From 1668ef91b716e581a93211a297c9dbf09a7a1f1f Mon Sep 17 00:00:00 2001
From: Craig Poma
Date: Fri, 11 Oct 2019 19:09:44 -0400
Subject: [PATCH 01/26] Added some missing tests
---
 controls/V-81017.rb | 63 +++++++++++++++++++++++++++++++++++++++++++++
 controls/V-81019.rb | 51 ++++++++++++++++++++++++++++++++++++
 controls/V-81021.rb | 52 +++++++++++++++++++++++++++++++++++++
 3 files changed, 166 insertions(+)
 create mode 100644 controls/V-81017.rb
 create mode 100644 controls/V-81019.rb
 create mode 100644 controls/V-81021.rb
diff --git a/controls/V-81017.rb b/controls/V-81017.rb
new file mode 100644
index 000000000..b48a74f30
--- /dev/null
+++ b/controls/V-81017.rb
@@ -0,0 +1,63 @@ +# encoding: utf-8 +# +control "V-81017" do + title "The Red Hat Enterprise Linux operating system must configure the au-remote plugin to off-load audit logs using the audisp-remote daemon." + desc " + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a + common process in information systems with limited audit storage capacity. Without the configuration of the \"au-remote\" + plugin, the audisp-remote daemon will not off load the logs from the system being audited. + " + impact 0.5 + tag "gtitle": "SRG-OS-000342-GPOS-00133" + tag "satisfies": ["SRG-OS-000342-GPOS-00133", "SRG-OS-000479-GPOS-00224"] + tag "gid": "V-81017" + tag "rid": "SV-95729r1_rule" + tag "stig_id": "RHEL-07-030210" + tag "cci": ["CCI-001851"] + tag "documentable": true + tag "nist": ["AU-12 c", "Rev_4"] + tag "subsystems": ["audit"] + tag "check_id": "C-80731r2_chk" + tag "fix_id": "F-87851r2_fix" + desc "check", " + Verify the \"au-remote\" plugin is configured to always off-load audit logs using the audisp-remote daemon: + + # cat /etc/audisp/plugins.d/au-remote.conf | grep -v \"^#\" + + active = yes + direction = out + path = /sbin/audisp-remote + type = always + format = string + + If the \"direction\" setting is not set to \"out\", or the line is commented out, this is a finding. + + If the \"path\" setting is not set to \"/sbin/audisp-remote\", or the line is commented out, this is a finding. + + If the \"type\" setting is not set to \"always\", or the line is commented out, this is a finding. + " + desc "fix", " + Edit the /etc/audisp/plugins.d/au-remote.conf file and add or update the following values: + + direction = out + path = /sbin/audisp-remote + type = always + + The audit daemon must be restarted for changes to take effect: + + # service auditd restart + " + + if file('/etc/audisp/audispd.conf').exist? 
+ describe parse_config_file('/etc/audisp/audispd.conf') do + its('direction') { should match %r{out$} } + its('path') { should match %r{/sbin/audisp-remote$} } + its('type') { should match %r{always$} } + end + else + describe "File '/etc/audisp/audispd.conf' cannot be found. This test cannot be checked in a automated fashion and you must check it manually" do + skip "File '/etc/audisp/audispd.conf' cannot be found. This check must be performed manually" + end + end + +end diff --git a/controls/V-81019.rb b/controls/V-81019.rb new file mode 100644 index 000000000..070218743 --- /dev/null +++ b/controls/V-81019.rb 
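Review bot: The automated branch reads `direction`, `path` and `type` from `/etc/audisp/audispd.conf`, while the check text directly above names `/etc/audisp/plugins.d/au-remote.conf` as the file that holds those settings, so on a compliant host the control looks for plugin keys in the daemon file and fails or skips. Both the `file(...).exist?` guard and the `parse_config_file(...)` call should point at `/etc/audisp/plugins.d/au-remote.conf`, and the two skip messages should name that file as well. The same file mix-up is in V-81015 (L11), which tests `active` in audispd.conf although its fix text edits au-remote.conf. Separately, this control and V-81019 (L4) both carry `tag "stig_id": "RHEL-07-030210"`; STIG ids are unique per rule, so one of the two values needs to be corrected against the benchmark.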
@@ -0,0 +1,51 @@ +# encoding: utf-8 +# +control "V-81019" do + title "The Red Hat Enterprise Linux operating system must take appropriate action when the audisp-remote buffer is full." + desc " + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a + common process in information systems with limited audit storage capacity. When the remote buffer is full, audit + logs will not be collected and sent to the central log server. + " + impact 0.5 + tag "gtitle": "SRG-OS-000342-GPOS-00133" + tag "satisfies": ["SRG-OS-000342-GPOS-00133", "SRG-OS-000479-GPOS-00224"] + tag "gid": "V-81019" + tag "rid": "SV-95731r1_rule" + tag "stig_id": "RHEL-07-030210" + tag "cci": ["CCI-001851"] + tag "documentable": true + tag "nist": ["AU-12 c", "Rev_4"] + tag "subsystems": ["audit"] + tag "check_id": "C-80735r1_chk" + tag "fix_id": "F-87853r3_fix" + desc "check", " + Verify the audisp daemon is configured to take an appropriate action when the internal queue is full: + + # grep \"overflow_action\" /etc/audisp/audispd.conf + + overflow_action = syslog + + If the \"overflow_action\" option is not \"syslog\", \"single\", or \"halt\", or the line is commented out, this is a finding. + " + desc "fix", " + Edit the /etc/audisp/audispd.conf file and add or update the \"overflow_action\" option: + + overflow_action = syslog + + The audit daemon must be restarted for changes to take effect: + + # service auditd restart + " + + if file('/etc/audisp/audispd.conf').exist? + describe parse_config_file('/etc/audisp/audispd.conf') do + its('overflow_action') { should match %r{syslog$|single$|halt$} } + end + else + describe "File '/etc/audisp/audispd.conf' cannot be found. This test cannot be checked in a automated fashion and you must check it manually" do + skip "File '/etc/audisp/audispd.conf' cannot be found. This check must be performed manually" + end + end + +end 
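Review bot: The `else` branch turns a missing `/etc/audisp/audispd.conf` into a skipped "check manually" result, but for this requirement the absence of the daemon configuration means `overflow_action` is not set, which the check text classes as a finding; a failing `describe file('/etc/audisp/audispd.conf') do it { should exist } end` would report that honestly instead of hiding it in a skip. The matcher `%r{syslog$|single$|halt$}` also accepts any value that merely ends in one of the three words; `its('overflow_action') { should match %r{^(syslog|single|halt)$} }` pins the accepted settings exactly. The same missing-file skip pattern is used in V-81017 (L3), V-81021 (L6) and V-81015 (L11).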
diff --git a/controls/V-81021.rb b/controls/V-81021.rb
new file mode 100644
index 000000000..ce059b6cb
--- /dev/null
+++ b/controls/V-81021.rb
@@ -0,0 +1,52 @@ +# encoding: utf-8 +# +control "V-81021" do + title "The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server." + desc " + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + Off-loading is a common process in information systems with limited audit storage capacity. When audit + logs are not labeled before they are sent to a central log server, the audit data will not be able to + be analyzed and tied back to the correct system. + " + impact 0.5 + tag "gtitle": "SRG-OS-000342-GPOS-00133" + tag "satisfies": ["SRG-OS-000342-GPOS-00133", "SRG-OS-000479-GPOS-00224"] + tag "gid": "V-81021" + tag "rid": "SV-95733r1_rule" + tag "stig_id": "RHEL-07-030211" + tag "cci": ["CCI-001851"] + tag "documentable": true + tag "nist": ["AU-12 c", "Rev_4"] + tag "subsystems": ["audit"] + tag "check_id": "C-80737r1_chk" + tag "fix_id": "F-87855r2_fix" + desc "check", " + Verify the audisp daemon is configured to label all off-loaded audit logs: + + # grep \"name_format\" /etc/audisp/audispd.conf + + name_format = hostname + + If the \"name_format\" option is not \"hostname\", \"fqd\", or \"numeric\", or the line is commented out, this is a finding. + " + desc "fix", " + Edit the /etc/audisp/audispd.conf file and add or update the \"name_format\" option: + + name_format = hostname + + The audit daemon must be restarted for changes to take effect: + + # service auditd restart + " + + if file('/etc/audisp/audispd.conf').exist? + describe parse_config_file('/etc/audisp/audispd.conf') do + its('name_format') { should match %r{hostname$|fqd$|\d+} } + end + else + describe "File '/etc/audisp/audispd.conf' cannot be found. This test cannot be checked in a automated fashion and you must check it manually" do + skip "File '/etc/audisp/audispd.conf' cannot be found. This check must be performed manually" + end + end + +end 
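Review bot: The matcher `%r{hostname$|fqd$|\d+}` never accepts `numeric`, which the check text quotes as a literal keyword alongside "hostname" and "fqd", so a host configured with `name_format = numeric` fails this control; the `\d+` alternative is also unanchored and would accept any value that happens to contain a digit. Replace the line with `its('name_format') { should match %r{^(hostname|fqd|numeric)$} }` so the three permitted values, and only those, pass.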
From 9ea34a39675c8ad5ea535a49b317ff8c8dfc59c6 Mon Sep 17 00:00:00 2001
From: Craig Poma
Date: Fri, 11 Oct 2019 19:39:30 -0400
Subject: [PATCH 02/26] Added missing tests
---
 controls/V-81009.rb | 42 ++++++++++++++++++++++++++++++++++++++++
 controls/V-81011.rb | 31 ++++++++++++++++++++++++++++++
 controls/V-81013.rb | 31 ++++++++++++++++++++++++++++++
 controls/V-81015.rb | 47 +++++++++++++++++++++++++++++++++++++++++++++
 controls/V-81017.rb | 2 +-
 controls/V-81019.rb | 2 +-
 controls/V-81021.rb | 2 +-
 7 files changed, 154 insertions(+), 3 deletions(-)
 create mode 100644 controls/V-81009.rb
 create mode 100644 controls/V-81011.rb
 create mode 100644 controls/V-81013.rb
 create mode 100644 controls/V-81015.rb
diff --git a/controls/V-81009.rb b/controls/V-81009.rb
new file mode 100644
index 000000000..c409521f0
--- /dev/null
+++ b/controls/V-81009.rb
@@ -0,0 +1,42 @@ +# encoding: utf-8 +# +control "V-81009" do + title "The Red Hat Enterprise Linux operating system must mount /dev/shm with the nodev option." + desc " + The \"nodev\" mount option causes the system to not interpret character or block special devices. + Executing character or block special devices from untrusted file systems increases the opportunity + for unprivileged users to attain unauthorized administrative access." + impact 0.5 + tag "gtitle": "SRG-OS-000368-GPOS-00154" + tag "gid": "V-81009" + tag "rid": "SV-95721r1_rule " + tag "stig_id": "RHEL-07-021022" + tag "cci": ["CCI-001764"] + tag "documentable": false + tag "nist": ["CM-6 b", "Rev_4"] + tag "subsystems": ['file_system'] + desc "check", " + Verify that the \"nodev\" option is configured for /dev/shm. + + Check that the operating system is configured to use the \"nodev\" option for /dev/shm with the following command: + + # cat /etc/fstab | grep /dev/shm | grep nodev + + tmpfs /dev/shm tmpfs defaults,nodev,nosuid,noexec 0 0 + + If the \"nodev\" option is not present on the line for \"/dev/shm\", this is a finding. + + Verify \"/dev/shm\" is mounted with the \"nodev\" option: + + # mount | grep \"/dev/shm\" | grep nodev + + If no results are returned, this is a finding. + " + desc "fix", " + Configure the \"/etc/fstab\" to use the \"nodev\" option for all lines containing \"/dev/shm\". + " + + describe mount('/dev/shm') do + its('options') { should include 'nodev' } + end +end diff --git a/controls/V-81011.rb b/controls/V-81011.rb new file mode 100644 index 000000000..5a688109b --- /dev/null +++ b/controls/V-81011.rb 
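Review bot: The check text requires `nodev` both on the `/dev/shm` line in `/etc/fstab` and on the live mount, but the test only inspects `mount('/dev/shm')`, so a system whose running mount carries `nodev` while its fstab entry does not (and loses the option at the next boot) passes; adding `describe etc_fstab.where { mount_point == '/dev/shm' } do`, `its('mount_options.flatten') { should include 'nodev' }`, `end` covers the persistent configuration as well. The same gap applies to V-81011 (L9) and V-81013 (L10) for `nosuid` and `noexec`. Also `tag "rid": "SV-95721r1_rule "` carries a trailing space inside the string, which will not match the rule id as reporting tools expect it.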
@@ -0,0 +1,31 @@ +# encoding: utf-8 +# +control "V-81011" do + title "The Red Hat Enterprise Linux operating system must mount /dev/shm with the nosuid option." + desc " + The \"nosuid\" mount option causes the system to not execute \"setuid\" and \setgid\" files with owner privileges. + This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. + Executing files from untrusted file systems increases the opportunity for unprivileged users to attain + unauthorized administrative access." + impact 0.5 + tag "gtitle": "SRG-OS-000368-GPOS-00154" + tag "gid": "V-81011" + tag "rid": "SV-95723r1_rule" + tag "stig_id": "RHEL-07-021023" + tag "cci": ["CCI-001764"] + tag "documentable": false + tag "nist": ["CM-6 b", "Rev_4"] + tag "subsystems": ['file_system'] + desc "check", " + The \"nosuid\" mount option causes the system to not execute \"setuid\" and \"setgid\" files with owner privileges. + This option must be used for mounting any file system not containing approved \"setuid\" and \"setguid\" files. + Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access. + " + desc "fix", " + Configure the system so that /dev/shm is mounted with the \"nosuid\" option. + " + + describe mount('/dev/shm') do + its('options') { should include 'nosuid' } + end +end diff --git a/controls/V-81013.rb b/controls/V-81013.rb new file mode 100644 index 000000000..a992b278c --- /dev/null +++ b/controls/V-81013.rb 
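Review bot: In the `desc` string the escape `\setgid\"` is missing its opening `\"`, so Ruby reads `\s` as a space and the rendered text becomes `and  etgid"` with an unbalanced quote; it should be `\"setgid\"`, and `\"setguid\"` on the following line is presumably meant to be `\"setgid\"` as well. The `desc "check"` block repeats the vulnerability discussion instead of the verification steps (the fstab and `mount | grep` commands that V-81009 at L8 gives), which leaves an assessor with no documented procedure to confirm the automated result; the same applies to V-81013 (L10) and V-81015 (L11).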
@@ -0,0 +1,31 @@ +# encoding: utf-8 +# +control "V-81013" do + title "The Red Hat Enterprise Linux operating system must mount /dev/shm with the noexec option." + desc "The \"noexec\" mount option causes the system to not execute binary files. This option + must be used for mounting any file system not containing approved binary files as they may be + incompatible. Executing files from untrusted file systems increases the opportunity for unprivileged + users to attain unauthorized administrative access." + impact 0.5 + tag "gtitle": "SRG-OS-000368-GPOS-00154" + tag "gid": "V-81013" + tag "rid": "SV-95725r1_rule" + tag "stig_id": "RHEL-07-001764" + tag "cci": ["CCI-000366"] + tag "documentable": false + tag "nist": ["CM-6 b", "Rev_4"] + tag "subsystems": ['file_system'] + desc "check", " + The \"noexec\" mount option causes the system to not execute binary files. This option must be used + for mounting any file system not containing approved binary files as they may be incompatible. Executing + files from untrusted file systems increases the opportunity for unprivileged users to attain + unauthorized administrative access. + " + desc "fix", " + Configure the system so that /dev/shm is mounted with the \"noexec\" option. + " + + describe mount('/dev/shm') do + its('options') { should include 'noexec' } + end +end diff --git a/controls/V-81015.rb b/controls/V-81015.rb new file mode 100644 index 000000000..ddbc9aefd --- /dev/null +++ b/controls/V-81015.rb 
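Review bot: `tag "stig_id": "RHEL-07-001764"` does not follow the `RHEL-07-0210xx` numbering of the sibling /dev/shm controls (V-81009 and V-81011 at L8 and L9 use `RHEL-07-021022` and `RHEL-07-021023`) and looks like the digits of `CCI-001764` pasted into the wrong tag; `tag "cci": ["CCI-000366"]` likewise differs from the `CCI-001764` both siblings carry for the same SRG. Both values should be checked against the benchmark before this control is used for reporting, since mismatched ids break traceability to the STIG finding.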
@@ -0,0 +1,47 @@ +# encoding: utf-8 +# +control "V-81015" do + title "The Red Hat Enterprise Linux operating system must be configured to use the au-remote plugin." + desc " + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is + a common process in information systems with limited audit storage capacity. Without the configuration of + the \"au-remote\" plugin, the audisp-remote daemon will not off-load the logs from the system being audited. + " + impact 0.5 + tag "gtitle": "SRG-OS-000342-GPOS-00133" + tag "satisfies": ["SRG-OS-000342-GPOS-00133", "SRG-OS-000479-GPOS-00224"] + tag "gid": "V-81015" + tag "rid": "SV-95727r1_rule" + tag "stig_id": "RHEL-07-030200" + tag "cci": ["CCI-001851"] + tag "documentable": false + tag "nist": ["AU-12 c", "Rev_4"] + tag "subsystems": ["audit"] + tag "check_id": "C-80729r1_chk" + tag "fix_id": "F-87849r2_fix" + desc "check", " + Information stored in one location is vulnerable to accidental or incidental deletion or alteration. + + Off-loading is a common process in information systems with limited audit storage capacity. + + Without the configuration of the \"au-remote\" plugin, the audisp-remote daemon will not off-load the logs from the system being audited. + " + desc "fix", " + Edit the /etc/audisp/plugins.d/au-remote.conf file and change the value of \"active\" to \"yes\". + + The audit daemon must be restarted for changes to take effect: + + # service auditd restart + " + + if file('/etc/audisp/audispd.conf').exist? + describe parse_config_file('/etc/audisp/audispd.conf') do + its('active') { should match %r{yes$} } + end + else + describe "File '/etc/audisp/audispd.conf' cannot be found. This test cannot be checked in a automated fashion and you must check it manually" do + skip "File '/etc/audisp/audispd.conf' cannot be found. This check must be performed manually" + end + end + +end 
diff --git a/controls/V-81017.rb b/controls/V-81017.rb
index b48a74f30..ddfd198f7 100644
--- a/controls/V-81017.rb
+++ b/controls/V-81017.rb
@@ -14,7 +14,7 @@
   tag "rid": "SV-95729r1_rule"
   tag "stig_id": "RHEL-07-030210"
   tag "cci": ["CCI-001851"]
-  tag "documentable": true
+  tag "documentable": false
   tag "nist": ["AU-12 c", "Rev_4"]
   tag "subsystems": ["audit"]
   tag "check_id": "C-80731r2_chk"
diff --git a/controls/V-81019.rb b/controls/V-81019.rb
index 070218743..0c65b4e3e 100644
--- a/controls/V-81019.rb
+++ b/controls/V-81019.rb
@@ -14,7 +14,7 @@
   tag "rid": "SV-95731r1_rule"
   tag "stig_id": "RHEL-07-030210"
   tag "cci": ["CCI-001851"]
-  tag "documentable": true
+  tag "documentable": false
   tag "nist": ["AU-12 c", "Rev_4"]
   tag "subsystems": ["audit"]
   tag "check_id": "C-80735r1_chk"
diff --git a/controls/V-81021.rb b/controls/V-81021.rb
index ce059b6cb..6e592d551 100644
--- a/controls/V-81021.rb
+++ b/controls/V-81021.rb
@@ -15,7 +15,7 @@
   tag "rid": "SV-95733r1_rule"
   tag "stig_id": "RHEL-07-030211"
   tag "cci": ["CCI-001851"]
-  tag "documentable": true
+  tag "documentable": false
   tag "nist": ["AU-12 c", "Rev_4"]
   tag "subsystems": ["audit"]
   tag "check_id": "C-80737r1_chk"
From ee40b5e3f1bc952685efb00fdaf54f184edee3c6 Mon Sep 17 00:00:00 2001
From: Craig Poma Date: Sat, 12 Oct 2019 15:39:09 -0400 Subject: [PATCH 03/26] Added ability to skips test that have been deprecated and removed from the STIG. Currently the following have been removed from the Latest STIG RHEL7 V2R4 V-71895 - The operating system must set the idle delay setting for all connection types. V-71981 - The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata. V-72143 - The operating system must generate audit records for all successful/unsuccessful account access count events. V-72169 - All uses of the sudoedit command must be audited. V-72181 - All uses of the pt_chown command must be audited. V-72193 - All uses of the rmmod command must be audited V-72195 - All uses of the modprobe command must be audited. V-72215 - The system must update the virus scan program every seven days or more frequently V-72435 - The operating system must implement smart card logons for multifactor authentication for access to privileged accounts. V-78995 - The operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface. --- attributes.yml | 14 +++++++++++ controls/V-71895.rb | 38 ++++++++++++----------------- controls/V-71981.rb | 31 ++++++++++++++++-------- controls/V-72143.rb | 41 +++++++++++++++++++------------ controls/V-72169.rb | 39 +++++++++++++++++++----------- controls/V-72181.rb | 39 +++++++++++++++++++----------- controls/V-72193.rb | 39 +++++++++++++++++++----------- controls/V-72195.rb | 43 +++++++++++++++++++++------------ controls/V-72215.rb | 59 +++++++++++++++++++++++++++------------------ controls/V-72435.rb | 43 ++++++++++++--------------------- controls/V-78995.rb | 24 ++++++++++++------ 11 files changed, 246 insertions(+), 164 deletions(-) diff --git a/attributes.yml b/attributes.yml index 01cb6331c..97fbfdba3 100644 --- a/attributes.yml 
+++ b/attributes.yml
@@ -4,6 +4,20 @@
 # Controls that are known to consistently have long run times can be disabled with this attribute
 disable_slow_controls: false
 
+# Skips test that have been deprecated and removed from the STIG.
+# Currently the following have been removed from the Latest STIG RHEL7 V2R4
+# V-71895 - The operating system must set the idle delay setting for all connection types.
+# V-71981 - The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata.
+# V-72143 - The operating system must generate audit records for all successful/unsuccessful account access count events.
+# V-72169 - All uses of the sudoedit command must be audited.
+# V-72181 - All uses of the pt_chown command must be audited.
+# V-72193 - All uses of the rmmod command must be audited
+# V-72195 - All uses of the modprobe command must be audited.
+# V-72215 - The system must update the virus scan program every seven days or more frequently
+# V-72435 - The operating system must implement smart card logons for multifactor authentication for access to privileged accounts.
+# V-78995 - The operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
+skip_deprecated_test: true
+
 # V-72081 - 'monitor_kernel_log', (bool)
 # Set this to false if your system availability concern is not documented or
 # there is no monitoring of the kernel log
diff --git a/controls/V-71895.rb b/controls/V-71895.rb
index 5535b0ff4..917753fdf 100644
--- a/controls/V-71895.rb
+++ b/controls/V-71895.rb
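Review bot: The comment above `skip_deprecated_test: true` reads "Skips test that have been deprecated" where "Skips tests" is meant, and the same wording is copied into the `description:` of the `input(...)` call in every control touched by this commit (L15–L23). Because each of those controls also hard-codes `value: true` as the input default, this attribute is one of eleven places carrying the same default; declaring the input once in the profile's `inspec.yml` and reading it with `input('skip_deprecated_test')` in the controls would leave a single source of truth. The list of retired V-IDs here will drift as soon as another control is retired, so a trailing `# keep in sync with the controls that read skip_deprecated_test` is worth adding.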
@@ -1,24 +1,9 @@ # encoding: utf-8 # -=begin ------------------ -Benchmark: Red Hat Enterprise Linux 7 Security Technical Implementation Guide -Status: Accepted - -This Security Technical Implementation Guide is published as a tool to improve -the security of Department of Defense (DoD) information systems. The -requirements are derived from the National Institute of Standards and -Technology (NIST) 800-53 and related documents. Comments or proposed revisions -to this document should be sent via email to the following address: -disa.stig_spt@mail.mil. - -Release Date: 2017-03-08 -Version: 1 -Publisher: DISA -Source: STIG.DOD.MIL -uri: http://iase.disa.mil ------------------ -=end +skip_deprecated_test = input( + 'skip_deprecated_test', + value: true, + description: 'Skips test that have been deprecated and removed from the STIG.') control "V-71895" do title "The operating system must set the idle delay setting for all connection @@ -82,9 +67,16 @@ /org/gnome/desktop/screensaver/idle-delay" - describe command("grep -i idle-delay /etc/dconf/db/*/locks/*") do - its('stdout.strip') { should_not cmp "" } - its('stderr') { should_not match /.*No such file or directory\n?$/ } + + if skip_deprecated_test + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + end + else + describe command("grep -i idle-delay /etc/dconf/db/*/locks/*") do + its('stdout.strip') { should_not cmp "" } + its('stderr') { should_not match /.*No such file or directory\n?$/ } + end + only_if { package('gnome-desktop3').installed? } end - only_if { package('gnome-desktop3').installed? } end diff --git a/controls/V-71981.rb b/controls/V-71981.rb index d9d582b2e..7d7191fa6 100644 --- a/controls/V-71981.rb +++ b/controls/V-71981.rb 
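Review bot: The skip message in the new `if skip_deprecated_test` branch spells "because" as "becuase", and the identical sentence is used twice, once as the `describe` label and once as the `skip` reason; assigning it once, `deprecated_msg = "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True"`, and writing `describe deprecated_msg do skip deprecated_msg end` fixes the typo in one place. The same duplicated string appears in the hunks at L16, L17, L18, L19, L20, L21 and L22, and the input declaration at L23 belongs to the same change. When the branch is taken the control still reports with its original impact; the neighbouring controls already drop to `impact 0.0` for not-applicable cases (visible in the context at L17), so consider the same in the deprecated branch so retired controls do not weigh on the profile score. The second hunk's move of `only_if { package('gnome-desktop3').installed? }` into the `else` branch is fine, since `only_if` gates the whole control wherever it is declared.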
@@ -1,5 +1,10 @@ # encoding: utf-8 # +skip_deprecated_test = input( + 'skip_deprecated_test', + value: true, + description: 'Skips test that have been deprecated and removed from the STIG.') + control "V-71981" do title "The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of @@ -52,19 +57,25 @@ repo_gpgcheck=1" tag "fix_id": "F-78333r1_fix" - yum_conf = file('/etc/yum.conf') - - describe yum_conf.path do - context yum_conf do - it { should exist } + if skip_deprecated_test + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" end + else + yum_conf = file('/etc/yum.conf') + + describe yum_conf.path do + context yum_conf do + it { should exist } + end - if yum_conf.exist? - context '[main]' do - context 'repo_gpgcheck' do - it { expect( ini(yum_conf.path)['main'][subject] ).to cmp 1 } + if yum_conf.exist? + context '[main]' do + context 'repo_gpgcheck' do + it { expect( ini(yum_conf.path)['main'][subject] ).to cmp 1 } + end end end end - end + end end diff --git a/controls/V-72143.rb b/controls/V-72143.rb index be8452d8a..95dd82a3b 100644 --- a/controls/V-72143.rb +++ b/controls/V-72143.rb @@ -1,5 +1,10 @@ # encoding: utf-8 # +skip_deprecated_test = input( + 'skip_deprecated_test', + value: true, + description: 'Skips test that have been deprecated and removed from the STIG.') + control "V-72143" do title "The operating system must generate audit records for all successful/unsuccessful account access count events." 
@@ -51,22 +56,28 @@ impact 0.0 end - describe auditd.file(audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end if file(audit_file).exist? + if skip_deprecated_test + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + end + else + describe auditd.file(audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end if file(audit_file).exist? - # Resource creates data structure including all usages of file - perms = auditd.file(audit_file).permissions + # Resource creates data structure including all usages of file + perms = auditd.file(audit_file).permissions - perms.each do |perm| - describe perm do - it { should include 'w' } - it { should include 'a' } - end - end if file(audit_file).exist? + perms.each do |perm| + describe perm do + it { should include 'w' } + it { should include 'a' } + end + end if file(audit_file).exist? - describe "The #{audit_file} file does not exist" do - skip "The #{audit_file} file does not exist, this requirement is Not Applicable." - end if !file(audit_file).exist? + describe "The #{audit_file} file does not exist" do + skip "The #{audit_file} file does not exist, this requirement is Not Applicable." + end if !file(audit_file).exist? + end end diff --git a/controls/V-72169.rb b/controls/V-72169.rb index 6d06f7c7b..351a78355 100644 --- a/controls/V-72169.rb +++ b/controls/V-72169.rb @@ -1,5 +1,10 @@ # encoding: utf-8 # +skip_deprecated_test = input( + 'skip_deprecated_test', + value: true, + description: 'Skips test that have been deprecated and removed from the STIG.') + control "V-72169" do title "All uses of the sudoedit command must be audited." desc " 
@@ -51,21 +56,27 @@ impact 0.0 end - describe auditd.file(audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end if file(audit_file).exist? + if skip_deprecated_test + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + end + else + describe auditd.file(audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end if file(audit_file).exist? - # Resource creates data structure including all usages of file - perms = auditd.file(audit_file).permissions + # Resource creates data structure including all usages of file + perms = auditd.file(audit_file).permissions - perms.each do |perm| - describe perm do - it { should include 'x' } - end - end if file(audit_file).exist? + perms.each do |perm| + describe perm do + it { should include 'x' } + end + end if file(audit_file).exist? - describe "The #{audit_file} file does not exist" do - skip "The #{audit_file} file does not exist, this requirement is Not Applicable." - end if !file(audit_file).exist? + describe "The #{audit_file} file does not exist" do + skip "The #{audit_file} file does not exist, this requirement is Not Applicable." + end if !file(audit_file).exist? + end end diff --git a/controls/V-72181.rb b/controls/V-72181.rb index df50b4d97..e73e70533 100644 --- a/controls/V-72181.rb +++ b/controls/V-72181.rb @@ -1,5 +1,10 @@ # encoding: utf-8 # +skip_deprecated_test = input( + 'skip_deprecated_test', + value: true, + description: 'Skips test that have been deprecated and removed from the STIG.') + control "V-72181" do title "All uses of the pt_chown command must be audited." desc " 
@@ -55,21 +60,27 @@ impact 0.0 end - describe auditd.file(audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end if file(audit_file).exist? + if skip_deprecated_test + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + end + else + describe auditd.file(audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end if file(audit_file).exist? - # Resource creates data structure including all usages of file - perms = auditd.file(audit_file).permissions + # Resource creates data structure including all usages of file + perms = auditd.file(audit_file).permissions - perms.each do |perm| - describe perm do - it { should include 'x' } - end - end if file(audit_file).exist? + perms.each do |perm| + describe perm do + it { should include 'x' } + end + end if file(audit_file).exist? - describe "The #{audit_file} file does not exist" do - skip "The #{audit_file} file does not exist, this requirement is Not Applicable." - end if !file(audit_file).exist? + describe "The #{audit_file} file does not exist" do + skip "The #{audit_file} file does not exist, this requirement is Not Applicable." + end if !file(audit_file).exist? + end end diff --git a/controls/V-72193.rb b/controls/V-72193.rb index fa42be47e..d6a81143d 100644 --- a/controls/V-72193.rb +++ b/controls/V-72193.rb @@ -1,5 +1,10 @@ # encoding: utf-8 # +skip_deprecated_test = input( + 'skip_deprecated_test', + value: true, + description: 'Skips test that have been deprecated and removed from the STIG.') + control "V-72193" do title "All uses of the rmmod command must be audited." desc " 
@@ -51,21 +56,27 @@ impact 0.0 end - describe auditd.file(audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end if file(audit_file).exist? + if skip_deprecated_test + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + end + else + describe auditd.file(audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end if file(audit_file).exist? - # Resource creates data structure including all usages of file - perms = auditd.file(audit_file).permissions + # Resource creates data structure including all usages of file + perms = auditd.file(audit_file).permissions - perms.each do |perm| - describe perm do - it { should include 'x' } - end - end if file(audit_file).exist? + perms.each do |perm| + describe perm do + it { should include 'x' } + end + end if file(audit_file).exist? - describe "The #{audit_file} file does not exist" do - skip "The #{audit_file} file does not exist, this requirement is Not Applicable." - end if !file(audit_file).exist? + describe "The #{audit_file} file does not exist" do + skip "The #{audit_file} file does not exist, this requirement is Not Applicable." + end if !file(audit_file).exist? + end end diff --git a/controls/V-72195.rb b/controls/V-72195.rb index 938e0dcc5..8599f0150 100644 --- a/controls/V-72195.rb +++ b/controls/V-72195.rb @@ -1,5 +1,10 @@ # encoding: utf-8 # +skip_deprecated_test = input( + 'skip_deprecated_test', + value: true, + description: 'Skips test that have been deprecated and removed from the STIG.') + control "V-72195" do title "All uses of the modprobe command must be audited." desc " 
@@ -55,21 +60,27 @@ impact 0.0 end - describe auditd.file(audit_file) do - its('permissions') { should_not cmp [] } - its('action') { should_not include 'never' } - end if file(audit_file).exist? - - # Resource creates data structure including all usages of file - perms = auditd.file(audit_file).permissions - - perms.each do |perm| - describe perm do - it { should include 'x' } + if skip_deprecated_test + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" end - end if file(audit_file).exist? - - describe "The #{audit_file} file does not exist" do - skip "The #{audit_file} file does not exist, this requirement is Not Applicable." - end if !file(audit_file).exist? + else + describe auditd.file(audit_file) do + its('permissions') { should_not cmp [] } + its('action') { should_not include 'never' } + end if file(audit_file).exist? + + # Resource creates data structure including all usages of file + perms = auditd.file(audit_file).permissions + + perms.each do |perm| + describe perm do + it { should include 'x' } + end + end if file(audit_file).exist? + + describe "The #{audit_file} file does not exist" do + skip "The #{audit_file} file does not exist, this requirement is Not Applicable." + end if !file(audit_file).exist? + end end diff --git a/controls/V-72215.rb b/controls/V-72215.rb index 80005e3b1..bb707532b 100644 --- a/controls/V-72215.rb +++ b/controls/V-72215.rb @@ -1,5 +1,10 @@ # encoding: utf-8 # +skip_deprecated_test = input( + 'skip_deprecated_test', + value: true, + description: 'Skips test that have been deprecated and removed from the STIG.') + control "V-72215" do title "The system must update the virus scan program every seven days or more frequently." 
@@ -66,32 +71,38 @@ desc "fix", "Update the virus scan software and virus definition files." tag "fix_id": "F-78569r2_fix" - sec_per_wk = 604800 - - describe.one do - describe systemd_service('nails') do - it { should be_running } - end - describe systemd_service('clamav-daemon.socket') do - it { should be_running } - end - end - - if systemd_service('nails').running? - virus_defs = Dir["/opt/NAI/LinuxShield/engine/dat/*.dat"] - virus_defs.each do |curr_def| - describe file(curr_def).mtime.to_i do - it { should >= Time.now.to_i - sec_per_wk } - end + if skip_deprecated_test + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + end + else + sec_per_wk = 604800 + + describe.one do + describe systemd_service('nails') do + it { should be_running } + end + describe systemd_service('clamav-daemon.socket') do + it { should be_running } + end + end + + if systemd_service('nails').running? + virus_defs = Dir["/opt/NAI/LinuxShield/engine/dat/*.dat"] + virus_defs.each do |curr_def| + describe file(curr_def).mtime.to_i do + it { should >= Time.now.to_i - sec_per_wk } + end + end end - end - if systemd_service('clamav-daemon.socket').running? - cvd_files = Dir["/var/lib/clamav/*.cvd"] - cvd_files.each do |curr_file| - describe file(curr_file).mtime.to_i do - it { should >= Time.now.to_i - sec_per_wk } + if systemd_service('clamav-daemon.socket').running? + cvd_files = Dir["/var/lib/clamav/*.cvd"] + cvd_files.each do |curr_file| + describe file(curr_file).mtime.to_i do + it { should >= Time.now.to_i - sec_per_wk } + end end end - end + end end diff --git a/controls/V-72435.rb b/controls/V-72435.rb index e7820b9da..a1e3c9a69 100644 --- a/controls/V-72435.rb +++ b/controls/V-72435.rb 
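Review bot: Inside the new `else` branch the freshness checks are generated only for files returned by `Dir[...]`, so when `/opt/NAI/LinuxShield/engine/dat/` or `/var/lib/clamav/` holds no definition files the loop emits no test and the control passes without verifying anything; the same applies to the clamav loop below it. Adding `describe virus_defs do` / `it { should_not be_empty }` / `end` before `virus_defs.each` (and the equivalent for `cvd_files`) would make an empty definition directory a finding rather than a silent pass. The loops are carried over from the removed lines, but the wrapper makes this branch the only path that evaluates the requirement. The enclosing `control … do` starts outside the hunk; the hunk includes its closing `end`.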
@@ -1,24 +1,9 @@ # encoding: utf-8 # -=begin ------------------ -Benchmark: Red Hat Enterprise Linux 7 Security Technical Implementation Guide -Status: Accepted - -This Security Technical Implementation Guide is published as a tool to improve -the security of Department of Defense (DoD) information systems. The -requirements are derived from the National Institute of Standards and -Technology (NIST) 800-53 and related documents. Comments or proposed revisions -to this document should be sent via email to the following address: -disa.stig_spt@mail.mil. - -Release Date: 2017-03-08 -Version: 1 -Publisher: DISA -Source: STIG.DOD.MIL -uri: http://iase.disa.mil ------------------ -=end +skip_deprecated_test = input( + 'skip_deprecated_test', + value: true, + description: 'Skips test that have been deprecated and removed from the STIG.') control "V-72435" do title "The operating system must implement smart card logons for multifactor 
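Review bot: The removed `=begin … =end` block was the only place in this file recording the benchmark provenance (Release Date 2017-03-08, Version 1, Publisher DISA), and nothing added in this hunk replaces it. If that metadata now lives in `inspec.yml` or a profile-level README this is fine; otherwise a one-line comment such as `# Source: DISA RHEL 7 STIG, Release Date 2017-03-08, Version 1` above `control "V-72435"` keeps the provenance with the control. The other files touched in this commit show only the `# encoding` header at the top of their first hunks, so this file appears to have been the odd one out.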
@@ -86,13 +71,17 @@ # authconfig --enablesmartcard --smartcardaction=1 --update # authconfig --enablerequiresmartcard --update" - - describe command("authconfig --test | grep -i \"smartcard for login is\" | awk '{ print $NF }'") do - its('stdout.strip') { should eq 'enabled' } - end - - describe command('authconfig --test | grep -i "smartcard removal action" | awk \'{ print $NF }\'') do - its('stdout.strip') { should_not be nil } + if skip_deprecated_test + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + end + else + describe command("authconfig --test | grep -i \"smartcard for login is\" | awk '{ print $NF }'") do + its('stdout.strip') { should eq 'enabled' } + end + + describe command('authconfig --test | grep -i "smartcard removal action" | awk \'{ print $NF }\'') do + its('stdout.strip') { should_not be nil } + end end - end diff --git a/controls/V-78995.rb b/controls/V-78995.rb index 9bad177be..a5fcc19e9 100644 --- a/controls/V-78995.rb +++ b/controls/V-78995.rb @@ -1,5 +1,9 @@ # encoding: utf-8 # +skip_deprecated_test = input( + 'skip_deprecated_test', + value: true, + description: 'Skips test that have been deprecated and removed from the STIG.') control "V-78995" do title "The operating system must prevent a user from overriding the 
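Review bot: `its('stdout.strip') { should_not be nil }` on the smartcard-removal-action check can never fail: `stdout` is a String, `strip` returns a String, and when grep matches nothing the value is `""`, which still satisfies `should_not be nil`. `its('stdout.strip') { should_not be_empty }` would at least require the setting to be present, and if the STIG specifies the expected action value, comparing against that would be stronger. The expectation is carried over from the removed lines, but after this change it is the only assertion on the removal action in the non-skipped path. The enclosing `control … do` starts outside the hunk; the hunk includes its closing `end`.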
@@ -73,11 +77,17 @@ " tag "fix_id": "F-85745r1_fix" - describe command("gsettings writable org.gnome.desktop.screensaver lock-enabled") do - its('stdout.strip') { should cmp 'false' } - end if package('gnome-desktop3').installed? - - describe "The GNOME desktop is not installed" do - skip "The GNOME desktop is not installed, this control is Not Applicable." - end if !package('gnome-desktop3').installed? + if skip_deprecated_test + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + end + else + describe command("gsettings writable org.gnome.desktop.screensaver lock-enabled") do + its('stdout.strip') { should cmp 'false' } + end if package('gnome-desktop3').installed? + + describe "The GNOME desktop is not installed" do + skip "The GNOME desktop is not installed, this control is Not Applicable." + end if !package('gnome-desktop3').installed? + end end From 746e9bfb266b87d12d5bf82ea66f9ee92650512b Mon Sep 17 00:00:00 2001 From: Danny Haynes Date: Thu, 14 Nov 2019 13:03:03 -0500 Subject: [PATCH 04/26] Update V-71895.rb Fixed some typos. --- controls/V-71895.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/V-71895.rb b/controls/V-71895.rb index 917753fdf..9a61d3eb1 100644 --- a/controls/V-71895.rb +++ b/controls/V-71895.rb @@ -3,7 +3,7 @@ skip_deprecated_test = input( 'skip_deprecated_test', value: true, - description: 'Skips test that have been deprecated and removed from the STIG.') + description: 'Skips tests that have been deprecated and removed from the STIG.') control "V-71895" do title "The operating system must set the idle delay setting for all connection 
@@ -69,8 +69,8 @@ if skip_deprecated_test - describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do - skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" end else describe command("grep -i idle-delay /etc/dconf/db/*/locks/*") do From 00f3d5e806795d4818445e3983eed2381bc97648 Mon Sep 17 00:00:00 2001 From: Danny Haynes Date: Thu, 14 Nov 2019 13:03:35 -0500 Subject: [PATCH 05/26] Update V-71981.rb Fixed some typos. --- controls/V-71981.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/V-71981.rb b/controls/V-71981.rb index 7d7191fa6..586f561e1 100644 --- a/controls/V-71981.rb +++ b/controls/V-71981.rb @@ -3,7 +3,7 @@ skip_deprecated_test = input( 'skip_deprecated_test', value: true, - description: 'Skips test that have been deprecated and removed from the STIG.') + description: 'Skips tests that have been deprecated and removed from the STIG.') control "V-71981" do title "The operating system must prevent the installation of software, 
@@ -58,8 +58,8 @@ tag "fix_id": "F-78333r1_fix" if skip_deprecated_test - describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do - skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" end else yum_conf = file('/etc/yum.conf') From ab31ab9d73e7b7ffc5132d53a59fab790a9af826 Mon Sep 17 00:00:00 2001 From: Danny Haynes Date: Thu, 14 Nov 2019 13:05:54 -0500 Subject: [PATCH 06/26] Update V-72143.rb Fixed some typos. --- controls/V-72143.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/V-72143.rb b/controls/V-72143.rb index 95dd82a3b..019deb19b 100644 --- a/controls/V-72143.rb +++ b/controls/V-72143.rb @@ -3,7 +3,7 @@ skip_deprecated_test = input( 'skip_deprecated_test', value: true, - description: 'Skips test that have been deprecated and removed from the STIG.') + description: 'Skips tests that have been deprecated and removed from the STIG.') control "V-72143" do title "The operating system must generate audit records for all 
@@ -57,8 +57,8 @@ end if skip_deprecated_test - describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do - skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" end else describe auditd.file(audit_file) do From afc403239abf649d8c0bb2ad5ebd87c33568ffc4 Mon Sep 17 00:00:00 2001 From: Danny Haynes Date: Thu, 14 Nov 2019 13:06:35 -0500 Subject: [PATCH 07/26] Update V-72169.rb Fixed some typos. --- controls/V-72169.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/V-72169.rb b/controls/V-72169.rb index 351a78355..63e38c8c3 100644 --- a/controls/V-72169.rb +++ b/controls/V-72169.rb @@ -3,7 +3,7 @@ skip_deprecated_test = input( 'skip_deprecated_test', value: true, - description: 'Skips test that have been deprecated and removed from the STIG.') + description: 'Skips tests that have been deprecated and removed from the STIG.') control "V-72169" do title "All uses of the sudoedit command must be audited." @@ -57,8 +57,8 @@ end if skip_deprecated_test - describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do - skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" end else describe auditd.file(audit_file) do 
From 93fc5e9416e34ce4dd32b16593e1d043e190d669 Mon Sep 17 00:00:00 2001 From: Danny Haynes Date: Thu, 14 Nov 2019 13:07:18 -0500 Subject: [PATCH 08/26] Update V-72181.rb Fixed some typos. --- controls/V-72181.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/V-72181.rb b/controls/V-72181.rb index e73e70533..5d74b56a7 100644 --- a/controls/V-72181.rb +++ b/controls/V-72181.rb @@ -3,7 +3,7 @@ skip_deprecated_test = input( 'skip_deprecated_test', value: true, - description: 'Skips test that have been deprecated and removed from the STIG.') + description: 'Skips tests that have been deprecated and removed from the STIG.') control "V-72181" do title "All uses of the pt_chown command must be audited." @@ -61,8 +61,8 @@ end if skip_deprecated_test - describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do - skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" end else describe auditd.file(audit_file) do From d87c9098de2ef157c5d534e13a3c92ff4f93e315 Mon Sep 17 00:00:00 2001 From: Danny Haynes Date: Thu, 14 Nov 2019 13:08:24 -0500 Subject: [PATCH 09/26] Update V-72193.rb Fixed some typos. --- controls/V-72193.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/V-72193.rb b/controls/V-72193.rb index d6a81143d..20e78237e 100644 --- a/controls/V-72193.rb +++ b/controls/V-72193.rb 
@@ -3,7 +3,7 @@ skip_deprecated_test = input( 'skip_deprecated_test', value: true, - description: 'Skips test that have been deprecated and removed from the STIG.') + description: 'Skips tests that have been deprecated and removed from the STIG.') control "V-72193" do title "All uses of the rmmod command must be audited." @@ -57,8 +57,8 @@ end if skip_deprecated_test - describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do - skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" end else describe auditd.file(audit_file) do From 8734a31a0eb81cc272a676049dca12af22cf86b8 Mon Sep 17 00:00:00 2001 From: Danny Haynes Date: Thu, 14 Nov 2019 13:09:17 -0500 Subject: [PATCH 10/26] Update V-72195.rb --- controls/V-72195.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/V-72195.rb b/controls/V-72195.rb index 8599f0150..570f19e4a 100644 --- a/controls/V-72195.rb +++ b/controls/V-72195.rb @@ -3,7 +3,7 @@ skip_deprecated_test = input( 'skip_deprecated_test', value: true, - description: 'Skips test that have been deprecated and removed from the STIG.') + description: 'Skips tests that have been deprecated and removed from the STIG.') control "V-72195" do title "All uses of the modprobe command must be audited." 
@@ -61,8 +61,8 @@ end if skip_deprecated_test - describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do - skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" end else describe auditd.file(audit_file) do From 66ae13d88fd78677c1a6d6cbcc291b580720f4a7 Mon Sep 17 00:00:00 2001 From: Danny Haynes Date: Thu, 14 Nov 2019 13:10:48 -0500 Subject: [PATCH 11/26] Update V-72215.rb Fixed some typos. --- controls/V-72215.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/V-72215.rb b/controls/V-72215.rb index bb707532b..3e76e873d 100644 --- a/controls/V-72215.rb +++ b/controls/V-72215.rb @@ -3,7 +3,7 @@ skip_deprecated_test = input( 'skip_deprecated_test', value: true, - description: 'Skips test that have been deprecated and removed from the STIG.') + description: 'Skips tests that have been deprecated and removed from the STIG.') control "V-72215" do title "The system must update the virus scan program every seven days or more 
@@ -72,8 +72,8 @@ tag "fix_id": "F-78569r2_fix" if skip_deprecated_test - describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do - skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" end else sec_per_wk = 604800 From 9564b2caf73d58763d39c6672c3a049ea4a0ffe3 Mon Sep 17 00:00:00 2001 From: Danny Haynes Date: Thu, 14 Nov 2019 13:11:49 -0500 Subject: [PATCH 12/26] Update V-72435.rb Fixed some typos. --- controls/V-72435.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/V-72435.rb b/controls/V-72435.rb index a1e3c9a69..3f926c388 100644 --- a/controls/V-72435.rb +++ b/controls/V-72435.rb @@ -3,7 +3,7 @@ skip_deprecated_test = input( 'skip_deprecated_test', value: true, - description: 'Skips test that have been deprecated and removed from the STIG.') + description: 'Skips tests that have been deprecated and removed from the STIG.') control "V-72435" do title "The operating system must implement smart card logons for multifactor 
@@ -72,8 +72,8 @@ # authconfig --enablerequiresmartcard --update" if skip_deprecated_test - describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do - skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" end else describe command("authconfig --test | grep -i \"smartcard for login is\" | awk '{ print $NF }'") do From f221a934e4894270423ef98f577d6d6756cd1ed1 Mon Sep 17 00:00:00 2001 From: Danny Haynes Date: Thu, 14 Nov 2019 13:12:32 -0500 Subject: [PATCH 13/26] Update V-78995.rb Fixed some typos. --- controls/V-78995.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/V-78995.rb b/controls/V-78995.rb index a5fcc19e9..a61c86532 100644 --- a/controls/V-78995.rb +++ b/controls/V-78995.rb @@ -3,7 +3,7 @@ skip_deprecated_test = input( 'skip_deprecated_test', value: true, - description: 'Skips test that have been deprecated and removed from the STIG.') + description: 'Skips tests that have been deprecated and removed from the STIG.') control "V-78995" do title "The operating system must prevent a user from overriding the 
@@ -78,8 +78,8 @@ tag "fix_id": "F-85745r1_fix" if skip_deprecated_test - describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do - skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" end else describe command("gsettings writable org.gnome.desktop.screensaver lock-enabled") do From 4a2ffad9cdaca6edab10c694e717c2b5f099d518 Mon Sep 17 00:00:00 2001 From: Danny Haynes Date: Thu, 14 Nov 2019 13:03:03 -0500 Subject: [PATCH 14/26] Update V-71895.rb Fixed some typos. --- controls/V-71895.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/V-71895.rb b/controls/V-71895.rb index 917753fdf..9a61d3eb1 100644 --- a/controls/V-71895.rb +++ b/controls/V-71895.rb @@ -3,7 +3,7 @@ skip_deprecated_test = input( 'skip_deprecated_test', value: true, - description: 'Skips test that have been deprecated and removed from the STIG.') + description: 'Skips tests that have been deprecated and removed from the STIG.') control "V-71895" do title "The operating system must set the idle delay setting for all connection 
@@ -69,8 +69,8 @@ if skip_deprecated_test - describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do - skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" end else describe command("grep -i idle-delay /etc/dconf/db/*/locks/*") do From f40f2417941186586bcdcdfc506943bfffa7b38c Mon Sep 17 00:00:00 2001 From: Danny Haynes Date: Thu, 14 Nov 2019 13:03:35 -0500 Subject: [PATCH 15/26] Update V-71981.rb Fixed some typos. --- controls/V-71981.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/V-71981.rb b/controls/V-71981.rb index 7d7191fa6..586f561e1 100644 --- a/controls/V-71981.rb +++ b/controls/V-71981.rb @@ -3,7 +3,7 @@ skip_deprecated_test = input( 'skip_deprecated_test', value: true, - description: 'Skips test that have been deprecated and removed from the STIG.') + description: 'Skips tests that have been deprecated and removed from the STIG.') control "V-71981" do title "The operating system must prevent the installation of software, 
@@ -58,8 +58,8 @@ tag "fix_id": "F-78333r1_fix" if skip_deprecated_test - describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do - skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" end else yum_conf = file('/etc/yum.conf') From 48a7646053ad42942991026ee229771b1c42160a Mon Sep 17 00:00:00 2001 From: Danny Haynes Date: Thu, 14 Nov 2019 13:05:54 -0500 Subject: [PATCH 16/26] Update V-72143.rb Fixed some typos. --- controls/V-72143.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/V-72143.rb b/controls/V-72143.rb index 95dd82a3b..019deb19b 100644 --- a/controls/V-72143.rb +++ b/controls/V-72143.rb @@ -3,7 +3,7 @@ skip_deprecated_test = input( 'skip_deprecated_test', value: true, - description: 'Skips test that have been deprecated and removed from the STIG.') + description: 'Skips tests that have been deprecated and removed from the STIG.') control "V-72143" do title "The operating system must generate audit records for all 
@@ -57,8 +57,8 @@ end if skip_deprecated_test - describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do - skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" end else describe auditd.file(audit_file) do From 27e0ac4c108c0bc1cce591c46685bb06b9565448 Mon Sep 17 00:00:00 2001 From: Danny Haynes Date: Thu, 14 Nov 2019 13:06:35 -0500 Subject: [PATCH 17/26] Update V-72169.rb Fixed some typos. --- controls/V-72169.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/V-72169.rb b/controls/V-72169.rb index 351a78355..63e38c8c3 100644 --- a/controls/V-72169.rb +++ b/controls/V-72169.rb @@ -3,7 +3,7 @@ skip_deprecated_test = input( 'skip_deprecated_test', value: true, - description: 'Skips test that have been deprecated and removed from the STIG.') + description: 'Skips tests that have been deprecated and removed from the STIG.') control "V-72169" do title "All uses of the sudoedit command must be audited." @@ -57,8 +57,8 @@ end if skip_deprecated_test - describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do - skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" end else describe auditd.file(audit_file) do 
From 9c43243caddb7317a33e30971f26623578d48382 Mon Sep 17 00:00:00 2001 From: Danny Haynes Date: Thu, 14 Nov 2019 13:07:18 -0500 Subject: [PATCH 18/26] Update V-72181.rb Fixed some typos. --- controls/V-72181.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/V-72181.rb b/controls/V-72181.rb index e73e70533..5d74b56a7 100644 --- a/controls/V-72181.rb +++ b/controls/V-72181.rb @@ -3,7 +3,7 @@ skip_deprecated_test = input( 'skip_deprecated_test', value: true, - description: 'Skips test that have been deprecated and removed from the STIG.') + description: 'Skips tests that have been deprecated and removed from the STIG.') control "V-72181" do title "All uses of the pt_chown command must be audited." @@ -61,8 +61,8 @@ end if skip_deprecated_test - describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do - skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" end else describe auditd.file(audit_file) do From 7c14a67a3de42a215713115414ac64438f4108b3 Mon Sep 17 00:00:00 2001 From: Danny Haynes Date: Thu, 14 Nov 2019 13:08:24 -0500 Subject: [PATCH 19/26] Update V-72193.rb Fixed some typos. --- controls/V-72193.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/V-72193.rb b/controls/V-72193.rb index d6a81143d..20e78237e 100644 --- a/controls/V-72193.rb +++ b/controls/V-72193.rb 
@@ -3,7 +3,7 @@ skip_deprecated_test = input( 'skip_deprecated_test', value: true, - description: 'Skips test that have been deprecated and removed from the STIG.') + description: 'Skips tests that have been deprecated and removed from the STIG.') control "V-72193" do title "All uses of the rmmod command must be audited." @@ -57,8 +57,8 @@ end if skip_deprecated_test - describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do - skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" end else describe auditd.file(audit_file) do From 019ed239dc394ebba327ebe270eef2a12c8fd4d9 Mon Sep 17 00:00:00 2001 From: Danny Haynes Date: Thu, 14 Nov 2019 13:09:17 -0500 Subject: [PATCH 20/26] Update V-72195.rb --- controls/V-72195.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/V-72195.rb b/controls/V-72195.rb index 8599f0150..570f19e4a 100644 --- a/controls/V-72195.rb +++ b/controls/V-72195.rb @@ -3,7 +3,7 @@ skip_deprecated_test = input( 'skip_deprecated_test', value: true, - description: 'Skips test that have been deprecated and removed from the STIG.') + description: 'Skips tests that have been deprecated and removed from the STIG.') control "V-72195" do title "All uses of the modprobe command must be audited." 
@@ -61,8 +61,8 @@ end if skip_deprecated_test - describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do - skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" end else describe auditd.file(audit_file) do From 891fbf17649404c0b5aeafce2c2e339d36173614 Mon Sep 17 00:00:00 2001 From: Danny Haynes Date: Thu, 14 Nov 2019 13:10:48 -0500 Subject: [PATCH 21/26] Update V-72215.rb Fixed some typos. --- controls/V-72215.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/V-72215.rb b/controls/V-72215.rb index bb707532b..3e76e873d 100644 --- a/controls/V-72215.rb +++ b/controls/V-72215.rb @@ -3,7 +3,7 @@ skip_deprecated_test = input( 'skip_deprecated_test', value: true, - description: 'Skips test that have been deprecated and removed from the STIG.') + description: 'Skips tests that have been deprecated and removed from the STIG.') control "V-72215" do title "The system must update the virus scan program every seven days or more 
@@ -72,8 +72,8 @@ tag "fix_id": "F-78569r2_fix" if skip_deprecated_test - describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do - skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" end else sec_per_wk = 604800 From c03d5ed439e9f25c57f738f5d0c3ca66c8b5dd83 Mon Sep 17 00:00:00 2001 From: Danny Haynes Date: Thu, 14 Nov 2019 13:11:49 -0500 Subject: [PATCH 22/26] Update V-72435.rb Fixed some typos. --- controls/V-72435.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/V-72435.rb b/controls/V-72435.rb index a1e3c9a69..3f926c388 100644 --- a/controls/V-72435.rb +++ b/controls/V-72435.rb @@ -3,7 +3,7 @@ skip_deprecated_test = input( 'skip_deprecated_test', value: true, - description: 'Skips test that have been deprecated and removed from the STIG.') + description: 'Skips tests that have been deprecated and removed from the STIG.') control "V-72435" do title "The operating system must implement smart card logons for multifactor 
@@ -72,8 +72,8 @@ # authconfig --enablerequiresmartcard --update" if skip_deprecated_test - describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do - skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" + describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do + skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" end else describe command("authconfig --test | grep -i \"smartcard for login is\" | awk '{ print $NF }'") do From d98e6fed6a207cf14967ccb7f6dd37b3f9bcb455 Mon Sep 17 00:00:00 2001 From: Danny Haynes Date: Thu, 14 Nov 2019 13:12:32 -0500 Subject: [PATCH 23/26] Update V-78995.rb Fixed some typos. --- controls/V-78995.rb | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/controls/V-78995.rb b/controls/V-78995.rb index a5fcc19e9..a61c86532 100644 --- a/controls/V-78995.rb +++ b/controls/V-78995.rb @@ -3,7 +3,7 @@ skip_deprecated_test = input( 'skip_deprecated_test', value: true, - description: 'Skips test that have been deprecated and removed from the STIG.') + description: 'Skips tests that have been deprecated and removed from the STIG.') control "V-78995" do title "The operating system must prevent a user from overriding the 
@@ -78,8 +78,8 @@
 tag "fix_id": "F-85745r1_fix"

 if skip_deprecated_test
- describe "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True" do
- skip "This control has been deprecated out of the RHEL7 STIG. It will not be run becuase 'skip_deprecated_test' is set to True"
+ describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do
+ skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True"
 end
 else
 describe command("gsettings writable org.gnome.desktop.screensaver lock-enabled") do
From fef1c137d51f52511dba7e2721477aa8164065fc Mon Sep 17 00:00:00 2001
From: HackerShark
Date: Wed, 4 Mar 2020 10:35:36 -0500
Subject: [PATCH 24/26] cleaning up controls and inspec.yml, fixing typos
Signed-off-by: HackerShark --- controls/V-71849.rb | 13 ++----- controls/V-71855.rb | 12 ++----- controls/V-71859.rb | 12 ++----- controls/V-71861.rb | 28 ++------------- controls/V-71863.rb | 28 ++------------- controls/V-71895.rb | 5 +-- controls/V-71901.rb | 5 +-- controls/V-71911.rb | 4 +-- controls/V-71933.rb | 4 +-- controls/V-71935.rb | 3 +- controls/V-71941.rb | 3 +- controls/V-71943.rb | 13 ++----- controls/V-71961.rb | 18 ++-------- controls/V-71963.rb | 18 ++-------- controls/V-71965.rb | 6 +--- controls/V-71971.rb | 6 +--- controls/V-71981.rb | 5 +-- controls/V-72001.rb | 49 ++------------------------ controls/V-72011.rb | 12 ++----- controls/V-72015.rb | 12 ++----- controls/V-72017.rb | 12 ++----- controls/V-72019.rb | 12 ++----- controls/V-72021.rb | 12 ++----- controls/V-72023.rb | 12 ++----- controls/V-72025.rb | 12 ++----- controls/V-72027.rb | 12 ++----- controls/V-72029.rb | 12 ++----- controls/V-72031.rb | 12 ++----- controls/V-72033.rb | 14 ++------ controls/V-72035.rb | 12 ++----- controls/V-72037.rb | 19 ++-------- controls/V-72039.rb | 5 +-- controls/V-72043.rb | 6 +--- controls/V-72047.rb | 6 +--- controls/V-72049.rb | 6 +--- controls/V-72051.rb | 6 +--- controls/V-72059.rb | 12 ++----- controls/V-72081.rb | 7 +--- controls/V-72143.rb | 5 +-- controls/V-72169.rb | 5 +-- controls/V-72181.rb | 5 +-- controls/V-72193.rb | 5 +-- controls/V-72195.rb | 5 +-- controls/V-72209.rb | 6 +--- controls/V-72211.rb | 6 +--- controls/V-72215.rb | 5 +-- controls/V-72219.rb | 62 +++++---------------------------- controls/V-72223.rb | 6 +--- controls/V-72225.rb | 28 ++------------- controls/V-72237.rb | 3 +- controls/V-72307.rb | 6 +--- controls/V-72315.rb | 85 ++++++++------------------------------------- controls/V-72317.rb | 9 +---- controls/V-72417.rb | 17 ++------- controls/V-72433.rb | 6 +--- controls/V-72435.rb | 5 +-- controls/V-73159.rb | 4 +-- controls/V-77819.rb | 14 ++------ controls/V-77825.rb | 4 +-- controls/V-78995.rb | 5 +-- inspec.yml | 69 
++++++++++++++++++++++++++++++++++-- 61 files changed, 187 insertions(+), 623 deletions(-) diff --git a/controls/V-71849.rb b/controls/V-71849.rb index d860aef95..a798df613 100644 --- a/controls/V-71849.rb +++ b/controls/V-71849.rb @@ -1,17 +1,8 @@ # encoding: utf-8 # # Support for passed in Atrributes -disable_slow_controls = input( - 'disable_slow_controls', - value: false, - description: 'If enabled, this attribute disables this control and other - controls that consistently take a long time to complete.' -) -rpm_verify_perms_except = input( - 'rpm_verify_perms_except', - value: [], - description: 'This is a list of system files that should be allowed to change - permission attributes from an rpm verify point of view.') +disable_slow_controls = input('disable_slow_controls') +rpm_verify_perms_except = input('rpm_verify_perms_except') control "V-71849" do title "The file permissions, ownership, and group membership of system files and commands must match the vendor" \ diff --git a/controls/V-71855.rb b/controls/V-71855.rb index e6eee00a8..e9c1dc744 100644 --- a/controls/V-71855.rb +++ b/controls/V-71855.rb @@ -1,16 +1,8 @@ # encoding: utf-8 # -disable_slow_controls = input( - 'disable_slow_controls', - value: false, - description: 'If enabled, this attribute disables this control and other - controls that consistently take a long time to complete.') +disable_slow_controls = input('disable_slow_controls') -rpm_verify_integrity_except = input( - 'rpm_verify_integrity_except', - value: [], - description: 'This is a list of system files that should be allowed to change - from an rpm verify point of view.') +rpm_verify_integrity_except = input('rpm_verify_integrity_except') control "V-71855" do title "The cryptographic hash of system files and commands must match vendor diff --git a/controls/V-71859.rb b/controls/V-71859.rb index 7608a12a9..2f6c93e1e 100644 --- a/controls/V-71859.rb +++ b/controls/V-71859.rb 
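Review bot: `disable_slow_controls = input('disable_slow_controls')` drops the `value: false` default without marking the input `required: true`, so if inspec.yml does not define it the name resolves to InSpec's unset-input sentinel (in InSpec 4, as far as I recall, `Inspec::Input::NO_VALUE_SET`, which only logs a warning and is truthy), and `if disable_slow_controls` then skips the control silently. The same applies to every `input('…')` in this commit, most visibly `skip_deprecated_test` in V-71895, V-71981, V-72143, V-72169, V-72181, V-72193, V-72195 and V-72215, where an unset value would turn a STIG check into a silent skip rather than a failure. The inspec.yml hunk that is meant to carry the defaults and descriptions is outside this view, so I cannot confirm each name is defined there with a `value:`. Either confirm that, or write `disable_slow_controls = input('disable_slow_controls', required: true)` (and likewise for the skip/exception-list inputs) so a missing definition fails loudly.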
@@ -1,15 +1,9 @@
 # encoding: utf-8
 #

-banner_message_enabled = input('banner_message_enabled', value: "true",
- description: 'The banner message must display the Standard Mandatory DoD notice
- before granting access.')
-
-dconf_user = input(
- 'dconf_user',
- value: nil,
- description: "User to use to check dconf settings"
-)
+banner_message_enabled = input('banner_message_enabled')
+
+dconf_user = input('dconf_user')

 control "V-71859" do
 title "The operating system must display the Standard Mandatory DoD Notice
diff --git a/controls/V-71861.rb b/controls/V-71861.rb
index e91d3913a..05b445af3 100644
--- a/controls/V-71861.rb
+++ b/controls/V-71861.rb
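Review bot: The removed default for `banner_message_enabled` was the string `"true"`, not a boolean, and the comparison that consumes it sits in the control body outside this hunk; if inspec.yml now declares it as YAML `true` it arrives as a Ruby boolean, and a `== "true"` comparison in the body would then never match, reporting the banner as disabled on every host. Please check which type the body expects and keep inspec.yml consistent with it, or normalise once after the read with `banner_message_enabled = input('banner_message_enabled').to_s == 'true'`. `dconf_user` similarly loses its documented `nil` default, which the body presumably relies on to pick a user; a short comment at the read site such as `# dconf_user: nil means use the default dconf profile; see inspec.yml` would keep that intent visible.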
@@ -1,30 +1,8 @@ # encoding: utf-8 # -banner_message_text_gui = input('banner_message_text_gui', -value: -"You are accessing a U.S. Government (USG) Information System (IS) that is \ -provided for USG-authorized use only. By using this IS (which includes any \ -device attached to this IS), you consent to the following conditions: -The USG \ -routinely intercepts and monitors communications on this IS for purposes \ -including, but not limited to, penetration testing, COMSEC monitoring, network \ -operations and defense, personnel misconduct (PM), law enforcement (LE), and \ -counterintelligence (CI) investigations. -At any time, the USG may inspect and \ -seize data stored on this IS. -Communications using, or data stored on, this \ -IS are not private, are subject to routine monitoring, interception, and \ -search, and may be disclosed or used for any USG-authorized purpose. -This IS \ -includes security measures (e.g., authentication and access controls) to \ -protect USG interests--not for your personal benefit or privacy. \ --Notwithstanding the above, using this IS does not constitute consent to PM, \ -LE or CI investigative searching or monitoring of the content of privileged \ -communications, or work product, related to personal representation or \ -services by attorneys, psychotherapists, or clergy, and their assistants. Such \ -communications and work product are private and confidential. 
See User \ -Agreement for details.", -description: 'The banner message must display the designated banner before granting access.') - -banner_message_text_gui_limited = input('banner_message_text_gui_limited', -value: "I've read & consent to terms in IS user agreem't.", -description: 'The banner message must display the designated banner before granting access.') +banner_message_text_gui = input('banner_message_text_gui') + +banner_message_text_gui_limited = input('banner_message_text_gui_limited') control "V-71861" do title "The operating system must display the approved Standard Mandatory DoD diff --git a/controls/V-71863.rb b/controls/V-71863.rb index fbc7abad7..551d3fed1 100644 --- a/controls/V-71863.rb +++ b/controls/V-71863.rb 
@@ -3,31 +3,9 @@ #TODO: Make sure this is actually an onlyif on the GUI - ssh banner, ftp banner also use /etc/issue -banner_message_text_cli = input('banner_message_text_cli', -value: -"You are accessing a U.S. Government (USG) Information System (IS) that is \ -provided for USG-authorized use only. By using this IS (which includes any \ -device attached to this IS), you consent to the following conditions: -The USG \ -routinely intercepts and monitors communications on this IS for purposes \ -including, but not limited to, penetration testing, COMSEC monitoring, network \ -operations and defense, personnel misconduct (PM), law enforcement (LE), and \ -counterintelligence (CI) investigations. -At any time, the USG may inspect and \ -seize data stored on this IS. -Communications using, or data stored on, this \ -IS are not private, are subject to routine monitoring, interception, and \ -search, and may be disclosed or used for any USG-authorized purpose. -This IS \ -includes security measures (e.g., authentication and access controls) to \ -protect USG interests--not for your personal benefit or privacy. \ --Notwithstanding the above, using this IS does not constitute consent to PM, \ -LE or CI investigative searching or monitoring of the content of privileged \ -communications, or work product, related to personal representation or \ -services by attorneys, psychotherapists, or clergy, and their assistants. Such \ -communications and work product are private and confidential. 
See User \ -Agreement for details.", -description: 'The banner message must display the designated banner before granting access.') - -banner_message_text_cli_limited = input('banner_message_text_cli_limited', -value: "I've read & consent to terms in IS user agreem't.", -description: 'The banner message must display the designated banner before granting access.') +banner_message_text_cli = input('banner_message_text_cli') + +banner_message_text_cli_limited = input('banner_message_text_cli_limited') control "V-71863" do title "The operating system must display the Standard Mandatory DoD Notice diff --git a/controls/V-71895.rb b/controls/V-71895.rb index 9a61d3eb1..ed1f6c977 100644 --- a/controls/V-71895.rb +++ b/controls/V-71895.rb @@ -1,9 +1,6 @@ # encoding: utf-8 # -skip_deprecated_test = input( - 'skip_deprecated_test', - value: true, - description: 'Skips tests that have been deprecated and removed from the STIG.') +skip_deprecated_test = input('skip_deprecated_test') control "V-71895" do title "The operating system must set the idle delay setting for all connection diff --git a/controls/V-71901.rb b/controls/V-71901.rb index 7d83a1b96..20f25994c 100644 --- a/controls/V-71901.rb +++ b/controls/V-71901.rb @@ -1,10 +1,7 @@ # encoding: utf-8 # -lock_delay = input('lock_delay', -value: 5, -description: 'The scereensaver lock-delay must be less than or equal to the -specified value.') +lock_delay = input('lock_delay') control "V-71901" do title "The operating system must initiate a session lock for graphical user diff --git a/controls/V-71911.rb b/controls/V-71911.rb index 4006be00e..29ec9b819 100644 --- a/controls/V-71911.rb +++ b/controls/V-71911.rb 
@@ -1,9 +1,7 @@
 # encoding: utf-8
 #

-difok = input('difok', value: 8, description: 'The acceptable range of
-values for difok which specifies the maximum number of characters that must
-change when a password is changed.')
+difok = input('difok')

 control "V-71911" do
 title "When passwords are changed a minimum of eight of the total number of
diff --git a/controls/V-71933.rb b/controls/V-71933.rb
index d52b6a19e..7718c13f1 100644
--- a/controls/V-71933.rb
+++ b/controls/V-71933.rb
@@ -5,9 +5,7 @@
 # TODO this can happen if `authconfig` has not been run on the system yet and
 # TODO the system is still using the `non-ac` versions of the files yet.

-min_reuse_generations = input('min_reuse_generations', value: 5,
-description: 'The minimum number of generations before a password can be
-reused.')
+min_reuse_generations = input('min_reuse_generations')

 control "V-71933" do
 title "Passwords must be prohibited from reuse for a minimum of five
diff --git a/controls/V-71935.rb b/controls/V-71935.rb
index 9cdc79581..d82d7a497 100644
--- a/controls/V-71935.rb
+++ b/controls/V-71935.rb
@@ -4,8 +4,7 @@
 # TODO update attrib to use the same `style` as the other PAM/PASSWD attributes
 # TODO we should also have a PAM_PWQUALITY_PATH attrib I think

-min_len = input('min_len', value: 15,
-description: 'The minimum number of characters for passwords.')
+min_len = input('min_len')

 control "V-71935" do
 title "Passwords must be a minimum of 15 characters in length."
diff --git a/controls/V-71941.rb b/controls/V-71941.rb
index 1032428da..db6bd5468 100644
--- a/controls/V-71941.rb
+++ b/controls/V-71941.rb
@@ -1,8 +1,7 @@
 # encoding: utf-8
 #

-days_of_inactivity = input('days_of_inactivity', value: 0, description: 'The
-number of days of inactivity before an account is disabled.')
+days_of_inactivity = input('days_of_inactivity')

 control "V-71941" do
 title "The operating system must disable account identifiers (individuals,
diff --git a/controls/V-71943.rb b/controls/V-71943.rb index 04a2ba2cc..a8bf9e8f9 100644 --- a/controls/V-71943.rb +++ b/controls/V-71943.rb @@ -1,16 +1,9 @@ # encoding: utf-8 # -unsuccessful_attempts = input('unsuccessful_attempts', value: 3, -description: 'The account is denied access after the specified number of -consecutive failed logon attempts.') -fail_interval = input('fail_interval', value: 900, -description: 'The interval of time in which the consecutive failed logon -attempts must occur in order for the account to be locked out (in seconds).') -lockout_time = input('lockout_time', value: 604800, -description: 'The minimum amount of time that an account must be locked out -after the specified number of unsuccessful logon attempts (in seconds). -This attribute should never be set greater than 604800.') +unsuccessful_attempts = input('unsuccessful_attempts') +fail_interval = input('fail_interval') +lockout_time = input('lockout_time') control "V-71943" do title "Accounts subject to three unsuccessful logon attempts within 15 diff --git a/controls/V-71961.rb b/controls/V-71961.rb index 434eed70e..3829dba51 100644 --- a/controls/V-71961.rb +++ b/controls/V-71961.rb @@ -1,20 +1,8 @@ # encoding: utf-8 # -grub_superuser = input( - 'grub_superuser', - description: 'superusers for grub boot ( array )', - value: ['root'] -) -grub_user_boot_files = input( - 'grub_user_boot_files', - description: 'grub boot config files', - value: ['/boot/grub2/user.cfg'] -) -grub_main_cfg = input( - 'grub_main_cfg', - description: 'main grub boot config file', - value: '/boot/grub2/grub.cfg' -) +grub_superuser = input('grub_superuser') +grub_user_boot_files = input('grub_user_boot_files') +grub_main_cfg = input('grub_main_cfg') control "V-71961" do title "Systems with a Basic Input/Output System (BIOS) must require diff --git a/controls/V-71963.rb b/controls/V-71963.rb index 296e605d2..80134ab35 100644 --- a/controls/V-71963.rb +++ b/controls/V-71963.rb 
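Review bot: The description removed for `lockout_time` in V-71943 carried an operational limit, "This attribute should never be set greater than 604800", and after this hunk nothing in the control file states or enforces it; the same hunk also drops the units ("in seconds") for `fail_interval` and `lockout_time`. Since the inspec.yml side is not visible here, please make sure that sentence and the units survive in the input descriptions there, and consider guarding the cap in the control body (outside this hunk) with a one-line check such as `describe lockout_time do it { should be <= 604800 } end` so an over-large profile override is reported rather than silently accepted. A comment at the read site, `# lockout_time and fail_interval are in seconds; lockout_time must not exceed 604800 (see inspec.yml)`, would keep the constraint next to the code that uses it.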
@@ -1,21 +1,9 @@ # encoding: utf-8 # -efi_superusers = input( - 'efi_superusers', - description: 'superusers for efi boot ( array )', - value: ['root'] -) -efi_user_boot_files = input( - 'efi_user_boot_files', - description: 'efi boot config files', - value: ['/boot/efi/EFI/redhat/user.cfg'] -) -efi_main_cfg = input( - 'efi_main_cfg', - description: 'main efi boot config file', - value: '/boot/efi/EFI/redhat/grub.cfg' -) +efi_superusers = input('efi_superusers') +efi_user_boot_files = input('efi_user_boot_files') +efi_main_cfg = input('efi_main_cfg') control "V-71963" do title "Systems using Unified Extensible Firmware Interface (UEFI) must diff --git a/controls/V-71965.rb b/controls/V-71965.rb index aee20f80d..2a5b97bb8 100644 --- a/controls/V-71965.rb +++ b/controls/V-71965.rb @@ -8,11 +8,7 @@ # users may be unable to log into the system. # -smart_card_status = input( - 'smart_card_status', - value: 'enabled', # values(enabled|disabled) - description: 'Smart Card Status' -) +smart_card_status = input('smart_card_status') control "V-71965" do title "The operating system must uniquely identify and must authenticate diff --git a/controls/V-71971.rb b/controls/V-71971.rb index 06938cac0..d1255e996 100644 --- a/controls/V-71971.rb +++ b/controls/V-71971.rb @@ -1,11 +1,7 @@ # encoding: utf-8 # # Will need to be changed to reflect list of authorized system accounts -admin_logins = input( - 'admin_logins', - value: [], - description: "System accounts that support approved system activities." -) +admin_logins = input('admin_logins') # TODO we really do need an `semanage` resource. diff --git a/controls/V-71981.rb b/controls/V-71981.rb index 586f561e1..faa08b12d 100644 --- a/controls/V-71981.rb +++ b/controls/V-71981.rb 
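Review bot: In the V-71965 hunk the removed `value: 'enabled', # values(enabled|disabled)` line was the only place the permitted values of `smart_card_status` were documented, and the new `smart_card_status = input('smart_card_status')` gives a reader no hint that anything other than those two strings is a misconfiguration rather than a valid setting. Unless inspec.yml (not visible here) now spells this out, add `# smart_card_status: 'enabled' or 'disabled' (see inspec.yml)` at the read site; the same goes for the `efi_superusers` array in V-71963 and `admin_logins` in V-71971, whose descriptions ("superusers for efi boot ( array )", "System accounts that support approved system activities.") were the only statement of their expected shape.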
@@ -1,9 +1,6 @@ # encoding: utf-8 # -skip_deprecated_test = input( - 'skip_deprecated_test', - value: true, - description: 'Skips tests that have been deprecated and removed from the STIG.') +skip_deprecated_test = input('skip_deprecated_test') control "V-71981" do title "The operating system must prevent the installation of software, diff --git a/controls/V-72001.rb b/controls/V-72001.rb index 24fcef05c..e2fbbc5a3 100644 --- a/controls/V-72001.rb +++ b/controls/V-72001.rb @@ -1,54 +1,11 @@ # encoding: utf-8 # -known_system_accounts = input( - 'known_system_accounts', - value: [ - 'root', - 'bin', - 'daemon', - 'adm', - 'lp', - 'sync', - 'shutdown', - 'halt', - 'mail', - 'operator', - 'nobody', - 'systemd-bus-proxy', - 'systemd-network', - 'dbus', - 'polkitd', - 'tss', # Account used by the trousers package to sandbox the tcsd daemon - 'postfix', # Service Account for Postfix Mail Daemon - 'chrony', # Service Account for the Chrony Time Service - 'sshd', # Service Account for SSH - 'sssd', # Service Account for the SSSH Authentication service - 'rpc', # Service Account RPCBind Daemon - 'ntp', # Service Account for NTPD Daemon - 'vboxadd', # known Virtualbox user - 'nfsnobody', # service account for nsfd - 'vagrant', # known service account for vagrant / Virtualbox - 'rpcuser', # known centos system account for nsf - ], - description: 'System accounts that support approved system activities. (Array)' -) +known_system_accounts = input('known_system_accounts') -disallowed_accounts = input( - 'disallowed_accounts', - description: 'Accounts that are not allowed on the system (Array)', - value: [ - 'games', - 'gopher', - 'ftp', - ] -) +disallowed_accounts = input('disallowed_accounts') -user_accounts = input( - 'user_accounts', - description: 'accounts of known managed users (Array)', - value:[] -) +user_accounts = input('user_accounts') control "V-72001" do title "The system must not have unnecessary accounts." 
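Review bot: In the V-72001 hunk the per-entry comments on `known_system_accounts` (why `tss`, `postfix`, `chrony`, `sshd`, `rpc`, `nfsnobody` and the `vagrant`/`vboxadd` entries are tolerated) are deleted along with the list, and this list is the allowlist that decides what "unnecessary accounts" means for the control. Without the rationale it is easy for the next maintainer to widen the list without noticing that `vagrant` and `vboxadd` were only justified for Virtualbox/Vagrant images and should not be whitelisted on production hosts. Please keep those explanations beside the entries in inspec.yml, and leave a pointer here such as `# known_system_accounts is the allowlist for this control; review the per-entry rationale in inspec.yml before extending it`; `disallowed_accounts` (`games`, `gopher`, `ftp`) deserves the same treatment since an empty or mistyped override silently weakens the finding.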
diff --git a/controls/V-72011.rb b/controls/V-72011.rb index f4aa9a7a7..3dafdf71a 100644 --- a/controls/V-72011.rb +++ b/controls/V-72011.rb @@ -4,17 +4,9 @@ # TODO ENHANCE: 1. this needs to be enhanced, to loop though all the users # TODO 2. drop ones that have `gid` <= 999. I think If I read this right./s -exempt_home_users = input( - 'exempt_home_users', - description: 'These are `home dir` exempt interactive accounts', - value: [] -) +exempt_home_users = input('exempt_home_users') -non_interactive_shells = input( - 'non_interactive_shells', - description: 'These shells do not allow a user to login', - value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] -) +non_interactive_shells = input('non_interactive_shells') control "V-72011" do title "All local interactive users must have a home directory assigned in the diff --git a/controls/V-72015.rb b/controls/V-72015.rb index 739b203a3..766c69e0e 100644 --- a/controls/V-72015.rb +++ b/controls/V-72015.rb @@ -3,17 +3,9 @@ # TODO ENHANCE: 1. this needs to be enhanced, i.e. to check the right thing. like V-72017 -exempt_home_users = input( - 'exempt_home_users', - description: 'These are `home dir` exempt interactive accounts', - value: [] -) +exempt_home_users = input('exempt_home_users') -non_interactive_shells = input( - 'non_interactive_shells', - description: 'These shells do not allow a user to login', - value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] -) +non_interactive_shells = input('non_interactive_shells') control "V-72015" do title "All local interactive user home directories defined in the /etc/passwd diff --git a/controls/V-72017.rb b/controls/V-72017.rb index 53aca6be6..29c2f5360 100644 --- a/controls/V-72017.rb +++ b/controls/V-72017.rb 
@@ -1,17 +1,9 @@ # encoding: utf-8 # -exempt_home_users = input( - 'exempt_home_users', - description: 'These are `home dir` exempt interactive accounts', - value: [] -) +exempt_home_users = input('exempt_home_users') -non_interactive_shells = input( - 'non_interactive_shells', - description: 'These shells do not allow a user to login', - value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] -) +non_interactive_shells = input('non_interactive_shells') control "V-72017" do title "All local interactive user home directories must have mode 0750 or diff --git a/controls/V-72019.rb b/controls/V-72019.rb index 12d952131..6f7235a1a 100644 --- a/controls/V-72019.rb +++ b/controls/V-72019.rb @@ -1,17 +1,9 @@ # encoding: utf-8 # -exempt_home_users = input( - 'exempt_home_users', - description: 'These are `home dir` exempt interactive accounts', - value: [] -) +exempt_home_users = input('exempt_home_users') -non_interactive_shells = input( - 'non_interactive_shells', - description: 'These shells do not allow a user to login', - value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] -) +non_interactive_shells = input('non_interactive_shells') control "V-72019" do title "All local interactive user home directories must be owned by their diff --git a/controls/V-72021.rb b/controls/V-72021.rb index f144b26d8..6a69fbedc 100644 --- a/controls/V-72021.rb +++ b/controls/V-72021.rb 
@@ -1,17 +1,9 @@ # encoding: utf-8 # -exempt_home_users = input( - 'exempt_home_users', - description: 'These are `home dir` exempt interactive accounts', - value: [] -) +exempt_home_users = input('exempt_home_users') -non_interactive_shells = input( - 'non_interactive_shells', - description: 'These shells do not allow a user to login', - value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] -) +non_interactive_shells = input('non_interactive_shells') control "V-72021" do title "All local interactive user home directories must be group-owned by the diff --git a/controls/V-72023.rb b/controls/V-72023.rb index 1b3ea42e5..8faedca69 100644 --- a/controls/V-72023.rb +++ b/controls/V-72023.rb @@ -1,17 +1,9 @@ # encoding: utf-8 # -exempt_home_users = input( - 'exempt_home_users', - description: 'These are `home dir` exempt interactive accounts', - value: [] -) +exempt_home_users = input('exempt_home_users') -non_interactive_shells = input( - 'non_interactive_shells', - description: 'These shells do not allow a user to login', - value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] -) +non_interactive_shells = input('non_interactive_shells') control "V-72023" do title "All files and directories contained in local interactive user home diff --git a/controls/V-72025.rb b/controls/V-72025.rb index 83248a1c7..887a26641 100644 --- a/controls/V-72025.rb +++ b/controls/V-72025.rb 
@@ -1,17 +1,9 @@ # encoding: utf-8 # -exempt_home_users = input( - 'exempt_home_users', - description: 'These are `home dir` exempt interactive accounts', - value: [] -) +exempt_home_users = input('exempt_home_users') -non_interactive_shells = input( - 'non_interactive_shells', - description: 'These shells do not allow a user to login', - value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] -) +non_interactive_shells = input('non_interactive_shells') control "V-72025" do title "All files and directories contained in local interactive user home diff --git a/controls/V-72027.rb b/controls/V-72027.rb index 142c4a012..aafd88336 100644 --- a/controls/V-72027.rb +++ b/controls/V-72027.rb @@ -1,17 +1,9 @@ # encoding: utf-8 # -exempt_home_users = input( - 'exempt_home_users', - description: 'These are `home dir` exempt interactive accounts', - value: [] -) +exempt_home_users = input('exempt_home_users') -non_interactive_shells = input( - 'non_interactive_shells', - description: 'These shells do not allow a user to login', - value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] -) +non_interactive_shells = input('non_interactive_shells') control "V-72027" do title "All files and directories contained in local interactive user home diff --git a/controls/V-72029.rb b/controls/V-72029.rb index 15322ccbd..7b2168beb 100644 --- a/controls/V-72029.rb +++ b/controls/V-72029.rb 
@@ -1,17 +1,9 @@ # encoding: utf-8 # -exempt_home_users = input( - 'exempt_home_users', - description: 'These are `home dir` exempt interactive accounts', - value: [] -) +exempt_home_users = input('exempt_home_users') -non_interactive_shells = input( - 'non_interactive_shells', - description: 'These shells do not allow a user to login', - value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] -) +non_interactive_shells = input('non_interactive_shells') control "V-72029" do title "All local initialization files for interactive users must be owned by diff --git a/controls/V-72031.rb b/controls/V-72031.rb index 5c23e6da7..d2b69ad37 100644 --- a/controls/V-72031.rb +++ b/controls/V-72031.rb @@ -1,17 +1,9 @@ # encoding: utf-8 # -exempt_home_users = input( - 'exempt_home_users', - description: 'These are `home dir` exempt interactive accounts', - value: [] -) +exempt_home_users = input('exempt_home_users') -non_interactive_shells = input( - 'non_interactive_shells', - description: 'These shells do not allow a user to login', - value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] -) +non_interactive_shells = input('non_interactive_shells') control "V-72031" do title "Local initialization files for local interactive users must be diff --git a/controls/V-72033.rb b/controls/V-72033.rb index 0d02f08c4..d3ac14d0a 100644 --- a/controls/V-72033.rb +++ b/controls/V-72033.rb 
@@ -1,17 +1,9 @@ # encoding: utf-8 # -exempt_home_users = input( - 'exempt_home_users', - description: 'These are `home dir` exempt interactive accounts', - value: [] -) - -non_interactive_shells = input( - 'non_interactive_shells', - description: 'These shells do not allow a user to login', - value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] -) +exempt_home_users = input('exempt_home_users') + +non_interactive_shells = input('non_interactive_shells') control "V-72033" do title "All local initialization files must have mode 0740 or less permissive." diff --git a/controls/V-72035.rb b/controls/V-72035.rb index 3e5115e28..021f11406 100644 --- a/controls/V-72035.rb +++ b/controls/V-72035.rb @@ -1,17 +1,9 @@ # encoding: utf-8 # -exempt_home_users = input( - 'exempt_home_users', - description: 'These are `home dir` exempt interactive accounts', - value: [] -) +exempt_home_users = input('exempt_home_users') -non_interactive_shells = input( - 'non_interactive_shells', - description: 'These shells do not allow a user to login', - value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] -) +non_interactive_shells = input('non_interactive_shells') control "V-72035" do title "All local interactive user initialization files executable search diff --git a/controls/V-72037.rb b/controls/V-72037.rb index 6d37d7a73..0ec32721e 100644 --- a/controls/V-72037.rb +++ b/controls/V-72037.rb 
@@ -1,23 +1,10 @@ # encoding: utf-8 -disable_slow_controls = input( - 'disable_slow_controls', - value: false, - description: 'If enabled, this attribute disables this control and other - controls that consistently take a long time to complete.' -) +disable_slow_controls = input('disable_slow_controls') -exempt_home_users = input( - 'exempt_home_users', - description: 'These are `home dir` exempt interactive accounts', - value: [] -) +exempt_home_users = input('exempt_home_users') -non_interactive_shells = input( - 'non_interactive_shells', - description: 'These shells do not allow a user to login', - value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] -) +non_interactive_shells = input('non_interactive_shells') control "V-72037" do title "The Red Hat Enterprise Linux operating system must be configured so diff --git a/controls/V-72039.rb b/controls/V-72039.rb index 1859fc65f..12d05d5b1 100644 --- a/controls/V-72039.rb +++ b/controls/V-72039.rb @@ -1,10 +1,7 @@ # encoding: utf-8 # -virtual_machine = input( - 'virtual_machine', - value: false, - description: 'Is the target expected to be a virtual machine') +virtual_machine = input('virtual_machine') control "V-72039" do title "All system device files must be correctly labeled to prevent diff --git a/controls/V-72043.rb b/controls/V-72043.rb index 1cae8ec9d..6784d551d 100644 --- a/controls/V-72043.rb +++ b/controls/V-72043.rb @@ -1,11 +1,7 @@ # encoding: utf-8 # -non_removable_media_fs = input( - 'non_removable_media_fs', - value: ['xfs', 'ext4', 'swap', 'tmpfs'], - description: "File systems that don't correspond to removable media" -) +non_removable_media_fs = input('non_removable_media_fs') control "V-72043" do title "File systems that are used with removable media must be mounted to diff --git a/controls/V-72047.rb b/controls/V-72047.rb index c9ddc7f41..b9db6b52e 100644 --- a/controls/V-72047.rb +++ b/controls/V-72047.rb 
@@ -1,11 +1,7 @@ # encoding: utf-8 # -application_groups = input( - 'application_groups', - description: 'Known application groups that are allowed to have world-writeable files or directories', - value: [] -) +application_groups = input('application_groups') control "V-72047" do title "All world-writable directories must be group-owned by root, sys, bin, diff --git a/controls/V-72049.rb b/controls/V-72049.rb index 3654fb089..2ff1bcbbc 100644 --- a/controls/V-72049.rb +++ b/controls/V-72049.rb @@ -1,10 +1,6 @@ # encoding: utf-8 # -non_interactive_shells = input( - 'non_interactive_shells', - description: 'These shells do not allow a user to login', - value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] -) +non_interactive_shells = input('non_interactive_shells') control "V-72049" do title "The umask must be set to 077 for all local interactive user accounts." diff --git a/controls/V-72051.rb b/controls/V-72051.rb index ccadce4ef..efd26e2fb 100644 --- a/controls/V-72051.rb +++ b/controls/V-72051.rb @@ -1,11 +1,7 @@ # encoding: utf-8 # -log_pkg_path = input( - 'log_pkg_path', - value: '/etc/rsyslog.conf', - description: "The path to the logging package" -) +log_pkg_path = input('log_pkg_path') control "V-72051" do title "Cron logging must be implemented." diff --git a/controls/V-72059.rb b/controls/V-72059.rb index 429b6dbcc..47d06cd83 100644 --- a/controls/V-72059.rb +++ b/controls/V-72059.rb 
@@ -1,17 +1,9 @@ # encoding: utf-8 # -exempt_home_users = input( - 'exempt_home_users', - description: 'These are `home dir` exempt interactive accounts', - value: [] -) +exempt_home_users = input('exempt_home_users') -non_interactive_shells = input( - 'non_interactive_shells', - description: 'These shells do not allow a user to login', - value: ["/sbin/nologin","/sbin/halt","/sbin/shutdown","/bin/false","/bin/sync", "/bin/true"] -) +non_interactive_shells = input('non_interactive_shells') control "V-72059" do title "A separate file system must be used for user home directories (such as diff --git a/controls/V-72081.rb b/controls/V-72081.rb index 86d739469..c296cb85a 100644 --- a/controls/V-72081.rb +++ b/controls/V-72081.rb @@ -1,12 +1,7 @@ # encoding: utf-8 # -monitor_kernel_log = input( - 'monitor_kernel_log', - description: 'Set this to false if your system availability concern is not documented or - there is no monitoring of the kernel log', - value: true -) +monitor_kernel_log = input('monitor_kernel_log') control "V-72081" do title "The operating system must shut down upon audit processing failure, diff --git a/controls/V-72143.rb b/controls/V-72143.rb index 019deb19b..322e9fe5b 100644 --- a/controls/V-72143.rb +++ b/controls/V-72143.rb @@ -1,9 +1,6 @@ # encoding: utf-8 # -skip_deprecated_test = input( - 'skip_deprecated_test', - value: true, - description: 'Skips tests that have been deprecated and removed from the STIG.') +skip_deprecated_test = input('skip_deprecated_test') control "V-72143" do title "The operating system must generate audit records for all diff --git a/controls/V-72169.rb b/controls/V-72169.rb index 63e38c8c3..d0b43aa31 100644 --- a/controls/V-72169.rb +++ b/controls/V-72169.rb 
@@ -1,9 +1,6 @@
 # encoding: utf-8
 #
-skip_deprecated_test = input(
- 'skip_deprecated_test',
- value: true,
- description: 'Skips tests that have been deprecated and removed from the STIG.')
+skip_deprecated_test = input('skip_deprecated_test')
 control "V-72169" do
 title "All uses of the sudoedit command must be audited."
diff --git a/controls/V-72181.rb b/controls/V-72181.rb
index 5d74b56a7..6d8365253 100644
--- a/controls/V-72181.rb
+++ b/controls/V-72181.rb
@@ -1,9 +1,6 @@
 # encoding: utf-8
 #
-skip_deprecated_test = input(
- 'skip_deprecated_test',
- value: true,
- description: 'Skips tests that have been deprecated and removed from the STIG.')
+skip_deprecated_test = input('skip_deprecated_test')
 control "V-72181" do
 title "All uses of the pt_chown command must be audited."
diff --git a/controls/V-72193.rb b/controls/V-72193.rb
index 20e78237e..171f17584 100644
--- a/controls/V-72193.rb
+++ b/controls/V-72193.rb
@@ -1,9 +1,6 @@
 # encoding: utf-8
 #
-skip_deprecated_test = input(
- 'skip_deprecated_test',
- value: true,
- description: 'Skips tests that have been deprecated and removed from the STIG.')
+skip_deprecated_test = input('skip_deprecated_test')
 control "V-72193" do
 title "All uses of the rmmod command must be audited."
diff --git a/controls/V-72195.rb b/controls/V-72195.rb
index 570f19e4a..f5cc770a5 100644
--- a/controls/V-72195.rb
+++ b/controls/V-72195.rb
@@ -1,9 +1,6 @@
 # encoding: utf-8
 #
-skip_deprecated_test = input(
- 'skip_deprecated_test',
- value: true,
- description: 'Skips tests that have been deprecated and removed from the STIG.')
+skip_deprecated_test = input('skip_deprecated_test')
 control "V-72195" do
 title "All uses of the modprobe command must be audited."
diff --git a/controls/V-72209.rb b/controls/V-72209.rb
index c60cf95cb..bbb9ea5e8 100644
--- a/controls/V-72209.rb
+++ b/controls/V-72209.rb
@@ -1,11 +1,7 @@
 # encoding: utf-8
 #
-log_pkg_path = input(
- 'log_pkg_path',
- value: '/etc/rsyslog.conf',
- description: "The path to the logging package"
-)
+log_pkg_path = input('log_pkg_path')
 control "V-72209" do
 title "The system must send rsyslog output to a log aggregation server."
diff --git a/controls/V-72211.rb b/controls/V-72211.rb
index 885d9afbb..08edbf61e 100644
--- a/controls/V-72211.rb
+++ b/controls/V-72211.rb
@@ -1,11 +1,7 @@
 # encoding: utf-8
 #
-log_aggregation_server = input(
- 'log_aggregation_server',
- description: 'The system is intented to be a log aggregation server.',
- value: false
-)
+log_aggregation_server = input('log_aggregation_server')
 # TODO account for using other log systems. `syslog-ng`
 # TODO add attribute for `SYSLOG_SYSTEM` and adjust control logic
diff --git a/controls/V-72215.rb b/controls/V-72215.rb
index 3e76e873d..4aa19dd96 100644
--- a/controls/V-72215.rb
+++ b/controls/V-72215.rb
@@ -1,9 +1,6 @@
 # encoding: utf-8
 #
-skip_deprecated_test = input(
- 'skip_deprecated_test',
- value: true,
- description: 'Skips tests that have been deprecated and removed from the STIG.')
+skip_deprecated_test = input('skip_deprecated_test')
 control "V-72215" do
 title "The system must update the virus scan program every seven days or more
diff --git a/controls/V-72219.rb b/controls/V-72219.rb
index e8fb02e7e..7772fc053 100644
--- a/controls/V-72219.rb
+++ b/controls/V-72219.rb
@@ -1,59 +1,15 @@
 # encoding: utf-8
 #
-firewalld_services_deny = input(
- 'firewalld_services_deny',
- value: {
- # Examples (zone:[services])
- # "public"=>['ssh', 'icmp'],
- # "dmz"=>['http']
- },
- description: "Services that firewalld should be configured to deny."
-)
-
-firewalld_hosts_deny = input(
- 'firewalld_hosts_deny',
- value: [
- # Example
- # 'rule family="ipv4" source address="104.56.21.1/24" accept]'
- ],
- description: "Hosts that firewalld should be configured to deny."
-)
-
-firewalld_ports_deny = input(
- 'firewalld_ports_deny',
- value: {
- # Examples (zone:[ports])
- #"public"=>['12345/tcp', '23456/tcp'],
- # "dmz"=>['80/http', '22/ssh']
- },
- description: "Ports that firewalld should be configured to deny."
-)
-
-firewalld_zones = input(
- 'firewalld_zones',
- value: [
- # Examples
- # 'drop',
- # 'block',
- # 'public'
- # 'external',
- # 'dmz',
- # 'work',
- # 'home',
- # 'internal',
- # 'trusted'
- ]
-)
-
-iptables_rules = input(
- 'iptables_rules',
- value: [
- # Example
- # '-P INPUT ACCEPT',
- ],
- description: "Iptables rules that should exist."
-)
+firewalld_services_deny = input('firewalld_services_deny')
+
+firewalld_hosts_deny = input('firewalld_hosts_deny')
+
+firewalld_ports_deny = input('firewalld_ports_deny')
+
+firewalld_zones = input('firewalld_zones')
+
+iptables_rules = input('iptables_rules')
 control "V-72219" do
 title "The host must be configured to prohibit or restrict the use of
diff --git a/controls/V-72223.rb b/controls/V-72223.rb
index f78f454af..02cba9f64 100644
--- a/controls/V-72223.rb
+++ b/controls/V-72223.rb
@@ -1,11 +1,7 @@
 # encoding: utf-8
 #
-system_activity_timeout = input(
-'system_activity_timeout',
-value: 600,
-description: 'The length of inactivity from the user in which the network connections associated with a session in terminated.'
-)
+system_activity_timeout = input('system_activity_timeout')
 control "V-72223" do
 title "All network connections associated with a communication session must
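Review bot: `firewalld_services_deny` and `firewalld_ports_deny` lose Hash defaults here (the removed values were `{ zone => [services] }` and `{ zone => [ports] }`), yet the inspec.yml entries added later in this patch declare both as `type: Array` with `value: []`, and V-72315.rb in the same patch previously defined `firewalld_ports_deny` as an Array. Once both controls read one shared input, at least one of them receives a value shape it did not have before; if V-72219's body iterates zone/entries pairs, an Array will not behave the same. Either declare these two inputs `type: Hash` with `value: {}` in inspec.yml or confirm the control body accepts both shapes. The control body is outside the hunk, so this is inferred from the removed defaults only.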
diff --git a/controls/V-72225.rb b/controls/V-72225.rb
index 92e1c6a8d..67c3516fb 100644
--- a/controls/V-72225.rb
+++ b/controls/V-72225.rb
@@ -1,31 +1,9 @@
 # encoding: utf-8
 #
-banner_message_text_ral = input('banner_message_text_ral',
-value:
-"You are accessing a U.S. Government (USG) Information System (IS) that is \
-provided for USG-authorized use only. By using this IS (which includes any \
-device attached to this IS), you consent to the following conditions: -The USG \
-routinely intercepts and monitors communications on this IS for purposes \
-including, but not limited to, penetration testing, COMSEC monitoring, network \
-operations and defense, personnel misconduct (PM), law enforcement (LE), and \
-counterintelligence (CI) investigations. -At any time, the USG may inspect and \
-seize data stored on this IS. -Communications using, or data stored on, this \
-IS are not private, are subject to routine monitoring, interception, and \
-search, and may be disclosed or used for any USG-authorized purpose. -This IS \
-includes security measures (e.g., authentication and access controls) to \
-protect USG interests--not for your personal benefit or privacy. \
--Notwithstanding the above, using this IS does not constitute consent to PM, \
-LE or CI investigative searching or monitoring of the content of privileged \
-communications, or work product, related to personal representation or \
-services by attorneys, psychotherapists, or clergy, and their assistants. Such \
-communications and work product are private and confidential. See User \
-Agreement for details.",
-description: 'The banner message must display the designated banner before granting access.')
-
-banner_message_text_ral_limited = input('banner_message_text_ral_limited',
-value: "I've read & consent to terms in IS user agreem't.",
-description: 'The banner message must display the designated banner before granting access.')
+banner_message_text_ral = input('banner_message_text_ral')
+
+banner_message_text_ral_limited = input('banner_message_text_ral_limited')
 control "V-72225" do
 title "The Standard Mandatory DoD Notice and Consent Banner must be displayed
diff --git a/controls/V-72237.rb b/controls/V-72237.rb
index 897462ab4..91d7b2314 100644
--- a/controls/V-72237.rb
+++ b/controls/V-72237.rb
@@ -1,8 +1,7 @@
 # encoding: utf-8
 #
-client_alive_interval = input('client_alive_interval', value: 600,
-description: "Value expected for ClientAliveInterval in sshd_config")
+client_alive_interval = input('client_alive_interval')
 control "V-72237" do
 title "All network connections associated with SSH traffic must terminate at
diff --git a/controls/V-72307.rb b/controls/V-72307.rb
index 3f49a4b36..932c1ebf8 100644
--- a/controls/V-72307.rb
+++ b/controls/V-72307.rb
@@ -3,11 +3,7 @@
 # TODO this needs to be reworked to allow `X11_NEEDED` attribute
-x11_enabled = input(
- 'x11_enabled',
- description: 'Set to `true` if a GUI or X11 is needed on the system',
- value: false
-)
+x11_enabled = input('x11_enabled')
 control "V-72307" do
 title "An X Windows display manager must not be installed unless approved."
diff --git a/controls/V-72315.rb b/controls/V-72315.rb
index 724a4f8bc..11abcd000 100644
--- a/controls/V-72315.rb
+++ b/controls/V-72315.rb
@@ -2,76 +2,21 @@
 #
 # These inputs must be filled in to reflect expectations of particular system
-firewalld_services = input(
- 'firewalld_services',
- value: [
- # Examples
- # 'dhcpv6-client',
- # 'ssh'
- ],
- description: "Services that firewalld should be configured to allow."
-)
-
-firewalld_hosts_allow = input(
- 'firewalld_hosts_allow',
- value: [
- ],
- description: "Hosts that firewalld should be configured to allow."
-)
-
-firewalld_hosts_deny = input(
- 'firewalld_hosts_deny',
- value: [
- ],
- description: "Hosts that firewalld should be configured to deny."
-)
-
-firewalld_ports_allow = input(
- 'firewalld_ports_allow',
- value: [
- # Examples
- # '22/tcp',
- # '4722/tcp'
- ],
- description: "Ports that firewalld should be configured to allow."
-)
-
-firewalld_ports_deny = input(
- 'firewalld_ports_deny',
- value: [
- # Examples
- # '22/tcp',
- # '4722/tcp'
- ],
- description: "Ports that firewalld should be configured to deny."
-)
-
-tcpwrappers_allow = input(
- 'tcpwrappers_allow',
- value: [
- # Example
- # { 'daemon' => 'ALL', 'client_list' => ['ALL'], 'options' => ['allow'] }
- ],
- description: "Allow rules from etc/hosts.allow."
-)
-
-tcpwrappers_deny = input(
- 'tcpwrappers_deny',
- value: [
- # Example
- { 'daemon' => 'ALL', 'client_list' => ['ALL'], 'options' => [] }
- ],
- description: "Deny rules from etc/hosts.deny."
-)
-
-iptable_rules = input(
- 'iptable_rules',
- value: [
- # Example
- # '-P INPUT ACCEPT',
- ],
- description: "Iptable rules that should exist."
-)
+firewalld_services = input('firewalld_services')
+
+firewalld_hosts_allow = input('firewalld_hosts_allow')
+
+firewalld_hosts_deny = input('firewalld_hosts_deny')
+
+firewalld_ports_allow = input('firewalld_ports_allow')
+
+firewalld_ports_deny = input('firewalld_ports_deny')
+
+tcpwrappers_allow = input('tcpwrappers_allow')
+
+tcpwrappers_deny = input('tcpwrappers_deny')
+
+iptable_rules = input('iptables_rules')
 control "V-72315" do
 title "The system access control program must be configured to grant or deny
diff --git a/controls/V-72317.rb b/controls/V-72317.rb
index 0f9f3cb37..80a0d658b 100644
--- a/controls/V-72317.rb
+++ b/controls/V-72317.rb
@@ -1,14 +1,7 @@
 # encoding: utf-8
 #
-approved_tunnels = input(
- 'approved_tunnels',
- value: [
- # Example
- # 'conn myTunnel'
- ],
- description: "Approved configured tunnels prepended with word 'conn'"
-)
+approved_tunnels = input('approved_tunnels')
 control "V-72317" do
 title "The system must not have unauthorized IP tunnels configured."
diff --git a/controls/V-72417.rb b/controls/V-72417.rb
index 7d252d94a..9a7a92ff4 100644
--- a/controls/V-72417.rb
+++ b/controls/V-72417.rb
@@ -1,20 +1,9 @@
 # encoding: utf-8
 #
-mfa_pkg_list = input(
- 'mfa_pkg_list',
- description: 'The list of packages needed for MFA on RHEL',
- value: [
- 'esc',
- 'pam_pkcs11',
- 'authconfig-gtk',
- ])
-
-smart_card_status = input(
- 'smart_card_status',
- value: 'enabled', # values(enabled|disabled)
- description: 'Smart Card Status'
-)
+mfa_pkg_list = input('mfa_pkg_list')
+
+smart_card_status = input('smart_card_status')
 control "V-72417" do
 title "The operating system must have the required packages for multifactor
diff --git a/controls/V-72433.rb b/controls/V-72433.rb
index cc03a82b8..1b76f41d6 100644
--- a/controls/V-72433.rb
+++ b/controls/V-72433.rb
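Review bot: `iptable_rules = input('iptables_rules')` changes the input key from `iptable_rules` to `iptables_rules` while keeping the old local name; this matches the `iptables_rules` entry added to inspec.yml in this patch and the key V-72219 already uses, but any existing input file that supplies `iptable_rules` is silently ignored from now on. A comment on the line, `# input key renamed from iptable_rules; shared with V-72219`, would make the break visible, and renaming the local to `iptables_rules` would keep the two in step. The control body that consumes it starts outside the hunk.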
@@ -1,11 +1,7 @@
 # encoding: utf-8
 #
-smart_card_status = input(
- 'smart_card_status',
- value: 'enabled', # values(enabled|disabled)
- description: 'Smart Card Status'
-)
+smart_card_status = input('smart_card_status')
 control "V-72433" do
 title "The operating system must implement certificate status checking for
diff --git a/controls/V-72435.rb b/controls/V-72435.rb
index 3f926c388..6408ee9c9 100644
--- a/controls/V-72435.rb
+++ b/controls/V-72435.rb
@@ -1,9 +1,6 @@
 # encoding: utf-8
 #
-skip_deprecated_test = input(
- 'skip_deprecated_test',
- value: true,
- description: 'Skips tests that have been deprecated and removed from the STIG.')
+skip_deprecated_test = input('skip_deprecated_test')
 control "V-72435" do
 title "The operating system must implement smart card logons for multifactor
diff --git a/controls/V-73159.rb b/controls/V-73159.rb
index 007c94a2b..7beebbd9c 100644
--- a/controls/V-73159.rb
+++ b/controls/V-73159.rb
@@ -1,8 +1,6 @@
 # encoding: utf-8
 #
-max_retry = input('max_retry', value: 3,
-description: 'The operating system must limit password
-failures.')
+max_retry = input('max_retry')
 control "V-73159" do
 title "When passwords are changed or new passwords are established, pwquality
diff --git a/controls/V-77819.rb b/controls/V-77819.rb
index e0f35f368..0b7da7ac5 100644
--- a/controls/V-77819.rb
+++ b/controls/V-77819.rb
@@ -1,17 +1,9 @@
 # encoding: utf-8
 #
-multifactor_enabled = input(
- 'multifactor_enabled',
- value: 'true',
- description: "Should dconf have smart card authentication"
-)
-
-dconf_user = input(
- 'dconf_user',
- value: nil,
- description: "User to use to check dconf settings"
-)
+multifactor_enabled = input('multifactor_enabled')
+
+dconf_user = input('dconf_user')
 control "V-77819" do
 title "The operating system must uniquely identify and must authenticate
diff --git a/controls/V-77825.rb b/controls/V-77825.rb
index 6d6646592..67e739390 100644
--- a/controls/V-77825.rb
+++ b/controls/V-77825.rb
@@ -1,8 +1,6 @@
 # encoding: utf-8
 #
-randomize_va_space = input('randomize_va_space', value: 2,
-description: 'The value for the randomize virtual address space
-kernel parameter.')
+randomize_va_space = input('randomize_va_space')
 control "V-77825" do
 title "The operating system must implement virtual address space
diff --git a/controls/V-78995.rb b/controls/V-78995.rb
index a61c86532..7b58ae2e0 100644
--- a/controls/V-78995.rb
+++ b/controls/V-78995.rb
@@ -1,9 +1,6 @@
 # encoding: utf-8
 #
-skip_deprecated_test = input(
- 'skip_deprecated_test',
- value: true,
- description: 'Skips tests that have been deprecated and removed from the STIG.')
+skip_deprecated_test = input('skip_deprecated_test')
 control "V-78995" do
 title "The operating system must prevent a user from overriding the
diff --git a/inspec.yml b/inspec.yml
index 2e7cbb741..7223c09ff 100644
--- a/inspec.yml
+++ b/inspec.yml
@@ -89,7 +89,21 @@ inputs:
 'mail',
 'operator',
 'nobody',
- 'systemd-bus-proxy'
+ 'systemd-bus-proxy',
+ 'systemd-network',
+ 'dbus',
+ 'polkitd',
+ 'tss', # Account used by the trousers package to sandbox the tcsd daemon
+ 'postfix', # Service Account for Postfix Mail Daemon
+ 'chrony', # Service Account for the Chrony Time Service
+ 'sshd', # Service Account for SSH
+ 'sssd', # Service Account for the SSSH Authentication service
+ 'rpc', # Service Account RPCBind Daemon
+ 'ntp', # Service Account for NTPD Daemon
+ 'vboxadd', # known Virtualbox user
+ 'nfsnobody', # service account for nsfd
+ 'vagrant', # known service account for vagrant / Virtualbox
+ 'rpcuser',
 ]
@@ -317,7 +331,7 @@ inputs:
 value: []
 # V-73159
-- name: max_rety
+- name: max_retry
 description: Maximum number of times to prompt user for new password
 type: Numeric
 value: 3
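Review bot: `'vagrant'` and `'vboxadd'` are added to what appears to be the profile's default list of known system accounts (the input's name sits above the hunk), so a `vagrant` login account on a production host would be treated as expected by whichever controls consume this list. That is a sensible default for a test VM but not for a shipped STIG baseline; it would be safer to leave the two out of the default and let users add them through an input file, or at least to comment that they must be removed for production scans. Two of the new inline comments also carry typos: `'sssd', # Service Account for the SSSD Authentication service` and `'nfsnobody', # service account for nfsd`.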
@@ -380,3 +394,54 @@ inputs:
 #type: Boolean
 value: false
+- name: firewalld_services
+ description: Services that firewalld should be configured to allow. (e.g., 'dhcpv6-client', 'ssh')
+ type: Array
+ value: []
+
+- name: firewalld_services_deny
+ description: Services that firewalld should be configured to deny. (e.g., (zone:[services]), "public"=>['ssh', 'icmp'],"dmz"=>['http'])
+ type: Array
+ value: []
+
+- name: firewalld_hosts_allow
+ description: Hosts that firewalld should be configured to allow.
+ type: Array
+ value: []
+
+- name: firewalld_hosts_deny
+ description: Hosts that firewalld should be configured to deny. (e.g., 'rule family="ipv4" source address="104.56.21.1/24" accept]')
+ type: Array
+ value: []
+
+- name: firewalld_ports_allow
+ description: Ports that firewalld should be configured to allow. (e.g., '22/tcp', '4722/tcp')
+ type: Array
+ value: []
+
+- name: firewalld_ports_deny
+ description: Ports that firewalld should be configured to deny. (e.g., (zone:[ports]), "public"=>['12345/tcp', '23456/tcp'], "dmz"=>['80/http', '22/ssh'])
+ type: Array
+ value: []
+
+- name: firewalld_zones
+ description: firewalld zones (e.g. 'drop', 'block', 'public' 'external', 'dmz', 'work', 'home', 'internal', 'trusted')
+ type: Array
+ value: []
+
+- name: iptables_rules
+ description: Iptables rules that should exist. (e.g. '-P INPUT ACCEPT')
+ type: Array
+ value: []
+
+- name: tcpwrappers_allow
+ description: Allow rules from etc/hosts.allow. (e.g., { 'daemon' => 'ALL', 'client_list' => ['ALL'], 'options' => ['allow'])
+ type: Array
+ value: []
+
+- name: tcpwrappers_deny
+ description: Deny rules from etc/hosts.deny. (e.g., { 'daemon' => 'ALL', 'client_list' => ['ALL'], 'options' => [] })
+ type: Array
+ value: [
+ { 'daemon' => 'ALL', 'client_list' => ['ALL'], 'options' => [] }
+ ]
From 06ff8d080d1e2601a44fee961f76844f6e41e484 Mon Sep 17 00:00:00 2001
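Review bot: The `firewalld_hosts_deny` description example `'rule family="ipv4" source address="104.56.21.1/24" accept]'` was carried over from the removed V-72219.rb comment and still shows an `accept` rule, with a stray `]`, for what is a deny list; an example ending in a drop/reject action without the bracket (a constructed one would be `'rule family="ipv4" source address="<SUBNET>" drop'`) would describe the intended shape. The `firewalld_services_deny` and `firewalld_ports_deny` descriptions likewise show the zone=>[...] Hash form while the entries declare `type: Array`, which is the type mismatch raised on the V-72219.rb hunk. The `tcpwrappers_deny` default written in Ruby hash syntax is reworked by patches 25 and 26 below, so it is not re-raised here.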
From: Aaron Lippold Date: Thu, 5 Mar 2020 17:08:31 -0500 Subject: [PATCH 25/26] fixed badly formed array of hash on like 445 --- inspec.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/inspec.yml b/inspec.yml
index 7223c09ff..b7f1f90c7 100644
--- a/inspec.yml
+++ b/inspec.yml
@@ -442,6 +442,4 @@ inputs:
 - name: tcpwrappers_deny
 description: Deny rules from etc/hosts.deny. (e.g., { 'daemon' => 'ALL', 'client_list' => ['ALL'], 'options' => [] })
 type: Array
- value: [
- { 'daemon' => 'ALL', 'client_list' => ['ALL'], 'options' => [] }
- ]
+ value: [{ 'daemon' => 'ALL', 'client_list' => ['ALL'], 'options' => [] }]
From 17969be7d8dba36f343e59372c98cb825d7a2482 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Tue, 31 Mar 2020 12:31:18 -0400 Subject: [PATCH 26/26] fixed array in inspec.yml Signed-off-by: Aaron Lippold --- inspec.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/inspec.yml b/inspec.yml
index c3ca0c19d..c72c1c32d 100644
--- a/inspec.yml
+++ b/inspec.yml
@@ -439,7 +439,11 @@ inputs:
 type: Array
 value: []
-- name: tcpwrappers_deny
+ - name: tcpwrappers_deny
 description: Deny rules from etc/hosts.deny. (e.g., { 'daemon' => 'ALL', 'client_list' => ['ALL'], 'options' => [] })
 type: Array
- value: [{ 'daemon' => 'ALL', 'client_list' => ['ALL'], 'options' => [] }]
+ value:
+ - daemon: ‘ALL’
+ client_list:
+ - ALL
+ options: []
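Review bot: `+  - name: tcpwrappers_deny` in the PATCH 26 hunk is indented deeper than the sibling `- name:` entries added earlier in this series, which places the sequence item inside the previous entry's mapping (right after its `value: []`) and should make inspec.yml fail to parse; the line should stay at the original column, `- name: tcpwrappers_deny`. `- daemon: ‘ALL’` also uses typographic quotes (U+2018/U+2019), so the daemon value becomes the literal string `‘ALL’` rather than `ALL` and would never match a hosts.deny `ALL` entry, whereas `client_list` correctly uses a bare `ALL`; `- daemon: ALL` (or `'ALL'` with ASCII quotes) is what was intended. Both points are inferred from the surrounding YAML in this and the earlier inspec.yml hunks, since the rest of the file is not in the diff.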