simp / inspec-profile-disa_stig-el7 Goto Github PK

View Code? Open in Web Editor NEW

22.0 26.0 46.0 655 KB

InSpec Profile for the EL7 DISA STIG

License: Apache License 2.0

Ruby 97.45% Shell 2.55%

inspec stig disa rhel

inspec-profile-disa_stig-el7's People

Contributors

Stargazers

Watchers

inspec-profile-disa_stig-el7's Issues

update the profiles and controls to support shared attributes in the `inspec.yml` file

V-71961 Incorrect RegEx

V-71961 uses the Regex /^\s*password_pbkdf2\s+#{user}/ to examine user.cfg files. However, the syntax of user.cfg files are typically GRUB2_PASSWORD=grub.pbkdf2.$digest etc.

Also, I'm not sure if any additional superusers are allowed per this requirement? The way the STIG reads it seems like other superusers besides root are not allowed.

A check needs to be in place to ensure that there is an 'audit=1' parameter added to the kernel

Without this, auditing is not guaranteed to be started at the earliest possible moment during the boot sequence.

Tests should be wrapped in conditional to check whether it failed due to lack of permissions

Running inspec without sudo might fail some of the tests, the tests should be wrapped in a conditional to check for the superuser privilege.

Typo in V-71983

tag "subsystems" ['usb', 'kernel_module']

should be:

tag "subsystems": ['usb', 'kernel_module']

Syntax Error in V-71849

cd8b350 introduced a syntax error in V-71849.

https://github.com/simp/inspec-profile-disa_stig-el7/blob/master/controls/V-71849.rb#L35

Consider rewording the reporting for V-71999:

inspec-profile-disa_stig-el7/controls/V-71999.rb

Line 59 in 9dd1d5a

describe "All packages are up to date" do

Current reporting

  ✔  V-71999: Vendor packaged system security patches and updates must be installed
  and up to date.
     ✔  All packages are up to date should eq 0

Suggested reporting

    describe "List of out of date packages" do
      subject { linux_update.updates.length }
      it { should be_empty }
    end

Typo in V-72059

tags "subsystems": ['home_dirs', 'file_system']

should be

tag "subsystems": ['home_dirs', 'file_system']

Shouldn't old STIG controls be removed/deprecated?

It appears this version of the profile is written to STIG V1R4, but according to the STIG revision history controls V-71895 and V-72435 were removed in V1R4, and V-72181 was removed in V1R2.

To avoid confusion, shouldn't these be removed?
U_Red_Hat_Enterprise_Linux_7_V1R4_Revision_History.pdf

Control `V-72041` should also return a pass when /home is not mounted

control "V-72041"
title "File systems that contain user home directories must be mounted to
prevent files with the setuid and setgid bit set from being executed."

from the control checktext:

Note: If a separate file system has not been created for the user home
directories (user home directories are mounted under \"/\"), this is not a
finding as the \"nosuid\" option cannot be used on the \"/\" system.

Current test code does not cover this condition:

    describe mount('/home') do
      its('options') { should include 'nosuid' }
    end

Proposed code:

  describe.one do
    describe mount('/home') do
      its('options') { should include 'nosuid' }
    end

    describe etc_fstab.where { mount_point == '/home' } do
      its('entries') { should be_empty }
    end
  end

V-71947 Does not Consider Authentication Other Than Passwords

The check text for V-71947 states that "If passwords are not being used for authentication, this is Not
Applicable." This check does not perform a check to see if passwords are being used for authentication.

This test could either check the system to confirm that password authentication is enabled and continue, or create a new attribute similar to smart_card_status which will reduce the impact if disabled.

update the controls to use desc, 'fix': and desc, 'check': rather than tags

V-72223 Does not Parse Config File Properly

Without setting a custom assignment regex for InSpec's parse_config_file (more info here) TMOUT is not being properly parsed.

One alternative is to just check to see if the environment variable is set and of the correct value. However, that does not really meet the intent of the STIG which is to have it set "...in a script created to enforce session termination after inactivity..."

