Updated controls to use the new impact and sub-sections capability
* updated all impacts to use text based values
* updated check tags to use `desc 'check',` sub-sections
* updated fix tags to use `desc 'fix',` sub-sections

Fixes #2

Signed-off-by: Aaron Lippold <[email protected]>
aaronlippold committed Nov 23, 2018
1 parent aa1e3c9 commit 60c795d
Showing 264 changed files with 802 additions and 809 deletions.
7 changes: 3 additions & 4 deletions controls/V-38437.rb
Expand Up @@ -13,7 +13,7 @@
if NFS is required, it is almost always possible to configure filesystem mounts
statically by editing \"/etc/fstab\" rather than relying on the automounter.
"
impact 0.3
impact 'low'
tag "gtitle": "SRG-OS-999999"
tag "gid": "V-38437"
tag "rid": "SV-50237r1_rule"
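Review bot: `impact 'low'` at the changed line depends on the string-impact capability the commit message describes as new, and the visible part of this change does not raise the profile's minimum InSpec version. Suggest declaring the minimum supported release with `inspec_version` in `inspec.yml` in the same commit, so a runner that predates the feature fails with a clear version error instead of a control-load error across the changed files.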
Expand All @@ -31,7 +31,7 @@
tag "mitigation_controls": nil
tag "responsibility": nil
tag "ia_controls": nil
tag "check": "To verify the \"autofs\" service is disabled, run the following
desc 'check', "To verify the \"autofs\" service is disabled, run the following
command:
chkconfig --list autofs
Expand All @@ -45,7 +45,7 @@
# service autofs status
If the autofs service is enabled or running, this is a finding."
tag "fix": "If the \"autofs\" service is not needed to dynamically mount NFS
desc 'fix', "If the \"autofs\" service is not needed to dynamically mount NFS
filesystems or removable media, disable the service for all runlevels:
# chkconfig --level 0123456 autofs off
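Review bot: the `tag "fix":` line is removed rather than kept alongside `desc 'fix',` (and likewise `tag "check":` in the hunk above), so the text moves out of the control's tags. Any report consumer or converter that reads `check` and `fix` from the tags will silently get nothing after this commit; confirm they read the labelled descriptions instead, or call out the breaking change in the commit message next to "Fixes #2".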
Expand Down Expand Up @@ -76,4 +76,3 @@
it { should_not be_enabled }
end
end

7 changes: 3 additions & 4 deletions controls/V-38438.rb
Expand Up @@ -4,7 +4,7 @@
indicates whether its activities can be audited. Although \"auditd\" takes care
of enabling this for all processes which launch after it does, adding the
kernel argument ensures it is set for every process during boot."
impact 0.3
impact 'low'
tag "gtitle": "SRG-OS-000062"
tag "gid": "V-38438"
tag "rid": "SV-50238r4_rule"
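Review bot: `impact 'low'` is not numerically equivalent to the `impact 0.3` it replaces. InSpec resolves the names to fixed scores ('low' to 0.1, 'medium' to 0.4), so reports will show 0.1 here and 0.4 where 0.5 used to be. The severity bucket is unchanged, but any downstream comparison or threshold on the numeric impact should be checked, and the commit message should say that the numbers shift.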
Expand All @@ -22,7 +22,7 @@
tag "mitigation_controls": nil
tag "responsibility": nil
tag "ia_controls": nil
tag "check": "Inspect the kernel boot arguments (which follow the word
desc 'check', "Inspect the kernel boot arguments (which follow the word
\"kernel\") in \"/boot/grub/grub.conf\". If they include \"audit=1\", then
auditing is enabled at boot time.
Expand All @@ -31,7 +31,7 @@
If the system uses UEFI inspect the kernel boot arguments (which follow the
word \"kernel\") in \"/boot/efi/EFI/redhat/grub.conf\". If they include
\"audit=1\", then auditing is enabled at boot time."
tag "fix": "To ensure all processes can be audited, even those which start
desc 'fix', "To ensure all processes can be audited, even those which start
prior to the audit daemon, add the argument \"audit=1\" to the kernel line in
\"/boot/grub/grub.conf\" or \"/boot/efi/EFI/redhat/grub.conf\", in the manner
below:
Expand All @@ -50,4 +50,3 @@
end
end
end

7 changes: 3 additions & 4 deletions controls/V-38439.rb
Expand Up @@ -6,7 +6,7 @@
and promptly addressed. Enterprise environments make user account management
challenging and complex. A user management process requiring administrators to
manually address account management functions adds risk of potential oversight."
impact 0.5
impact 'medium'
tag "gtitle": "SRG-OS-000001"
tag "gid": "V-38439"
tag "rid": "SV-50239r1_rule"
Expand All @@ -24,12 +24,12 @@
tag "mitigation_controls": nil
tag "responsibility": nil
tag "ia_controls": nil
tag "check": "Interview the SA to determine if there is an automated system
desc 'check', "Interview the SA to determine if there is an automated system
for managing user accounts, preferably integrated with an existing enterprise
user management system.
If there is not, this is a finding."
tag "fix": "Implement an automated system for managing user accounts that
desc 'fix', "Implement an automated system for managing user accounts that
minimizes the risk of errors, either intentional or deliberate. If possible,
this system should integrate with an existing enterprise user management
system, such as, one based Active Directory or Kerberos."
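Review bot: in the `desc 'fix',` text, "either intentional or deliberate" names the same thing twice (probably "accidental or deliberate" was meant) and "one based Active Directory" is missing "on". If this wording is copied verbatim from the STIG, leave it and say so in a comment; otherwise fix it while the line is being rewritten.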
Expand All @@ -38,4 +38,3 @@
skip "This control must be reviewed manually"
end
end

7 changes: 3 additions & 4 deletions controls/V-38443.rb
Expand Up @@ -2,7 +2,7 @@
title "The /etc/gshadow file must be owned by root."
desc "The \"/etc/gshadow\" file contains group password hashes. Protection
of this file is critical for system security."
impact 0.5
impact 'medium'
tag "gtitle": "SRG-OS-999999"
tag "gid": "V-38443"
tag "rid": "SV-50243r1_rule"
Expand All @@ -20,14 +20,14 @@
tag "mitigation_controls": nil
tag "responsibility": nil
tag "ia_controls": nil
tag "check": "To check the ownership of \"/etc/gshadow\", run the command:
desc 'check', "To check the ownership of \"/etc/gshadow\", run the command:
$ ls -l /etc/gshadow
If properly configured, the output should indicate the following owner:
\"root\"
If it does not, this is a finding."
tag "fix": "To properly set the owner of \"/etc/gshadow\", run the command:
desc 'fix', "To properly set the owner of \"/etc/gshadow\", run the command:
# chown root /etc/gshadow"

Expand All @@ -38,4 +38,3 @@
its("uid") { should cmp 0 }
end
end

7 changes: 3 additions & 4 deletions controls/V-38444.rb
Expand Up @@ -5,7 +5,7 @@
applicable rules in the table are examined for a match. Setting the default
policy to \"DROP\" implements proper design for a firewall, i.e., any packets
which are not explicitly permitted should not be accepted."
impact 0.5
impact 'medium'
tag "gtitle": "SRG-OS-000231"
tag "gid": "V-38444"
tag "rid": "SV-50244r2_rule"
Expand All @@ -23,7 +23,7 @@
tag "mitigation_controls": nil
tag "responsibility": nil
tag "ia_controls": nil
tag "check": "If IPv6 is disabled, this is not applicable.
desc 'check', "If IPv6 is disabled, this is not applicable.
Inspect the file \"/etc/sysconfig/ip6tables\" to determine the default policy
for the INPUT chain. It should be set to DROP:
Expand All @@ -32,7 +32,7 @@
If the default policy for the INPUT chain is not set to DROP, this is a
finding. "
tag "fix": "To set the default policy to DROP (instead of ACCEPT) for the
desc 'fix', "To set the default policy to DROP (instead of ACCEPT) for the
built-in INPUT chain which processes incoming packets, add or correct the
following line in \"/etc/sysconfig/ip6tables\":
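Review bot: the `desc 'fix',` text here and the check text above both point at the persisted file "/etc/sysconfig/ip6tables", while the matcher in the final hunk, `should match %r{Chain INPUT \(policy DROP}`, is applied to a command's `stdout` in the listing form of the running ruleset. A host whose loaded policy is DROP but whose file still says ACCEPT would pass until the next reload; consider adding a file-based assertion so the test covers what the text describes.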
Expand All @@ -46,4 +46,3 @@
its('stdout.strip') { should match %r{Chain INPUT \(policy DROP} }
end
end

7 changes: 3 additions & 4 deletions controls/V-38445.rb
Expand Up @@ -2,7 +2,7 @@
title "Audit log files must be group-owned by root."
desc "If non-privileged users can write to audit logs, audit trails can be
modified or destroyed."
impact 0.5
impact 'medium'
tag "gtitle": "SRG-OS-000057"
tag "gid": "V-38445"
tag "rid": "SV-50245r2_rule"
Expand All @@ -20,14 +20,14 @@
tag "mitigation_controls": nil
tag "responsibility": nil
tag "ia_controls": nil
tag "check": "Run the following command to check the group owner of the
desc 'check', "Run the following command to check the group owner of the
system audit logs:
grep \"^log_file\" /etc/audit/auditd.conf|sed s/^[^\\/]*//|xargs stat -c %G:%n
Audit logs must be group-owned by root.
If they are not, this is a finding."
tag "fix": "Change the group owner of the audit log files with the following
desc 'fix', "Change the group owner of the audit log files with the following
command:
# chgrp root [audit_file]"
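Review bot: the pipeline documented in `desc 'check',` prints nothing when `log_file` is not set in /etc/audit/auditd.conf, and if the command under test is this same pipeline, the assertion in the next hunk, `its('stdout.lines') { should all match %{^root:} }`, passes on an empty list of lines. Suggest asserting that the output is non-empty first, and writing the pattern as `%r{^root:}` (as V-38444.rb does), since `%{...}` is a string literal rather than a regex.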
Expand All @@ -36,4 +36,3 @@
its('stdout.lines') { should all match %{^root:} }
end
end

6 changes: 3 additions & 3 deletions controls/V-38446.rb
Expand Up @@ -4,7 +4,7 @@
desc "A number of system services utilize email messages sent to the root
user to notify system administrators of active or impending issues. These
messages must be forwarded to at least one monitored email address."
impact 0.5
impact 'medium'
tag "gtitle": "SRG-OS-999999"
tag "gid": "V-38446"
tag "rid": "SV-50246r2_rule"
Expand All @@ -22,7 +22,7 @@
tag "mitigation_controls": nil
tag "responsibility": nil
tag "ia_controls": nil
tag "check": "Find the list of alias maps used by the Postfix mail server:
desc 'check', "Find the list of alias maps used by the Postfix mail server:
# postconf alias_maps
Expand All @@ -32,7 +32,7 @@
If there are no aliases configured for root that forward to a monitored email
address, this is a finding."
tag "fix": "Set up an alias for root that forwards to a monitored email
desc 'fix', "Set up an alias for root that forwards to a monitored email
address:
# echo \"root: <system.administrator>@mail.mil\" >> /etc/aliases
6 changes: 3 additions & 3 deletions controls/V-38447.rb
Expand Up @@ -4,7 +4,7 @@
desc "The hash on important files like system executables should match the
information given by the RPM database. Executables with erroneous hashes could
be a sign of nefarious activity on the system."
impact 0.3
impact 'low'
tag "gtitle": "SRG-OS-999999"
tag "gid": "V-38447"
tag "rid": "SV-50247r4_rule"
Expand All @@ -22,7 +22,7 @@
tag "mitigation_controls": nil
tag "responsibility": nil
tag "ia_controls": nil
tag "check": "The following command will list which files on the system have
desc 'check', "The following command will list which files on the system have
file hashes different from what is expected by the RPM database:
# rpm -Va | awk '$1 ~ /..5/ && $2 != \"c\"'
Expand All @@ -33,7 +33,7 @@
If there are changes to system binaries and they are not documented with the
ISSO, this is a finding.
"
tag "fix": "The RPM package management system can check the hashes of
desc 'fix', "The RPM package management system can check the hashes of
installed software packages, including many that are important to system
security. Run the following command to list which files on the system have
hashes that differ from what is expected by the RPM database:
6 changes: 3 additions & 3 deletions controls/V-38448.rb
Expand Up @@ -2,7 +2,7 @@
title "The /etc/gshadow file must be group-owned by root."
desc "The \"/etc/gshadow\" file contains group password hashes. Protection
of this file is critical for system security."
impact 0.5
impact 'medium'
tag "gtitle": "SRG-OS-999999"
tag "gid": "V-38448"
tag "rid": "SV-50248r1_rule"
Expand All @@ -20,15 +20,15 @@
tag "mitigation_controls": nil
tag "responsibility": nil
tag "ia_controls": nil
tag "check": "To check the group ownership of \"/etc/gshadow\", run the
desc 'check', "To check the group ownership of \"/etc/gshadow\", run the
command:
$ ls -l /etc/gshadow
If properly configured, the output should indicate the following group-owner.
\"root\"
If it does not, this is a finding."
tag "fix": "To properly set the group owner of \"/etc/gshadow\", run the
desc 'fix', "To properly set the group owner of \"/etc/gshadow\", run the
command:
# chgrp root /etc/gshadow"
6 changes: 3 additions & 3 deletions controls/V-38449.rb
Expand Up @@ -2,7 +2,7 @@
title "The /etc/gshadow file must have mode 0000."
desc "The /etc/gshadow file contains group password hashes. Protection of
this file is critical for system security."
impact 0.5
impact 'medium'
tag "gtitle": "SRG-OS-999999"
tag "gid": "V-38449"
tag "rid": "SV-50249r1_rule"
Expand All @@ -20,14 +20,14 @@
tag "mitigation_controls": nil
tag "responsibility": nil
tag "ia_controls": nil
tag "check": "To check the permissions of \"/etc/gshadow\", run the command:
desc 'check', "To check the permissions of \"/etc/gshadow\", run the command:
$ ls -l /etc/gshadow
If properly configured, the output should indicate the following permissions:
\"----------\"
If it does not, this is a finding."
tag "fix": "To properly set the permissions of \"/etc/gshadow\", run the
desc 'fix', "To properly set the permissions of \"/etc/gshadow\", run the
command:
# chmod 0000 /etc/gshadow"
6 changes: 3 additions & 3 deletions controls/V-38450.rb
Expand Up @@ -3,7 +3,7 @@
desc "The \"/etc/passwd\" file contains information about the users that are
configured on the system. Protection of this file is critical for system
security."
impact 0.5
impact 'medium'
tag "gtitle": "SRG-OS-999999"
tag "gid": "V-38450"
tag "rid": "SV-50250r1_rule"
Expand All @@ -21,14 +21,14 @@
tag "mitigation_controls": nil
tag "responsibility": nil
tag "ia_controls": nil
tag "check": "To check the ownership of \"/etc/passwd\", run the command:
desc 'check', "To check the ownership of \"/etc/passwd\", run the command:
$ ls -l /etc/passwd
If properly configured, the output should indicate the following owner:
\"root\"
If it does not, this is a finding."
tag "fix": "To properly set the owner of \"/etc/passwd\", run the command:
desc 'fix', "To properly set the owner of \"/etc/passwd\", run the command:
# chown root /etc/passwd"

6 changes: 3 additions & 3 deletions controls/V-38451.rb
Expand Up @@ -3,7 +3,7 @@
desc "The \"/etc/passwd\" file contains information about the users that are
configured on the system. Protection of this file is critical for system
security."
impact 0.5
impact 'medium'
tag "gtitle": "SRG-OS-999999"
tag "gid": "V-38451"
tag "rid": "SV-50251r1_rule"
Expand All @@ -21,15 +21,15 @@
tag "mitigation_controls": nil
tag "responsibility": nil
tag "ia_controls": nil
tag "check": "To check the group ownership of \"/etc/passwd\", run the
desc 'check', "To check the group ownership of \"/etc/passwd\", run the
command:
$ ls -l /etc/passwd
If properly configured, the output should indicate the following group-owner.
\"root\"
If it does not, this is a finding."
tag "fix": "To properly set the group owner of \"/etc/passwd\", run the
desc 'fix', "To properly set the group owner of \"/etc/passwd\", run the
command:
# chgrp root /etc/passwd"
6 changes: 3 additions & 3 deletions controls/V-38452.rb
Expand Up @@ -5,7 +5,7 @@
generous could allow an unauthorized user to gain privileges that they should
not have. The permissions set by the vendor should be maintained. Any
deviations from this baseline should be investigated."
impact 0.3
impact 'low'
tag "gtitle": "SRG-OS-999999"
tag "gid": "V-38452"
tag "rid": "SV-50252r2_rule"
Expand All @@ -23,7 +23,7 @@
tag "mitigation_controls": nil
tag "responsibility": nil
tag "ia_controls": nil
tag "check": "The following command will list which files and directories on
desc 'check', "The following command will list which files and directories on
the system have permissions different from what is expected by the RPM
database:
Expand All @@ -40,7 +40,7 @@
If the existing permissions are more permissive than those expected by RPM,
this is a finding."
tag "fix": "The RPM package management system can restore file access
desc 'fix', "The RPM package management system can restore file access
permissions of package files and directories. The following command will update
permissions on files and directories with permissions different from what is
expected by the RPM database: