1329 lines
38 KiB
Bash
Executable File
1329 lines
38 KiB
Bash
Executable File
#!/bin/bash
|
|
# _____ _ _
|
|
# | __|___ ___ ___ _| |___ _____| |_ ___ ___ ___
|
|
# | __| _| -_| -_| . | . | | . | . | | -_|
|
|
# |__| |_| |___|___|___|___|_|_|_|___|___|_|_|___|
|
|
#
|
|
# Freedom in the Cloud
|
|
#
|
|
# Run tests on the system
|
|
#
|
|
# License
|
|
# =======
|
|
#
|
|
# Copyright (C) 2015-2018 Bob Mottram <bob@freedombone.net>
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU Affero General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU Affero General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
PROJECT_NAME='freedombone'
|
|
|
|
export TEXTDOMAIN=${PROJECT_NAME}-tests
|
|
export TEXTDOMAINDIR="/usr/share/locale"
|
|
source /usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-setup
|
|
|
|
# Whether to run STIG tests
|
|
RUN_STIG=
|
|
|
|
# Whether to show both passes and fails of STIG tests
|
|
SHOW_ALL_TESTS=
|
|
|
|
function show_help {
|
|
echo ''
|
|
echo $"${PROJECT_NAME}-tests"
|
|
echo ''
|
|
echo $'Runs tests on the system'
|
|
echo ''
|
|
echo $' -s --stig [yes|no|fix] Run STIG tests'
|
|
echo $' -a --static Run static analysis on scripts'
|
|
echo $' --help Show help'
|
|
echo ''
|
|
exit 0
|
|
}
|
|
|
|
function test_app_function_type {
|
|
filename=$1
|
|
fn_type=$2
|
|
app_name=$(echo "${filename}" | awk -F '-app-' '{print $2}')
|
|
app_function=$(grep "function ${fn_type}_${app_name} {" "${filename}" | awk -F "${fn_type}_" '{print $2}' | awk -F ' ' '{print $1}')
|
|
if [ ! "${app_function}" ]; then
|
|
echo $"Application ${app_name} does not contain a function called '${fn_type}_${app_name}'"
|
|
echo ''
|
|
echo "See ${filename}"
|
|
exit 72852
|
|
fi
|
|
}
|
|
|
|
function test_static_analysis {
|
|
if [ ! -f /usr/bin/shellcheck ]; then
|
|
apt-get -yq install shellcheck
|
|
fi
|
|
|
|
STATIC_ANALYSIS_EXCLUDED='SC2034,SC1090'
|
|
|
|
FILES="/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-*"
|
|
|
|
for filename in $FILES
|
|
do
|
|
if ! shellcheck --exclude "$STATIC_ANALYSIS_EXCLUDED" "$filename"; then
|
|
echo ''
|
|
echo $"${filename} failed static analysis"
|
|
exit 24687242
|
|
fi
|
|
done
|
|
|
|
FILES="/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-*"
|
|
|
|
for filename in $FILES
|
|
do
|
|
if ! shellcheck --exclude "$STATIC_ANALYSIS_EXCLUDED" "$filename"; then
|
|
echo ''
|
|
echo $"${filename} failed static analysis"
|
|
exit 3857395935
|
|
fi
|
|
done
|
|
|
|
FILES="/usr/local/bin/${PROJECT_NAME}-*"
|
|
|
|
for filename in $FILES
|
|
do
|
|
if [[ "$filename" == *"-config-qtox" || "$filename" == *"-image-make"* ]]; then
|
|
continue
|
|
fi
|
|
|
|
if ! shellcheck --exclude "$STATIC_ANALYSIS_EXCLUDED" "$filename"; then
|
|
echo ''
|
|
echo $"${filename} failed static analysis"
|
|
exit 784243468435
|
|
fi
|
|
done
|
|
}
|
|
|
|
function test_app_functions {
|
|
if [ $RUN_STIG ]; then
|
|
return
|
|
fi
|
|
FILES="/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*"
|
|
|
|
# check that these functions exist
|
|
interface_functions=( install remove backup_local backup_remote restore_local restore_remote upgrade reconfigure )
|
|
|
|
# for all the app scripts
|
|
for filename in $FILES
|
|
do
|
|
# for each expected interface function
|
|
# shellcheck disable=SC2068
|
|
for f in ${interface_functions[@]}
|
|
do
|
|
test_app_function_type "${filename}" "$f"
|
|
done
|
|
done
|
|
}
|
|
|
|
function test_unique_onion_ports {