And then you have the SIMP-specific issue of the template /etc/profile.d/simp.sh having the line [ $TMOUT ] || export TMOUT=600. You'd then parse the export statement, but then there is not a guarantee that it is correct unless you check the environment variable.

The auditd service should be enabled

Presently, V-72079 only checks to see if it is running but it should also check to make sure that it is enabled at boot time.

Review 71999

× V-71999: Vendor packaged system security patches and updates must be installed
and up to date.
× List of out-of-date packages
undefined local variable or method `linux_update' for #RSpec::ExampleGroups::ListOfOutOfDatePackages:0x0000000009aca568

 undefined local variable or method `linux_update' for #<RSpec::ExampleGroups::ListOfOutOfDatePackages:0x0000000006d3bf70>

× V-72001: The system must not have unnecessary accounts. (2 failed)
× /etc/passwd users should be in "root", "bin", "daemon", "adm", "lp", "sync", "shutdown", "halt", "mail", "operator", "nobody", "systemd-bus-proxy", "systemd-network", "dbus", "polkitd", "tss", "postfix", "chrony", "sshd", "sssd", "rpc", "ntp", "vboxadd", "nfsnobody", "vagrant", and "rpcuser"
expected ["root", "bin", "daemon", "adm", "lp", "sync", "shutdown", "halt", "mail", "operator", "games", "ftp", "nobody", "systemd-network", "dbus", "polkitd", "rpc", "rpcuser", "nfsnobody", "sshd", "postfix", "chrony", "vagrant", "vboxadd"] to be in the list: ["root", "bin", "daemon", "adm", "lp", "sync", "shutdown", "halt", "mail", "operator", "nobody", "systemd-bus-proxy", "systemd-network", "dbus", "polkitd", "tss", "postfix", "chrony", "sshd", "sssd", "rpc", "ntp", "vboxadd", "nfsnobody", "vagrant", "rpcuser"]
Diff:
["games", "ftp"]
× /etc/passwd users should not be in "games", "gopher", and "ftp"
expected ["root", "bin", "daemon", "adm", "lp", "sync", "shutdown", "halt", "mail", "operator", "games", "ftp", "nobody", "systemd-network", "dbus", "polkitd", "rpc", "rpcuser", "nfsnobody", "sshd", "postfix", "chrony", "vagrant", "vboxadd"] not to be in the list: ["games", "gopher", "ftp"]
Comm:
["games", "ftp"]

There needs to be a beaker test suite that is docker-only

The current suite attempts remediation via the SSG but we keep finding issues with inspec via the tests.

This will simply hook a basic inspec scan into a new suite for use in Travis

Tag for STIG V1R2

Need to:

Update the version number
Tag the repo

V-72027 Does not Handle Symbolic Links

V-72027 will fail on symbolic links which have permissions of 777. Should symbolic links be ignored?

V-72075 Not Checking if /boot or /boot/efi are on Removable Devices

From what I can tell, the call to grubby and subsequent parsing (looking for /^root=/) only looks at what device the root filesystem for that particular boot option, not if the boot loader is actually on removable media. This comes from my interpretation of "If the system is using an alternate boot loader on removable media..."

I was thinking a check to determine if /boot or /boot/efi were on removable media would need to include comparing the device from the output of the set root=($dev,$part) line in grub.cfg to the /sys/block/$dev/removable and confirming it is not removable.

Additionally, the STIG does not say that multiple instances of a grub.cfg are a finding but they may turn into a finding if they exist and the current form of V-72075 does not look for that.

