Deprecated tests

attributes.yml

@@ -4,6 +4,20 @@
 # Controls that are known to consistently have long run times can be disabled with this attribute
 disable_slow_controls: false
 
+# Skips test that have been deprecated and removed from the STIG. 
+# Currently the following have been removed from the Latest STIG RHEL7 V2R4
+#    V-71895 - The operating system must set the idle delay setting for all connection types.
+#    V-71981 - The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata.
+#    V-72143 - The operating system must generate audit records for all successful/unsuccessful account access count events.
+#    V-72169 - All uses of the sudoedit command must be audited.
+#    V-72181 - All uses of the pt_chown command must be audited.
+#    V-72193 - All uses of the rmmod command must be audited
+#    V-72195 - All uses of the modprobe command must be audited.
+#    V-72215 - The system must update the virus scan program every seven days or more frequently
+#    V-72435 - The operating system must implement smart card logons for multifactor authentication for access to privileged accounts.
+#    V-78995 - The operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
+skip_deprecated_test: true
+
 # V-72081 - 'monitor_kernel_log', (bool)
 # Set this to false if your system availability concern is not documented or
 # there is no monitoring of the kernel log

controls/V-71895.rb

@@ -1,24 +1,9 @@
 # encoding: utf-8
 #
-=begin
------------------
-Benchmark: Red Hat Enterprise Linux 7 Security Technical Implementation Guide
-Status: Accepted
-
-This Security Technical Implementation Guide is published as a tool to improve
-the security of Department of Defense (DoD) information systems. The
-requirements are derived from the National Institute of Standards and
-Technology (NIST) 800-53 and related documents. Comments or proposed revisions
-to this document should be sent via email to the following address:
-[email protected].
-
-Release Date: 2017-03-08
-Version: 1
-Publisher: DISA
-Source: STIG.DOD.MIL
-uri: http://iase.disa.mil
------------------
-=end
+skip_deprecated_test = input(
+  'skip_deprecated_test',
+  value: true,
+  description: 'Skips tests that have been deprecated and removed from the STIG.')
 
 control "V-71895" do
   title "The operating system must set the idle delay setting for all connection
@@ -82,9 +67,16 @@
 
 /org/gnome/desktop/screensaver/idle-delay"
 
-  describe command("grep -i idle-delay /etc/dconf/db/*/locks/*") do
-    its('stdout.strip') { should_not cmp "" }
-    its('stderr') { should_not match /.*No such file or directory\n?$/ }
+
+  if skip_deprecated_test
+    describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do
+      skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True"
+    end
+  else
+    describe command("grep -i idle-delay /etc/dconf/db/*/locks/*") do
+      its('stdout.strip') { should_not cmp "" }
+      its('stderr') { should_not match /.*No such file or directory\n?$/ }
+    end
+    only_if { package('gnome-desktop3').installed? }
   end
-  only_if { package('gnome-desktop3').installed? }
 end

controls/V-71981.rb

@@ -1,5 +1,10 @@
 # encoding: utf-8
 #
+skip_deprecated_test = input(
+  'skip_deprecated_test',
+  value: true,
+  description: 'Skips tests that have been deprecated and removed from the STIG.')
+
 control "V-71981" do
   title "The operating system must prevent the installation of software,
 patches, service packs, device drivers, or operating system components of
@@ -52,19 +57,25 @@
 repo_gpgcheck=1"
   tag "fix_id": "F-78333r1_fix"
 
-  yum_conf = file('/etc/yum.conf')
-
-  describe yum_conf.path do
-    context yum_conf do
-      it { should exist }
+  if skip_deprecated_test
+    describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do
+      skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True"
     end
+  else
+    yum_conf = file('/etc/yum.conf')
+
+    describe yum_conf.path do
+      context yum_conf do
+        it { should exist }
+      end
 
-    if yum_conf.exist?
-      context '[main]' do
-        context 'repo_gpgcheck' do
-          it { expect( ini(yum_conf.path)['main'][subject] ).to cmp 1 }
+      if yum_conf.exist?
+        context '[main]' do
+          context 'repo_gpgcheck' do
+            it { expect( ini(yum_conf.path)['main'][subject] ).to cmp 1 }
+          end
         end
       end
     end
-  end
+  end  
 end

controls/V-72143.rb

@@ -1,5 +1,10 @@
 # encoding: utf-8
 #
+skip_deprecated_test = input(
+  'skip_deprecated_test',
+  value: true,
+  description: 'Skips tests that have been deprecated and removed from the STIG.')
+
 control "V-72143" do
   title "The operating system must generate audit records for all
 successful/unsuccessful account access count events."
@@ -51,22 +56,28 @@
     impact 0.0
   end
 