|
|
if [ $RUN_STIG ]; then
|
|
return
|
|
fi
|
|
|
|
# test that some services are not assigned the same onion port
|
|
FILES="/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-*"
|
|
# shellcheck disable=SC2086
|
|
ports=$(grep -r "_ONION_PORT=" $FILES | awk -F ':' '{print $2}' | uniq | awk -F '=' '{print $2}')
|
|
# shellcheck disable=SC2086
|
|
unique_ports=$(grep -r "_ONION_PORT=" $FILES | awk -F ':' '{print $2}' | uniq | awk -F '=' '{print $2}' | uniq)
|
|
if [[ "$ports" != "$unique_ports" ]]; then
|
|
echo $'Some onion ports are clashing'
|
|
# shellcheck disable=SC2086
|
|
grep -r "_ONION_PORT=" $FILES | awk -F ':' '{print $2}' | uniq
|
|
exit 637252
|
|
fi
|
|
}
|
|
|
|
function stig_log_msg {
|
|
|
|
ESTATUS=$1
|
|
RED=$(tput setaf 1)
|
|
BOLD=$(tput bold)
|
|
GREEN=$(tput setaf 2)
|
|
NORMAL=$(tput sgr0)
|
|
MSG="$2"
|
|
|
|
if [ "$ESTATUS" -eq 0 ];then
|
|
printf "%s %s" "$GREEN$BOLD[ PASS ]$NORMAL" "$MSG"
|
|
echo
|
|
else
|
|
printf "%s %s" "$RED$BOLD[ FAIL ]$NORMAL" "$MSG"
|
|
echo
|
|
fi
|
|
}
|
|
|
|
function stig_spinner {
|
|
|
|
local pid=$1
|
|
local delay=0.1
|
|
# shellcheck disable=SC2143
|
|
while [ "$(ps -a | awk '{print $1}' | grep "$pid")" ];
|
|
do
|
|
sleep $delay
|
|
done
|
|
printf " \\b"
|
|
wait "$1"
|
|
}
|
|
|
|
function disallow_package {
|
|
package_name=$1
|
|
|
|
if service --status-all | grep "+.*${package_name}";then
|
|
apt-get -yq remove --purge "${package_name}"
|
|
apt -yq autoremove
|
|
fi
|
|
}
|
|
|
|
function fix_stig {
|
|
if [[ $RUN_STIG != 'fix' ]]; then
|
|
return
|
|
fi
|
|
disallow_package xinetd
|
|
lockdown_permissions
|
|
}
|
|
|
|
function test_stig {
|
|
if [ ! $RUN_STIG ]; then
|
|
return
|
|
fi
|
|
STIG_TESTS_DIR=tests
|
|
if [ ! -d $STIG_TESTS_DIR ]; then
|
|
STIG_TESTS_DIR=~/${PROJECT_NAME}/tests
|
|
if [ ! -d $STIG_TESTS_DIR ]; then
|
|
echo $'No tests were found'
|
|
exit 62725
|
|
fi
|
|
fi
|
|
|
|
CATCOLOR=1
|
|
SETLANG="en"
|
|
|
|
source "$STIG_TESTS_DIR/output.sh"
|
|
|
|
##RHEL-06-000001
|
|
##The system must use a separate file system for /tmp.
|
|
mount | grep "on /tmp " >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38455" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000008
|
|
##Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
|
|
|
|
bash $STIG_TESTS_DIR/check-apt-key.sh >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38476" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000016
|
|
##A file integrity tool must be installed.
|
|
|
|
dpkg -s tripwire >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38489" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000019
|
|
##There must be no .rhosts or hosts.equiv files on the system.
|
|
|
|
bash $STIG_TESTS_DIR/check-rhosts.sh > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38491" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000027
|
|
##The system must prevent the root account from logging in from virtual consoles.
|
|
|
|
bash $STIG_TESTS_DIR/check-consoles.sh virtual > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38492" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000028
|
|
##The system must prevent the root account from logging in from serial consoles.
|
|
|
|
bash $STIG_TESTS_DIR/check-consoles.sh serial > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38494" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000029
|
|
##Default operating system accounts, other than root, must be locked.