Review 71961 - this seems broken :)

× V-71961: Systems with a Basic Input/Output System (BIOS) must require
authentication upon booting into single-user and maintenance modes. (3 failed)
✔ There must be only one grub2 superuser, and it must have the value ["root"] length should cmp == 1
× There must be only one grub2 superuser, and it must have the value ["root"] first should cmp == ["root"]

 expected: ["root"]
      got: "root"

 (compared using `cmp` matcher)

 ×  The grub2 superuser password entry must begin with 'password_pbkdf2' length should be >= 1
 expected: >= 1
      got:    0
 ×  The grub2 superuser account password should be encrypted with pbkdf2. should match /password_pbkdf2\s["root"]\sgrub\.pbkdf2/i
 expected "#\n# DO NOT EDIT THIS FILE\n#\n# It is automatically generated by grub2-mkconfig using templates\n# ...  $prefix/custom.cfg ]; then\n  source $prefix/custom.cfg;\nfi\n### END /etc/grub.d/41_custom ###\n" to match /password_pbkdf2\s["root"]\sgrub\.pbkdf2/i
 Diff:
 @@ -1,2 +1,157 @@
 -/password_pbkdf2\s["root"]\sgrub\.pbkdf2/i
 +#
 +# DO NOT EDIT THIS FILE
 +#
 +# It is automatically generated by grub2-mkconfig using templates
 +# from /etc/grub.d and settings from /etc/default/grub
 +#
 +
 +### BEGIN /etc/grub.d/00_header ###
 +set pager=1
 +
 +if [ -s $prefix/grubenv ]; then
 +  load_env
 +fi
 +if [ "${next_entry}" ] ; then
 +   set default="${next_entry}"
 +   set next_entry=
 +   save_env next_entry
 +   set boot_once=true
 +else
 +   set default="${saved_entry}"
 +fi
 +
 +if [ x"${feature_menuentry_id}" = xy ]; then
 +  menuentry_id_option="--id"
 +else
 +  menuentry_id_option=""
 +fi
 +
 +export menuentry_id_option
 +
 +if [ "${prev_saved_entry}" ]; then
 +  set saved_entry="${prev_saved_entry}"
 +  save_env saved_entry
 +  set prev_saved_entry=
 +  save_env prev_saved_entry
 +  set boot_once=true
 +fi
 +
 +function savedefault {
 +  if [ -z "${boot_once}" ]; then
 +    saved_entry="${chosen}"
 +    save_env saved_entry
 +  fi
 +}
 +
 +function load_video {
 +  if [ x$feature_all_video_module = xy ]; then
 +    insmod all_video
 +  else
 +    insmod efi_gop
 +    insmod efi_uga
 +    insmod ieee1275_fb
 +    insmod vbe
 +    insmod vga
 +    insmod video_bochs
 +    insmod video_cirrus
 +  fi
 +}
 +
 +terminal_output console
 +if [ x$feature_timeout_style = xy ] ; then
 +  set timeout_style=menu
 +  set timeout=5
 +# Fallback normal timeout code in case the timeout_style feature is
 +# unavailable.
 +else
 +  set timeout=5
 +fi
 +### END /etc/grub.d/00_header ###
 +
 +### BEGIN /etc/grub.d/00_tuned ###
 +set tuned_params=""
 +set tuned_initrd=""
 +### END /etc/grub.d/00_tuned ###
 +
 +### BEGIN /etc/grub.d/01_users ###
 +if [ -f ${prefix}/user.cfg ]; then
 +  source ${prefix}/user.cfg
 +  if [ -n "${GRUB2_PASSWORD}" ]; then
 +    set superusers="root"
 +    export superusers
 +    password_pbkdf2 root ${GRUB2_PASSWORD}
 +  fi
 +fi
 +### END /etc/grub.d/01_users ###
 +
 +### BEGIN /etc/grub.d/10_linux ###
 +menuentry 'CentOS Linux (3.10.0-1062.4.3.el7.x86_64) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-1062.el7.x86_64-advanced-605c046a-1ed3-4029-ba85-56c1d8b7055f' {
 +	load_video
 +	set gfxpayload=keep
 +	insmod gzio
 +	insmod part_msdos
 +	insmod xfs
