Security Technical Implementation Guide tests based upon RHEL/hardenedlinux
This commit is contained in:
parent
95c758067a
commit
1f0ac1f3ce
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,27 @@
|
|||
#!/bin/bash
|
||||
#Tested on Aide 0.16a2-19-g16ed855
|
||||
|
||||
CHECKDATABASE=$(grep "database=" /etc/aide/aide.conf 2>/dev/null )
|
||||
if [ $? -eq 0 ];then
|
||||
:
|
||||
else
|
||||
echo "couldn""'""t found aide.conf"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
DATABASE=$(echo $CHECKDATABASE | awk -F ':' '{printf $2}' 2>/dev/null)
|
||||
|
||||
if [ $? -eq 0 ];then
|
||||
:
|
||||
else
|
||||
echo "couldn""'""t found database location at aide.conf"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -f "$DATABASE" ];then
|
||||
echo "There is a baseline for aide."
|
||||
exit 0
|
||||
else
|
||||
echo "Can""'""t find aide baseline"
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,5 @@
|
|||
#1/bin/bash
|
||||
|
||||
if [ $(grep aide /etc/crontab /etc/cron.*/* | wc -l) -ne 0 ];then
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
|
||||
if grep -i "gpg" /etc/apt/apt.conf.d/* | sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' | grep -i "gpg.*check.*false";then
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,100 @@
|
|||
#!/bin/bash
|
||||
#Verify with the key fatch from https://ftp-master.debian.org/keys.html
|
||||
|
||||
#---------------------------------------------------------------------------
|
||||
#"Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>"
|
||||
|
||||
JESSIEARCHIVEKEY=" 126C 0D24 BD8A 2942 CC7D F8AC 7638 D044 2B90 D010"
|
||||
CHECKTMP=$(apt-key finger | grep -B 1 "Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>" | head -n1 | awk -F '=' '{printf $2}')
|
||||
|
||||
if [ "$CHECKTMP" == "$JESSIEARCHIVEKEY" ];then
|
||||
echo Good
|
||||
:
|
||||
else
|
||||
echo bad
|
||||
exit 1
|
||||
fi
|
||||
|
||||
#---------------------------------------------------------------------------
|
||||
#"Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>"
|
||||
|
||||
JESSIESECURITYKEY=" D211 6914 1CEC D440 F2EB 8DDA 9D6D 8F6B C857 C906"
|
||||
CHECKTMP=$(apt-key finger | grep -B 1 "Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>" | head -n1 | awk -F '=' '{printf $2}')
|
||||
|
||||
if [ "$CHECKTMP" == "$JESSIESECURITYKEY" ];then
|
||||
echo Good
|
||||
:
|
||||
else
|
||||
echo bad
|
||||
exit 1
|
||||
fi
|
||||
|
||||
#---------------------------------------------------------------------------
|
||||
#"Jessie Stable Release Key <debian-release@lists.debian.org>"
|
||||
|
||||
JESSIESTABLEKEY=" 75DD C3C4 A499 F1A1 8CB5 F3C8 CBF8 D6FD 518E 17E1"
|
||||
CHECKTMP=$(apt-key finger | grep -B 1 "Jessie Stable Release Key <debian-release@lists.debian.org>" | head -n1 | awk -F '=' '{printf $2}')
|
||||
|
||||
if [ "$CHECKTMP" == "$JESSIESTABLEKEY" ];then
|
||||
echo Good
|
||||
:
|
||||
else
|
||||
echo bad
|
||||
exit 1
|
||||
fi
|
||||
|
||||
#---------------------------------------------------------------------------
|
||||
#"Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>"
|
||||
|
||||
SQUEEZEARCHIVEKEY=" 9FED 2BCB DCD2 9CDF 7626 78CB AED4 B06F 4730 41FA"
|
||||
CHECKTMP=$(apt-key finger | grep -B 1 "Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>" | head -n1 | awk -F '=' '{printf $2}')
|
||||
|
||||
if [ "$CHECKTMP" == "$SQUEEZEARCHIVEKEY" ];then
|
||||
echo Good
|
||||
:
|
||||
else
|
||||
echo bad
|
||||
exit 1
|
||||
fi
|
||||
|
||||
#---------------------------------------------------------------------------
|
||||
#"Squeeze Stable Release Key <debian-release@lists.debian.org>"
|
||||
|
||||
SQUEEZESTABLEKEY=" 0E4E DE2C 7F3E 1FC0 D033 800E 6448 1591 B983 21F9"
|
||||
CHECKTMP=$(apt-key finger | grep -B 1 "Squeeze Stable Release Key <debian-release@lists.debian.org>" | head -n1 | awk -F '=' '{printf $2}')
|
||||
|
||||
if [ "$CHECKTMP" == "$SQUEEZESTABLEKEY" ];then
|
||||
echo Good
|
||||
:
|
||||
else
|
||||
echo bad
|
||||
exit 1
|
||||
fi
|
||||
|
||||
#---------------------------------------------------------------------------
|
||||
#"Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>"
|
||||
|
||||
WHEEZYARCHIVEKEY=" A1BD 8E9D 78F7 FE5C 3E65 D8AF 8B48 AD62 4692 5553"
|
||||
CHECKTMP=$(apt-key finger | grep -B 1 "Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>" | head -n1 | awk -F '=' '{printf $2}')
|
||||
|
||||
if [ "$CHECKTMP" == "$WHEEZYARCHIVEKEY" ];then
|
||||
echo Good
|
||||
:
|
||||
else
|
||||
echo bad
|
||||
exit 1
|
||||
fi
|
||||
|
||||
#---------------------------------------------------------------------------
|
||||
#"Wheezy Stable Release Key <debian-release@lists.debian.org>"
|
||||
|
||||
WHEEZYSTABLEKEY=" ED6D 6527 1AAC F0FF 15D1 2303 6FB2 A1C2 65FF B764"
|
||||
CHECKTMP=$(apt-key finger | grep -B 1 "Wheezy Stable Release Key <debian-release@lists.debian.org>" | head -n1 | awk -F '=' '{printf $2}')
|
||||
|
||||
if [ "$CHECKTMP" == "$WHEEZYSTABLEKEY" ];then
|
||||
echo Good
|
||||
:
|
||||
else
|
||||
echo bad
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,9 @@
|
|||
#!/bin/bash
|
||||
|
||||
if dpkg -s audispd-plugins > /dev/null 2>&1;then
|
||||
if ! sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audisp/plugins.d/syslog.conf | grep -i "active.*yes";then
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,112 @@
|
|||
#!/bin/bash
|
||||
#The hole idea of how to get the origin files' permission is learned from http://sysadminnotebook.blogspot.com/2012/06/how-to-reset-folder-permissions-to.html
|
||||
|
||||
TDIR=`mktemp -d`
|
||||
cd $TDIR
|
||||
aptitude download auditd
|
||||
FILES=`dpkg -c auditd*.deb | sed -e '/^d/d' | \
|
||||
sed '/audit.rules$/p;s/\/etc\/audit\/rules.d\/audit.rules$/\/etc\/audit\/audit.rules/'`
|
||||
DIRECTORY=`dpkg -c auditd*.deb | sed -n '/^d/p' | \
|
||||
sed -e '/\/usr\/share\/man/d'`
|
||||
case $1 in
|
||||
permission)
|
||||
echo "$FILES" | while read FILE;
|
||||
do
|
||||
echo "$FILE" | awk '{print $6}' | sed -e 's/^.//g' | while read line;
|
||||
do
|
||||
ORIGIN=$(echo "$FILE" | awk '{print $1}')
|
||||
CURRENT=$(ls -l "$line" | awk '{print $1}')
|
||||
if [ "$CURRENT" != "$ORIGIN" ];then
|
||||