|
|
|
|
bash $STIG_TESTS_DIR/check-default-account.sh > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38496" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000031
|
|
##The /etc/passwd file must not contain password hashes.
|
|
|
|
awk -F: '($2 != "x") {print; err=1} END {exit err}' /etc/passwd > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38499" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000032
|
|
##The root account must be the only account having a UID of 0.
|
|
|
|
bash $STIG_TESTS_DIR/check-root-uid.sh > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38500" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000033
|
|
##The /etc/shadow file must be owned by root.
|
|
|
|
# shellcheck disable=SC2012
|
|
ls -l /etc/shadow | awk '{print $3}' | grep "^root$" > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38502" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000034
|
|
##The /etc/shadow file must be group-owned by root.
|
|
|
|
# shellcheck disable=SC2012
|
|
ls -l /etc/shadow | awk '{print $4}' | grep "^root$" > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38503" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000035
|
|
##The /etc/shadow file must have mode 0000.
|
|
|
|
# shellcheck disable=SC2012
|
|
ls -l /etc/shadow | awk '{print $1}' | grep "^----------$" > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38504" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000036
|
|
##The /etc/gshadow file must be owned by root.
|
|
|
|
# shellcheck disable=SC2012
|
|
ls -l /etc/gshadow | awk '{print $3}' | grep "^root$" > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38443" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000037
|
|
##The /etc/gshadow file must be group-owned by root.
|
|
|
|
# shellcheck disable=SC2012
|
|
ls -l /etc/gshadow | awk '{print $4}' | grep "^root$" > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38448" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000038
|
|
##The /etc/gshadow file must have mode 0000.
|
|
|
|
# shellcheck disable=SC2012
|
|
ls -l /etc/gshadow | awk '{print $1}' | grep "^----------$" > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38449" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000039
|
|
##The /etc/passwd file must be owned by root.
|
|
|
|
# shellcheck disable=SC2012
|
|
ls -l /etc/passwd | awk '{print $3}' | grep "^root$" > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38450" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000040
|
|
##The /etc/passwd file must be group-owned by root.
|
|
|
|
# shellcheck disable=SC2012
|
|
ls -l /etc/passwd | awk '{print $4}' | grep "^root$" > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38451" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000041
|
|
##The /etc/passwd file must have mode 0644 or less permissive.
|
|
|
|
bash $STIG_TESTS_DIR/check-mode.sh /etc/passwd 644 > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38457" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000042
|
|
##The /etc/group file must be owned by root.
|
|
|
|
# shellcheck disable=SC2012
|
|
ls -l /etc/group | awk '{print $3}' | grep "^root$" > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38458" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000043
|
|
##The /etc/group file must be group-owned by root.
|
|
|
|
# shellcheck disable=SC2012
|
|
ls -l /etc/group | awk '{print $4}' | grep "^root$" > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38459" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000044
|
|
##The /etc/group file must have mode 0644 or less permissive.
|
|
|
|
bash $STIG_TESTS_DIR/check-mode.sh "/etc/group" 644 > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38461" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000045
|
|
##Library files must have mode 0755 or less permissive.
|
|
|
|
bash $STIG_TESTS_DIR/check-libs-mode.sh > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38465" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000046
|
|
##Library files must be owned by root.
|
|
|
|
bash $STIG_TESTS_DIR/check-libs-owner.sh > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38466" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000047
|
|
##All system command files must have mode 755 or less permissive.
|
|
|
|
bash $STIG_TESTS_DIR/check-cmd-mode.sh > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38469" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000048
|
|
##All system command files must be owned by root.
|
|
|
|
bash $STIG_TESTS_DIR/check-cmd-owner.sh > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38472" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000061
|
|
##The system must disable accounts after ten consecutive unsuccessful logon attempts.
|
|
|
|
bash $STIG_TESTS_DIR/check-password.sh /etc/pam.d/common-auth pam_tally deny gt 10 > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38573" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000062
|
|
##The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).
|
|
|
|
sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/pam.d/* | grep password | grep pam_unix.so | grep sha512 > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38574" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000063
|
|
##The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).
|
|
|
|
sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/login.defs | grep "ENCRYPT_METHOD.*SHA512" > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38576" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000064
|
|
##The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).
