From 054c452d7117385b94960145a69619e09ebe77ce Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 15 Jul 2017 10:30:02 +0100 Subject: [PATCH 1/2] Not using aide Check for tripwire cron entry instead --- src/freedombone-tests | 2 +- tests/check-aide-cron.sh | 5 ----- tests/check-tripwire-cron.sh | 5 +++++ 3 files changed, 6 insertions(+), 6 deletions(-) delete mode 100644 tests/check-aide-cron.sh create mode 100644 tests/check-tripwire-cron.sh diff --git a/src/freedombone-tests b/src/freedombone-tests index 3ff7785a..045797a3 100755 --- a/src/freedombone-tests +++ b/src/freedombone-tests @@ -1031,7 +1031,7 @@ function test_stig { ##RHEL-06-000302 ##A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries. - bash $STIG_TESTS_DIR/check-aide-cron.sh > /dev/null 2>&1 & + bash $STIG_TESTS_DIR/check-tripwire-cron.sh > /dev/null 2>&1 & stig_spinner $! output "V-38695" $? ${SETLANG} diff --git a/tests/check-aide-cron.sh b/tests/check-aide-cron.sh deleted file mode 100644 index 73b76148..00000000 --- a/tests/check-aide-cron.sh +++ /dev/null @@ -1,5 +0,0 @@ -#1/bin/bash - -if [ $(grep aide /etc/crontab /etc/cron.*/* | wc -l) -ne 0 ];then - exit 1 -fi diff --git a/tests/check-tripwire-cron.sh b/tests/check-tripwire-cron.sh new file mode 100644 index 00000000..eb17e22c --- /dev/null +++ b/tests/check-tripwire-cron.sh @@ -0,0 +1,5 @@ +#1/bin/bash + +if [ ! -f /etc/cron.daily/tripwire ];then + exit 1 +fi From 9741890691e3e5941fdbc60f8e1cfac1b4781327 Mon Sep 17 00:00:00 2001 
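Review bot: The first line of the new tests/check-tripwire-cron.sh is `#1/bin/bash`, a plain comment rather than a shebang, so the file only runs because src/freedombone-tests invokes it through `bash` explicitly; it should read `#!/bin/bash` (the deleted check-aide-cron.sh carried the same typo, which this commit copies forward). The test also passes whenever /etc/cron.daily/tripwire merely exists, including when it is not executable, and cron.daily entries are normally skipped by run-parts unless executable, so `if [ ! -x /etc/cron.daily/tripwire ];then` is the closer check for the weekly integrity-check requirement quoted in the src/freedombone-tests hunk. A one-line header comment naming the STIG item it serves (V-38695 / RHEL-06-000302, both visible in the caller's hunk) would help the next reader.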
From: Bob Mottram Date: Sat, 15 Jul 2017 11:10:40 +0100 Subject: [PATCH 2/2] stig test for tripwire database --- src/freedombone-tests | 9 +++++++++ tests/check-aide-baseline.sh | 27 --------------------------- tests/check-tripwire-baseline.sh | 5 +++++ tests/output.sh | 2 +- 4 files changed, 15 insertions(+), 28 deletions(-) delete mode 100644 tests/check-aide-baseline.sh create mode 100644 tests/check-tripwire-baseline.sh diff --git a/src/freedombone-tests b/src/freedombone-tests index 045797a3..5272fbf2 100755 --- a/src/freedombone-tests +++ b/src/freedombone-tests @@ -1037,6 +1037,15 @@ function test_stig { output "V-38695" $? ${SETLANG} ################ + ##RHEL-06-000018 + #For tripwire to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files. + + bash $STIG_TESTS_DIR/check-tripwire-baseline.sh > /dev/null 2>&1 & + + stig_spinner $! + output "V-51391" $? ${SETLANG} + ################ + ##RHEL-06-000308 ##Process core dumps must be disabled unless needed. diff --git a/tests/check-aide-baseline.sh b/tests/check-aide-baseline.sh deleted file mode 100644 index 45c36af4..00000000 --- a/tests/check-aide-baseline.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/bash -#Tested on Aide 0.16a2-19-g16ed855 - -CHECKDATABASE=$(grep "database=" /etc/aide/aide.conf 2>/dev/null ) -if [ $? -eq 0 ];then - : -else - echo "couldn""'""t found aide.conf" - exit 1 -fi - -DATABASE=$(echo $CHECKDATABASE | awk -F ':' '{printf $2}' 2>/dev/null) - -if [ $? -eq 0 ];then - : -else - echo "couldn""'""t found database location at aide.conf" - exit 1 -fi - -if [ -f "$DATABASE" ];then - echo "There is a baseline for aide." - exit 0 -else - echo "Can""'""t find aide baseline" - exit 1 -fi diff --git a/tests/check-tripwire-baseline.sh b/tests/check-tripwire-baseline.sh new file mode 100644 index 00000000..05f09ce0 --- /dev/null +++ b/tests/check-tripwire-baseline.sh 
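Review bot: The description comment in the added V-51391 block uses a single `#` (`#For tripwire to be effective, …`) while the neighbouring STIG entries in this function use `##`, so it should read `##For tripwire to be effective, …` to keep the block scannable. The status handed to `output "V-51391" $? ${SETLANG}` is the return value of `stig_spinner $!`, not of the background check itself; this mirrors the existing V-38695 entry, so presumably stig_spinner waits on the PID and propagates that status, but it is worth confirming since otherwise every test would report the spinner's result. The enclosing `test_stig` function starts and ends outside the hunk.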
@@ -0,0 +1,5 @@ +#!/bin/bash + +if ! ls /var/lib/tripwire/*.twd 1> /dev/null 2>&1; then + exit 1 +fi diff --git a/tests/output.sh b/tests/output.sh index 3f5ebe4d..78debf9b 100644 --- a/tests/output.sh +++ b/tests/output.sh @@ -259,7 +259,7 @@ an administrator.\n\n######################\n\n' >> $LOG log_msg $2 '必须创建文件完整性基线。' fi if [ $2 -ne 0 ];then - printf '\n######################\n\nSTIG-ID:RHEL-06-000018\n\nVulnerability Discussion: For AIDE to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.\n\nFix text: Run the following command to generate a new database:\n\n#aideinit\n\nBy default, the database will be written to the file "/var/lib/aide/aide.db.new.gz". Storing the database, the configuration file "/etc/aide.conf", and the binary "/usr/sbin/aide" (or hashes of these files), in a secure location (such as on read-only media) provides additional assurance about their integrity.\n\nThe newlygenerated database can be installed as follows:\n\n#cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db\n\nTo initiate a manual check, run the following command:\n\n#/usr/sbin/aide --check\n\nIf this check produces any unexpected output, investigate.\n\n######################\n\n' >> $LOG + printf '\n######################\n\nSTIG-ID:RHEL-06-000018\n\nVulnerability Discussion: For tripwire to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.\n\nFix text: Run "reset tripwire" from the administrator control panel.\n\n######################\n\n' >> $LOG fi ;; V-38491) if [ "$3" = "en" ]; then
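Review bot: The new tests/check-tripwire-baseline.sh exits 0 as soon as `ls /var/lib/tripwire/*.twd` finds any match, so an empty or truncated database file passes as a valid baseline; testing the glob in the shell and requiring a non-empty file is stricter and avoids spawning ls just for its exit status: `for db in /var/lib/tripwire/*.twd; do [ -s "$db" ] && exit 0; done` followed by `exit 1`. With nullglob unset an unmatched pattern expands to itself and `-s` then fails on the literal name, so no shopt is needed. The file header of this hunk sits on the previous physical line; the hunk itself is complete.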
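Review bot: The rewritten RHEL-06-000018 fix text in tests/output.sh drops the old paragraph advising that the database, configuration file and checker binary (or hashes of them) be kept in a secure location such as read-only media; that advice is tool-agnostic and is what protects the baseline the new check-tripwire-baseline.sh test looks for, so keep a tripwire-flavoured sentence after the control-panel instruction, e.g. `Storing the tripwire database and configuration (or hashes of them) on read-only media provides additional assurance about their integrity.` The format string remains a fixed literal, and the only expansion is the pre-existing unquoted `$LOG` redirect target. The case arm this printf sits in starts and ends outside the hunk.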