echo "ORIGIN:$FILE"
|
||||
echo "CURRENT:$(ls -l $line)"
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
done
|
||||
echo "$DIRECTORY" | while read DIR;
|
||||
do
|
||||
echo "$DIR" | awk '{print $6}' | sed -e 's/^.//g' | while read line;
|
||||
do
|
||||
ORIGIN=$(echo "$DIR" | awk '{print $1}' )
|
||||
CURRENT=$(ls -dl "$line" | awk '{print $1}' )
|
||||
if [ "$CURRENT" != "$ORIGIN" ];then
|
||||
echo "$ORIGIN:$DIR"
|
||||
echo "$CURRENT:$(ls -dl $line)"
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
done
|
||||
;;
|
||||
owner)
|
||||
echo "$FILES" | while read FILE;
|
||||
do
|
||||
echo "$FILE" | awk '{print $6}' | sed -e 's/^.//g' | while read line;
|
||||
do
|
||||
ORIGIN=$(echo "$FILE" | awk '{print $2}' | awk -F '/' '{print $1}')
|
||||
CURRENT=$(ls -l "$line" | awk '{print $3}')
|
||||
if [ "$CURRENT" != "$ORIGIN" ];then
|
||||
echo "ORIGIN:$FILE"
|
||||
echo "CURRENT:$(ls -l $line)"
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
done
|
||||
echo "$DIRECTORY" | while read DIR;
|
||||
do
|
||||
echo "$DIR" | awk '{print $6}' | sed -e 's/^.//g' | while read line;
|
||||
do
|
||||
ORIGIN=$(echo "$DIR" | awk '{print $2}' | awk -F '/' '{print $1}' )
|
||||
CURRENT=$(ls -dl "$line" | awk '{print $3}' )
|
||||
if [ "$CURRENT" != "$ORIGIN" ];then
|
||||
echo "$ORIGIN:$DIR"
|
||||
echo "$CURRENT:$(ls -dl $line)"
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
done
|
||||
;;
|
||||
group-owner)
|
||||
echo "$FILES" | while read FILE;
|
||||
do
|
||||
echo "$FILE" | awk '{print $6}' | sed -e 's/^.//g' | while read line;
|
||||
do
|
||||
ORIGIN=$(echo "$FILE" | awk '{print $2}' | awk -F '/' '{print $2}')
|
||||
CURRENT=$(ls -l "$line" | awk '{print $4}')
|
||||
if [ "$CURRENT" != "$ORIGIN" ];then
|
||||
echo "ORIGIN:$FILE"
|
||||
echo "CURRENT:$(ls -l $line)"
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
done
|
||||
echo "$DIRECTORY" | while read DIR;
|
||||
do
|
||||
echo "$DIR" | awk '{print $6}' | sed -e 's/^.//g' | while read line;
|
||||
do
|
||||
ORIGIN=$(echo "$DIR" | awk '{print $2}' | awk -F '/' '{print $2}' )
|
||||
CURRENT=$(ls -dl "$line" | awk '{print $4}' )
|
||||
if [ "$CURRENT" != "$ORIGIN" ];then
|
||||
echo "$ORIGIN:$DIR"
|
||||
echo "$CURRENT:$(ls -dl $line)"
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
done
|
||||
;;
|
||||
file-hashes)
|
||||
dpkg-deb -R audit*.deb .
|
||||
echo "$FILES" | grep "bin/" | while read FILE;
|
||||
do
|
||||
echo "$FILE" | awk '{print $6}' | sed -e 's/^.//g' | while read line;
|
||||
do
|
||||
ORIGIN=$(sha512sum "$(echo "$line" | sed -e 's/^.\///g')" | awk '{print $1}')
|
||||
CURRENT=$(sha512sum "$line" | awk '{print $1}')
|
||||
if [ "$CURRENT" != "$ORIGIN" ];then
|
||||
echo "ORIGIN:$FILE"
|
||||
echo "CURRENT:$(ls -l $line)"
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
done
|
||||
;;
|
||||
esac
|
|
@ -0,0 +1,153 @@
|
|||
#!/bin/bash
|
||||
|
||||
case $1 in
|
||||
space_left_action)
|
||||
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
|
||||
if [ $? -eq 0 ];then
|
||||
ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
|
||||
if [ "${ACTION,,}" != "email" ];then
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
num_logs)
|
||||
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
|
||||
if [ $? -eq 0 ];then
|
||||
if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}') -$2 $3 ];then
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
max_log_file)
|
||||
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1=)
|
||||
if [ $? -eq 0 ];then
|
||||
if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1= | awk -F '=' '{print $2}') -$2 $3 ];then
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
max_log_file_action)
|
||||
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
|
||||
if [ $? -eq 0 ];then
|
||||
ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
|
||||
if [ "${ACTION,,}" != "rotate" ];then
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
admin_space_left_action)
|
||||
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
|
||||
if [ $? -eq 0 ];then
|
||||
ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
|
||||
if [ "${ACTION,,}" != "single" ];then
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
account)
|
||||
if ! auditctl -l | grep "/etc/passwd" ;then
|
||||
exit 1
|
||||
elif ! auditctl -l | grep "/etc/shadow";then
|
||||
exit 1
|
||||
elif ! auditctl -l | grep "/etc/group";then
|
||||
exit 1
|
||||
elif ! auditctl -l | grep "/etc/gshadow";then
|
||||
exit 1
|
||||
elif ! auditctl -l | grep "/etc/security/opasswd";then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
network)
|
||||
if ! auditctl -l | grep "sethostname" ;then
|
||||
exit 1
|
||||
elif ! auditctl -l | grep "setdomainname";then
|
||||
exit 1
|
||||
elif ! auditctl -l | grep "/etc/issue.net";then
|
||||
exit 1
|
||||
elif ! auditctl -l | grep "/etc/hosts";then
|
||||
exit 1
|
||||
elif ! auditctl -l | grep "/etc/sysconfig";then
|
||||
exit 1
|
||||
elif ! auditctl -l | grep "network";then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
apparmor-config)
|
||||
if ! auditctl -l | grep "/etc/apparmor/" ;then
|
||||
exit 1
|
||||
elif ! auditctl -l | grep "/etc/apparmor.d/";then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
failed-access-files-programs)
|
||||
if ! auditctl -l | grep "EACCES" ;then
|
||||
exit 1
|
||||
elif ! auditctl -l | grep "EPERM";then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
setuid-setgid)
|
||||
find / -xdev -type f -perm /6000 2>/dev/null | while read line;do
|
||||
if ! auditctl -l | grep "$line" ;then
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
;;
|
||||
deletions)
|
||||
if ! auditctl -l | grep "rmdir" ;then
|
||||
exit 1
|
||||
elif ! auditctl -l | grep "unlink";then
|
||||
exit 1
|
||||
elif ! auditctl -l | grep "unlinkat";then
|
||||
exit 1
|
||||
elif ! auditctl -l | grep "rename";then
|
||||
exit 1
|
||||
elif ! auditctl -l | grep "renameat";then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
kernel-modules)
|
||||
if ! auditctl -l | egrep -e "(-w |-F path=)/sbin/insmod";then
|
||||
exit 1
|
||||
elif ! auditctl -l | egrep -e "(-w |-F path=)/sbin/rmmod";then
|
||||
exit 1
|
||||