 +	set root='hd0,msdos1'
 +	if [ x$feature_platform_search_hint = xy ]; then
 +	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1'  ae29dba3-7757-4fc5-a26c-465385dd8474
 +	else
 +	  search --no-floppy --fs-uuid --set=root ae29dba3-7757-4fc5-a26c-465385dd8474
 +	fi
 +	linux16 /vmlinuz-3.10.0-1062.4.3.el7.x86_64 root=/dev/mapper/centos-root ro net.ifnames=0 biosdevname=0 crashkernel=auto spectre_v2=retpoline rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet LANG=en_US.UTF-8 fips=1 boot=UUID=ae29dba3-7757-4fc5-a26c-465385dd8474
 +	initrd16 /initramfs-3.10.0-1062.4.3.el7.x86_64.img
 +}
 +menuentry 'CentOS Linux (3.10.0-1062.1.2.el7.x86_64) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-3.10.0-1062.el7.x86_64-advanced-605c046a-1ed3-4029-ba85-56c1d8b7055f' {
 +	load_video
 +	set gfxpayload=keep
 +	insmod gzio
 +	insmod part_msdos
 +	insmod xfs
 +	set root='hd0,msdos1'
 +	if [ x$feature_platform_search_hint = xy ]; then
 +	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1'  ae29dba3-7757-4fc5-a26c-465385dd8474
 +	else
 +	  search --no-floppy --fs-uuid --set=root ae29dba3-7757-4fc5-a26c-465385dd8474
 +	fi
 +	linux16 /vmlinuz-3.10.0-1062.1.2.el7.x86_64 root=/dev/mapper/centos-root ro net.ifnames=0 biosdevname=0 crashkernel=auto spectre_v2=retpoline rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet LANG=en_US.UTF-8 fips=1 boot=UUID=ae29dba3-7757-4fc5-a26c-465385dd8474
 +	initrd16 /initramfs-3.10.0-1062.1.2.el7.x86_64.img
 +}
 +menuentry 'CentOS Linux (0-rescue-db95a22b243d4c30b1683d28b27424dc) 7 (Core)' --class centos --class gnu-linux --class gnu --class os --unrestricted $menuentry_id_option 'gnulinux-0-rescue-db95a22b243d4c30b1683d28b27424dc-advanced-605c046a-1ed3-4029-ba85-56c1d8b7055f' {
 +	load_video
 +	insmod gzio
 +	insmod part_msdos
 +	insmod xfs
 +	set root='hd0,msdos1'
 +	if [ x$feature_platform_search_hint = xy ]; then
 +	  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 --hint='hd0,msdos1'  ae29dba3-7757-4fc5-a26c-465385dd8474
 +	else
 +	  search --no-floppy --fs-uuid --set=root ae29dba3-7757-4fc5-a26c-465385dd8474
 +	fi
 +	linux16 /vmlinuz-0-rescue-db95a22b243d4c30b1683d28b27424dc root=/dev/mapper/centos-root ro net.ifnames=0 biosdevname=0 crashkernel=auto spectre_v2=retpoline rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet fips=1 boot=UUID=ae29dba3-7757-4fc5-a26c-465385dd8474
 +	initrd16 /initramfs-0-rescue-db95a22b243d4c30b1683d28b27424dc.img
 +}
 +
 +### END /etc/grub.d/10_linux ###
 +
 +### BEGIN /etc/grub.d/20_linux_xen ###
 +### END /etc/grub.d/20_linux_xen ###
 +
 +### BEGIN /etc/grub.d/20_ppc_terminfo ###
 +### END /etc/grub.d/20_ppc_terminfo ###
 +
 +### BEGIN /etc/grub.d/30_os-prober ###
 +### END /etc/grub.d/30_os-prober ###
 +
 +### BEGIN /etc/grub.d/40_custom ###
 +# This file provides an easy way to add custom menu entries.  Simply type the
 +# menu entries you want to add after this comment.  Be careful not to change
 +# the 'exec tail' line above.
 +### END /etc/grub.d/40_custom ###
 +
 +### BEGIN /etc/grub.d/41_custom ###
 +if [ -f  ${config_directory}/custom.cfg ]; then
 +  source ${config_directory}/custom.cfg
 +elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
 +  source $prefix/custom.cfg;
 +fi
 +### END /etc/grub.d/41_custom ###

