This repository has been archived by the owner on Apr 17, 2023. It is now read-only.

Adding missing tests from RHEL7 STIG v2r4 #113

Open. Wants to merge 10 commits into base: master.
42 changes: 42 additions & 0 deletions controls/V-81009.rb
@@ -0,0 +1,42 @@
# encoding: utf-8
#
control "V-81009" do
title "The Red Hat Enterprise Linux operating system must mount /dev/shm with the nodev option."
desc "
The \"nodev\" mount option causes the system to not interpret character or block special devices.
Executing character or block special devices from untrusted file systems increases the opportunity
for unprivileged users to attain unauthorized administrative access."
impact 0.5
tag "gtitle": "SRG-OS-000368-GPOS-00154"
tag "gid": "V-81009"
tag "rid": "SV-95721r1_rule "
tag "stig_id": "RHEL-07-021022"
tag "cci": ["CCI-001764"]
tag "documentable": false
tag "nist": ["CM-6 b", "Rev_4"]
tag "subsystems": ['file_system']
desc "check", "
Verify that the \"nodev\" option is configured for /dev/shm.

Check that the operating system is configured to use the \"nodev\" option for /dev/shm with the following command:

# cat /etc/fstab | grep /dev/shm | grep nodev

tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0

If the \"nodev\" option is not present on the line for \"/dev/shm\", this is a finding.

Verify \"/dev/shm\" is mounted with the \"nodev\" option:

# mount | grep \"/dev/shm\" | grep nodev

If no results are returned, this is a finding.
"
desc "fix", "
Configure the \"/etc/fstab\" to use the \"nodev\" option for all lines containing \"/dev/shm\".
"

describe mount('/dev/shm') do
its('options') { should include 'nodev' }
end

This describe statement only takes into consideration what is currently mounted. It is important to indicate what would be mounted if DR happens (node bounces) and auto-mount procedures take place. We normally weigh everything that is configurable upon 2 scales: 1) configuration (what happens when the node is rebooted) and 2) cached (what parameters/settings are currently affecting the node). I think in this case you should include the configuration settings. Here is what that would look like.

  describe etc_fstab.where { mount_point == '/dev/shm' } do
    it { should be_configured }
    its('mount_options.flatten') { should include 'nodev' }
  end

It is also important to note that /etc/mtab also indicates the status of a healthy system. It is wholly possible for mount to not indicate proper settings (unlikely, but possible). In that case you might want to take this file into consideration.

  # etc_fstab accepts an alternate path; .where filters the parsed entries by mount point
  describe etc_fstab('/etc/mtab').where { mount_point == '/dev/shm' } do
    it { should be_configured }
    its('mount_options.flatten') { should include 'nodev' }
  end

The last possible location to look for 'proper working order' is /proc/mounts. Quote from the mount manual:

When the proc filesystem is mounted (say at /proc), the files /etc/mtab and /proc/mounts have very similar contents. The former has somewhat more information, such as the mount options used, but is not necessarily up-to-date.

It is also possible that you want to check the cached value in /proc/mounts in newer and newer OS versions due to the adoption of systemd *.mounts files.
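The two-scale check described in this comment (configured in /etc/fstab versus cached in /etc/mtab and /proc/mounts), as an added plain-Ruby example that is not part of this PR or of InSpec. All three files share the same six-column layout, so one parser serves them; the file contents below are constructed samples, and a real run would read the files with File.read instead.

```ruby
# Added example (not the PR's code, not InSpec's etc_fstab/mount resources):
# check a mount point for required options in every source a reviewer would
# consult, and report each source separately.

# Constructed sample data standing in for the real files.
FSTAB_SAMPLE = <<~FSTAB
  # /etc/fstab (constructed sample)
  UUID=0000-0000 /        xfs   defaults                       0 0
  tmpfs          /dev/shm tmpfs defaults,nodev,nosuid,noexec   0 0
FSTAB

MTAB_SAMPLE = <<~MTAB
  /dev/sda1 / xfs rw,relatime 0 0
  tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
MTAB

# Live kernel view; here the sample deliberately lacks nodev and noexec
PROC_MOUNTS_SAMPLE = <<~PROC
  /dev/sda1 / xfs rw,relatime 0 0
  tmpfs /dev/shm tmpfs rw,nosuid,relatime 0 0
PROC

# Parse "device mountpoint fstype options dump pass" lines into hashes.
# Comment and blank lines are skipped; the options column is split on commas.
def parse_mount_table(text)
  text.each_line.filter_map do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    device, mount_point, fstype, options = line.split(/\s+/, 6)
    next unless options
    { device: device, mount_point: mount_point, fstype: fstype,
      options: options.split(',') }
  end
end

# Option list for a mount point, or nil when that mount point has no entry
def mount_options(text, mount_point)
  entry = parse_mount_table(text).find { |e| e[:mount_point] == mount_point }
  entry && entry[:options]
end

# Evaluate required options per source.
# Returns { source => { option => true/false } }; a missing entry fails every option.
def check_mount_sources(sources, mount_point, required)
  sources.to_h do |name, text|
    opts = mount_options(text, mount_point) || []
    [name, required.to_h { |opt| [opt, opts.include?(opt)] }]
  end
end

SOURCES = { fstab: FSTAB_SAMPLE, mtab: MTAB_SAMPLE, proc_mounts: PROC_MOUNTS_SAMPLE }.freeze

if $PROGRAM_NAME == __FILE__
  result = check_mount_sources(SOURCES, '/dev/shm', %w[nodev nosuid noexec])
  result.each do |source, opts|
    opts.each { |opt, ok| puts format('%-12s %-7s %s', source, opt, ok ? 'pass' : 'FINDING') }
  end
end
```

With the constructed samples the fstab and mtab entries pass for all three options while /proc/mounts reports nodev and noexec as findings, which is exactly the split between "configured" and "cached" state that a single describe mount('/dev/shm') block cannot show.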

end
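Review bot: the rule id on the line `tag "rid": "SV-95721r1_rule "` contains a trailing space inside the string (compare `"SV-95723r1_rule"` in the sibling controls), which will break any tooling that matches rule ids exactly; remove it. Separately, the `describe mount('/dev/shm')` block only inspects the options of the current mount, whereas the check text also greps /etc/fstab, so a system whose fstab lacks `nodev` but was mounted by hand with it would pass; add an `etc_fstab.where { mount_point == '/dev/shm' }` check on `mount_options` alongside the live mount check so both the persistent configuration and the running state are covered.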
31 changes: 31 additions & 0 deletions controls/V-81011.rb
@@ -0,0 +1,31 @@
# encoding: utf-8
#
control "V-81011" do
title "The Red Hat Enterprise Linux operating system must mount /dev/shm with the nosuid option."
desc "
The \"nosuid\" mount option causes the system to not execute \"setuid\" and \setgid\" files with owner privileges.
This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files.
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain
unauthorized administrative access."
impact 0.5
tag "gtitle": "SRG-OS-000368-GPOS-00154"
tag "gid": "V-81011"
tag "rid": "SV-95723r1_rule"
tag "stig_id": "RHEL-07-021023"
tag "cci": ["CCI-001764"]
tag "documentable": false
tag "nist": ["CM-6 b", "Rev_4"]
tag "subsystems": ['file_system']
desc "check", "
The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner privileges.
This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files.
Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
"
desc "fix", "
Configure the system so that /dev/shm is mounted with the \"nosuid\" option.
"

describe mount('/dev/shm') do
its('options') { should include 'nosuid' }
end
Comment on lines +28 to +30

Same as above, but using 'nosuid'

end
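Review bot: the desc line `The \"nosuid\" mount option causes the system to not execute \"setuid\" and \setgid\" files` is missing the backslash before the opening quote of `setgid`; in a Ruby double-quoted string `\s` is a space, so the description renders as `and  etgid"`. The `desc "check"` block also repeats the rationale instead of giving a verification procedure; V-81009 shows the expected form (the `cat /etc/fstab` and `mount` commands with their finding conditions), and the same fstab-plus-live-mount coverage remark made on V-81009 applies here with `nosuid`.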
31 changes: 31 additions & 0 deletions controls/V-81013.rb
@@ -0,0 +1,31 @@
# encoding: utf-8
#
control "V-81013" do
title "The Red Hat Enterprise Linux operating system must mount /dev/shm with the noexec option."
desc "The \"noexec\" mount option causes the system to not execute binary files. This option
must be used for mounting any file system not containing approved binary files as they may be
incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged
users to attain unauthorized administrative access."
impact 0.5
tag "gtitle": "SRG-OS-000368-GPOS-00154"
tag "gid": "V-81013"
tag "rid": "SV-95725r1_rule"
tag "stig_id": "RHEL-07-001764"
tag "cci": ["CCI-000366"]
tag "documentable": false
tag "nist": ["CM-6 b", "Rev_4"]
tag "subsystems": ['file_system']
desc "check", "
The \"noexec\" mount option causes the system to not execute binary files. This option must be used
for mounting any file system not containing approved binary files as they may be incompatible. Executing
files from untrusted file systems increases the opportunity for unprivileged users to attain
unauthorized administrative access.
"
desc "fix", "
Configure the system so that /dev/shm is mounted with the \"noexec\" option.
"

describe mount('/dev/shm') do
its('options') { should include 'noexec' }
end
Comment on lines +28 to +30

ditto

end
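Review bot: `tag "stig_id": "RHEL-07-001764"` does not follow the `RHEL-07-0210xx` pattern of the sibling /dev/shm controls (V-81009 is `RHEL-07-021022`, V-81011 is `RHEL-07-021023`) and looks like the CCI number `CCI-001764` used by those two controls was pasted into the wrong tag; likewise the `cci` here is `CCI-000366` while the siblings use `CCI-001764`, so please verify both tags against the STIG. The `desc "check"` block again has no verification steps, and the `describe mount` check covers only the live mount, as noted on V-81009.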
47 changes: 47 additions & 0 deletions controls/V-81015.rb
@@ -0,0 +1,47 @@
# encoding: utf-8
#
control "V-81015" do
title "The Red Hat Enterprise Linux operating system must be configured to use the au-remote plugin."
desc "
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is
a common process in information systems with limited audit storage capacity. Without the configuration of
the \"au-remote\" plugin, the audisp-remote daemon will not off-load the logs from the system being audited.
"
impact 0.5
tag "gtitle": "SRG-OS-000342-GPOS-00133"
tag "satisfies": ["SRG-OS-000342-GPOS-00133", "SRG-OS-000479-GPOS-00224"]
tag "gid": "V-81015"
tag "rid": "SV-95727r1_rule"
tag "stig_id": "RHEL-07-030200"
tag "cci": ["CCI-001851"]
tag "documentable": false
tag "nist": ["AU-12 c", "Rev_4"]
tag "subsystems": ["audit"]
tag "check_id": "C-80729r1_chk"
tag "fix_id": "F-87849r2_fix"
desc "check", "
Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Off-loading is a common process in information systems with limited audit storage capacity.

Without the configuration of the \"au-remote\" plugin, the audisp-remote daemon will not off-load the logs from the system being audited.
"
desc "fix", "
Edit the /etc/audisp/plugins.d/au-remote.conf file and change the value of \"active\" to \"yes\".

The audit daemon must be restarted for changes to take effect:

# service auditd restart
"

if file('/etc/audisp/plugins.d/au-remote.conf').exist?
describe parse_config_file('/etc/audisp/plugins.d/au-remote.conf') do
its('active') { should match %r{yes$} }

Using a regex here is a bit unneeded. You should trust parse_config_file, or supply the regex (options + assignment_regex) to extract the exact piece you are looking for. In your case match %r{yes$} is unneeded. Use a simpler approach, cmp 'yes'.

end
else
describe "File '/etc/audisp/plugins.d/au-remote.conf' cannot be found. This test cannot be checked in a automated fashion and you must check it manually" do
skip "File '/etc/audisp/plugins.d/au-remote.conf' cannot be found. This check must be performed manually"
end
Comment on lines +41 to +44

It would be interesting to see what additional behavior is acceptable, in this case. The STIG does not allow for additional behavior, so I am uncertain why you are coding manual review as optional. This appears to be a clear pass/fail check. I would remove the if/else control structure and just search for the file.

Now the question is, if what you are intending is valid. That is, are there secondary approved options. If this is the case, I would just say implement them here. Give an attribute in that control structure to require organizational documentation stating why this option is valid for their use case. In the end, I would say this is unneeded. What I would expect is exceptions, the likes of which you are allowing to be manually reviewed, to be overridden by organizational inheritance.

Contributor

Agree on this one. The STIG should be modeled exactly. There is no contingency for the file not being there. If it does not exist or does not contain the prescribed value this is a fail.

end

end
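Review bot: the `else` branch at `describe "File '/etc/audisp/plugins.d/au-remote.conf' cannot be found...` turns a missing file into a skip, but the fix text requires that file to contain `active = yes`, so a missing file is a finding rather than a manual review; replace the if/else with `describe file('/etc/audisp/plugins.d/au-remote.conf') do it { should exist } end` followed by the unconditional `parse_config_file` check. In that check, `its('active') { should match %r{yes$} }` also accepts any value that merely ends in `yes`; `its('active') { should cmp 'yes' }` is the exact comparison. Minor: `in a automated fashion` in the skip message should read `in an automated fashion`.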
63 changes: 63 additions & 0 deletions controls/V-81017.rb
@@ -0,0 +1,63 @@
# encoding: utf-8
#
control "V-81017" do
title "The Red Hat Enterprise Linux operating system must configure the au-remote plugin to off-load audit logs using the audisp-remote daemon."
desc "
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a
common process in information systems with limited audit storage capacity. Without the configuration of the \"au-remote\"
plugin, the audisp-remote daemon will not off load the logs from the system being audited.
"
impact 0.5
tag "gtitle": "SRG-OS-000342-GPOS-00133"
tag "satisfies": ["SRG-OS-000342-GPOS-00133", "SRG-OS-000479-GPOS-00224"]
tag "gid": "V-81017"
tag "rid": "SV-95729r1_rule"
tag "stig_id": "RHEL-07-030210"
tag "cci": ["CCI-001851"]
tag "documentable": false
tag "nist": ["AU-12 c", "Rev_4"]
tag "subsystems": ["audit"]
tag "check_id": "C-80731r2_chk"
tag "fix_id": "F-87851r2_fix"
desc "check", "
Verify the \"au-remote\" plugin is configured to always off-load audit logs using the audisp-remote daemon:

# cat /etc/audisp/plugins.d/au-remote.conf | grep -v \"^#\"

active = yes
direction = out
path = /sbin/audisp-remote
type = always
format = string

If the \"direction\" setting is not set to \"out\", or the line is commented out, this is a finding.

If the \"path\" setting is not set to \"/sbin/audisp-remote\", or the line is commented out, this is a finding.

If the \"type\" setting is not set to \"always\", or the line is commented out, this is a finding.
"
desc "fix", "
Edit the /etc/audisp/plugins.d/au-remote.conf file and add or update the following values:

direction = out
path = /sbin/audisp-remote
type = always

The audit daemon must be restarted for changes to take effect:

# service auditd restart
"

if file('/etc/audisp/plugins.d/au-remote.conf').exist?
describe parse_config_file('/etc/audisp/plugins.d/au-remote.conf') do
its('direction') { should match %r{out$} }
its('path') { should match %r{/sbin/audisp-remote$} }
its('type') { should match %r{always$} }
end
Comment on lines +52 to +56

Same as above...

Plus, the STIG specifically calls out direction, path and type, as I see you have noticed and implemented. It also makes mention of type and format. As it wouldn't hurt to include these, for completeness I would implement them as well. This is only a suggestion and not a must. We normally ask that each control can stand alone. So, consider that 'V-81017' is not being used to audit the system.

Contributor

I think you mean it also lists active and format. However, it only prescribes specific values for the three under test here. If there is no direction we can't arbitrarily supply values. Also, if you look at the text of the check they are using cat to show the contents of the file but only asking you to validate the three settings. The others are just incidental in the output from cat.

else
describe "File '/etc/audisp/plugins.d/au-remote.conf' cannot be found. This test cannot be checked in a automated fashion and you must check it manually" do
skip "File '/etc/audisp/plugins.d/au-remote.conf' cannot be found. This check must be performed manually"
end
Comment on lines +58 to +60

Same as V-81015, this control structure is not needed.

end

end
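Review bot: the three anchored regexes (`should match %r{out$}`, `should match %r{/sbin/audisp-remote$}`, `should match %r{always$}`) are looser than the check text, which requires the exact values `out`, `/sbin/audisp-remote` and `always`; use `should cmp 'out'`, `should cmp '/sbin/audisp-remote'` and `should cmp 'always'`. The if/else wrapper and the skip in the `else` branch have the same problem as in V-81015: the check text says a missing or commented-out setting is a finding, so a missing file should fail the control rather than skip it.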
51 changes: 51 additions & 0 deletions controls/V-81019.rb
@@ -0,0 +1,51 @@
# encoding: utf-8
#
control "V-81019" do
title "The Red Hat Enterprise Linux operating system must take appropriate action when the audisp-remote buffer is full."
desc "
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a
common process in information systems with limited audit storage capacity. When the remote buffer is full, audit
logs will not be collected and sent to the central log server.
"
impact 0.5
tag "gtitle": "SRG-OS-000342-GPOS-00133"
tag "satisfies": ["SRG-OS-000342-GPOS-00133", "SRG-OS-000479-GPOS-00224"]
tag "gid": "V-81019"
tag "rid": "SV-95731r1_rule"
tag "stig_id": "RHEL-07-030210"
tag "cci": ["CCI-001851"]
tag "documentable": false
tag "nist": ["AU-12 c", "Rev_4"]
tag "subsystems": ["audit"]
tag "check_id": "C-80735r1_chk"
tag "fix_id": "F-87853r3_fix"
desc "check", "
Verify the audisp daemon is configured to take an appropriate action when the internal queue is full:

# grep \"overflow_action\" /etc/audisp/audispd.conf

overflow_action = syslog

If the \"overflow_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented out, this is a finding.
"
desc "fix", "
Edit the /etc/audisp/audispd.conf file and add or update the \"overflow_action\" option:

overflow_action = syslog

The audit daemon must be restarted for changes to take effect:

# service auditd restart
"

if file('/etc/audisp/audispd.conf').exist?
describe parse_config_file('/etc/audisp/audispd.conf') do
its('overflow_action') { should match %r{syslog$|single$|halt$} }

It would be more clear to use arrays here vs regex.

its('overflow_action') { should be_in %w(syslog single halt) }

Contributor

I think this control also needs to check if the line is commented out.

Contributor

How does the parse_config_file resource act when the line is commented out and you attempt to match a value? Does it just return null? What the STIG does not say explicitly is that if it is not present at all this is a finding but I'd say we can infer that from the spirit of this control. Therefore, if checking for a value its('param') returns null we can assume that it is either some other value, it's commented out or simply not present. In any case the output will likewise indicate its actual value or the fact that it is null. All of which are findings. I don't see a reason to check for specific cases when we've already effectively accounted for them.
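The behaviour discussed in this thread for V-81019, and the allowed-value checks that V-81015, V-81017 and V-81021 need, as an added plain-Ruby example that is neither this PR's code nor InSpec's parse_config_file. It parses key = value files in the style of audispd.conf and au-remote.conf, records nothing for a commented-out line (so a lookup returns nil, exactly as for an absent line), and then compares each setting against the exact set of values the STIG check text allows instead of an anchored regex. The file contents are constructed samples.

```ruby
# Added example (not the PR's code, not InSpec's parse_config_file): parse
# audisp-style "key = value" files and validate settings against allowed sets.

# Constructed sample: overflow_action is present but commented out.
AUDISPD_SAMPLE = <<~CONF
  # /etc/audisp/audispd.conf (constructed sample)
  q_depth = 250
  #overflow_action = syslog
  name_format = hostname
  priority_boost = 4
CONF

# Constructed sample matching the values the V-81017 check text expects.
AU_REMOTE_SAMPLE = <<~CONF
  active = yes
  direction = out
  path = /sbin/audisp-remote
  type = always
  format = string
CONF

# Parse "key = value" lines. A line whose first non-blank character is '#' is a
# comment and is NOT recorded, so a commented-out setting behaves like a missing one.
def parse_kv_config(text)
  text.each_line.each_with_object({}) do |line, cfg|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    next if value.nil?
    cfg[key.strip] = value.strip
  end
end

# A setting passes only when present, uncommented and exactly one of the allowed values.
# Returns [status, actual_value]; status is :pass, :missing or :wrong_value.
def check_setting(cfg, key, allowed)
  actual = cfg[key]
  return [:missing, nil] if actual.nil?
  allowed.include?(actual) ? [:pass, actual] : [:wrong_value, actual]
end

# Allowed values as the check text of V-81019 and V-81021 states them.
AUDISPD_RULES = {
  'overflow_action' => %w[syslog single halt],
  'name_format'     => %w[hostname fqd numeric],
}.freeze

# Allowed values as the check text of V-81015 and V-81017 states them.
AU_REMOTE_RULES = {
  'active'    => %w[yes],
  'direction' => %w[out],
  'path'      => %w[/sbin/audisp-remote],
  'type'      => %w[always],
}.freeze

# Evaluate every rule against one file's contents: { key => [status, value] }
def evaluate(text, rules)
  cfg = parse_kv_config(text)
  rules.to_h { |key, allowed| [key, check_setting(cfg, key, allowed)] }
end

if $PROGRAM_NAME == __FILE__
  { 'audispd.conf' => [AUDISPD_SAMPLE, AUDISPD_RULES],
    'au-remote.conf' => [AU_REMOTE_SAMPLE, AU_REMOTE_RULES] }.each do |name, (text, rules)|
    evaluate(text, rules).each do |key, (status, value)|
      puts format('%-15s %-16s %-12s %s', name, key, status, value.inspect)
    end
  end
end
```

Because the parser drops comment lines before recording anything, the commented-out overflow_action in the sample comes back as :missing, the case the thread asks about, while every au-remote.conf setting passes. Exact set membership also rejects a value such as numeric2, which the \d+ alternative in the V-81021 regex would accept.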

end
else
describe "File '/etc/audisp/audispd.conf' cannot be found. This test cannot be checked in a automated fashion and you must check it manually" do
skip "File '/etc/audisp/audispd.conf' cannot be found. This check must be performed manually"
end
Comment on lines +46 to +48

Same as above...unneeded control structure.

end

end
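Review bot: `tag "stig_id": "RHEL-07-030210"` is the same stig_id that controls/V-81017.rb carries (`RHEL-07-030210`), while V-81021 uses `RHEL-07-030211`; one of the two is wrong and should be checked against the STIG. In the check, `should match %r{syslog$|single$|halt$}` matches any value ending in one of those words; `should be_in %w(syslog single halt)` expresses the allowed set exactly, as suggested in the thread. The if/else skip on a missing /etc/audisp/audispd.conf should be a failure, for the reason given on V-81015.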
52 changes: 52 additions & 0 deletions controls/V-81021.rb
@@ -0,0 +1,52 @@
# encoding: utf-8
#
control "V-81021" do
title "The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server."
desc "
Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information systems with limited audit storage capacity. When audit
logs are not labeled before they are sent to a central log server, the audit data will not be able to
be analyzed and tied back to the correct system.
"
impact 0.5
tag "gtitle": "SRG-OS-000342-GPOS-00133"
tag "satisfies": ["SRG-OS-000342-GPOS-00133", "SRG-OS-000479-GPOS-00224"]
tag "gid": "V-81021"
tag "rid": "SV-95733r1_rule"
tag "stig_id": "RHEL-07-030211"
tag "cci": ["CCI-001851"]
tag "documentable": false
tag "nist": ["AU-12 c", "Rev_4"]
tag "subsystems": ["audit"]
tag "check_id": "C-80737r1_chk"
tag "fix_id": "F-87855r2_fix"
desc "check", "
Verify the audisp daemon is configured to label all off-loaded audit logs:

# grep \"name_format\" /etc/audisp/audispd.conf

name_format = hostname

If the \"name_format\" option is not \"hostname\", \"fqd\", or \"numeric\", or the line is commented out, this is a finding.
"
desc "fix", "
Edit the /etc/audisp/audispd.conf file and add or update the \"name_format\" option:

name_format = hostname

The audit daemon must be restarted for changes to take effect:

# service auditd restart
"

if file('/etc/audisp/audispd.conf').exist?
describe parse_config_file('/etc/audisp/audispd.conf') do
its('name_format') { should match %r{hostname$|fqd$|\d+} }
end
else
describe "File '/etc/audisp/audispd.conf' cannot be found. This test cannot be checked in a automated fashion and you must check it manually" do
skip "File '/etc/audisp/audispd.conf' cannot be found. This check must be performed manually"
end
Comment on lines +47 to +49

Same as above....unneeded control structure.

end

end
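Review bot: the regex in `its('name_format') { should match %r{hostname$|fqd$|\d+} }` does not implement the check text. The STIG accepts `hostname`, `fqd` or `numeric`, but `\d+` matches any value containing a digit (for example `hostname2`) and never matches the literal `numeric`, so a compliant `name_format = numeric` would be reported as a finding while a non-compliant value with a digit in it would pass; use `should be_in %w(hostname fqd numeric)`. Same remark as the earlier controls on the if/else: a missing audispd.conf is a finding, not a manual check.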