elif ! auditctl -l | egrep -e "(-w |-F path=)/sbin/modprobe";then
|
||||
exit 1
|
||||
elif ! auditctl -l | grep -w "init_module";then
|
||||
exit 1
|
||||
elif ! auditctl -l | grep -w "delete_module";then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
action_mail_acct)
|
||||
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
|
||||
if [ $? -eq 0 ];then
|
||||
ACCOUNT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
|
||||
if [ "${ACCOUNT,,}" != "root" ];then
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
disk_full_action)
|
||||
if grep -i "disk_full_action.*ignore\|disk_full_action.*suspend" /etc/audit/auditd.conf;then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
disk_error_action)
|
||||
if grep -i "disk_error_action.*ignore\|disk_error_action.*suspend" /etc/audit/auditd.conf;then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
esac
|
|
@ -0,0 +1,9 @@
|
|||
#!/bin/bash
|
||||
|
||||
if grep -r bluetooth /etc/modprobe.d;then
|
||||
if ! grep -r net-pf-31 /etc/modprobe.d;then
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,62 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ -d "/bin" ];then
|
||||
|
||||
COUNT=$(find -L /bin -type f -perm /022 -exec ls -l {} \; |wc -l)
|
||||
|
||||
if [ $COUNT -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
if [ -d "/usr/bin" ];then
|
||||
|
||||
COUNT=$(find -L /usr/bin -type f -perm /022 -exec ls -l {} \; |wc -l)
|
||||
|
||||
if [ $COUNT -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
if [ -d "/usr/local/bin" ];then
|
||||
|
||||
COUNT=$(find -L /usr/local/bin -type f -perm /022 -exec ls -l {} \; |wc -l)
|
||||
|
||||
if [ $COUNT -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
if [ -d "/sbin" ];then
|
||||
|
||||
COUNT=$(find -L /sbin -type f -perm /022 -exec ls -l {} \; |wc -l)
|
||||
|
||||
if [ $COUNT -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
if [ -d "/usr/sbin" ];then
|
||||
|
||||
COUNT=$(find -L /usr/sbin -type f -perm /022 -exec ls -l {} \; |wc -l)
|
||||
|
||||
if [ $COUNT -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
if [ -d "/usr/local/sbin" ];then
|
||||
|
||||
COUNT=$(find -L /usr/local/sbin -type f -perm /022 -exec ls -l {} \; |wc -l)
|
||||
|
||||
if [ $COUNT -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
|
@ -0,0 +1,62 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ -d "/bin" ];then
|
||||
|
||||
COUNT=$(find -L /bin \! -user root -exec ls -l {} \; |wc -l)
|
||||
|
||||
if [ $COUNT -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
if [ -d "/usr/bin" ];then
|
||||
|
||||
COUNT=$(find -L /usr/bin \! -user root -exec ls -l {} \; |wc -l)
|
||||
|
||||
if [ $COUNT -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
if [ -d "/usr/local/bin" ];then
|
||||
|
||||
COUNT=$(find -L /usr/local/bin \! -user root -exec ls -l {} \; |wc -l)
|
||||
|
||||
if [ $COUNT -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
if [ -d "/sbin" ];then
|
||||
|
||||
COUNT=$(find -L /sbin \! -user root -exec ls -l {} \; |wc -l)
|
||||
|
||||
if [ $COUNT -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
if [ -d "/usr/sbin" ];then
|
||||
|
||||
COUNT=$(find -L /usr/sbin \! -user root -exec ls -l {} \; |wc -l)
|
||||
|
||||
if [ $COUNT -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
if [ -d "/usr/local/sbin" ];then
|
||||
|
||||
COUNT=$(find -L /usr/local/sbin \! -user root -exec ls -l {} \; |wc -l)
|
||||
|
||||
if [ $COUNT -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
case $1 in
|
||||
virtual)
|
||||
if [ -f /etc/securetty ];then
|
||||
if grep '^vc/[0-9]' /etc/securetty;then
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 0
|
||||
fi
|
||||
;;
|
||||
serial)
|
||||
if [ -f "/etc/securetty" ];then
|
||||
if grep '^ttyS[0-9]' /etc/securetty;then
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 0
|
||||
fi
|
||||
;;
|
||||
esac
|
|
@ -0,0 +1,9 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ -f /etc/systemd/system/ctrl-alt-del.target ];then
|
||||
if ! ls -l /etc/systemd/system/ctrl-alt-del.target | grep "/dev/null";then
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,11 @@
|
|||
#!/bin/bash
|
||||
echo $(awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 ":" $2}' /etc/shadow | awk -F ':' '{printf $1}' )| while read ACCOUNT
|
||||
do
|
||||
awk -F':' '{ if ( $3 <= 500 ) print $1 }' /etc/passwd | sed '/^root$/d' | while read ACCOUNTLIST
|
||||
do
|
||||
if [ "$ACCOUNT" == "$ACCOUNTLIST" ];then
|
||||
echo "There is at least one default account is using"
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
done
|
|
@ -0,0 +1,30 @@
|
|||
#!/bin/bash
|
||||
|
||||
case $1 in
|
||||
smb-signing)
|
||||
if dpkg -s samba >/dev/null 2>&1;then
|
||||
if ! sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' -e '/^;/d' /etc/samba/smb.conf | grep "client.*signing.*mandatory";then
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
smb-sec)
|
||||
if [ "$(grep "cifs.*sec=krb5a\|cifs.*sec=ntlmv2i" /etc/mtab /etc/fstab | wc -l)" != "$(grep "cifs" /etc/mtab /etc/fstab | wc -l)" ];then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
libuser)
|
||||
if [ -f /etc/libuser.conf ];then
|
||||
if ! sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/libuser.conf | grep "crypt_style.*sha512";then
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
icmpv6)
|
||||
if [ -a /proc/net/if_inet6 ];then
|
||||
if ! sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/libuser.conf | grep "crypt_style.*sha512";then
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
esac
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ $(pwck -r | grep "no group" | wc -l) -ne 0 ];then
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,98 @@
|
|||
#!/bin/bash
|
||||
MODE=$(ls -l /boot/grub/grub.cfg | awk '{print $1}')
|
||||
|
||||
if [ "$(printf "%c" "$MODE")" == "-" ];then #First char at MODE(----------)
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
|
||||
TEMP=${MODE#?} #remove first char at MODE and save at $TEMP
|
||||
|
||||
printf "%c" "$TEMP" | grep -w "^r$\|^-$"
|
||||
|
||||
if [ $? -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
|
||||
TEMP=${TEMP#?}
|
||||
|
||||
printf "%c" "$TEMP" | grep -w "^w$\|^-$"