Review 73163

× V-73163: The audit system must take appropriate action when there is an error
sending audit records to a remote system.
× Parse Config File /etc/audisp/audisp-remote.conf network_failure_action.strip
undefined method `strip' for nil:NilClass
Did you mean? String

Rewrite all controls that use regex where a simple attribute will do

Improve PAM resource matching ability

The new PAM resource is a bit limited in the ability to match parameters against a range of numerical values (for example). A regular expression is required. One solution to this would be if PAM resource could match values using native matchers.

Update all controls to use the `input` vs `attribute` given we are now based on InSpec 4.x

Given commit b9731f7 we should have also updated the function to use the new input keyword rather than attribute to keep consistanct with the new 4.x convention.

V-71965 Utilizes authconfig

V-71965 utilizes authconfig to perform a check if smartcard for login is enabled.

describe command("authconfig --test | grep -i smartcard") do

Unfortunately authconfig does not really exist on SIMP systems...

$ cat /sbin/authconfig
#!/bin/sh
# This file is managed by Puppet. DO NOT EDIT.

# authconfig cannot be used to generate equivalent,
# security-compliant, PAM configuration as that created by
# SIMP.  To prevent an administrator from inadvertently
# corrupting PAM configuration by using /usr/sbin/authconfig,
# /usr/sbin/authconfig-tui or tools that call them, SIMP has
# replaced the original authconfig and authconfig-tui links
# with links to this no-op script.

/bin/true

Therefore this control needs to look at the configuration directly.

Review 72223

It doesn't make sense that TMOUT would be defined in these files ...

This could be a logic error in the collection script for the array under evaluation

× V-72223: All network connections associated with a communication session must
be terminated at the end of the session or after 10 minutes of inactivity from
the user at a command prompt, except to fulfill documented and validated
mission requirements. (18 failed)
× Parse Config File /etc/bashrc TMOUT should cmp <= 600

 expected it to be <= 600
      got: nil

 (compared using `cmp` matcher)

 ×  Parse Config File /etc/profile.d/256term.csh TMOUT should cmp <= 600

 expected it to be <= 600
      got: nil

 (compared using `cmp` matcher)

 ×  Parse Config File /etc/profile.d/256term.sh TMOUT should cmp <= 600

 expected it to be <= 600
      got: nil

 (compared using `cmp` matcher)

 ×  Parse Config File /etc/profile.d/colorgrep.csh TMOUT should cmp <= 600

 expected it to be <= 600
      got: nil

 (compared using `cmp` matcher)

 ×  Parse Config File /etc/profile.d/colorgrep.sh TMOUT should cmp <= 600

 expected it to be <= 600
      got: nil

 (compared using `cmp` matcher)

 ×  Parse Config File /etc/profile.d/colorls.csh TMOUT should cmp <= 600

 expected it to be <= 600
      got: nil

 (compared using `cmp` matcher)

 ×  Parse Config File /etc/profile.d/colorls.sh TMOUT should cmp <= 600

 expected it to be <= 600
      got: nil

 (compared using `cmp` matcher)

 ×  Parse Config File /etc/profile.d/csh.local TMOUT should cmp <= 600

 expected it to be <= 600
      got: nil

 (compared using `cmp` matcher)

 ×  Parse Config File /etc/profile.d/lang.csh TMOUT should cmp <= 600

 expected it to be <= 600
      got: nil

 (compared using `cmp` matcher)

 ×  Parse Config File /etc/profile.d/lang.sh TMOUT should cmp <= 600

 expected it to be <= 600
      got: nil

 (compared using `cmp` matcher)

 ×  Parse Config File /etc/profile.d/less.csh TMOUT should cmp <= 600

 expected it to be <= 600
      got: nil

 (compared using `cmp` matcher)

 ×  Parse Config File /etc/profile.d/less.sh TMOUT should cmp <= 600

 expected it to be <= 600
      got: nil

 (compared using `cmp` matcher)

 ×  Parse Config File /etc/profile.d/proxy.sh TMOUT should cmp <= 600

 expected it to be <= 600
      got: nil

 (compared using `cmp` matcher)

 ×  Parse Config File /etc/profile.d/sh.local TMOUT should cmp <= 600

 expected it to be <= 600
      got: nil

 (compared using `cmp` matcher)