-  describe auditd.file(audit_file) do
-    its('permissions') { should_not cmp [] }
-    its('action') { should_not include 'never' }
-  end if file(audit_file).exist?
+  if skip_deprecated_test
+    describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do
+      skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True"
+    end
+  else
+    describe auditd.file(audit_file) do
+      its('permissions') { should_not cmp [] }
+      its('action') { should_not include 'never' }
+    end if file(audit_file).exist?
 
-  # Resource creates data structure including all usages of file
-  perms = auditd.file(audit_file).permissions
+    # Resource creates data structure including all usages of file
+    perms = auditd.file(audit_file).permissions
 
-  perms.each do |perm|
-    describe perm do
-      it { should include 'w' }
-      it { should include 'a' }
-    end
-  end if file(audit_file).exist?
+    perms.each do |perm|
+      describe perm do
+        it { should include 'w' }
+        it { should include 'a' }
+      end
+    end if file(audit_file).exist?
 
-  describe "The #{audit_file} file does not exist" do
-    skip "The #{audit_file} file does not exist, this requirement is Not Applicable."
-  end if !file(audit_file).exist?
+    describe "The #{audit_file} file does not exist" do
+      skip "The #{audit_file} file does not exist, this requirement is Not Applicable."
+    end if !file(audit_file).exist?
+  end  
 end

controls/V-72169.rb

@@ -1,5 +1,10 @@
 # encoding: utf-8
 #
+skip_deprecated_test = input(
+  'skip_deprecated_test',
+  value: true,
+  description: 'Skips tests that have been deprecated and removed from the STIG.')
+
 control "V-72169" do
   title "All uses of the sudoedit command must be audited."
   desc  "
@@ -51,21 +56,27 @@
     impact 0.0
   end
 
-  describe auditd.file(audit_file) do
-    its('permissions') { should_not cmp [] }
-    its('action') { should_not include 'never' }
-  end if file(audit_file).exist?
+  if skip_deprecated_test
+    describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do
+      skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True"
+    end
+  else
+    describe auditd.file(audit_file) do
+      its('permissions') { should_not cmp [] }
+      its('action') { should_not include 'never' }
+    end if file(audit_file).exist?
 
-  # Resource creates data structure including all usages of file
-  perms = auditd.file(audit_file).permissions
+    # Resource creates data structure including all usages of file
+    perms = auditd.file(audit_file).permissions
 
-  perms.each do |perm|
-    describe perm do
-      it { should include 'x' }
-    end
-  end if file(audit_file).exist?
+    perms.each do |perm|
+      describe perm do
+        it { should include 'x' }
+      end
+    end if file(audit_file).exist?
 
-  describe "The #{audit_file} file does not exist" do
-    skip "The #{audit_file} file does not exist, this requirement is Not Applicable."
-  end if !file(audit_file).exist?
+    describe "The #{audit_file} file does not exist" do
+      skip "The #{audit_file} file does not exist, this requirement is Not Applicable."
+    end if !file(audit_file).exist?
+  end  
 end

controls/V-72181.rb

@@ -1,5 +1,10 @@
 # encoding: utf-8
 #
+skip_deprecated_test = input(
+  'skip_deprecated_test',
+  value: true,
+  description: 'Skips tests that have been deprecated and removed from the STIG.')
+
 control "V-72181" do
   title "All uses of the pt_chown command must be audited."
   desc  "
@@ -55,21 +60,27 @@
     impact 0.0
   end
 
-  describe auditd.file(audit_file) do
-    its('permissions') { should_not cmp [] }
-    its('action') { should_not include 'never' }
-  end if file(audit_file).exist?
+  if skip_deprecated_test
+    describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do
+      skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True"
+    end
+  else
+    describe auditd.file(audit_file) do
+      its('permissions') { should_not cmp [] }
+      its('action') { should_not include 'never' }
+    end if file(audit_file).exist?
 