|
||||
|
||||
if [ $? -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
|
||||
TEMP=${TEMP#?}
|
||||
|
||||
printf "%c" "$TEMP" | grep -w "^-$"
|
||||
|
||||
if [ $? -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
|
||||
TEMP=${TEMP#?}
|
||||
|
||||
printf "%c" "$TEMP" | grep -w "^-$"
|
||||
|
||||
if [ $? -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
|
||||
TEMP=${TEMP#?}
|
||||
|
||||
printf "%c" "$TEMP" | grep -w "^-$"
|
||||
if [ $? -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
|
||||
TEMP=${TEMP#?}
|
||||
|
||||
printf "%c" "$TEMP" | grep -w "^-$"
|
||||
|
||||
if [ $? -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
|
||||
TEMP=${TEMP#?}
|
||||
|
||||
printf "%c" "$TEMP" | grep -w "^-$"
|
||||
|
||||
if [ $? -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
|
||||
TEMP=${TEMP#?}
|
||||
|
||||
printf "%c" "$TEMP" | grep -w "^-$"
|
||||
|
||||
if [ $? -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
|
||||
TEMP=${TEMP#?}
|
||||
|
||||
printf "%c" "$TEMP" | grep -w "^-$"
|
||||
|
||||
if [ $? -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
|
|
@ -0,0 +1,9 @@
|
|||
#!/bin/bash
|
||||
|
||||
if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/default/useradd | grep INACTIVE;then
|
||||
if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/default/useradd | grep INACTIVE | awk -F '=' '{printf $2}') -gt 35 ];then
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,6 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ -a /proc/net/if_inet6 ];then
|
||||
echo bad
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,42 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ -d "/lib" ];then
|
||||
|
||||
COUNT=$(find -L /lib -type f -perm /022 -exec ls -l {} \; |wc -l)
|
||||
|
||||
if [ $COUNT -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
if [ -d "/lib64" ];then
|
||||
|
||||
COUNT=$(find -L /lib64 -type f -perm /022 -exec ls -l {} \; |wc -l)
|
||||
|
||||
if [ $COUNT -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
if [ -d "/usr/lib" ];then
|
||||
|
||||
COUNT=$(find -L /usr/lib -type f -perm /022 -exec ls -l {} \; |wc -l)
|
||||
|
||||
if [ $COUNT -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
if [ -d "/usr/lib64" ];then
|
||||
|
||||
COUNT=$(find -L /usr/lib64 -type f -perm /022 -exec ls -l {} \; |wc -l)
|
||||
|
||||
if [ $COUNT -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
|
@ -0,0 +1,43 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ -d "/lib" ];then
|
||||
|
||||
COUNT=$(find -L /lib \! -user root -exec ls -l {} \; |wc -l)
|
||||
|
||||
if [ $COUNT -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
if [ -d "/lib64" ];then
|
||||
|
||||
COUNT=$(find -L /lib64 \! -user root -exec ls -l {} \; |wc -l)
|
||||
|
||||
if [ $COUNT -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
if [ -d "/usr/lib" ];then
|
||||
|
||||
COUNT=$(find -L /usr/lib \! -user root -exec ls -l {} \; |wc -l)
|
||||
|
||||
if [ $COUNT -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
if [ -d "/usr/lib64" ];then
|
||||
|
||||
COUNT=$(find -L /usr/lib64 \! -user root -exec ls -l {} \; |wc -l)
|
||||
|
||||
if [ $COUNT -eq 0 ];then
|
||||
:
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
case $1 in
|
||||
core-dumps)
|
||||
if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/security/limits.conf | grep "hard.*core";then
|
||||
if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/security/limits.conf | grep "hard.*core" | awk -F 'core' '{print $2}' | sed 's/\ *//g') -ne 0 ];then
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
maxlogins)
|
||||
if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/security/limits.conf | grep "maxlogins";then
|
||||
if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/security/limits.conf | grep "maxlogins" | awk -F 'maxlogins' '{print $2}' | sed 's/\ *//g') -lt 10 ];then
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
esac
|
|
@ -0,0 +1,21 @@
|
|||
#!/bin/bash
|
||||
|
||||
LOCATION=$1
|
||||
KEYWORD=$2
|
||||
OPTION=$3
|
||||
|
||||
if [ -f "$LOCATION" ];then
|
||||
|
||||
RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' $LOCATION | grep "$KEYWORD.*$OPTION")
|
||||
#above line is remove any comment in the configuration file and use grep to output a exit status
|
||||
#if matched both $KEYWORD and $OPTION there is a success exit status: 0
|
||||
|
||||
if [ $? -eq 0 ];then
|
||||
if [ "$(echo $RESULT | tr "\t" "\n" | tr " " "\n" | sed -n "/$OPTION/p"| awk -F "=" '{printf $2}')" -$(echo $COMPARE) "$CONDITION" ];then
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
|
||||
fi
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ $(find /etc/cron.d*/ -name logrotate | wc -l) -eq 0 ];then
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,16 @@
|
|||
#!/bin/bash
|
||||
#In STIG there is only 5 kinds of permission : 0000, 0644, 0755, 0600, 0640
|
||||
LOCALTION=$1
|
||||
PERM=$2
|
||||
|
||||
LEN=(stat $LOCALTION -c %a)
|
||||
#if permisiion of the file or directory
|
||||
|
||||
|
||||
if [ $LEN == 4 ];then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
let FPERM=777-$PERM
|
||||
|
||||
find $LOCALTION -perm /$(printf "%03d\n" $FPERM) | wc -l | awk -F: '($1 != "0") {print; err=1} END {exit err}'
|
|
@ -0,0 +1,17 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ -f ~/.netrc ];then
|
||||
echo "Found .netrc in /root"
|
||||
exit 1
|
||||
else
|
||||
echo ".netrc no found in /root"
|
||||
fi
|
||||
for i in $(awk -F':' '{ if ( $3 >= 500 ) print $1 }' /etc/passwd);do
|
||||
HOMEDIR=`eval "echo ~$i"`
|
||||
if [ -f "$HOMEDIR/.netrc" ];then
|
||||
echo "Found .netrc in $HOMEDIR"
|
||||
exit 1
|
||||
else
|
||||
echo ".netrc no found in $HOMEDIR"
|
||||
fi
|
||||
done
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
|
||||
if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/exports | grep -i "all_squash";then
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
|
||||
if ! sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/exports | grep insecure_locks;then
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,14 @@
|
|||
#!/bin/bash
|
||||
|
||||
case $1 in
|
||||
nodev)
|
||||
