/spec/stig/stig_spec.rb
- require 'spec_helper'
- describe "Red Hat Enterprise Linux 6 Security Technical Implementation Guide Audit for #{ENV['TARGET_HOST']}" do
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38437
it "V-38437 Automated file system mounting tools must not be enabled unless needed." do
  # Check: `chkconfig --list autofs` must report every runlevel "off" and
  # `service autofs status` must show the service stopped; an enabled or running
  # autofs service is a finding. This spec is stricter than the STIG text and also
  # requires the package itself to be absent.
  autofs_pkg = package('autofs')
  autofs_svc = service('autofs')
  expect(autofs_pkg).not_to be_installed
  expect(autofs_svc).not_to be_enabled
  expect(autofs_svc).not_to be_running
  # Fix: if autofs is not needed for NFS or removable media, disable it for all runlevels
  # (`chkconfig --level 0123456 autofs off`) and stop it if running (`service autofs stop`).
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38438
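it "V-38438 Auditing must be enabled at boot by setting a kernel parameter." do
  # Check: the kernel boot arguments in /etc/grub.conf (the words following "kernel")
  # must include "audit=1"; if auditing is not enabled at boot time, this is a finding.
  #
  # Two assertions: at least one uncommented "kernel" line carries audit=1, and no
  # uncommented "kernel" line is missing it. Anchoring on the kernel line keeps a
  # commented-out stanza or a stray "audit=1" elsewhere in the file from satisfying
  # the check, and the second assertion covers every boot entry, not just one.
  expect(command('grep "^[[:space:]]*kernel[[:space:]].*audit=1" /etc/grub.conf')).not_to return_stdout ""
  expect(command('grep "^[[:space:]]*kernel[[:space:]]" /etc/grub.conf | grep -v "audit=1"')).to return_stdout ""
  # Fix: add "audit=1" to the kernel line in /etc/grub.conf so processes that start
  # before the audit daemon are still auditable, e.g.
  #   kernel /vmlinuz-version ro vga=ext root=/dev/VolGroup00/LogVol00 rhgb quiet audit=1
end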
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38439
it "V-38439 The system must provide automated support for account management functions." do
  # Check: interview the SA to learn whether an automated account-management system
  # exists (preferably integrated with an enterprise user-management system); if
  # not, this is a finding. This cannot be verified from the host, so it is left pending.
  pending("Manual step")
  # Fix: implement an automated account-management system that minimises the risk of
  # intentional or accidental errors, ideally integrated with an existing enterprise
  # system such as one based on Active Directory or Kerberos.
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38443
it "V-38443 The /etc/gshadow file must be owned by root." do
  # Check: `ls -l /etc/gshadow` must show the owner "root"; anything else is a finding.
  gshadow = file('/etc/gshadow')
  expect(gshadow).to be_owned_by('root')
  # Fix: `chown root /etc/gshadow`
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38444
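it "V-38444 The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets." do
  # Check: the default policy of the INPUT chain in /etc/sysconfig/ip6tables must be
  # DROP (`grep ":INPUT" /etc/sysconfig/ip6tables`); any other default policy is a finding.
  #
  # Assert the compliant state directly: an uncommented ":INPUT DROP" policy line must
  # exist. (Grepping for the ACCEPT line and expecting output would pass on a
  # non-compliant host, and "[0:0]" is a bracket expression to grep rather than the
  # literal counter text.)
  if $environment['ipv6Enabled']
    expect(file('/etc/sysconfig/ip6tables')).to contain /^:INPUT DROP/
  else
    pending("Not applicable")
  end
  # Fix: add or correct the following line in /etc/sysconfig/ip6tables:
  #   :INPUT DROP [0:0]
end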
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38445
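it "V-38445 Audit log files must be group-owned by root." do
  # Check: resolve the log path from the "log_file" directive in /etc/audit/auditd.conf
  # and inspect its group owner:
  #   grep "^log_file" /etc/audit/auditd.conf | sed s/^[^\/]*// | xargs stat -c %G:%n
  # The audit log must be group-owned by root; anything else is a finding.
  #
  # The requirement is about the log file named by "log_file", not about auditd.conf
  # itself, so the directive must be present and the file it points at must be
  # group-owned by root. A missing log file makes stat fail, which is reported rather
  # than passed silently.
  expect(file('/etc/audit/auditd.conf')).to contain /^log_file/
  expect(command('grep "^log_file" /etc/audit/auditd.conf | sed "s/^[^/]*//" | xargs stat -c %G')).to return_stdout "root"
  # Fix: `chgrp root [audit_file]`
end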
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38446
it "V-38446 The mail system must forward all mail for root to one or more system administrators." do
  # Check: list the Postfix alias maps (`postconf alias_maps`) and query them for
  # root (`postmap -q root <alias_map>`); if no alias forwards root's mail to a
  # monitored address, this is a finding. The monitored address is taken from the
  # environment's rootEmailAddress setting.
  monitored_address = $environment['rootEmailAddress']
  expect(mail_alias('root')).to be_aliased_to(monitored_address)
  # Fix: `echo "root: <system.administrator>@mail.mil" >> /etc/aliases` followed by `newaliases`.
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38447
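it "V-38447 The system package management tool must verify contents of all files associated with packages.", :slow => true do
  # Check: list files whose hash differs from what the RPM database expects, ignoring
  # configuration files (second column "c"):
  #   rpm -Va | awk '$1 ~ /..5/ && $2 != "c"'
  # Any output is a finding.
  #
  # The filter is an awk expression ($1/$2 field tests), so it must be run through
  # awk; handing it to grep treats it as a regex that matches nothing and makes the
  # check pass vacuously.
  expect(command('rpm -Va | awk \'$1 ~ /..5/ && $2 != "c"\'')).to return_stdout ""
  # Fix: for any non-configuration file reported changed, reinstall the owning package
  # from distribution media or an online repository:
  #   rpm -Uvh [affected_package]   or   yum reinstall [affected_package]
end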
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38448
it "V-38448 The /etc/gshadow file must be group-owned by root." do
  # Check: `ls -l /etc/gshadow` must show the group owner "root"; anything else is a finding.
  gshadow = file('/etc/gshadow')
  expect(gshadow).to be_grouped_into('root')
  # Fix: `chgrp root /etc/gshadow`
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38449
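it "V-38449 The /etc/gshadow file must have mode 0000." do
  # Check: `ls -l /etc/gshadow` must show the permissions "----------"; anything
  # else is a finding.
  #
  # The assertion must target /etc/gshadow, the file named by this control, not
  # /etc/shadow (which is covered by its own control).
  expect(file('/etc/gshadow')).to be_mode 000
  # Fix: `chmod 0000 /etc/gshadow`
end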
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38450
it "V-38450 The /etc/passwd file must be owned by root." do
  # Check: `ls -l /etc/passwd` must show the owner "root"; anything else is a finding.
  passwd = file('/etc/passwd')
  expect(passwd).to be_owned_by('root')
  # Fix: `chown root /etc/passwd`
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38451
it "V-38451 The /etc/passwd file must be group-owned by root." do
  # Check: `ls -l /etc/passwd` must show the group owner "root"; anything else is a finding.
  passwd = file('/etc/passwd')
  expect(passwd).to be_grouped_into('root')
  # Fix: `chgrp root /etc/passwd`
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38452
it "V-38452 The system package management tool must verify permissions on all files and directories associated with packages.", :slow => true do
  # Check: `rpm -Va | grep '^.M'` lists files and directories whose mode differs from
  # the RPM database. For each one, compare the package's expected mode
  # (`rpm -q --queryformat "[%{FILENAMES} %{FILEMODES:perms}\n]" [package]`) with the
  # actual mode (`ls -lL [filename]`); a mode more permissive than RPM expects is a
  # finding. This spec treats any mode mismatch as a finding.
  mode_mismatches = command('rpm -Va | grep \'^.M\'')
  expect(mode_mismatches).to return_stdout("")
  # Fix: `rpm --setperms [package]` restores the package's recorded permissions.
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38453
it "V-38453 The system package management tool must verify group-ownership on all files and directories associated with packages.", :slow => true do
  # Check: `rpm -Va | grep '^......G'` lists files whose group owner differs from the
  # RPM database; any output is a finding.
  group_mismatches = command('rpm -Va | grep \'^......G\'')
  expect(group_mismatches).to return_stdout("")
  # Fix: find the owning package with `rpm -qf [file or directory name]` and restore
  # ownership with `rpm --setugids [package]`.
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38454
it "V-38454 The system package management tool must verify ownership on all files and directories associated with packages.", :slow => true do
  # Check: `rpm -Va | grep '^.....U'` lists files whose owner differs from the RPM
  # database; any output is a finding.
  owner_mismatches = command('rpm -Va | grep \'^.....U\'')
  expect(owner_mismatches).to return_stdout("")
  # Fix: find the owning package with `rpm -qf [file or directory name]` and restore
  # ownership with `rpm --setugids [package]`.
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38455
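it "V-38455 The system must use a separate file system for /tmp." do
  # Check: `mount | grep "on /tmp "` must return a line, meaning /tmp is its own
  # partition or logical volume; no line is a finding.
  #
  # Both the live mount table and /etc/fstab are checked: the mount proves the
  # separation is in effect now, and an uncommented fstab entry proves it persists
  # across reboots. The fstab grep skips comment lines so a commented-out entry
  # cannot satisfy the check.
  expect(command('mount | grep "on /tmp "')).not_to return_stdout ""
  expect(command('grep "^[^#].*[[:space:]]/tmp[[:space:]]" /etc/fstab')).not_to return_stdout ""
  # Fix: /tmp is a world-writable directory for temporary storage; give it its own
  # partition or logical volume at installation time, or migrate it with LVM.
end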
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38456
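it "V-38456 The system must use a separate file system for /var." do
  # Check: `mount | grep "on /var "` must return a line, meaning /var is its own
  # partition or logical volume; no line is a finding.
  #
  # Both the live mount table and /etc/fstab are checked: the mount proves the
  # separation is in effect now, and an uncommented fstab entry proves it persists
  # across reboots. The fstab grep skips comment lines so a commented-out entry
  # cannot satisfy the check.
  expect(command('mount | grep "on /var "')).not_to return_stdout ""
  expect(command('grep "^[^#].*[[:space:]]/var[[:space:]]" /etc/fstab')).not_to return_stdout ""
  # Fix: /var holds frequently-changing data for daemons and services; give it its
  # own partition or logical volume at installation time, or migrate it with LVM.
end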
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38457
it "V-38457 The /etc/passwd file must have mode 0644 or less permissive." do
  # Check: `ls -l /etc/passwd` must show "-rw-r--r--"; anything else is a finding.
  passwd = file('/etc/passwd')
  expect(passwd).to be_mode(644)
  # Fix: `chmod 0644 /etc/passwd`
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38458
it "V-38458 The /etc/group file must be owned by root." do
  # Check: `ls -l /etc/group` must show the owner "root"; anything else is a finding.
  group_file = file('/etc/group')
  expect(group_file).to be_owned_by('root')
  # Fix: `chown root /etc/group`
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38459
it "V-38459 The /etc/group file must be group-owned by root." do
  # Check: `ls -l /etc/group` must show the group owner "root"; anything else is a finding.
  group_file = file('/etc/group')
  expect(group_file).to be_grouped_into('root')
  # Fix: `chgrp root /etc/group`
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38460
it "V-38460 The NFS server must not have the all_squash option enabled." do
  # Check: not applicable to a read-only NFS server used for unrestricted access to
  # organisational content. "root_squash" is a different option and is not a finding.
  # `grep all_squash /etc/exports` must produce no output; any output is a finding.
  # Hosts without the nfsServer role are marked not applicable.
  nfs_server = property[:roles].include?('nfsServer')
  if nfs_server
    expect(command('grep all_squash /etc/exports')).to return_stdout("")
  else
    pending("Not applicable")
  end
  # Fix: remove every "all_squash" option from /etc/exports and restart the NFS
  # daemon (`service nfs restart`).
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38461
it "V-38461 The /etc/group file must have mode 0644 or less permissive." do
  # Check: `ls -l /etc/group` must show "-rw-r--r--"; anything else is a finding.
  group_file = file('/etc/group')
  expect(group_file).to be_mode(644)
  # Fix: `chmod 644 /etc/group`
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38462
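it "V-38462 The RPM package management tool must cryptographically verify the authenticity of all software packages during installation." do
  # Check: RPM signature validation must not be disabled in any rpmrc file:
  #   grep nosignature /etc/rpmrc /usr/lib/rpm/rpmrc /usr/lib/rpm/redhat/rpmrc ~root/.rpmrc
  # Any configuration found is a finding.
  #
  # All four locations from the STIG check are inspected in one grep, including
  # /usr/lib/rpm/redhat/rpmrc. A missing file only produces a stderr message, so
  # absent files do not affect the (stdout-based) result, and a file that exists
  # without "nosignature" is correctly treated as compliant.
  expect(command('grep nosignature /etc/rpmrc /usr/lib/rpm/rpmrc /usr/lib/rpm/redhat/rpmrc /root/.rpmrc')).to return_stdout ""
  # Fix: remove the "nosignature" option from any RPM configuration file that contains it.
end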
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38463
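it "V-38463 The system must use a separate file system for /var/log." do
  # Check: `mount | grep "on /var/log "` must return a line, meaning /var/log is its
  # own partition or logical volume; no line is a finding.
  #
  # Both the live mount table and /etc/fstab are checked: the mount proves the
  # separation is in effect now, and an uncommented fstab entry proves it persists
  # across reboots. The fstab grep skips comment lines so a commented-out entry
  # cannot satisfy the check.
  expect(command('mount | grep "on /var/log "')).not_to return_stdout ""
  expect(command('grep "^[^#].*[[:space:]]/var/log[[:space:]]" /etc/fstab')).not_to return_stdout ""
  # Fix: system logs live in /var/log; give it its own partition or logical volume
  # at installation time, or migrate it with LVM.
end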
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38464
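it "V-38464 The audit system must take appropriate action when there are disk errors on the audit storage volume." do
  # Check: `grep disk_error_action /etc/audit/auditd.conf` must show
  #   disk_error_action = [ACTION]
  # where [ACTION] is not "suspend" or "ignore"; either of those is a finding.
  #
  # The directive is asserted positively: an uncommented "disk_error_action" line
  # must be set to one of the accepted values (syslog, exec, single, halt). This
  # catches a missing directive and a commented-out line, tolerates whitespace
  # variations around "=", and is case-insensitive like the original greps.
  expect(command('grep -iE "^[[:space:]]*disk_error_action[[:space:]]*=[[:space:]]*(syslog|exec|single|halt)[[:space:]]*$" /etc/audit/auditd.conf')).not_to return_stdout ""
  # Fix: in /etc/audit/auditd.conf set
  #   disk_error_action = [ACTION]
  # where [ACTION] is "syslog", "exec", "single" or "halt" (see the auditd.conf man
  # page; "ignore" and "suspend" are also listed there but are not acceptable).
end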
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38465
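it "V-38465 Library files must have mode 0755 or less permissive." do
  # Check: system-wide shared libraries live by default in /lib, /lib64, /usr/lib and
  # /usr/lib64 (kernel modules in /lib/modules). No file in these directories may be
  # group- or world-writable; `find -L [DIR] -perm /022` must print nothing for each
  # directory. Any match is a finding.
  #
  # The control is about the files inside the library directories, so the check
  # walks them with find rather than asserting an exact mode on the directory
  # entries themselves (a root-owned 0755 directory is compliant but is not 0555).
  # A directory that does not exist on this architecture only produces a stderr
  # message and does not affect the stdout-based result.
  expect(command('find -L /lib /lib64 /usr/lib /usr/lib64 -perm /022')).to return_stdout ""
  # Fix: for any group- or world-writable file found, run `chmod go-w [FILE]`.
end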
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38466
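it "V-38466 Library files must be owned by root." do
  # Check: system-wide shared libraries live by default in /lib, /lib64, /usr/lib and
  # /usr/lib64 (kernel modules in /lib/modules). `find -L [DIR] \! -user root` must
  # print nothing for each directory; any file not owned by root is a finding.
  #
  # The control is about the files inside the library directories, so the check
  # walks them with find rather than only inspecting the directory entries. GNU
  # find's "-not" is used in place of "\!" to avoid shell escaping in the command
  # string. A directory that does not exist on this architecture only produces a
  # stderr message and does not affect the stdout-based result.
  expect(command('find -L /lib /lib64 /usr/lib /usr/lib64 -not -user root')).to return_stdout ""
  # Fix: for any file owned by a user other than root, run `chown root [FILE]`.
end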
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38467
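it "V-38467 The system must use a separate file system for the system audit data path." do
  # Check: `mount | grep "on /var/log/audit "` must return a line, meaning
  # /var/log/audit is its own partition or logical volume; no line is a finding.
  #
  # Both the live mount table and /etc/fstab are checked: the mount proves the
  # separation is in effect now, and an uncommented fstab entry proves it persists
  # across reboots. The fstab grep skips comment lines so a commented-out entry
  # cannot satisfy the check.
  expect(command('mount | grep "on /var/log/audit "')).not_to return_stdout ""
  expect(command('grep "^[^#].*[[:space:]]/var/log/audit[[:space:]]" /etc/fstab')).not_to return_stdout ""
  # Fix: audit logs live in /var/log/audit; give it its own partition or logical
  # volume at installation time or migrate it later with LVM, and make certain it is
  # large enough for all audit logs the daemon will create.
end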
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38468
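it "V-38468 The audit system must take appropriate action when the audit storage volume is full." do
  # Check: `grep disk_full_action /etc/audit/auditd.conf` must show
  #   disk_full_action = [ACTION]
  # where [ACTION] is not "suspend" or "ignore"; either of those is a finding.
  #
  # The directive is asserted positively: an uncommented "disk_full_action" line
  # must be set to one of the accepted values (syslog, exec, single, halt). This
  # catches a missing directive and a commented-out line, tolerates whitespace
  # variations around "=", and is case-insensitive like the original greps.
  expect(command('grep -iE "^[[:space:]]*disk_full_action[[:space:]]*=[[:space:]]*(syslog|exec|single|halt)[[:space:]]*$" /etc/audit/auditd.conf')).not_to return_stdout ""
  # Fix: in /etc/audit/auditd.conf set
  #   disk_full_action = [ACTION]
  # where [ACTION] is "syslog", "exec", "single" or "halt" (see the auditd.conf man
  # page; "ignore" and "suspend" are also listed there but are not acceptable).
end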
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38469
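it "V-38469 All system command files must have mode 0755 or less permissive." do
  # Check: system executables live by default in /bin, /usr/bin, /usr/local/bin,
  # /sbin, /usr/sbin and /usr/local/sbin. No file in these directories may be
  # group- or world-writable; `find -L [DIR] -perm /022` must print nothing for each
  # directory. Any match is a finding.
  #
  # The control is about the executables inside the directories, so the check walks
  # them with find rather than asserting an exact mode on the directory entries
  # themselves (a root-owned 0755 directory is compliant but is not 0555). A
  # directory that does not exist only produces a stderr message and does not
  # affect the stdout-based result.
  expect(command('find -L /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin -perm /022')).to return_stdout ""
  # Fix: for any group- or world-writable file found, run `chmod go-w [FILE]`.
end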
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38470
it "V-38470 The audit system must alert designated staff members when the audit storage volume approaches capacity." do
  # Check: `grep space_left_action /etc/audit/auditd.conf` must show
  #   space_left_action = email
  # If the system is not configured to e-mail the administrator when audit disk space
  # runs low, this is a finding.
  space_left_setting = command('grep --ignore-case "^space_left_action = email" /etc/audit/auditd.conf')
  expect(space_left_setting).not_to return_stdout("")
  # Fix: in /etc/audit/auditd.conf set "space_left_action = [ACTION]" to "email"
  # (instead of the default "suspend") so the condition gets prompt attention; other
  # values listed in the auditd.conf man page are ignore, syslog, exec, suspend,
  # single and halt. RHEL-06-000521 ensures the generated e-mail reaches an administrator.
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38471
it "V-38471 The system must forward audit records to the syslog service." do
  # Check: `grep active /etc/audisp/plugins.d/syslog.conf` must show the audispd
  # syslog plugin active; a missing "active" setting or "no" is a finding.
  syslog_plugin = command('grep "^active = yes" /etc/audisp/plugins.d/syslog.conf')
  expect(syslog_plugin).not_to return_stdout("")
  # Fix: set "active" to "yes" in /etc/audisp/plugins.d/syslog.conf and restart
  # auditd (`service auditd restart`).
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38472
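it "V-38472 All system command files must be owned by root." do
  # Check: system executables live by default in /bin, /usr/bin, /usr/local/bin,
  # /sbin, /usr/sbin and /usr/local/sbin. `find -L [DIR] \! -user root` must print
  # nothing for each directory; any executable not owned by root is a finding.
  #
  # The control is about the executables inside the directories, so the check walks
  # them with find rather than only inspecting the directory entries. GNU find's
  # "-not" is used in place of "\!" to avoid shell escaping in the command string.
  # A directory that does not exist only produces a stderr message and does not
  # affect the stdout-based result.
  expect(command('find -L /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin -not -user root')).to return_stdout ""
  # Fix: for any file owned by a user other than root, run `chown root [FILE]`.
end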
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38473
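it "V-38473 The system must use a separate file system for user home directories." do
  # Check: `mount | grep "on /home "` must return a line, meaning /home is its own
  # partition or logical volume; no line is a finding.
  #
  # Both the live mount table and /etc/fstab are checked: the mount proves the
  # separation is in effect now, and an uncommented fstab entry proves it persists
  # across reboots. The fstab grep skips comment lines so a commented-out entry
  # cannot satisfy the check. A /home mounted from an NFS server still appears in
  # both places once its mountpoint is configured.
  expect(command('mount | grep "on /home "')).not_to return_stdout ""
  expect(command('grep "^[^#].*[[:space:]]/home[[:space:]]" /etc/fstab')).not_to return_stdout ""
  # Fix: if home directories are stored locally, create a separate /home partition at
  # installation time or migrate it later with LVM; if /home is mounted from another
  # system such as an NFS server, configure the mountpoint instead.
end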
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38474
it "V-38474 The system must allow locking of graphical desktop sessions." do
  # Check: the Gnome screensaver keybinding must be set in the mandatory gconf source:
  #   gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  #     --get /apps/gnome_settings_daemon/keybindings/screensaver
  # No output is a finding. Hosts without Gnome are marked not applicable.
  unless property[:gnomeInstalled]
    pending("Not Applicable")
  else
    keybinding = command('gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome_settings_daemon/keybindings/screensaver')
    expect(keybinding).not_to return_stdout("")
  end
  # Fix: set the lock-screen keybinding (another sequence may replace the Gnome
  # default "<Control><Alt>l"):
  #   gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
  #     --type string --set /apps/gnome_settings_daemon/keybindings/screensaver "<Control><Alt>l"
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38475
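it "V-38475 The system must require passwords to contain a minimum of 14 characters." do
  # Check: `grep PASS_MIN_LEN /etc/login.defs` must show the DoD-required value 14;
  # any other value is a finding.
  #
  # login.defs separates the keyword and value with arbitrary whitespace (the stock
  # file uses a tab), so the pattern accepts any run of whitespace rather than a
  # single space, and anchors the value so "140" or a trailing digit cannot match.
  # Only POSIX bracket classes are used so the pattern is valid both as a Ruby
  # regex and as a grep basic regex.
  expect(file('/etc/login.defs')).to contain /^PASS_MIN_LEN[[:space:]][[:space:]]*14[[:space:]]*$/
  # Fix: add or correct "PASS_MIN_LEN 14" in /etc/login.defs. If a program also
  # consults a PAM module such as pam_cracklib during a password change, the most
  # restrictive setting must be satisfied.
end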
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38476
it "V-38476 Vendor-provided cryptographic certificates must be installed to verify the integrity of system software." do
  # Check: `rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey` must list the vendor's
  # release-signing key, e.g. for Red Hat:
  #   gpg(Red Hat, Inc. (release key <security@redhat.com>)
  # A missing vendor GPG key is a finding. The expected key summary depends on the
  # environment's linuxFlavor; for CentOS the on-disk key fingerprint is checked too.
  installed_key_summaries = 'rpm -q --queryformat "%{SUMMARY}\n" gpg-pubkey'
  case $environment['linuxFlavor']
  when 'centos'
    expect(command('gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6| grep fingerprint')).to return_stdout("Key fingerprint = C1DA C52D 1664 E8A4 386D BA43 0946 FCA2 C105 B9DE")
    expect(command(installed_key_summaries + '| grep "gpg(CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>)"')).not_to return_stdout("")
  when 'redhat'
    expect(command(installed_key_summaries + '| grep "gpg(Red Hat, Inc. (release key <security@redhat.com>)"')).not_to return_stdout("")
  when 'oracle'
    expect(command(installed_key_summaries + '| grep "gpg(Oracle OSS group (Open Source Software group) <build@oss.oracle.com>)"')).not_to return_stdout("")
  else
    fail("linuxFlavor set to unknown value")
  end
  # Fix: install the Red Hat GPG key so base packages can be cryptographically
  # verified (and the system can connect to the Red Hat Network): `rhn_register`.
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38477
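it "V-38477 Users must not be able to change passwords more than once every 24 hours." do
  # Check: `grep PASS_MIN_DAYS /etc/login.defs` must show the DoD-required minimum
  # password age of 1; any other value is a finding.
  #
  # login.defs separates the keyword and value with arbitrary whitespace (the stock
  # file uses a tab), so the pattern accepts any run of whitespace rather than a
  # single space. Any positive integer is accepted, since a larger minimum age is
  # at least as restrictive as 1, while "0" (no minimum) is rejected. Only POSIX
  # bracket classes are used so the pattern is valid both as a Ruby regex and as a
  # grep basic regex.
  expect(file('/etc/login.defs')).to contain /^PASS_MIN_DAYS[[:space:]][[:space:]]*[1-9][0-9]*[[:space:]]*$/
  # Fix: add or correct "PASS_MIN_DAYS [DAYS]" in /etc/login.defs; 1 day is the DoD
  # requirement and is sufficient for many environments.
end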
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38478
it "V-38478 The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite." do
  # Check: If the system uses RHN or is an RHN Satellite, this is not applicable.
  # To check that the "rhnsd" service is disabled in system boot configuration, run the following command:
  # # chkconfig "rhnsd" --list
  # Output should indicate the "rhnsd" service has either not been installed, or has been disabled at all runlevels, as shown in the example below:
  # # chkconfig "rhnsd" --list
  # "rhnsd" 0:off 1:off 2:off 3:off 4:off 5:off 6:off
  # Run the following command to verify "rhnsd" is disabled through current runtime configuration:
  # # service rhnsd status
  # If the service is disabled the command will return the following output:
  # rhnsd is stopped
  # If the service is running, this is a finding.
  #
  # CentOS and Oracle hosts are treated as not applicable. On Red Hat, hosts carrying the
  # 'redHatNetworkService' role (property[:roles], set outside this file) are the ones that
  # legitimately use RHN and are skipped; every other Red Hat host must have rhnsd off.
  case $environment['linuxFlavor']
  when 'centos', 'oracle'
    pending "Not applicable"
  when 'redhat'
    if property[:roles].include?('redHatNetworkService')
      pending "Not applicable"
    else
      rhnsd = service('rhnsd')
      expect(rhnsd).not_to be_enabled
      expect(rhnsd).not_to be_running
    end
  else
    raise "linuxFlavor set to unknown value"
  end
  # Fix: The Red Hat Network service automatically queries Red Hat Network servers to determine whether there are any actions that should be executed, such as package updates. This only occurs if the system was registered to an RHN server or satellite and managed as such. The "rhnsd" service can be disabled with the following command:
  # # chkconfig rhnsd off
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38479
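it "V-38479 User passwords must be changed at least every 60 days." do
  # Check: To check the maximum password age, run the command:
  # $ grep PASS_MAX_DAYS /etc/login.defs
  # The DoD requirement is 60.
  # If it is not set to the required value, this is a finding.
  #
  # Anchor the value: /^PASS_MAX_DAYS 60/ also accepted "600" or "6000", which would have
  # passed a non-compliant host, and it required exactly one space although login.defs is
  # commonly tab-separated. POSIX bracket classes and "*" are used instead of "\s" and "+"
  # because serverspec's `contain` matcher hands the Regexp source to grep(1), whose basic
  # syntax treats "+" literally (confirm against the serverspec version in use).
  expect(file('/etc/login.defs')).to contain(/^PASS_MAX_DAYS[[:space:]][[:space:]]*60[[:space:]]*$/)
  # Fix: To specify password maximum age for new accounts, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately:
  # PASS_MAX_DAYS [DAYS]
  # The DoD requirement is 60.
end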
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38480
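it "V-38480 Users must be warned 7 days in advance of password expiration." do
  # Check: To check the password warning age, run the command:
  # $ grep PASS_WARN_AGE /etc/login.defs
  # The DoD requirement is 7.
  # If it is not set to the required value, this is a finding.
  #
  # Match the whole value, not a prefix: /^PASS_WARN_AGE 7/ was also satisfied by "70" or
  # "700", and it required exactly one space although login.defs is commonly tab-separated.
  # POSIX bracket classes and "*" are used instead of "\s" and "+" because serverspec's
  # `contain` matcher hands the Regexp source to grep(1), whose basic syntax treats "+"
  # literally (confirm against the serverspec version in use).
  expect(file('/etc/login.defs')).to contain(/^PASS_WARN_AGE[[:space:]][[:space:]]*7[[:space:]]*$/)
  # Fix: To specify how many days prior to password expiration that a warning will be issued to users, edit the file "/etc/login.defs" and add or correct the following line, replacing [DAYS] appropriately:
  # PASS_WARN_AGE [DAYS]
  # The DoD requirement is 7.
end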
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38481
it "V-38481 System security patches and updates must be installed and up-to-date." do
  # Check: If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server which provides updates, invoking the following command will indicate if updates are available:
  # # yum check-update
  # If the system is not configured to update from one of these sources, run the following command to list when each package was last updated:
  # $ rpm -qa -last
  # Compare this to Red Hat Security Advisories (RHSA) listed at https://access.redhat.com/security/updates/active/ to determine whether the system is missing applicable security and bugfix updates.
  # If updates are not installed, this is a finding.
  #
  # "yum check-update" exits 0 when nothing is pending, 100 when updates are available and 1
  # on error (for example an unreachable repository), so only a clean 0 counts as compliant;
  # a repository outage therefore surfaces as a finding rather than being hidden. The target
  # host needs working access to its configured repositories for this example to pass.
  update_status = command('yum check-update')
  expect(update_status).to return_exit_status(0)
  # Fix: If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:
  # # yum update
  # If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using "rpm".
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38482
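it "V-38482 The system must require passwords to contain at least one numeric character." do
  # Check: To check how many digits are required in a password, run the following command:
  # $ grep pam_cracklib /etc/pam.d/system-auth
  # The "dcredit" parameter (as a negative number) will indicate how many digits are required. The DoD requires at least one digit in a password. This would appear as "dcredit=-1".
  # If dcredit is not found or not set to the required value, this is a finding.
  #
  # The option must sit on an active (uncommented) "password" line for pam_cracklib; a bare
  # substring search for "dcredit=-1" was also satisfied by a commented-out line. "-1" is
  # matched as a prefix, so "-10" and similar stricter values still pass.
  # NOTE(review): RHEL 6 normally symlinks system-auth -> system-auth-ac (authconfig); if an
  # administrator replaced the symlink with a regular file, this reads a file PAM no longer
  # uses — confirm the path on the target hosts.
  expect(file('/etc/pam.d/system-auth-ac')).to contain(/^password[[:space:]].*pam_cracklib\.so.*dcredit=-1/)
  # Fix: The pam_cracklib module's "dcredit" parameter controls requirements for usage of digits in a password. When set to a negative number, any password will be required to contain that many digits. When set to a positive number, pam_cracklib will grant +1 additional length credit for each digit. Add "dcredit=-1" after pam_cracklib.so to require use of a digit in passwords.
end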
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38483
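it "V-38483 The system package management tool must cryptographically verify the authenticity of system software packages during installation." do
  # Check: To determine whether "yum" is configured to use "gpgcheck", inspect "/etc/yum.conf" and ensure the following appears in the "[main]" section:
  # gpgcheck=1
  # A value of "1" indicates that "gpgcheck" is enabled. Absence of a "gpgcheck" line or a setting of "0" indicates that it is disabled.
  # If GPG checking is not enabled, this is a finding.
  # If the "yum" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed.
  #
  # yum reads gpgcheck as a boolean: "1", "yes", "true" and "on" (any case) enable it, and
  # whitespace around "=" is allowed, so the earlier exact-spelling test for "^gpgcheck=1"
  # reported those valid spellings as findings. The value must end the line so that e.g.
  # "10" is not accepted. Whether the line is inside [main] is not verified here; confirm
  # manually if yum.conf also defines repository sections.
  yum_conf_check = %q{grep -Ei '^gpgcheck[[:space:]]*=[[:space:]]*(1|yes|true|on)[[:space:]]*$' /etc/yum.conf}
  expect(command(yum_conf_check)).not_to return_stdout ""
  # Fix: The "gpgcheck" option should be used to ensure checking of an RPM package's signature always occurs prior to its installation. To configure yum to check package signatures before installing them, ensure the following line appears in "/etc/yum.conf" in the "[main]" section:
  # gpgcheck=1
end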
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38484
it "V-38484 The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh." do
  # Check: Verify the value associated with the "PrintLastLog" keyword in /etc/ssh/sshd_config:
  # # grep -i PrintLastLog /etc/ssh/sshd_config
  # If the value is not set to "yes", this is a finding. If the "PrintLastLog" keyword is not present, this is not a finding.
  #
  # This is stricter than the STIG text: the keyword must be present and spelled exactly
  # "PrintLastLog yes" at the start of a line, whereas the STIG also accepts an absent keyword
  # (the daemon's default is to print the last login). sshd matches keywords
  # case-insensitively, so a valid "printlastlog yes" line is reported as a finding here.
  sshd_config = file('/etc/ssh/sshd_config')
  expect(sshd_config).to contain(/^PrintLastLog yes/)
  # Fix: Update the "PrintLastLog" keyword to "yes" in /etc/ssh/sshd_config:
  # PrintLastLog yes
  # While it is acceptable to remove the keyword entirely since the default action for the SSH daemon is to print the last login date and time, it is preferred to have the value explicitly documented.
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38485
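it "V-38485 The operating system, upon successful logon, must display to the user the date and time of the last logon or access via a local console or tty." do
  # Check: Verify there are no "hushlogin" files active on the system:
  # # ls -l /etc/hushlogins
  # For each home directory stored in "/etc/passwd":
  # # ls ~<userid>/.hushlogin
  # If there are any "hushlogin" files on the system, this is a finding.
  expect(file('/etc/hushlogins')).not_to be_file
  # The STIG asks for every home directory listed in /etc/passwd, so take the directories
  # from passwd instead of assuming they all live under /home (root's /root, service
  # accounts and site-specific home paths were missed by "find /home" alone). Each existing
  # <home>/.hushlogin is printed, so a finding shows up as non-empty output.
  passwd_home_check = %q{cut -d: -f6 /etc/passwd | sort -u | while read -r home; do [ -e "$home/.hushlogin" ] && echo "$home/.hushlogin"; done}
  expect(command(passwd_home_check)).to return_stdout ""
  # Keep the sweep of /home as well so that orphaned home directories without a passwd
  # entry remain covered.
  expect(command('find /home -name \'.hushlogin\'')).to return_stdout ""
  # Fix: Remove any "hushlogin" files from the system:
  # # rm /etc/hushlogins
  # # rm ~<userid>/.hushlogin
end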
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38486
it "V-38486 The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives." do
  # Check: Ask an administrator if a process exists to back up OS data from the system, including configuration data.
  # If such a process does not exist, this is a finding.
  #
  # An organisational backup process cannot be verified from the host, so the example is
  # left pending rather than reported as passed or failed.
  pending "Manual step"
  # Fix: Procedures to back up OS data from the system must be established and executed. The Red Hat operating system provides utilities for automating such a process. Commercial and open-source products are also available.
  # Implement a process whereby OS data is backed up from the system in accordance with local policies.
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38487
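it "V-38487 The system package management tool must cryptographically verify the authenticity of all software packages during installation." do
  # Check: To determine whether "yum" has been configured to disable "gpgcheck" for any repos, inspect all files in "/etc/yum.repos.d" and ensure the following does not appear in any sections:
  # gpgcheck=0
  # A value of "0" indicates that "gpgcheck" has been disabled for that repo.
  # If GPG checking is disabled, this is a finding.
  # If the "yum" system package management tool is not used to update the system, verify with the SA that installed packages are cryptographically signed.
  #
  # yum accepts "0", "no", "false" and "off" (any case) as a disabled gpgcheck and allows
  # whitespace around "=", so searching only for the literal "^gpgcheck=0" let those
  # spellings through as a pass. Any matching line (grep prints it with its file name) is a
  # finding, hence the expectation of empty output.
  repo_check = %q{grep -Ei '^gpgcheck[[:space:]]*=[[:space:]]*(0|no|false|off)[[:space:]]*$' /etc/yum.repos.d/*.repo}
  expect(command(repo_check)).to return_stdout ""
  # Fix: To ensure signature checking is not disabled for any repos, remove any lines from files in "/etc/yum.repos.d" of the form:
  # gpgcheck=0
end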
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38488
it "V-38488 The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives." do
  # Check: Ask an administrator if a process exists to back up user data from the system.
  # If such a process does not exist, this is a finding.
  #
  # Whether user data is backed up is an organisational question that cannot be answered from
  # the host, so the example is left pending rather than reported as passed or failed.
  pending "Manual step"
  # Fix: Procedures to back up user data from the system must be established and executed. The Red Hat operating system provides utilities for automating such a process. Commercial and open-source products are also available.
  # Implement a process whereby user data is backed up from the system in accordance with local policies.
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38489
it "V-38489 A file integrity tool must be installed." do
  # Check: If another file integrity tool is installed, this is not a finding.
  # Run the following command to determine if the "aide" package is installed:
  # # rpm -q aide
  # If the package is not installed, this is a finding.
  #
  # The expected tool is chosen by $environment['ids'] (set outside this file). Only package
  # presence is verified; whether the tool's database has been initialised or whether it runs
  # on a schedule is not checked here.
  integrity_package = case $environment['ids']
                      when 'ossec' then 'ossec-hids'
                      when 'aide' then 'aide'
                      else raise "IDS variable set to unknown value"
                      end
  expect(package(integrity_package)).to be_installed
  # Fix: Install the AIDE package with the command:
  # # yum install aide
end
- # STIG Viewer Link: http://www.stigviewer.com/check/V-38490
- it "V-38490 The operating system must enforce requirements for the connection of mobile devices to operating systems." do
- # Check: If the system is configured to prevent the loading of the "usb-storage" kernel module, it will contain lines inside any file in "/etc/modprobe.d" or the deprecated"/etc/modprobe.conf". These lines instruct the module loading system to run another program (such as "/bin/true") upon a module "install" event. Run the following command to search for such lines in all files in "/etc/modprobe.d" and the deprecated "/etc/modprobe.conf":
- # $ grep -r usb-storage /etc/modprobe.conf /etc/modprobe.d
- # If no line is returned, this is a finding.
- expect( command('grep -r usb-storage /etc/modprobe.d') ).not_to return_stdout ""
- # Fix: To prevent USB storage devices from being used, configure the kernel module loading system to prevent automatic loading of the USB storage drive…