-  # Resource creates data structure including all usages of file
-  perms = auditd.file(audit_file).permissions
+    # Resource creates data structure including all usages of file
+    perms = auditd.file(audit_file).permissions
 
-  perms.each do |perm|
-    describe perm do
-      it { should include 'x' }
-    end
-  end if file(audit_file).exist?
+    perms.each do |perm|
+      describe perm do
+        it { should include 'x' }
+      end
+    end if file(audit_file).exist?
 
-  describe "The #{audit_file} file does not exist" do
-    skip "The #{audit_file} file does not exist, this requirement is Not Applicable."
-  end if !file(audit_file).exist?
+    describe "The #{audit_file} file does not exist" do
+      skip "The #{audit_file} file does not exist, this requirement is Not Applicable."
+    end if !file(audit_file).exist?
+  end  
 end

controls/V-72193.rb

@@ -1,5 +1,10 @@
 # encoding: utf-8
 #
+skip_deprecated_test = input(
+  'skip_deprecated_test',
+  value: true,
+  description: 'Skips tests that have been deprecated and removed from the STIG.')
+
 control "V-72193" do
   title "All uses of the rmmod command must be audited."
   desc  "
@@ -51,21 +56,27 @@
     impact 0.0
   end
 
-  describe auditd.file(audit_file) do
-    its('permissions') { should_not cmp [] }
-    its('action') { should_not include 'never' }
-  end if file(audit_file).exist?
+  if skip_deprecated_test
+    describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do
+      skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True"
+    end
+  else
+    describe auditd.file(audit_file) do
+      its('permissions') { should_not cmp [] }
+      its('action') { should_not include 'never' }
+    end if file(audit_file).exist?
 
-  # Resource creates data structure including all usages of file
-  perms = auditd.file(audit_file).permissions
+    # Resource creates data structure including all usages of file
+    perms = auditd.file(audit_file).permissions
 
-  perms.each do |perm|
-    describe perm do
-      it { should include 'x' }
-    end
-  end if file(audit_file).exist?
+    perms.each do |perm|
+      describe perm do
+        it { should include 'x' }
+      end
+    end if file(audit_file).exist?
 
-  describe "The #{audit_file} file does not exist" do
-    skip "The #{audit_file} file does not exist, this requirement is Not Applicable."
-  end if !file(audit_file).exist?
+    describe "The #{audit_file} file does not exist" do
+      skip "The #{audit_file} file does not exist, this requirement is Not Applicable."
+    end if !file(audit_file).exist?
+  end  
 end

controls/V-72195.rb

@@ -1,5 +1,10 @@
 # encoding: utf-8
 #
+skip_deprecated_test = input(
+  'skip_deprecated_test',
+  value: true,
+  description: 'Skips tests that have been deprecated and removed from the STIG.')
+
 control "V-72195" do
   title "All uses of the modprobe command must be audited."
   desc  "
@@ -55,21 +60,27 @@
     impact 0.0
   end
 
-  describe auditd.file(audit_file) do
-    its('permissions') { should_not cmp [] }
-    its('action') { should_not include 'never' }
-  end if file(audit_file).exist?
-
-  # Resource creates data structure including all usages of file
-  perms = auditd.file(audit_file).permissions
-
-  perms.each do |perm|
-    describe perm do
-      it { should include 'x' }
+  if skip_deprecated_test
+    describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do
+      skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True"
     end
-  end if file(audit_file).exist?
-
-  describe "The #{audit_file} file does not exist" do
-    skip "The #{audit_file} file does not exist, this requirement is Not Applicable."
-  end if !file(audit_file).exist?
+  else
+    describe auditd.file(audit_file) do
+      its('permissions') { should_not cmp [] }
+      its('action') { should_not include 'never' }
+    end if file(audit_file).exist?
+
+    # Resource creates data structure including all usages of file
+    perms = auditd.file(audit_file).permissions
+
+    perms.each do |perm|
+      describe perm do
+        it { should include 'x' }
+      end
+    end if file(audit_file).exist?
+
+    describe "The #{audit_file} file does not exist" do
+      skip "The #{audit_file} file does not exist, this requirement is Not Applicable."
+    end if !file(audit_file).exist?
+  end  
 end