|
|
|
|
bash $STIG_TESTS_DIR/check-depends.sh > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38577" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000071
|
|
##The system must allow locking of the console screen in text mode.
|
|
|
|
dpkg -s screen >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38590" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000078
|
|
##The system must implement virtual address space randomization.
|
|
|
|
bash $STIG_TESTS_DIR/check-sysctl.sh kernel.randomize_va_space ne 2 >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38596" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000080
|
|
##The system must not send ICMPv4 redirects by default.
|
|
|
|
bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.conf.default.send_redirects ne 0 >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38600" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000081
|
|
##The system must not send ICMPv4 redirects from any interface.
|
|
|
|
bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.conf.all.send_redirects ne 0 >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38601" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000082
|
|
##IP forwarding for IPv4 must not be enabled, unless the system is a router.
|
|
|
|
bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.ip_forward ne 0 >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38511" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000083
|
|
##The system must not accept IPv4 source-routed packets on any interface.
|
|
|
|
bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.conf.all.accept_source_route ne 0 >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38523" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000084
|
|
##The system must not accept ICMPv4 redirect packets on any interface.
|
|
|
|
bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.conf.all.accept_redirects ne 0 >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38524" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000086
|
|
##The system must not accept ICMPv4 secure redirect packets on any interface.
|
|
|
|
bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.conf.all.secure_redirects ne 0 >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38526" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000089
|
|
##The system must not accept IPv4 source-routed packets by default.
|
|
|
|
bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.conf.default.accept_source_route ne 0 >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38529" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000090
|
|
##The system must not accept ICMPv4 secure redirect packets by default.
|
|
|
|
bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.conf.default.secure_redirects ne 0 >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38532" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000091
|
|
##The system must ignore ICMPv4 redirect messages by default.
|
|
|
|
bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.conf.default.accept_redirects ne 0 >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38533" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000092
|
|
##The system must not respond to ICMPv4 sent to a broadcast address.
|
|
|
|
bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.icmp_echo_ignore_broadcasts ne 1 >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38535" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000093
|
|
##The system must ignore ICMPv4 bogus error responses.
|
|
|
|
bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.icmp_ignore_bogus_error_responses ne 1 >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38537" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000095
|
|
##The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
|
|
|
|
bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.tcp_syncookies ne 1 >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38539" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000096
|
|
##The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
|
|
|
|
bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.conf.all.rp_filter ne 1 >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38542" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000097
|
|
##The system must use a reverse-path filter for IPv4 network traffic when possible by default.
|
|
|
|
bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.conf.default.rp_filter ne 1 >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38544" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000099
|
|
##The system must ignore ICMPv6 redirects by default.
|
|
##If IPv6 is disabled, this is not applicable.
|
|
|
|
if [ -a /proc/net/if_inet6 ];then
|
|
|
|
bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv6.conf.default.accept_redirects ne 1 >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38548" $? ${SETLANG}
|
|
fi
|
|
################
|
|
|
|
##RHEL-06-000120
|
|
##The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound
|
|
|
|
iptables -L INPUT | head -n1 | grep "INPUT.*DROP" >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38513" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000138
|
|
##System logs must be rotated daily.
|
|
|
|
bash $STIG_TESTS_DIR/check-logrotate.sh >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38624" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000203
|
|
##The xinetd service must be disabled if no network services utilizing it are enabled.
|
|
|
|
bash $STIG_TESTS_DIR/check-services.sh xinetd >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38582" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000204
|
|
##The xinetd service must be uninstalled if no network services utilizing it are enabled.
|
|
|
|
bash $STIG_TESTS_DIR/check-packages.sh xinetd >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38584" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000206
|
|
##The telnet-server package must not be installed.
|
|
|
|
bash $STIG_TESTS_DIR/check-packages.sh telnetd >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38587" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000211
|
|
##The telnet daemon must not be running.
|
|
|
|
bash $STIG_TESTS_DIR/check-services.sh telnetd >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38589" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000213
|
|
##The rsh-server package must not be installed.
|
|
|
|
bash $STIG_TESTS_DIR/check-packages.sh rsh-server >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38591" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000214
|
|
##The rshd service must not be running.
|
|
|
|
bash $STIG_TESTS_DIR/check-services.sh rshd >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38594" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000216
|
|
##The rexecd service must not be running.
