Deprecated tests & Adding missing tests from RHEL7 STIG v2r4 #142

5fc9fa6
Merge pull request #1 from simp/master
cpoma Sep 5, 2019
d0d8f3d
Merge pull request #2 from simp/master
cpoma Sep 27, 2019
d5a349e
Merge branch 'master' into master
cpoma Oct 11, 2019
1668ef9
Added some missing tests
cpoma Oct 11, 2019
9ea34a3
Added missing tests
cpoma Oct 11, 2019
ee40b5e
Added ability to skips test that have been deprecated and removed fro…
cpoma Oct 12, 2019
d2d45b0
Merge pull request #3 from cpoma/deprecatedTests
cpoma Oct 24, 2019
746e9bf
Update V-71895.rb
djhaynes Nov 14, 2019
00f3d5e
Update V-71981.rb
djhaynes Nov 14, 2019
ab31ab9
Update V-72143.rb
djhaynes Nov 14, 2019
afc4032
Update V-72169.rb
djhaynes Nov 14, 2019
93fc5e9
Update V-72181.rb
djhaynes Nov 14, 2019
d87c909
Update V-72193.rb
djhaynes Nov 14, 2019
8734a31
Update V-72195.rb
djhaynes Nov 14, 2019
66ae13d
Update V-72215.rb
djhaynes Nov 14, 2019
9564b2c
Update V-72435.rb
djhaynes Nov 14, 2019
f221a93
Update V-78995.rb
djhaynes Nov 14, 2019
901d833
updating master to simp master
HackerShark Feb 21, 2020
4a2ffad
Update V-71895.rb
djhaynes Nov 14, 2019
f40f241
Update V-71981.rb
djhaynes Nov 14, 2019
48a7646
Update V-72143.rb
djhaynes Nov 14, 2019
27e0ac4
Update V-72169.rb
djhaynes Nov 14, 2019
9c43243
Update V-72181.rb
djhaynes Nov 14, 2019
7c14a67
Update V-72193.rb
djhaynes Nov 14, 2019
019ed23
Update V-72195.rb
djhaynes Nov 14, 2019
891fbf1
Update V-72215.rb
djhaynes Nov 14, 2019
c03d5ed
Update V-72435.rb
djhaynes Nov 14, 2019
d98e6fe
Update V-78995.rb
djhaynes Nov 14, 2019
3e2bba2
Merge branch 'deprecatedTests' of https://github.com/HackerShark/insp…
HackerShark Feb 21, 2020
fef1c13
cleaning up controls and inspec.yml, fixing typos
HackerShark Mar 4, 2020
5477cf0
Merge branch 'master' into deprecatedTests
aaronlippold Mar 5, 2020
06ff8d0
fixed badly formed array of hash on like 445
aaronlippold Mar 5, 2020
67fc42c
Merge branch 'master' into deprecatedTests
aaronlippold Mar 31, 2020
17969be
fixed array in inspec.yml
aaronlippold Mar 31, 2020
14 changes: 14 additions & 0 deletions attributes.yml
Expand Up @@ -4,6 +4,20 @@
# Controls that are known to consistently have long run times can be disabled with this attribute
disable_slow_controls: false

# Skips test that have been deprecated and removed from the STIG.
# Currently the following have been removed from the Latest STIG RHEL7 V2R4
# V-71895 - The operating system must set the idle delay setting for all connection types.
# V-71981 - The operating system must prevent the installation of software, patches, service packs, device drivers, or operating system components of packages without verification of the repository metadata.
# V-72143 - The operating system must generate audit records for all successful/unsuccessful account access count events.
# V-72169 - All uses of the sudoedit command must be audited.
# V-72181 - All uses of the pt_chown command must be audited.
# V-72193 - All uses of the rmmod command must be audited
# V-72195 - All uses of the modprobe command must be audited.
# V-72215 - The system must update the virus scan program every seven days or more frequently
# V-72435 - The operating system must implement smart card logons for multifactor authentication for access to privileged accounts.
# V-78995 - The operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface.
skip_deprecated_test: true

# V-72081 - 'monitor_kernel_log', (bool)
# Set this to false if your system availability concern is not documented or
# there is no monitoring of the kernel log
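Review bot: The header comment `# Skips test that have been deprecated and removed from the STIG.` should say how the attribute is consumed, because `skip_deprecated_test: true` turns the ten listed checks into skips by default and a reader of attributes.yml cannot see that; something like `# When true, the controls listed below report as skipped instead of running; set to false to keep enforcing them on hosts still hardened against an older STIG release.` The list names "V2R4" but carries no date or source reference, so an auditor cannot tell when it was last reconciled; a line such as `# Reconciled against RHEL7 STIG V2R4 on <date>` would help. In this view only V-71895 and V-71981 read the attribute; I assume the other eight listed controls are updated in commits not shown here.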
13 changes: 2 additions & 11 deletions controls/V-71849.rb
@@ -1,17 +1,8 @@
# encoding: utf-8
#
# Support for passed in Atrributes
disable_slow_controls = input(
'disable_slow_controls',
value: false,
description: 'If enabled, this attribute disables this control and other
controls that consistently take a long time to complete.'
)
rpm_verify_perms_except = input(
'rpm_verify_perms_except',
value: [],
description: 'This is a list of system files that should be allowed to change
permission attributes from an rpm verify point of view.')
disable_slow_controls = input('disable_slow_controls')
rpm_verify_perms_except = input('rpm_verify_perms_except')

control "V-71849" do
title "The file permissions, ownership, and group membership of system files and commands must match the vendor" \
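Review bot: Dropping the `value:` defaults in `disable_slow_controls = input('disable_slow_controls')` and `rpm_verify_perms_except = input('rpm_verify_perms_except')` makes this control depend entirely on inspec.yml (not in view here) declaring both inputs with a value; if one is left undeclared, InSpec as far as I recall hands back a no-value placeholder instead of the old `false`/`[]`, so the check skips or errors rather than running the baseline test. The same applies to V-71855, V-71859, V-71861, V-71863, V-71901, V-71911, V-71933, V-71935, V-71941, V-71943, V-71961, V-71963, V-71965 and V-71971 in this PR. Consider marking inputs that have no safe fallback as `required: true` in inspec.yml so a missing value fails loudly, or keep a `value:` on the security-relevant ones such as `smart_card_status` and `lockout_time`.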
12 changes: 2 additions & 10 deletions controls/V-71855.rb
@@ -1,16 +1,8 @@
# encoding: utf-8
#
disable_slow_controls = input(
'disable_slow_controls',
value: false,
description: 'If enabled, this attribute disables this control and other
controls that consistently take a long time to complete.')
disable_slow_controls = input('disable_slow_controls')

rpm_verify_integrity_except = input(
'rpm_verify_integrity_except',
value: [],
description: 'This is a list of system files that should be allowed to change
from an rpm verify point of view.')
rpm_verify_integrity_except = input('rpm_verify_integrity_except')

control "V-71855" do
title "The cryptographic hash of system files and commands must match vendor
12 changes: 3 additions & 9 deletions controls/V-71859.rb
@@ -1,15 +1,9 @@
# encoding: utf-8
#

banner_message_enabled = input('banner_message_enabled', value: "true",
description: 'The banner message must display the Standard Mandatory DoD notice
before granting access.')

dconf_user = input(
'dconf_user',
value: nil,
description: "User to use to check dconf settings"
)
banner_message_enabled = input('banner_message_enabled')

dconf_user = input('dconf_user')

control "V-71859" do
title "The operating system must display the Standard Mandatory DoD Notice
28 changes: 3 additions & 25 deletions controls/V-71861.rb
@@ -1,30 +1,8 @@
# encoding: utf-8
#
banner_message_text_gui = input('banner_message_text_gui',
value:
"You are accessing a U.S. Government (USG) Information System (IS) that is \
provided for USG-authorized use only. By using this IS (which includes any \
device attached to this IS), you consent to the following conditions: -The USG \
routinely intercepts and monitors communications on this IS for purposes \
including, but not limited to, penetration testing, COMSEC monitoring, network \
operations and defense, personnel misconduct (PM), law enforcement (LE), and \
counterintelligence (CI) investigations. -At any time, the USG may inspect and \
seize data stored on this IS. -Communications using, or data stored on, this \
IS are not private, are subject to routine monitoring, interception, and \
search, and may be disclosed or used for any USG-authorized purpose. -This IS \
includes security measures (e.g., authentication and access controls) to \
protect USG interests--not for your personal benefit or privacy. \
-Notwithstanding the above, using this IS does not constitute consent to PM, \
LE or CI investigative searching or monitoring of the content of privileged \
communications, or work product, related to personal representation or \
services by attorneys, psychotherapists, or clergy, and their assistants. Such \
communications and work product are private and confidential. See User \
Agreement for details.",
description: 'The banner message must display the designated banner before granting access.')

banner_message_text_gui_limited = input('banner_message_text_gui_limited',
value: "I've read & consent to terms in IS user agreem't.",
description: 'The banner message must display the designated banner before granting access.')
banner_message_text_gui = input('banner_message_text_gui')

banner_message_text_gui_limited = input('banner_message_text_gui_limited')

control "V-71861" do
title "The operating system must display the approved Standard Mandatory DoD
28 changes: 3 additions & 25 deletions controls/V-71863.rb
Expand Up @@ -3,31 +3,9 @@

#TODO: Make sure this is actually an onlyif on the GUI - ssh banner, ftp banner also use /etc/issue

banner_message_text_cli = input('banner_message_text_cli',
value:
"You are accessing a U.S. Government (USG) Information System (IS) that is \
provided for USG-authorized use only. By using this IS (which includes any \
device attached to this IS), you consent to the following conditions: -The USG \
routinely intercepts and monitors communications on this IS for purposes \
including, but not limited to, penetration testing, COMSEC monitoring, network \
operations and defense, personnel misconduct (PM), law enforcement (LE), and \
counterintelligence (CI) investigations. -At any time, the USG may inspect and \
seize data stored on this IS. -Communications using, or data stored on, this \
IS are not private, are subject to routine monitoring, interception, and \
search, and may be disclosed or used for any USG-authorized purpose. -This IS \
includes security measures (e.g., authentication and access controls) to \
protect USG interests--not for your personal benefit or privacy. \
-Notwithstanding the above, using this IS does not constitute consent to PM, \
LE or CI investigative searching or monitoring of the content of privileged \
communications, or work product, related to personal representation or \
services by attorneys, psychotherapists, or clergy, and their assistants. Such \
communications and work product are private and confidential. See User \
Agreement for details.",
description: 'The banner message must display the designated banner before granting access.')

banner_message_text_cli_limited = input('banner_message_text_cli_limited',
value: "I've read & consent to terms in IS user agreem't.",
description: 'The banner message must display the designated banner before granting access.')
banner_message_text_cli = input('banner_message_text_cli')

banner_message_text_cli_limited = input('banner_message_text_cli_limited')

control "V-71863" do
title "The operating system must display the Standard Mandatory DoD Notice
35 changes: 12 additions & 23 deletions controls/V-71895.rb
@@ -1,24 +1,6 @@
# encoding: utf-8
#
=begin
-----------------
Benchmark: Red Hat Enterprise Linux 7 Security Technical Implementation Guide
Status: Accepted

This Security Technical Implementation Guide is published as a tool to improve
the security of Department of Defense (DoD) information systems. The
requirements are derived from the National Institute of Standards and
Technology (NIST) 800-53 and related documents. Comments or proposed revisions
to this document should be sent via email to the following address:
[email protected].

Release Date: 2017-03-08
Version: 1
Publisher: DISA
Source: STIG.DOD.MIL
uri: http://iase.disa.mil
-----------------
=end
skip_deprecated_test = input('skip_deprecated_test')

control "V-71895" do
title "The operating system must set the idle delay setting for all connection
Expand Down Expand Up @@ -82,9 +64,16 @@

/org/gnome/desktop/screensaver/idle-delay"

describe command("grep -i idle-delay /etc/dconf/db/*/locks/*") do
its('stdout.strip') { should_not cmp "" }
its('stderr') { should_not match /.*No such file or directory\n?$/ }

if skip_deprecated_test
describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do
skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True"
end
else
describe command("grep -i idle-delay /etc/dconf/db/*/locks/*") do
its('stdout.strip') { should_not cmp "" }
its('stderr') { should_not match /.*No such file or directory\n?$/ }
end
only_if { package('gnome-desktop3').installed? }
end
only_if { package('gnome-desktop3').installed? }
end
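Review bot: The `only_if { package('gnome-desktop3').installed? }` inside the else branch, right after the describe block, duplicates the one kept at control level two lines below; as far as I know `only_if` registers a skip condition for the whole control wherever it is called, so the inner copy adds nothing and should be removed. The skip message says `'skip_deprecated_test' is set to True` while the Ruby value is `true`, and the same long string is repeated as both the describe label and the skip reason here and in V-71981; a single constant would keep the two in step. The control's opening lines and its `only_if` semantics relative to the skip branch are outside this hunk.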
5 changes: 1 addition & 4 deletions controls/V-71901.rb
@@ -1,10 +1,7 @@
# encoding: utf-8
#

lock_delay = input('lock_delay',
value: 5,
description: 'The scereensaver lock-delay must be less than or equal to the
specified value.')
lock_delay = input('lock_delay')

control "V-71901" do
title "The operating system must initiate a session lock for graphical user
4 changes: 1 addition & 3 deletions controls/V-71911.rb
@@ -1,9 +1,7 @@
# encoding: utf-8
#

difok = input('difok', value: 8, description: 'The acceptable range of
values for difok which specifies the maximum number of characters that must
change when a password is changed.')
difok = input('difok')

control "V-71911" do
title "When passwords are changed a minimum of eight of the total number of
4 changes: 1 addition & 3 deletions controls/V-71933.rb
Expand Up @@ -5,9 +5,7 @@
# TODO this can happen if `authconfig` has not been run on the system yet and
# TODO the system is still using the `non-ac` versions of the files yet.

min_reuse_generations = input('min_reuse_generations', value: 5,
description: 'The minimum number of generations before a password can be
reused.')
min_reuse_generations = input('min_reuse_generations')

control "V-71933" do
title "Passwords must be prohibited from reuse for a minimum of five
3 changes: 1 addition & 2 deletions controls/V-71935.rb
Expand Up @@ -4,8 +4,7 @@
# TODO update attrib to use the same `style` as the other PAM/PASSWD attributes
# TODO we should also have a PAM_PWQUALITY_PATH attrib I think

min_len = input('min_len', value: 15,
description: 'The minimum number of characters for passwords.')
min_len = input('min_len')

control "V-71935" do
title "Passwords must be a minimum of 15 characters in length."
3 changes: 1 addition & 2 deletions controls/V-71941.rb
@@ -1,8 +1,7 @@
# encoding: utf-8
#

days_of_inactivity = input('days_of_inactivity', value: 0, description: 'The
number of days of inactivity before an account is disabled.')
days_of_inactivity = input('days_of_inactivity')

control "V-71941" do
title "The operating system must disable account identifiers (individuals,
13 changes: 3 additions & 10 deletions controls/V-71943.rb
@@ -1,16 +1,9 @@
# encoding: utf-8
#

unsuccessful_attempts = input('unsuccessful_attempts', value: 3,
description: 'The account is denied access after the specified number of
consecutive failed logon attempts.')
fail_interval = input('fail_interval', value: 900,
description: 'The interval of time in which the consecutive failed logon
attempts must occur in order for the account to be locked out (in seconds).')
lockout_time = input('lockout_time', value: 604800,
description: 'The minimum amount of time that an account must be locked out
after the specified number of unsuccessful logon attempts (in seconds).
This attribute should never be set greater than 604800.')
unsuccessful_attempts = input('unsuccessful_attempts')
fail_interval = input('fail_interval')
lockout_time = input('lockout_time')

control "V-71943" do
title "Accounts subject to three unsuccessful logon attempts within 15
18 changes: 3 additions & 15 deletions controls/V-71961.rb
@@ -1,20 +1,8 @@
# encoding: utf-8
#
grub_superuser = input(
'grub_superuser',
description: 'superusers for grub boot ( array )',
value: ['root']
)
grub_user_boot_files = input(
'grub_user_boot_files',
description: 'grub boot config files',
value: ['/boot/grub2/user.cfg']
)
grub_main_cfg = input(
'grub_main_cfg',
description: 'main grub boot config file',
value: '/boot/grub2/grub.cfg'
)
grub_superuser = input('grub_superuser')
grub_user_boot_files = input('grub_user_boot_files')
grub_main_cfg = input('grub_main_cfg')

control "V-71961" do
title "Systems with a Basic Input/Output System (BIOS) must require
18 changes: 3 additions & 15 deletions controls/V-71963.rb
@@ -1,21 +1,9 @@
# encoding: utf-8
#

efi_superusers = input(
'efi_superusers',
description: 'superusers for efi boot ( array )',
value: ['root']
)
efi_user_boot_files = input(
'efi_user_boot_files',
description: 'efi boot config files',
value: ['/boot/efi/EFI/redhat/user.cfg']
)
efi_main_cfg = input(
'efi_main_cfg',
description: 'main efi boot config file',
value: '/boot/efi/EFI/redhat/grub.cfg'
)
efi_superusers = input('efi_superusers')
efi_user_boot_files = input('efi_user_boot_files')
efi_main_cfg = input('efi_main_cfg')

control "V-71963" do
title "Systems using Unified Extensible Firmware Interface (UEFI) must
6 changes: 1 addition & 5 deletions controls/V-71965.rb
Expand Up @@ -8,11 +8,7 @@
# users may be unable to log into the system.
#

smart_card_status = input(
'smart_card_status',
value: 'enabled', # values(enabled|disabled)
description: 'Smart Card Status'
)
smart_card_status = input('smart_card_status')

control "V-71965" do
title "The operating system must uniquely identify and must authenticate
6 changes: 1 addition & 5 deletions controls/V-71971.rb
@@ -1,11 +1,7 @@
# encoding: utf-8
#
# Will need to be changed to reflect list of authorized system accounts
admin_logins = input(
'admin_logins',
value: [],
description: "System accounts that support approved system activities."
)
admin_logins = input('admin_logins')

# TODO we really do need an `semanage` resource.

28 changes: 20 additions & 8 deletions controls/V-71981.rb
@@ -1,5 +1,7 @@
# encoding: utf-8
#
skip_deprecated_test = input('skip_deprecated_test')

control "V-71981" do
title "The operating system must prevent the installation of software,
patches, service packs, device drivers, or operating system components of
Expand Down Expand Up @@ -52,15 +54,25 @@
repo_gpgcheck=1"
tag "fix_id": "F-78333r1_fix"

yum_conf = '/etc/yum.conf'

if ((f = file(yum_conf)).exist?)
describe ini(yum_conf) do
its('main.repo_gpgcheck') { cmp 1 }
if skip_deprecated_test
describe "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True" do
skip "This control has been deprecated out of the RHEL7 STIG. It will not be run because 'skip_deprecated_test' is set to True"
end
else
describe f do
it { should exist }
yum_conf = file('/etc/yum.conf')

describe yum_conf.path do
context yum_conf do
it { should exist }
end

if yum_conf.exist?
context '[main]' do
context 'repo_gpgcheck' do
it { expect( ini(yum_conf.path)['main'][subject] ).to cmp 1 }
end
end
end
end
end
end
end
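Review bot: In `it { expect( ini(yum_conf.path)['main'][subject] ).to cmp 1 }` the `subject` is RSpec's implicit subject, i.e. the string `'repo_gpgcheck'` from the enclosing `context`; it works, but it hides the key under test from anyone reading the control or its report, and the surrounding `describe yum_conf.path` / `context yum_conf` wraps a file resource in a string-described group for no gain. A flat pair of describes on the resources themselves reads better and reports the path and key explicitly, as in the rewrite below. Separately, `repo_gpgcheck` in `[main]` is only the global default that per-repository files under /etc/yum.repos.d can override; this check, like the one it replaces, does not look there, which deserves a comment so readers do not assume full coverage.
```ruby
  # … unchanged: skip_deprecated_test branch …
  else
    yum_conf = file('/etc/yum.conf')

    describe yum_conf do
      it { should exist }
    end

    if yum_conf.exist?
      describe ini(yum_conf.path) do
        # [main] repo_gpgcheck is only the global default; per-repository files
        # under /etc/yum.repos.d may override it and are not inspected here.
        its(['main', 'repo_gpgcheck']) { should cmp 1 }
      end
    end
  end
```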