if [ "$(mount | grep nfs | wc -l)" != "$(mount | grep "nfs.*nodev" | wc -l)" ];then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
nosuid)
|
||||
if [ "$(mount | grep nfs | wc -l)" != "$(mount | grep "nfs.*nosuid" | wc -l)" ];then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
esac
|
|
@ -0,0 +1,9 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ -f /etc/ntp.conf ];then
|
||||
if ! sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ntp.conf | grep server;then
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,19 @@
|
|||
#!/bin/bash
|
||||
|
||||
#Based on http://unix.stackexchange.com/questions/175146/apt-get-update-exit-status
|
||||
#And http://unix.stackexchange.com/questions/19470/list-available-updates-but-do-not-install-them
|
||||
|
||||
if ! { apt-get update 2>&1 || echo E: update failed ;} | grep -q '^[WE]:';then
|
||||
echo update success
|
||||
else
|
||||
echo update failure
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ $(aptitude search '~U' | wc -l) -gt 0 ];then
|
||||
echo Need-to-update
|
||||
exit 1
|
||||
else
|
||||
echo No-Need-to-update
|
||||
exit 0
|
||||
fi
|
|
@ -0,0 +1,44 @@
|
|||
#!/bin/bash
|
||||
|
||||
case $1 in
|
||||
xinetd)
|
||||
if dpkg -s xinetd ;then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
telnetd)
|
||||
if dpkg -s telnetd ;then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
rsh-server)
|
||||
if dpkg -s rsh-server ;then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
nis)
|
||||
if dpkg -s nis ;then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
tftpd)
|
||||
if dpkg -s tftpd ;then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
sldap)
|
||||
if dpkg -s sldap ;then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
sendmail)
|
||||
if dpkg -s sendmail ;then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
x11-common)
|
||||
if dpkg -s x11-common ;then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
esac
|
|
@ -0,0 +1,15 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ -f "/etc/login.def" ];then
|
||||
|
||||
RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/login.defs | grep PASS_MAX_DAYS)
|
||||
if [ $? -eq 0 ];then
|
||||
if [ "$(echo $RESULT | awk '{printf $2}')" -gt "60" ];then
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,15 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ -f "/etc/login.def" ];then
|
||||
|
||||
RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/login.defs | grep PASS_MIN_DAYS)
|
||||
if [ $? -eq 0 ];then
|
||||
if [ "$(echo $RESULT | awk '{printf $2}')" -lt "1" ];then
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,15 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ -f "/etc/login.def" ];then
|
||||
|
||||
RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/login.defs | grep PASS_MIN_LEN)
|
||||
if [ $? -eq 0 ];then
|
||||
if [ "$(echo $RESULT | awk '{printf $2}')" -lt "14" ];then
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,15 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ -f "/etc/login.def" ];then
|
||||
|
||||
RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/login.defs | grep PASS_WARN_AGE)
|
||||
if [ $? -eq 0 ];then
|
||||
if [ "$(echo $RESULT | awk '{printf $2}')" -lt "7" ];then
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,30 @@
|
|||
#!/bin/bash
|
||||
LOCATION=$1
|
||||
KEYWORD=$2
|
||||
OPTION=$3
|
||||
COMPARE=$4
|
||||
CONDITION=$5
|
||||
|
||||
#Example:
|
||||
#LOCATION="/etc/pam.d/common-password"
|
||||
#For debian is common-password ,for Gentoo and Red hat the file is system-auth
|
||||
#KEYWORD="pam_cracklib.so"
|
||||
#OPTION="ocredit"
|
||||
#COMPARE="gt"
|
||||
#CONDITION="-1"
|
||||
|
||||
if [ -f "$LOCATION" ];then
|
||||
|
||||
RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' $LOCATION | grep "$KEYWORD.*$OPTION")
|
||||
#above line is remove any comment in the configuration file and use grep to output a exit status
|
||||
#if matched both $KEYWORD and $OPTION there is a success exit status: 0
|
||||
|
||||
if [ $? -eq 0 ];then
|
||||
if [ "$(echo $RESULT | tr "\t" "\n" | tr " " "\n" | sed -n "/$OPTION/p"| awk -F "=" '{printf $2}')" -$(echo $COMPARE) "$CONDITION" ];then
|
||||
exit 1
|
||||
fi
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
|
||||
fi
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' -e 's/ //g' /etc/postfix/main.cf | grep inet_interfaces | awk -F '=' '{print $2}')" != "localhost" ];then
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ $(find / -xdev -type d -perm -0002 -uid +499 -print | wc -l) -gt 0 ];then
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,15 @@
|
|||
#!/bin/bash
|
||||
#for more detial to determine which sd is usb
|
||||
#http://unix.stackexchange.com/questions/60299/how-to-determine-which-sd-is-usb
|
||||
|
||||
grep -Hv ^0$ /sys/block/*/removable | \
|
||||
sed s/removable:.*$/device\\/uevent/ | \
|
||||
xargs grep -H ^DRIVER=sd | \
|
||||
sed s/device.uevent.*$/size/ | \
|
||||
xargs grep -Hv ^0$ | \
|
||||
cut -d / -f 4 | \
|
||||
while read line ;do
|
||||
if [ "$(mount | grep "$line" | wc -l)" != "$(mount | grep "$line.*noexec" | wc -l )" ];then
|
||||
exit 1
|
||||
fi
|
||||
done
|
|
@ -0,0 +1,23 @@
|
|||
HOSTS="/etc/hosts.equiv"
|
||||
|
||||
if [ -f "$HOSTS" ];then
|
||||
echo "Found hosts.equiv"
|
||||
exit 1
|
||||
else
|
||||
echo "hosts.equiv no found"
|
||||
fi
|
||||
if [ -f ~/.rhosts ];then
|
||||
echo "Found .rhosts in /root"
|
||||
exit 1
|
||||
else
|
||||
echo ".rhosts no found in /root"
|
||||
fi
|
||||
for i in $(awk -F':' '{ if ( $3 >= 500 ) print $1 }' /etc/passwd);do
|
||||
HOMEDIR=`eval "echo ~$i"`
|
||||
if [ -f "$HOMEDIR/.rhosts" ];then
|
||||
echo "Found .rhosts in $HOMEDIR"
|
||||
exit 1
|
||||
else
|
||||
echo ".rhosts no found in $HOMEDIR"
|
||||
fi
|
||||
done
|
|
@ -0,0 +1,11 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ $(awk -F: '($3 == 0) {print}' /etc/passwd | wc -l) -gt 1 ];then
|
||||
exit 1
|
||||
else
|
||||
if [ "$(awk -F: '($3 == 0) {print}' /etc/passwd | awk -F ':' '{printf $1}')" == "root" ];then
|
||||
exit 0
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
fi
|
|
@ -0,0 +1,37 @@
|
|||
#!/bin/bash
|
||||
|
||||
case "$1" in
|
||||
|