|
|
|
|
bash $STIG_TESTS_DIR/check-services.sh rexecd >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38598" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000218
|
|
##The rlogind service must not be running.
|
|
|
|
bash $STIG_TESTS_DIR/check-services.sh rlogind >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38602" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000220
|
|
##The NIS(ypserv) package must not be installed.
|
|
|
|
bash $STIG_TESTS_DIR/check-packages.sh nis >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38603" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000221
|
|
##The nis(ypbind) service must not be running.
|
|
|
|
bash $STIG_TESTS_DIR/check-services.sh nis >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38604" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000224
|
|
##The cron service must be running.
|
|
|
|
bash $STIG_TESTS_DIR/check-services.sh cron >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38605" $? ${SETLANG}
|
|
################
|
|
|
|
##Check that openssh client and server are installed
|
|
bash $STIG_TESTS_DIR/check-ssh.sh installed >/dev/null 2>&1 &
|
|
stig_spinner $!
|
|
output "SV-86857r1_rule" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000227
|
|
##The SSH daemon must be configured to use only the SSHv2 protocol.
|
|
|
|
bash $STIG_TESTS_DIR/check-ssh.sh Protocol >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38607" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000230
|
|
##The SSH daemon must set a timeout interval on idle sessions.
|
|
|
|
sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep "ClientAliveInterval" >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38608" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000231
|
|
##The SSH daemon must set a timeout count on idle sessions.
|
|
|
|
sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep "ClientAliveCountMax" >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38610" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000234
|
|
##The SSH daemon must ignore .rhosts files.
|
|
|
|
bash $STIG_TESTS_DIR/check-ssh.sh rhosts >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38611" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000236
|
|
##The SSH daemon must not allow host-based authentication.
|
|
|
|
bash $STIG_TESTS_DIR/check-ssh.sh hostauth >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38612" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000237
|
|
##The system must not permit root logins using remote access programs such as ssh.
|
|
|
|
bash $STIG_TESTS_DIR/check-ssh.sh permitroot >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38613" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000239
|
|
##The SSH daemon must not allow authentication using an empty password.
|
|
|
|
bash $STIG_TESTS_DIR/check-ssh.sh emptypassword >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38615" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000241
|
|
##The SSH daemon must not permit user environment settings.
|
|
|
|
bash $STIG_TESTS_DIR/check-ssh.sh emptypasswordenvironment >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38616" $? ${SETLANG}
|
|
################
|
|
|
|
##A FIPS 140-2 approved cryptographic algorithm must be used for SSH communications.
|
|
bash $STIG_TESTS_DIR/check-ssh.sh ciphers >/dev/null 2>&1 &
|
|
stig_spinner $!
|
|
output "SV-86845r2_rule" $? ${SETLANG}
|
|
################
|
|
|
|
##The Standard Notice must be displayed immediately prior to, or as part of, remote access logon prompts.
|
|
bash $STIG_TESTS_DIR/check-ssh.sh banner >/dev/null 2>&1 &
|
|
stig_spinner $!
|
|
output "SV-86849r2_rule" $? ${SETLANG}
|
|
################
|
|
|
|
##All networked systems must use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission.
|
|
bash $STIG_TESTS_DIR/check-ssh.sh sshd_status >/dev/null 2>&1 &
|
|
stig_spinner $!
|
|
output "SV-86859r2_rule" $? ${SETLANG}
|
|
################
|
|
|
|
##All network connections associated with SSH traffic must terminate at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements.
|
|
bash $STIG_TESTS_DIR/check-ssh.sh ClientAliveInterval >/dev/null 2>&1 &
|
|
stig_spinner $!
|
|
output "SV-86861r2_rule" $? ${SETLANG}
|
|
################
|
|
|
|
##The SSH daemon must not allow authentication using RSA rhosts authentication.
|
|
bash $STIG_TESTS_DIR/check-ssh.sh RhostsRSAAuthentication >/dev/null 2>&1 &
|
|
stig_spinner $!
|
|
output "SV-86863r2_rule" $? ${SETLANG}
|
|
################
|
|
|
|
##All network connections associated with SSH traffic must terminate after a period of inactivity.
|
|
bash $STIG_TESTS_DIR/check-ssh.sh ClientAliveCountMax >/dev/null 2>&1 &
|
|
stig_spinner $!
