Security Technical Implementation Guide tests based upon RHEL/hardenedlinux

This commit is contained in:
Bob Mottram 2016-11-29 12:37:48 +00:00
parent 95c758067a
commit 1f0ac1f3ce
54 changed files with 4899 additions and 0 deletions



@ -0,0 +1,27 @@
#!/bin/bash
#Tested on Aide 0.16a2-19-g16ed855
CHECKDATABASE=$(grep "database=" /etc/aide/aide.conf 2>/dev/null )
if [ $? -eq 0 ];then
:
else
echo "couldn""'""t found aide.conf"
exit 1
fi
DATABASE=$(echo $CHECKDATABASE | awk -F ':' '{printf $2}' 2>/dev/null)
if [ $? -eq 0 ];then
:
else
echo "couldn""'""t found database location at aide.conf"
exit 1
fi
if [ -f "$DATABASE" ];then
echo "There is a baseline for aide."
exit 0
else
echo "Can""'""t find aide baseline"
exit 1
fi
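Review bot: The first grep's pattern `"database="` also matches the `database_out=` line that aide.conf normally carries, so CHECKDATABASE can hold two lines and the following `echo | awk -F ':'` yields something like `/var/lib/aide/aide.db database_out=file` rather than a path; the `$?` tested after that pipeline is awk's status and is always 0, so the second error branch is unreachable. Anchor the key and test the extracted value instead: `DATABASE=$(sed -n 's/^database=file:\(.*\)$/\1/p' /etc/aide/aide.conf 2>/dev/null)` followed by `[ -n "$DATABASE" ] || { echo "couldn't find database location at aide.conf"; exit 1; }`. The first `if [ $? -eq 0 ]` can then become `grep -q '^database=' /etc/aide/aide.conf 2>/dev/null ||` with the same message, which removes the empty `:` branches.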

5
tests/check-aide-cron.sh Normal file

@ -0,0 +1,5 @@
#1/bin/bash
if [ $(grep aide /etc/crontab /etc/cron.*/* | wc -l) -ne 0 ];then
exit 1
fi
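Review bot: The shebang reads `#1/bin/bash` instead of `#!/bin/bash`, so the kernel will not select bash for this file and it runs under whatever shell the harness happens to use. The condition also looks inverted: it exits 1 when an aide entry is present in /etc/crontab or /etc/cron.*/*, whereas a periodic-integrity-check requirement would fail on its absence; if that reading is right the test should be `if ! grep -q aide /etc/crontab /etc/cron.*/*; then exit 1; fi`, which also drops the `wc -l` counting.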

5
tests/check-apt-gpg.sh Normal file

@ -0,0 +1,5 @@
#!/bin/bash
if grep -i "gpg" /etc/apt/apt.conf.d/* | sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' | grep -i "gpg.*check.*false";then
exit 1
fi
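Review bot: Because grep is run over several files, every line arrives prefixed with its path, so the `/^#/d` and `/^$/d` sed expressions never match and the comment filter only works by way of `s/#.*$//`; a file under apt.conf.d whose name contains `gpg` would also satisfy the second grep on the path alone. Use `grep -hi gpg /etc/apt/apt.conf /etc/apt/apt.conf.d/*` so the prefix is dropped and /etc/apt/apt.conf itself is covered. The pattern only catches `gpg…check…false` style settings; `APT::Get::AllowUnauthenticated "true"` disables signature enforcement as well and is not matched.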

100
tests/check-apt-key.sh Normal file

@ -0,0 +1,100 @@
#!/bin/bash
#Verify with the key fatch from https://ftp-master.debian.org/keys.html
#---------------------------------------------------------------------------
#"Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>"
JESSIEARCHIVEKEY=" 126C 0D24 BD8A 2942 CC7D F8AC 7638 D044 2B90 D010"
CHECKTMP=$(apt-key finger | grep -B 1 "Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>" | head -n1 | awk -F '=' '{printf $2}')
if [ "$CHECKTMP" == "$JESSIEARCHIVEKEY" ];then
echo Good
:
else
echo bad
exit 1
fi
#---------------------------------------------------------------------------
#"Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>"
JESSIESECURITYKEY=" D211 6914 1CEC D440 F2EB 8DDA 9D6D 8F6B C857 C906"
CHECKTMP=$(apt-key finger | grep -B 1 "Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>" | head -n1 | awk -F '=' '{printf $2}')
if [ "$CHECKTMP" == "$JESSIESECURITYKEY" ];then
echo Good
:
else
echo bad
exit 1
fi
#---------------------------------------------------------------------------
#"Jessie Stable Release Key <debian-release@lists.debian.org>"
JESSIESTABLEKEY=" 75DD C3C4 A499 F1A1 8CB5 F3C8 CBF8 D6FD 518E 17E1"
CHECKTMP=$(apt-key finger | grep -B 1 "Jessie Stable Release Key <debian-release@lists.debian.org>" | head -n1 | awk -F '=' '{printf $2}')
if [ "$CHECKTMP" == "$JESSIESTABLEKEY" ];then
echo Good
:
else
echo bad
exit 1
fi
#---------------------------------------------------------------------------
#"Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>"
SQUEEZEARCHIVEKEY=" 9FED 2BCB DCD2 9CDF 7626 78CB AED4 B06F 4730 41FA"
CHECKTMP=$(apt-key finger | grep -B 1 "Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>" | head -n1 | awk -F '=' '{printf $2}')
if [ "$CHECKTMP" == "$SQUEEZEARCHIVEKEY" ];then
echo Good
:
else
echo bad
exit 1
fi
#---------------------------------------------------------------------------
#"Squeeze Stable Release Key <debian-release@lists.debian.org>"
SQUEEZESTABLEKEY=" 0E4E DE2C 7F3E 1FC0 D033 800E 6448 1591 B983 21F9"
CHECKTMP=$(apt-key finger | grep -B 1 "Squeeze Stable Release Key <debian-release@lists.debian.org>" | head -n1 | awk -F '=' '{printf $2}')
if [ "$CHECKTMP" == "$SQUEEZESTABLEKEY" ];then
echo Good
:
else
echo bad
exit 1
fi
#---------------------------------------------------------------------------
#"Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>"
WHEEZYARCHIVEKEY=" A1BD 8E9D 78F7 FE5C 3E65 D8AF 8B48 AD62 4692 5553"
CHECKTMP=$(apt-key finger | grep -B 1 "Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>" | head -n1 | awk -F '=' '{printf $2}')
if [ "$CHECKTMP" == "$WHEEZYARCHIVEKEY" ];then
echo Good
:
else
echo bad
exit 1
fi
#---------------------------------------------------------------------------
#"Wheezy Stable Release Key <debian-release@lists.debian.org>"
WHEEZYSTABLEKEY=" ED6D 6527 1AAC F0FF 15D1 2303 6FB2 A1C2 65FF B764"
CHECKTMP=$(apt-key finger | grep -B 1 "Wheezy Stable Release Key <debian-release@lists.debian.org>" | head -n1 | awk -F '=' '{printf $2}')
if [ "$CHECKTMP" == "$WHEEZYSTABLEKEY" ];then
echo Good
:
else
echo bad
exit 1
fi
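Review bot: The seven blocks differ only in the key name and fingerprint, and each depends on `apt-key finger` printing a `Key fingerprint = …` line directly above the uid, which is the older gpg layout; newer gpg prints the fingerprint without the `=` label, which leaves every CHECKTMP empty and the script reports bad for all keys. Factoring the comparison into one function keeps that format dependency in one place and makes the `echo Good` / `:` pair per key unnecessary. Note also that the script only confirms the listed keys are present; an additional, unexpected key in the apt keyring is not detected, which is the usual concern behind a vendor-key check. Keeping the squeeze and wheezy keys on a jessie host is presumably deliberate — confirm.
```shell
check_key() {
  local name=$1 expected=$2 actual
  actual=$(apt-key finger 2>/dev/null | grep -B 1 -F -- "$name" | head -n1 | awk -F '=' '{printf $2}')
  if [ "$actual" != "$expected" ]; then
    echo "bad: $name"
    exit 1
  fi
}
check_key "Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>" " 126C 0D24 BD8A 2942 CC7D F8AC 7638 D044 2B90 D010"
# … unchanged: the remaining six name/fingerprint pairs as check_key calls …
```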

9
tests/check-audisp.sh Normal file

@ -0,0 +1,9 @@
#!/bin/bash
if dpkg -s audispd-plugins > /dev/null 2>&1;then
if ! sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audisp/plugins.d/syslog.conf | grep -i "active.*yes";then
exit 1
fi
else
exit 1
fi


@ -0,0 +1,112 @@
#!/bin/bash
#The hole idea of how to get the origin files' permission is learned from http://sysadminnotebook.blogspot.com/2012/06/how-to-reset-folder-permissions-to.html
TDIR=`mktemp -d`
cd $TDIR
aptitude download auditd
FILES=`dpkg -c auditd*.deb | sed -e '/^d/d' | \
sed '/audit.rules$/p;s/\/etc\/audit\/rules.d\/audit.rules$/\/etc\/audit\/audit.rules/'`
DIRECTORY=`dpkg -c auditd*.deb | sed -n '/^d/p' | \
sed -e '/\/usr\/share\/man/d'`
case $1 in
permission)
echo "$FILES" | while read FILE;
do
echo "$FILE" | awk '{print $6}' | sed -e 's/^.//g' | while read line;
do
ORIGIN=$(echo "$FILE" | awk '{print $1}')
CURRENT=$(ls -l "$line" | awk '{print $1}')
if [ "$CURRENT" != "$ORIGIN" ];then
echo "ORIGIN:$FILE"
echo "CURRENT:$(ls -l $line)"
exit 1
fi
done
done
echo "$DIRECTORY" | while read DIR;
do
echo "$DIR" | awk '{print $6}' | sed -e 's/^.//g' | while read line;
do
ORIGIN=$(echo "$DIR" | awk '{print $1}' )
CURRENT=$(ls -dl "$line" | awk '{print $1}' )
if [ "$CURRENT" != "$ORIGIN" ];then
echo "$ORIGIN:$DIR"
echo "$CURRENT:$(ls -dl $line)"
exit 1
fi
done
done
;;
owner)
echo "$FILES" | while read FILE;
do
echo "$FILE" | awk '{print $6}' | sed -e 's/^.//g' | while read line;
do
ORIGIN=$(echo "$FILE" | awk '{print $2}' | awk -F '/' '{print $1}')
CURRENT=$(ls -l "$line" | awk '{print $3}')
if [ "$CURRENT" != "$ORIGIN" ];then
echo "ORIGIN:$FILE"
echo "CURRENT:$(ls -l $line)"
exit 1
fi
done
done
echo "$DIRECTORY" | while read DIR;
do
echo "$DIR" | awk '{print $6}' | sed -e 's/^.//g' | while read line;
do
ORIGIN=$(echo "$DIR" | awk '{print $2}' | awk -F '/' '{print $1}' )
CURRENT=$(ls -dl "$line" | awk '{print $3}' )
if [ "$CURRENT" != "$ORIGIN" ];then
echo "$ORIGIN:$DIR"
echo "$CURRENT:$(ls -dl $line)"
exit 1
fi
done
done
;;
group-owner)
echo "$FILES" | while read FILE;
do
echo "$FILE" | awk '{print $6}' | sed -e 's/^.//g' | while read line;
do
ORIGIN=$(echo "$FILE" | awk '{print $2}' | awk -F '/' '{print $2}')
CURRENT=$(ls -l "$line" | awk '{print $4}')
if [ "$CURRENT" != "$ORIGIN" ];then
echo "ORIGIN:$FILE"
echo "CURRENT:$(ls -l $line)"
exit 1
fi
done
done
echo "$DIRECTORY" | while read DIR;
do
echo "$DIR" | awk '{print $6}' | sed -e 's/^.//g' | while read line;
do
ORIGIN=$(echo "$DIR" | awk '{print $2}' | awk -F '/' '{print $2}' )
CURRENT=$(ls -dl "$line" | awk '{print $4}' )
if [ "$CURRENT" != "$ORIGIN" ];then
echo "$ORIGIN:$DIR"
echo "$CURRENT:$(ls -dl $line)"
exit 1
fi
done
done
;;
file-hashes)
dpkg-deb -R audit*.deb .
echo "$FILES" | grep "bin/" | while read FILE;
do
echo "$FILE" | awk '{print $6}' | sed -e 's/^.//g' | while read line;
do
ORIGIN=$(sha512sum "$(echo "$line" | sed -e 's/^.\///g')" | awk '{print $1}')
CURRENT=$(sha512sum "$line" | awk '{print $1}')
if [ "$CURRENT" != "$ORIGIN" ];then
echo "ORIGIN:$FILE"
echo "CURRENT:$(ls -l $line)"
exit 1
fi
done
done
;;
esac
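Review bot: In the file-hashes branch the baseline hash is computed from the wrong path: `$line` already has its leading `.` stripped (`/usr/sbin/auditd`), so `sed -e 's/^.\///g'` finds nothing to replace and ORIGIN hashes the same installed file as CURRENT, which makes the comparison succeed unconditionally; it should hash the extracted copy, `ORIGIN=$(sha512sum ".$line" | awk '{print $1}')`. In all four branches the `exit 1` runs inside an `echo … | while` pipeline, so it ends only the subshell and the script continues; the FILES verdict is then overwritten by the DIRECTORY loop's status, so append `|| exit 1` to each outer `done`. `cd $TDIR` is unchecked and the temporary directory is never removed; `cd "$TDIR" || exit 1` together with `trap 'rm -rf -- "$TDIR"' EXIT` after the mktemp covers both.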

153
tests/check-auditd.sh Normal file

@ -0,0 +1,153 @@
#!/bin/bash
case $1 in
space_left_action)
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
if [ $? -eq 0 ];then
ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
if [ "${ACTION,,}" != "email" ];then
exit 1
fi
else
exit 1
fi
;;
num_logs)
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
if [ $? -eq 0 ];then
if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}') -$2 $3 ];then
exit 1
fi
else
exit 1
fi
;;
max_log_file)
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1=)
if [ $? -eq 0 ];then
if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1= | awk -F '=' '{print $2}') -$2 $3 ];then
exit 1
fi
else
exit 1
fi
;;
max_log_file_action)
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
if [ $? -eq 0 ];then
ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
if [ "${ACTION,,}" != "rotate" ];then
exit 1
fi
else
exit 1
fi
;;
admin_space_left_action)
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
if [ $? -eq 0 ];then
ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
if [ "${ACTION,,}" != "single" ];then
exit 1
fi
else
exit 1
fi
;;
account)
if ! auditctl -l | grep "/etc/passwd" ;then
exit 1
elif ! auditctl -l | grep "/etc/shadow";then
exit 1
elif ! auditctl -l | grep "/etc/group";then
exit 1
elif ! auditctl -l | grep "/etc/gshadow";then
exit 1
elif ! auditctl -l | grep "/etc/security/opasswd";then
exit 1
fi
;;
network)
if ! auditctl -l | grep "sethostname" ;then
exit 1
elif ! auditctl -l | grep "setdomainname";then
exit 1
elif ! auditctl -l | grep "/etc/issue.net";then
exit 1
elif ! auditctl -l | grep "/etc/hosts";then
exit 1
elif ! auditctl -l | grep "/etc/sysconfig";then
exit 1
elif ! auditctl -l | grep "network";then
exit 1
fi
;;
apparmor-config)
if ! auditctl -l | grep "/etc/apparmor/" ;then
exit 1
elif ! auditctl -l | grep "/etc/apparmor.d/";then
exit 1
fi
;;
failed-access-files-programs)
if ! auditctl -l | grep "EACCES" ;then
exit 1
elif ! auditctl -l | grep "EPERM";then
exit 1
fi
;;
setuid-setgid)
find / -xdev -type f -perm /6000 2>/dev/null | while read line;do
if ! auditctl -l | grep "$line" ;then
exit 1
fi
done
;;
deletions)
if ! auditctl -l | grep "rmdir" ;then
exit 1
elif ! auditctl -l | grep "unlink";then
exit 1
elif ! auditctl -l | grep "unlinkat";then
exit 1
elif ! auditctl -l | grep "rename";then
exit 1
elif ! auditctl -l | grep "renameat";then
exit 1
fi
;;
kernel-modules)
if ! auditctl -l | egrep -e "(-w |-F path=)/sbin/insmod";then
exit 1
elif ! auditctl -l | egrep -e "(-w |-F path=)/sbin/rmmod";then
exit 1
elif ! auditctl -l | egrep -e "(-w |-F path=)/sbin/modprobe";then
exit 1
elif ! auditctl -l | grep -w "init_module";then
exit 1
elif ! auditctl -l | grep -w "delete_module";then
exit 1
fi
;;
action_mail_acct)
EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
if [ $? -eq 0 ];then
ACCOUNT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
if [ "${ACCOUNT,,}" != "root" ];then
exit 1
fi
else
exit 1
fi
;;
disk_full_action)
if grep -i "disk_full_action.*ignore\|disk_full_action.*suspend" /etc/audit/auditd.conf;then
exit 1
fi
;;
disk_error_action)
if grep -i "disk_error_action.*ignore\|disk_error_action.*suspend" /etc/audit/auditd.conf;then
exit 1
fi
;;
esac
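Review bot: In the space_left_action branch `grep $1` also matches the `admin_space_left_action` line, so ACTION holds two values (e.g. `email` and `single`) and the `!= "email"` test fails on a correctly configured auditd.conf; `num_logs` and `max_log_file_action` are exposed to the same prefix matching. The max_log_file branch already anchors with `$1=`; use `grep "^$1="` in every conf-parsing branch. The `EXIST=` captures are never read — `if grep -q "^$1=" …` in the condition is enough. In `deletions`, `grep "unlink"` already matches `unlinkat` and `grep "rename"` matches `renameat`, so those two tests are redundant as written; `grep -w` makes them distinct.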

9
tests/check-bluetooth.sh Normal file

@ -0,0 +1,9 @@
#!/bin/bash
if grep -r bluetooth /etc/modprobe.d;then
if ! grep -r net-pf-31 /etc/modprobe.d;then
exit 1
fi
else
exit 1
fi
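Review bot: `grep -r bluetooth /etc/modprobe.d` matches any occurrence of the word, including an option line or a stray mention unrelated to module loading, so it does not establish that the module is blocked. Match the directive itself, `grep -rEq '^[[:space:]]*install[[:space:]]+bluetooth[[:space:]]+/bin/true' /etc/modprobe.d`, and the same for `net-pf-31`; that also drops the matched lines from stdout.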

62
tests/check-cmd-mode.sh Normal file

@ -0,0 +1,62 @@
#!/bin/bash
if [ -d "/bin" ];then
COUNT=$(find -L /bin -type f -perm /022 -exec ls -l {} \; |wc -l)
if [ $COUNT -eq 0 ];then
:
else
exit 1
fi
fi
if [ -d "/usr/bin" ];then
COUNT=$(find -L /usr/bin -type f -perm /022 -exec ls -l {} \; |wc -l)
if [ $COUNT -eq 0 ];then
:
else
exit 1
fi
fi
if [ -d "/usr/local/bin" ];then
COUNT=$(find -L /usr/local/bin -type f -perm /022 -exec ls -l {} \; |wc -l)
if [ $COUNT -eq 0 ];then
:
else
exit 1
fi
fi
if [ -d "/sbin" ];then
COUNT=$(find -L /sbin -type f -perm /022 -exec ls -l {} \; |wc -l)
if [ $COUNT -eq 0 ];then
:
else
exit 1
fi
fi
if [ -d "/usr/sbin" ];then
COUNT=$(find -L /usr/sbin -type f -perm /022 -exec ls -l {} \; |wc -l)
if [ $COUNT -eq 0 ];then
:
else
exit 1
fi
fi
if [ -d "/usr/local/sbin" ];then
COUNT=$(find -L /usr/local/sbin -type f -perm /022 -exec ls -l {} \; |wc -l)
if [ $COUNT -eq 0 ];then
:
else
exit 1
fi
fi
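Review bot: The six blocks are the same test on six directories, each running `ls -l` once per matching file only to count lines; the loop form below reads as the single rule it is and stops at the first hit. The same shape applies to check-cmd-owner.sh, check-libs-mode.sh and check-libs-owner.sh, which differ only in the directory list and the find predicate (`\! -user root` for the owner tests). `COUNT` is compared with an unquoted `[ $COUNT -eq 0 ]`, which errors when find itself fails and then skips `exit 1`.
```shell
for dir in /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin; do
  [ -d "$dir" ] || continue
  # any regular file below $dir that is group- or world-writable fails the test
  if find -L "$dir" -type f -perm /022 -print -quit 2>/dev/null | grep -q .; then
    exit 1
  fi
done
```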

62
tests/check-cmd-owner.sh Normal file

@ -0,0 +1,62 @@
#!/bin/bash
if [ -d "/bin" ];then
COUNT=$(find -L /bin \! -user root -exec ls -l {} \; |wc -l)
if [ $COUNT -eq 0 ];then
:
else
exit 1
fi
fi
if [ -d "/usr/bin" ];then
COUNT=$(find -L /usr/bin \! -user root -exec ls -l {} \; |wc -l)
if [ $COUNT -eq 0 ];then
:
else
exit 1
fi
fi
if [ -d "/usr/local/bin" ];then
COUNT=$(find -L /usr/local/bin \! -user root -exec ls -l {} \; |wc -l)
if [ $COUNT -eq 0 ];then
:
else
exit 1
fi
fi
if [ -d "/sbin" ];then
COUNT=$(find -L /sbin \! -user root -exec ls -l {} \; |wc -l)
if [ $COUNT -eq 0 ];then
:
else
exit 1
fi
fi
if [ -d "/usr/sbin" ];then
COUNT=$(find -L /usr/sbin \! -user root -exec ls -l {} \; |wc -l)
if [ $COUNT -eq 0 ];then
:
else
exit 1
fi
fi
if [ -d "/usr/local/sbin" ];then
COUNT=$(find -L /usr/local/sbin \! -user root -exec ls -l {} \; |wc -l)
if [ $COUNT -eq 0 ];then
:
else
exit 1
fi
fi

21
tests/check-consoles.sh Normal file

@ -0,0 +1,21 @@
#!/bin/bash
case $1 in
virtual)
if [ -f /etc/securetty ];then
if grep '^vc/[0-9]' /etc/securetty;then
exit 1
fi
else
exit 0
fi
;;
serial)
if [ -f "/etc/securetty" ];then
if grep '^ttyS[0-9]' /etc/securetty;then
exit 1
fi
else
exit 0
fi
;;
esac


@ -0,0 +1,9 @@
#!/bin/bash
if [ -f /etc/systemd/system/ctrl-alt-del.target ];then
if ! ls -l /etc/systemd/system/ctrl-alt-del.target | grep "/dev/null";then
exit 1
fi
else
exit 1
fi
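Review bot: `[ -f … ]` follows the symlink, and a masked unit is a symlink to /dev/null, a character device rather than a regular file, so the outer test is false exactly when the target is correctly masked and the script exits 1 in both states. Test the link target instead: `if [ "$(readlink -f /etc/systemd/system/ctrl-alt-del.target 2>/dev/null)" != "/dev/null" ]; then exit 1; fi`. Where systemctl is available, `systemctl is-enabled ctrl-alt-del.target` reporting `masked` is the equivalent check.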


@ -0,0 +1,11 @@
#!/bin/bash
echo $(awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 ":" $2}' /etc/shadow | awk -F ':' '{printf $1}' )| while read ACCOUNT
do
awk -F':' '{ if ( $3 <= 500 ) print $1 }' /etc/passwd | sed '/^root$/d' | while read ACCOUNTLIST
do
if [ "$ACCOUNT" == "$ACCOUNTLIST" ];then
echo "There is at least one default account is using"
exit 1
fi
done
done
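Review bot: The outer loop never sees individual names: `awk '{printf $1}'` emits the account names with no separator and `echo $(…)` folds them onto one line, so `read ACCOUNT` receives a single concatenated token that can never equal an entry of ACCOUNTLIST, and the `exit 1` inside the piped loop would only leave the subshell anyway. A single awk pass over both files gives the intended intersection and a usable exit status. The `$3 <= 500` threshold is inherited from RHEL; Debian reserves system UIDs below 1000 — confirm which cutoff is wanted.
```shell
# non-root accounts with a usable password hash that are also low-UID accounts
if awk -F: 'NR == FNR { if ($1 != "root" && $2 !~ /^[!*]/) live[$1] = 1; next }
            $1 != "root" && $3 <= 500 && ($1 in live) { print $1; found = 1 }
            END { exit !found }' /etc/shadow /etc/passwd; then
  echo "There is at least one default account is using"
  exit 1
fi
```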

30
tests/check-depends.sh Normal file

@ -0,0 +1,30 @@
#!/bin/bash
case $1 in
smb-signing)
if dpkg -s samba >/dev/null 2>&1;then
if ! sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' -e '/^;/d' /etc/samba/smb.conf | grep "client.*signing.*mandatory";then
exit 1
fi
fi
;;
smb-sec)
if [ "$(grep "cifs.*sec=krb5a\|cifs.*sec=ntlmv2i" /etc/mtab /etc/fstab | wc -l)" != "$(grep "cifs" /etc/mtab /etc/fstab | wc -l)" ];then
exit 1
fi
;;
libuser)
if [ -f /etc/libuser.conf ];then
if ! sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/libuser.conf | grep "crypt_style.*sha512";then
exit 1
fi
fi
;;
icmpv6)
if [ -a /proc/net/if_inet6 ];then
if ! sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/libuser.conf | grep "crypt_style.*sha512";then
exit 1
fi
fi
;;
esac
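Review bot: The `icmpv6` branch is a copy of the `libuser` branch — it greps `crypt_style.*sha512` in /etc/libuser.conf — and says nothing about ICMPv6, so it fails on any host with IPv6 enabled regardless of configuration; the body needs to be replaced with whatever ICMPv6 setting the requirement actually names. `[ -a … ]` is the obsolete spelling of `-e`. The comment-stripping sed pipeline is repeated verbatim in most tests of this commit; a shared `strip_comments` helper would make each condition readable.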

5
tests/check-gids.sh Normal file

@ -0,0 +1,5 @@
#!/bin/bash
if [ $(pwck -r | grep "no group" | wc -l) -ne 0 ];then
exit 1
fi

98
tests/check-grub-mode.sh Normal file

@ -0,0 +1,98 @@
#!/bin/bash
MODE=$(ls -l /boot/grub/grub.cfg | awk '{print $1}')
if [ "$(printf "%c" "$MODE")" == "-" ];then #First char at MODE(----------)
:
else
exit 1
fi
TEMP=${MODE#?} #remove first char at MODE and save at $TEMP
printf "%c" "$TEMP" | grep -w "^r$\|^-$"
if [ $? -eq 0 ];then
:
else
exit 1
fi
TEMP=${TEMP#?}
printf "%c" "$TEMP" | grep -w "^w$\|^-$"
if [ $? -eq 0 ];then
:
else
exit 1
fi
TEMP=${TEMP#?}
printf "%c" "$TEMP" | grep -w "^-$"
if [ $? -eq 0 ];then
:
else
exit 1
fi
TEMP=${TEMP#?}
printf "%c" "$TEMP" | grep -w "^-$"
if [ $? -eq 0 ];then
:
else
exit 1
fi
TEMP=${TEMP#?}
printf "%c" "$TEMP" | grep -w "^-$"
if [ $? -eq 0 ];then
:
else
exit 1
fi
TEMP=${TEMP#?}
printf "%c" "$TEMP" | grep -w "^-$"
if [ $? -eq 0 ];then
:
else
exit 1
fi
TEMP=${TEMP#?}
printf "%c" "$TEMP" | grep -w "^-$"
if [ $? -eq 0 ];then
:
else
exit 1
fi
TEMP=${TEMP#?}
printf "%c" "$TEMP" | grep -w "^-$"
if [ $? -eq 0 ];then
:
else
exit 1
fi
TEMP=${TEMP#?}
printf "%c" "$TEMP" | grep -w "^-$"
if [ $? -eq 0 ];then
:
else
exit 1
fi
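Review bot: The nine-step character walk re-implements a mode test that find and stat already provide, and it is hard to see at a glance that it accepts exactly `-rw-------` or stricter. Replace the whole block with a bit test for anything beyond 0600: `[ -f /boot/grub/grub.cfg ] || exit 1` and `if [ -n "$(find /boot/grub/grub.cfg -maxdepth 0 -perm /0177)" ]; then exit 1; fi`. With stat the same condition reads `if [ $(( 0$(stat -c %a /boot/grub/grub.cfg) & 0177 )) -ne 0 ]; then exit 1; fi`.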

9
tests/check-inactive.sh Normal file

@ -0,0 +1,9 @@
#!/bin/bash
if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/default/useradd | grep INACTIVE;then
if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/default/useradd | grep INACTIVE | awk -F '=' '{printf $2}') -gt 35 ];then
exit 1
fi
else
exit 1
fi
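Review bot: `INACTIVE=-1` in /etc/default/useradd disables inactivity locking entirely, and `-1 -gt 35` is false, so the least strict setting passes this test. Reject negative values as well: `v=$(… | awk -F '=' '{printf $2}')` then `if [ "$v" -lt 0 ] || [ "$v" -gt 35 ]; then exit 1; fi`. A non-numeric value makes `[` report an error, and the failed test then never reaches `exit 1`; checking `[[ $v =~ ^-?[0-9]+$ ]] || exit 1` first closes that path.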


@ -0,0 +1,6 @@
#!/bin/bash
if [ -a /proc/net/if_inet6 ];then
echo bad
exit 1
fi

42
tests/check-libs-mode.sh Normal file

@ -0,0 +1,42 @@
#!/bin/bash
if [ -d "/lib" ];then
COUNT=$(find -L /lib -type f -perm /022 -exec ls -l {} \; |wc -l)
if [ $COUNT -eq 0 ];then
:
else
exit 1
fi
fi
if [ -d "/lib64" ];then
COUNT=$(find -L /lib64 -type f -perm /022 -exec ls -l {} \; |wc -l)
if [ $COUNT -eq 0 ];then
:
else
exit 1
fi
fi
if [ -d "/usr/lib" ];then
COUNT=$(find -L /usr/lib -type f -perm /022 -exec ls -l {} \; |wc -l)
if [ $COUNT -eq 0 ];then
:
else
exit 1
fi
fi
if [ -d "/usr/lib64" ];then
COUNT=$(find -L /usr/lib64 -type f -perm /022 -exec ls -l {} \; |wc -l)
if [ $COUNT -eq 0 ];then
:
else
exit 1
fi
fi

43
tests/check-libs-owner.sh Normal file

@ -0,0 +1,43 @@
#!/bin/bash
if [ -d "/lib" ];then
COUNT=$(find -L /lib \! -user root -exec ls -l {} \; |wc -l)
if [ $COUNT -eq 0 ];then
:
else
exit 1
fi
fi
if [ -d "/lib64" ];then
COUNT=$(find -L /lib64 \! -user root -exec ls -l {} \; |wc -l)
if [ $COUNT -eq 0 ];then
:
else
exit 1
fi
fi
if [ -d "/usr/lib" ];then
COUNT=$(find -L /usr/lib \! -user root -exec ls -l {} \; |wc -l)
if [ $COUNT -eq 0 ];then
:
else
exit 1
fi
fi
if [ -d "/usr/lib64" ];then
COUNT=$(find -L /usr/lib64 \! -user root -exec ls -l {} \; |wc -l)
if [ $COUNT -eq 0 ];then
:
else
exit 1
fi
fi

21
tests/check-limits.sh Normal file

@ -0,0 +1,21 @@
#!/bin/bash
case $1 in
core-dumps)
if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/security/limits.conf | grep "hard.*core";then
if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/security/limits.conf | grep "hard.*core" | awk -F 'core' '{print $2}' | sed 's/\ *//g') -ne 0 ];then
exit 1
fi
else
exit 1
fi
;;
maxlogins)
if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/security/limits.conf | grep "maxlogins";then
if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/security/limits.conf | grep "maxlogins" | awk -F 'maxlogins' '{print $2}' | sed 's/\ *//g') -lt 10 ];then
exit 1
fi
else
exit 1
fi
;;
esac
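Review bot: The maxlogins branch exits 1 when the limit is below 10, so a stricter site value such as 5 is reported as a failure; if the intent is the STIG's "at most 10 simultaneous logins", the operator should be `-gt 10`. In both branches the value is extracted with `awk -F 'core'` / `awk -F 'maxlogins'`, which yields several words when limits.conf carries more than one matching line (a `soft` and a `hard` entry, or several domains) and then breaks the numeric test. Using the column layout of limits.conf is more precise: `awk '$2 == "hard" && $3 == "core" {print $4}'` on the comment-stripped file, and likewise `$3 == "maxlogins"`.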

21
tests/check-login-defs.sh Normal file

@ -0,0 +1,21 @@
#!/bin/bash
LOCATION=$1
KEYWORD=$2
OPTION=$3
if [ -f "$LOCATION" ];then
RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' $LOCATION | grep "$KEYWORD.*$OPTION")
#above line is remove any comment in the configuration file and use grep to output a exit status
#if matched both $KEYWORD and $OPTION there is a success exit status: 0
if [ $? -eq 0 ];then
if [ "$(echo $RESULT | tr "\t" "\n" | tr " " "\n" | sed -n "/$OPTION/p"| awk -F "=" '{printf $2}')" -$(echo $COMPARE) "$CONDITION" ];then
exit 1
fi
else
exit 1
fi
fi
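Review bot: `$COMPARE` and `$CONDITION` are never assigned in this script (only `$1`–`$3` are read), so the inner test becomes `[ value - "" ]`, which `[` rejects as a syntax error; a failed test does not enter `exit 1`, so the check passes whatever the value is. Add `COMPARE=$4` and `CONDITION=$5` after `OPTION=$3`, as check-password.sh in this commit does. As in that script, a missing `$LOCATION` falls through the outer `if` without an `else` and also passes; add `else exit 1`. `$LOCATION` in the sed call should be quoted.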

5
tests/check-logrotate.sh Normal file

@ -0,0 +1,5 @@
#!/bin/bash
if [ $(find /etc/cron.d*/ -name logrotate | wc -l) -eq 0 ];then
exit 1
fi

16
tests/check-mode.sh Normal file

@ -0,0 +1,16 @@
#!/bin/bash
#In STIG there is only 5 kinds of permission : 0000, 0644, 0755, 0600, 0640
LOCALTION=$1
PERM=$2
LEN=(stat $LOCALTION -c %a)
#if permisiion of the file or directory
if [ $LEN == 4 ];then
exit 1
fi
let FPERM=777-$PERM
find $LOCALTION -perm /$(printf "%03d\n" $FPERM) | wc -l | awk -F: '($1 != "0") {print; err=1} END {exit err}'
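Review bot: `LEN=(stat $LOCALTION -c %a)` is an array literal of four words, not a command substitution, so `$LEN` is the string `stat` and the 4-digit test never fires. What the comment seems to intend is `LEN=$(stat -c %a -- "$LOCALTION")` followed by `if [ "${#LEN}" -eq 4 ]; then exit 1; fi`, which rejects modes carrying a setuid/setgid/sticky digit (stat prints `4755` for those but `644` for plain modes). `let FPERM=777-$PERM` subtracts in decimal and only gives the right complement because no digit borrows; `printf '%03o' $((0777 & ~0$PERM))` states the octal intent directly. `LOCALTION` is presumably `LOCATION`, and it should be quoted in both commands.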

17
tests/check-netrc.sh Normal file

@ -0,0 +1,17 @@
#!/bin/bash
if [ -f ~/.netrc ];then
echo "Found .netrc in /root"
exit 1
else
echo ".netrc no found in /root"
fi
for i in $(awk -F':' '{ if ( $3 >= 500 ) print $1 }' /etc/passwd);do
HOMEDIR=`eval "echo ~$i"`
if [ -f "$HOMEDIR/.netrc" ];then
echo "Found .netrc in $HOMEDIR"
exit 1
else
echo ".netrc no found in $HOMEDIR"
fi
done
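Review bot: The user loop feeds names taken from /etc/passwd into `eval "echo ~$i"` to recover the home directory, which evaluates account names as shell text and breaks on any name the shell treats specially; the home directory is already the sixth field of the same file and can be read directly. Reading with `IFS=:` also keeps the `exit 1` in the current shell rather than a subshell. The same construct appears in check-rhosts.sh in this commit. The `$3 >= 500` cutoff is the RHEL convention; Debian's regular users start at 1000 — confirm.
```shell
# … unchanged: root's own ~/.netrc check …
while IFS=: read -r _ _ uid _ _ home _; do
  [ "$uid" -ge 500 ] || continue
  if [ -f "$home/.netrc" ]; then
    echo "Found .netrc in $home"
    exit 1
  else
    echo ".netrc no found in $home"
  fi
done < /etc/passwd
```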


@ -0,0 +1,5 @@
#!/bin/bash
if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/exports | grep -i "all_squash";then
exit 1
fi


@ -0,0 +1,5 @@
#!/bin/bash
if ! sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/exports | grep insecure_locks;then
exit 1
fi
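Review bot: The condition appears inverted: with the `!`, the script exits 1 when `insecure_locks` is absent from /etc/exports, yet the requirement this mirrors is that insecure file locking must not be enabled, and the sibling all_squash test in this commit exits 1 on presence. Drop the negation so it reads `if sed … /etc/exports | grep -q insecure_locks; then exit 1; fi`. Once negated correctly, a missing /etc/exports makes grep find nothing and the test passes, which is the right outcome for a host that exports nothing.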

14
tests/check-nfs.sh Normal file

@ -0,0 +1,14 @@
#!/bin/bash
case $1 in
nodev)
if [ "$(mount | grep nfs | wc -l)" != "$(mount | grep "nfs.*nodev" | wc -l)" ];then
exit 1
fi
;;
nosuid)
if [ "$(mount | grep nfs | wc -l)" != "$(mount | grep "nfs.*nosuid" | wc -l)" ];then
exit 1
fi
;;
esac
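Review bot: `mount | grep nfs` also matches the `nfsd` pseudo-filesystem on an NFS server and any mount point whose path contains `nfs`, while the second count only matches lines that already carry nodev, so the two totals can disagree on a fully compliant host. Selecting by filesystem type avoids this and collapses the two counts into one: `if [ "$(mount -t nfs,nfs4 | grep -vc nodev)" -ne 0 ]; then exit 1; fi`, and likewise for nosuid.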


@ -0,0 +1,9 @@
#!/bin/bash
if [ -f /etc/ntp.conf ];then
if ! sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ntp.conf | grep server;then
exit 1
fi
else
exit 1
fi
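Review bot: Debian's shipped ntp.conf configures time sources with `pool` directives rather than `server`, so a stock, synchronised host fails this test; `grep server` is also an unanchored substring match. Match both directives at line start: `grep -Eq '^(server|pool)[[:space:]]'`. Hosts that use chrony or systemd-timesyncd have no /etc/ntp.conf and are reported as failing here — confirm that is intended.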


@ -0,0 +1,19 @@
#!/bin/bash
#Based on http://unix.stackexchange.com/questions/175146/apt-get-update-exit-status
#And http://unix.stackexchange.com/questions/19470/list-available-updates-but-do-not-install-them
if ! { apt-get update 2>&1 || echo E: update failed ;} | grep -q '^[WE]:';then
echo update success
else
echo update failure
exit 1
fi
if [ $(aptitude search '~U' | wc -l) -gt 0 ];then
echo Need-to-update
exit 1
else
echo No-Need-to-update
exit 0
fi

44
tests/check-packages.sh Normal file

@ -0,0 +1,44 @@
#!/bin/bash
case $1 in
xinetd)
if dpkg -s xinetd ;then
exit 1
fi
;;
telnetd)
if dpkg -s telnetd ;then
exit 1
fi
;;
rsh-server)
if dpkg -s rsh-server ;then
exit 1
fi
;;
nis)
if dpkg -s nis ;then
exit 1
fi
;;
tftpd)
if dpkg -s tftpd ;then
exit 1
fi
;;
sldap)
if dpkg -s sldap ;then
exit 1
fi
;;
sendmail)
if dpkg -s sendmail ;then
exit 1
fi
;;
x11-common)
if dpkg -s x11-common ;then
exit 1
fi
;;
esac
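Review bot: `dpkg -s` exits 0 for a package that has been removed but whose configuration files remain (status `deinstall ok config-files`), so such a package is reported as installed and the test fails. Test the status string instead: `dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q 'install ok installed'`, which also replaces the eight identical branches with a single check on `$1` guarded by a `case` of allowed names. `sldap` is not a Debian package name and is presumably a typo for `slapd`.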


@ -0,0 +1,15 @@
#!/bin/bash
if [ -f "/etc/login.def" ];then
RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/login.defs | grep PASS_MAX_DAYS)
if [ $? -eq 0 ];then
if [ "$(echo $RESULT | awk '{printf $2}')" -gt "60" ];then
exit 1
fi
else
exit 1
fi
else
exit 1
fi
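Review bot: The guard tests `/etc/login.def` while the sed reads `/etc/login.defs`; the first path does not exist, so the outer `else` runs and the script always exits 1. The same typo is in the three following sections (PASS_MIN_DAYS, PASS_MIN_LEN and PASS_WARN_AGE). Change the guard to `if [ -f "/etc/login.defs" ];then` in all four, and anchor the key with `grep -w "^PASS_MAX_DAYS"` so a value containing the key name elsewhere on the line cannot be picked up.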


@ -0,0 +1,15 @@
#!/bin/bash
if [ -f "/etc/login.def" ];then
RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/login.defs | grep PASS_MIN_DAYS)
if [ $? -eq 0 ];then
if [ "$(echo $RESULT | awk '{printf $2}')" -lt "1" ];then
exit 1
fi
else
exit 1
fi
else
exit 1
fi


@ -0,0 +1,15 @@
#!/bin/bash
if [ -f "/etc/login.def" ];then
RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/login.defs | grep PASS_MIN_LEN)
if [ $? -eq 0 ];then
if [ "$(echo $RESULT | awk '{printf $2}')" -lt "14" ];then
exit 1
fi
else
exit 1
fi
else
exit 1
fi


@ -0,0 +1,15 @@
#!/bin/bash
if [ -f "/etc/login.def" ];then
RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/login.defs | grep PASS_WARN_AGE)
if [ $? -eq 0 ];then
if [ "$(echo $RESULT | awk '{printf $2}')" -lt "7" ];then
exit 1
fi
else
exit 1
fi
else
exit 1
fi

30
tests/check-password.sh Normal file

@ -0,0 +1,30 @@
#!/bin/bash
LOCATION=$1
KEYWORD=$2
OPTION=$3
COMPARE=$4
CONDITION=$5
#Example:
#LOCATION="/etc/pam.d/common-password"
#For debian is common-password ,for Gentoo and Red hat the file is system-auth
#KEYWORD="pam_cracklib.so"
#OPTION="ocredit"
#COMPARE="gt"
#CONDITION="-1"
if [ -f "$LOCATION" ];then
RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' $LOCATION | grep "$KEYWORD.*$OPTION")
#above line is remove any comment in the configuration file and use grep to output a exit status
#if matched both $KEYWORD and $OPTION there is a success exit status: 0
if [ $? -eq 0 ];then
if [ "$(echo $RESULT | tr "\t" "\n" | tr " " "\n" | sed -n "/$OPTION/p"| awk -F "=" '{printf $2}')" -$(echo $COMPARE) "$CONDITION" ];then
exit 1
fi
else
exit 1
fi
fi
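Review bot: Both failure paths around the inner test are silent: when the PAM file named by `$LOCATION` is missing the outer `if` has no `else`, and when the extracted value is empty or non-numeric, or `$COMPARE` is not a valid operator, `[` reports an error and returns non-zero, so `exit 1` is skipped and the check passes. Add `else exit 1` to the outer `if`, and validate the operator before use, `case $COMPARE in eq|ne|gt|ge|lt|le) ;; *) exit 1;; esac`, so the argv-supplied word cannot turn into an arbitrary `[` expression. `$LOCATION` in the sed call and `$RESULT` in the echo should be quoted, and `sed -n "/$OPTION/p"` treats the option name as a regex.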

5
tests/check-postfix.sh Normal file

@ -0,0 +1,5 @@
#!/bin/bash
if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' -e 's/ //g' /etc/postfix/main.cf | grep inet_interfaces | awk -F '=' '{print $2}')" != "localhost" ];then
exit 1
fi
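Review bot: `inet_interfaces = loopback-only` is Postfix's own spelling of the same policy and is rejected here, and a host without Postfix (no /etc/postfix/main.cf) also exits 1 because the empty result differs from `localhost`. Accept both spellings, `case "$val" in localhost|loopback-only) ;; *) exit 1;; esac`, and add `[ -f /etc/postfix/main.cf ] || exit 0` if a missing MTA should count as compliant. `grep inet_interfaces` should be anchored with `^` so only the directive line is read.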


@ -0,0 +1,5 @@
#!/bin/bash
if [ $(find / -xdev -type d -perm -0002 -uid +499 -print | wc -l) -gt 0 ];then
exit 1
fi

15
tests/check-removable.sh Normal file

@ -0,0 +1,15 @@
#!/bin/bash
#for more detial to determine which sd is usb
#http://unix.stackexchange.com/questions/60299/how-to-determine-which-sd-is-usb
grep -Hv ^0$ /sys/block/*/removable | \
sed s/removable:.*$/device\\/uevent/ | \
xargs grep -H ^DRIVER=sd | \
sed s/device.uevent.*$/size/ | \
xargs grep -Hv ^0$ | \
cut -d / -f 4 | \
while read line ;do
if [ "$(mount | grep "$line" | wc -l)" != "$(mount | grep "$line.*noexec" | wc -l )" ];then
exit 1
fi
done

23
tests/check-rhosts.sh Normal file

@ -0,0 +1,23 @@
HOSTS="/etc/hosts.equiv"
if [ -f "$HOSTS" ];then
echo "Found hosts.equiv"
exit 1
else
echo "hosts.equiv no found"
fi
if [ -f ~/.rhosts ];then
echo "Found .rhosts in /root"
exit 1
else
echo ".rhosts no found in /root"
fi
for i in $(awk -F':' '{ if ( $3 >= 500 ) print $1 }' /etc/passwd);do
HOMEDIR=`eval "echo ~$i"`
if [ -f "$HOMEDIR/.rhosts" ];then
echo "Found .rhosts in $HOMEDIR"
exit 1
else
echo ".rhosts no found in $HOMEDIR"
fi
done
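Review bot: This file has no shebang line, so it runs under whichever shell the harness invokes; every other test in the commit starts with `#!/bin/bash`. The `eval "echo ~$i"` home-directory lookup in the user loop shares the concern raised on check-netrc.sh — read the sixth field of /etc/passwd with `IFS=: read -r` instead of evaluating account names as shell text.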

11
tests/check-root-uid.sh Normal file

@ -0,0 +1,11 @@
#!/bin/bash
if [ $(awk -F: '($3 == 0) {print}' /etc/passwd | wc -l) -gt 1 ];then
exit 1
else
if [ "$(awk -F: '($3 == 0) {print}' /etc/passwd | awk -F ':' '{printf $1}')" == "root" ];then
exit 0
else
exit 1
fi
fi

37
tests/check-rsyslog.sh Normal file

@ -0,0 +1,37 @@
#!/bin/bash
case "$1" in
owned)
if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/rsyslog.conf | grep FileOwner | awk '{print $2}')" != "root" ];then
exit 1
fi
sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/rsyslog.conf | sed -e '/\$/d' | awk '{print $2}' | sed -e '/^:/d' -e '/|/d' -e 's/^-//g' -e '/^$/d' | \
while read line;do
if [ -f $line ] && [ "$(ls -alh $line | awk '{print $3}')" != "root" ];then
exit 1
fi
done
;;
group-owned)
if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/rsyslog.conf | grep FileGroup | awk '{print $2}')" != "root" ];then
exit 1
fi
sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/rsyslog.conf | sed -e '/\$/d' | awk '{print $2}' | sed -e '/^:/d' -e '/|/d' -e 's/^-//g' -e '/^$/d' | \
while read line;do
if [ -f $line ] && [ "$(ls -alh $line | awk '{print $4}')" != "root" ];then
exit 1
fi
done
;;
mode)
sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/rsyslog.conf | sed -e '/\$/d' | awk '{print $2}' | sed -e '/^:/d' -e '/|/d' -e 's/^-//g' -e '/^$/d' | \
while read line;do
bash check-mode.sh $line 600
if [ $? -eq 1 ];then
exit 1
fi
done
;;
esac
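Review bot: The mode branch invokes `bash check-mode.sh $line 600` by a relative path, so it only works when the harness's cwd is the tests directory; use `bash "$(dirname "$0")/check-mode.sh" "$line" 600`. `ls -alh $line | awk '{print $3}'` is more directly `stat -c %U -- "$line"` (and `%G` in the group-owned branch); `$line` is unquoted throughout. Only /etc/rsyslog.conf is parsed, so log files declared in /etc/rsyslog.d/* are never checked — confirm that exclusion is intended.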

79
tests/check-services.sh Normal file

@ -0,0 +1,79 @@
#!/bin/bash
case $1 in
atd)
if service --status-all | grep "+.*atd";then
exit 1
fi
;;
avahi-daemon)
if service --status-all | grep "+.*avahi-daemon";then
exit 1
fi
;;
xinetd)
if service --status-all | grep "+.*xinetd";then
exit 1
fi
;;
telnetd)
if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/inetd.conf | grep telnet;then
exit 1
fi
;;
rshd)
if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/inetd.conf | grep rshd;then
exit 1
fi
;;
rexecd)
if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/inetd.conf | grep rexecd;then
exit 1
fi
;;
rlogind)
if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/inetd.conf | grep rlogind;then
exit 1
fi
;;
nis)
if service --status-all | grep "+.*\ nis$";then
exit 1
fi
;;
tftpd)
if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/inetd.conf | grep tftpd;then
exit 1
fi
;;
cron)
if ! service --status-all | grep "+.*cron";then
exit 1
fi
;;
ntp)
if ! service --status-all | grep "+.*ntp";then
exit 1
fi
;;
postfix)
if ! service --status-all | grep "+.*postfix";then
exit 1
fi
;;
x11-common)
if service --status-all | grep "+.*x11-common";then
exit 1
fi
;;
bluetooth)
if service --status-all | grep "+.*bluetooth";then
exit 1
fi
;;
autofs)
if service --status-all | grep "+.*autofs";then
exit 1
fi
;;
esac
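Review bot: The `service --status-all` patterns are substring matches, so `"+.*cron"` is satisfied by `anacron`, `"+.*ntp"` by any running service whose name contains ntp, and `"+.*atd"` by any name containing atd; only the `nis` branch anchors with `\ nis$`. Apply the same anchoring everywhere, e.g. `grep -E "\+ \][[:space:]]+$1$"` for the `[ + ]  name` layout — confirm the exact column format on the target release. On a systemd host `systemctl is-active "$1"` is the more reliable source and removes the output parsing.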


@ -0,0 +1,12 @@
#!/bin/bash
FIPS="aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc"
cipher=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i "Ciphers")
if [ $? -eq 0 ];then
echo $cipher | sed -e 's/Ciphers//' | tr "," "\n" | while read line;do
if ! echo $FIPS | grep $line;then
exit 1
fi
done
else
exit 1
fi
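Review bot: `echo $FIPS | grep $line` is an unanchored substring test, so a configured cipher such as `aes` or `aes128-c` passes, and an empty `$line` (a trailing comma or whitespace after `Ciphers`) matches everything. Compare whole tokens: `tr ',' '\n' <<<"$FIPS" | grep -qxF -- "$line"`. The `exit 1` inside the piped `while` leaves only the subshell; it still sets the script's status here because the loop is the last command, which is worth a comment so a later addition after the loop does not silently mask it.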

33
tests/check-ssh.sh Normal file

@ -0,0 +1,33 @@
#!/bin/bash
case $1 in
Protocol)
if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -w "^Protocol" | awk '{print $2}')" -ne 2 ];then
exit 1
fi
;;
rhosts)
if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i IgnoreRhosts | awk '{print $2}')" != "yes" ];then
exit 1
fi
;;
hostauth)
if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i HostbasedAuthentication | awk '{print $2}')" != "no" ];then
exit 1
fi
;;
permitroot)
if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitRootLogin | awk '{print $2}')" != "no" ];then
exit 1
fi
;;
emptypassword)
if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitEmptyPasswords | awk '{print $2}')" != "no" ];then
exit 1
fi
;;
emptypasswordenvironment)
if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitEmptyPasswords | awk '{print $2}')" != "no" ];then
exit 1
fi
;;
esac
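Review bot: The `emptypasswordenvironment` branch is a copy of `emptypassword` and greps `PermitEmptyPasswords` again, so `PermitUserEnvironment` is never checked; change its pattern to `grep -i PermitUserEnvironment`. In the `Protocol` branch an absent directive yields an empty string, `[ "" -ne 2 ]` is a `[` error, and the failed test skips `exit 1`, so that case passes precisely when nothing is configured; `[ "$v" != 2 ]` on the string is the safer comparison. The other branches use `grep -i NAME` unanchored; `grep -iw "^NAME"` keeps a directive name from matching as part of another option.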


@ -0,0 +1,5 @@
#!/bin/bash
if [ $(find / -xdev -type d -perm -002 \! -perm -1000 | wc -l) -gt 0 ];then
exit 1
fi

7
tests/check-sudo.sh Normal file

@ -0,0 +1,7 @@
#!/bin/bash
if grep -i "NOPASSWD" /etc/sudoers /etc/sudoers.d/* | sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' | grep -i "NOPASSWD";then
exit 1
elif grep -i '!authenticate' /etc/sudoers /etc/sudoers.d/* | sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' | grep -i '!authenticate';then
exit 1
fi
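Review bot: Because grep runs across /etc/sudoers and /etc/sudoers.d/*, each line carries a path prefix, so the `/^#/d` sed expressions never apply and a sudoers.d file whose name contains `nopasswd` or `authenticate` makes the second grep match on the path alone. `grep -hi` drops the prefix and lets the comment filter work as written; `grep -q` on the final stage keeps the matched lines out of the test output. `#include` and `#includedir` lines are directives rather than comments, which is harmless here but deserves a one-line note.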

8
tests/check-sysctl.sh Normal file

@ -0,0 +1,8 @@
#!/bin/bash
OPTION=$1
COMPARE=$2
CONDITION=$3
if [ "$(sysctl $OPTION | awk '{print $3}')" -$(echo $COMPARE) "$CONDITION" ];then
exit 1
fi
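Review bot: When `$OPTION` is not a known key, `sysctl $OPTION` prints nothing, the `[` comparison errors out and `exit 1` is skipped, so an unknown or missing parameter is reported as compliant. Use `value=$(sysctl -n -- "$OPTION" 2>/dev/null) || exit 1` and `[ -n "$value" ] || exit 1` before the comparison. The operator comes from argv via `-$(echo $COMPARE)`; a `case $COMPARE in eq|ne|gt|ge|lt|le) ;; *) exit 1;; esac` guard keeps `[` from evaluating an arbitrary expression.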


@ -0,0 +1,5 @@
#!/bin/bash
if [ $(pwck -rq | wc -l ) -ne 0 ];then
exit 1
fi


@ -0,0 +1,5 @@
#!/bin/bash
if [ "$(find / -xdev -type f -perm -002 | wc -l)" -ne 0 ];then
exit 1
fi

2016
tests/output.sh Normal file


164
tests/porting_log Normal file

@ -0,0 +1,164 @@
######CHANGE#######
#RHEL-06-000008: Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
#Change corresponding gpg key check to Debian compatible.
#RHEL-06-000011: System security patches and updates must be installed and up-to-date.
#Change corresponding update utility to Debian compatible.
#RHEL-06-000017: The system must use a Linux Security Module at boot time.
#Change the SElinux to AppArmor
#RHEL-06-000030: The system must not have accounts configured with blank or null passwords.
#RHEL-06-000274: The system must prohibit the reuse of passwords within twenty-four iterations.
#Change /etc/pam.d/system-auth - CentOS/RHEL/Fedora/Red Hat/Scientific Linux pam config file.
#To /etc/pam.d/common-password - Debian / Ubuntu Linux pam config file.
#For more Detial http://www.cyberciti.biz/tips/linux-or-unix-disable-null-passwords.html
#RHEL-06-000061:The system must disable accounts after three consecutive unsuccessful logon attempts.
#Change pam_faillock.so pam module to use pam_tally2.so
#RHEL-06-000065:The system boot loader configuration file(s) must be owned by root.
#RHEL-06-000066:The system boot loader configuration file(s) must be group-owned by root.
#RHEL-06-000067:The system boot loader configuration file(s) must have mode 0600 or less permissive.
#Change /etc/grub.conf to /boot/grub/grub.cfg
#RHEL-06-000068:The system boot loader must require authentication.
#Change grub-crypt --sha-512 to grub-mkpasswd-pbkdf2
#RHEL-06-000278:The system package management tool must verify permissions on all files and directories associated with the audit package.
#RHEL-06-000279:The system package management tool must verify ownership on all files and directories associated with the audit package.
#RHEL-06-000280:The system package management tool must verify group-ownership on all files and directories associated with the audit package.
#RHEL-06-000281:The system package management tool must verify contents of all files associated with the audit package.
#For auditd package, to do what we wanna do in Debian there's something different, if you wanna get the packages default permission or owner(group-owner), or the packages'contents. You should use the "aptitude download <package-name>" to download it and use "dpkg -c <package.deb>" to read.
#There's one file is very special,if you issue the command "dpkg -c audit*.deb" you will found the audit rules file is "/etc/audit/rules.d/audit.rules", but when you extract the deb package and read the "DEBIAN/postinst" you will find the auditd package copy the "/etc/audit/audit.d/audit.rules" file to "/etc/audit/audit.rules", so we could'n only use the "dpkg -c audit*.deb | awk '{print $6}' | sed -e 's/^.//g'" to get "ALL" the files we want to check.We should manually add the "/etc/audit/audit.rules" to check
#And the directory we check also have one thing special, the "/usr/share/man", in Debian that directory have permission 0775 by default. but the package show the 0755, so I decided to check without this directory.
#I use the sha512sum to do the files' content checking
#RHEL-06-000286:The x86 Ctrl-Alt-Delete key sequence must be disabled.
#In Debian 8 use systemd by default, you could use "systemctl mask ctrl-alt-del.target" to disable it by link to /dev/null
#RHEL-06-000514:The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
####DEPRECATED#####
#RHEL-06-000009:The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.
#DEPRECATED
#RHEL-06-000069:The system must require authentication upon booting into single-user and maintenance modes.
#DEPRECATED.
#Debian and therefore Ubuntu both require root password when booting into single user mode or recovery mode. RHEL and CentOS allows access from the console into single user mode without a password.
#RHEL-06-000070:The system must not permit interactive boot.
#DEPRECATED.Don't find any interactive boot option in debian yet.
#RHEL-06-000073:The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
#DEPRECATED
#RHEL-06-000079:The system must limit the ability of processes to have simultaneous write and execute access to memory.
#DEPRECATED
#In debian 8 amd64, system enabled NX by default,and debian 8 i386 system use PAE by default
#RHEL-06-000098:The IPv6 protocol handler must not be bound to the network stack unless needed.
#Change ipv6 checking method and disable method.
#Use /proc/net/if_inet6 to check if ipv6 is enabled
#Use kernel boot option in Grub "ipv6.disable=1" to disable ipv6 permanently
#RHEL-06-000103:The system must employ a local IPv6 firewall.
#RHEL-06-000106:The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
#RHEL-06-000107:The operating system must prevent public IPv6 access into an organizations internal networks,except as appropriately mediated by managed interfaces employing boundary protection devices.
#RHEL-06-000113:The system must employ a local IPv4 firewall.
#RHEL-06-000116:The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
#RHEL-06-000117:The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
#DEPRECATED. Debian 8 enable iptables (both ipv4 and ipv6) by default
#RHEL-06-000183:The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux).
#Change SELinux to Apparmor
#RHEL-06-000203:The xinetd service must be disabled if no network services utilizing it are enabled.
#Using 'service --status-all | grep "xinetd" ' instead of chkconfig
#RHEL-06-000211:The telnet daemon must not be running.
#In Debian telnet service using inetd. You could disable it by comment the telnet line in the /etc/inetd.conf
#RHEL-06-000214:The rshd service must not be running.
#In Debian rshd service using inetd. You could disable it by comment the rshd line in the /etc/inetd.conf
#RHEL-06-000216:The rexecd service must not be running.
#In Debian rexecd service using inetd. You could disable it by comment the rexecd line in the /etc/inetd.conf
#RHEL-06-000218:The rlogind service must not be running.
#In Debian rlogind service using inetd. You could disable it by comment the rlogind line in the /etc/inetd.conf
#RHEL-06-000220:The ypserv package must not be installed.
#In Debian using nis package instead of ypserv package.
#RHEL-06-000221:The ypbind service must not be running.
#In Debian using nis service instead of ypbind service.
#RHEL-06-000240:The SSH daemon must be configured with the Department of Defense (DoD) login banner.
#DEPRECATED
#RHEL-06-000247:The system clock must be synchronized continuously, or at least daily.
#In debian use ntp instead of ntpd
#RHEL-06-000248:The system clock must be synchronized to an authoritative DoD time source.
#Changing `DoD` time source to trusted time source
#RHEL-06-000261:The Automatic Bug Reporting Tool (abrtd) service must not be running.
#DEPRECATED.
#Didn't find abrtd-like tool in debian yet
#RHEL-06-000265:The ntpdate service must not be running.
#DEPRECATED
#In Debian there's no running service "ntpdate", some of ntpdate's function is include in "ntp" so DEPRECATED.
#RHEL-06-000266:The oddjobd service must not be running.
#DEPRECATED.Debian don't have oddjob service or package
#RHEL-06-000267:The qpidd service must not be running.
#Debian don't have qpidd service by default, in RHEL this service is selected by "base" package.
#RHEL-06-000268:The rdisc service must not be running.
#Debian don't have rdisc service by default
#RHEL-06-000303:The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system.
#RHEL-06-000304:The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.
#RHEL-06-000305:The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.
#RHEL-06-000306:The operating system must detect unauthorized changes to software and information.
#RHEL-06-000307:The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
#In aide package employ automated mechanisms by default.(cron.daily)
#RHEL-06-000324:A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
#RHEL-06-000326:The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
#RHEL-06-000344:The system default umask in /etc/profile must be 077.
#RHEL-06-000343:The system default umask for the csh shell must be 077.
#RHEL-06-000342:The system default umask for the bash shell must be 077.
#RHEL-06-000348:The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
#RHEL-06-000357:The system must disable accounts after excessive login failures within a 15-minute interval.
#RHEL-06-000284:The system must use and update a DoD-approved virus scan program.
#RHEL-06-000285:The system must have a host-based intrusion detection tool installed.
####SHOULD-CHECK-ON-YOU-OWN####
#RHEL-06-000289:The netconsole service must be disabled unless required.
#Red Hat has netconsole init script. However, under Debian / Ubuntu Linux, you need to manually configure netconsole. Type the following command to start netconsole by loading kernel netconsole module
#RHEL-06-000297:Temporary accounts must be provisioned with an expiration date.
#RHEL-06-000298:Emergency accounts must be provisioned with an expiration date.
#RHEL-06-000311:The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.
#RHEL-06-000321:The system must provide VPN connectivity for communications over untrusted networks.
#RHEL-06-000349:The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
#RHEL-06-000504:The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.
#RHEL-06-000505:The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
#RHEL-06-000524:The system must provide automated support for account management functions.

27
tests/undone_log Normal file

@ -0,0 +1,27 @@
RHEL-06-000013:The system package management tool must cryptographically verify the authenticity of system software packages during installation.
RHEL-06-000015:The system package management tool must cryptographically verify the authenticity of all software packages during installation.
RHEL-06-000020:The system must use a Linux Security Module configured to enforce limits on system services.
RHEL-06-000023:The system must use a Linux Security Module configured to limit the privileges of system services.
RHEL-06-000025:All device files must be monitored by the system Linux Security Module.
RHEL-06-000252:If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
RHEL-06-000253:The LDAP client must use a TLS connection using trust certificates signed by the site CA.
RHEL-06-000257:The graphical desktop environment must set the idle timeout to no more than 15 minutes.
RHEL-06-000258:The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment.
RHEL-06-000259:The graphical desktop environment must have automatic lock enabled.
RHEL-06-000260:The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
RHEL-06-000292:The DHCP client must be disabled if not needed.
RHEL-06-000324:A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
RHEL-06-000527:The login user list must be disabled.
RHEL-06-000340:The snmpd service must use only SNMP protocol version 3 or newer.
RHEL-06-000341:The snmpd service must not use a default password.
RHEL-06-000508:The system must allow locking of graphical desktop sessions.
RHEL-06-000516:The system package management tool must verify ownership on all files and directories associated with packages.
RHEL-06-000517:The system package management tool must verify group-ownership on all files and directories associated with packages.
RHEL-06-000518:The system package management tool must verify permissions on all files and directories associated with packages.
RHEL-06-000519:The system package management tool must verify contents of all files associated with packages.