||||
owned)
|
||||
if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/rsyslog.conf | grep FileOwner | awk '{print $2}')" != "root" ];then
|
||||
exit 1
|
||||
fi
|
||||
sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/rsyslog.conf | sed -e '/\$/d' | awk '{print $2}' | sed -e '/^:/d' -e '/|/d' -e 's/^-//g' -e '/^$/d' | \
|
||||
while read line;do
|
||||
if [ -f $line ] && [ "$(ls -alh $line | awk '{print $3}')" != "root" ];then
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
;;
|
||||
group-owned)
|
||||
if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/rsyslog.conf | grep FileGroup | awk '{print $2}')" != "root" ];then
|
||||
exit 1
|
||||
fi
|
||||
sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/rsyslog.conf | sed -e '/\$/d' | awk '{print $2}' | sed -e '/^:/d' -e '/|/d' -e 's/^-//g' -e '/^$/d' | \
|
||||
while read line;do
|
||||
if [ -f $line ] && [ "$(ls -alh $line | awk '{print $4}')" != "root" ];then
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
;;
|
||||
mode)
|
||||
sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/rsyslog.conf | sed -e '/\$/d' | awk '{print $2}' | sed -e '/^:/d' -e '/|/d' -e 's/^-//g' -e '/^$/d' | \
|
||||
while read line;do
|
||||
bash check-mode.sh $line 600
|
||||
if [ $? -eq 1 ];then
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
|
||||
;;
|
||||
esac
|
|
@ -0,0 +1,79 @@
|
|||
#!/bin/bash
|
||||
|
||||
case $1 in
|
||||
atd)
|
||||
if service --status-all | grep "+.*atd";then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
avahi-daemon)
|
||||
if service --status-all | grep "+.*avahi-daemon";then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
xinetd)
|
||||
if service --status-all | grep "+.*xinetd";then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
telnetd)
|
||||
if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/inetd.conf | grep telnet;then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
rshd)
|
||||
if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/inetd.conf | grep rshd;then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
rexecd)
|
||||
if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/inetd.conf | grep rexecd;then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
rlogind)
|
||||
if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/inetd.conf | grep rlogind;then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
nis)
|
||||
if service --status-all | grep "+.*\ nis$";then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
tftpd)
|
||||
if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/inetd.conf | grep tftpd;then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
cron)
|
||||
if ! service --status-all | grep "+.*cron";then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
ntp)
|
||||
if ! service --status-all | grep "+.*ntp";then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
postfix)
|
||||
if ! service --status-all | grep "+.*postfix";then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
x11-common)
|
||||
if service --status-all | grep "+.*x11-common";then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
bluetooth)
|
||||
if service --status-all | grep "+.*bluetooth";then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
autofs)
|
||||
if service --status-all | grep "+.*autofs";then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
esac
|
|
@ -0,0 +1,12 @@
|
|||
#!/bin/bash
|
||||
FIPS="aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc"
|
||||
cipher=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i "Ciphers")
|
||||
if [ $? -eq 0 ];then
|
||||
echo $cipher | sed -e 's/Ciphers//' | tr "," "\n" | while read line;do
|
||||
if ! echo $FIPS | grep $line;then
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
else
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,33 @@
|
|||
#!/bin/bash
|
||||
case $1 in
|
||||
Protocol)
|
||||
if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -w "^Protocol" | awk '{print $2}')" -ne 2 ];then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
rhosts)
|
||||
if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i IgnoreRhosts | awk '{print $2}')" != "yes" ];then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
hostauth)
|
||||
if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i HostbasedAuthentication | awk '{print $2}')" != "no" ];then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
permitroot)
|
||||
if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitRootLogin | awk '{print $2}')" != "no" ];then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
emptypassword)
|
||||
if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitEmptyPasswords | awk '{print $2}')" != "no" ];then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
emptypasswordenvironment)
|
||||
if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitEmptyPasswords | awk '{print $2}')" != "no" ];then
|
||||
exit 1
|
||||
fi
|
||||
;;
|
||||
esac
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ $(find / -xdev -type d -perm -002 \! -perm -1000 | wc -l) -gt 0 ];then
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,7 @@
|
|||
#!/bin/bash
|
||||
|
||||
if grep -i "NOPASSWD" /etc/sudoers /etc/sudoers.d/* | sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' | grep -i "NOPASSWD";then
|
||||
exit 1
|
||||
elif grep -i '!authenticate' /etc/sudoers /etc/sudoers.d/* | sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' | grep -i '!authenticate';then
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,8 @@
|
|||
#!/bin/bash
|
||||
OPTION=$1
|
||||
COMPARE=$2
|
||||
CONDITION=$3
|
||||
|
||||
if [ "$(sysctl $OPTION | awk '{print $3}')" -$(echo $COMPARE) "$CONDITION" ];then
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ $(pwck -rq | wc -l ) -ne 0 ];then
|
||||
exit 1
|
||||
fi
|
|
@ -0,0 +1,5 @@
|
|||
#!/bin/bash
|
||||
|
||||
if [ "$(find / -xdev -type f -perm -002 | wc -l)" -ne 0 ];then
|
||||
exit 1
|
||||
fi
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,164 @@
|
|||
|
||||
######CHANGE#######
|
||||
|
||||
#RHEL-06-000008: Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
|
||||
#Change corresponding gpg key check to Debian compatible.