|
|
output "SV-86865r2_rule" $? ${SETLANG}
|
|
################
|
|
|
|
##The SSH daemon must not allow authentication using rhosts authentication.
|
|
bash $STIG_TESTS_DIR/check-ssh.sh IgnoreRhosts >/dev/null 2>&1 &
|
|
stig_spinner $!
|
|
output "SV-86867r2_rule" $? ${SETLANG}
|
|
################
|
|
|
|
##The system must display the date and time of the last successful account logon upon an SSH logon.
|
|
bash $STIG_TESTS_DIR/check-ssh.sh PrintLastLog >/dev/null 2>&1 &
|
|
stig_spinner $!
|
|
output "SV-86869r2_rule" $? ${SETLANG}
|
|
################
|
|
|
|
##The system must not permit direct logons to the root account using remote access via SSH.
|
|
bash $STIG_TESTS_DIR/check-ssh.sh permitroot >/dev/null 2>&1 &
|
|
stig_spinner $!
|
|
output "SV-86871r2_rule" $? ${SETLANG}
|
|
################
|
|
|
|
##The SSH daemon must not allow authentication using known hosts authentication.
|
|
bash $STIG_TESTS_DIR/check-ssh.sh IgnoreUserKnownHosts >/dev/null 2>&1 &
|
|
stig_spinner $!
|
|
output "SV-86873r2_rule" $? ${SETLANG}
|
|
################
|
|
|
|
##The SSH daemon must be configured to only use the SSHv2 protocol.
|
|
bash $STIG_TESTS_DIR/check-ssh.sh Protocol >/dev/null 2>&1 &
|
|
stig_spinner $!
|
|
output "SV-86875r2_rule" $? ${SETLANG}
|
|
################
|
|
|
|
##The SSH daemon must be configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms.
|
|
bash $STIG_TESTS_DIR/check-ssh.sh macs >/dev/null 2>&1 &
|
|
stig_spinner $!
|
|
output "SV-86877r2_rule" $? ${SETLANG}
|
|
################
|
|
|
|
##The SSH public host key files must have mode 0644 or less permissive.
|
|
bash $STIG_TESTS_DIR/check-ssh.sh pubkeypermissive >/dev/null 2>&1 &
|
|
stig_spinner $!
|
|
output "SV-86879r1_rule" $? ${SETLANG}
|
|
################
|
|
|
|
##The SSH private host key files must have mode 0600 or less permissive.
|
|
bash $STIG_TESTS_DIR/check-ssh.sh hostkeypermissive >/dev/null 2>&1 &
|
|
stig_spinner $!
|
|
output "SV-86881r1_rule" $? ${SETLANG}
|
|
################
|
|
|
|
##The SSH daemon must not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed.
|
|
bash $STIG_TESTS_DIR/check-ssh.sh GSSAPIAuthentication >/dev/null 2>&1 &
|
|
stig_spinner $!
|
|
output "SV-86883r2_rule" $? ${SETLANG}
|
|
################
|
|
|
|
##The SSH daemon must not permit Kerberos authentication unless needed.
|
|
bash $STIG_TESTS_DIR/check-ssh.sh KerberosAuthentication >/dev/null 2>&1 &
|
|
stig_spinner $!
|
|
output "SV-86885r2_rule" $? ${SETLANG}
|
|
################
|
|
|
|
##The SSH daemon must perform strict mode checking of home directory configuration files.
|
|
bash $STIG_TESTS_DIR/check-ssh.sh StrictModes >/dev/null 2>&1 &
|
|
stig_spinner $!
|
|
output "SV-86887r2_rule" $? ${SETLANG}
|
|
################
|
|
|
|
##The SSH daemon must use privilege separation.
|
|
bash $STIG_TESTS_DIR/check-ssh.sh UsePrivilegeSeparation >/dev/null 2>&1 &
|
|
stig_spinner $!
|
|
output "SV-86889r2_rule" $? ${SETLANG}
|
|
################
|
|
|
|
##The SSH daemon must not allow compression or must only allow compression after successful authentication.
|
|
bash $STIG_TESTS_DIR/check-ssh.sh Compression >/dev/null 2>&1 &
|
|
stig_spinner $!
|
|
output "SV-86891r2_rule" $? ${SETLANG}
|
|
################
|
|
|
|
##Dont allow remote X connections.