 ×  Parse Config File /etc/profile.d/vim.csh TMOUT should cmp <= 600

 expected it to be <= 600
      got: nil

 (compared using `cmp` matcher)

 ×  Parse Config File /etc/profile.d/vim.sh TMOUT should cmp <= 600

 expected it to be <= 600
      got: nil

 (compared using `cmp` matcher)

 ×  Parse Config File /etc/profile.d/which2.csh TMOUT should cmp <= 600

 expected it to be <= 600
      got: nil

 (compared using `cmp` matcher)

 ×  Parse Config File /etc/profile.d/which2.sh TMOUT should cmp <= 600

 expected it to be <= 600
      got: nil

 (compared using `cmp` matcher)

Management of version tag

There are currently no GitHub releases or tags pushed to this repository so I'm wondering what the policy for the inspec.yml version tag is.

Can anyone shed some light? If there is nothing thought out perhaps we can discuss options here.

update the controls to use text based impacts

V-72043 Update Assumptions about Filesystems

V-72043 makes some assumptions about what filesystems are removable. While the filesystems listed in the default (xfs & ext4) are not often seen in removable media as opposed to FAT, I'm not sure if filtering like this is the best way to go about checking this control. Furthermore, should other filesystems such as sysfs or proc be included?

I'd propose a general approach similar to what is currently happening in V-72075:

Filter mounts based on filesystems mounted
Gather all options for remaining mounts
Determine block devices for remaining mounts
Check if the device is removable
If the device is removable, make sure all mounts corresponding to the device have the correct options

Move inputs/attributes into the `inspec.yml` file and rename `attributes.yml` to `inputs.yml.example`

This would close our our transition to the 4.x standards

V-71849 - remove extra code to change desc field

https://github.com/simp/inspec-profile-disa_stig-el7/blob/master/controls/V-71849.rb

Lines 16-21 are not necessary and mute the desc field needlessly:
if disable_slow_controls
desc "This control consistently takes a long to run and has been disabled
using the disable_slow_controls attribute."
else
desc "Discretionary access control is weakened if a user or group has access
permissions to system files and directories greater than the default."
end

The describe block starting at line 81 already provide the needed output in the result instead:
if disable_slow_controls
describe "This control consistently takes a long time to run and has been disabled
using the disable_slow_controls attribute." do
skip "This control consistently takes a long time to run and has been disabled
using the disable_slow_controls attribute. You must enable this control for a
full accredidation for production."
end

V-71849, V-71855, V-72037 - wording change for disabled controls

https://github.com/simp/inspec-profile-disa_stig-el7/blob/master/controls/V-71849.rb
https://github.com/simp/inspec-profile-disa_stig-el7/blob/master/controls/V-71855.rb
https://github.com/simp/inspec-profile-disa_stig-el7/blob/master/controls/V-72037.rb

For clarity and simplicity, recommend changing:

  skip "This control consistently takes a long time to run and has been disabled
        using the disable_slow_controls attribute. You must enable this control for a
        full accredidation for production."

to simply:

skip "This control consistently takes a long time to run and has been disabled
using the disable_slow_controls attribute. You must enable this control
to ensure its tests are performed."

(Also: typo: V-71849 line 3 # Support for passed in Atrributes)

PAM checks need to be corrected

This will probably require additional capabilities to be added to the PAM library to check for the first and/or last instance of a rule type.

The following are either broken or too far reaching (matching too many rules when we only want the first):

V-71943
V-71945
V-72275

Ensure that the entire 'ipsec' configuration is read for processing in V-72317

Per #10, we need to add a capability to read the entire ipsec.conf stack to ensure that the entire include stack is processed for validation.

Review where and if we need to use the `:sensitive` flag on any tests

Sensitive resources
In some scenarios, you may be writing checks involving resources with sensitive content (e.g. a file resource). In the case of failures, it may be desired to suppress output. This can be done by adding the :sensitive flag to the resource definition

describe file('/tmp/mysecretfile'), :sensitive do
its('content') { should contain 'secret_info' }
end

Fix dynamic impact on V-72305 for TFPT server

We do not set impact on the negative case correctly

technically we should use https://www.inspec.io/docs/reference/resources/xinetd_conf/ to write this test.