|
||||
|
||||
#RHEL-06-000011: System security patches and updates must be installed and up-to-date.
|
||||
#Change corresponding update utility to Debian compatible.
|
||||
|
||||
#RHEL-06-000017: The system must use a Linux Security Module at boot time.
|
||||
#Change the SElinux to AppArmor
|
||||
|
||||
#RHEL-06-000030: The system must not have accounts configured with blank or null passwords.
|
||||
#RHEL-06-000274: The system must prohibit the reuse of passwords within twenty-four iterations.
|
||||
#Change /etc/pam.d/system-auth - CentOS/RHEL/Fedora/Red Hat/Scientific Linux pam config file.
|
||||
#To /etc/pam.d/common-password - Debian / Ubuntu Linux pam config file.
|
||||
#For more Detial http://www.cyberciti.biz/tips/linux-or-unix-disable-null-passwords.html
|
||||
|
||||
#RHEL-06-000061:The system must disable accounts after three consecutive unsuccessful logon attempts.
|
||||
#Change pam_faillock.so pam module to use pam_tally2.so
|
||||
|
||||
#RHEL-06-000065:The system boot loader configuration file(s) must be owned by root.
|
||||
#RHEL-06-000066:The system boot loader configuration file(s) must be group-owned by root.
|
||||
#RHEL-06-000067:The system boot loader configuration file(s) must have mode 0600 or less permissive.
|
||||
#Change /etc/grub.conf to /boot/grub/grub.cfg
|
||||
|
||||
#RHEL-06-000068:The system boot loader must require authentication.
|
||||
#Change grub-crypt --sha-512 to grub-mkpasswd-pbkdf2
|
||||
|
||||
#RHEL-06-000278:The system package management tool must verify permissions on all files and directories associated with the audit package.
|
||||
#RHEL-06-000279:The system package management tool must verify ownership on all files and directories associated with the audit package.
|
||||
#RHEL-06-000280:The system package management tool must verify group-ownership on all files and directories associated with the audit package.
|
||||
#RHEL-06-000281:The system package management tool must verify contents of all files associated with the audit package.
|
||||
#For auditd package, to do what we wanna do in Debian there's something different, if you wanna get the packages default permission or owner(group-owner), or the packages'contents. You should use the "aptitude download <package-name>" to download it and use "dpkg -c <package.deb>" to read.
|
||||
#There's one file is very special,if you issue the command "dpkg -c audit*.deb" you will found the audit rules file is "/etc/audit/rules.d/audit.rules", but when you extract the deb package and read the "DEBIAN/postinst" you will find the auditd package copy the "/etc/audit/audit.d/audit.rules" file to "/etc/audit/audit.rules", so we could'n only use the "dpkg -c audit*.deb | awk '{print $6}' | sed -e 's/^.//g'" to get "ALL" the files we want to check.We should manually add the "/etc/audit/audit.rules" to check
|
||||
#And the directory we check also have one thing special, the "/usr/share/man", in Debian that directory have permission 0775 by default. but the package show the 0755, so I decided to check without this directory.
|
||||
#I use the sha512sum to do the files' content checking
|
||||
|
||||
#RHEL-06-000286:The x86 Ctrl-Alt-Delete key sequence must be disabled.
|
||||
#In Debian 8 use systemd by default, you could use "systemctl mask ctrl-alt-del.target" to disable it by link to /dev/null
|
||||
|
||||
#RHEL-06-000514:The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
|
||||
|
||||
|
||||
####DEPRECATED#####
|
||||
#RHEL-06-000009:The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.
|
||||
#DEPRECATED
|
||||
|
||||
#RHEL-06-000069:The system must require authentication upon booting into single-user and maintenance modes.
|
||||
#DEPRECATED.
|
||||
#Debian and therefore Ubuntu both require root password when booting into single user mode or recovery mode. RHEL and CentOS allows access from the console into single user mode without a password.
|
||||
|
||||
#RHEL-06-000070:The system must not permit interactive boot.
|
||||
#DEPRECATED.Don't find any interactive boot option in debian yet.
|
||||
|
||||
#RHEL-06-000073:The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
|
||||
#DEPRECATED
|
||||
|
||||
#RHEL-06-000079:The system must limit the ability of processes to have simultaneous write and execute access to memory.
|
||||
#DEPRECATED
|
||||
#In debian 8 amd64, system enabled NX by default,and debian 8 i386 system use PAE by default
|
||||
|
||||
#RHEL-06-000098:The IPv6 protocol handler must not be bound to the network stack unless needed.
|
||||
#Change ipv6 checking method and disable method.
|
||||
#Use /proc/net/if_inet6 to check if ipv6 is enabled
|
||||
#Use kernel boot option in Grub "ipv6.disable=1" to disable ipv6 permanently
|
||||
|
||||
#RHEL-06-000103:The system must employ a local IPv6 firewall.
|
||||
#RHEL-06-000106:The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
|
||||
#RHEL-06-000107:The operating system must prevent public IPv6 access into an organizations internal networks,except as appropriately mediated by managed interfaces employing boundary protection devices.
|
||||
#RHEL-06-000113:The system must employ a local IPv4 firewall.
|
||||
#RHEL-06-000116:The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
|
||||
#RHEL-06-000117:The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
|
||||
#DEPRECATED. Debian 8 enable iptables (both ipv4 and ipv6) by default
|
||||
|
||||
#RHEL-06-000183:The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux).
|
||||
#Change SELinux to Apparmor
|
||||
|
||||
#RHEL-06-000203:The xinetd service must be disabled if no network services utilizing it are enabled.
