diff --git a/attributes.yml b/attributes.yml index 01cb6331c..97fbfdba3 100644 --- a/attributes.yml +++ b/attributes.yml @@ -4,6 +4,20 @@ # Controls that are known to consistently have long run times can be disabled with this attribute disable_slow_controls: false +# Skips test that have been deprecated and removed from the STIG. +# Currently the following have been removed from the Latest STIG RHEL7 V2R4 +# V-71895 - The operating system must set the idle delay setting for all connection types. +# V-71981 - The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata. +# V-72143 - The operating system must generate audit records for all successful/unsuccessful account access count events. +# V-72169 - All uses of the sudoedit command must be audited. +# V-72181 - All uses of the pt_chown command must be audited. +# V-72193 - All uses of the rmmod command must be audited +# V-72195 - All uses of the modprobe command must be audited. +# V-72215 - The system must update the virus scan program every seven days or more frequently +# V-72435 - The operating system must implement smart card logons for multifactor authentication for access to privileged accounts. +# V-78995 - The operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. +skip_deprecated_test: true + # V-72081 - 'monitor_kernel_log', (bool) # Set this to false if your system availability concern is not documented or # there is no monitoring of the kernel log diff --git a/controls/V-71895.rb b/controls/V-71895.rb index 5535b0ff4..9a61d3eb1 100644 --- a/controls/V-71895.rb +++ b/controls/V-71895.rb 
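Review bot: The default `true` set here is duplicated as `value: true` in the `input('skip_deprecated_test', ...)` call this commit adds to each deprecated control, so the two defaults can silently drift apart; a one-line pointer would help the next editor: `# Keep in sync with the value: default passed to input('skip_deprecated_test') in the deprecated controls.` The first comment line should read `# Skips tests that have been deprecated and removed from the STIG.`, and the V-72193 and V-72215 entries are missing their trailing period. This list is also the only place the deprecated control IDs are enumerated, so any control that later gets the skip guard has to be added here as well.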
@@ -1,24 +1,9 @@ # encoding: utf-8 # -=begin ------------------ -Benchmark: Red Hat Enterprise Linux 7 Security Technical Implementation Guide -Status: Accepted - -This Security Technical Implementation Guide is published as a tool to improve -the security of Department of Defense (DoD) information systems. The -requirements are derived from the National Institute of Standards and -Technology (NIST) 800-53 and related documents. Comments or proposed revisions -to this document should be sent via email to the following address: -disa.stig_spt@mail.mil. - -Release Date: 2017-03-08 -Version: 1 -Publisher: DISA -Source: STIG.DOD.MIL -uri: http://iase.disa.mil ------------------ -=end +skip_deprecated_test = input( + 'skip_deprecated_test', + value: true, + description: 'Skips tests that have been deprecated and removed from the STIG.') control "V-71895" do title "The operating system must set the idle delay setting for all connection @@ -82,9 +67,16 @@ /org/gnome/desktop/screensaver/idle-delay" - describe command("grep -i idle-delay /etc/dconf/db/*/locks/*") do - its('stdout.strip') { should_not cmp "" } - its('stderr') { should_not match /.*No such file or directory\n?$/ } + + if skip_deprecated_test + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" + end + else + describe command("grep -i idle-delay /etc/dconf/db/*/locks/*") do + its('stdout.strip') { should_not cmp "" } + its('stderr') { should_not match /.*No such file or directory\n?$/ } + end + only_if { package('gnome-desktop3').installed? } end - only_if { package('gnome-desktop3').installed? } end diff --git a/controls/V-71981.rb b/controls/V-71981.rb index d9d582b2e..586f561e1 100644 --- a/controls/V-71981.rb +++ b/controls/V-71981.rb 
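Review bot: The `skip_deprecated_test = input(...)` preamble, including the `value: true` default and the description string, is pasted verbatim into all ten deprecated controls (this file, V-71981, V-72143, V-72169, V-72181, V-72193, V-72195, V-72215, V-72435, V-78995), so a change to the default or wording has to be made in ten places. InSpec allows the profile to declare an input once and have each control call `input('skip_deprecated_test')` without restating the default; whether that is safe depends on every run supplying the attribute, so confirm that before dropping `value:`. Separately, in the second hunk `only_if { package('gnome-desktop3').installed? }` now sits inside the `else` branch, which reads as if it guarded only that `describe`; `only_if` is evaluated for the whole control, so a comment such as `# NOTE: only_if applies to the whole control, not just this describe` would keep a later refactor from moving it. The `control` block starts outside this hunk.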
@@ -1,5 +1,10 @@ # encoding: utf-8 # +skip_deprecated_test = input( + 'skip_deprecated_test', + value: true, + description: 'Skips tests that have been deprecated and removed from the STIG.') + control "V-71981" do title "The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of @@ -52,19 +57,25 @@ repo_gpgcheck=1" tag "fix_id": "F-78333r1_fix" - yum_conf = file('/etc/yum.conf') - - describe yum_conf.path do - context yum_conf do - it { should exist } + if skip_deprecated_test + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" end + else + yum_conf = file('/etc/yum.conf') + + describe yum_conf.path do + context yum_conf do + it { should exist } + end - if yum_conf.exist? - context '[main]' do - context 'repo_gpgcheck' do - it { expect( ini(yum_conf.path)['main'][subject] ).to cmp 1 } + if yum_conf.exist? + context '[main]' do + context 'repo_gpgcheck' do + it { expect( ini(yum_conf.path)['main'][subject] ).to cmp 1 } + end end end end - end + end end diff --git a/controls/V-72143.rb b/controls/V-72143.rb index be8452d8a..019deb19b 100644 --- a/controls/V-72143.rb +++ b/controls/V-72143.rb @@ -1,5 +1,10 @@ # encoding: utf-8 # +skip_deprecated_test = input( + 'skip_deprecated_test', + value: true, + description: 'Skips tests that have been deprecated and removed from the STIG.') + control "V-72143" do title "The operating system must generate audit records for all successful/unsuccessful account access count events." 
@@ -51,22 +56,28 @@ impact 0.0 end - describe auditd.file(audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end if file(audit_file).exist? + if skip_deprecated_test + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" + end + else + describe auditd.file(audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end if file(audit_file).exist? - # Resource creates data structure including all usages of file - perms = auditd.file(audit_file).permissions + # Resource creates data structure including all usages of file + perms = auditd.file(audit_file).permissions - perms.each do |perm| - describe perm do - it { should include 'w' } - it { should include 'a' } - end - end if file(audit_file).exist? + perms.each do |perm| + describe perm do + it { should include 'w' } + it { should include 'a' } + end + end if file(audit_file).exist? - describe "The #{audit_file} file does not exist" do - skip "The #{audit_file} file does not exist, this requirement is Not Applicable." - end if !file(audit_file).exist? + describe "The #{audit_file} file does not exist" do + skip "The #{audit_file} file does not exist, this requirement is Not Applicable." + end if !file(audit_file).exist? + end end diff --git a/controls/V-72169.rb b/controls/V-72169.rb index 6d06f7c7b..63e38c8c3 100644 --- a/controls/V-72169.rb +++ b/controls/V-72169.rb @@ -1,5 +1,10 @@ # encoding: utf-8 # +skip_deprecated_test = input( + 'skip_deprecated_test', + value: true, + description: 'Skips tests that have been deprecated and removed from the STIG.') + control "V-72169" do title "All uses of the sudoedit command must be audited." desc " 
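Review bot: In the `else` branch `perms = auditd.file(audit_file).permissions` still runs unconditionally even though the `describe` blocks before and after it are guarded with `if file(audit_file).exist?`; if the auditd resource raises when the rules file is absent, the control errors instead of reaching the Not Applicable skip. The same shape is repeated in V-72169, V-72181, V-72193 and V-72195. This predates the commit, but since the block is being moved anyway it is a good moment to fold the lookup under the guard, e.g. `perms = file(audit_file).exist? ? auditd.file(audit_file).permissions : []`, after which the trailing `if file(audit_file).exist?` on the `each` becomes redundant. The `control` block and the conditional around `impact 0.0` start outside this hunk.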
@@ -51,21 +56,27 @@ impact 0.0 end - describe auditd.file(audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end if file(audit_file).exist? + if skip_deprecated_test + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" + end + else + describe auditd.file(audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end if file(audit_file).exist? - # Resource creates data structure including all usages of file - perms = auditd.file(audit_file).permissions + # Resource creates data structure including all usages of file + perms = auditd.file(audit_file).permissions - perms.each do |perm| - describe perm do - it { should include 'x' } - end - end if file(audit_file).exist? + perms.each do |perm| + describe perm do + it { should include 'x' } + end + end if file(audit_file).exist? - describe "The #{audit_file} file does not exist" do - skip "The #{audit_file} file does not exist, this requirement is Not Applicable." - end if !file(audit_file).exist? + describe "The #{audit_file} file does not exist" do + skip "The #{audit_file} file does not exist, this requirement is Not Applicable." + end if !file(audit_file).exist? + end end diff --git a/controls/V-72181.rb b/controls/V-72181.rb index df50b4d97..5d74b56a7 100644 --- a/controls/V-72181.rb +++ b/controls/V-72181.rb @@ -1,5 +1,10 @@ # encoding: utf-8 # +skip_deprecated_test = input( + 'skip_deprecated_test', + value: true, + description: 'Skips tests that have been deprecated and removed from the STIG.') + control "V-72181" do title "All uses of the pt_chown command must be audited." desc " 
@@ -55,21 +60,27 @@ impact 0.0 end - describe auditd.file(audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end if file(audit_file).exist? + if skip_deprecated_test + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" + end + else + describe auditd.file(audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end if file(audit_file).exist? - # Resource creates data structure including all usages of file - perms = auditd.file(audit_file).permissions + # Resource creates data structure including all usages of file + perms = auditd.file(audit_file).permissions - perms.each do |perm| - describe perm do - it { should include 'x' } - end - end if file(audit_file).exist? + perms.each do |perm| + describe perm do + it { should include 'x' } + end + end if file(audit_file).exist? - describe "The #{audit_file} file does not exist" do - skip "The #{audit_file} file does not exist, this requirement is Not Applicable." - end if !file(audit_file).exist? + describe "The #{audit_file} file does not exist" do + skip "The #{audit_file} file does not exist, this requirement is Not Applicable." + end if !file(audit_file).exist? + end end diff --git a/controls/V-72193.rb b/controls/V-72193.rb index fa42be47e..20e78237e 100644 --- a/controls/V-72193.rb +++ b/controls/V-72193.rb @@ -1,5 +1,10 @@ # encoding: utf-8 # +skip_deprecated_test = input( + 'skip_deprecated_test', + value: true, + description: 'Skips tests that have been deprecated and removed from the STIG.') + control "V-72193" do title "All uses of the rmmod command must be audited." desc " 
@@ -51,21 +56,27 @@ impact 0.0 end - describe auditd.file(audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end if file(audit_file).exist? + if skip_deprecated_test + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" + end + else + describe auditd.file(audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end if file(audit_file).exist? - # Resource creates data structure including all usages of file - perms = auditd.file(audit_file).permissions + # Resource creates data structure including all usages of file + perms = auditd.file(audit_file).permissions - perms.each do |perm| - describe perm do - it { should include 'x' } - end - end if file(audit_file).exist? + perms.each do |perm| + describe perm do + it { should include 'x' } + end + end if file(audit_file).exist? - describe "The #{audit_file} file does not exist" do - skip "The #{audit_file} file does not exist, this requirement is Not Applicable." - end if !file(audit_file).exist? + describe "The #{audit_file} file does not exist" do + skip "The #{audit_file} file does not exist, this requirement is Not Applicable." + end if !file(audit_file).exist? + end end diff --git a/controls/V-72195.rb b/controls/V-72195.rb index 938e0dcc5..570f19e4a 100644 --- a/controls/V-72195.rb +++ b/controls/V-72195.rb @@ -1,5 +1,10 @@ # encoding: utf-8 # +skip_deprecated_test = input( + 'skip_deprecated_test', + value: true, + description: 'Skips tests that have been deprecated and removed from the STIG.') + control "V-72195" do title "All uses of the modprobe command must be audited." desc " 
@@ -55,21 +60,27 @@ impact 0.0 end - describe auditd.file(audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end if file(audit_file).exist? - - # Resource creates data structure including all usages of file - perms = auditd.file(audit_file).permissions - - perms.each do |perm| - describe perm do - it { should include 'x' } + if skip_deprecated_test + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" end - end if file(audit_file).exist? - - describe "The #{audit_file} file does not exist" do - skip "The #{audit_file} file does not exist, this requirement is Not Applicable." - end if !file(audit_file).exist? + else + describe auditd.file(audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end if file(audit_file).exist? + + # Resource creates data structure including all usages of file + perms = auditd.file(audit_file).permissions + + perms.each do |perm| + describe perm do + it { should include 'x' } + end + end if file(audit_file).exist? + + describe "The #{audit_file} file does not exist" do + skip "The #{audit_file} file does not exist, this requirement is Not Applicable." + end if !file(audit_file).exist? + end end diff --git a/controls/V-72215.rb b/controls/V-72215.rb index 80005e3b1..3e76e873d 100644 --- a/controls/V-72215.rb +++ b/controls/V-72215.rb @@ -1,5 +1,10 @@ # encoding: utf-8 # +skip_deprecated_test = input( + 'skip_deprecated_test', + value: true, + description: 'Skips tests that have been deprecated and removed from the STIG.') + control "V-72215" do title "The system must update the virus scan program every seven days or more frequently." 
@@ -66,32 +71,38 @@ desc "fix", "Update the virus scan software and virus definition files." tag "fix_id": "F-78569r2_fix" - sec_per_wk = 604800 - - describe.one do - describe systemd_service('nails') do - it { should be_running } - end - describe systemd_service('clamav-daemon.socket') do - it { should be_running } - end - end - - if systemd_service('nails').running? - virus_defs = Dir["/opt/NAI/LinuxShield/engine/dat/*.dat"] - virus_defs.each do |curr_def| - describe file(curr_def).mtime.to_i do - it { should >= Time.now.to_i - sec_per_wk } - end + if skip_deprecated_test + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" + end + else + sec_per_wk = 604800 + + describe.one do + describe systemd_service('nails') do + it { should be_running } + end + describe systemd_service('clamav-daemon.socket') do + it { should be_running } + end + end + + if systemd_service('nails').running? + virus_defs = Dir["/opt/NAI/LinuxShield/engine/dat/*.dat"] + virus_defs.each do |curr_def| + describe file(curr_def).mtime.to_i do + it { should >= Time.now.to_i - sec_per_wk } + end + end end - end - if systemd_service('clamav-daemon.socket').running? - cvd_files = Dir["/var/lib/clamav/*.cvd"] - cvd_files.each do |curr_file| - describe file(curr_file).mtime.to_i do - it { should >= Time.now.to_i - sec_per_wk } + if systemd_service('clamav-daemon.socket').running? + cvd_files = Dir["/var/lib/clamav/*.cvd"] + cvd_files.each do |curr_file| + describe file(curr_file).mtime.to_i do + it { should >= Time.now.to_i - sec_per_wk } + end end end - end + end end diff --git a/controls/V-72435.rb b/controls/V-72435.rb index e7820b9da..3f926c388 100644 --- a/controls/V-72435.rb +++ b/controls/V-72435.rb 
@@ -1,24 +1,9 @@ # encoding: utf-8 # -=begin ------------------ -Benchmark: Red Hat Enterprise Linux 7 Security Technical Implementation Guide -Status: Accepted - -This Security Technical Implementation Guide is published as a tool to improve -the security of Department of Defense (DoD) information systems. The -requirements are derived from the National Institute of Standards and -Technology (NIST) 800-53 and related documents. Comments or proposed revisions -to this document should be sent via email to the following address: -disa.stig_spt@mail.mil. - -Release Date: 2017-03-08 -Version: 1 -Publisher: DISA -Source: STIG.DOD.MIL -uri: http://iase.disa.mil ------------------ -=end +skip_deprecated_test = input( + 'skip_deprecated_test', + value: true, + description: 'Skips tests that have been deprecated and removed from the STIG.') control "V-72435" do title "The operating system must implement smart card logons for multifactor 
@@ -86,13 +71,17 @@ # authconfig --enablesmartcard --smartcardaction=1 --update # authconfig --enablerequiresmartcard --update" - - describe command("authconfig --test | grep -i \"smartcard for login is\" | awk '{ print $NF }'") do - its('stdout.strip') { should eq 'enabled' } - end - - describe command('authconfig --test | grep -i "smartcard removal action" | awk \'{ print $NF }\'') do - its('stdout.strip') { should_not be nil } + if skip_deprecated_test + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" + end + else + describe command("authconfig --test | grep -i \"smartcard for login is\" | awk '{ print $NF }'") do + its('stdout.strip') { should eq 'enabled' } + end + + describe command('authconfig --test | grep -i "smartcard removal action" | awk \'{ print $NF }\'') do + its('stdout.strip') { should_not be nil } + end end - end diff --git a/controls/V-78995.rb b/controls/V-78995.rb index 9bad177be..a61c86532 100644 --- a/controls/V-78995.rb +++ b/controls/V-78995.rb @@ -1,5 +1,9 @@ # encoding: utf-8 # +skip_deprecated_test = input( + 'skip_deprecated_test', + value: true, + description: 'Skips tests that have been deprecated and removed from the STIG.') control "V-78995" do title "The operating system must prevent a user from overriding the 
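Review bot: `its('stdout.strip') { should_not be nil }` in the second `describe` can never fail, because `String#strip` always returns a String, so an `authconfig --test` that prints nothing for the removal action still passes. The matcher was carried over unchanged, but since the whole check is being rewrapped this is the place to fix it, e.g. `its('stdout.strip') { should_not be_empty }`. The `control` block starts outside this hunk.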
@@ -73,11 +77,17 @@ " tag "fix_id": "F-85745r1_fix" - describe command("gsettings writable org.gnome.desktop.screensaver lock-enabled") do - its('stdout.strip') { should cmp 'false' } - end if package('gnome-desktop3').installed? - - describe "The GNOME desktop is not installed" do - skip "The GNOME desktop is not installed, this control is Not Applicable." - end if !package('gnome-desktop3').installed? + if skip_deprecated_test + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" + end + else + describe command("gsettings writable org.gnome.desktop.screensaver lock-enabled") do + its('stdout.strip') { should cmp 'false' } + end if package('gnome-desktop3').installed? + + describe "The GNOME desktop is not installed" do + skip "The GNOME desktop is not installed, this control is Not Applicable." + end if !package('gnome-desktop3').installed? + end end diff --git a/controls/V-81009.rb b/controls/V-81009.rb new file mode 100644 index 000000000..c409521f0 --- /dev/null +++ b/controls/V-81009.rb 
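Review bot: The first hunk of this file adds the `input(...)` preamble as four lines (`+1,9`) with no blank line before `control "V-78995" do`, whereas the other nine controls in this commit insert a blank line after the closing `description: ...)`; adding the blank line here keeps the files uniform. The `control` block starts outside the second hunk.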
@@ -0,0 +1,42 @@
+# encoding: utf-8
+#
+control "V-81009" do
+ title "The Red Hat Enterprise Linux operating system must mount /dev/shm with the nodev option."
+ desc "
+ The \"nodev\" mount option causes the system to not interpret character or block special devices.
+ Executing character or block special devices from untrusted file systems increases the opportunity
+ for unprivileged users to attain unauthorized administrative access."
+ impact 0.5
+ tag "gtitle": "SRG-OS-000368-GPOS-00154"
+ tag "gid": "V-81009"
+ tag "rid": "SV-95721r1_rule "
+ tag "stig_id": "RHEL-07-021022"
+ tag "cci": ["CCI-001764"]
+ tag "documentable": false
+ tag "nist": ["CM-6 b", "Rev_4"]
+ tag "subsystems": ['file_system']
+ desc "check", "
+ Verify that the \"nodev\" option is configured for /dev/shm.
+
+ Check that the operating system is configured to use the \"nodev\" option for /dev/shm with the following command:
+
+ # cat /etc/fstab | grep /dev/shm | grep nodev
+
+ tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0
+
+ If the \"nodev\" option is not present on the line for \"/dev/shm\", this is a finding.
+
+ Verify \"/dev/shm\" is mounted with the \"nodev\" option:
+
+ # mount | grep \"/dev/shm\" | grep nodev
+
+ If no results are returned, this is a finding.
+ "
+ desc "fix", "
+ Configure the \"/etc/fstab\" to use the \"nodev\" option for all lines containing \"/dev/shm\".
+ "
+
+ describe mount('/dev/shm') do
+ its('options') { should include 'nodev' }
+ end
+end
diff --git a/controls/V-81011.rb b/controls/V-81011.rb
new file mode 100644
index 000000000..5a688109b
--- /dev/null
+++ b/controls/V-81011.rb
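Review bot: `tag "rid": "SV-95721r1_rule "` carries a trailing space inside the literal, so the rule id will not equal `SV-95721r1_rule` in reports or when filtering by tag; it should be `tag "rid": "SV-95721r1_rule"`. The check text also requires the `/etc/fstab` entry, whereas `describe mount('/dev/shm')` only inspects the live mount, so a host whose current mount has `nodev` but whose fstab does not would pass until the next reboot; an additional `etc_fstab.where { mount_point == '/dev/shm' }` check on `mount_options` would cover that, and the same applies to V-81011 and V-81013.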
@@ -0,0 +1,31 @@
+# encoding: utf-8
+#
+control "V-81011" do
+ title "The Red Hat Enterprise Linux operating system must mount /dev/shm with the nosuid option."
+ desc "
+ The \"nosuid\" mount option causes the system to not execute \"setuid\" and \setgid\" files with owner privileges.
+ This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files.
+ Executing files from untrusted file systems increases the opportunity for unprivileged users to attain
+ unauthorized administrative access."
+ impact 0.5
+ tag "gtitle": "SRG-OS-000368-GPOS-00154"
+ tag "gid": "V-81011"
+ tag "rid": "SV-95723r1_rule"
+ tag "stig_id": "RHEL-07-021023"
+ tag "cci": ["CCI-001764"]
+ tag "documentable": false
+ tag "nist": ["CM-6 b", "Rev_4"]
+ tag "subsystems": ['file_system']
+ desc "check", "
+ The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner privileges.
+ This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files.
+ Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access.
+ "
+ desc "fix", "
+ Configure the system so that /dev/shm is mounted with the \"nosuid\" option.
+ "
+
+ describe mount('/dev/shm') do
+ its('options') { should include 'nosuid' }
+ end
+end
diff --git a/controls/V-81013.rb b/controls/V-81013.rb
new file mode 100644
index 000000000..a992b278c
--- /dev/null
+++ b/controls/V-81013.rb
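Review bot: In the `desc` text `\"setuid\" and \setgid\"` is missing the escaped quote before `setgid`; inside a double-quoted Ruby string `\s` is a whitespace escape, so the rendered description reads `"setuid" and  etgid"`. It should be `\"setuid\" and \"setgid\"`. The `desc "check"` block also repeats the rationale instead of the verification steps that V-81009 gives (the fstab grep and `mount | grep`), which looks like a copy-paste slip worth confirming against the STIG text.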
@@ -0,0 +1,31 @@
+# encoding: utf-8
+#
+control "V-81013" do
+ title "The Red Hat Enterprise Linux operating system must mount /dev/shm with the noexec option."
+ desc "The \"noexec\" mount option causes the system to not execute binary files. This option
+ must be used for mounting any file system not containing approved binary files as they may be
+ incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged
+ users to attain unauthorized administrative access."
+ impact 0.5
+ tag "gtitle": "SRG-OS-000368-GPOS-00154"
+ tag "gid": "V-81013"
+ tag "rid": "SV-95725r1_rule"
+ tag "stig_id": "RHEL-07-001764"
+ tag "cci": ["CCI-000366"]
+ tag "documentable": false
+ tag "nist": ["CM-6 b", "Rev_4"]
+ tag "subsystems": ['file_system']
+ desc "check", "
+ The \"noexec\" mount option causes the system to not execute binary files. This option must be used
+ for mounting any file system not containing approved binary files as they may be incompatible. Executing
+ files from untrusted file systems increases the opportunity for unprivileged users to attain
+ unauthorized administrative access.
+ "
+ desc "fix", "
+ Configure the system so that /dev/shm is mounted with the \"noexec\" option.
+ "
+
+ describe mount('/dev/shm') do
+ its('options') { should include 'noexec' }
+ end
+end
diff --git a/controls/V-81015.rb b/controls/V-81015.rb
new file mode 100644
index 000000000..ddbc9aefd
--- /dev/null
+++ b/controls/V-81015.rb
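Review bot: `tag "stig_id": "RHEL-07-001764"` breaks the `RHEL-07-0210xx` sequence of the neighbouring /dev/shm controls and looks like the `001764` CCI number those siblings carry, while `tag "cci": ["CCI-000366"]` differs from their `CCI-001764`; one of the two values is probably transposed and both should be verified against the STIG before merge. As in V-81011, the `desc "check"` block repeats the rationale rather than the verification commands.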
@@ -0,0 +1,47 @@
+# encoding: utf-8
+#
+control "V-81015" do
+ title "The Red Hat Enterprise Linux operating system must be configured to use the au-remote plugin."
+ desc "
+ Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is
+ a common process in information systems with limited audit storage capacity. Without the configuration of
+ the \"au-remote\" plugin, the audisp-remote daemon will not off-load the logs from the system being audited.
+ "
+ impact 0.5
+ tag "gtitle": "SRG-OS-000342-GPOS-00133"
+ tag "satisfies": ["SRG-OS-000342-GPOS-00133", "SRG-OS-000479-GPOS-00224"]
+ tag "gid": "V-81015"
+ tag "rid": "SV-95727r1_rule"
+ tag "stig_id": "RHEL-07-030200"
+ tag "cci": ["CCI-001851"]
+ tag "documentable": false
+ tag "nist": ["AU-12 c", "Rev_4"]
+ tag "subsystems": ["audit"]
+ tag "check_id": "C-80729r1_chk"
+ tag "fix_id": "F-87849r2_fix"
+ desc "check", "
+ Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+
+ Off-loading is a common process in information systems with limited audit storage capacity.
+
+ Without the configuration of the \"au-remote\" plugin, the audisp-remote daemon will not off-load the logs from the system being audited.
+ "
+ desc "fix", "
+ Edit the /etc/audisp/plugins.d/au-remote.conf file and change the value of \"active\" to \"yes\".
+
+ The audit daemon must be restarted for changes to take effect:
+
+ # service auditd restart
+ "
+
+ if file('/etc/audisp/audispd.conf').exist?
+ describe parse_config_file('/etc/audisp/audispd.conf') do
+ its('active') { should match %r{yes$} }
+ end
+ else
+ describe "File '/etc/audisp/audispd.conf' cannot be found. This test cannot be checked in a automated fashion and you must check it manually" do
+ skip "File '/etc/audisp/audispd.conf' cannot be found. This check must be performed manually"
+ end
+ end
+
+end
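Review bot: The test reads `/etc/audisp/audispd.conf` and asserts `its('active')`, but the control's own check and fix text place `active = yes` in `/etc/audisp/plugins.d/au-remote.conf`; audispd.conf is the daemon configuration and, going by the page, carries no `active` key, so the describe will see a nil value even on a correctly configured host. Replace the path in the `if`, the `describe` and both skip strings with `/etc/audisp/plugins.d/au-remote.conf`. V-81017 has the same mismatch for `direction`, `path` and `type`, which its check text likewise locates in au-remote.conf. Minor: the skip message says `in a automated fashion`; `in an automated fashion` — the same wording is copied into V-81017, V-81019 and V-81021.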
diff --git a/controls/V-81017.rb b/controls/V-81017.rb
new file mode 100644
index 000000000..ddfd198f7
--- /dev/null
+++ b/controls/V-81017.rb
@@ -0,0 +1,63 @@
+# encoding: utf-8
+#
+control "V-81017" do
+ title "The Red Hat Enterprise Linux operating system must configure the au-remote plugin to off-load audit logs using the audisp-remote daemon."
+ desc "
+ Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a
+ common process in information systems with limited audit storage capacity. Without the configuration of the \"au-remote\"
+ plugin, the audisp-remote daemon will not off load the logs from the system being audited.
+ "
+ impact 0.5
+ tag "gtitle": "SRG-OS-000342-GPOS-00133"
+ tag "satisfies": ["SRG-OS-000342-GPOS-00133", "SRG-OS-000479-GPOS-00224"]
+ tag "gid": "V-81017"
+ tag "rid": "SV-95729r1_rule"
+ tag "stig_id": "RHEL-07-030210"
+ tag "cci": ["CCI-001851"]
+ tag "documentable": false
+ tag "nist": ["AU-12 c", "Rev_4"]
+ tag "subsystems": ["audit"]
+ tag "check_id": "C-80731r2_chk"
+ tag "fix_id": "F-87851r2_fix"
+ desc "check", "
+ Verify the \"au-remote\" plugin is configured to always off-load audit logs using the audisp-remote daemon:
+
+ # cat /etc/audisp/plugins.d/au-remote.conf | grep -v \"^#\"
+
+ active = yes
+ direction = out
+ path = /sbin/audisp-remote
+ type = always
+ format = string
+
+ If the \"direction\" setting is not set to \"out\", or the line is commented out, this is a finding.
+
+ If the \"path\" setting is not set to \"/sbin/audisp-remote\", or the line is commented out, this is a finding.
+
+ If the \"type\" setting is not set to \"always\", or the line is commented out, this is a finding.
+ "
+ desc "fix", "
+ Edit the /etc/audisp/plugins.d/au-remote.conf file and add or update the following values:
+
+ direction = out
+ path = /sbin/audisp-remote
+ type = always
+
+ The audit daemon must be restarted for changes to take effect:
+
+ # service auditd restart
+ "
+
+ if file('/etc/audisp/audispd.conf').exist?
+ describe parse_config_file('/etc/audisp/audispd.conf') do
+ its('direction') { should match %r{out$} }
+ its('path') { should match %r{/sbin/audisp-remote$} }
+ its('type') { should match %r{always$} }
+ end
+ else
+ describe "File '/etc/audisp/audispd.conf' cannot be found. This test cannot be checked in a automated fashion and you must check it manually" do
+ skip "File '/etc/audisp/audispd.conf' cannot be found. This check must be performed manually"
+ end
+ end
+
+end
diff --git a/controls/V-81019.rb b/controls/V-81019.rb
new file mode 100644
index 000000000..0c65b4e3e
--- /dev/null
+++ b/controls/V-81019.rb
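Review bot: `tag "stig_id": "RHEL-07-030210"` in this file is identical to the `stig_id` given to V-81019 in the next file, while every other control in this commit has a unique STIG id; one of the two is wrong and should be checked against the STIG before merge. The path mismatch raised on V-81015 applies here as well: `direction`, `path` and `type` are the au-remote.conf keys quoted in this control's own check text, yet the `describe` parses `/etc/audisp/audispd.conf`.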
@@ -0,0 +1,51 @@
+# encoding: utf-8
+#
+control "V-81019" do
+ title "The Red Hat Enterprise Linux operating system must take appropriate action when the audisp-remote buffer is full."
+ desc "
+ Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a
+ common process in information systems with limited audit storage capacity. When the remote buffer is full, audit
+ logs will not be collected and sent to the central log server.
+ "
+ impact 0.5
+ tag "gtitle": "SRG-OS-000342-GPOS-00133"
+ tag "satisfies": ["SRG-OS-000342-GPOS-00133", "SRG-OS-000479-GPOS-00224"]
+ tag "gid": "V-81019"
+ tag "rid": "SV-95731r1_rule"
+ tag "stig_id": "RHEL-07-030210"
+ tag "cci": ["CCI-001851"]
+ tag "documentable": false
+ tag "nist": ["AU-12 c", "Rev_4"]
+ tag "subsystems": ["audit"]
+ tag "check_id": "C-80735r1_chk"
+ tag "fix_id": "F-87853r3_fix"
+ desc "check", "
+ Verify the audisp daemon is configured to take an appropriate action when the internal queue is full:
+
+ # grep \"overflow_action\" /etc/audisp/audispd.conf
+
+ overflow_action = syslog
+
+ If the \"overflow_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented out, this is a finding.
+ "
+ desc "fix", "
+ Edit the /etc/audisp/audispd.conf file and add or update the \"overflow_action\" option:
+
+ overflow_action = syslog
+
+ The audit daemon must be restarted for changes to take effect:
+
+ # service auditd restart
+ "
+
+ if file('/etc/audisp/audispd.conf').exist?
+ describe parse_config_file('/etc/audisp/audispd.conf') do
+ its('overflow_action') { should match %r{syslog$|single$|halt$} }
+ end
+ else
+ describe "File '/etc/audisp/audispd.conf' cannot be found. This test cannot be checked in a automated fashion and you must check it manually" do
+ skip "File '/etc/audisp/audispd.conf' cannot be found. This check must be performed manually"
+ end
+ end
+
+end
diff --git a/controls/V-81021.rb b/controls/V-81021.rb
new file mode 100644
index 000000000..6e592d551
--- /dev/null
+++ b/controls/V-81021.rb
@@ -0,0 +1,52 @@
+# encoding: utf-8
+#
+control "V-81021" do
+ title "The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server."
+ desc "
+ Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
+ Off-loading is a common process in information systems with limited audit storage capacity. When audit
+ logs are not labeled before they are sent to a central log server, the audit data will not be able to
+ be analyzed and tied back to the correct system.
+ "
+ impact 0.5
+ tag "gtitle": "SRG-OS-000342-GPOS-00133"
+ tag "satisfies": ["SRG-OS-000342-GPOS-00133", "SRG-OS-000479-GPOS-00224"]
+ tag "gid": "V-81021"
+ tag "rid": "SV-95733r1_rule"
+ tag "stig_id": "RHEL-07-030211"
+ tag "cci": ["CCI-001851"]
+ tag "documentable": false
+ tag "nist": ["AU-12 c", "Rev_4"]
+ tag "subsystems": ["audit"]
+ tag "check_id": "C-80737r1_chk"
+ tag "fix_id": "F-87855r2_fix"
+ desc "check", "
+ Verify the audisp daemon is configured to label all off-loaded audit logs:
+
+ # grep \"name_format\" /etc/audisp/audispd.conf
+
+ name_format = hostname
+
+ If the \"name_format\" option is not \"hostname\", \"fqd\", or \"numeric\", or the line is commented out, this is a finding.
+ "
+ desc "fix", "
+ Edit the /etc/audisp/audispd.conf file and add or update the \"name_format\" option:
+
+ name_format = hostname
+
+ The audit daemon must be restarted for changes to take effect:
+
+ # service auditd restart
+ "
+
+ if file('/etc/audisp/audispd.conf').exist?
+ describe parse_config_file('/etc/audisp/audispd.conf') do
+ its('name_format') { should match %r{hostname$|fqd$|\d+} }
+ end
+ else
+ describe "File '/etc/audisp/audispd.conf' cannot be found. This test cannot be checked in a automated fashion and you must check it manually" do
+ skip "File '/etc/audisp/audispd.conf' cannot be found. This check must be performed manually"
+ end
+ end
+
+end
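Review bot: `its('name_format') { should match %r{hostname$|fqd$|\d+} }` does not accept the third value the check text allows: `\d+` matches any digit anywhere in the value but never the literal `numeric`, so a compliant `name_format = numeric` is reported as a finding while an invalid value such as `host1` passes. The alternatives should be spelled out and anchored at both ends: `its('name_format') { should match %r{\A(hostname|fqd|numeric)\z} }`. The `$`-only anchoring in V-81019's `%r{syslog$|single$|halt$}` would benefit from the same `\A...\z` treatment, though there the alternatives are at least literal.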