Originally posted by @aaronlippold in #66

Update the reporting / check to be more clear

I have to read this twice every time ... we should make this more clear

We expect to have at least one defined permission ...

"The audit rules for file #{file} must have defined permissions"

failure_message: "No permissions were defied in the audit rules for file #{file}"

I think this would be a good place to use the expect syntax so we can over ride the default fail message and pass message to make things much more understandable.

bad_users = inspec.shadow.where { password != "*" && password != "!" && password !~ /\$6\$/ }.users

describe 'Password hashes in /etc/shadow' do
  it 'should only contain SHA512 hashes' do
    failure_message = "Users without SHA512 hashes: #{bad_users.join(', ')}"
    expect(bad_users).to be_empty, failure_message
  end
end

× V-72191: All uses of the insmod command must be audited. (1 failed)
× Auditd Rules with file == "/sbin/insmod" permissions should not cmp == []

 expected it not to be == []
      got: []

 (compared using `cmp` matcher)

 ✔  Auditd Rules with file == "/sbin/insmod" action should not include "never"

× V-72193: All uses of the rmmod command must be audited. (1 failed)
× Auditd Rules with file == "/sbin/rmmod" permissions should not cmp == []

 expected it not to be == []
      got: []

 (compared using `cmp` matcher)

 ✔  Auditd Rules with file == "/sbin/rmmod" action should not include "never"

× V-72195: All uses of the modprobe command must be audited. (1 failed)
× Auditd Rules with file == "/sbin/modprobe" permissions should not cmp == []

 expected it not to be == []
      got: []

 (compared using `cmp` matcher)

Typo in V-72315

describe "This control must be reviewd manually" do

should be

describe "This control must be reviewed manually" do

V-71849 Add puppet content to fix any RPMs that get out of wack

This issue was originally a @todo and a bunch of comments in V-71849. I am just capturing it here.

# @todo add puppet content to fix any rpms that get out of wack
# The following are known to be different and must be excluded. These are changed by the following
# Chef Manage Cookbooks:
# cron entries - stig/recipies/file_permissions.rb
#.M.......  /etc/cron.d
#.M.......  /etc/cron.daily
#.M.......  /etc/cron.hourly
#.M.......  /etc/cron.monthly
#.M.......  /etc/cron.weekly
#.M.......  c /etc/crontab
# /etc/default/useradd - stig/recipies/login_defs.rb
#.M5....T.  c /etc/default/useradd
# /etc/ntp.conf - stig/recipies/ntp.rb
#.M.......  c /etc/ntp.conf
# /etc/sysctl.conf - stig
#SM5....T.  c /etc/sysctl.conf
#
#/etc/default/useradd - stig/recipies/ipv6.rb
#SM5....T.  c /etc/sysconfig/iptables
# /var/cache/yum -  if you ever clear out the yum cache to free system space
#.M.......    /var/cache/yum

Update V-72427 to handle edge case

V-72427 doesn't handle the case when no configuration files are found, but, SSSD is installed.

Error in V-72433 Check Logic

V-72433 states that "There should be at least three lines returned." and "If oscp_on is not present in all cert_policy lines in /etc/pam_pkcs11/pam_pkcs11.conf, this is a finding."

The current check does not validate that every line containing cert_policy contains oscp_on.

integrate in the work @cpoma and his teams are working on

@dhaynes is working on integration of updates on his side and with a few other teams. We should have a much more complete profile in the next week or two

V-72095 Does not Check for Blanket auditd Rules

This check finds all setuid and setgid programs on the system and attempts to match them with an auditd rule. However, this does not account for blanket rules such as the ones SIMP creates with the auditd:: audit_suid_sgid parameter.

This check could be updated to describe.one either the blanket rule or the individual rules.