|
||||
#Using 'service --status-all | grep "xinetd" ' instead of chkconfig
|
||||
|
||||
#RHEL-06-000211:The telnet daemon must not be running.
|
||||
#In Debian telnet service using inetd. You could disable it by comment the telnet line in the /etc/inetd.conf
|
||||
|
||||
#RHEL-06-000214:The rshd service must not be running.
|
||||
#In Debian rshd service using inetd. You could disable it by comment the rshd line in the /etc/inetd.conf
|
||||
|
||||
#RHEL-06-000216:The rexecd service must not be running.
|
||||
#In Debian rexecd service using inetd. You could disable it by comment the rexecd line in the /etc/inetd.conf
|
||||
|
||||
#RHEL-06-000218:The rlogind service must not be running.
|
||||
#In Debian rlogind service using inetd. You could disable it by comment the rlogind line in the /etc/inetd.conf
|
||||
|
||||
#RHEL-06-000220:The ypserv package must not be installed.
|
||||
#In Debian using nis package instead of ypserv package.
|
||||
|
||||
#RHEL-06-000221:The ypbind service must not be running.
|
||||
#In Debian using nis service instead of ypbind service.
|
||||
|
||||
#RHEL-06-000240:The SSH daemon must be configured with the Department of Defense (DoD) login banner.
|
||||
#DEPRECATED
|
||||
|
||||
#RHEL-06-000247:The system clock must be synchronized continuously, or at least daily.
|
||||
#In debian use ntp instead of ntpd
|
||||
|
||||
#RHEL-06-000248:The system clock must be synchronized to an authoritative DoD time source.
|
||||
#Changing `DoD` time source to trusted time source
|
||||
|
||||
#RHEL-06-000261:The Automatic Bug Reporting Tool (abrtd) service must not be running.
|
||||
#DEPRECATED.
|
||||
#Didn't find abrtd-like tool in debian yet
|
||||
|
||||
#RHEL-06-000265:The ntpdate service must not be running.
|
||||
#DEPRECATED
|
||||
#In Debian there's no running service "ntpdate", some of ntpdate's function is include in "ntp" so DEPRECATED.
|
||||
|
||||
#RHEL-06-000266:The oddjobd service must not be running.
|
||||
#DEPRECATED.Debian don't have oddjob service or package
|
||||
|
||||
#RHEL-06-000267:The qpidd service must not be running.
|
||||
#Debian don't have qpidd service by default, in RHEL this service is selected by "base" package.
|
||||
|
||||
#RHEL-06-000268:The rdisc service must not be running.
|
||||
#Debian don't have rdisc service by default
|
||||
|
||||
#RHEL-06-000303:The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system.
|
||||
#RHEL-06-000304:The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.
|
||||
#RHEL-06-000305:The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.
|
||||
#RHEL-06-000306:The operating system must detect unauthorized changes to software and information.
|
||||
#RHEL-06-000307:The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
|
||||
#In aide package employ automated mechanisms by default.(cron.daily)
|
||||
|
||||
#RHEL-06-000324:A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
|
||||
|
||||
#RHEL-06-000326:The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
|
||||
#RHEL-06-000344:The system default umask in /etc/profile must be 077.
|
||||
#RHEL-06-000343:The system default umask for the csh shell must be 077.
|
||||
#RHEL-06-000342:The system default umask for the bash shell must be 077.
|
||||
#RHEL-06-000348:The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
|
||||
|
||||
#RHEL-06-000357:The system must disable accounts after excessive login failures within a 15-minute interval.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#RHEL-06-000284:The system must use and update a DoD-approved virus scan program.
|
||||
#RHEL-06-000285:The system must have a host-based intrusion detection tool installed.
|
||||
|
||||
|
||||
|
||||
####SHOULD-CHECK-ON-YOU-OWN####
|
||||
|
||||
|
||||
#RHEL-06-000289:The netconsole service must be disabled unless required.
|
||||
#Red Hat has netconsole init script. However, under Debian / Ubuntu Linux, you need to manually configure netconsole. Type the following command to start netconsole by loading kernel netconsole module
|
||||
#RHEL-06-000297:Temporary accounts must be provisioned with an expiration date.
|
||||
#RHEL-06-000298:Emergency accounts must be provisioned with an expiration date.
|
||||
#RHEL-06-000311:The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.
|
||||
#RHEL-06-000321:The system must provide VPN connectivity for communications over untrusted networks.
|
||||
#RHEL-06-000349:The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
|
||||
#RHEL-06-000504:The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.
|
||||
#RHEL-06-000505:The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
|
||||
#RHEL-06-000524:The system must provide automated support for account management functions.
|
|
@ -0,0 +1,27 @@
|
|||
RHEL-06-000013:The system package management tool must cryptographically verify the authenticity of system software packages during installation.
|
||||
RHEL-06-000015:The system package management tool must cryptographically verify the authenticity of all software packages during installation.
|
||||
RHEL-06-000020:The system must use a Linux Security Module configured to enforce limits on system services.
|
||||
RHEL-06-000023:The system must use a Linux Security Module configured to limit the privileges of system services.
|
||||
RHEL-06-000025:All device files must be monitored by the system Linux Security Module.
|
||||
|
||||
RHEL-06-000252:If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
|
||||
RHEL-06-000253:The LDAP client must use a TLS connection using trust certificates signed by the site CA.
|
||||
RHEL-06-000257:The graphical desktop environment must set the idle timeout to no more than 15 minutes.
|
||||
RHEL-06-000258:The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment.
|
||||
RHEL-06-000259:The graphical desktop environment must have automatic lock enabled.
|
||||
RHEL-06-000260:The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
|
||||
RHEL-06-000292:The DHCP client must be disabled if not needed.
|
||||
RHEL-06-000324:A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
|
||||
RHEL-06-000527:The login user list must be disabled.
|
||||
|
||||
|
||||
RHEL-06-000340:The snmpd service must use only SNMP protocol version 3 or newer.
|
||||
RHEL-06-000341:The snmpd service must not use a default password.
|
||||
|
||||
|
||||
RHEL-06-000508:The system must allow locking of graphical desktop sessions.
|
||||
|
||||
RHEL-06-000516:The system package management tool must verify ownership on all files and directories associated with packages.
|
||||
RHEL-06-000517:The system package management tool must verify group-ownership on all files and directories associated with packages.
|
||||
RHEL-06-000518:The system package management tool must verify permissions on all files and directories associated with packages.
|
||||
RHEL-06-000519:The system package management tool must verify contents of all files associated with packages.
|
Loading…
Reference in New Issue