|
|
bash $STIG_TESTS_DIR/check-ssh.sh X11Forwarding >/dev/null 2>&1 &
|
|
stig_spinner $!
|
|
output "SV-86927r2_rule" $? ${SETLANG}
|
|
################
|
|
|
|
##Check that pam_python is not installed
|
|
bash $STIG_TESTS_DIR/check-ssh.sh pam_python >/dev/null 2>&1 &
|
|
stig_spinner $!
|
|
output "SV-86724r2_rule" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000247
|
|
##The system clock must be synchronized continuously, or at least daily.
|
|
|
|
bash $STIG_TESTS_DIR/check-services.sh ntp >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38620" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000248
|
|
##The system clock must be synchronized to an authoritative time source.
|
|
|
|
bash $STIG_TESTS_DIR/check-ntp-sources.sh >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38621" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000252
|
|
##If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
|
|
|
|
#Waiting to figure out
|
|
|
|
#stig_spinner $!
|
|
#output "V-38625" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000253
|
|
##The LDAP client must use a TLS connection using trust certificates signed by the site CA.
|
|
|
|
#Waiting to figure out
|
|
|
|
#stig_spinner $!
|
|
#output "V-38626" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000256
|
|
##The openldap-servers package must not be installed unless required.
|
|
|
|
bash $STIG_TESTS_DIR/check-packages.sh sldap>/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38627" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000257
|
|
##The graphical desktop environment must set the idle timeout to no more than 15 minutes.
|
|
|
|
#stig_spinner $!
|
|
#output "V-38629" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000258
|
|
##The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment.
|
|
|
|
#stig_spinner $!
|
|
#output "V-38630" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000259
|
|
##The graphical desktop environment must have automatic lock enabled.
|
|
|
|
#stig_spinner $!
|
|
#output "V-38638" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000260
|
|
##The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
|
|
|
|
#stig_spinner $!
|
|
#output "V-38639" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000262
|
|
##The atd service must be disabled.
|
|
|
|
bash $STIG_TESTS_DIR/check-services.sh atd >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38641" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000271
|
|
##The noexec option must be added to removable media partitions.
|
|
if [ "$(grep -Hv ^0$ /sys/block/*/removable | sed s/removable:.*$/device\\/uevent/ | xargs grep -H ^DRIVER=sd | sed s/device.uevent.*$/size/ | xargs grep -Hv ^0$ | cut -d / -f 4 | wc -l)" -gt 0 ];then
|
|
bash $STIG_TESTS_DIR/check-removable.sh >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38655" $? ${SETLANG}
|
|
fi
|
|
################
|
|
|
|
##RHEL-06-000272
|
|
##The system must use SMB client signing for connecting to samba servers using smbclient.
|
|
|
|
bash $STIG_TESTS_DIR/check-depends.sh smb-signing >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38656" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000273
|
|
##The system must use SMB client signing for connecting to samba servers using mount.cifs.
|
|
|
|
bash $STIG_TESTS_DIR/check-depends.sh smb-sec >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38657" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000282
|
|
##There must be no world-writable files on the system.
|
|
|
|
bash $STIG_TESTS_DIR/check-world-writable.sh >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38643" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000286
|
|
##The x86 Ctrl-Alt-Delete key sequence must be disabled.
|
|
|
|
bash $STIG_TESTS_DIR/check-ctrl-alt-del.sh >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38668" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000288
|
|
##The sendmail package must be removed.
|
|
|
|
bash $STIG_TESTS_DIR/check-packages.sh sendmail >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38671" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000290
|
|
##X Windows must not be enabled unless required.
|
|
|
|
bash $STIG_TESTS_DIR/check-services.sh x11-common >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38674" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000302
|
|
##A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
|
|
|
|
bash $STIG_TESTS_DIR/check-tripwire-cron.sh > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38695" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000018
|
|
#For tripwire to be effective, an initial database of "known-good" information about files must be captured and it should be able to be verified against the installed files.
|
|
|
|
bash $STIG_TESTS_DIR/check-tripwire-baseline.sh > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-51391" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000308
|
|
##Process core dumps must be disabled unless needed.