Deprecation notices

Lots of these popping up now (this is just a sample):

 inspec exec '/tmp/inspec/inspec_profiles/CentOS-7-disa_stig' --chef-license accept --reporter json > /tmp/inspec_results.json
  [2019-05-07T12:45:48+00:00] WARN: DEPRECATION: The 'default' option for attributes is being replaced by 'value' - please use it instead. attribute name: 'Inspec::Input' (used at /tmp/inspec/inspec_deps/inspec_profiles/profiles/disa_stig-el7-baseline/controls/V-71849.rb:4)
  [2019-05-07T12:45:48+00:00] WARN: DEPRECATION: The 'default' option for attributes is being replaced by 'value' - please use it instead. attribute name: 'Inspec::Input' (used at /tmp/inspec/inspec_deps/inspec_profiles/profiles/disa_stig-el7-baseline/controls/V-71849.rb:10)
  [2019-05-07T12:46:43+00:00] WARN: DEPRECATION: The 'default' option for attributes is being replaced by 'value' - please use it instead. attribute name: 'Inspec::Input' (used at /tmp/inspec/inspec_deps/inspec_profiles/profiles/disa_stig-el7-baseline/controls/V-71855.rb:3)
  [2019-05-07T12:46:43+00:00] WARN: DEPRECATION: The 'default' option for attributes is being replaced by 'value' - please use it instead. attribute name: 'Inspec::Input' (used at /tmp/inspec/inspec_deps/inspec_profiles/profiles/disa_stig-el7-baseline/controls/V-71855.rb:9)

V-72257: invalid use `be_executable.by('user')`

inspec-profile-disa_stig-el7/controls/V-72257.rb

Line 42 in 534232d

it { should_not be_executable.by('user') }

The usage should_not be_executable.by('user') is invalid
correct usage is should_not be_executable.by_user('ec2-user')

inspec> key_files.each do |keyfile|
inspec> describe file(keyfile) do
inspec> it { should_not be_executable.by('user') }
inspec> end
inspec> end

Error trace:

Profile: inspec-shell
Version: (not specified)

  File /etc/ssh/ssh_host_rsa_key
     ×  should not be executable by user
     Invalid usergroup/owner provided
  File /etc/ssh/ssh_host_ecdsa_key
     ×  should not be executable by user
     Invalid usergroup/owner provided
  File /etc/ssh/ssh_host_ed25519_key
     ×  should not be executable by user
     Invalid usergroup/owner provided

Solution:

replace: it { should_not be_executable.by('user') }
with: it { should_not be_executable.by('all') }

Consider Updating mfa_package_list Defaults

I was doing a bit of investigating on RHEL's MFA/Smartcard requirements and they posted this. The control currently has the STIG recommended check of three packages:

mfa_pkg_list: [
    'esc',
    'pam_pkcs11',
    'authconfig-gtk',
]

If you want to consider the RHEL documentation mfa_pkg_list would look something like

mfa_pkg_list: [
    'nss-tools',
    'nss-pam-ldapd',
    'esc',
    'pam_pkcs11',
    'pam_krb5',
    'opensc',
    'pcsc-lite-ccid',
    'gdm',
    'authconfig',
    'authconfig-gtk',
    'krb5-libs',
    'krb5-workstation',
    'krb5-pkinit',
    'pcsc-lite',
    'pcsc-lite-libs'
]

V-71941 could return a false pass

The test with current design will return a false pass when INACTIVE is set to default value -1
which disables feature

inspec-profile-disa_stig-el7/controls/V-71941.rb

Line 46 in ecdf03e

its('INACTIVE') { should cmp <= days_of_inactivity }

A check should be added to verify that INACTIVE >= 0

write unit tests and docs for the `pam` resource so we can push it upstream

Inspec tests fail to run after SSG remediation on a VM

This relates to #115. We need to isolate why the inspec tests are failing on a remediated system.
The error does not occur when run in a remediated Docker container.

simp / inspec-profile-disa_stig-el7 Goto Github PK

inspec-profile-disa_stig-el7's People

Contributors

Stargazers

Watchers

Forkers

inspec-profile-disa_stig-el7's Issues

Recommend Projects

Recommend Topics

Recommend Org

Jobs