time-outs have expired. Check for the value of the \"ClientAliveInterval\" keyword with the following 
@@ -49,7 +49,7 @@ If \"ClientAliveInterval\" has a value that is greater than \"600\" and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding." - tag "fix": "Configure the operating system to automatically terminate a user + desc "fix", "Configure the operating system to automatically terminate a user session after inactivity time-outs have expired or at shutdown. Add the following line (or modify the line to have the required value) to the diff --git a/controls/V-72239.rb b/controls/V-72239.rb index adddb45a7..6e2a0a4b2 100644 --- a/controls/V-72239.rb +++ b/controls/V-72239.rb @@ -15,7 +15,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ["ssh"] - tag "check": "Verify the SSH daemon does not allow authentication using RSA + desc "check", "Verify the SSH daemon does not allow authentication using RSA rhosts authentication. To determine how the SSH daemon's \"RhostsRSAAuthentication\" option is set, @@ -26,7 +26,7 @@ If the value is returned as \"yes\", the returned line is commented out, or no output is returned, this is a finding." - tag "fix": "Configure the SSH daemon to not allow authentication using RSA + desc "fix", "Configure the SSH daemon to not allow authentication using RSA rhosts authentication. Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line and diff --git a/controls/V-72241.rb b/controls/V-72241.rb index 01a2efafd..f6b3671cc 100644 --- a/controls/V-72241.rb +++ b/controls/V-72241.rb @@ -28,7 +28,7 @@ tag "documentable": false tag "nist": ["SC-10", "AC-12", "Rev_4"] tag "subsystems": ["ssh"] - tag "check": "Check the version of the operating system with the following + desc "check", "Check the version of the operating system with the following command: # cat /etc/redhat-release 
@@ -46,7 +46,7 @@ If \"ClientAliveCountMax\" is not set to \"0\" in \"/etc/ ssh/sshd_config\", this is a finding." - tag "fix": "Configure the operating system to automatically terminate a user + desc "fix", "Configure the operating system to automatically terminate a user session after inactivity time-outs have expired or at shutdown. Add the following line (or modify the line to have the required value) to the diff --git a/controls/V-72243.rb b/controls/V-72243.rb index cc31a30e5..72467979b 100644 --- a/controls/V-72243.rb +++ b/controls/V-72243.rb @@ -15,7 +15,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ["ssh"] - tag "check": "Verify the SSH daemon does not allow authentication using known + desc "check", "Verify the SSH daemon does not allow authentication using known hosts authentication. To determine how the SSH daemon's \"IgnoreRhosts\" option is set, run the @@ -27,7 +27,7 @@ If the value is returned as \"no\", the returned line is commented out, or no output is returned, this is a finding." - tag "fix": "Configure the SSH daemon to not allow authentication using known + desc "fix", "Configure the SSH daemon to not allow authentication using known hosts authentication. Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line and diff --git a/controls/V-72245.rb b/controls/V-72245.rb index 62f89662b..f37f31997 100644 --- a/controls/V-72245.rb +++ b/controls/V-72245.rb @@ -15,7 +15,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['pam', 'ssh', 'lastlog'] - tag "check": "Verify SSH provides users with feedback on when account + desc "check", "Verify SSH provides users with feedback on when account accesses last occurred. Check that \"PrintLastLog\" keyword in the sshd daemon configuration file is 
@@ -26,7 +26,7 @@ If the \"PrintLastLog\" keyword is set to \"no\", is missing, or is commented out, this is a finding." - tag "fix": "Configure SSH to provide users with feedback on when account + desc "fix", "Configure SSH to provide users with feedback on when account accesses last occurred by setting the required configuration options in \"/etc/pam.d/sshd\" or in the \"sshd_config\" file used by the system (\"/etc/ssh/sshd_config\" will be used in the example) (this file may be named diff --git a/controls/V-72247.rb b/controls/V-72247.rb index b5df93629..325d0a1f6 100644 --- a/controls/V-72247.rb +++ b/controls/V-72247.rb @@ -16,7 +16,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ["ssh"] - tag "check": "Verify remote access using SSH prevents users from logging on + desc "check", "Verify remote access using SSH prevents users from logging on directly as root. Check that SSH prevents users from logging on directly as root with the @@ -27,7 +27,7 @@ If the \"PermitRootLogin\" keyword is set to \"yes\", is missing, or is commented out, this is a finding." - tag "fix": "Configure SSH to stop users from logging on remotely as the root + desc "fix", "Configure SSH to stop users from logging on remotely as the root user. Edit the appropriate \"/etc/ssh/sshd_config\" file to uncomment or add the diff --git a/controls/V-72249.rb b/controls/V-72249.rb index 0554a44e8..7f55d9b37 100644 --- a/controls/V-72249.rb +++ b/controls/V-72249.rb @@ -15,7 +15,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ["ssh"] - tag "check": "Verify the SSH daemon does not allow authentication using known + desc "check", "Verify the SSH daemon does not allow authentication using known hosts authentication. To determine how the SSH daemon's \"IgnoreUserKnownHosts\" option is set, run 
@@ -27,7 +27,7 @@ If the value is returned as \"no\", the returned line is commented out, or no output is returned, this is a finding." - tag "fix": "Configure the SSH daemon to not allow authentication using known + desc "fix", "Configure the SSH daemon to not allow authentication using known hosts authentication. Add the following line in \"/etc/ssh/sshd_config\", or uncomment the line and diff --git a/controls/V-72251.rb b/controls/V-72251.rb index 99e91c3e7..b041b1131 100644 --- a/controls/V-72251.rb +++ b/controls/V-72251.rb @@ -15,7 +15,7 @@ tag "documentable": false tag "nist": ["IA-5 (1) (c)", "CM-6 b", "Rev_4"] tag "subsystems": ["ssh"] - tag "check": "Check the version of the operating system with the following + desc "check", "Check the version of the operating system with the following command: # cat /etc/redhat-release @@ -33,7 +33,7 @@ If any protocol line other than \"Protocol 2\" is uncommented, this is a finding." - tag "fix": "Remove all Protocol lines that reference version \"1\" in + desc "fix", "Remove all Protocol lines that reference version \"1\" in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor). The \"Protocol\" line must be as follows: diff --git a/controls/V-72253.rb b/controls/V-72253.rb index c1010091c..113a01391 100644 --- a/controls/V-72253.rb +++ b/controls/V-72253.rb @@ -16,7 +16,7 @@ tag "nist": ["AC-17 (2)", "Rev_4"] tag "subsystems": ["ssh"] tag "fix_id": "F-78607r2_fix" - tag "check": "Verify the SSH daemon is configured to only use MACs employing + desc "check", "Verify the SSH daemon is configured to only use MACs employing FIPS 140-2-approved ciphers. Note: If RHEL-07-021350 is a finding, this is automatically a finding as the 
@@ -30,7 +30,7 @@ If any ciphers other than \"hmac-sha2-256\" or \"hmac-sha2-512\" are listed or the retuned line is commented out, this is a finding." - tag "fix": "Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the + desc "fix", "Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"MACs\" keyword and set its value to \"hmac-sha2-256\" and/or \"hmac-sha2-512\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor): diff --git a/controls/V-72255.rb b/controls/V-72255.rb index 14a3bf163..b0cf8eef7 100644 --- a/controls/V-72255.rb +++ b/controls/V-72255.rb @@ -13,7 +13,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ["ssh"] - tag "check": "Verify the SSH public host key files have mode \"0644\" or less + desc "check", "Verify the SSH public host key files have mode \"0644\" or less permissive. Note: SSH public key files may be found in other directories on the system @@ -28,7 +28,7 @@ -rw-r--r-- 1 root wheel 238 Nov 28 06:43 ssh_host_rsa_key.pub If any file has a mode more permissive than \"0644\", this is a finding." - tag "fix": "Note: SSH public key files may be found in other directories on + desc "fix", "Note: SSH public key files may be found in other directories on the system depending on the installation. Change the mode of public host key files under \"/etc/ssh\" to \"0644\" with diff --git a/controls/V-72257.rb b/controls/V-72257.rb index 4842ab524..91db87030 100644 --- a/controls/V-72257.rb +++ b/controls/V-72257.rb @@ -13,7 +13,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ["ssh"] - tag "check": "Verify the SSH private host key files have mode \"0600\" or + desc "check", "Verify the SSH private host key files have mode \"0600\" or less permissive. The following command will find all SSH private key files on the system: 
@@ -29,7 +29,7 @@ -rw------- 1 root wheel 887 Nov 28 06:43 ssh_host_rsa_key If any file has a mode more permissive than \"0600\", this is a finding." - tag "fix": "Configure the mode of SSH private host key files under + desc "fix", "Configure the mode of SSH private host key files under \"/etc/ssh\" to \"0600\" with the following command: # chmod 0600 /etc/ssh/ssh_host*key" diff --git a/controls/V-72259.rb b/controls/V-72259.rb index 5d48db5bd..1350c26d6 100644 --- a/controls/V-72259.rb +++ b/controls/V-72259.rb @@ -17,7 +17,7 @@ tag "documentable": false tag "nist": ["CM-3 f", "CM-6 c", "CM-11 (2)", "CM-5 (1)", "CM-5 (1)", "Rev_4"] tag "subsystems": ["ssh"] - tag "check": "Verify the SSH daemon does not permit GSSAPI authentication + desc "check", "Verify the SSH daemon does not permit GSSAPI authentication unless approved. Check that the SSH daemon does not permit GSSAPI authentication with the @@ -29,7 +29,7 @@ If the \"GSSAPIAuthentication\" keyword is missing, is set to \"yes\" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding." - tag "fix": "Uncomment the \"GSSAPIAuthentication\" keyword in + desc "fix", "Uncomment the \"GSSAPIAuthentication\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to \"no\": diff --git a/controls/V-72261.rb b/controls/V-72261.rb index c96995168..8d8455bf8 100644 --- a/controls/V-72261.rb +++ b/controls/V-72261.rb 
@@ -19,7 +19,7 @@ tag "documentable": false tag "nist": ["CM-3 f", "CM-6 c", "CM-11 (2)", "CM-5 (1)", "CM-5 (1)", "Rev_4"] tag "subsystems": ["ssh"] - tag "check": "Verify the SSH daemon does not permit Kerberos to authenticate + desc "check", "Verify the SSH daemon does not permit Kerberos to authenticate passwords unless approved. Check that the SSH daemon does not permit Kerberos to authenticate passwords @@ -31,7 +31,7 @@ If the \"KerberosAuthentication\" keyword is missing, or is set to \"yes\" and is not documented with the Information System Security Officer (ISSO), or the returned line is commented out, this is a finding." - tag "fix": "Uncomment the \"KerberosAuthentication\" keyword in + desc "fix", "Uncomment the \"KerberosAuthentication\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to \"no\": diff --git a/controls/V-72263.rb b/controls/V-72263.rb index 0a0fd75ca..59feca5c5 100644 --- a/controls/V-72263.rb +++ b/controls/V-72263.rb @@ -14,7 +14,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ["ssh"] - tag "check": "Verify the SSH daemon performs strict mode checking of home + desc "check", "Verify the SSH daemon performs strict mode checking of home directory configuration files. The location of the \"sshd_config\" file may vary if a different daemon is in @@ -28,7 +28,7 @@ If \"StrictModes\" is set to \"no\", is missing, or the returned line is commented out, this is a finding." - tag "fix": "Uncomment the \"StrictModes\" keyword in \"/etc/ssh/sshd_config\" + desc "fix", "Uncomment the \"StrictModes\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to \"yes\": 
diff --git a/controls/V-72265.rb b/controls/V-72265.rb index 27da75d9e..c9c2515c2 100644 --- a/controls/V-72265.rb +++ b/controls/V-72265.rb @@ -14,7 +14,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ["ssh"] - tag "check": "Verify the SSH daemon performs privilege separation. + desc "check", "Verify the SSH daemon performs privilege separation. Check that the SSH daemon performs privilege separation with the following command: @@ -25,7 +25,7 @@ If the \"UsePrivilegeSeparation\" keyword is set to \"no\", is missing, or the retuned line is commented out, this is a finding." - tag "fix": "Uncomment the \"UsePrivilegeSeparation\" keyword in + desc "fix", "Uncomment the \"UsePrivilegeSeparation\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) and set the value to \"sandbox\" or \"yes\": diff --git a/controls/V-72267.rb b/controls/V-72267.rb index 70cb1af7b..965856496 100644 --- a/controls/V-72267.rb +++ b/controls/V-72267.rb @@ -16,7 +16,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ["ssh"] - tag "check": "Verify the SSH daemon performs compression after a user + desc "check", "Verify the SSH daemon performs compression after a user successfully authenticates. Check that the SSH daemon performs compression after a user successfully @@ -27,7 +27,7 @@ If the \"Compression\" keyword is set to \"yes\", is missing, or the retuned line is commented out, this is a finding." - tag "fix": "Uncomment the \"Compression\" keyword in \"/etc/ssh/sshd_config\" + desc "fix", "Uncomment the \"Compression\" keyword in \"/etc/ssh/sshd_config\" (this file may be named differently or be in a different location if using a version of SSH that is provided by a third-party vendor) on the system and set the value to \"delayed\" or \"no\": 
diff --git a/controls/V-72269.rb b/controls/V-72269.rb index 107372651..2e54e7297 100644 --- a/controls/V-72269.rb +++ b/controls/V-72269.rb @@ -21,6 +21,7 @@ endpoints). " impact 0.5 + tag "gtitle": "SRG-OS-000355-GPOS-00143" tag "satisfies": ["SRG-OS-000355-GPOS-00143", "SRG-OS-000356-GPOS-00144"] tag "gid": "V-72269" 
@@ -28,46 +29,49 @@ tag "stig_id": "RHEL-07-040500" tag "cci": ["CCI-001891", "CCI-002046"] tag "documentable": false + tag "subsystems": ['ntp'] tag "nist": ["AU-8 (1) (a)", "AU-8 (1) (b)", "Rev_4"] - tag "check": "Check to see if NTP is running in continuous mode. + tag "fix_id": "F-78623r3_fix" -# ps -ef | grep ntp + desc "check", "Check to see if NTP is running in continuous mode. -If NTP is not running, this is a finding. + # ps -ef | grep ntp -If the process is found, then check the \"ntp.conf\" file for the \"maxpoll\" -option setting: + If NTP is not running, this is a finding. -# grep maxpoll /etc/ntp.conf + If the process is found, then check the \"ntp.conf\" file for the \"maxpoll\" + option setting: -maxpoll 17 + # grep maxpoll /etc/ntp.conf -If the option is set to \"17\" or is not set, this is a finding. + maxpoll 17 -If the file does not exist, check the \"/etc/cron.daily\" subdirectory for a -crontab file controlling the execution of the \"ntpdate\" command. + If the option is set to \"17\" or is not set, this is a finding. -# grep –l ntpdate /etc/cron.daily + If the file does not exist, check the \"/etc/cron.daily\" subdirectory for a + crontab file controlling the execution of the \"ntpdate\" command. -# ls -al /etc/cron.* | grep ntp -ntp + # grep –l ntpdate /etc/cron.daily -If a crontab file does not exist in the \"/etc/cron.daily\" that executes the -\"ntpdate\" file, this is a finding." - tag "fix": "Edit the \"/etc/ntp.conf\" file and add or update an entry to -define \"maxpoll\" to \"10\" as follows: + # ls -al /etc/cron.* | grep ntp + ntp -maxpoll 10 + If a crontab file does not exist in the \"/etc/cron.daily\" that executes the + \"ntpdate\" file, this is a finding." 
+ + desc "fix", "Edit the \"/etc/ntp.conf\" file and add or update an entry to + define \"maxpoll\" to \"10\" as follows: -If NTP was running and \"maxpoll\" was updated, the NTP service must be -restarted: + maxpoll 10 -# systemctl restart ntpd + If NTP was running and \"maxpoll\" was updated, the NTP service must be + restarted: -If NTP was not running, it must be started: + # systemctl restart ntpd -# systemctl start ntpd" - tag "fix_id": "F-78623r3_fix" + If NTP was not running, it must be started: + + # systemctl start ntpd" describe service('ntpd') do it { should be_running } diff --git a/controls/V-72271.rb b/controls/V-72271.rb index 40c477b50..90e2356fc 100644 --- a/controls/V-72271.rb +++ b/controls/V-72271.rb @@ -27,7 +27,7 @@ tag "documentable": false tag "nist": ["SC-5", "Rev_4"] tag "subsystems": ['firewalld', 'iptables'] - tag "check": "Verify the operating system protects against or limits the + desc "check", "Verify the operating system protects against or limits the effects of DoS attacks by ensuring the operating system is implementing rate-limiting measures on impacted network interfaces. @@ -40,7 +40,7 @@ If a rule with both the limit and limit-burst arguments parameters does not exist, this is a finding." - tag "fix": "Create a direct firewall rule to protect against DoS attacks with + desc "fix", "Create a direct firewall rule to protect against DoS attacks with the following command: Note: The command is to add a rule to the public zone. diff --git a/controls/V-72273.rb b/controls/V-72273.rb index 98dabb262..cb266142d 100644 --- a/controls/V-72273.rb +++ b/controls/V-72273.rb @@ -17,7 +17,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['firewalld', 'iptables'] - tag "check": "Verify the operating system enabled an application firewall. + desc "check", "Verify the operating system enabled an application firewall. Check to see if \"firewalld\" is installed with the following command: 
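Review bot: The `# grep –l ntpdate /etc/cron.daily` line carried into the new `desc "check"` text uses an en-dash (U+2013) rather than an ASCII hyphen, so a reader who pastes the command gets `–l` treated as a file name instead of the `-l` option; it should read `# grep -l ntpdate /etc/cron.daily`. The hunk also indents every continuation line of the check and fix strings by four spaces, and that whitespace is now part of the string value, which differs from the flush-left continuation style the other controls in this change keep (V-72271 just below, for example); a squiggly heredoc (`<<~CHECK`) or unindented continuation lines would keep the reported text clean. The `describe service('ntpd')` block that starts at the end of the hunk continues outside it.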
@@ -46,7 +46,7 @@ running If \"firewalld\" does not show a state of \"running\", this is a finding." - tag "fix": "Ensure the operating system's application firewall is enabled. + desc "fix", "Ensure the operating system's application firewall is enabled. Install the \"firewalld\" package, if it is not on the system, with the following command: diff --git a/controls/V-72275.rb b/controls/V-72275.rb index f236be51b..aa29f72b9 100644 --- a/controls/V-72275.rb +++ b/controls/V-72275.rb @@ -14,7 +14,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['pam', 'lastlog', 'ssh'] - tag "check": "Verify users are provided with feedback on when account + desc "check", "Verify users are provided with feedback on when account accesses last occurred. Check that \"pam_lastlog\" is used and not silent with the following command: @@ -31,7 +31,7 @@ If \"pam_lastlog\" is missing from \"/etc/pam.d/postlogin-ac\" file, or the silent option is present and PrintLastLog is missing from or set to \"no\" in the \"/etc/ssh/sshd_config\" file this is a finding." - tag "fix": "Configure the operating system to provide users with feedback on + desc "fix", "Configure the operating system to provide users with feedback on when account accesses last occurred by setting the required configuration options in \"/etc/pam.d/postlogin-ac\". diff --git a/controls/V-72277.rb b/controls/V-72277.rb index 7d067240e..486a685c8 100644 --- a/controls/V-72277.rb +++ b/controls/V-72277.rb 
@@ -16,14 +16,14 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['ssh'] - tag "check": "Verify there are no \".shosts\" files on the system. + desc "check", "Verify there are no \".shosts\" files on the system. Check the system for the existence of these files with the following command: # find / -name '*.shosts' If any \".shosts\" files are found on the system, this is a finding." - tag "fix": "Remove any found \".shosts\" files from the system. + desc "fix", "Remove any found \".shosts\" files from the system. # rm /[path]/[to]/[file]/.shosts" tag "fix_id": "F-78631r1_fix" diff --git a/controls/V-72279.rb b/controls/V-72279.rb index 8aefe2c49..159390edd 100644 --- a/controls/V-72279.rb +++ b/controls/V-72279.rb @@ -16,14 +16,14 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['ssh'] - tag "check": "Verify there are no \"shosts.equiv\" files on the system. + desc "check", "Verify there are no \"shosts.equiv\" files on the system. Check the system for the existence of these files with the following command: # find / -name shosts.equiv If any \"shosts.equiv\" files are found on the system, this is a finding." - tag "fix": "Remove any found \"shosts.equiv\" files from the system. + desc "fix", "Remove any found \"shosts.equiv\" files from the system. # rm /[path]/[to]/[file]/shosts.equiv" tag "fix_id": "F-78633r1_fix" diff --git a/controls/V-72281.rb b/controls/V-72281.rb index d41ba4488..8c426d7cf 100644 --- a/controls/V-72281.rb +++ b/controls/V-72281.rb @@ -16,7 +16,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['dns', 'resolv'] - tag "check": "Determine whether the system is using local or DNS name + desc "check", "Determine whether the system is using local or DNS name resolution with the following command: # grep hosts /etc/nsswitch.conf 
@@ -45,7 +45,7 @@ If less than two lines are returned that are not commented out, this is a finding." - tag "fix": "Configure the operating system to use two or more name servers + desc "fix", "Configure the operating system to use two or more name servers for DNS resolution. Edit the \"/etc/resolv.conf\" file to uncomment or add the two or more diff --git a/controls/V-72283.rb b/controls/V-72283.rb index 28e1b3032..785084e49 100644 --- a/controls/V-72283.rb +++ b/controls/V-72283.rb @@ -17,7 +17,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['kernel_parameter'] - tag "check": "Verify the system does not accept IPv4 source-routed packets. + desc "check", "Verify the system does not accept IPv4 source-routed packets. Check the value of the accept source route variable with the following command: @@ -26,7 +26,7 @@ If the returned line does not have a value of \"0\", a line is not returned, or the returned line is commented out, this is a finding." - tag "fix": "Set the system to the required kernel parameter by adding the + desc "fix", "Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" (or modify the line to have the required value): diff --git a/controls/V-72285.rb b/controls/V-72285.rb index e40f89c5e..7283b183d 100644 --- a/controls/V-72285.rb +++ b/controls/V-72285.rb @@ -17,7 +17,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['kernel_parameter'] - tag "check": "Verify the system does not accept IPv4 source-routed packets by + desc "check", "Verify the system does not accept IPv4 source-routed packets by default. Check the value of the accept source route variable with the following command: 
@@ -27,7 +27,7 @@ If the returned line does not have a value of \"0\", a line is not returned, or the returned line is commented out, this is a finding." - tag "fix": "Set the system to the required kernel parameter by adding the + desc "fix", "Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" (or modify the line to have the required value): diff --git a/controls/V-72287.rb b/controls/V-72287.rb index 34a5e2594..101d7c5d3 100644 --- a/controls/V-72287.rb +++ b/controls/V-72287.rb @@ -14,7 +14,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['kernel_parameter'] - tag "check": "Verify the system does not respond to IPv4 ICMP echoes sent to + desc "check", "Verify the system does not respond to IPv4 ICMP echoes sent to a broadcast address. Check the value of the \"icmp_echo_ignore_broadcasts\" variable with the @@ -25,7 +25,7 @@ If the returned line does not have a value of \"1\", a line is not returned, or the retuned line is commented out, this is a finding." - tag "fix": "Set the system to the required kernel parameter by adding the + desc "fix", "Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" (or modify the line to have the required value): diff --git a/controls/V-72289.rb b/controls/V-72289.rb index b4dab3081..922f3ea22 100644 --- a/controls/V-72289.rb +++ b/controls/V-72289.rb @@ -16,7 +16,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['kernel_parameter'] - tag "check": "Verify the system will not accept IPv4 ICMP redirect messages. + desc "check", "Verify the system will not accept IPv4 ICMP redirect messages. Check the value of the default \"accept_redirects\" variables with the following command: 
@@ -26,7 +26,7 @@ If the returned line does not have a value of \"0\", or a line is not returned, this is a finding." - tag "fix": "Set the system to not accept IPv4 ICMP redirect messages by + desc "fix", "Set the system to not accept IPv4 ICMP redirect messages by adding the following line to \"/etc/sysctl.conf\" (or modify the line to have the required value): diff --git a/controls/V-72291.rb b/controls/V-72291.rb index 3f0a4cdd9..9d6d7861e 100644 --- a/controls/V-72291.rb +++ b/controls/V-72291.rb @@ -16,7 +16,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['kernel_parameter'] - tag "check": "Verify the system does not allow interfaces to perform IPv4 + desc "check", "Verify the system does not allow interfaces to perform IPv4 ICMP redirects by default. Check the value of the \"default send_redirects\" variables with the following @@ -28,7 +28,7 @@ If the returned line does not have a value of \"0\", or a line is not returned, this is a finding." - tag "fix": "Configure the system to not allow interfaces to perform IPv4 ICMP + desc "fix", "Configure the system to not allow interfaces to perform IPv4 ICMP redirects by default. Set the system to the required kernel parameter by adding the following line to diff --git a/controls/V-72293.rb b/controls/V-72293.rb index fcc6c3767..302ecf5be 100644 --- a/controls/V-72293.rb +++ b/controls/V-72293.rb @@ -16,7 +16,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['kernel_parameter'] - tag "check": "Verify the system does not send IPv4 ICMP redirect messages. + desc "check", "Verify the system does not send IPv4 ICMP redirect messages. Check the value of the \"all send_redirects\" variables with the following command: 
@@ -27,7 +27,7 @@ If the returned line does not have a value of \"0\", or a line is not returned, this is a finding." - tag "fix": "Configure the system to not allow interfaces to perform IPv4 ICMP + desc "fix", "Configure the system to not allow interfaces to perform IPv4 ICMP redirects. Set the system to the required kernel parameter by adding the following line to diff --git a/controls/V-72295.rb b/controls/V-72295.rb index a28e3a0ac..32e17f469 100644 --- a/controls/V-72295.rb +++ b/controls/V-72295.rb @@ -13,6 +13,7 @@ Officer (ISSO) and restricted to only authorized personnel. " impact 0.5 + tag "gtitle": "SRG-OS-000480-GPOS-00227" tag "gid": "V-72295" tag "rid": "SV-86919r1_rule" 
@@ -20,22 +21,25 @@ tag "cci": ["CCI-000366"] tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] - tag "check": "Verify network interfaces are not in promiscuous mode unless -approved by the ISSO and documented. + tag "subsystems": ['network', 'ip_link'] + tag "fix_id": "F-78649r1_fix" -Check for the status with the following command: + desc "check", "Verify network interfaces are not in promiscuous mode unless + approved by the ISSO and documented. -# ip link | grep -i promisc + Check for the status with the following command: -If network interfaces are found on the system in promiscuous mode and their use -has not been approved by the ISSO and documented, this is a finding." - tag "fix": "Configure network interfaces to turn off promiscuous mode unless -approved by the ISSO and documented. + # ip link | grep -i promisc -Set the promiscuous mode of an interface to off with the following command: + If network interfaces are found on the system in promiscuous mode and their use + has not been approved by the ISSO and documented, this is a finding." + + desc "fix", "Configure network interfaces to turn off promiscuous mode unless + approved by the ISSO and documented. -#ip link set dev multicast off promisc off" - tag "fix_id": "F-78649r1_fix" + Set the promiscuous mode of an interface to off with the following command: + + #ip link set dev multicast off promisc off" # @todo - test against list of approved interfaces describe command("ip link | grep -i promisc") do diff --git a/controls/V-72297.rb b/controls/V-72297.rb index bc4d2dca0..6bec2928e 100644 --- a/controls/V-72297.rb +++ b/controls/V-72297.rb @@ -18,7 +18,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['postfix'] - tag "check": "Verify the system is configured to prevent unrestricted mail + desc "check", "Verify the system is configured to prevent unrestricted mail relaying. Determine if \"postfix\" is installed with the following commands: 
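Review bot: The check and fix text moved into `desc` still say promiscuous mode is acceptable when documented with the ISSO, but the control declares no input for such approvals, and the `describe command("ip link | grep -i promisc")` block that begins at the end of the hunk (its body is outside the hunk) is preceded only by the `@todo` about an approved-interface list, so every promiscuous interface presumably fails; contrast V-72317 in this same change, which takes an `approved_tunnels` input. I would add `approved_promisc_interfaces = input('approved_promisc_interfaces', value: [], description: 'Interfaces documented with the ISSO as permitted to run in promiscuous mode')` above the control and filter the `ip link` output against it. The fix command `#ip link set dev multicast off promisc off` also has no interface operand and will not run as shown; a placeholder was presumably lost, so `# ip link set dev <interface> multicast off promisc off` is what a reader needs.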
@@ -36,7 +36,7 @@ If the \"smtpd_client_restrictions\" parameter contains any entries other than \"permit_mynetworks\" and \"reject\", this is a finding." - tag "fix": "If \"postfix\" is installed, modify the \"/etc/postfix/main.cf\" + desc "fix", "If \"postfix\" is installed, modify the \"/etc/postfix/main.cf\" file to restrict client connections to the local network with the following command: diff --git a/controls/V-72299.rb b/controls/V-72299.rb index 8565f855c..ea961b259 100644 --- a/controls/V-72299.rb +++ b/controls/V-72299.rb @@ -17,7 +17,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['vsftpd'] - tag "check": "Verify an FTP server has not been installed on the system. + desc "check", "Verify an FTP server has not been installed on the system. Check to see if an FTP server has been installed with the following commands: @@ -28,7 +28,7 @@ If \"vsftpd\" is installed and is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding. " - tag "fix": "Document the \"vsftpd\" package with the ISSO as an operational + desc "fix", "Document the \"vsftpd\" package with the ISSO as an operational requirement or remove it from the system with the following command: # yum remove vsftpd diff --git a/controls/V-72301.rb b/controls/V-72301.rb index eef041fc3..2526805bd 100644 --- a/controls/V-72301.rb +++ b/controls/V-72301.rb @@ -17,7 +17,7 @@ tag "documentable": false tag "nist": ["CM-3 f", "CM-6 c", "CM-11 (2)", "CM-5 (1)", "CM-5 (1)", "Rev_4"] tag "subsystems": ['tftp'] - tag "check": "Verify a TFTP server has not been installed on the system. + desc "check", "Verify a TFTP server has not been installed on the system. Check to see if a TFTP server has been installed with the following command: 
@@ -26,7 +26,7 @@ If TFTP is installed and the requirement for TFTP is not documented with the ISSO, this is a finding." - tag "fix": "Remove the TFTP package from the system with the following + desc "fix", "Remove the TFTP package from the system with the following command: # yum remove tftp" diff --git a/controls/V-72303.rb b/controls/V-72303.rb index 473ad5495..ae92721cf 100644 --- a/controls/V-72303.rb +++ b/controls/V-72303.rb @@ -13,7 +13,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ["ssh"] - tag "check": "Verify remote X connections for interactive users are encrypted. + desc "check", "Verify remote X connections for interactive users are encrypted. Check that remote X connections are encrypted with the following command: @@ -23,7 +23,7 @@ If the \"X11Forwarding\" keyword is set to \"no\", is missing, or is commented out, this is a finding." - tag "fix": "Configure SSH to encrypt connections for interactive users. + desc "fix", "Configure SSH to encrypt connections for interactive users. Edit the \"/etc/ssh/sshd_config\" file to uncomment or add the line for the \"X11Forwarding\" keyword and set its value to \"yes\" (this file may be named diff --git a/controls/V-72305.rb b/controls/V-72305.rb index 50adb04d7..c9f311643 100644 --- a/controls/V-72305.rb +++ b/controls/V-72305.rb @@ -18,7 +18,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['tftp'] - tag "check": "Verify the TFTP daemon is configured to operate in secure mode. + desc "check", "Verify the TFTP daemon is configured to operate in secure mode. Check to see if a TFTP server has been installed with the following commands: 
@@ -35,7 +35,7 @@ If the \"server_args\" line does not have a \"-s\" option and a subdirectory is not assigned, this is a finding." - tag "fix": "Configure the TFTP daemon to operate in secure mode by adding the + desc "fix", "Configure the TFTP daemon to operate in secure mode by adding the following line to \"/etc/xinetd.d/tftp\" (or modify the line to have the required value): diff --git a/controls/V-72307.rb b/controls/V-72307.rb index c00818d61..3f49a4b36 100644 --- a/controls/V-72307.rb +++ b/controls/V-72307.rb @@ -3,7 +3,7 @@ # TODO this needs to be reworked to allow `X11_NEEDED` attribute -x11_enabled = attribute( +x11_enabled = input( 'x11_enabled', description: 'Set to `true` if a GUI or X11 is needed on the system', value: false @@ -24,7 +24,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['packages'] - tag "check": "Verify that if the system has X Windows System installed, it is + desc "check", "Verify that if the system has X Windows System installed, it is authorized. Check for the X11 package with the following command: @@ -36,7 +36,7 @@ If the use of X Windows on the system is not documented with the Information System Security Officer (ISSO), this is a finding." - tag "fix": "Document the requirement for an X Windows server with the ISSO or + desc "fix", "Document the requirement for an X Windows server with the ISSO or remove the related packages with the following commands: # rpm -e xorg-x11-server-common" diff --git a/controls/V-72309.rb b/controls/V-72309.rb index b03c33cfe..e396fa98b 100644 --- a/controls/V-72309.rb +++ b/controls/V-72309.rb @@ -19,7 +19,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['kernel_parameter'] - tag "check": "Verify the system is not performing packet forwarding, unless + desc "check", "Verify the system is not performing packet forwarding, unless the system is a router. Check to see if IP forwarding is enabled using the following command: 
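Review bot: The `# TODO this needs to be reworked to allow `X11_NEEDED` attribute` comment directly above the renamed `x11_enabled = input(` still speaks of an "attribute" and of a name that does not appear in the file, so after this change it no longer matches the code it annotates. I would rewrite it as `# TODO: rework this control so the x11_enabled input can record an ISSO-documented X11 requirement`, or drop it if the input already covers that case. The part of the control that consumes x11_enabled is outside this hunk, so what the input actually gates is inferred from its description only.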
@@ -29,7 +29,7 @@ If IP forwarding value is \"1\" and the system is hosting any application, database, or web servers, this is a finding." - tag "fix": "Set the system to the required kernel parameter by adding the + desc "fix", "Set the system to the required kernel parameter by adding the following line to \"/etc/sysctl.conf\" (or modify the line to have the required value): diff --git a/controls/V-72311.rb b/controls/V-72311.rb index 5a141ba21..6aba5125c 100644 --- a/controls/V-72311.rb +++ b/controls/V-72311.rb @@ -16,7 +16,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['nfs'] - tag "check": "Verify \"AUTH_GSS\" is being used to authenticate NFS mounts. + desc "check", "Verify \"AUTH_GSS\" is being used to authenticate NFS mounts. To check if the system is importing an NFS file system, look for any entries in the \"/etc/fstab\" file that have a file system type of \"nfs\" with the @@ -28,7 +28,7 @@ If the system is mounting file systems via NFS and has the sec option without the \"krb5:krb5i:krb5p\" settings, the \"sec\" option has the \"sys\" setting, or the \"sec\" option is missing, this is a finding." - tag "fix": "Update the \"/etc/fstab\" file so the option \"sec\" is defined + desc "fix", "Update the \"/etc/fstab\" file so the option \"sec\" is defined for each NFS mounted file system and the \"sec\" option does not have the \"sys\" setting. diff --git a/controls/V-72313.rb b/controls/V-72313.rb index e6d76f4fc..055e99149 100644 --- a/controls/V-72313.rb +++ b/controls/V-72313.rb @@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['snmp'] - tag "check": "Verify that a system using SNMP is not using default community + desc "check", "Verify that a system using SNMP is not using default community strings. Check to see if the \"/etc/snmp/snmpd.conf\" file exists with the following 
@@ -40,7 +40,7 @@ # grep private /etc/snmp/snmpd.conf If either of these commands returns any output, this is a finding." - tag "fix": "If the \"/etc/snmp/snmpd.conf\" file exists, modify any lines + desc "fix", "If the \"/etc/snmp/snmpd.conf\" file exists, modify any lines that contain a community string value of \"public\" or \"private\" to another string value." tag "fix_id": "F-78667r1_fix" diff --git a/controls/V-72315.rb b/controls/V-72315.rb index 3fd860f33..67fc39330 100644 --- a/controls/V-72315.rb +++ b/controls/V-72315.rb @@ -18,7 +18,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ["iptables", 'firewall'] - tag "check": "If the \"firewalld\" package is not installed, ask the System + desc "check", "If the \"firewalld\" package is not installed, ask the System Administrator (SA) if another firewall application (such as iptables) is installed. If an application firewall is not installed, this is a finding. @@ -69,7 +69,7 @@ If \"firewalld\" is active and is not configured to grant access to specific hosts or \"tcpwrappers\" is not configured to grant or deny access to specific hosts, this is a finding." - tag "fix": "If \"firewalld\" is installed and active on the system, configure + desc "fix", "If \"firewalld\" is installed and active on the system, configure rules for allowing specific services and hosts. If \"firewalld\" is not \"active\", enable \"tcpwrappers\" by configuring @@ -77,7 +77,7 @@ specific hosts. " tag "fix_id": "F-78669r2_fix" - describe "This control must be reviewd manually" do + describe "This control must be reviewed manually" do skip "You must review this control manually." end end diff --git a/controls/V-72317.rb b/controls/V-72317.rb index 5ccb67bd6..0f9f3cb37 100644 --- a/controls/V-72317.rb +++ b/controls/V-72317.rb @@ -1,7 +1,7 @@ # encoding: utf-8 # -approved_tunnels = attribute( +approved_tunnels = input( 'approved_tunnels', value: [ # Example 
@@ -28,7 +28,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['libreswan', 'ipsec'] - tag "check": "Verify the system does not have unauthorized IP tunnels + desc "check", "Verify the system does not have unauthorized IP tunnels configured. Check to see if \"libreswan\" is installed with the following command: @@ -57,7 +57,7 @@ ask the System Administrator if the tunnel is documented with the ISSO. If \"libreswan\" is installed, \"IPsec\" is active, and an undocumented tunnel is active, this is a finding." - tag "fix": "Remove all unapproved tunnels from the system, or document them + desc "fix", "Remove all unapproved tunnels from the system, or document them with the ISSO." tag "fix_id": "F-78671r1_fix" diff --git a/controls/V-72319.rb b/controls/V-72319.rb index c1a44b00e..528347990 100644 --- a/controls/V-72319.rb +++ b/controls/V-72319.rb @@ -20,7 +20,7 @@ tag "nist": ["CM-6 b", "Rev_4"] tag "networking","kernel" tag "subsystems": ['kernel_parameter'] - tag "check": "Verify the system does not accept IPv6 source-routed packets. + desc "check", "Verify the system does not accept IPv6 source-routed packets. Note: If IPv6 is not enabled, the key will not exist, and this is not a finding. @@ -31,7 +31,7 @@ If the returned lines do not have a value of \"0\", or a line is not returned, this is a finding." - tag "fix": "Set the system to the required kernel parameter, if IPv6 is + desc "fix", "Set the system to the required kernel parameter, if IPv6 is enabled, by adding the following line to \"/etc/sysctl.conf\" (or modify the line to have the required value): diff --git a/controls/V-72417.rb b/controls/V-72417.rb index 4e67c24c3..15fad05ab 100644 --- a/controls/V-72417.rb +++ b/controls/V-72417.rb @@ -1,7 +1,7 @@ # encoding: utf-8 # -mfa_pkg_list = attribute( +mfa_pkg_list = input( 'mfa_pkg_list', description: 'The list of packages needed for MFA on RHEL', value: [ 
@@ -10,7 +10,7 @@ 'authconfig-gtk', ]) -smart_card_status = attribute( +smart_card_status = input( 'smart_card_status', value: 'enabled', # values(enabled|disabled) description: 'Smart Card Status' @@ -62,7 +62,7 @@ tag "nist": ["IA-2 (11)", "IA-2 (12)", "IA-2 (12)", "Rev_4"] tag "subsystems": ['pki', 'pam', 'MFA', 'pkcs11', 'smartcard'] tag "pki","MFA","pam","pkcs11","networking" - tag "check": "Verify the operating system has the packages required for + desc "check", "Verify the operating system has the packages required for multifactor authentication installed. Check for the presence of the packages required to support multifactor @@ -79,7 +79,7 @@ If the \"esc\", \"pam_pkcs11\", and \"authconfig-gtk\" packages are not installed, this is a finding." - tag "fix": "Configure the operating system to implement multifactor + desc "fix", "Configure the operating system to implement multifactor authentication by installing the required packages. Install the \"esc\", \"pam_pkcs11\", \"authconfig\", and \"authconfig-gtk\" diff --git a/controls/V-72427.rb b/controls/V-72427.rb index 7951f52b9..875dbcef8 100644 --- a/controls/V-72427.rb +++ b/controls/V-72427.rb @@ -46,7 +46,7 @@ tag "nist": ["IA-2 (11)", "IA-2 (12)", "IA-2 (12)", "Rev_4"] tag "subsystems": ['pam', 'nss', 'MFA', 'pki', 'sssd'] tag "pam","nss","MFA","pki" - tag "check": "Verify the operating system implements multifactor + desc "check", "Verify the operating system implements multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM). @@ -58,7 +58,7 @@ services = nss, pam If the \"pam\" service is not present, this is a finding." - tag "fix": "Configure the operating system to implement multifactor + desc "fix", "Configure the operating system to implement multifactor authentication for remote access to privileged accounts via pluggable authentication modules (PAM). 
@@ -68,16 +68,22 @@ # its('services") doesn't appear to be working properly # added a test with grep to make sure one will pass if pam exists. - sssd_files = command("find /etc/sssd -name *.conf").stdout.split("\n") - sssd_files.each do |file| - describe.one do - describe parse_config_file(file) do - its('services') { should include 'pam' } + if (!(sssd_files = command("find /etc/sssd -name *.conf").stdout.split("\n")).empty?) + sssd_files.each do |file| + describe.one do + describe parse_config_file(file) do + its('services') { should include 'pam' } + end if package('sssd').installed? + describe command("grep -i -E 'services(\s)*=(\s)*(.+*)pam' #{file}") do + its('stdout.strip') { should include 'pam' } + end if package('sssd').installed? end if package('sssd').installed? - describe command("grep -i -E 'services(\s)*=(\s)*(.+*)pam' #{file}") do - its('stdout.strip') { should include 'pam' } - end if package('sssd').installed? - end if package('sssd').installed? + end + else + describe "The set of SSSD configuration files" do + subject { sssd_files.to_a } + it { should_not be_empty } + end end describe "The SSSD Package is not installed on the system" do skip "This control is Not Appliciable without the SSSD Package installed." diff --git a/controls/V-72433.rb b/controls/V-72433.rb index 9319613a1..0bc203448 100644 --- a/controls/V-72433.rb +++ b/controls/V-72433.rb @@ -1,7 +1,7 @@ # encoding: utf-8 # -smart_card_status = attribute( +smart_card_status = input( 'smart_card_status', value: 'enabled', # values(enabled|disabled) description: 'Smart Card Status' @@ -52,7 +52,7 @@ tag "documentable": false tag "nist": ["IA-2 (11)", "IA-2 (12)", "IA-2 (12)", "Rev_4"] tag "subsystems": ['pam_pkcs11', 'pam' , 'pkcs11'] - tag "check": "Verify the operating system implements certificate status + desc "check", "Verify the operating system implements certificate status checking for PKI authentication. Check to see if Online Certificate Status Protocol (OCSP) is enabled on the 
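Review bot: The new `else` branch fails unconditionally on any host that has no /etc/sssd/*.conf, including hosts where sssd is not installed and the following `describe ... skip` marks the control Not Applicable, because unlike the describes inside the loop it carries no `package('sssd').installed?` guard; close it with `end if package('sssd').installed?` (the control's outer `end` and the guard on the skip block are outside the hunk). The `*.conf` in `command("find /etc/sssd -name *.conf")` is also unquoted, so the shell expands the glob against the working directory before find ever sees it; use `command("find /etc/sssd -name '*.conf'")`. Minor: `sssd_files.to_a` is already an Array from `split`, and the skip message misspells "Applicable".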
@@ -70,22 +70,37 @@ If \"oscp_on\" is not present in all \"cert_policy\" lines in \"/etc/pam_pkcs11/pam_pkcs11.conf\", this is a finding. " - tag "fix": "Configure the operating system to do certificate status checking + desc "fix", "Configure the operating system to do certificate status checking for PKI authentication. Modify all of the \"cert_policy\" lines in \"/etc/pam_pkcs11/pam_pkcs11.conf\" to include \"ocsp_on\"." tag "fix_id": "F-78785r3_fix" - describe command("grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf") do - its('stdout') { should include 'ocsp_on' } - end if smart_card_status.eql?('enabled') - - describe command("grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | wc -l") do - its('stdout.strip.to_i') { should cmp >= 3 } - end if smart_card_status.eql?('enabled') - - describe "The system is not smartcard enabled" do - skip "The system is not using Smartcards / PIVs to fulfil the MFA requirement, this control is Not Applicable." - end if !smart_card_status.eql?('enabled') + if smart_card_status.eql?('enabled') + if ((pam_file = file('/etc/pam_pkcs11/pam_pkcs11.conf')).exist?) + cert_policy_lines = (pam_file.content.nil?)?[]: + pam_file.content.lines.grep(%r{^(?!.+#).*cert_policy}i) + if (cert_policy_lines.length < 3) + describe "should contain at least 3 cert policy lines" do + subject { cert_policy_lines.length } + it { should >= 3 } + end + else + describe "each cert policy line should include oscp_on" do + cert_policy_lines.each do |line| + line.should match %r{=[^;]*ocsp_on}i + end + end + end + else + describe pam_file do + it { should exist } + end + end + else + describe "The system is not smartcard enabled" do + skip "The system is not using Smartcards / PIVs to fulfil the MFA requirement, this control is Not Applicable." + end + end end diff --git a/controls/V-72435.rb b/controls/V-72435.rb index 2a3431ae3..0e6ad2617 100644 --- a/controls/V-72435.rb +++ b/controls/V-72435.rb 
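Review bot: `line.should match %r{=[^;]*ocsp_on}i` runs while the `describe` body is being evaluated rather than inside an example, so the group defines no tests and a line without ocsp_on raises an ExpectationNotMetError during profile load instead of reporting a failed control; wrap each check as `it("#{line.strip} includes ocsp_on") { expect(line).to match(%r{=[^;]*ocsp_on}i) }`. The comment filter `%r{^(?!.+#).*cert_policy}i` is also inverted in effect: `(?!.+#)` needs at least one character before the `#`, so a commented line such as `#cert_policy = ...` is counted as active while an active line with a trailing `# comment` is discarded; `%r{^\s*[^#]*cert_policy}i` excludes comments and keeps the rest. The describe title also says `oscp_on` where the option is `ocsp_on`.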
@@ -70,7 +70,7 @@ tag "cci": "CCI-001954" tag "nist": ["IA-2 (12)", "Rev_4"] tag "subsystems": ['smartcard', 'MFA'] - tag "check": "Verify the operating system requires smart card logons for + desc "check", "Verify the operating system requires smart card logons for multifactor authentication to uniquely identify privileged users. Check to see if smartcard authentication is enforced on the system with the @@ -84,7 +84,7 @@ If smartcard authentication is disabled or the smartcard and smartcard removal actions are blank, this is a finding." - tag "fix": "Configure the operating system to implement smart card logon for + desc "fix", "Configure the operating system to implement smart card logon for multifactor authentication to uniquely identify privileged users. Enable smart card logons with the following commands: diff --git a/controls/V-73155.rb b/controls/V-73155.rb index 438f94bc2..d4f419c9d 100644 --- a/controls/V-73155.rb +++ b/controls/V-73155.rb @@ -28,7 +28,7 @@ tag "documentable": false tag "nist": ["AC-11 a", "Rev_4"] tag "subsystems": ["gnome3"] - tag "check": "Verify the operating system prevents a user from overriding a + desc "check", "Verify the operating system prevents a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. @@ -52,7 +52,7 @@ /org/gnome/desktop/screensaver/lock-delay If the command does not return a result, this is a finding." - tag "fix": "Configure the operating system to prevent a user from overriding + desc "fix", "Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. diff --git a/controls/V-73157.rb b/controls/V-73157.rb index d7d9d7467..51d1685f7 100644 --- a/controls/V-73157.rb +++ b/controls/V-73157.rb 
@@ -28,7 +28,7 @@ tag "documentable": false tag "nist": ["AC-11 a", "Rev_4"] tag "subsystems": ['gnome3'] - tag "check": "Verify the operating system prevents a user from overriding + desc "check", "Verify the operating system prevents a user from overriding session idle delay after a 15-minute period of inactivity for graphical user interfaces. @@ -52,7 +52,7 @@ /org/gnome/desktop/session/idle-delay If the command does not return a result, this is a finding." - tag "fix": "Configure the operating system to prevent a user from overriding + desc "fix", "Configure the operating system to prevent a user from overriding a session lock after a 15-minute period of inactivity for graphical user interfaces. diff --git a/controls/V-73159.rb b/controls/V-73159.rb index c6acb40ba..007c94a2b 100644 --- a/controls/V-73159.rb +++ b/controls/V-73159.rb @@ -1,6 +1,6 @@ # encoding: utf-8 # -max_retry = attribute('max_retry', value: 3, +max_retry = input('max_retry', value: 3, description: 'The operating system must limit password failures.') @@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["IA-5 (1) (a)", "Rev_4"] tag "subsystems": ['pam', 'pwquality', 'password'] - tag "check": "Verify the operating system uses \"pwquality\" to enforce the + desc "check", "Verify the operating system uses \"pwquality\" to enforce the password complexity rules. Check for the use of \"pwquality\" with the following command: @@ -34,7 +34,7 @@ \"pam_pwquality.so\", this is a finding. If the value of \"retry\" is set to \"0\" or greater than \"3\", this is a finding." - tag "fix": "Configure the operating system to use \"pwquality\" to enforce + desc "fix", "Configure the operating system to use \"pwquality\" to enforce password complexity rules. Add the following line to \"/etc/pam.d/passwd\" (or modify the line to have the diff --git a/controls/V-73161.rb b/controls/V-73161.rb index 171741603..5d80a40b7 100644 --- a/controls/V-73161.rb +++ b/controls/V-73161.rb 
@@ -17,7 +17,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['nfs'] - tag "check": "Verify file systems that are being NFS exported are mounted + desc "check", "Verify file systems that are being NFS exported are mounted with the \"noexec\" option. Find the file system(s) that contain the directories being exported with the @@ -31,7 +31,7 @@ \"noexec\" option set, and use of NFS exported binaries is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding." - tag "fix": "Configure the \"/etc/fstab\" to use the \"noexec\" option on file + desc "fix", "Configure the \"/etc/fstab\" to use the \"noexec\" option on file systems that are being exported via NFS." tag "fix_id": "F-79607r1_fix" diff --git a/controls/V-73163.rb b/controls/V-73163.rb index 90fcc5e37..67679c3d0 100644 --- a/controls/V-73163.rb +++ b/controls/V-73163.rb @@ -14,7 +14,7 @@ tag "documentable": false tag "nist": ["AU-4 (1)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audisp'] - tag "check": "Verify the action the operating system takes if there is an + desc "check", "Verify the action the operating system takes if there is an error sending audit records to a remote system. Check the action that takes place if there is an error sending audit records to @@ -25,7 +25,7 @@ If the value of the \"network_failure_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented out, this is a finding." - tag "fix": "Configure the action the operating system takes if there is an + desc "fix", "Configure the action the operating system takes if there is an error sending audit records to a remote system. Uncomment the \"network_failure_action\" option in diff --git a/controls/V-73165.rb b/controls/V-73165.rb index a91c291b9..9986c2000 100644 --- a/controls/V-73165.rb +++ b/controls/V-73165.rb 
@@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["AC-2 (4)", "AU-12 c", "AC-2 (4)", "AC-2 (4)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system must generate audit records for all + desc "check", "Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/group\". @@ -34,7 +34,7 @@ If the command does not return a line, or the line is commented out, this is a finding." - tag "fix": "Configure the operating system to generate audit records for all + desc "fix", "Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/group\". diff --git a/controls/V-73167.rb b/controls/V-73167.rb index 2b11eeedf..7396058fb 100644 --- a/controls/V-73167.rb +++ b/controls/V-73167.rb @@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["AC-2 (4)", "AU-12 c", "AC-2 (4)", "AC-2 (4)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule', 'gshadow'] - tag "check": "Verify the operating system must generate audit records for all + desc "check", "Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/gshadow\". @@ -34,7 +34,7 @@ If the command does not return a line, or the line is commented out, this is a finding." - tag "fix": "Configure the operating system to generate audit records for all + desc "fix", "Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect \"/etc/gshadow\". diff --git a/controls/V-73171.rb b/controls/V-73171.rb index 3d0da061e..f2399816b 100644 --- a/controls/V-73171.rb +++ b/controls/V-73171.rb 
@@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["AC-2 (4)", "AU-12 c", "AC-2 (4)", "AC-2 (4)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule'] - tag "check": "Verify the operating system must generate audit records for all + desc "check", "Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. @@ -34,7 +34,7 @@ If the command does not return a line, or the line is commented out, this is a finding." - tag "fix": "Configure the operating system to generate audit records for all + desc "fix", "Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. diff --git a/controls/V-73173.rb b/controls/V-73173.rb index bf6b4573a..f119eae2b 100644 --- a/controls/V-73173.rb +++ b/controls/V-73173.rb @@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["AC-2 (4)", "AU-12 c", "AC-2 (4)", "AC-2 (4)", "Rev_4"] tag "subsystems": ['audit', 'auditd', 'audit_rule', 'opasswd'] - tag "check": "Verify the operating system must generate audit records for all + desc "check", "Verify the operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. @@ -34,7 +34,7 @@ If the command does not return a line, or the line is commented out, this is a finding." - tag "fix": "Configure the operating system to generate audit records for all + desc "fix", "Configure the operating system to generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd. diff --git a/controls/V-73175.rb b/controls/V-73175.rb index f292906da..8f7fc26a2 100644 --- a/controls/V-73175.rb +++ b/controls/V-73175.rb 
@@ -17,7 +17,7 @@ tag "nist": ["CM-6 b", "Rev_4"] tag "networking","kernel" tag "subsystems": ['kernel_parameter'] - tag "check": "Verify the system ignores IPv4 ICMP redirect messages. + desc "check", "Verify the system ignores IPv4 ICMP redirect messages. Check the value of the \"accept_redirects\" variables with the following command: @@ -28,7 +28,7 @@ If the returned line does not have a value of \"0\", or a line is not returned, this is a finding." - tag "fix": "Set the system to ignore IPv4 ICMP redirect messages by adding + desc "fix", "Set the system to ignore IPv4 ICMP redirect messages by adding the following line to \"/etc/sysctl.conf\" (or modify the line to have the required value): diff --git a/controls/V-73177.rb b/controls/V-73177.rb index c9f41d0bc..443348834 100644 --- a/controls/V-73177.rb +++ b/controls/V-73177.rb 
@@ -17,28 +17,31 @@ tag "cci": ["CCI-001443", "CCI-001444", "CCI-002418"] tag "documentable": false tag "nist": ["AC-18 (1)", "AC-18 (1)", "SC-8", "Rev_4"] + tag "subsystems": ['network', 'wifi', 'nmcli'] + tag "fix_id": "F-79623r1_fix" tag "networking","wifi" - tag "check": "Verify that there are no wireless interfaces configured on the -system. -This is N/A for systems that do not have wireless network adapters. + desc "check", "Verify that there are no wireless interfaces configured on the + system. -Check for the presence of active wireless interfaces with the following command: + This is N/A for systems that do not have wireless network adapters. -# nmcli device -DEVICE TYPE STATE -eth0 ethernet connected -wlp3s0 wifi disconnected -lo loopback unmanaged + Check for the presence of active wireless interfaces with the following command: -If a wireless interface is configured and its use on the system is not -documented with the Information System Security Officer (ISSO), this is a -finding." - tag "fix": "Configure the system to disable all wireless network interfaces -with the following command: + # nmcli device + DEVICE TYPE STATE + eth0 ethernet connected + wlp3s0 wifi disconnected + lo loopback unmanaged -#nmcli radio wifi off" - tag "fix_id": "F-79623r1_fix" + If a wireless interface is configured and its use on the system is not + documented with the Information System Security Officer (ISSO), this is a + finding." + + desc "fix", "Configure the system to disable all wireless network interfaces + with the following command: + + # nmcli radio wifi off" describe command('nmcli device') do its('stdout.strip') { should_not match %r{wifi connected} } diff --git a/controls/V-77819.rb b/controls/V-77819.rb index 5feae542c..231514d2c 100644 --- a/controls/V-77819.rb +++ b/controls/V-77819.rb 
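Review bot: The unchanged assertion `its('stdout.strip') { should_not match %r{wifi connected} }` will most likely pass on a host with an active wireless link, because nmcli aligns its columns with runs of spaces (the single-space sample in the check text appears to have had its whitespace collapsed), so the literal `wifi connected` never appears; `should_not match %r{\bwifi\s+connected\b}` tolerates the padding and still does not match `disconnected`. The describe's closing `end` and the control's `end` are outside the hunk.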
@@ -1,13 +1,13 @@ # encoding: utf-8 # -multifactor_enabled = attribute( +multifactor_enabled = input( 'multifactor_enabled', value: 'true', description: "Should dconf have smart card authentication" ) -dconf_user = attribute( +dconf_user = input( 'dconf_user', value: '', description: "User to use to check dconf settings" @@ -41,7 +41,7 @@ tag "documentable": false tag "nist": ["IA-2 (11)", "IA-2 (12)", "IA-2 (12)", "Rev_4"] tag "subsystems": ["gnome3"] - tag "check": "Verify the operating system uniquely identifies and + desc "check", "Verify the operating system uniquely identifies and authenticates users using multifactor authentication via a graphical user logon. Note: If the system does not have GNOME installed, this requirement is Not @@ -63,7 +63,7 @@ If \"enable-smartcard-authentication\" is set to \"false\" or the keyword is missing, this is a finding." - tag "fix": "Configure the operating system to uniquely identify and + desc "fix", "Configure the operating system to uniquely identify and authenticate users using multifactor authentication via a graphical user logon. Note: If the system does not have GNOME installed, this requirement is Not diff --git a/controls/V-77821.rb b/controls/V-77821.rb index b936a897f..b8c009664 100644 --- a/controls/V-77821.rb +++ b/controls/V-77821.rb @@ -14,7 +14,7 @@ tag "documentable": false tag "nist": ["IA-3", "Rev_4"] tag "subsystems": ['dccp', 'kernel_module'] - tag "check": "Verify the operating system disables the ability to load the + desc "check", "Verify the operating system disables the ability to load the DCCP kernel module. Check to see if the DCCP kernel module is disabled with the following command: 
@@ -26,7 +26,7 @@ If the command does not return any output, or the line is commented out, and use of DCCP is not documented with the Information System Security Officer (ISSO) as an operational requirement, this is a finding." - tag "fix": "Configure the operating system to disable the ability to use the + desc "fix", "Configure the operating system to disable the ability to use the DCCP kernel module. Create a file under \"/etc/modprobe.d\" with the following command: diff --git a/controls/V-77823.rb b/controls/V-77823.rb index 215f24f67..03007295d 100644 --- a/controls/V-77823.rb +++ b/controls/V-77823.rb @@ -2,11 +2,12 @@ # control "V-77823" do title "The operating system must require authentication upon booting into -single-user and maintenance modes." + single-user and maintenance modes." desc "If the system does not require valid root authentication before it -boots into single-user or maintenance mode, anyone who invokes single-user or -maintenance mode is granted privileged access to all files on the system." + boots into single-user or maintenance mode, anyone who invokes single-user or + maintenance mode is granted privileged access to all files on the system." impact 0.5 + tag "gtitle": "SRG-OS-000080-GPOS-00048" tag "gid": "V-77823" tag "rid": "SV-92519r1_rule" 
@@ -14,30 +15,32 @@ tag "cci": ["CCI-000213"] tag "documentable": false tag "nist": ["AC-3", "Rev_4"] - tag "check": "Verify the operating system must require authentication upon -booting into single-user and maintenance modes. + tag "subsystems": ['root', 'sulogin'] + tag "fix_id": "F-84523r1_fix" -Check that the operating system requires authentication upon booting into -single-user mode with the following command: + desc "check", "Verify the operating system must require authentication upon + booting into single-user and maintenance modes. -# grep -i execstart /usr/lib/systemd/system/rescue.service + Check that the operating system requires authentication upon booting into + single-user mode with the following command: -ExecStart=-/bin/sh -c \"/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block -default\" + # grep -i execstart /usr/lib/systemd/system/rescue.service -If \"ExecStart\" does not have \"/usr/sbin/sulogin\" as an option, this is a -finding. -" - tag "fix": "Configure the operating system to require authentication upon -booting into single-user and maintenance modes. + ExecStart=-/bin/sh -c \"/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block + default\" -Add or modify the \"ExecStart\" line in -\"/usr/lib/systemd/system/rescue.service\" to include \"/usr/sbin/sulogin\": + If \"ExecStart\" does not have \"/usr/sbin/sulogin\" as an option, this is a + finding. + " + desc "fix", "Configure the operating system to require authentication upon + booting into single-user and maintenance modes. 
-ExecStart=-/bin/sh -c \"/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block -default\" -" - tag "fix_id": "F-84523r1_fix" + Add or modify the \"ExecStart\" line in + \"/usr/lib/systemd/system/rescue.service\" to include \"/usr/sbin/sulogin\": + + ExecStart=-/bin/sh -c \"/usr/sbin/sulogin; /usr/bin/systemctl --fail --no-block + default\" + " describe command("grep -i execstart /usr/lib/systemd/system/rescue.service") do its('stdout.strip') { should match %r{/usr/sbin/sulogin} } diff --git a/controls/V-77825.rb b/controls/V-77825.rb index a5e85086c..6d6646592 100644 --- a/controls/V-77825.rb +++ b/controls/V-77825.rb @@ -1,6 +1,6 @@ # encoding: utf-8 # -randomize_va_space = attribute('randomize_va_space', value: 2, +randomize_va_space = input('randomize_va_space', value: 2, description: 'The value for the randomize virtual address space kernel parameter.') @@ -22,7 +22,7 @@ tag "documentable": false tag "nist": ["CM-6 b", "Rev_4"] tag "subsystems": ['ASLR', 'kernel_parameter'] - tag "check": "Verify the operating system implements virtual address space + desc "check", "Verify the operating system implements virtual address space randomization. Check that the operating system implements virtual address space randomization @@ -34,7 +34,7 @@ If \"kernel.randomize_va_space\" does not have a value of \"2\", this is a finding." - tag "fix": "Configure the operating system implement virtual address space + desc "fix", "Configure the operating system implement virtual address space randomization. Set the system to the required kernel parameter by adding the following line to diff --git a/controls/V-78995.rb b/controls/V-78995.rb index 246034a08..9bad177be 100644 --- a/controls/V-78995.rb +++ b/controls/V-78995.rb 
@@ -30,7 +30,7 @@ tag "documentable": false tag "nist": ["AC-11 a", "Rev_4"] tag "subsystems": ['gnome', 'gnome3'] - tag "check": "Verify the operating system prevents a user from overriding the + desc "check", "Verify the operating system prevents a user from overriding the screensaver lock-enabled setting for the graphical user interface. Note: If the system does not have GNOME installed, this requirement is Not @@ -54,7 +54,7 @@ If the command does not return a result, this is a finding. " - tag "fix": "Configure the operating system to prevent a user from overriding + desc "fix", "Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. diff --git a/controls/V-78997.rb b/controls/V-78997.rb index dee7228af..8b76551a1 100644 --- a/controls/V-78997.rb +++ b/controls/V-78997.rb @@ -29,7 +29,7 @@ tag "documentable": false tag "nist": ["AC-11 a", "Rev_4"] tag "subsystems": ["gnome3"] - tag "check": "Verify the operating system prevents a user from overriding the + desc "check", "Verify the operating system prevents a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface. Note: If the system does not have GNOME installed, this requirement is Not @@ -52,7 +52,7 @@ /org/gnome/desktop/screensaver/idle-activation-enabled If the command does not return a result, this is a finding." - tag "fix": "Configure the operating system to prevent a user from overriding + desc "fix", "Configure the operating system to prevent a user from overriding a screensaver lock after a 15-minute period of inactivity for graphical user interfaces. diff --git a/controls/V-78999.rb b/controls/V-78999.rb index 23acc8d08..087cf9a0e 100644 --- a/controls/V-78999.rb +++ b/controls/V-78999.rb 
@@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "Rev_4"] tag "subsystems": ["audit"] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"create_module\" command occur. Check the auditing rules in \"/etc/audit/audit.rules\" with the following @@ -41,7 +41,7 @@ -a always,exit -F arch=b64 -S create_module -k module-change If there are no audit rules defined for \"create_module\", this is a finding." - tag "fix": "Configure the operating system to generate audit records when + desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"create_module\" command occur. Add or update the following rules in \"/etc/audit/rules.d/audit.rules\": diff --git a/controls/V-79001.rb b/controls/V-79001.rb index de2f872f7..69f25df1c 100644 --- a/controls/V-79001.rb +++ b/controls/V-79001.rb @@ -21,7 +21,7 @@ tag "documentable": false tag "nist": ["AU-12 c", "Rev_4"] tag "subsystems": ["audit"] - tag "check": "Verify the operating system generates audit records when + desc "check", "Verify the operating system generates audit records when successful/unsuccessful attempts to use the \"finit_module\" command occur. Check the auditing rules in \"/etc/audit/audit.rules\" with the following @@ -41,7 +41,7 @@ -a always,exit -F arch=b64 -S finit_module -k module-change If there are no audit rules defined for \"finit_module\", this is a finding." - tag "fix": "Configure the operating system to generate audit records when + desc "fix", "Configure the operating system to generate audit records when successful/unsuccessful attempts to use the \"finit_module\" command occur. Add or update the following rules in \"/etc/audit/rules.d/audit.rules\": diff --git a/controls/V-81009.rb b/controls/V-81009.rb new file mode 100644 index 000000000..c409521f0 --- /dev/null 
+++ b/controls/V-81009.rb
@@ -0,0 +1,42 @@
+# encoding: utf-8
+#
+control "V-81009" do
+ title "The Red Hat Enterprise Linux operating system must mount /dev/shm with the nodev option."
+ desc "
+ The \"nodev\" mount option causes the system to not interpret character or block special devices.
+ Executing character or block special devices from untrusted file systems increases the opportunity
+ for unprivileged users to attain unauthorized administrative access."
+ impact 0.5
+ tag "gtitle": "SRG-OS-000368-GPOS-00154"
+ tag "gid": "V-81009"
+ tag "rid": "SV-95721r1_rule "
+ tag "stig_id": "RHEL-07-021022"
+ tag "cci": ["CCI-001764"]
+ tag "documentable": false
+ tag "nist": ["CM-6 b", "Rev_4"]
+ tag "subsystems": ['file_system']
+ desc "check", "
+ Verify that the \"nodev\" option is configured for /dev/shm.
+
+ Check that the operating system is configured to use the \"nodev\" option for /dev/shm with the following command:
+
+ # cat /etc/fstab | grep /dev/shm | grep nodev
+
+ tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
+
+ If the \"nodev\" option is not present on the line for \"/dev/shm\", this is a finding.
+
+ Verify \"/dev/shm\" is mounted with the \"nodev\" option:
+
+ # mount | grep \"/dev/shm\" | grep nodev
+
+ If no results are returned, this is a finding.
+ "
+ desc "fix", "
+ Configure the \"/etc/fstab\" to use the \"nodev\" option for all lines containing \"/dev/shm\".
+ "
+
+ describe mount('/dev/shm') do
+ its('options') { should include 'nodev' }
+ end
+end
diff --git a/controls/V-81011.rb b/controls/V-81011.rb
new file mode 100644
index 000000000..5a688109b
--- /dev/null
+++ b/controls/V-81011.rb
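Review bot: `tag "rid": "SV-95721r1_rule "` carries a trailing space, so this control's rule id will not equal the STIG's `SV-95721r1_rule` when results are matched to the checklist; the sibling controls have no trailing space, so drop it. The test also inspects only the live mount, while the check text requires the `nodev` option on the `/dev/shm` line of /etc/fstab as well, so a host mounted correctly by hand but with a bare fstab entry passes and loses the setting at reboot; add `describe etc_fstab.where { mount_point == '/dev/shm' } do` / `its('options.flatten') { should include 'nodev' }` / `end` beside the mount check.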
@@ -0,0 +1,31 @@
+# encoding: utf-8
+#
+control "V-81011" do
+ title "The Red Hat Enterprise Linux operating system must mount /dev/shm with the nosuid option."
+ desc "
+ The \"nosuid\" mount option causes the system to not execute \"setuid\" and \setgid\" files with owner privileges.
+ This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files.
+ Executing files from untrusted file systems increases the opportunity for unprivileged users to attain
+ unauthorized administrative access."
+ impact 0.5
+ tag "gtitle": "SRG-OS-000368-GPOS-00154"
+ tag "gid": "V-81011"
+ tag "rid": "SV-95723r1_rule"
+ tag "stig_id": "RHEL-07-021023"
+ tag "cci": ["CCI-001764"]
+ tag "documentable": false
+ tag "nist": ["CM-6 b", "Rev_4"]
+ tag "subsystems": ['file_system']
+ desc "check", "
+ The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner privileges.
+ This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files.
+ Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+ "
+ desc "fix", "
+ Configure the system so that /dev/shm is mounted with the \"nosuid\" option.
+ "
+
+ describe mount('/dev/shm') do
+ its('options') { should include 'nosuid' }
+ end
+end
diff --git a/controls/V-81013.rb b/controls/V-81013.rb
new file mode 100644
index 000000000..a992b278c
--- /dev/null
+++ b/controls/V-81013.rb
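Review bot: In the `desc` string of V-81011, `\setgid\"` is missing the backslash before the opening quote, and in a Ruby double-quoted string `\s` is a space character, so the stored description reads `"setuid" and  etgid" files`; change it to `\"setgid\"`. The `desc "check"` text also just restates the discussion paragraph rather than describing how to verify the option; the V-81009 hunk shows the intended form, an `/etc/fstab` grep followed by a `mount` grep for the option.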
@@ -0,0 +1,31 @@
+# encoding: utf-8
+#
+control "V-81013" do
+ title "The Red Hat Enterprise Linux operating system must mount /dev/shm with the noexec option."
+ desc "The \"noexec\" mount option causes the system to not execute binary files. This option
+ must be used for mounting any file system not containing approved binary files as they may be
+ incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged
+ users to attain unauthorized administrative access."
+ impact 0.5
+ tag "gtitle": "SRG-OS-000368-GPOS-00154"
+ tag "gid": "V-81013"
+ tag "rid": "SV-95725r1_rule"
+ tag "stig_id": "RHEL-07-001764"
+ tag "cci": ["CCI-000366"]
+ tag "documentable": false
+ tag "nist": ["CM-6 b", "Rev_4"]
+ tag "subsystems": ['file_system']
+ desc "check", "
+ The \"noexec\" mount option causes the system to not execute binary files. This option must be used
+ for mounting any file system not containing approved binary files as they may be incompatible. Executing
+ files from untrusted file systems increases the opportunity for unprivileged users to attain
+ unauthorized administrative access.
+ "
+ desc "fix", "
+ Configure the system so that /dev/shm is mounted with the \"noexec\" option.
+ "
+
+ describe mount('/dev/shm') do
+ its('options') { should include 'noexec' }
+ end
+end
diff --git a/controls/V-81015.rb b/controls/V-81015.rb
new file mode 100644
index 000000000..ddbc9aefd
--- /dev/null
+++ b/controls/V-81015.rb
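Review bot: `tag "stig_id": "RHEL-07-001764"` in V-81013 does not follow the `RHEL-07-0210xx` series of its sibling /dev/shm controls (V-81009 is `021022`, V-81011 is `021023`) and its digits coincide with the CCI those siblings carry (`CCI-001764`), while this control's own `cci` is `CCI-000366`; this looks like two fields were crossed, so verify both values against the STIG source rather than guessing. The `desc "check"` text also repeats the discussion paragraph instead of a verification procedure; the V-81009 hunk shows the intended shape with an `/etc/fstab` grep and a `mount` grep for the option.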
@@ -0,0 +1,47 @@
+# encoding: utf-8
+#
+control "V-81015" do
+ title "The Red Hat Enterprise Linux operating system must be configured to use the au-remote plugin."
+ desc "
+ Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is
+ a common process in information systems with limited audit storage capacity. Without the configuration of
+ the \"au-remote\" plugin, the audisp-remote daemon will not off-load the logs from the system being audited.
+ "
+ impact 0.5
+ tag "gtitle": "SRG-OS-000342-GPOS-00133"
+ tag "satisfies": ["SRG-OS-000342-GPOS-00133", "SRG-OS-000479-GPOS-00224"]
+ tag "gid": "V-81015"
+ tag "rid": "SV-95727r1_rule"
+ tag "stig_id": "RHEL-07-030200"
+ tag "cci": ["CCI-001851"]
+ tag "documentable": false
+ tag "nist": ["AU-12 c", "Rev_4"]
+ tag "subsystems": ["audit"]
+ tag "check_id": "C-80729r1_chk"
+ tag "fix_id": "F-87849r2_fix"
+ desc "check", "
+ Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+ Off-loading is a common process in information systems with limited audit storage capacity.
+
+ Without the configuration of the \"au-remote\" plugin, the audisp-remote daemon will not off-load the logs from the system being audited.
+ "
+ desc "fix", "
+ Edit the /etc/audisp/plugins.d/au-remote.conf file and change the value of \"active\" to \"yes\".
+
+ The audit daemon must be restarted for changes to take effect:
+
+ # service auditd restart
+ "
+
+ if file('/etc/audisp/audispd.conf').exist?
+ describe parse_config_file('/etc/audisp/audispd.conf') do
+ its('active') { should match %r{yes$} }
+ end
+ else
+ describe "File '/etc/audisp/audispd.conf' cannot be found. This test cannot be checked in a automated fashion and you must check it manually" do
+ skip "File '/etc/audisp/audispd.conf' cannot be found. This check must be performed manually"
+ end
+ end
+
+end
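Review bot: The `if file(...)`/`describe parse_config_file(...)` block at the end of the V-81015 hunk reads `/etc/audisp/audispd.conf`, but the `active = yes` setting that this control's own fix text edits lives in `/etc/audisp/plugins.d/au-remote.conf`, so the test passes or fails on the wrong file (audispd.conf presumably has no `active` key, so a correctly configured host reports a failure). Point both the `exist?` guard and `parse_config_file` at `/etc/audisp/plugins.d/au-remote.conf` and update the two skip-message strings to name that file. The V-81017 hunk has the same mismatch for its `direction`, `path` and `type` checks, whose check text greps au-remote.conf. Separately, `%r{yes$}` anchors only the end of the value, so any value ending in `yes` satisfies it; `its('active') { should cmp 'yes' }` (or `%r{\Ayes\z}`) pins the exact value, and the same suffix-only anchoring is repeated in the V-81017, V-81019 and V-81021 hunks.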
diff --git a/controls/V-81017.rb b/controls/V-81017.rb
new file mode 100644
index 000000000..ddfd198f7
--- /dev/null
+++ b/controls/V-81017.rb
@@ -0,0 +1,63 @@
+# encoding: utf-8
+#
+control "V-81017" do
+ title "The Red Hat Enterprise Linux operating system must configure the au-remote plugin to off-load audit logs using the audisp-remote daemon."
+ desc "
+ Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a
+ common process in information systems with limited audit storage capacity. Without the configuration of the \"au-remote\"
+ plugin, the audisp-remote daemon will not off load the logs from the system being audited.
+ "
+ impact 0.5
+ tag "gtitle": "SRG-OS-000342-GPOS-00133"
+ tag "satisfies": ["SRG-OS-000342-GPOS-00133", "SRG-OS-000479-GPOS-00224"]
+ tag "gid": "V-81017"
+ tag "rid": "SV-95729r1_rule"
+ tag "stig_id": "RHEL-07-030210"
+ tag "cci": ["CCI-001851"]
+ tag "documentable": false
+ tag "nist": ["AU-12 c", "Rev_4"]
+ tag "subsystems": ["audit"]
+ tag "check_id": "C-80731r2_chk"
+ tag "fix_id": "F-87851r2_fix"
+ desc "check", "
+ Verify the \"au-remote\" plugin is configured to always off-load audit logs using the audisp-remote daemon:
+
+ # cat /etc/audisp/plugins.d/au-remote.conf | grep -v \"^#\"
+
+ active = yes
+ direction = out
+ path = /sbin/audisp-remote
+ type = always
+ format = string
+
+ If the \"direction\" setting is not set to \"out\", or the line is commented out, this is a finding.
+
+ If the \"path\" setting is not set to \"/sbin/audisp-remote\", or the line is commented out, this is a finding.
+
+ If the \"type\" setting is not set to \"always\", or the line is commented out, this is a finding.
+ "
+ desc "fix", "
+ Edit the /etc/audisp/plugins.d/au-remote.conf file and add or update the following values:
+
+ direction = out
+ path = /sbin/audisp-remote
+ type = always
+
+ The audit daemon must be restarted for changes to take effect:
+
+ # service auditd restart
+ "
+
+ if file('/etc/audisp/audispd.conf').exist?
+ describe parse_config_file('/etc/audisp/audispd.conf') do
+ its('direction') { should match %r{out$} }
+ its('path') { should match %r{/sbin/audisp-remote$} }
+ its('type') { should match %r{always$} }
+ end
+ else
+ describe "File '/etc/audisp/audispd.conf' cannot be found. This test cannot be checked in a automated fashion and you must check it manually" do
+ skip "File '/etc/audisp/audispd.conf' cannot be found. This check must be performed manually"
+ end
+ end
+
+end
diff --git a/controls/V-81019.rb b/controls/V-81019.rb
new file mode 100644
index 000000000..0c65b4e3e
--- /dev/null
+++ b/controls/V-81019.rb
@@ -0,0 +1,51 @@
+# encoding: utf-8
+#
+control "V-81019" do
+ title "The Red Hat Enterprise Linux operating system must take appropriate action when the audisp-remote buffer is full."
+ desc "
+ Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a
+ common process in information systems with limited audit storage capacity. When the remote buffer is full, audit
+ logs will not be collected and sent to the central log server.
+ "
+ impact 0.5
+ tag "gtitle": "SRG-OS-000342-GPOS-00133"
+ tag "satisfies": ["SRG-OS-000342-GPOS-00133", "SRG-OS-000479-GPOS-00224"]
+ tag "gid": "V-81019"
+ tag "rid": "SV-95731r1_rule"
+ tag "stig_id": "RHEL-07-030210"
+ tag "cci": ["CCI-001851"]
+ tag "documentable": false
+ tag "nist": ["AU-12 c", "Rev_4"]
+ tag "subsystems": ["audit"]
+ tag "check_id": "C-80735r1_chk"
+ tag "fix_id": "F-87853r3_fix"
+ desc "check", "
+ Verify the audisp daemon is configured to take an appropriate action when the internal queue is full:
+
+ # grep \"overflow_action\" /etc/audisp/audispd.conf
+
+ overflow_action = syslog
+
+ If the \"overflow_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented out, this is a finding.
+ "
+ desc "fix", "
+ Edit the /etc/audisp/audispd.conf file and add or update the \"overflow_action\" option:
+
+ overflow_action = syslog
+
+ The audit daemon must be restarted for changes to take effect:
+
+ # service auditd restart
+ "
+
+ if file('/etc/audisp/audispd.conf').exist?
+ describe parse_config_file('/etc/audisp/audispd.conf') do
+ its('overflow_action') { should match %r{syslog$|single$|halt$} }
+ end
+ else
+ describe "File '/etc/audisp/audispd.conf' cannot be found. This test cannot be checked in a automated fashion and you must check it manually" do
+ skip "File '/etc/audisp/audispd.conf' cannot be found. This check must be performed manually"
+ end
+ end
+
+end
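Review bot: `tag "stig_id": "RHEL-07-030210"` in V-81019 is the same STIG ID the V-81017 hunk declares, so one of the two is presumably a copy error; the other identifiers (gid, rid, check_id, fix_id) are all distinct and the V-81021 hunk continues the series with `RHEL-07-030211`, but verify the correct value against the STIG source rather than guessing. The skip description `in a automated fashion` should read `in an automated fashion`; the same string is repeated in the V-81015, V-81017 and V-81021 hunks.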
diff --git a/controls/V-81021.rb b/controls/V-81021.rb
new file mode 100644
index 000000000..6e592d551
--- /dev/null
+++ b/controls/V-81021.rb
@@ -0,0 +1,52 @@
+# encoding: utf-8
+#
+control "V-81021" do
+ title "The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server."
+ desc "
+ Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+ Off-loading is a common process in information systems with limited audit storage capacity. When audit
+ logs are not labeled before they are sent to a central log server, the audit data will not be able to
+ be analyzed and tied back to the correct system.
+ "
+ impact 0.5
+ tag "gtitle": "SRG-OS-000342-GPOS-00133"
+ tag "satisfies": ["SRG-OS-000342-GPOS-00133", "SRG-OS-000479-GPOS-00224"]
+ tag "gid": "V-81021"
+ tag "rid": "SV-95733r1_rule"
+ tag "stig_id": "RHEL-07-030211"
+ tag "cci": ["CCI-001851"]
+ tag "documentable": false
+ tag "nist": ["AU-12 c", "Rev_4"]
+ tag "subsystems": ["audit"]
+ tag "check_id": "C-80737r1_chk"
+ tag "fix_id": "F-87855r2_fix"
+ desc "check", "
+ Verify the audisp daemon is configured to label all off-loaded audit logs:
+
+ # grep \"name_format\" /etc/audisp/audispd.conf
+
+ name_format = hostname
+
+ If the \"name_format\" option is not \"hostname\", \"fqd\", or \"numeric\", or the line is commented out, this is a finding.
+ "
+ desc "fix", "
+ Edit the /etc/audisp/audispd.conf file and add or update the \"name_format\" option:
+
+ name_format = hostname
+
+ The audit daemon must be restarted for changes to take effect:
+
+ # service auditd restart
+ "
+
+ if file('/etc/audisp/audispd.conf').exist?
+ describe parse_config_file('/etc/audisp/audispd.conf') do
+ its('name_format') { should match %r{hostname$|fqd$|\d+} }
+ end
+ else
+ describe "File '/etc/audisp/audispd.conf' cannot be found. This test cannot be checked in a automated fashion and you must check it manually" do
+ skip "File '/etc/audisp/audispd.conf' cannot be found. This check must be performed manually"
+ end
+ end
+
+end
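Review bot: The regex `%r{hostname$|fqd$|\d+}` in V-81021 treats the third allowed value as a run of digits, but the check text lists the literal keyword `numeric`, and the audispd.conf `name_format` option takes keywords rather than a number; as written, `name_format = numeric` fails this control while any value containing a digit passes. Replace the assertion with `its('name_format') { should match %r{\A(hostname|fqd|numeric)\z} }`, which also anchors the start of the two other alternatives.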
diff --git a/spec/acceptance/suites/default/00_default_spec.rb b/spec/acceptance/suites/default/00_default_spec.rb index 508957544..58a1d47b7 100644 --- a/spec/acceptance/suites/default/00_default_spec.rb +++ b/spec/acceptance/suites/default/00_default_spec.rb @@ -11,19 +11,31 @@ profiles_to_validate.each do |profile| context "for profile #{profile}" do context "on #{host}" do - before(:all) do - @inspec = Simp::BeakerHelpers::Inspec.new(host, profile) - end + profile_path = File.join( + fixtures_path, + 'inspec_profiles', + "#{fact_on(host, 'operatingsystem')}-#{fact_on(host, 'operatingsystemmajrelease')}-#{profile}" + ) - it 'should run inspec' do - @inspec.run - end + unless File.exist?(profile_path) + it 'should run inspec' do + skip("No matching profile available at #{profile_path}") + end + else + before(:all) do + @inspec = Simp::BeakerHelpers::Inspec.new(host, profile) + end + + it 'should run inspec' do + @inspec.run + end - it 'should have an inspec report' do - inspec_report = @inspec.process_inspec_results + it 'should have an inspec report' do + inspec_report = @inspec.process_inspec_results - if inspec_report[:failed] > 0 - puts inspec_report[:report] + if inspec_report[:failed] > 0 + puts inspec_report[:report] + end end end end diff --git a/spec/acceptance/suites/default/05_inheritance_spec.rb b/spec/acceptance/suites/default/05_inheritance_spec.rb index 91f9fb8dd..94791e81b 100644 --- a/spec/acceptance/suites/default/05_inheritance_spec.rb +++ b/spec/acceptance/suites/default/05_inheritance_spec.rb @@ -1,9 +1,9 @@ require 'spec_helper_acceptance' require 'json' -test_name 'Validate Inspec Inheritance' +test_name 'Inheritance Test' -describe 'Ensure that inheritance works' do +describe 'inheritance test' do profiles_to_validate = ['inheritance_test'] 
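Review bot: The `unless File.exist?(profile_path) … else … end` introduced in the 00_default_spec hunk is an inverted conditional with an else branch, which the Ruby style guide rejects; write it as `if File.exist?(profile_path)` with the real examples first and the skip example in the else branch. The same shape is repeated in the second 05_inheritance_spec hunk and in the 20_post_remediation_check_spec hunk. `profile_path` is also built from `fact_on(host, …)` calls placed directly in the example-group body, so those lookups presumably run while RSpec loads the file rather than inside a hook or example; if that is intended, a one-line comment such as `# Resolved at load time so the profile lookup can decide which examples are defined` would save the next reader from moving it into `before(:all)`.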
@@ -11,19 +11,53 @@ profiles_to_validate.each do |profile| context "for profile #{profile}" do context "on #{host}" do - before(:all) do - @inspec = Simp::BeakerHelpers::Inspec.new(host, profile) - end + profile_path = File.join( + fixtures_path, + 'inspec_profiles', + "#{fact_on(host, 'operatingsystem')}-#{fact_on(host, 'operatingsystemmajrelease')}-#{profile}" + ) - it 'should run inspec' do - @inspec.run - end + unless File.exist?(profile_path) + it 'should run inspec' do + skip("No matching profile available at #{profile_path}") + end + else + before(:all) do + @inspec = Simp::BeakerHelpers::Inspec.new(host, profile) + @inspec_report = {:data => nil} + end + + it 'should run inspec' do + @inspec.run + end + + it 'should have an inspec report' do + @inspec_report[:data] = @inspec.process_inspec_results + + info = [ + 'Results:', + " * Passed: #{@inspec_report[:data][:passed]}", + " * Failed: #{@inspec_report[:data][:failed]}", + " * Skipped: #{@inspec_report[:data][:skipped]}" + ] + + puts info.join("\n") + + @inspec.write_report(@inspec_report[:data]) + end + + it 'should have run some tests' do + + expect(@inspec_report[:data][:failed] + @inspec_report[:data][:passed]).to be > 0 + end - it 'should have an inspec report' do - inspec_report = @inspec.process_inspec_results + it 'should not have any failing tests' do + pending 'the base system has not been hardened' - if inspec_report[:failed] > 0 - puts inspec_report[:report] + if @inspec_report[:data][:failed] > 0 + puts @inspec_report[:data][:report] + end + expect( @inspec_report[:data][:failed] ).to eq(0) end end end diff --git a/spec/acceptance/suites/default/10_ssh_apply_spec.rb b/spec/acceptance/suites/default/10_oscap_apply_spec.rb similarity index 71% rename from spec/acceptance/suites/default/10_ssh_apply_spec.rb rename to spec/acceptance/suites/default/10_oscap_apply_spec.rb index 3a935289f..c56e5b9ba 100644 --- a/spec/acceptance/suites/default/10_ssh_apply_spec.rb 
+++ b/spec/acceptance/suites/default/10_oscap_apply_spec.rb @@ -15,11 +15,21 @@ hosts.each do |host| context "on #{host}" do before(:all) do - @ssg = Simp::BeakerHelpers::SSG.new(host) + @os_str = fact_on(host, 'operatingsystem') + ' ' + fact_on(host, 'operatingsystemrelease') + + @ssg_supported = true + + begin + @ssg = Simp::BeakerHelpers::SSG.new(host) + rescue + @ssg_supported = false + end end it 'should remediate the system against the SSG' do + pending("SSG support for #{@os_str}") unless @ssg_supported + # Were accepting all exit codes here because there have occasionally been # failures in the SSG content and we're not testing that. diff --git a/spec/acceptance/suites/default/20_post_remediation_check_spec.rb b/spec/acceptance/suites/default/20_post_remediation_check_spec.rb index 560ce5f61..430d66a8d 100644 --- a/spec/acceptance/suites/default/20_post_remediation_check_spec.rb +++ b/spec/acceptance/suites/default/20_post_remediation_check_spec.rb 
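Review bot: The bare `rescue` around `Simp::BeakerHelpers::SSG.new(host)` catches every StandardError and turns it into `@ssg_supported = false`, so a transient failure (network, missing package, a bug in the helper) is reported as pending "SSG support for …" instead of as an error, which hides regressions in the remediation run. Capture and surface the exception, e.g. `rescue => e` / `@ssg_supported = false` / `warn "SSG setup failed on #{@os_str}: #{e.class}: #{e.message}"`, or rescue only the error class the helper raises for unsupported platforms if it defines one. The `it 'should remediate the system against the SSG'` block continues outside the hunk.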
@@ -11,42 +11,54 @@ profiles_to_validate.each do |profile| context "for profile #{profile}" do context "on #{host}" do - before(:all) do - @inspec = Simp::BeakerHelpers::Inspec.new(host, profile) - @inspec_report = {:data => nil} - end - - it 'should run inspec' do - @inspec.run - end + profile_path = File.join( + fixtures_path, + 'inspec_profiles', + "#{fact_on(host, 'operatingsystem')}-#{fact_on(host, 'operatingsystemmajrelease')}-#{profile}" + ) - it 'should have an inspec report' do - @inspec_report[:data] = @inspec.process_inspec_results + unless File.exist?(profile_path) + it 'should run inspec' do + skip("No matching profile available at #{profile_path}") + end + else + before(:all) do + @inspec = Simp::BeakerHelpers::Inspec.new(host, profile) + @inspec_report = {:data => nil} + end - info = [ - 'Results:', - " * Passed: #{@inspec_report[:data][:passed]}", - " * Failed: #{@inspec_report[:data][:failed]}", - " * Skipped: #{@inspec_report[:data][:skipped]}" - ] + it 'should run inspec' do + @inspec.run + end - puts info.join("\n") + it 'should have an inspec report' do + @inspec_report[:data] = @inspec.process_inspec_results - @inspec.write_report(@inspec_report[:data]) - end + info = [ + 'Results:', + " * Passed: #{@inspec_report[:data][:passed]}", + " * Failed: #{@inspec_report[:data][:failed]}", + " * Skipped: #{@inspec_report[:data][:skipped]}" + ] - it 'should have run some tests' do - expect(@inspec_report[:data][:failed] + @inspec_report[:data][:passed]).to be > 0 - end + puts info.join("\n") - it 'should not have any failing tests' do - if @inspec_report[:data][:failed] > 0 - puts @inspec_report[:data][:report] + @inspec.write_report(@inspec_report[:data]) + end - skip 'The SSG does not provide 100% remediation' + it 'should have run some tests' do + expect(@inspec_report[:data][:failed] + @inspec_report[:data][:passed]).to be > 0 end - expect( @inspec_report[:data][:failed] ).to eq(0) + it 'should not have any failing tests' do + pending 'The SSG does 
not provide 100% remediation' + + if @inspec_report[:data][:failed] > 0 + puts @inspec_report[:data][:report] + end + + expect( @inspec_report[:data][:failed] ).to eq(0) + end end end end