|
|
|
|
bash $STIG_TESTS_DIR/check-limits.sh core-dumps > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38675" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000319
|
|
##The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
|
|
|
|
bash $STIG_TESTS_DIR/check-limits.sh maxlogins > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38684" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000320
|
|
##The systems local firewall must implement a deny-all, allow-by-exception policy for forwarded packets.
|
|
|
|
iptables -L FORWARD | head -n1 | grep "FORWARD.*DROP" >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38686" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000331
|
|
##The Bluetooth service must be disabled.
|
|
|
|
bash $STIG_TESTS_DIR/check-services.sh bluetooth >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38691" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000336
|
|
##The sticky bit must be set on all public directories.
|
|
|
|
bash $STIG_TESTS_DIR/check-sticky-bit.sh >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38697" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000337
|
|
##All public directories must be owned by a system account.
|
|
|
|
bash $STIG_TESTS_DIR/check-public-dir-owned.sh >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38699" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000345
|
|
##The system default umask in /etc/login.defs must be 077.
|
|
##For more detial :http://stackoverflow.com/questions/10220531/how-to-set-system-wide-umask
|
|
|
|
sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/login.defs | grep -i "umask.*077" >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38645" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000347
|
|
##There must be no .netrc files on the system.
|
|
|
|
bash $STIG_TESTS_DIR/check-netrc.sh >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38619" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000372
|
|
##The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.
|
|
|
|
sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/pam.d/common-session | grep -i "pam_lastlog.so.*showfailed" > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38501" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000507
|
|
##The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh.
|
|
|
|
sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i "^PrintLastLog.*yes" > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38484" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000514
|
|
##The package management tool must cryptographically verify the authenticity of all software packages during installation.
|
|
|
|
bash $STIG_TESTS_DIR/check-apt-gpg.sh > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38462" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000523
|
|
##The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
|
|
|
|
ip6tables -L INPUT | head -n1 | grep "INPUT.*DROP" > /dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38444" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000526
|
|
##Automated file system mounting tools must not be enabled unless needed.
|
|
|
|
bash $STIG_TESTS_DIR/check-services.sh autofs >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-38437" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000528
|
|
##The noexec option must be added to the /tmp partition.
|
|
|
|
sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/fstab | grep "/tmp.*noexec" >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-57569" $? ${SETLANG}
|
|
################
|
|
|
|
##RHEL-06-000529
|
|
##The sudo command must require authentication.
|
|
|
|
bash $STIG_TESTS_DIR/check-sudo.sh >/dev/null 2>&1 &
|
|
|
|
stig_spinner $!
|
|
output "V-58901" $? ${SETLANG}
|
|
################
|
|
|
|
show_passes_fails=
|
|
if [ $SHOW_ALL_TESTS ]; then
|
|
show_passes_fails=1
|
|
else
|
|
if [ "$FAILS" -gt 0 ]; then
|
|
show_passes_fails=1
|
|
fi
|
|
fi
|
|
|
|
if [ $show_passes_fails ]; then
|
|
echo ''
|
|
echo $"Passes: $PASSES"
|
|
echo $"Fails: $FAILS"
|
|
if [ "$FAILS" -gt 0 ]; then
|
|
exit 792353
|
|
fi
|
|
fi
|
|
}
|
|
|
|
while [ $# -gt 1 ]
|
|
do
|
|
key="$1"
|
|
|
|
case $key in
|
|
-h|--help)
|
|
show_help
|
|
;;
|
|
-a|--static)
|
|
echo $'Running static analysis tests'
|
|
test_static_analysis
|
|
echo $'All tests passed'
|
|
exit 0
|
|
;;
|
|
-s|--stig)
|
|
shift
|
|
if [[ "$1" == 'showall' ]]; then
|
|
SHOW_ALL_TESTS=1
|
|
fi
|
|
RUN_STIG="$1"
|
|
;;
|
|
*)
|
|
# unknown option
|
|
;;
|
|
esac
|
|
shift
|
|
done
|
|
|
|
if [ ! "$RUN_STIG" ]; then
|
|
echo $'Running tests'
|
|
fi
|
|
|
|
test_app_functions
|
|
test_unique_onion_ports
|
|
remove_management_engine_interface
|
|
freedombone-pass --test yes
|
|
fix_stig
|
|
test_stig
|
|
|
|
if [ ! "$RUN_STIG" ]; then
|
|
echo $'All tests passed'
|
|
fi
|
|
|
|
exit 0
|