From 0871f82beb84017dde41b43699aa2f6f88d5d684 Mon Sep 17 00:00:00 2001 From: Aaron Lippold Date: Fri, 23 Nov 2018 14:55:21 -0500 Subject: [PATCH] * fixed most rubocop issues using auto-correct-safe * added an autogenerated .rubocop-todo and .rubocop Fixes #4 
Signed-off-by: Aaron Lippold --- .rubocop.yml | 1 + .rubocop_todo.yml | 73 +++++++++++++++++++++++++++++++++++ LICENSE.md | 17 ++++++--- README.md | 34 ++++++++++------- controls/V-38437.rb | 31 ++++++++------- controls/V-38438.rb | 27 +++++++------ controls/V-38439.rb | 21 +++++----- controls/V-38443.rb | 25 ++++++------ controls/V-38444.rb | 21 +++++----- controls/V-38445.rb | 23 ++++++----- controls/V-38446.rb | 21 +++++----- controls/V-38447.rb | 19 +++++---- controls/V-38448.rb | 25 ++++++------ controls/V-38449.rb | 71 +++++++++++++++++----------------- controls/V-38450.rb | 25 ++++++------ controls/V-38451.rb | 25 ++++++------ controls/V-38452.rb | 17 ++++----- controls/V-38453.rb | 19 +++++---- controls/V-38454.rb | 17 ++++----- controls/V-38455.rb | 21 +++++----- controls/V-38456.rb | 21 +++++----- controls/V-38457.rb | 71 +++++++++++++++++----------------- controls/V-38458.rb | 25 ++++++------ controls/V-38459.rb | 25 ++++++------ controls/V-38460.rb | 21 +++++----- controls/V-38461.rb | 57 ++++++++++++++------------- controls/V-38463.rb | 21 +++++----- controls/V-38464.rb | 19 +++++---- controls/V-38465.rb | 21 +++++----- controls/V-38466.rb | 21 +++++----- controls/V-38467.rb | 19 +++++---- controls/V-38468.rb | 19 +++++---- controls/V-38469.rb | 21 +++++----- controls/V-38470.rb | 25 ++++++------ controls/V-38471.rb | 19 +++++---- controls/V-38472.rb | 21 +++++----- controls/V-38473.rb | 21 +++++----- controls/V-38474.rb | 25 ++++++------ controls/V-38475.rb | 23 ++++++----- controls/V-38476.rb | 17 ++++----- controls/V-38477.rb | 23 ++++++----- controls/V-38478.rb | 19 +++++---- controls/V-38479.rb | 25 ++++++------ controls/V-38480.rb | 25 ++++++------ controls/V-38481.rb | 23 ++++++----- controls/V-38482.rb | 41 ++++++++++---------- controls/V-38483.rb | 21 +++++----- controls/V-38484.rb | 19 +++++---- controls/V-38486.rb | 21 +++++----- controls/V-38487.rb | 21 +++++----- controls/V-38488.rb | 21 +++++----- controls/V-38489.rb | 21 +++++----- 
controls/V-38490.rb | 25 ++++++------ controls/V-38491.rb | 27 +++++++------ controls/V-38492.rb | 21 +++++----- controls/V-38493.rb | 19 +++++---- controls/V-38494.rb | 21 +++++----- controls/V-38495.rb | 27 +++++++------ controls/V-38496.rb | 21 +++++----- controls/V-38497.rb | 25 ++++++------ controls/V-38498.rb | 23 ++++++----- controls/V-38499.rb | 27 +++++++------ controls/V-38500.rb | 23 ++++++----- controls/V-38501.rb | 29 +++++++------- controls/V-38502.rb | 25 ++++++------ controls/V-38503.rb | 25 ++++++------ controls/V-38504.rb | 71 +++++++++++++++++----------------- controls/V-38511.rb | 29 +++++++------- controls/V-38512.rb | 17 ++++----- controls/V-38513.rb | 21 +++++----- controls/V-38514.rb | 25 ++++++------ controls/V-38515.rb | 25 ++++++------ controls/V-38516.rb | 25 ++++++------ controls/V-38517.rb | 25 ++++++------ controls/V-38518.rb | 34 ++++++++--------- controls/V-38519.rb | 34 ++++++++--------- controls/V-38520.rb | 23 ++++++----- controls/V-38521.rb | 23 ++++++----- controls/V-38522.rb | 25 ++++++------ controls/V-38523.rb | 29 +++++++------- controls/V-38524.rb | 31 ++++++++------- controls/V-38525.rb | 21 +++++----- controls/V-38526.rb | 29 +++++++------- controls/V-38527.rb | 25 ++++++------ controls/V-38528.rb | 31 ++++++++------- controls/V-38529.rb | 31 ++++++++------- controls/V-38530.rb | 21 +++++----- controls/V-38531.rb | 39 +++++++++---------- controls/V-38532.rb | 31 ++++++++------- controls/V-38533.rb | 31 ++++++++------- controls/V-38534.rb | 39 +++++++++---------- controls/V-38535.rb | 31 ++++++++------- controls/V-38536.rb | 37 +++++++++--------- controls/V-38537.rb | 31 ++++++++------- controls/V-38538.rb | 39 +++++++++---------- controls/V-38539.rb | 29 +++++++------- controls/V-38540.rb | 23 ++++++----- controls/V-38541.rb | 21 +++++----- controls/V-38542.rb | 29 +++++++------- controls/V-38543.rb | 26 ++++++------- controls/V-38544.rb | 29 +++++++------- controls/V-38545.rb | 26 ++++++------- controls/V-38547.rb | 26 
++++++------- controls/V-38548.rb | 27 +++++++------ controls/V-38549.rb | 19 +++++---- controls/V-38550.rb | 26 ++++++------- controls/V-38551.rb | 17 ++++----- controls/V-38552.rb | 26 ++++++------- controls/V-38553.rb | 17 ++++----- controls/V-38554.rb | 26 ++++++------- controls/V-38555.rb | 19 +++++---- controls/V-38556.rb | 26 ++++++------- controls/V-38557.rb | 26 ++++++------- controls/V-38558.rb | 26 ++++++------- controls/V-38559.rb | 26 ++++++------- controls/V-38560.rb | 17 ++++----- controls/V-38561.rb | 26 ++++++------- controls/V-38563.rb | 26 ++++++------- controls/V-38565.rb | 26 ++++++------- controls/V-38566.rb | 21 +++++----- controls/V-38567.rb | 21 +++++----- controls/V-38568.rb | 26 ++++++------- controls/V-38569.rb | 41 ++++++++++---------- controls/V-38570.rb | 41 ++++++++++---------- controls/V-38571.rb | 41 ++++++++++---------- controls/V-38572.rb | 41 ++++++++++---------- controls/V-38573.rb | 29 +++++++------- controls/V-38574.rb | 21 +++++----- controls/V-38575.rb | 58 ++++++++++++++-------------- controls/V-38576.rb | 21 +++++----- controls/V-38577.rb | 21 +++++----- controls/V-38578.rb | 21 +++++----- controls/V-38579.rb | 33 ++++++++-------- controls/V-38580.rb | 38 +++++++++--------- controls/V-38581.rb | 29 +++++++------- controls/V-38582.rb | 35 +++++++++-------- controls/V-38583.rb | 93 ++++++++++++++++++++++----------------------- controls/V-38584.rb | 19 +++++---- controls/V-38585.rb | 27 +++++++------ controls/V-38586.rb | 21 +++++----- controls/V-38587.rb | 21 +++++----- controls/V-38588.rb | 23 ++++++----- controls/V-38589.rb | 25 ++++++------ controls/V-38590.rb | 21 +++++----- controls/V-38591.rb | 21 +++++----- controls/V-38592.rb | 33 ++++++++-------- controls/V-38593.rb | 27 +++++++------ controls/V-38594.rb | 25 ++++++------ controls/V-38595.rb | 21 +++++----- controls/V-38596.rb | 21 +++++----- controls/V-38597.rb | 17 ++++----- controls/V-38598.rb | 25 ++++++------ controls/V-38599.rb | 21 +++++----- 
controls/V-38600.rb | 31 ++++++++------- controls/V-38601.rb | 31 ++++++++------- controls/V-38602.rb | 25 ++++++------ controls/V-38603.rb | 21 +++++----- controls/V-38604.rb | 37 +++++++++--------- controls/V-38605.rb | 35 +++++++++-------- controls/V-38606.rb | 21 +++++----- controls/V-38607.rb | 19 +++++---- controls/V-38608.rb | 19 +++++---- controls/V-38609.rb | 19 +++++---- controls/V-38610.rb | 19 +++++---- controls/V-38611.rb | 19 +++++---- controls/V-38612.rb | 19 +++++---- controls/V-38613.rb | 17 ++++----- controls/V-38614.rb | 19 +++++---- controls/V-38615.rb | 17 ++++----- controls/V-38616.rb | 19 +++++---- controls/V-38617.rb | 21 +++++----- controls/V-38618.rb | 33 ++++++++-------- controls/V-38619.rb | 19 +++++---- controls/V-38620.rb | 35 +++++++++-------- controls/V-38621.rb | 21 +++++----- controls/V-38622.rb | 23 ++++++----- controls/V-38623.rb | 32 ++++++++-------- controls/V-38624.rb | 25 ++++++------ controls/V-38627.rb | 21 +++++----- controls/V-38628.rb | 17 ++++----- controls/V-38629.rb | 23 ++++++----- controls/V-38630.rb | 23 ++++++----- controls/V-38631.rb | 17 ++++----- controls/V-38632.rb | 17 ++++----- controls/V-38633.rb | 25 ++++++------ controls/V-38634.rb | 19 +++++---- controls/V-38636.rb | 23 ++++++----- controls/V-38637.rb | 17 ++++----- controls/V-38638.rb | 25 ++++++------ controls/V-38639.rb | 23 ++++++----- controls/V-38640.rb | 37 +++++++++--------- controls/V-38641.rb | 37 +++++++++--------- controls/V-38642.rb | 25 ++++++------ controls/V-38643.rb | 21 +++++----- controls/V-38644.rb | 37 +++++++++--------- controls/V-38645.rb | 27 +++++++------ controls/V-38646.rb | 37 +++++++++--------- controls/V-38647.rb | 27 +++++++------ controls/V-38648.rb | 37 +++++++++--------- controls/V-38649.rb | 31 ++++++++------- controls/V-38650.rb | 37 +++++++++--------- controls/V-38651.rb | 27 +++++++------ controls/V-38652.rb | 19 +++++---- controls/V-38653.rb | 19 +++++---- controls/V-38654.rb | 19 +++++---- controls/V-38655.rb | 63 
+++++++++++++++--------------- controls/V-38656.rb | 23 ++++++----- controls/V-38657.rb | 37 +++++++++--------- controls/V-38658.rb | 41 ++++++++++---------- controls/V-38659.rb | 21 +++++----- controls/V-38660.rb | 19 +++++---- controls/V-38661.rb | 21 +++++----- controls/V-38662.rb | 21 +++++----- controls/V-38663.rb | 17 ++++----- controls/V-38664.rb | 17 ++++----- controls/V-38665.rb | 19 +++++---- controls/V-38667.rb | 23 ++++++----- controls/V-38668.rb | 23 ++++++----- controls/V-38669.rb | 35 +++++++++-------- controls/V-38670.rb | 17 ++++----- controls/V-38671.rb | 21 +++++----- controls/V-38672.rb | 33 ++++++++-------- controls/V-38673.rb | 17 ++++----- controls/V-38674.rb | 23 ++++++----- controls/V-38675.rb | 21 +++++----- controls/V-38676.rb | 19 +++++---- controls/V-38677.rb | 23 ++++++----- controls/V-38678.rb | 47 ++++++++++++++++------- controls/V-38679.rb | 23 ++++++----- controls/V-38680.rb | 25 ++++++------ controls/V-38681.rb | 19 +++++---- controls/V-38682.rb | 23 ++++++----- controls/V-38683.rb | 25 ++++++------ controls/V-38684.rb | 17 ++++----- controls/V-38685.rb | 23 ++++++----- controls/V-38686.rb | 21 +++++----- controls/V-38687.rb | 19 +++++---- controls/V-38688.rb | 23 ++++++----- controls/V-38689.rb | 31 ++++++++------- controls/V-38690.rb | 24 ++++++------ controls/V-38691.rb | 33 ++++++++-------- controls/V-38692.rb | 27 +++++++------ controls/V-38693.rb | 21 +++++----- controls/V-38694.rb | 25 ++++++------ controls/V-38695.rb | 17 ++++----- controls/V-38696.rb | 17 ++++----- controls/V-38697.rb | 21 +++++----- controls/V-38698.rb | 17 ++++----- controls/V-38699.rb | 21 +++++----- controls/V-38700.rb | 17 ++++----- controls/V-38701.rb | 23 ++++++----- controls/V-38702.rb | 19 +++++---- controls/V-43150.rb | 25 ++++++------ controls/V-51337.rb | 23 ++++++----- controls/V-51363.rb | 25 ++++++------ controls/V-51369.rb | 25 ++++++------ controls/V-51379.rb | 19 +++++---- controls/V-51391.rb | 39 +++++++++---------- controls/V-51875.rb 
| 21 +++++----- controls/V-54381.rb | 23 ++++++----- controls/V-57569.rb | 27 +++++++------ controls/V-58901.rb | 19 +++++---- controls/V-72817.rb | 23 ++++++----- controls/V-81441.rb | 25 ++++++------ controls/V-81443.rb | 23 ++++++----- controls/V-81445.rb | 29 +++++++------- controls/V-81447.rb | 29 +++++++------- controls/V-81449.rb | 28 +++++++------- inspec.yml | 49 +++++++++++++++++++++--- 269 files changed, 3428 insertions(+), 3559 deletions(-) create mode 100644 .rubocop.yml create mode 100644 .rubocop_todo.yml diff --git a/.rubocop.yml b/.rubocop.yml new file mode 100644 index 0000000..cc32da4 --- /dev/null +++ b/.rubocop.yml @@ -0,0 +1 @@ +inherit_from: .rubocop_todo.yml diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml new file mode 100644 index 0000000..182bd75 --- /dev/null +++ b/.rubocop_todo.yml 
@@ -0,0 +1,73 @@ +# This configuration was generated by +# `rubocop --auto-gen-config` +# on 2018-11-23 11:05:12 -0500 using RuboCop version 0.60.0. +# The point is for the user to remove these configuration records +# one by one as the offenses are removed from the code base. +# Note that changes in the inspected code, or installation of new +# versions of RuboCop, may require this file to be generated again. + +# Offense count: 15 +Lint/AmbiguousRegexpLiteral: + Exclude: + - 'controls/V-38444.rb' + - 'controls/V-38513.rb' + - 'controls/V-38520.rb' + - 'controls/V-38521.rb' + - 'controls/V-38574.rb' + - 'controls/V-38617.rb' + - 'controls/V-38624.rb' + - 'controls/V-38685.rb' + - 'controls/V-38686.rb' + - 'controls/V-38690.rb' + - 'controls/V-38693.rb' + +# Offense count: 10 +Lint/ParenthesesAsGroupedExpression: + Exclude: + - 'controls/V-38520.rb' + - 'controls/V-38521.rb' + - 'controls/V-38611.rb' + - 'controls/V-38612.rb' + - 'controls/V-38614.rb' + - 'controls/V-38657.rb' + +# Offense count: 3 +Lint/UselessAssignment: + Exclude: + - 'controls/V-38518.rb' + - 'controls/V-38519.rb' + - 'controls/V-38623.rb' + +# Offense count: 264 +# Configuration parameters: CountComments, ExcludedMethods. +# ExcludedMethods: refine +Metrics/BlockLength: + Max: 101 + +# Offense count: 264 +# Configuration parameters: ExpectMatchingDefinition, Regex, IgnoreExecutableScripts, AllowedAcronyms. +# AllowedAcronyms: CLI, DSL, ACL, API, ASCII, CPU, CSS, DNS, EOF, GUID, HTML, HTTP, HTTPS, ID, IP, JSON, LHS, QPS, RAM, RHS, RPC, SLA, SMTP, SQL, SSH, TCP, TLS, TTL, UDP, UI, UID, UUID, URI, URL, UTF8, VM, XML, XMPP, XSRF, XSS +Naming/FileName: + Enabled: false + +# Offense count: 4 +Style/MultilineBlockChain: + Exclude: + - 'controls/V-38518.rb' + - 'controls/V-38519.rb' + - 'controls/V-38623.rb' + - 'controls/V-51391.rb' + +# Offense count: 93 +# Cop supports --auto-correct. +# Configuration parameters: EnforcedStyle, AllowInnerSlashes. 
+# SupportedStyles: slashes, percent_r, mixed +Style/RegexpLiteral: + EnforcedStyle: mixed + Enabled: true + +# Offense count: 262 +# Configuration parameters: AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, IgnoredPatterns. +# URISchemes: http, https +Metrics/LineLength: + Max: 240 diff --git a/LICENSE.md b/LICENSE.md index edfa841..38adca2 100644 --- a/LICENSE.md +++ b/LICENSE.md @@ -1,11 +1,16 @@ -Licensed under the Apache 2.0 license. +Licensed under the Apache 2.0 license. -Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: +Redistribution and use in source and binary forms, with or without modification, +are permitted provided that the following conditions are met: -* Redistributions of source code must retain the above copyright/ digital rights legend, this list of conditions and the following Notice. +* Redistributions of source code must retain the above copyright/ digital rights + legend, this list of conditions and the following Notice. -* Redistributions in binary form must reproduce the above copyright copyright/ digital rights legend, this list of conditions and the following Notice in the documentation and/or other materials provided with the distribution. +* Redistributions in binary form must reproduce the above copyright copyright/ + digital rights legend, this list of conditions and the following Notice in the + documentation and/or other materials provided with the distribution. -* Neither the name of The MITRE Corporation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. - +* Neither the name of The MITRE Corporation nor the names of its contributors may + be used to endorse or promote products derived from this software without + specific prior written permission. diff --git a/README.md b/README.md index 02a9922..657d75c 100644 --- a/README.md 
+++ b/README.md 
@@ -1,34 +1,42 @@ -# disa_stig_rhel6_baseline +# disa_stig_rhel6_baseline An InSpec profile of the DISA RHEL6 STIG baseline ## Versioning and State of Development -This project uses the [Semantic Versioning Policy](https://semver.org/). + +This project uses the [Semantic Versioning Policy](https://semver.org/). ### Branches -The master branch contains the latest version of the software leading up to a new release. -Other branches contain feature-specific updates. +The master branch contains the latest version of the software leading up to a new release. + +Other branches contain feature-specific updates. ### Tags + Tags indicate official releases of the project. -Please note 0.x releases are works in progress (WIP) and may change at any time. +Please note 0.x releases are works in progress (WIP) and may change at any time. -## NOTICE +### NOTICE -© 2018 The MITRE Corporation. +© 2018 The MITRE Corporation. -Approved for Public Release; Distribution Unlimited. Case Number 18-3678. +Approved for Public Release; Distribution Unlimited. Case Number 18-3678. -## NOTICE +### NOTICE -This software was produced for the U. S. Government under Contract Number HHSM-500-2012-00008I, and is subject to Federal Acquisition Regulation Clause 52.227-14, Rights in Data-General. +This software was produced for the U. S. Government under Contract Number +HHSM-500-2012-00008I, and is subject to Federal Acquisition Regulation Clause +52.227-14, Rights in Data-General. -No other use other than that granted to the U. S. Government, or to those acting on behalf of the U. S. Government under that Clause is authorized without the express written permission of The MITRE Corporation. +No other use other than that granted to the U. S. Government, or to those acting +on behalf of the U. S. Government under that Clause is authorized without the +express written permission of The MITRE Corporation. 
-For further information, please contact The MITRE Corporation, Contracts Management Office, 7515 Colshire Drive, McLean, VA 22102-7539, (703) 983-6000. +For further information, please contact The MITRE Corporation, Contracts +Management Office, 7515 Colshire Drive, McLean, VA 22102-7539, (703) 983-6000. -## NOTICE +### NOTICE DISA STIGs are published by DISA IASE, see: https://iase.disa.mil/Pages/privacy_policy.aspx diff --git a/controls/V-38437.rb b/controls/V-38437.rb index fb132a7..79c7944 100644 --- a/controls/V-38437.rb +++ b/controls/V-38437.rb @@ -1,4 +1,4 @@ -control "V-38437" do +control 'V-38437' do title "Automated file system mounting tools must not be enabled unless needed." desc "All filesystems that are required for the successful operation of the @@ -14,13 +14,13 @@ statically by editing \"/etc/fstab\" rather than relying on the automounter. " impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38437" - tag "rid": "SV-50237r1_rule" - tag "stig_id": "RHEL-06-000526" - tag "fix_id": "F-43381r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38437' + tag "rid": 'SV-50237r1_rule' + tag "stig_id": 'RHEL-06-000526' + tag "fix_id": 'F-43381r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
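Review bot: The `tag` lines in this hunk keep the quoted-symbol key while the value switches to single quotes, e.g. `tag "gtitle": 'SRG-OS-999999'`, so each line now mixes two quoting styles. A plain symbol key is equivalent and reads more cleanly: `tag gtitle: 'SRG-OS-999999'`, `tag nist: ['CM-6 b', 'Rev_4']`. The same pattern appears in the tag blocks of the other control files touched by this patch (V-38438, V-38439, V-38443 and onward). The `control` block continues past the end of this hunk.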
@@ -54,26 +54,25 @@ # service autofs stop" - describe service("autofs").runlevels(/0/) do + describe service('autofs').runlevels(/0/) do it { should_not be_enabled } end - describe service("autofs").runlevels(/1/) do + describe service('autofs').runlevels(/1/) do it { should_not be_enabled } end - describe service("autofs").runlevels(/2/) do + describe service('autofs').runlevels(/2/) do it { should_not be_enabled } end - describe service("autofs").runlevels(/3/) do + describe service('autofs').runlevels(/3/) do it { should_not be_enabled } end - describe service("autofs").runlevels(/4/) do + describe service('autofs').runlevels(/4/) do it { should_not be_enabled } end - describe service("autofs").runlevels(/5/) do + describe service('autofs').runlevels(/5/) do it { should_not be_enabled } end - describe service("autofs").runlevels(/6/) do + describe service('autofs').runlevels(/6/) do it { should_not be_enabled } end end - diff --git a/controls/V-38438.rb b/controls/V-38438.rb index e732b7a..8f98fb5 100644 --- a/controls/V-38438.rb +++ b/controls/V-38438.rb 
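Review bot: The seven `describe service('autofs').runlevels(/N/)` blocks assert only that the service is not enabled; nothing in the hunk checks that it is not running, although the fix text just above ends with `service autofs stop`. If the STIG check text (outside this hunk) also expects a stopped service, add `describe service('autofs') do it { should_not be_running } end`. The seven blocks differ only in the runlevel digit and could be generated from a single `(0..6).each` loop. The `control` block opens outside the hunk.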
@@ -1,17 +1,17 @@ -control "V-38438" do - title "Auditing must be enabled at boot by setting a kernel parameter." +control 'V-38438' do + title 'Auditing must be enabled at boot by setting a kernel parameter.' desc "Each process on the system carries an \"auditable\" flag which indicates whether its activities can be audited. Although \"auditd\" takes care of enabling this for all processes which launch after it does, adding the kernel argument ensures it is set for every process during boot." impact 0.3 - tag "gtitle": "SRG-OS-000062" - tag "gid": "V-38438" - tag "rid": "SV-50238r4_rule" - tag "stig_id": "RHEL-06-000525" - tag "fix_id": "F-43382r4_fix" - tag "cci": ["CCI-000169"] - tag "nist": ["AU-12 a", "Rev_4"] + tag "gtitle": 'SRG-OS-000062' + tag "gid": 'V-38438' + tag "rid": 'SV-50238r4_rule' + tag "stig_id": 'RHEL-06-000525' + tag "fix_id": 'F-43382r4_fix' + tag "cci": ['CCI-000169'] + tag "nist": ['AU-12 a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -42,12 +42,11 @@ UEFI systems may prepend \"/boot\" to the \"/vmlinuz-version\" argument." describe.one do - describe file("/boot/grub/grub.conf") do - its("content") { should match(/^\s*kernel\s(?:\/boot)?\/vmlinuz.*audit=1.*$/) } + describe file('/boot/grub/grub.conf') do + its('content') { should match(/^\s*kernel\s(?:\/boot)?\/vmlinuz.*audit=1.*$/) } end - describe file("/boot/efi/EFI/redhat/grub.conf") do - its("content") { should match(/^\s*kernel\s(?:\/boot)?\/vmlinuz.*audit=1.*$/) } + describe file('/boot/efi/EFI/redhat/grub.conf') do + its('content') { should match(/^\s*kernel\s(?:\/boot)?\/vmlinuz.*audit=1.*$/) } end end end - diff --git a/controls/V-38439.rb b/controls/V-38439.rb index 9a348e2..2a06a35 100644 --- a/controls/V-38439.rb +++ b/controls/V-38439.rb 
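Review bot: The pattern used in both `describe file(...)` blocks, `/^\s*kernel\s(?:\/boot)?\/vmlinuz.*audit=1.*$/`, is looser than the control's intent and the commit only changes the quoting around it. `.*audit=1.*` also accepts `audit=10` or any longer parameter name ending in `audit`, so the argument should be bounded, e.g. `/^\s*kernel\s(?:\/boot)?\/vmlinuz.*\saudit=1(?:\s|$)/`. A single matching `kernel` line also satisfies `match`, so a grub.conf with several boot entries passes even when some entries lack the argument; collecting the `kernel` lines from `content` and asserting on each of them would close that gap. The `control` block starts outside the hunk.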
@@ -1,4 +1,4 @@ -control "V-38439" do +control 'V-38439' do title "The system must provide automated support for account management functions." desc "A comprehensive account management process that includes automation @@ -7,13 +7,13 @@ challenging and complex. A user management process requiring administrators to manually address account management functions adds risk of potential oversight." impact 0.5 - tag "gtitle": "SRG-OS-000001" - tag "gid": "V-38439" - tag "rid": "SV-50239r1_rule" - tag "stig_id": "RHEL-06-000524" - tag "fix_id": "F-43384r1_fix" - tag "cci": ["CCI-000015"] - tag "nist": ["AC-2 (1)", "Rev_4"] + tag "gtitle": 'SRG-OS-000001' + tag "gid": 'V-38439' + tag "rid": 'SV-50239r1_rule' + tag "stig_id": 'RHEL-06-000524' + tag "fix_id": 'F-43384r1_fix' + tag "cci": ['CCI-000015'] + tag "nist": ['AC-2 (1)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -34,8 +34,7 @@ this system should integrate with an existing enterprise user management system, such as, one based Active Directory or Kerberos." - describe "Manual test" do - skip "This control must be reviewed manually" + describe 'Manual test' do + skip 'This control must be reviewed manually' end end - diff --git a/controls/V-38443.rb b/controls/V-38443.rb index da82487..bd08a88 100644 --- a/controls/V-38443.rb +++ b/controls/V-38443.rb 
@@ -1,15 +1,15 @@ -control "V-38443" do - title "The /etc/gshadow file must be owned by root." +control 'V-38443' do + title 'The /etc/gshadow file must be owned by root.' desc "The \"/etc/gshadow\" file contains group password hashes. Protection of this file is critical for system security." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38443" - tag "rid": "SV-50243r1_rule" - tag "stig_id": "RHEL-06-000036" - tag "fix_id": "F-43388r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38443' + tag "rid": 'SV-50243r1_rule' + tag "stig_id": 'RHEL-06-000036' + tag "fix_id": 'F-43388r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -31,11 +31,10 @@ # chown root /etc/gshadow" - describe file("/etc/gshadow") do + describe file('/etc/gshadow') do it { should exist } end - describe file("/etc/gshadow") do - its("uid") { should cmp 0 } + describe file('/etc/gshadow') do + its('uid') { should cmp 0 } end end - diff --git a/controls/V-38444.rb b/controls/V-38444.rb index 57450ac..18d9e0d 100644 --- a/controls/V-38444.rb +++ b/controls/V-38444.rb @@ -1,4 +1,4 @@ -control "V-38444" do +control 'V-38444' do title "The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets." desc "In \"ip6tables\" the default policy is applied only after all the 
@@ -6,13 +6,13 @@ policy to \"DROP\" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted." impact 0.5 - tag "gtitle": "SRG-OS-000231" - tag "gid": "V-38444" - tag "rid": "SV-50244r2_rule" - tag "stig_id": "RHEL-06-000523" - tag "fix_id": "F-43389r3_fix" - tag "cci": ["CCI-000066"] - tag "nist": ["AC-17 e", "Rev_4"] + tag "gtitle": 'SRG-OS-000231' + tag "gid": 'V-38444' + tag "rid": 'SV-50244r2_rule' + tag "stig_id": 'RHEL-06-000523' + tag "fix_id": 'F-43389r3_fix' + tag "cci": ['CCI-000066'] + tag "nist": ['AC-17 e', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -42,8 +42,7 @@ # service ip6tables restart" - describe command("ip6tables -nvL | grep -i input") do - its('stdout.strip') { should match %r{Chain INPUT \(policy DROP} } + describe command('ip6tables -nvL | grep -i input') do + its('stdout.strip') { should match /Chain INPUT \(policy DROP/ } end end - diff --git a/controls/V-38445.rb b/controls/V-38445.rb index 6a2c26d..78250f6 100644 --- a/controls/V-38445.rb +++ b/controls/V-38445.rb @@ -1,15 +1,15 @@ -control "V-38445" do - title "Audit log files must be group-owned by root." +control 'V-38445' do + title 'Audit log files must be group-owned by root.' desc "If non-privileged users can write to audit logs, audit trails can be modified or destroyed." impact 0.5 - tag "gtitle": "SRG-OS-000057" - tag "gid": "V-38445" - tag "rid": "SV-50245r2_rule" - tag "stig_id": "RHEL-06-000522" - tag "fix_id": "F-43390r1_fix" - tag "cci": ["CCI-000162"] - tag "nist": ["AU-9", "Rev_4"] + tag "gtitle": 'SRG-OS-000057' + tag "gid": 'V-38445' + tag "rid": 'SV-50245r2_rule' + tag "stig_id": 'RHEL-06-000522' + tag "fix_id": 'F-43390r1_fix' + tag "cci": ['CCI-000162'] + tag "nist": ['AU-9', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
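Review bot: In the `ip6tables` check, `should match /Chain INPUT \(policy DROP/` passes a bare regexp literal to `match` without parentheses, which Ruby warns about as an ambiguous first argument; the previous `%r{...}` form did not trigger that. This file is listed under `Lint/AmbiguousRegexpLiteral` in the new `.rubocop_todo.yml`, which suggests the auto-correct introduced the offense rather than removing one. Write `its('stdout.strip') { should match(/Chain INPUT \(policy DROP/) }` and drop the file from that exclusion list; the other files listed under the same cop likely need the same parentheses. The `control` block starts outside the hunk.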
@@ -32,8 +32,7 @@ # chgrp root [audit_file]" - describe command("grep \"^log_file\" /etc/audit/auditd.conf|sed s/^[^\\/]*//|xargs stat -c %G:%n") do - its('stdout.lines') { should all match %{^root:} } + describe command('grep "^log_file" /etc/audit/auditd.conf|sed s/^[^\\/]*//|xargs stat -c %G:%n') do + its('stdout.lines') { should all match %(^root:) } end end - diff --git a/controls/V-38446.rb b/controls/V-38446.rb index bb27063..ba2e1d1 100644 --- a/controls/V-38446.rb +++ b/controls/V-38446.rb @@ -1,17 +1,17 @@ -control "V-38446" do +control 'V-38446' do title "The mail system must forward all mail for root to one or more system administrators." desc "A number of system services utilize email messages sent to the root user to notify system administrators of active or impending issues. These messages must be forwarded to at least one monitored email address." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38446" - tag "rid": "SV-50246r2_rule" - tag "stig_id": "RHEL-06-000521" - tag "fix_id": "F-43391r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38446' + tag "rid": 'SV-50246r2_rule' + tag "stig_id": 'RHEL-06-000521' + tag "fix_id": 'F-43391r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -38,9 +38,9 @@ # echo \"root: @mail.mil\" >> /etc/aliases # newaliases" - alias_maps = parse_config(command("postconf alias_maps").stdout.strip).params['alias_maps'] + alias_maps = parse_config(command('postconf alias_maps').stdout.strip).params['alias_maps'] - describe "postconf alias_maps" do + describe 'postconf alias_maps' do subject { alias_maps } it { should_not be_empty } end @@ -49,4 +49,3 @@ its('stdout.strip') { should_not be_empty } end end - diff --git a/controls/V-38447.rb b/controls/V-38447.rb index 0706095..e556f7b 100644 --- a/controls/V-38447.rb +++ b/controls/V-38447.rb 
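Review bot: The audit-log group-ownership check in V-38445 passes vacuously when the pipeline prints nothing: if `log_file` is missing from auditd.conf or `stat` fails, `stdout.lines` is an empty array and `should all match` has nothing to reject. Add `its('stdout.strip') { should_not be_empty }` next to the existing expectation, and consider `its('exit_status') { should eq 0 }` as well. `%(^root:)` is a string literal rather than a regexp, so `should all match(/^root:/)` states the intent directly. The `control` block starts outside the hunk.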
@@ -1,17 +1,17 @@ -control "V-38447" do +control 'V-38447' do title "The system package management tool must verify contents of all files associated with packages." desc "The hash on important files like system executables should match the information given by the RPM database. Executables with erroneous hashes could be a sign of nefarious activity on the system." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38447" - tag "rid": "SV-50247r4_rule" - tag "stig_id": "RHEL-06-000519" - tag "fix_id": "F-43392r5_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38447' + tag "rid": 'SV-50247r4_rule' + tag "stig_id": 'RHEL-06-000519' + tag "fix_id": 'F-43392r5_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -50,9 +50,8 @@ yum reinstall [affected_package] " - # TODO check against an exception list attribute + # TODO: check against an exception list attribute describe command("rpm -Va | awk '$1 ~ /..5/ && $2 != \"c\"'") do its('stdout.strip') { should be_empty } end end - diff --git a/controls/V-38448.rb b/controls/V-38448.rb index 116ba0f..c61ed0f 100644 --- a/controls/V-38448.rb +++ b/controls/V-38448.rb 
@@ -1,15 +1,15 @@ -control "V-38448" do - title "The /etc/gshadow file must be group-owned by root." +control 'V-38448' do + title 'The /etc/gshadow file must be group-owned by root.' desc "The \"/etc/gshadow\" file contains group password hashes. Protection of this file is critical for system security." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38448" - tag "rid": "SV-50248r1_rule" - tag "stig_id": "RHEL-06-000037" - tag "fix_id": "F-43393r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38448' + tag "rid": 'SV-50248r1_rule' + tag "stig_id": 'RHEL-06-000037' + tag "fix_id": 'F-43393r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -33,11 +33,10 @@ # chgrp root /etc/gshadow" - describe file("/etc/gshadow") do + describe file('/etc/gshadow') do it { should exist } end - describe file("/etc/gshadow") do - its("gid") { should cmp 0 } + describe file('/etc/gshadow') do + its('gid') { should cmp 0 } end end - diff --git a/controls/V-38449.rb b/controls/V-38449.rb index 52ee652..95da7d4 100644 --- a/controls/V-38449.rb +++ b/controls/V-38449.rb 
@@ -1,15 +1,15 @@ -control "V-38449" do - title "The /etc/gshadow file must have mode 0000." +control 'V-38449' do + title 'The /etc/gshadow file must have mode 0000.' desc "The /etc/gshadow file contains group password hashes. Protection of this file is critical for system security." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38449" - tag "rid": "SV-50249r1_rule" - tag "stig_id": "RHEL-06-000038" - tag "fix_id": "F-43394r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38449' + tag "rid": 'SV-50249r1_rule' + tag "stig_id": 'RHEL-06-000038' + tag "fix_id": 'F-43394r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -32,50 +32,49 @@ # chmod 0000 /etc/gshadow" - describe file("/etc/gshadow") do + describe file('/etc/gshadow') do it { should exist } end - describe file("/etc/gshadow") do - it { should_not be_executable.by "group" } + describe file('/etc/gshadow') do + it { should_not be_executable.by 'group' } end - describe file("/etc/gshadow") do - it { should_not be_readable.by "group" } + describe file('/etc/gshadow') do + it { should_not be_readable.by 'group' } end - describe file("/etc/gshadow") do - its("gid") { should cmp 0 } + describe file('/etc/gshadow') do + its('gid') { should cmp 0 } end - describe file("/etc/gshadow") do - it { should_not be_writable.by "group" } + describe file('/etc/gshadow') do + it { should_not be_writable.by 'group' } end - describe file("/etc/gshadow") do - it { should_not be_executable.by "other" } + describe file('/etc/gshadow') do + it { should_not be_executable.by 'other' } end - describe file("/etc/gshadow") do - it { should_not be_readable.by "other" } + describe file('/etc/gshadow') do + it { should_not be_readable.by 'other' } end - describe file("/etc/gshadow") do - it { should_not be_writable.by "other" } + describe file('/etc/gshadow') do + it { should_not be_writable.by 'other' } end - describe file("/etc/gshadow") do + describe file('/etc/gshadow') do it { should_not be_setgid } end - describe file("/etc/gshadow") do + describe file('/etc/gshadow') do it { should_not be_sticky } end - describe file("/etc/gshadow") do + describe file('/etc/gshadow') do it { should_not be_setuid } end - describe file("/etc/gshadow") do - it { should_not be_executable.by "owner" } + describe file('/etc/gshadow') do + it { should_not be_executable.by 'owner' } end - describe file("/etc/gshadow") do - it { should_not be_readable.by "owner" } + describe file('/etc/gshadow') do + it { should_not be_readable.by 'owner' } end - describe file("/etc/gshadow") do - its("uid") { should cmp 0 } + describe file('/etc/gshadow') do + its('uid') { should cmp 
0 } end - describe file("/etc/gshadow") do - it { should_not be_writable.by "owner" } + describe file('/etc/gshadow') do + it { should_not be_writable.by 'owner' } end end - diff --git a/controls/V-38450.rb b/controls/V-38450.rb index 04a8c33..a3e16d9 100644 --- a/controls/V-38450.rb +++ b/controls/V-38450.rb @@ -1,16 +1,16 @@ -control "V-38450" do - title "The /etc/passwd file must be owned by root." +control 'V-38450' do + title 'The /etc/passwd file must be owned by root.' desc "The \"/etc/passwd\" file contains information about the users that are configured on the system. Protection of this file is critical for system security." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38450" - tag "rid": "SV-50250r1_rule" - tag "stig_id": "RHEL-06-000039" - tag "fix_id": "F-43395r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38450' + tag "rid": 'SV-50250r1_rule' + tag "stig_id": 'RHEL-06-000039' + tag "fix_id": 'F-43395r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -32,11 +32,10 @@ # chown root /etc/passwd" - describe file("/etc/passwd") do + describe file('/etc/passwd') do it { should exist } end - describe file("/etc/passwd") do - its("uid") { should cmp 0 } + describe file('/etc/passwd') do + its('uid') { should cmp 0 } end end - diff --git a/controls/V-38451.rb b/controls/V-38451.rb index 51f9f17..9784b57 100644 --- a/controls/V-38451.rb +++ b/controls/V-38451.rb 
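Review bot: The fifteen `describe file('/etc/gshadow')` blocks in the `@@ -32,50 +32,49 @@` hunk of controls/V-38449.rb spell out mode 0000 one permission bit at a time. Two of them (`its('gid')` and `its('uid')`) test ownership, which the title does not cover; V-38448 already checks the group. A single `its('mode') { should cmp '0000' }` in one describe block would state the rule directly and report the actual mode on failure. The control block starts above this hunk.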
@@ -1,16 +1,16 @@ -control "V-38451" do - title "The /etc/passwd file must be group-owned by root." +control 'V-38451' do + title 'The /etc/passwd file must be group-owned by root.' desc "The \"/etc/passwd\" file contains information about the users that are configured on the system. Protection of this file is critical for system security." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38451" - tag "rid": "SV-50251r1_rule" - tag "stig_id": "RHEL-06-000040" - tag "fix_id": "F-43396r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38451' + tag "rid": 'SV-50251r1_rule' + tag "stig_id": 'RHEL-06-000040' + tag "fix_id": 'F-43396r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -34,11 +34,10 @@ # chgrp root /etc/passwd" - describe file("/etc/passwd") do + describe file('/etc/passwd') do it { should exist } end - describe file("/etc/passwd") do - its("gid") { should cmp 0 } + describe file('/etc/passwd') do + its('gid') { should cmp 0 } end end - diff --git a/controls/V-38452.rb b/controls/V-38452.rb index 92c4f2b..52f46f5 100644 --- a/controls/V-38452.rb +++ b/controls/V-38452.rb @@ -1,4 +1,4 @@ -control "V-38452" do +control 'V-38452' do title "The system package management tool must verify permissions on all files and directories associated with packages." desc "Permissions on system binaries and configuration files that are too 
@@ -6,13 +6,13 @@ not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38452" - tag "rid": "SV-50252r2_rule" - tag "stig_id": "RHEL-06-000518" - tag "fix_id": "F-43398r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38452' + tag "rid": 'SV-50252r2_rule' + tag "stig_id": 'RHEL-06-000518' + tag "fix_id": 'F-43398r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -51,4 +51,3 @@ its('stdout.strip') { should be_empty } end end - diff --git a/controls/V-38453.rb b/controls/V-38453.rb index 73dc6e3..6583fb2 100644 --- a/controls/V-38453.rb +++ b/controls/V-38453.rb @@ -1,4 +1,4 @@ -control "V-38453" do +control 'V-38453' do title "The system package management tool must verify group-ownership on all files and directories associated with packages." desc "Group-ownership of system binaries and configuration files that is @@ -6,13 +6,13 @@ not have. The group-ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38453" - tag "rid": "SV-50253r2_rule" - tag "stig_id": "RHEL-06-000517" - tag "fix_id": "F-43399r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38453' + tag "rid": 'SV-50253r2_rule' + tag "stig_id": 'RHEL-06-000517' + tag "fix_id": 'F-43399r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -42,9 +42,8 @@ # rpm -qf [file or directory name] # rpm --setugids [package]" - # TODO check against an exception list attribute + # TODO: check against an exception list attribute describe command("rpm -Va | grep '^......G'") do its('stdout.strip') { should eq '' } end end - diff --git a/controls/V-38454.rb b/controls/V-38454.rb index 193ffa8..c3cfb89 100644 --- a/controls/V-38454.rb +++ b/controls/V-38454.rb @@ -1,4 +1,4 @@ -control "V-38454" do +control 'V-38454' do title "The system package management tool must verify ownership on all files and directories associated with packages." desc "Ownership of system binaries and configuration files that is incorrect @@ -6,13 +6,13 @@ The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38454" - tag "rid": "SV-50254r2_rule" - tag "stig_id": "RHEL-06-000516" - tag "fix_id": "F-43400r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38454' + tag "rid": 'SV-50254r2_rule' + tag "stig_id": 'RHEL-06-000516' + tag "fix_id": 'F-43400r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -45,4 +45,3 @@ its('stdout.strip') { should be_empty } end end - diff --git a/controls/V-38455.rb b/controls/V-38455.rb index c3f42f3..134d6b3 100644 --- a/controls/V-38455.rb +++ b/controls/V-38455.rb 
@@ -1,16 +1,16 @@ -control "V-38455" do - title "The system must use a separate file system for /tmp." +control 'V-38455' do + title 'The system must use a separate file system for /tmp.' desc "The \"/tmp\" partition is used as temporary storage by many programs. Placing \"/tmp\" in its own partition enables the setting of more restrictive mount options, which can help protect programs which use it." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38455" - tag "rid": "SV-50255r1_rule" - tag "stig_id": "RHEL-06-000001" - tag "fix_id": "F-43387r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38455' + tag "rid": 'SV-50255r1_rule' + tag "stig_id": 'RHEL-06-000001' + tag "fix_id": 'F-43387r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -32,8 +32,7 @@ temporary file storage. Ensure it has its own partition or logical volume at installation time, or migrate it using LVM." - describe mount("/tmp") do + describe mount('/tmp') do it { should be_mounted } end end - diff --git a/controls/V-38456.rb b/controls/V-38456.rb index 44b949c..add877f 100644 --- a/controls/V-38456.rb +++ b/controls/V-38456.rb 
@@ -1,18 +1,18 @@ -control "V-38456" do - title "The system must use a separate file system for /var." +control 'V-38456' do + title 'The system must use a separate file system for /var.' desc "Ensuring that \"/var\" is mounted on its own partition enables the setting of more restrictive mount options. This helps protect system services such as daemons or other programs which use it. It is not uncommon for the \"/var\" directory to contain world-writable directories, installed by other software packages." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38456" - tag "rid": "SV-50256r1_rule" - tag "stig_id": "RHEL-06-000002" - tag "fix_id": "F-43401r2_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38456' + tag "rid": 'SV-50256r1_rule' + tag "stig_id": 'RHEL-06-000002' + tag "fix_id": 'F-43401r2_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -34,8 +34,7 @@ services to store frequently-changing data. Ensure that \"/var\" has its own partition or logical volume at installation time, or migrate it using LVM." - describe mount("/var") do + describe mount('/var') do it { should be_mounted } end end - diff --git a/controls/V-38457.rb b/controls/V-38457.rb index 469f6f1..efc241a 100644 --- a/controls/V-38457.rb +++ b/controls/V-38457.rb 
@@ -1,17 +1,17 @@ -control "V-38457" do - title "The /etc/passwd file must have mode 0644 or less permissive." +control 'V-38457' do + title 'The /etc/passwd file must have mode 0644 or less permissive.' desc "If the \"/etc/passwd\" file is writable by a group-owner or the world the risk of its compromise is increased. The file contains the list of accounts on the system and associated information, and protection of this file is critical for system security." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38457" - tag "rid": "SV-50257r1_rule" - tag "stig_id": "RHEL-06-000041" - tag "fix_id": "F-43397r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38457' + tag "rid": 'SV-50257r1_rule' + tag "stig_id": 'RHEL-06-000041' + tag "fix_id": 'F-43397r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -34,50 +34,49 @@ # chmod 0644 /etc/passwd" - describe file("/etc/passwd") do + describe file('/etc/passwd') do it { should exist } end - describe file("/etc/passwd") do - it { should_not be_executable.by "group" } + describe file('/etc/passwd') do + it { should_not be_executable.by 'group' } end - describe file("/etc/passwd") do - it { should be_readable.by "group" } + describe file('/etc/passwd') do + it { should be_readable.by 'group' } end - describe file("/etc/passwd") do - its("gid") { should cmp 0 } + describe file('/etc/passwd') do + its('gid') { should cmp 0 } end - describe file("/etc/passwd") do - it { should_not be_writable.by "group" } + describe file('/etc/passwd') do + it { should_not be_writable.by 'group' } end - describe file("/etc/passwd") do - it { should_not be_executable.by "other" } + describe file('/etc/passwd') do + it { should_not be_executable.by 'other' } end - describe file("/etc/passwd") do - it { should be_readable.by "other" } + describe file('/etc/passwd') do + it { should be_readable.by 'other' } end - describe file("/etc/passwd") do - it { should_not be_writable.by "other" } + describe file('/etc/passwd') do + it { should_not be_writable.by 'other' } end - describe file("/etc/passwd") do + describe file('/etc/passwd') do it { should_not be_setgid } end - describe file("/etc/passwd") do + describe file('/etc/passwd') do it { should_not be_sticky } end - describe file("/etc/passwd") do + describe file('/etc/passwd') do it { should_not be_setuid } end - describe file("/etc/passwd") do - it { should_not be_executable.by "owner" } + describe file('/etc/passwd') do + it { should_not be_executable.by 'owner' } end - describe file("/etc/passwd") do - it { should be_readable.by "owner" } + describe file('/etc/passwd') do + it { should be_readable.by 'owner' } end - describe file("/etc/passwd") do - its("uid") { should cmp 0 } + describe file('/etc/passwd') do + its('uid') { should cmp 0 } end - describe file("/etc/passwd") do - it { 
should be_writable.by "owner" } + describe file('/etc/passwd') do + it { should be_writable.by 'owner' } end end - diff --git a/controls/V-38458.rb b/controls/V-38458.rb index db67e07..7eb5411 100644 --- a/controls/V-38458.rb +++ b/controls/V-38458.rb @@ -1,16 +1,16 @@ -control "V-38458" do - title "The /etc/group file must be owned by root." +control 'V-38458' do + title 'The /etc/group file must be owned by root.' desc "The \"/etc/group\" file contains information regarding groups that are configured on the system. Protection of this file is important for system security." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38458" - tag "rid": "SV-50258r1_rule" - tag "stig_id": "RHEL-06-000042" - tag "fix_id": "F-43403r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38458' + tag "rid": 'SV-50258r1_rule' + tag "stig_id": 'RHEL-06-000042' + tag "fix_id": 'F-43403r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -32,11 +32,10 @@ # chown root /etc/group" - describe file("/etc/group") do + describe file('/etc/group') do it { should exist } end - describe file("/etc/group") do - its("uid") { should cmp 0 } + describe file('/etc/group') do + its('uid') { should cmp 0 } end end - diff --git a/controls/V-38459.rb b/controls/V-38459.rb index 537a4f2..615ea46 100644 --- a/controls/V-38459.rb +++ b/controls/V-38459.rb 
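Review bot: The positive assertions in the `@@ -34,50 +34,49 @@` hunk of controls/V-38457.rb (`should be_readable.by 'group'`, `should be_readable.by 'other'`, `should be_readable.by 'owner'`, `should be_writable.by 'owner'`) make the control fail for modes stricter than 0644, such as 0600 or 0444. The title allows "0644 or less permissive", so a hardened system would be reported as a finding. Only the `should_not` checks are needed for the upper bound; either drop the four positive ones, or use `it { should_not be_more_permissive_than('0644') }` if the InSpec version in use provides that matcher. The same pattern appears in the `@@ -33,35 +33,34 @@` hunk of controls/V-38461.rb for /etc/group. The control block starts above this hunk.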
@@ -1,16 +1,16 @@ -control "V-38459" do - title "The /etc/group file must be group-owned by root." +control 'V-38459' do + title 'The /etc/group file must be group-owned by root.' desc "The \"/etc/group\" file contains information regarding groups that are configured on the system. Protection of this file is important for system security." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38459" - tag "rid": "SV-50259r1_rule" - tag "stig_id": "RHEL-06-000043" - tag "fix_id": "F-43404r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38459' + tag "rid": 'SV-50259r1_rule' + tag "stig_id": 'RHEL-06-000043' + tag "fix_id": 'F-43404r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -34,11 +34,10 @@ # chgrp root /etc/group" - describe file("/etc/group") do + describe file('/etc/group') do it { should exist } end - describe file("/etc/group") do - its("gid") { should cmp 0 } + describe file('/etc/group') do + its('gid') { should cmp 0 } end end - diff --git a/controls/V-38460.rb b/controls/V-38460.rb index e474ba7..ea81390 100644 --- a/controls/V-38460.rb +++ b/controls/V-38460.rb 
@@ -1,16 +1,16 @@ -control "V-38460" do - title "The NFS server must not have the all_squash option enabled." +control 'V-38460' do + title 'The NFS server must not have the all_squash option enabled.' desc "The \"all_squash\" option maps all client requests to a single anonymous uid/gid on the NFS server, negating the ability to track file access by user ID." impact 0.3 - tag "gtitle": "SRG-OS-000104" - tag "gid": "V-38460" - tag "rid": "SV-50260r1_rule" - tag "stig_id": "RHEL-06-000515" - tag "fix_id": "F-43405r1_fix" - tag "cci": ["CCI-000764"] - tag "nist": ["IA-2", "Rev_4"] + tag "gtitle": 'SRG-OS-000104' + tag "gid": 'V-38460' + tag "rid": 'SV-50260r1_rule' + tag "stig_id": 'RHEL-06-000515' + tag "fix_id": 'F-43405r1_fix' + tag "cci": ['CCI-000764'] + tag "nist": ['IA-2', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -39,8 +39,7 @@ # service nfs restart" - describe command("grep all_squash /etc/exports") do + describe command('grep all_squash /etc/exports') do its('stdout.strip') { should be_empty } end end - diff --git a/controls/V-38461.rb b/controls/V-38461.rb index d4fd5f7..6753dbf 100644 --- a/controls/V-38461.rb +++ b/controls/V-38461.rb 
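Review bot: `grep all_squash /etc/exports` in the `@@ -39,8 +39,7 @@` hunk of controls/V-38460.rb is a substring match, so it also hits the opposite option `no_all_squash` and any commented-out line. A compliant exports file is then reported as a finding. Matching the option as a whole word on non-comment lines avoids this, e.g. `describe command("grep -v '^[[:space:]]*#' /etc/exports | grep -w all_squash") do`. A missing /etc/exports also gives empty stdout and passes silently, which may or may not be intended.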
@@ -1,16 +1,16 @@ -control "V-38461" do - title "The /etc/group file must have mode 0644 or less permissive." +control 'V-38461' do + title 'The /etc/group file must have mode 0644 or less permissive.' desc "The \"/etc/group\" file contains information regarding groups that are configured on the system. Protection of this file is important for system security." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38461" - tag "rid": "SV-50261r1_rule" - tag "stig_id": "RHEL-06-000044" - tag "fix_id": "F-43406r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38461' + tag "rid": 'SV-50261r1_rule' + tag "stig_id": 'RHEL-06-000044' + tag "fix_id": 'F-43406r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -33,35 +33,34 @@ # chmod 644 /etc/group" - describe file("/etc/group") do + describe file('/etc/group') do it { should exist } end - describe file("/etc/group") do - it { should_not be_executable.by "group" } + describe file('/etc/group') do + it { should_not be_executable.by 'group' } end - describe file("/etc/group") do - it { should be_readable.by "group" } + describe file('/etc/group') do + it { should be_readable.by 'group' } end - describe file("/etc/group") do - it { should_not be_writable.by "group" } + describe file('/etc/group') do + it { should_not be_writable.by 'group' } end - describe file("/etc/group") do - it { should_not be_executable.by "other" } + describe file('/etc/group') do + it { should_not be_executable.by 'other' } end - describe file("/etc/group") do - it { should be_readable.by "other" } + describe file('/etc/group') do + it { should be_readable.by 'other' } end - describe file("/etc/group") do - it { should_not be_writable.by "other" } + describe file('/etc/group') do + it { should_not be_writable.by 'other' } end - describe file("/etc/group") do - it { should_not be_executable.by "owner" } + describe file('/etc/group') do + it { should_not be_executable.by 'owner' } end - describe file("/etc/group") do - it { should be_readable.by "owner" } + describe file('/etc/group') do + it { should be_readable.by 'owner' } end - describe file("/etc/group") do - it { should be_writable.by "owner" } + describe file('/etc/group') do + it { should be_writable.by 'owner' } end end - diff --git a/controls/V-38463.rb b/controls/V-38463.rb index 4dce179..993df41 100644 --- a/controls/V-38463.rb +++ b/controls/V-38463.rb 
@@ -1,15 +1,15 @@ -control "V-38463" do - title "The system must use a separate file system for /var/log." +control 'V-38463' do + title 'The system must use a separate file system for /var/log.' desc "Placing \"/var/log\" in its own partition enables better separation between log files and other files in \"/var/\"." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38463" - tag "rid": "SV-50263r1_rule" - tag "stig_id": "RHEL-06-000003" - tag "fix_id": "F-43408r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38463' + tag "rid": 'SV-50263r1_rule' + tag "stig_id": 'RHEL-06-000003' + tag "fix_id": 'F-43408r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -31,8 +31,7 @@ it has its own partition or logical volume at installation time, or migrate it using LVM." - describe mount("/var/log") do + describe mount('/var/log') do it { should be_mounted } end end - diff --git a/controls/V-38464.rb b/controls/V-38464.rb index dcb32ad..b548efe 100644 --- a/controls/V-38464.rb +++ b/controls/V-38464.rb @@ -1,16 +1,16 @@ -control "V-38464" do +control 'V-38464' do title "The audit system must take appropriate action when there are disk errors on the audit storage volume." desc "Taking appropriate action in case of disk errors will minimize the possibility of losing audit records." impact 0.5 - tag "gtitle": "SRG-OS-000047" - tag "gid": "V-38464" - tag "rid": "SV-50264r1_rule" - tag "stig_id": "RHEL-06-000511" - tag "fix_id": "F-43410r1_fix" - tag "cci": ["CCI-000140"] - tag "nist": ["AU-5 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000047' + tag "gid": 'V-38464' + tag "rid": 'SV-50264r1_rule' + tag "stig_id": 'RHEL-06-000511' + tag "fix_id": 'F-43410r1_fix' + tag "cci": ['CCI-000140'] + tag "nist": ['AU-5 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -51,7 +51,6 @@ describe parse_config_file('/etc/audit/auditd.conf') do its('disk_error_action') { should_not be_nil } - its('disk_error_action.downcase') { should_not be_in ['suspend', 'ignore'] } + its('disk_error_action.downcase') { should_not be_in %w[suspend ignore] } end end - diff --git a/controls/V-38465.rb b/controls/V-38465.rb index cffa524..3739481 100644 --- a/controls/V-38465.rb +++ b/controls/V-38465.rb @@ -1,17 +1,17 @@ -control "V-38465" do - title "Library files must have mode 0755 or less permissive." +control 'V-38465' do + title 'Library files must have mode 0755 or less permissive.' desc "Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Restrictive permissions are necessary to protect the integrity of the system." impact 0.5 - tag "gtitle": "SRG-OS-000259" - tag "gid": "V-38465" - tag "rid": "SV-50265r3_rule" - tag "stig_id": "RHEL-06-000045" - tag "fix_id": "F-43409r2_fix" - tag "cci": ["CCI-001499"] - tag "nist": ["CM-5 (6)", "Rev_4"] + tag "gtitle": 'SRG-OS-000259' + tag "gid": 'V-38465' + tag "rid": 'SV-50265r3_rule' + tag "stig_id": 'RHEL-06-000045' + tag "fix_id": 'F-43409r2_fix' + tag "cci": ['CCI-001499'] + tag "nist": ['CM-5 (6)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -57,11 +57,10 @@ # chmod go-w [FILE]" - libs = ["/lib", "/lib64", "/usr/lib", "/usr/lib64"] + libs = ['/lib', '/lib64', '/usr/lib', '/usr/lib64'] libs.each do |l| describe command("find -L #{l} -perm /022 -type f") do its('stdout.strip') { should be_empty } end end end - diff --git a/controls/V-38466.rb b/controls/V-38466.rb index a4ded20..d2ca239 100644 --- a/controls/V-38466.rb +++ b/controls/V-38466.rb 
@@ -1,16 +1,16 @@ -control "V-38466" do - title "Library files must be owned by a system account." +control 'V-38466' do + title 'Library files must be owned by a system account.' desc "Files from shared library directories are loaded into the address space of processes (including privileged ones) or of the kernel itself at runtime. Proper ownership is necessary to protect the integrity of the system." impact 0.5 - tag "gtitle": "SRG-OS-000259" - tag "gid": "V-38466" - tag "rid": "SV-50266r4_rule" - tag "stig_id": "RHEL-06-000046" - tag "fix_id": "F-43411r4_fix" - tag "cci": ["CCI-001499"] - tag "nist": ["CM-5 (6)", "Rev_4"] + tag "gtitle": 'SRG-OS-000259' + tag "gid": 'V-38466' + tag "rid": 'SV-50266r4_rule' + tag "stig_id": 'RHEL-06-000046' + tag "fix_id": 'F-43411r4_fix' + tag "cci": ['CCI-001499'] + tag "nist": ['CM-5 (6)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -69,7 +69,7 @@ # chown root [FILE]" - libs = ["/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib", "/usr/local/lib64"] + libs = ['/lib', '/lib64', '/usr/lib', '/usr/lib64', '/usr/local/lib', '/usr/local/lib64'] libs.each do |l| files = command("find -L #{l} \\! -user root").stdout.strip.split("\n") if files.empty? @@ -85,4 +85,3 @@ end end end - diff --git a/controls/V-38467.rb b/controls/V-38467.rb index f287c89..44d923a 100644 --- a/controls/V-38467.rb +++ b/controls/V-38467.rb 
@@ -1,17 +1,17 @@ -control "V-38467" do +control 'V-38467' do title "The system must use a separate file system for the system audit data path." desc "Placing \"/var/log/audit\" in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space." impact 0.3 - tag "gtitle": "SRG-OS-000044" - tag "gid": "V-38467" - tag "rid": "SV-50267r1_rule" - tag "stig_id": "RHEL-06-000004" - tag "fix_id": "F-43412r1_fix" - tag "cci": ["CCI-000137"] - tag "nist": ["AU-4", "Rev_4"] + tag "gtitle": 'SRG-OS-000044' + tag "gid": 'V-38467' + tag "rid": 'SV-50267r1_rule' + tag "stig_id": 'RHEL-06-000004' + tag "fix_id": 'F-43412r1_fix' + tag "cci": ['CCI-000137'] + tag "nist": ['AU-4', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -35,8 +35,7 @@ migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon." - describe mount("/var/log/audit") do + describe mount('/var/log/audit') do it { should be_mounted } end end - diff --git a/controls/V-38468.rb b/controls/V-38468.rb index 26b68c9..d35339b 100644 --- a/controls/V-38468.rb +++ b/controls/V-38468.rb 
@@ -1,16 +1,16 @@ -control "V-38468" do +control 'V-38468' do title "The audit system must take appropriate action when the audit storage volume is full." desc "Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records." impact 0.5 - tag "gtitle": "SRG-OS-000047" - tag "gid": "V-38468" - tag "rid": "SV-50268r1_rule" - tag "stig_id": "RHEL-06-000510" - tag "fix_id": "F-43413r1_fix" - tag "cci": ["CCI-000140"] - tag "nist": ["AU-5 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000047' + tag "gid": 'V-38468' + tag "rid": 'SV-50268r1_rule' + tag "stig_id": 'RHEL-06-000510' + tag "fix_id": 'F-43413r1_fix' + tag "cci": ['CCI-000140'] + tag "nist": ['AU-5 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -52,7 +52,6 @@ describe parse_config_file('/etc/audit/auditd.conf') do its('disk_full_action') { should_not be_nil } - its('disk_full_action.downcase') { should_not be_in ['suspend', 'ignore'] } + its('disk_full_action.downcase') { should_not be_in %w[suspend ignore] } end end - diff --git a/controls/V-38469.rb b/controls/V-38469.rb index 53a6648..db48e47 100644 --- a/controls/V-38469.rb +++ b/controls/V-38469.rb 
@@ -1,16 +1,16 @@ -control "V-38469" do - title "All system command files must have mode 755 or less permissive." +control 'V-38469' do + title 'All system command files must have mode 755 or less permissive.' desc "System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted." impact 0.5 - tag "gtitle": "SRG-OS-000259" - tag "gid": "V-38469" - tag "rid": "SV-50269r3_rule" - tag "stig_id": "RHEL-06-000047" - tag "fix_id": "F-43414r1_fix" - tag "cci": ["CCI-001499"] - tag "nist": ["CM-5 (6)", "Rev_4"] + tag "gtitle": 'SRG-OS-000259' + tag "gid": 'V-38469' + tag "rid": 'SV-50269r3_rule' + tag "stig_id": 'RHEL-06-000047' + tag "fix_id": 'F-43414r1_fix' + tag "cci": ['CCI-001499'] + tag "nist": ['CM-5 (6)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -54,11 +54,10 @@ # chmod go-w [FILE]" - dirs = ["/bin", "/usr/bin", "/usr/local/bin", "/sbin", "/usr/sbin", "/usr/local/sbin"] + dirs = ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin', '/usr/local/sbin'] dirs.each do |d| describe command("find -L #{d} -perm /022 -type f") do its('stdout.strip') { should be_empty } end end end - diff --git a/controls/V-38470.rb b/controls/V-38470.rb index c2f6d57..9c58262 100644 --- a/controls/V-38470.rb +++ b/controls/V-38470.rb 
@@ -1,16 +1,16 @@ -control "V-38470" do +control 'V-38470' do title "The audit system must alert designated staff members when the audit storage volume approaches capacity." desc "Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption." impact 0.5 - tag "gtitle": "SRG-OS-000045" - tag "gid": "V-38470" - tag "rid": "SV-50270r2_rule" - tag "stig_id": "RHEL-06-000005" - tag "fix_id": "F-43415r2_fix" - tag "cci": ["CCI-000138"] - tag "nist": ["AU-4", "Rev_4"] + tag "gtitle": 'SRG-OS-000045' + tag "gid": 'V-38470' + tag "rid": 'SV-50270r2_rule' + tag "stig_id": 'RHEL-06-000005' + tag "fix_id": 'F-43415r2_fix' + tag "cci": ['CCI-000138'] + tag "nist": ['AU-4', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -59,13 +59,12 @@ RHEL-06-000521 ensures that the email generated through the operation \"space_left_action\" will be sent to an administrator." - describe file("/etc/audit/auditd.conf") do - its("content") { should match(/^[ ]*space_left_action[ ]+=[ ]+(\S+)[ ]*$/) } + describe file('/etc/audit/auditd.conf') do + its('content') { should match(/^[ ]*space_left_action[ ]+=[ ]+(\S+)[ ]*$/) } end - file("/etc/audit/auditd.conf").content.to_s.scan(/^[ ]*space_left_action[ ]+=[ ]+(\S+)[ ]*$/).flatten.each do |entry| + file('/etc/audit/auditd.conf').content.to_s.scan(/^[ ]*space_left_action[ ]+=[ ]+(\S+)[ ]*$/).flatten.each do |entry| describe entry do - it { should cmp "email" } + it { should cmp 'email' } end end end - diff --git a/controls/V-38471.rb b/controls/V-38471.rb index b9c1e70..ac5523d 100644 --- a/controls/V-38471.rb +++ b/controls/V-38471.rb 
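Review bot: The `space_left_action` check in the `@@ -59,13 +59,12 @@` hunk of controls/V-38470.rb parses /etc/audit/auditd.conf by hand with a regex and a `scan` loop. V-38464 and V-38468 in this same patch read the same file through `parse_config_file`. `describe parse_config_file('/etc/audit/auditd.conf') do` with `its('space_left_action') { should cmp 'email' }` would replace both blocks, remove the duplicated regex, and keep the audit controls consistent. The control block starts above this hunk.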
@@ -1,17 +1,17 @@ -control "V-38471" do - title "The system must forward audit records to the syslog service." +control 'V-38471' do + title 'The system must forward audit records to the syslog service.' desc "The auditd service does not include the ability to send audit records to a centralized server for management directly. It does, however, include an audit event multiplexor plugin (audispd) to pass audit records to the local syslog server." impact 0.3 - tag "gtitle": "SRG-OS-000043" - tag "gid": "V-38471" - tag "rid": "SV-50271r1_rule" - tag "stig_id": "RHEL-06-000509" - tag "fix_id": "F-43416r1_fix" - tag "cci": ["CCI-000136"] - tag "nist": ["AU-3 (2)", "Rev_4"] + tag "gtitle": 'SRG-OS-000043' + tag "gid": 'V-38471' + tag "rid": 'SV-50271r1_rule' + tag "stig_id": 'RHEL-06-000509' + tag "fix_id": 'F-43416r1_fix' + tag "cci": ['CCI-000136'] + tag "nist": ['AU-3 (2)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -36,4 +36,3 @@ its('active') { should eq 'yes' } end end - diff --git a/controls/V-38472.rb b/controls/V-38472.rb index 9e7be14..fb6f02e 100644 --- a/controls/V-38472.rb +++ b/controls/V-38472.rb 
@@ -1,16 +1,16 @@ -control "V-38472" do - title "All system command files must be owned by root." +control 'V-38472' do + title 'All system command files must be owned by root.' desc "System binaries are executed by privileged users as well as system services, and restrictive permissions are necessary to ensure that their execution of these programs cannot be co-opted." impact 0.5 - tag "gtitle": "SRG-OS-000259" - tag "gid": "V-38472" - tag "rid": "SV-50272r1_rule" - tag "stig_id": "RHEL-06-000048" - tag "fix_id": "F-43417r1_fix" - tag "cci": ["CCI-001499"] - tag "nist": ["CM-5 (6)", "Rev_4"] + tag "gtitle": 'SRG-OS-000259' + tag "gid": 'V-38472' + tag "rid": 'SV-50272r1_rule' + tag "stig_id": 'RHEL-06-000048' + tag "fix_id": 'F-43417r1_fix' + tag "cci": ['CCI-001499'] + tag "nist": ['CM-5 (6)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -54,11 +54,10 @@ # chown root [FILE]" - dirs = ["/bin", "/usr/bin", "/usr/local/bin", "/sbin", "/usr/sbin", "/usr/local/sbin"] + dirs = ['/bin', '/usr/bin', '/usr/local/bin', '/sbin', '/usr/sbin', '/usr/local/sbin'] dirs.each do |d| describe command("find -L #{d} \\! -user root") do its('stdout.strip') { should be_empty } end end end - diff --git a/controls/V-38473.rb b/controls/V-38473.rb index d6ac3bb..c7d691b 100644 --- a/controls/V-38473.rb +++ b/controls/V-38473.rb 
@@ -1,16 +1,16 @@ -control "V-38473" do - title "The system must use a separate file system for user home directories." +control 'V-38473' do + title 'The system must use a separate file system for user home directories.' desc "Ensuring that \"/home\" is mounted on its own partition enables the setting of more restrictive mount options, and also helps ensure that users cannot trivially fill partitions used for log or audit data storage." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38473" - tag "rid": "SV-50273r1_rule" - tag "stig_id": "RHEL-06-000007" - tag "fix_id": "F-43418r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38473' + tag "rid": 'SV-50273r1_rule' + tag "stig_id": 'RHEL-06-000007' + tag "fix_id": 'F-43418r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -34,8 +34,7 @@ server, then creating a separate partition is not necessary at installation time, and the mountpoint can instead be configured later." - describe mount("/home") do + describe mount('/home') do it { should be_mounted } end end - diff --git a/controls/V-38474.rb b/controls/V-38474.rb index cd2ae1e..d80ab01 100644 --- a/controls/V-38474.rb +++ b/controls/V-38474.rb 
@@ -1,16 +1,16 @@ -control "V-38474" do - title "The system must allow locking of graphical desktop sessions." +control 'V-38474' do + title 'The system must allow locking of graphical desktop sessions.' desc "The ability to lock graphical desktop sessions manually allows users to easily secure their accounts should they need to depart from their workstations temporarily." impact 0.3 - tag "gtitle": "SRG-OS-000030" - tag "gid": "V-38474" - tag "rid": "SV-50274r2_rule" - tag "stig_id": "RHEL-06-000508" - tag "fix_id": "F-43420r1_fix" - tag "cci": ["CCI-000058"] - tag "nist": ["AC-11 a", "Rev_4"] + tag "gtitle": 'SRG-OS-000030' + tag "gid": 'V-38474' + tag "rid": 'SV-50274r2_rule' + tag "stig_id": 'RHEL-06-000508' + tag "fix_id": 'F-43420r1_fix' + tag "cci": ['CCI-000058'] + tag "nist": ['AC-11 a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -43,14 +43,13 @@ the default for the Gnome desktop." if package('GConf2').installed? - describe command("gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode") do + describe command('gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode') do its('stdout.strip') { should_not eq '' } end else impact 0.0 - describe "Package GConf2 not installed" do - skip "Package GConf2 not installed, this control Not Applicable" + describe 'Package GConf2 not installed' do + skip 'Package GConf2 not installed, this control Not Applicable' end end end - diff --git a/controls/V-38475.rb b/controls/V-38475.rb index 9dc99ff..ff93b7e 100644 --- a/controls/V-38475.rb +++ b/controls/V-38475.rb @@ -1,4 +1,4 @@ -control "V-38475" do +control 'V-38475' do title "The system must require passwords to contain a minimum of 15 characters." desc "Requiring a minimum password length makes password cracking attacks 
@@ -11,13 +11,13 @@ on PKI (public key infrastructure). " impact 0.5 - tag "gtitle": "SRG-OS-000078" - tag "gid": "V-38475" - tag "rid": "SV-50275r3_rule" - tag "stig_id": "RHEL-06-000050" - tag "fix_id": "F-43419r3_fix" - tag "cci": ["CCI-000205"] - tag "nist": ["IA-5 (1) (a)", "Rev_4"] + tag "gtitle": 'SRG-OS-000078' + tag "gid": 'V-38475' + tag "rid": 'SV-50275r3_rule' + tag "stig_id": 'RHEL-06-000050' + tag "fix_id": 'F-43419r3_fix' + tag "cci": ['CCI-000205'] + tag "nist": ['IA-5 (1) (a)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -52,13 +52,12 @@ also another PAM module (such as \"pam_cracklib\") during a password change operation, then the most restrictive must be satisfied." - describe file("/etc/login.defs") do - its("content") { should match(/^PASS_MIN_LEN\s+(\d+)\s*$/) } + describe file('/etc/login.defs') do + its('content') { should match(/^PASS_MIN_LEN\s+(\d+)\s*$/) } end - file("/etc/login.defs").content.to_s.scan(/^PASS_MIN_LEN\s+(\d+)\s*$/).flatten.each do |entry| + file('/etc/login.defs').content.to_s.scan(/^PASS_MIN_LEN\s+(\d+)\s*$/).flatten.each do |entry| describe entry do it { should cmp >= 15 } end end end - diff --git a/controls/V-38476.rb b/controls/V-38476.rb index 4b95ae0..1201af8 100644 --- a/controls/V-38476.rb +++ b/controls/V-38476.rb 
@@ -1,16 +1,16 @@ -control "V-38476" do +control 'V-38476' do title "Vendor-provided cryptographic certificates must be installed to verify the integrity of system software." desc "The Red Hat GPG keys are necessary to cryptographically verify packages are from Red Hat. " impact 0.7 - tag "gtitle": "SRG-OS-000090" - tag "gid": "V-38476" - tag "rid": "SV-50276r3_rule" - tag "stig_id": "RHEL-06-000008" - tag "fix_id": "F-43421r3_fix" - tag "cci": ["CCI-000352"] - tag "nist": ["CM-5 (3)", "Rev_4"] + tag "gtitle": 'SRG-OS-000090' + tag "gid": 'V-38476' + tag "rid": 'SV-50276r3_rule' + tag "stig_id": 'RHEL-06-000008' + tag "fix_id": 'F-43421r3_fix' + tag "cci": ['CCI-000352'] + tag "nist": ['CM-5 (3)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -53,4 +53,3 @@ end end end - diff --git a/controls/V-38477.rb b/controls/V-38477.rb index 895f2f2..e9300b3 100644 --- a/controls/V-38477.rb +++ b/controls/V-38477.rb @@ -1,16 +1,16 @@ -control "V-38477" do +control 'V-38477' do title "Users must not be able to change passwords more than once every 24 hours." desc "Setting the minimum password age protects against users cycling back to a favorite password after satisfying the password reuse requirement." impact 0.5 - tag "gtitle": "SRG-OS-000075" - tag "gid": "V-38477" - tag "rid": "SV-50277r1_rule" - tag "stig_id": "RHEL-06-000051" - tag "fix_id": "F-43422r1_fix" - tag "cci": ["CCI-000198"] - tag "nist": ["IA-5 (1) (d)", "Rev_4"] + tag "gtitle": 'SRG-OS-000075' + tag "gid": 'V-38477' + tag "rid": 'SV-50277r1_rule' + tag "stig_id": 'RHEL-06-000051' + tag "fix_id": 'F-43422r1_fix' + tag "cci": ['CCI-000198'] + tag "nist": ['IA-5 (1) (d)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -36,13 +36,12 @@ A value of 1 day is considered sufficient for many environments. The DoD requirement is 1." - describe file("/etc/login.defs") do - its("content") { should match(/^[\s]*PASS_MIN_DAYS[\s]+(\d+)\s*$/) } + describe file('/etc/login.defs') do + its('content') { should match(/^[\s]*PASS_MIN_DAYS[\s]+(\d+)\s*$/) } end - file("/etc/login.defs").content.to_s.scan(/^[\s]*PASS_MIN_DAYS[\s]+(\d+)\s*$/).flatten.each do |entry| + file('/etc/login.defs').content.to_s.scan(/^[\s]*PASS_MIN_DAYS[\s]+(\d+)\s*$/).flatten.each do |entry| describe entry do it { should cmp >= 1 } end end end - diff --git a/controls/V-38478.rb b/controls/V-38478.rb index 7537015..5be8443 100644 --- a/controls/V-38478.rb +++ b/controls/V-38478.rb @@ -1,4 +1,4 @@ -control "V-38478" do +control 'V-38478' do title "The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite." desc "Although systems management and patching is extremely important to @@ -6,13 +6,13 @@ desirable for some environments. However, if the system is being managed by RHN or RHN Satellite Server the \"rhnsd\" daemon can remain on." impact 0.3 - tag "gtitle": "SRG-OS-000096" - tag "gid": "V-38478" - tag "rid": "SV-50278r2_rule" - tag "stig_id": "RHEL-06-000009" - tag "fix_id": "F-43423r2_fix" - tag "cci": ["CCI-000382"] - tag "nist": ["CM-7 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000096' + tag "gid": 'V-38478' + tag "rid": 'SV-50278r2_rule' + tag "stig_id": 'RHEL-06-000009' + tag "fix_id": 'F-43423r2_fix' + tag "cci": ['CCI-000382'] + tag "nist": ['CM-7 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -57,9 +57,8 @@ # chkconfig rhnsd off # service rhnsd stop" - describe service("rhnsd") do + describe service('rhnsd') do it { should_not be_running } it { should_not be_enabled } end end - diff --git a/controls/V-38479.rb b/controls/V-38479.rb index 7c4ad08..263c860 100644 --- a/controls/V-38479.rb +++ b/controls/V-38479.rb 
@@ -1,18 +1,18 @@ -control "V-38479" do - title "User passwords must be changed at least every 60 days." +control 'V-38479' do + title 'User passwords must be changed at least every 60 days.' desc "Setting the password maximum age ensures users are required to periodically change their passwords. This could possibly decrease the utility of a stolen password. Requiring shorter password lifetimes increases the risk of users writing down the password in a convenient location subject to physical compromise." impact 0.5 - tag "gtitle": "SRG-OS-000076" - tag "gid": "V-38479" - tag "rid": "SV-50279r1_rule" - tag "stig_id": "RHEL-06-000053" - tag "fix_id": "F-43424r1_fix" - tag "cci": ["CCI-000199"] - tag "nist": ["IA-5 (1) (d)", "Rev_4"] + tag "gtitle": 'SRG-OS-000076' + tag "gid": 'V-38479' + tag "rid": 'SV-50279r1_rule' + tag "stig_id": 'RHEL-06-000053' + tag "fix_id": 'F-43424r1_fix' + tag "cci": ['CCI-000199'] + tag "nist": ['IA-5 (1) (d)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -37,13 +37,12 @@ The DoD requirement is 60." - describe file("/etc/login.defs") do - its("content") { should match(/^[\s]*PASS_MAX_DAYS[\s]+(\d+)\s*$/) } + describe file('/etc/login.defs') do + its('content') { should match(/^[\s]*PASS_MAX_DAYS[\s]+(\d+)\s*$/) } end - file("/etc/login.defs").content.to_s.scan(/^[\s]*PASS_MAX_DAYS[\s]+(\d+)\s*$/).flatten.each do |entry| + file('/etc/login.defs').content.to_s.scan(/^[\s]*PASS_MAX_DAYS[\s]+(\d+)\s*$/).flatten.each do |entry| describe entry do it { should cmp <= 60 } end end end - diff --git a/controls/V-38480.rb b/controls/V-38480.rb index 39b44fc..a1a4394 100644 --- a/controls/V-38480.rb +++ b/controls/V-38480.rb 
@@ -1,15 +1,15 @@ -control "V-38480" do - title "Users must be warned 7 days in advance of password expiration." +control 'V-38480' do + title 'Users must be warned 7 days in advance of password expiration.' desc "Setting the password warning age enables users to make the change at a practical time." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38480" - tag "rid": "SV-50280r1_rule" - tag "stig_id": "RHEL-06-000054" - tag "fix_id": "F-43425r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38480' + tag "rid": 'SV-50280r1_rule' + tag "stig_id": 'RHEL-06-000054' + tag "fix_id": 'F-43425r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -34,13 +34,12 @@ The DoD requirement is 7." - describe file("/etc/login.defs") do - its("content") { should match(/^[\s]*PASS_WARN_AGE[\s]*(\d+)\s*$/) } + describe file('/etc/login.defs') do + its('content') { should match(/^[\s]*PASS_WARN_AGE[\s]*(\d+)\s*$/) } end - file("/etc/login.defs").content.to_s.scan(/^[\s]*PASS_WARN_AGE[\s]*(\d+)\s*$/).flatten.each do |entry| + file('/etc/login.defs').content.to_s.scan(/^[\s]*PASS_WARN_AGE[\s]*(\d+)\s*$/).flatten.each do |entry| describe entry do it { should cmp >= 7 } end end end - diff --git a/controls/V-38481.rb b/controls/V-38481.rb index d2ad3e5..904da90 100644 --- a/controls/V-38481.rb +++ b/controls/V-38481.rb 
@@ -1,15 +1,15 @@ -control "V-38481" do - title "System security patches and updates must be installed and up-to-date." +control 'V-38481' do + title 'System security patches and updates must be installed and up-to-date.' desc "Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities." impact 0.5 - tag "gtitle": "SRG-OS-000191" - tag "gid": "V-38481" - tag "rid": "SV-50281r1_rule" - tag "stig_id": "RHEL-06-000011" - tag "fix_id": "F-43426r1_fix" - tag "cci": ["CCI-001233"] - tag "nist": ["SI-2 (2)", "Rev_4"] + tag "gtitle": 'SRG-OS-000191' + tag "gid": 'V-38481' + tag "rid": 'SV-50281r1_rule' + tag "stig_id": 'RHEL-06-000011' + tag "fix_id": 'F-43426r1_fix' + tag "cci": ['CCI-001233'] + tag "nist": ['SI-2 (2)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -45,8 +45,7 @@ form of RPM packages) can be manually downloaded from the Red Hat Network and installed using \"rpm\"." - describe "Manual test" do - skip "This control must be reviewed manually" + describe 'Manual test' do + skip 'This control must be reviewed manually' end end - diff --git a/controls/V-38482.rb b/controls/V-38482.rb index 7e9ffa4..2906fd2 100644 --- a/controls/V-38482.rb +++ b/controls/V-38482.rb 
@@ -1,16 +1,16 @@ -control "V-38482" do +control 'V-38482' do title "The system must require passwords to contain at least one numeric character." desc "Requiring digits makes password guessing attacks more difficult by ensuring a larger search space." impact 0.3 - tag "gtitle": "SRG-OS-000071" - tag "gid": "V-38482" - tag "rid": "SV-50282r2_rule" - tag "stig_id": "RHEL-06-000056" - tag "fix_id": "F-43427r2_fix" - tag "cci": ["CCI-000194"] - tag "nist": ["IA-5 (1) (a)", "Rev_4"] + tag "gtitle": 'SRG-OS-000071' + tag "gid": 'V-38482' + tag "rid": 'SV-50282r2_rule' + tag "stig_id": 'RHEL-06-000056' + tag "fix_id": 'F-43427r2_fix' + tag "cci": ['CCI-000194'] + tag "nist": ['IA-5 (1) (a)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -43,40 +43,39 @@ " describe.one do - describe file("/etc/pam.d/system-auth") do - its("content") { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+dcredit=-(\d+)[^\n\r]*$/) } + describe file('/etc/pam.d/system-auth') do + its('content') { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+dcredit=-(\d+)[^\n\r]*$/) } end - file("/etc/pam.d/system-auth").content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+dcredit=-(\d+)[^\n\r]*$/).flatten.each do |entry| + file('/etc/pam.d/system-auth').content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+dcredit=-(\d+)[^\n\r]*$/).flatten.each do |entry| describe entry do it { should cmp >= 1 } end end - describe file("/etc/pam.d/system-auth") do - its("content") { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+dcredit=-(\d+)\s+.*$/) } + describe file('/etc/pam.d/system-auth') do + its('content') { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+dcredit=-(\d+)\s+.*$/) } end - file("/etc/pam.d/system-auth").content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+dcredit=-(\d+)\s+.*$/).flatten.each do |entry| + file('/etc/pam.d/system-auth').content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+dcredit=-(\d+)\s+.*$/).flatten.each do |entry| describe entry do it { should cmp >= 1 } end end end 
describe.one do - describe file("/etc/pam.d/password-auth") do - its("content") { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+dcredit=-(\d+)[^\n\r]*$/) } + describe file('/etc/pam.d/password-auth') do + its('content') { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+dcredit=-(\d+)[^\n\r]*$/) } end - file("/etc/pam.d/password-auth").content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+dcredit=-(\d+)[^\n\r]*$/).flatten.each do |entry| + file('/etc/pam.d/password-auth').content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+dcredit=-(\d+)[^\n\r]*$/).flatten.each do |entry| describe entry do it { should cmp >= 1 } end end - describe file("/etc/pam.d/password-auth") do - its("content") { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+dcredit=-(\d+)\s+.*$/) } + describe file('/etc/pam.d/password-auth') do + its('content') { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+dcredit=-(\d+)\s+.*$/) } end - file("/etc/pam.d/password-auth").content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+dcredit=-(\d+)\s+.*$/).flatten.each do |entry| + file('/etc/pam.d/password-auth').content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+dcredit=-(\d+)\s+.*$/).flatten.each do |entry| describe entry do it { should cmp >= 1 } end end end end - 
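Review bot: In both `describe.one` groups of the V-38482 test hunk (system-auth and password-auth), the `describe entry do it { should cmp >= 1 }` blocks sit next to the `describe file(...)` content match. Because `describe.one` is satisfied by any single passing block, the numeric test is not actually enforced. A line carrying `dcredit=-0` would match the regex and pass the control even though the captured value fails `cmp >= 1`. Putting the bound in the pattern closes that gap, for example `dcredit=-([1-9]\d*)` in place of `dcredit=-(\d+)`. The quote conversion leaves this behaviour unchanged, and the control block starts outside the hunk.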
diff --git a/controls/V-38483.rb b/controls/V-38483.rb index 10d5650..9632f9d 100644 --- a/controls/V-38483.rb +++ b/controls/V-38483.rb @@ -1,17 +1,17 @@ -control "V-38483" do +control 'V-38483' do title "The system package management tool must cryptographically verify the authenticity of system software packages during installation." desc "Ensuring the validity of packages' cryptographic signatures prior to installation ensures the provenance of the software and protects against malicious tampering." impact 0.5 - tag "gtitle": "SRG-OS-000103" - tag "gid": "V-38483" - tag "rid": "SV-50283r1_rule" - tag "stig_id": "RHEL-06-000013" - tag "fix_id": "F-43429r1_fix" - tag "cci": ["CCI-000663"] - tag "nist": ["SA-7", "Rev_4"] + tag "gtitle": 'SRG-OS-000103' + tag "gid": 'V-38483' + tag "rid": 'SV-50283r1_rule' + tag "stig_id": 'RHEL-06-000013' + tag "fix_id": 'F-43429r1_fix' + tag "cci": ['CCI-000663'] + tag "nist": ['SA-7', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -41,8 +41,7 @@ gpgcheck=1" - describe file("/etc/yum.conf") do - its("content") { should match(/^\s*gpgcheck\s*=\s*1\s*$/) } + describe file('/etc/yum.conf') do + its('content') { should match(/^\s*gpgcheck\s*=\s*1\s*$/) } end end - diff --git a/controls/V-38484.rb b/controls/V-38484.rb index 78239cd..c045d7d 100644 --- a/controls/V-38484.rb +++ b/controls/V-38484.rb @@ -1,4 +1,4 @@ -control "V-38484" do +control 'V-38484' do title "The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh." desc "Users need to be aware of activity that occurs regarding their 
@@ -10,13 +10,13 @@ and time. " impact 0.5 - tag "gtitle": "SRG-OS-000025" - tag "gid": "V-38484" - tag "rid": "SV-50285r2_rule" - tag "stig_id": "RHEL-06-000507" - tag "fix_id": "F-43431r2_fix" - tag "cci": ["CCI-000052"] - tag "nist": ["AC-9", "Rev_4"] + tag "gtitle": 'SRG-OS-000025' + tag "gid": 'V-38484' + tag "rid": 'SV-50285r2_rule' + tag "stig_id": 'RHEL-06-000507' + tag "fix_id": 'F-43431r2_fix' + tag "cci": ['CCI-000052'] + tag "nist": ['AC-9', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -45,6 +45,5 @@ describe sshd_config do its('PrintLastLog') { should be_nil.or eq 'yes' } - end + end end - diff --git a/controls/V-38486.rb b/controls/V-38486.rb index a2c06f6..66666ff 100644 --- a/controls/V-38486.rb +++ b/controls/V-38486.rb @@ -1,4 +1,4 @@ -control "V-38486" do +control 'V-38486' do title "The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point @@ -9,13 +9,13 @@ must be consistent with organizational recovery time and recovery point objectives." impact 0.5 - tag "gtitle": "SRG-OS-000100" - tag "gid": "V-38486" - tag "rid": "SV-50287r1_rule" - tag "stig_id": "RHEL-06-000505" - tag "fix_id": "F-43434r1_fix" - tag "cci": ["CCI-000537"] - tag "nist": ["CP-9b", "Rev_4"] + tag "gtitle": 'SRG-OS-000100' + tag "gid": 'V-38486' + tag "rid": 'SV-50287r1_rule' + tag "stig_id": 'RHEL-06-000505' + tag "fix_id": 'F-43434r1_fix' + tag "cci": ['CCI-000537'] + tag "nist": ['CP-9b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -37,8 +37,7 @@ Implement a process whereby OS data is backed up from the system in accordance with local policies." - describe "Manual test" do - skip "This control must be reviewed manually" + describe 'Manual test' do + skip 'This control must be reviewed manually' end end - 
diff --git a/controls/V-38487.rb b/controls/V-38487.rb index 78cca84..b9a783e 100644 --- a/controls/V-38487.rb +++ b/controls/V-38487.rb @@ -1,17 +1,17 @@ -control "V-38487" do +control 'V-38487' do title "The system package management tool must cryptographically verify the authenticity of all software packages during installation." desc "Ensuring all packages' cryptographic signatures are valid prior to installation ensures the provenance of the software and protects against malicious tampering." impact 0.3 - tag "gtitle": "SRG-OS-000103" - tag "gid": "V-38487" - tag "rid": "SV-50288r1_rule" - tag "stig_id": "RHEL-06-000015" - tag "fix_id": "F-43433r1_fix" - tag "cci": ["CCI-000663"] - tag "nist": ["SA-7", "Rev_4"] + tag "gtitle": 'SRG-OS-000103' + tag "gid": 'V-38487' + tag "rid": 'SV-50288r1_rule' + tag "stig_id": 'RHEL-06-000015' + tag "fix_id": 'F-43433r1_fix' + tag "cci": ['CCI-000663'] + tag "nist": ['SA-7', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -38,10 +38,9 @@ gpgcheck=0" - command("find /etc/yum.repos.d -type f -regex .\\*/.\\*").stdout.split.each do |entry| + command('find /etc/yum.repos.d -type f -regex .\\*/.\\*').stdout.split.each do |entry| describe file(entry) do - its("content") { should_not match(/^\s*gpgcheck\s*=\s*0\s*$/) } + its('content') { should_not match(/^\s*gpgcheck\s*=\s*0\s*$/) } end end end - diff --git a/controls/V-38488.rb b/controls/V-38488.rb index 81e38b3..926d4ec 100644 --- a/controls/V-38488.rb +++ b/controls/V-38488.rb @@ -1,4 +1,4 @@ -control "V-38488" do +control 'V-38488' do title "The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives." 
@@ -7,13 +7,13 @@ information system and/or application users. Backups shall be consistent with organizational recovery time and recovery point objectives." impact 0.5 - tag "gtitle": "SRG-OS-000099" - tag "gid": "V-38488" - tag "rid": "SV-50289r1_rule" - tag "stig_id": "RHEL-06-000504" - tag "fix_id": "F-43435r1_fix" - tag "cci": ["CCI-000535"] - tag "nist": ["CP-9a", "Rev_4"] + tag "gtitle": 'SRG-OS-000099' + tag "gid": 'V-38488' + tag "rid": 'SV-50289r1_rule' + tag "stig_id": 'RHEL-06-000504' + tag "fix_id": 'F-43435r1_fix' + tag "cci": ['CCI-000535'] + tag "nist": ['CP-9a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -36,8 +36,7 @@ Implement a process whereby user data is backed up from the system in accordance with local policies." - describe "Manual test" do - skip "This control must be reviewed manually" + describe 'Manual test' do + skip 'This control must be reviewed manually' end end - diff --git a/controls/V-38489.rb b/controls/V-38489.rb index c0d1c19..7ccd4fd 100644 --- a/controls/V-38489.rb +++ b/controls/V-38489.rb @@ -1,15 +1,15 @@ -control "V-38489" do - title "A file integrity tool must be installed." +control 'V-38489' do + title 'A file integrity tool must be installed.' desc "The AIDE package must be installed if it is to be available for integrity checking." impact 0.5 - tag "gtitle": "SRG-OS-000232" - tag "gid": "V-38489" - tag "rid": "SV-50290r1_rule" - tag "stig_id": "RHEL-06-000016" - tag "fix_id": "F-43436r1_fix" - tag "cci": ["CCI-001069"] - tag "nist": ["RA-5 (7)", "Rev_4"] + tag "gtitle": 'SRG-OS-000232' + tag "gid": 'V-38489' + tag "rid": 'SV-50290r1_rule' + tag "stig_id": 'RHEL-06-000016' + tag "fix_id": 'F-43436r1_fix' + tag "cci": ['CCI-001069'] + tag "nist": ['RA-5 (7)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -33,8 +33,7 @@ # yum install aide" - describe package("aide") do + describe package('aide') do it { should be_installed } end end - diff --git a/controls/V-38490.rb b/controls/V-38490.rb index d336e54..db45eb6 100644 --- a/controls/V-38490.rb +++ b/controls/V-38490.rb @@ -1,17 +1,17 @@ -control "V-38490" do +control 'V-38490' do title "The operating system must enforce requirements for the connection of mobile devices to operating systems." desc "USB storage devices such as thumb drives can be used to introduce unauthorized software and other vulnerabilities. Support for these devices should be disabled and the devices themselves should be tightly controlled." impact 0.5 - tag "gtitle": "SRG-OS-000273" - tag "gid": "V-38490" - tag "rid": "SV-50291r6_rule" - tag "stig_id": "RHEL-06-000503" - tag "fix_id": "F-43437r3_fix" - tag "cci": ["CCI-000086"] - tag "nist": ["AC-19 d", "Rev_4"] + tag "gtitle": 'SRG-OS-000273' + tag "gid": 'V-38490' + tag "rid": 'SV-50291r6_rule' + tag "stig_id": 'RHEL-06-000503' + tag "fix_id": 'F-43437r3_fix' + tag "cci": ['CCI-000086'] + tag "nist": ['AC-19 d', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -47,14 +47,13 @@ the \"insmod\" program to load the module manually." describe.one do - command("find /etc/modprobe.d -type f -regex .\\*/\\^.\\*\\\\.conf\\$").stdout.split.each do |entry| + command('find /etc/modprobe.d -type f -regex .\\*/\\^.\\*\\\\.conf\\$').stdout.split.each do |entry| describe file(entry) do - its("content") { should match(/^\s*install\s+usb-storage\s+(\/bin\/true)\s*$/) } + its('content') { should match(/^\s*install\s+usb-storage\s+(\/bin\/true)\s*$/) } end end - describe file("/etc/modprobe.conf") do - its("content") { should match(/^\s*install\s+usb-storage\s+(\/bin\/true)\s*$/) } + describe file('/etc/modprobe.conf') do + its('content') { should match(/^\s*install\s+usb-storage\s+(\/bin\/true)\s*$/) } end end end - 
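Review bot: The `find /etc/modprobe.d -type f -regex ...` command in the V-38490 test hunk reaches find as `.*/^.*\.conf$`. Under find's default regex syntax, a `^` in the middle of a pattern appears to be taken literally, so ordinary `.conf` files are not listed and the `describe.one` only ever examines `/etc/modprobe.conf`. A host that disables usb-storage through a file in `/etc/modprobe.d` is therefore not evaluated from that file. A name match avoids the anchor problem: `command('find /etc/modprobe.d -type f -name "*.conf"')`. The same mid-pattern `^` is in the find commands of V-38491 and V-38495; the quote conversion preserves it, and the control block starts outside this hunk.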
diff --git a/controls/V-38491.rb b/controls/V-38491.rb index a199933..9e3a711 100644 --- a/controls/V-38491.rb +++ b/controls/V-38491.rb @@ -1,15 +1,15 @@ -control "V-38491" do - title "There must be no .rhosts or hosts.equiv files on the system." +control 'V-38491' do + title 'There must be no .rhosts or hosts.equiv files on the system.' desc "Trust files are convenient, but when used in conjunction with the R-services, they can allow unauthenticated access to a system." impact 0.7 - tag "gtitle": "SRG-OS-000248" - tag "gid": "V-38491" - tag "rid": "SV-50292r1_rule" - tag "stig_id": "RHEL-06-000019" - tag "fix_id": "F-43438r1_fix" - tag "cci": ["CCI-001436"] - tag "nist": ["AC-17 (8)", "Rev_4"] + tag "gtitle": 'SRG-OS-000248' + tag "gid": 'V-38491' + tag "rid": 'SV-50292r1_rule' + tag "stig_id": 'RHEL-06-000019' + tag "fix_id": 'F-43438r1_fix' + tag "cci": ['CCI-001436'] + tag "nist": ['AC-17 (8)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -35,14 +35,13 @@ $ rm ~/.rhosts" - describe file("/root/^\\.(r|s)hosts$") do + describe file('/root/^\\.(r|s)hosts$') do it { should_not exist } end - describe command("find /home -regex .\\*/\\^\\\\.\\(r\\|s\\)hosts\\$ -type f -maxdepth 1") do - its("stdout") { should be_empty } + describe command('find /home -regex .\\*/\\^\\\\.\\(r\\|s\\)hosts\\$ -type f -maxdepth 1') do + its('stdout') { should be_empty } end - describe file("/etc/^s?hosts\\.equiv$") do + describe file('/etc/^s?hosts\\.equiv$') do it { should_not exist } end end - diff --git a/controls/V-38492.rb b/controls/V-38492.rb index c00b6cd..2fa0e9a 100644 --- a/controls/V-38492.rb +++ b/controls/V-38492.rb 
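Review bot: In the V-38491 test hunk, `file('/root/^\\.(r|s)hosts$')` and `file('/etc/^s?hosts\\.equiv$')` pass a regular expression to a resource that takes a literal path. `should_not exist` is therefore checked against a file with that literal name and passes whether or not `/root/.rhosts` or `/etc/hosts.equiv` is present. Naming the paths directly, e.g. `describe file('/root/.rhosts') do` and `describe file('/etc/hosts.equiv') do` (plus the `.shosts` / `shosts.equiv` variants), makes the check effective. The `/home` search has a related gap: `-maxdepth 1` stops at the home directories themselves and the regex carries a mid-pattern `^`, so something like `find /home -maxdepth 2 -type f \\( -name .rhosts -o -name .shosts \\)` is needed to see per-user trust files. The control block starts outside the hunk.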
@@ -1,16 +1,16 @@ -control "V-38492" do +control 'V-38492' do title "The system must prevent the root account from logging in from virtual consoles." desc "Preventing direct root login to virtual console devices helps ensure accountability for actions taken on the system using the root account. " impact 0.5 - tag "gtitle": "SRG-OS-000109" - tag "gid": "V-38492" - tag "rid": "SV-50293r1_rule" - tag "stig_id": "RHEL-06-000027" - tag "fix_id": "F-43439r2_fix" - tag "cci": ["CCI-000770"] - tag "nist": ["IA-2 (5)", "Rev_4"] + tag "gtitle": 'SRG-OS-000109' + tag "gid": 'V-38492' + tag "rid": 'SV-50293r1_rule' + tag "stig_id": 'RHEL-06-000027' + tag "fix_id": 'F-43439r2_fix' + tag "cci": ['CCI-000770'] + tag "nist": ['IA-2 (5)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -40,8 +40,7 @@ Note: Virtual console entries are not limited to those listed above. Any lines starting with \"vc/\" followed by numerals should be removed." - describe file("/etc/securetty") do - its("content") { should_not match(/^vc\/[0-9]+$/) } + describe file('/etc/securetty') do + its('content') { should_not match(/^vc\/[0-9]+$/) } end end - diff --git a/controls/V-38493.rb b/controls/V-38493.rb index 01df0c0..64daeb9 100644 --- a/controls/V-38493.rb +++ b/controls/V-38493.rb 
@@ -1,15 +1,15 @@ -control "V-38493" do - title "Audit log directories must have mode 0755 or less permissive." +control 'V-38493' do + title 'Audit log directories must have mode 0755 or less permissive.' desc "If users can delete audit logs, audit trails can be modified or destroyed." impact 0.5 - tag "gtitle": "SRG-OS-000059" - tag "gid": "V-38493" - tag "rid": "SV-50294r1_rule" - tag "stig_id": "RHEL-06-000385" - tag "fix_id": "F-43440r1_fix" - tag "cci": ["CCI-000164"] - tag "nist": ["AU-9", "Rev_4"] + tag "gtitle": 'SRG-OS-000059' + tag "gid": 'V-38493' + tag "rid": 'SV-50294r1_rule' + tag "stig_id": 'RHEL-06-000385' + tag "fix_id": 'F-43440r1_fix' + tag "cci": ['CCI-000164'] + tag "nist": ['AU-9', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -39,4 +39,3 @@ it { should_not be_writable.by('others') } end end - diff --git a/controls/V-38494.rb b/controls/V-38494.rb index 7bc6c92..9168b73 100644 --- a/controls/V-38494.rb +++ b/controls/V-38494.rb @@ -1,16 +1,16 @@ -control "V-38494" do +control 'V-38494' do title "The system must prevent the root account from logging in from serial consoles." desc "Preventing direct root login to serial port interfaces helps ensure accountability for actions taken on the systems using the root account." impact 0.3 - tag "gtitle": "SRG-OS-000109" - tag "gid": "V-38494" - tag "rid": "SV-50295r1_rule" - tag "stig_id": "RHEL-06-000028" - tag "fix_id": "F-43441r1_fix" - tag "cci": ["CCI-000770"] - tag "nist": ["IA-2 (5)", "Rev_4"] + tag "gtitle": 'SRG-OS-000109' + tag "gid": 'V-38494' + tag "rid": 'SV-50295r1_rule' + tag "stig_id": 'RHEL-06-000028' + tag "fix_id": 'F-43441r1_fix' + tag "cci": ['CCI-000770'] + tag "nist": ['IA-2 (5)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -37,8 +37,7 @@ Note: Serial port entries are not limited to those listed above. Any lines starting with \"ttyS\" followed by numerals should be removed" - describe file("/etc/securetty") do - its("content") { should_not match(/^ttyS[0-9]+$/) } + describe file('/etc/securetty') do + its('content') { should_not match(/^ttyS[0-9]+$/) } end end - diff --git a/controls/V-38495.rb b/controls/V-38495.rb index c8a1d6e..92dbbc8 100644 --- a/controls/V-38495.rb +++ b/controls/V-38495.rb @@ -1,15 +1,15 @@ -control "V-38495" do - title "Audit log files must be owned by root." +control 'V-38495' do + title 'Audit log files must be owned by root.' desc "If non-privileged users can write to audit logs, audit trails can be modified or destroyed." impact 0.5 - tag "gtitle": "SRG-OS-000057" - tag "gid": "V-38495" - tag "rid": "SV-50296r1_rule" - tag "stig_id": "RHEL-06-000384" - tag "fix_id": "F-43443r1_fix" - tag "cci": ["CCI-000162"] - tag "nist": ["AU-9", "Rev_4"] + tag "gtitle": 'SRG-OS-000057' + tag "gid": 'V-38495' + tag "rid": 'SV-50296r1_rule' + tag "stig_id": 'RHEL-06-000384' + tag "fix_id": 'F-43443r1_fix' + tag "cci": ['CCI-000162'] + tag "nist": ['AU-9', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -32,11 +32,10 @@ # chown root [audit_file]" - describe command("find /var/log/audit -regex .\\*/\\^.\\*\\$ -user 0") do - its("stdout") { should_not be_empty } + describe command('find /var/log/audit -regex .\\*/\\^.\\*\\$ -user 0') do + its('stdout') { should_not be_empty } end - describe command("find /var/log/audit -type d -user 0") do - its("stdout") { should_not be_empty } + describe command('find /var/log/audit -type d -user 0') do + its('stdout') { should_not be_empty } end end - diff --git a/controls/V-38496.rb b/controls/V-38496.rb index b02b714..062ba63 100644 --- a/controls/V-38496.rb +++ b/controls/V-38496.rb 
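Review bot: Both `find` checks in the V-38495 hunk at `@@ -32,11 +32,10 @@` assert `should_not be_empty` on a `-user 0` search, so the control passes as soon as a single root-owned entry exists and never fails on an audit file owned by another account. For a control titled "Audit log files must be owned by root" the assertion should be inverted, e.g. `describe command('find /var/log/audit ! -user 0') do` with `its('stdout') { should be_empty }`. The `-regex` argument also reaches find with a `^` in mid-pattern, which GNU find may treat as a literal character, so it is worth confirming that the first command lists any files at all. The control body begins above this hunk.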
@@ -1,15 +1,15 @@ -control "V-38496" do - title "Default operating system accounts, other than root, must be locked." +control 'V-38496' do + title 'Default operating system accounts, other than root, must be locked.' desc "Disabling authentication for default system accounts makes it more difficult for attackers to make use of them to compromise a system." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38496" - tag "rid": "SV-50297r3_rule" - tag "stig_id": "RHEL-06-000029" - tag "fix_id": "F-43442r2_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38496' + tag "rid": 'SV-50297r3_rule' + tag "stig_id": 'RHEL-06-000029' + tag "fix_id": 'F-43442r2_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -41,7 +41,7 @@ passwd_users = command('awk -F: \'$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1}\' /etc/shadow').stdout.strip.split("\n") if passwd_users.empty? - describe "Users with assigned password" do + describe 'Users with assigned password' do subject { passwd_users } it { should be_empty } end @@ -53,4 +53,3 @@ end end end - diff --git a/controls/V-38497.rb b/controls/V-38497.rb index 6a0342c..36a8b2a 100644 --- a/controls/V-38497.rb +++ b/controls/V-38497.rb 
@@ -1,17 +1,17 @@ -control "V-38497" do +control 'V-38497' do title "The system must not have accounts configured with blank or null passwords." desc "If an account has an empty password, anyone could log in and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments." impact 0.7 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38497" - tag "rid": "SV-50298r3_rule" - tag "stig_id": "RHEL-06-000030" - tag "fix_id": "F-43444r5_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38497' + tag "rid": 'SV-50298r3_rule' + tag "stig_id": 'RHEL-06-000030' + tag "fix_id": 'F-43444r5_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -36,11 +36,10 @@ \"/etc/pam.d/system-auth\" and \"/etc/pam.d/password-auth\" to prevent logons with empty passwords." - describe file("/etc/pam.d/system-auth") do - its("content") { should_not match(/^[^#]\s*.*\snullok\s*/) } + describe file('/etc/pam.d/system-auth') do + its('content') { should_not match(/^[^#]\s*.*\snullok\s*/) } end - describe file("/etc/pam.d/password-auth") do - its("content") { should_not match(/^[^#]\s*.*\snullok\s*/) } + describe file('/etc/pam.d/password-auth') do + its('content') { should_not match(/^[^#]\s*.*\snullok\s*/) } end end - diff --git a/controls/V-38498.rb b/controls/V-38498.rb index 0a96fff..d271714 100644 --- a/controls/V-38498.rb +++ b/controls/V-38498.rb 
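Review bot: The `nullok` pattern in the `@@ -36,11 +36,10 @@` hunk, `/^[^#]\s*.*\snullok\s*/`, lets `[^#]` consume any first character including a space or a newline, so an indented comment such as `  # ... nullok`, or a commented line that follows a blank line, is reported as a finding. Anchoring on the first non-blank character avoids that: `its('content') { should_not match(/^\s*[^#\s].*\snullok\b/) }`. The same change applies to both the `system-auth` and `password-auth` blocks. The control body begins above this hunk.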
@@ -1,15 +1,15 @@ -control "V-38498" do - title "Audit log files must have mode 0640 or less permissive." +control 'V-38498' do + title 'Audit log files must have mode 0640 or less permissive.' desc "If users can write to audit logs, audit trails can be modified or destroyed." impact 0.5 - tag "gtitle": "SRG-OS-000058" - tag "gid": "V-38498" - tag "rid": "SV-50299r1_rule" - tag "stig_id": "RHEL-06-000383" - tag "fix_id": "F-43445r1_fix" - tag "cci": ["CCI-000163"] - tag "nist": ["AU-9", "Rev_4"] + tag "gtitle": 'SRG-OS-000058' + tag "gid": 'V-38498' + tag "rid": 'SV-50299r1_rule' + tag "stig_id": 'RHEL-06-000383' + tag "fix_id": 'F-43445r1_fix' + tag "cci": ['CCI-000163'] + tag "nist": ['AU-9', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -32,8 +32,7 @@ # chmod 0640 [audit_file]" - describe command("find /var/log/audit -regex .\\*/\\^.\\*\\$ -perm -07137 -xdev") do - its("stdout") { should be_empty } + describe command('find /var/log/audit -regex .\\*/\\^.\\*\\$ -perm -07137 -xdev') do + its('stdout') { should be_empty } end end - diff --git a/controls/V-38499.rb b/controls/V-38499.rb index 602c59c..6038c61 100644 --- a/controls/V-38499.rb +++ b/controls/V-38499.rb 
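Review bot: The `-perm -07137` test in the `@@ -32,8 +32,7 @@` hunk only lists files that have all of those bits set, so an audit log with mode 0644 or 0660 is not listed and `should be_empty` passes even though the file is more permissive than 0640. To flag a file when any disallowed bit is present, the any-bit form is needed: `describe command('find /var/log/audit -type f -perm /7137 -xdev') do`. The existing `-regex` argument reaches find with a `^` in mid-pattern and may not match as intended, which is why the suggestion uses `-type f`; please confirm against a RHEL 6 host. The control body begins above this hunk.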
@@ -1,15 +1,15 @@ -control "V-38499" do - title "The /etc/passwd file must not contain password hashes." +control 'V-38499' do + title 'The /etc/passwd file must not contain password hashes.' desc "The hashes for all user account passwords should be stored in the file \"/etc/shadow\" and never in \"/etc/passwd\", which is readable by all users." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38499" - tag "rid": "SV-50300r1_rule" - tag "stig_id": "RHEL-06-000031" - tag "fix_id": "F-43446r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38499' + tag "rid": 'SV-50300r1_rule' + tag "stig_id": 'RHEL-06-000031' + tag "fix_id": 'F-43446r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -32,13 +32,12 @@ be investigated. The account should have its password reset and the hash should be properly stored, or the account should be deleted entirely." - describe file("/etc/passwd") do - its("content") { should match(/^[^:]*:([^:]*):/) } + describe file('/etc/passwd') do + its('content') { should match(/^[^:]*:([^:]*):/) } end - file("/etc/passwd").content.to_s.scan(/^[^:]*:([^:]*):/).flatten.each do |entry| + file('/etc/passwd').content.to_s.scan(/^[^:]*:([^:]*):/).flatten.each do |entry| describe entry do - it { should eq "x" } + it { should eq 'x' } end end end - diff --git a/controls/V-38500.rb b/controls/V-38500.rb index c978d1e..7fdce38 100644 --- a/controls/V-38500.rb +++ b/controls/V-38500.rb 
@@ -1,18 +1,18 @@ -control "V-38500" do - title "The root account must be the only account having a UID of 0." +control 'V-38500' do + title 'The root account must be the only account having a UID of 0.' desc "An account has root authority if it has a UID of 0. Multiple accounts with a UID of 0 afford more opportunity for potential intruders to guess a password for a privileged account. Proper configuration of sudo is recommended to afford multiple system administrators access to root privileges in an accountable manner." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38500" - tag "rid": "SV-50301r2_rule" - tag "stig_id": "RHEL-06-000032" - tag "fix_id": "F-43447r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38500' + tag "rid": 'SV-50301r2_rule' + tag "stig_id": 'RHEL-06-000032' + tag "fix_id": 'F-43447r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -34,8 +34,7 @@ misconfiguration should be investigated and the accounts other than root should be removed or have their UID changed." - describe file("/etc/passwd") do - its("content") { should_not match(/^(?!root:)[^:]*:[^:]:0/) } + describe file('/etc/passwd') do + its('content') { should_not match(/^(?!root:)[^:]*:[^:]:0/) } end end - diff --git a/controls/V-38501.rb b/controls/V-38501.rb index b8910db..a58ce94 100644 --- a/controls/V-38501.rb +++ b/controls/V-38501.rb 
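Review bot: The UID 0 check in the `@@ -34,8 +34,7 @@` hunk uses `[^:]` for the password field, which matches exactly one character, so a non-root UID 0 entry whose second field is empty, `!!` or a stored hash is not detected. The trailing `:0` is also unanchored, so it matches any UID that merely starts with 0. Allowing a field of any length and closing the UID field fixes both: `its('content') { should_not match(/^(?!root:)[^:]*:[^:]*:0:/) }`. The control body begins above this hunk.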
@@ -1,16 +1,16 @@ -control "V-38501" do +control 'V-38501' do title "The system must disable accounts after excessive login failures within a 15-minute interval." desc "Locking out user accounts after a number of incorrect attempts within a specific period of time prevents direct password guessing attacks." impact 0.5 - tag "gtitle": "SRG-OS-000249" - tag "gid": "V-38501" - tag "rid": "SV-50302r4_rule" - tag "stig_id": "RHEL-06-000357" - tag "fix_id": "F-43448r6_fix" - tag "cci": ["CCI-001452"] - tag "nist": ["AC-7 a", "Rev_4"] + tag "gtitle": 'SRG-OS-000249' + tag "gid": 'V-38501' + tag "rid": 'SV-50302r4_rule' + tag "stig_id": 'RHEL-06-000357' + tag "fix_id": 'F-43448r6_fix' + tag "cci": ['CCI-001452'] + tag "nist": ['AC-7 a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -56,21 +56,20 @@ \"/etc/pam.d/password-auth\" may be overwritten by the \"authconfig\" program. The \"authconfig\" program should not be used." - file("/etc/pam.d/system-auth").content.to_s.scan(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*deny=(?:[0-9]+).*unlock_time=(?:[0-9]+).*fail_interval=([0-9]+).*$/).flatten.each do |entry| + file('/etc/pam.d/system-auth').content.to_s.scan(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*deny=(?:[0-9]+).*unlock_time=(?:[0-9]+).*fail_interval=([0-9]+).*$/).flatten.each do |entry| describe entry do it { should cmp >= 900 } end end - describe file("/etc/pam.d/system-auth") do - its("content") { should match(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*deny=(?:[0-9]+).*unlock_time=(?:[0-9]+).*fail_interval=([0-9]+).*$/) } + describe file('/etc/pam.d/system-auth') do + its('content') { should match(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*deny=(?:[0-9]+).*unlock_time=(?:[0-9]+).*fail_interval=([0-9]+).*$/) } end - file("/etc/pam.d/password-auth").content.to_s.scan(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*deny=(?:[0-9]+).*unlock_time=(?:[0-9]+).*fail_interval=([0-9]+).*$/).flatten.each do |entry| + file('/etc/pam.d/password-auth').content.to_s.scan(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*deny=(?:[0-9]+).*unlock_time=(?:[0-9]+).*fail_interval=([0-9]+).*$/).flatten.each do |entry| describe entry do it { should cmp >= 900 } end end - describe file("/etc/pam.d/password-auth") do - its("content") { should match(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*deny=(?:[0-9]+).*unlock_time=(?:[0-9]+).*fail_interval=([0-9]+).*$/) } + describe file('/etc/pam.d/password-auth') do + its('content') { should 
match(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*deny=(?:[0-9]+).*unlock_time=(?:[0-9]+).*fail_interval=([0-9]+).*$/) } end end - diff --git a/controls/V-38502.rb b/controls/V-38502.rb index ec53762..e29a93d 100644 --- a/controls/V-38502.rb +++ b/controls/V-38502.rb @@ -1,18 +1,18 @@ -control "V-38502" do - title "The /etc/shadow file must be owned by root." +control 'V-38502' do + title 'The /etc/shadow file must be owned by root.' desc "The \"/etc/shadow\" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38502" - tag "rid": "SV-50303r1_rule" - tag "stig_id": "RHEL-06-000033" - tag "fix_id": "F-43449r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38502' + tag "rid": 'SV-50303r1_rule' + tag "stig_id": 'RHEL-06-000033' + tag "fix_id": 'F-43449r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -34,11 +34,10 @@ # chown root /etc/shadow" - describe file("/etc/shadow") do + describe file('/etc/shadow') do it { should exist } end - describe file("/etc/shadow") do - its("uid") { should cmp 0 } + describe file('/etc/shadow') do + its('uid') { should cmp 0 } end end - diff --git a/controls/V-38503.rb b/controls/V-38503.rb index 93dae2e..9bfe1dd 100644 --- a/controls/V-38503.rb +++ b/controls/V-38503.rb 
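Review bot: The pam_faillock pattern in the `@@ -56,21 +56,20 @@` hunk requires `deny=`, `unlock_time=` and `fail_interval=` to appear in exactly that order, but PAM module arguments are not positional as far as I know, so a compliant line written in another order fails `should match` and yields no entries for the `cmp >= 900` loop. The same long literal is also repeated four times, which makes any correction easy to apply unevenly. I would bind it once and key only on the option being tested, e.g. `faillock = /^\s*auth\s+(?:sufficient|\[default=die\])\s+pam_faillock\.so\s+authfail\b.*\bfail_interval=([0-9]+)/`, then use `faillock` in both `scan` calls and both `match` calls. The control body begins above this hunk.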
@@ -1,15 +1,15 @@ -control "V-38503" do - title "The /etc/shadow file must be group-owned by root." +control 'V-38503' do + title 'The /etc/shadow file must be group-owned by root.' desc "The \"/etc/shadow\" file stores password hashes. Protection of this file is critical for system security." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38503" - tag "rid": "SV-50304r1_rule" - tag "stig_id": "RHEL-06-000034" - tag "fix_id": "F-43450r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38503' + tag "rid": 'SV-50304r1_rule' + tag "stig_id": 'RHEL-06-000034' + tag "fix_id": 'F-43450r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -33,11 +33,10 @@ # chgrp root /etc/shadow" - describe file("/etc/shadow") do + describe file('/etc/shadow') do it { should exist } end - describe file("/etc/shadow") do - its("gid") { should cmp 0 } + describe file('/etc/shadow') do + its('gid') { should cmp 0 } end end - diff --git a/controls/V-38504.rb b/controls/V-38504.rb index 52651ea..f03851b 100644 --- a/controls/V-38504.rb +++ b/controls/V-38504.rb 
@@ -1,18 +1,18 @@ -control "V-38504" do - title "The /etc/shadow file must have mode 0000." +control 'V-38504' do + title 'The /etc/shadow file must have mode 0000.' desc "The \"/etc/shadow\" file contains the list of local system accounts and stores password hashes. Protection of this file is critical for system security. Failure to give ownership of this file to root provides the designated owner with access to sensitive information which could weaken the system security posture." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38504" - tag "rid": "SV-50305r1_rule" - tag "stig_id": "RHEL-06-000035" - tag "fix_id": "F-43451r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38504' + tag "rid": 'SV-50305r1_rule' + tag "stig_id": 'RHEL-06-000035' + tag "fix_id": 'F-43451r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -35,50 +35,49 @@ # chmod 0000 /etc/shadow" - describe file("/etc/shadow") do + describe file('/etc/shadow') do it { should exist } end - describe file("/etc/shadow") do - it { should_not be_executable.by "group" } + describe file('/etc/shadow') do + it { should_not be_executable.by 'group' } end - describe file("/etc/shadow") do - it { should_not be_readable.by "group" } + describe file('/etc/shadow') do + it { should_not be_readable.by 'group' } end - describe file("/etc/shadow") do - its("gid") { should cmp 0 } + describe file('/etc/shadow') do + its('gid') { should cmp 0 } end - describe file("/etc/shadow") do - it { should_not be_writable.by "group" } + describe file('/etc/shadow') do + it { should_not be_writable.by 'group' } end - describe file("/etc/shadow") do - it { should_not be_executable.by "other" } + describe file('/etc/shadow') do + it { should_not be_executable.by 'other' } end - describe file("/etc/shadow") do - it { should_not be_readable.by "other" } + describe file('/etc/shadow') do + it { should_not be_readable.by 'other' } end - describe file("/etc/shadow") do - it { should_not be_writable.by "other" } + describe file('/etc/shadow') do + it { should_not be_writable.by 'other' } end - describe file("/etc/shadow") do + describe file('/etc/shadow') do it { should_not be_setgid } end - describe file("/etc/shadow") do + describe file('/etc/shadow') do it { should_not be_sticky } end - describe file("/etc/shadow") do + describe file('/etc/shadow') do it { should_not be_setuid } end - describe file("/etc/shadow") do - it { should_not be_executable.by "owner" } + describe file('/etc/shadow') do + it { should_not be_executable.by 'owner' } end - describe file("/etc/shadow") do - it { should_not be_readable.by "owner" } + describe file('/etc/shadow') do + it { should_not be_readable.by 'owner' } end - describe file("/etc/shadow") do - its("uid") { should cmp 0 } + describe file('/etc/shadow') do + its('uid') { should cmp 0 } end - describe 
file("/etc/shadow") do - it { should_not be_writable.by "owner" } + describe file('/etc/shadow') do + it { should_not be_writable.by 'owner' } end end - diff --git a/controls/V-38511.rb b/controls/V-38511.rb index 0117090..a95942a 100644 --- a/controls/V-38511.rb +++ b/controls/V-38511.rb @@ -1,17 +1,17 @@ -control "V-38511" do +control 'V-38511' do title "IP forwarding for IPv4 must not be enabled, unless the system is a router." desc "IP forwarding permits the kernel to forward packets from one network interface to another. The ability to forward packets between two networks is only appropriate for systems acting as routers." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38511" - tag "rid": "SV-50312r2_rule" - tag "stig_id": "RHEL-06-000082" - tag "fix_id": "F-43458r2_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38511' + tag "rid": 'SV-50312r2_rule' + tag "stig_id": 'RHEL-06-000082' + tag "fix_id": 'F-43458r2_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -45,14 +45,13 @@ net.ipv4.ip_forward = 0" - describe kernel_parameter("net.ipv4.ip_forward") do - its("value") { should_not be_nil } + describe kernel_parameter('net.ipv4.ip_forward') do + its('value') { should_not be_nil } end - describe kernel_parameter("net.ipv4.ip_forward") do - its("value") { should eq 0 } + describe kernel_parameter('net.ipv4.ip_forward') do + its('value') { should eq 0 } end - describe file("/etc/sysctl.conf") do - its("content") { should match(/^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$/) } + describe file('/etc/sysctl.conf') do + its('content') { should match(/^[\s]*net.ipv4.ip_forward[\s]*=[\s]*0[\s]*$/) } end end - diff --git a/controls/V-38512.rb b/controls/V-38512.rb index 0817653..13cefa0 100644 --- a/controls/V-38512.rb +++ b/controls/V-38512.rb 
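Review bot: The mode check for `/etc/shadow` in the `@@ -35,50 +35,49 @@` hunk is spread over fifteen separate `describe file('/etc/shadow')` blocks, one per permission bit, which is hard to audit against the "mode 0000" requirement and produces fifteen result rows for one property. A single block with `it { should exist }` and `its('mode') { should cmp '0000' }` states the requirement directly and also covers the setuid, setgid and sticky bits. The `uid` and `gid` assertions duplicate V-38502 and V-38503 and could be dropped from this control. The control body begins above this hunk.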
@@ -1,17 +1,17 @@ -control "V-38512" do +control 'V-38512' do title "The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices." desc "The \"iptables\" service provides the system's host-based firewalling capability for IPv4 and ICMP." impact 0.5 - tag "gtitle": "SRG-OS-000146" - tag "gid": "V-38512" - tag "rid": "SV-50313r2_rule" - tag "stig_id": "RHEL-06-000117" - tag "fix_id": "F-43459r2_fix" - tag "cci": ["CCI-001100"] - tag "nist": ["SC-7 (2)", "Rev_4"] + tag "gtitle": 'SRG-OS-000146' + tag "gid": 'V-38512' + tag "rid": 'SV-50313r2_rule' + tag "stig_id": 'RHEL-06-000117' + tag "fix_id": 'F-43459r2_fix' + tag "cci": ['CCI-001100'] + tag "nist": ['SC-7 (2)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -46,4 +46,3 @@ it { should be_running } end end - diff --git a/controls/V-38513.rb b/controls/V-38513.rb index af736f0..7d4f448 100644 --- a/controls/V-38513.rb +++ b/controls/V-38513.rb @@ -1,4 +1,4 @@ -control "V-38513" do +control 'V-38513' do title "The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets." desc "In \"iptables\" the default policy is applied only after all the @@ -6,13 +6,13 @@ policy to \"DROP\" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted." impact 0.5 - tag "gtitle": "SRG-OS-000231" - tag "gid": "V-38513" - tag "rid": "SV-50314r2_rule" - tag "stig_id": "RHEL-06-000120" - tag "fix_id": "F-43460r1_fix" - tag "cci": ["CCI-000066"] - tag "nist": ["AC-17 e", "Rev_4"] + tag "gtitle": 'SRG-OS-000231' + tag "gid": 'V-38513' + tag "rid": 'SV-50314r2_rule' + tag "stig_id": 'RHEL-06-000120' + tag "fix_id": 'F-43460r1_fix' + tag "cci": ['CCI-000066'] + tag "nist": ['AC-17 e', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -38,8 +38,7 @@ :INPUT DROP [0:0]" - describe command("iptables -nvL | grep -i input") do - its('stdout.strip') { should match %r{Chain INPUT \(policy DROP} } + describe command('iptables -nvL | grep -i input') do + its('stdout.strip') { should match /Chain INPUT \(policy DROP/ } end end - diff --git a/controls/V-38514.rb b/controls/V-38514.rb index 337c31f..ac38ddc 100644 --- a/controls/V-38514.rb +++ b/controls/V-38514.rb @@ -1,16 +1,16 @@ -control "V-38514" do +control 'V-38514' do title "The Datagram Congestion Control Protocol (DCCP) must be disabled unless required." desc "Disabling DCCP protects the system against exploitation of any flaws in its implementation." impact 0.5 - tag "gtitle": "SRG-OS-000096" - tag "gid": "V-38514" - tag "rid": "SV-50315r5_rule" - tag "stig_id": "RHEL-06-000124" - tag "fix_id": "F-43461r3_fix" - tag "cci": ["CCI-000382"] - tag "nist": ["CM-7 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000096' + tag "gid": 'V-38514' + tag "rid": 'SV-50315r5_rule' + tag "stig_id": 'RHEL-06-000124' + tag "fix_id": 'F-43461r3_fix' + tag "cci": ['CCI-000382'] + tag "nist": ['CM-7 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -42,14 +42,13 @@ install dccp /bin/true" describe.one do - command("find /etc/modprobe.d -type f -regex .\\*/\\^.\\*\\\\.conf\\$").stdout.split.each do |entry| + command('find /etc/modprobe.d -type f -regex .\\*/\\^.\\*\\\\.conf\\$').stdout.split.each do |entry| describe file(entry) do - its("content") { should match(/^\s*install\s+dccp\s+(\/bin\/true)\s*$/) } + its('content') { should match(/^\s*install\s+dccp\s+(\/bin\/true)\s*$/) } end end - describe file("/etc/modprobe.conf") do - its("content") { should match(/^\s*install\s+dccp\s+(\/bin\/true)\s*$/) } + describe file('/etc/modprobe.conf') do + its('content') { should match(/^\s*install\s+dccp\s+(\/bin\/true)\s*$/) } end end end - diff --git a/controls/V-38515.rb b/controls/V-38515.rb index 2d297ab..15e3fc8 100644 
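Review bot: The V-38513 hunk at `@@ -38,8 +38,7 @@` now passes a bare regexp literal to the matcher, `should match /Chain INPUT \(policy DROP/`, which Ruby reports as an ambiguous first argument under warnings and which differs from the `match(/.../)` form used everywhere else in this patch. Writing it as `its('stdout.strip') { should match(/Chain INPUT \(policy DROP/) }` removes the ambiguity. The same applies to the `@@ -65,9 +65,8 @@` hunks of V-38520 and V-38521, where `should (match /.../).or (match /.../). or (match /.../)` also carries a stray `. or`. Those three alternatives can be one parenthesised call: `should match(/^\s*\*\.\*\s+(?:@@?|:omrelp:)[^@#]+/)`.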
--- a/controls/V-38515.rb +++ b/controls/V-38515.rb @@ -1,16 +1,16 @@ -control "V-38515" do +control 'V-38515' do title "The Stream Control Transmission Protocol (SCTP) must be disabled unless required." desc "Disabling SCTP protects the system against exploitation of any flaws in its implementation." impact 0.5 - tag "gtitle": "SRG-OS-000096" - tag "gid": "V-38515" - tag "rid": "SV-50316r5_rule" - tag "stig_id": "RHEL-06-000125" - tag "fix_id": "F-43462r3_fix" - tag "cci": ["CCI-000382"] - tag "nist": ["CM-7 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000096' + tag "gid": 'V-38515' + tag "rid": 'SV-50316r5_rule' + tag "stig_id": 'RHEL-06-000125' + tag "fix_id": 'F-43462r3_fix' + tag "cci": ['CCI-000382'] + tag "nist": ['CM-7 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -42,14 +42,13 @@ install sctp /bin/true" describe.one do - command("find /etc/modprobe.d -type f -regex .\\*/\\^.\\*\\\\.conf\\$").stdout.split.each do |entry| + command('find /etc/modprobe.d -type f -regex .\\*/\\^.\\*\\\\.conf\\$').stdout.split.each do |entry| describe file(entry) do - its("content") { should match(/^\s*install\s+sctp\s+(\/bin\/true)\s*$/) } + its('content') { should match(/^\s*install\s+sctp\s+(\/bin\/true)\s*$/) } end end - describe file("/etc/modprobe.conf") do - its("content") { should match(/^\s*install\s+sctp\s+(\/bin\/true)\s*$/) } + describe file('/etc/modprobe.conf') do + its('content') { should match(/^\s*install\s+sctp\s+(\/bin\/true)\s*$/) } end end end - diff --git a/controls/V-38516.rb b/controls/V-38516.rb index de5c511..e5ef2e2 100644 --- a/controls/V-38516.rb +++ b/controls/V-38516.rb 
@@ -1,16 +1,16 @@ -control "V-38516" do +control 'V-38516' do title "The Reliable Datagram Sockets (RDS) protocol must be disabled unless required." desc "Disabling RDS protects the system against exploitation of any flaws in its implementation." impact 0.3 - tag "gtitle": "SRG-OS-000096" - tag "gid": "V-38516" - tag "rid": "SV-50317r3_rule" - tag "stig_id": "RHEL-06-000126" - tag "fix_id": "F-43463r4_fix" - tag "cci": ["CCI-000382"] - tag "nist": ["CM-7 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000096' + tag "gid": 'V-38516' + tag "rid": 'SV-50317r3_rule' + tag "stig_id": 'RHEL-06-000126' + tag "fix_id": 'F-43463r4_fix' + tag "cci": ['CCI-000382'] + tag "nist": ['CM-7 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -41,14 +41,13 @@ install rds /bin/true" describe.one do - command("find /etc/modprobe.d -type f -regex .\\*/\\^.\\*\\\\.conf\\$").stdout.split.each do |entry| + command('find /etc/modprobe.d -type f -regex .\\*/\\^.\\*\\\\.conf\\$').stdout.split.each do |entry| describe file(entry) do - its("content") { should match(/^\s*install\s+rds\s+(\/bin\/true)\s*$/) } + its('content') { should match(/^\s*install\s+rds\s+(\/bin\/true)\s*$/) } end end - describe file("/etc/modprobe.conf") do - its("content") { should match(/^\s*install\s+rds\s+(\/bin\/true)\s*$/) } + describe file('/etc/modprobe.conf') do + its('content') { should match(/^\s*install\s+rds\s+(\/bin\/true)\s*$/) } end end end - diff --git a/controls/V-38517.rb b/controls/V-38517.rb index 1e33750..257a0c7 100644 --- a/controls/V-38517.rb +++ b/controls/V-38517.rb 
@@ -1,16 +1,16 @@ -control "V-38517" do +control 'V-38517' do title "The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required." desc "Disabling TIPC protects the system against exploitation of any flaws in its implementation." impact 0.5 - tag "gtitle": "SRG-OS-000096" - tag "gid": "V-38517" - tag "rid": "SV-50318r5_rule" - tag "stig_id": "RHEL-06-000127" - tag "fix_id": "F-43464r3_fix" - tag "cci": ["CCI-000382"] - tag "nist": ["CM-7 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000096' + tag "gid": 'V-38517' + tag "rid": 'SV-50318r5_rule' + tag "stig_id": 'RHEL-06-000127' + tag "fix_id": 'F-43464r3_fix' + tag "cci": ['CCI-000382'] + tag "nist": ['CM-7 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -41,14 +41,13 @@ install tipc /bin/true" describe.one do - command("find /etc/modprobe.d -type f -regex .\\*/\\^.\\*\\\\.conf\\$").stdout.split.each do |entry| + command('find /etc/modprobe.d -type f -regex .\\*/\\^.\\*\\\\.conf\\$').stdout.split.each do |entry| describe file(entry) do - its("content") { should match(/^\s*install\s+tipc\s+(\/bin\/true)\s*$/) } + its('content') { should match(/^\s*install\s+tipc\s+(\/bin\/true)\s*$/) } end end - describe file("/etc/modprobe.conf") do - its("content") { should match(/^\s*install\s+tipc\s+(\/bin\/true)\s*$/) } + describe file('/etc/modprobe.conf') do + its('content') { should match(/^\s*install\s+tipc\s+(\/bin\/true)\s*$/) } end end end - diff --git a/controls/V-38518.rb b/controls/V-38518.rb index 146accd..ec93ab7 100644 --- a/controls/V-38518.rb +++ b/controls/V-38518.rb 
@@ -1,16 +1,16 @@ -control "V-38518" do - title "All rsyslog-generated log files must be owned by root." +control 'V-38518' do + title 'All rsyslog-generated log files must be owned by root.' desc "The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access." impact 0.5 - tag "gtitle": "SRG-OS-000206" - tag "gid": "V-38518" - tag "rid": "SV-50319r2_rule" - tag "stig_id": "RHEL-06-000133" - tag "fix_id": "F-43465r1_fix" - tag "cci": ["CCI-001314"] - tag "nist": ["SI-11 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000206' + tag "gid": 'V-38518' + tag "rid": 'SV-50319r2_rule' + tag "stig_id": 'RHEL-06-000133' + tag "fix_id": 'F-43465r1_fix' + tag "cci": ['CCI-001314'] + tag "nist": ['SI-11 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -47,27 +47,27 @@ # strip comments, empty lines, and lines which start with $ in order to get rules rules = file('/etc/rsyslog.conf').content.lines.map do |l| pound_index = l.index('#') - l = l.slice(0, pound_index) if !pound_index.nil? + l = l.slice(0, pound_index) unless pound_index.nil? l.strip - end.reject { |l| l.empty? or l.start_with? '$' } + end.reject { |l| l.empty? || l.start_with?('$') } paths = rules.map do |r| - filter, action = r.split(%r{\s+}) - next if !(action.start_with? '-/' or action.start_with? '/') + _filter, action = r.split(/\s+/) + next unless action.start_with? '-/', '/' + action.sub(%r{^-/}, '/') - end.reject { |path| path.nil? } + end.reject(&:nil?) if paths.empty? - describe "rsyslog log files" do + describe 'rsyslog log files' do subject { paths } it { should be_empty } end else paths.each do |path| - describe file(path) do + describe file(path) do its('owner') { should eq 'root' } end end end end - diff --git a/controls/V-38519.rb b/controls/V-38519.rb index 29b619e..aa97d5d 100644 --- a/controls/V-38519.rb 
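Review bot: In the `@@ -47,27 +47,27 @@` hunk, `action` is nil whenever an rsyslog.conf line has only one whitespace-separated token, so `next unless action.start_with? '-/', '/'` raises NoMethodError and the whole control errors out instead of reporting on the log files. Guarding the call keeps the scan going: `next unless action.to_s.start_with?('-/', '/')`. An action that carries a template suffix after `;` would, it seems, be passed to `file(path)` unchanged, so stripping it before the ownership check is worth considering. `.reject(&:nil?)` can be `.compact`. The identical hunk in V-38519 needs the same change; the control body begins above this hunk.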
+++ b/controls/V-38519.rb @@ -1,16 +1,16 @@ -control "V-38519" do - title "All rsyslog-generated log files must be group-owned by root." +control 'V-38519' do + title 'All rsyslog-generated log files must be group-owned by root.' desc "The log files generated by rsyslog contain valuable information regarding system configuration, user authentication, and other such information. Log files should be protected from unauthorized access." impact 0.5 - tag "gtitle": "SRG-OS-000206" - tag "gid": "V-38519" - tag "rid": "SV-50320r2_rule" - tag "stig_id": "RHEL-06-000134" - tag "fix_id": "F-43466r1_fix" - tag "cci": ["CCI-001314"] - tag "nist": ["SI-11 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000206' + tag "gid": 'V-38519' + tag "rid": 'SV-50320r2_rule' + tag "stig_id": 'RHEL-06-000134' + tag "fix_id": 'F-43466r1_fix' + tag "cci": ['CCI-001314'] + tag "nist": ['SI-11 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -47,27 +47,27 @@ # strip comments, empty lines, and lines which start with $ in order to get rules rules = file('/etc/rsyslog.conf').content.lines.map do |l| pound_index = l.index('#') - l = l.slice(0, pound_index) if !pound_index.nil? + l = l.slice(0, pound_index) unless pound_index.nil? l.strip - end.reject { |l| l.empty? or l.start_with? '$' } + end.reject { |l| l.empty? || l.start_with?('$') } paths = rules.map do |r| - filter, action = r.split(%r{\s+}) - next if !(action.start_with? '-/' or action.start_with? '/') + _filter, action = r.split(/\s+/) + next unless action.start_with? '-/', '/' + action.sub(%r{^-/}, '/') - end.reject { |path| path.nil? } + end.reject(&:nil?) if paths.empty? - describe "rsyslog log files" do + describe 'rsyslog log files' do subject { paths } it { should be_empty } end else paths.each do |path| - describe file(path) do + describe file(path) do its('group') { should eq 'root' } end end end end - diff --git a/controls/V-38520.rb b/controls/V-38520.rb index 00e0e1d..5c49bb6 100644 
--- a/controls/V-38520.rb +++ b/controls/V-38520.rb @@ -1,4 +1,4 @@ -control "V-38520" do +control 'V-38520' do title "The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited." @@ -8,13 +8,13 @@ to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise." impact 0.5 - tag "gtitle": "SRG-OS-000215" - tag "gid": "V-38520" - tag "rid": "SV-50321r1_rule" - tag "stig_id": "RHEL-06-000136" - tag "fix_id": "F-43468r1_fix" - tag "cci": ["CCI-001348"] - tag "nist": ["AU-9 (2)", "Rev_4"] + tag "gtitle": 'SRG-OS-000215' + tag "gid": 'V-38520' + tag "rid": 'SV-50321r1_rule' + tag "stig_id": 'RHEL-06-000136' + tag "fix_id": 'F-43468r1_fix' + tag "cci": ['CCI-001348'] + tag "nist": ['AU-9 (2)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -65,9 +65,8 @@ *.* :omrelp:[loghost.example.com]" describe file('/etc/rsyslog.conf') do - its('content') { - should (match %r{^\s*\*\.\*\s+@[^@#]+}).or (match %r{^\s*\*\.\*\s+@@[^@#]+}). or (match %r{^\s*\*\.\*\s+:omrelp:[^@#]+}) - } + its('content') do + should (match /^\s*\*\.\*\s+@[^@#]+/).or (match /^\s*\*\.\*\s+@@[^@#]+/). or (match /^\s*\*\.\*\s+:omrelp:[^@#]+/) + end end end - diff --git a/controls/V-38521.rb b/controls/V-38521.rb index a153304..a64a9b6 100644 --- a/controls/V-38521.rb +++ b/controls/V-38521.rb @@ -1,4 +1,4 @@ -control "V-38521" do +control 'V-38521' do title "The operating system must support the requirement to centrally manage the content of audit records generated by organization defined information system components." 
@@ -8,13 +8,13 @@ to a remote loghost also provides system administrators with a centralized place to view the status of multiple hosts within the enterprise." impact 0.5 - tag "gtitle": "SRG-OS-000043" - tag "gid": "V-38521" - tag "rid": "SV-50322r1_rule" - tag "stig_id": "RHEL-06-000137" - tag "fix_id": "F-43656r1_fix" - tag "cci": ["CCI-000169"] - tag "nist": ["AU-12 a", "Rev_4"] + tag "gtitle": 'SRG-OS-000043' + tag "gid": 'V-38521' + tag "rid": 'SV-50322r1_rule' + tag "stig_id": 'RHEL-06-000137' + tag "fix_id": 'F-43656r1_fix' + tag "cci": ['CCI-000169'] + tag "nist": ['AU-12 a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -65,9 +65,8 @@ *.* :omrelp:[loghost.example.com]" describe file('/etc/rsyslog.conf') do - its('content') { - should (match %r{^\s*\*\.\*\s+@[^@#]+}).or (match %r{^\s*\*\.\*\s+@@[^@#]+}). or (match %r{^\s*\*\.\*\s+:omrelp:[^@#]+}) - } + its('content') do + should (match /^\s*\*\.\*\s+@[^@#]+/).or (match /^\s*\*\.\*\s+@@[^@#]+/). or (match /^\s*\*\.\*\s+:omrelp:[^@#]+/) + end end end - diff --git a/controls/V-38522.rb b/controls/V-38522.rb index d928143..10b34c8 100644 --- a/controls/V-38522.rb +++ b/controls/V-38522.rb @@ -1,4 +1,4 @@ -control "V-38522" do +control 'V-38522' do title "The audit system must be configured to audit all attempts to alter system time through settimeofday." desc "Arbitrary changes to the system time can be used to obfuscate 
@@ -6,13 +6,13 @@ are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited." impact 0.3 - tag "gtitle": "SRG-OS-000062" - tag "gid": "V-38522" - tag "rid": "SV-50323r3_rule" - tag "stig_id": "RHEL-06-000167" - tag "fix_id": "F-43470r2_fix" - tag "cci": ["CCI-000169"] - tag "nist": ["AU-12 a", "Rev_4"] + tag "gtitle": 'SRG-OS-000062' + tag "gid": 'V-38522' + tag "rid": 'SV-50323r3_rule' + tag "stig_id": 'RHEL-06-000167' + tag "fix_id": 'F-43470r2_fix' + tag "cci": ['CCI-000169'] + tag "nist": ['AU-12 a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -50,13 +50,12 @@ -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^-[Aa][\s]*(?:exit,always|always,exit)[\s]+-F[\s]+arch=b32.*(?:-S[\s]+|,)settimeofday(?:[\s]+|,).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^-[Aa][\s]*(?:exit,always|always,exit)[\s]+-F[\s]+arch=b32.*(?:-S[\s]+|,)settimeofday(?:[\s]+|,).*-k[\s]+[\S]+[\s]*$/) } end describe.one do - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^-[Aa][\s]*(?:exit,always|always,exit)[\s]+-F[\s]+arch=b64.*(?:-S[\s]+|,)settimeofday(?:[\s]+|,).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^-[Aa][\s]*(?:exit,always|always,exit)[\s]+-F[\s]+arch=b64.*(?:-S[\s]+|,)settimeofday(?:[\s]+|,).*-k[\s]+[\S]+[\s]*$/) } end end end - diff --git a/controls/V-38523.rb b/controls/V-38523.rb index 780bf43..a43030b 100644 --- a/controls/V-38523.rb +++ b/controls/V-38523.rb 
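Review bot: In the `@@ -50,13 +50,12 @@` hunk of controls/V-38522.rb, `describe.one` wraps a single `describe`, so it offers no alternative and the arch=b64 rule is required on every host, including 32-bit systems where only the b32 rule applies. If the b64 check was meant to be conditional, replace the wrapper with a guard such as `if os.arch == 'x86_64'` around the b64 `describe`. If it is meant to be mandatory, drop `describe.one` so the intent is unambiguous. controls/V-38527.rb carries the same construct in its `@@ -50,13 +50,12 @@` hunk.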
@@ -1,16 +1,16 @@ -control "V-38523" do +control 'V-38523' do title "The system must not accept IPv4 source-routed packets on any interface." desc "Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38523" - tag "rid": "SV-50324r2_rule" - tag "stig_id": "RHEL-06-000083" - tag "fix_id": "F-43471r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38523' + tag "rid": 'SV-50324r2_rule' + tag "stig_id": 'RHEL-06-000083' + tag "fix_id": 'F-43471r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -44,14 +44,13 @@ net.ipv4.conf.all.accept_source_route = 0" - describe kernel_parameter("net.ipv4.conf.all.accept_source_route") do - its("value") { should_not be_nil } + describe kernel_parameter('net.ipv4.conf.all.accept_source_route') do + its('value') { should_not be_nil } end - describe kernel_parameter("net.ipv4.conf.all.accept_source_route") do - its("value") { should eq 0 } + describe kernel_parameter('net.ipv4.conf.all.accept_source_route') do + its('value') { should eq 0 } end - describe file("/etc/sysctl.conf") do - its("content") { should match(/^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*0[\s]*$/) } + describe file('/etc/sysctl.conf') do + its('content') { should match(/^[\s]*net.ipv4.conf.all.accept_source_route[\s]*=[\s]*0[\s]*$/) } end end - diff --git a/controls/V-38524.rb b/controls/V-38524.rb index 2fcab50..5d6f6c9 100644 --- a/controls/V-38524.rb +++ b/controls/V-38524.rb 
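Review bot: The /etc/sysctl.conf pattern in the `@@ -44,14 +44,13 @@` hunk of controls/V-38523.rb leaves the dots in the parameter name unescaped, so each `.` matches any character and the check is looser than the setting it names. Escaping them pins it: `should match(/^\s*net\.ipv4\.conf\.all\.accept_source_route\s*=\s*0\s*$/)`. The first `describe kernel_parameter(...)` with `should_not be_nil` is also redundant, because the following `should eq 0` already fails on a nil value. Both points apply equally to the sysctl hunks of V-38524, V-38526, V-38528, V-38529, V-38532, V-38533, V-38535, V-38537 and V-38539 in this patch.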
@@ -1,15 +1,15 @@ -control "V-38524" do - title "The system must not accept ICMPv4 redirect packets on any interface." +control 'V-38524' do + title 'The system must not accept ICMPv4 redirect packets on any interface.' desc "Accepting ICMP redirects has few legitimate uses. It should be disabled unless it is absolutely required." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38524" - tag "rid": "SV-50325r2_rule" - tag "stig_id": "RHEL-06-000084" - tag "fix_id": "F-43472r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38524' + tag "rid": 'SV-50325r2_rule' + tag "stig_id": 'RHEL-06-000084' + tag "fix_id": 'F-43472r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -43,14 +43,13 @@ net.ipv4.conf.all.accept_redirects = 0" - describe kernel_parameter("net.ipv4.conf.all.accept_redirects") do - its("value") { should_not be_nil } + describe kernel_parameter('net.ipv4.conf.all.accept_redirects') do + its('value') { should_not be_nil } end - describe kernel_parameter("net.ipv4.conf.all.accept_redirects") do - its("value") { should eq 0 } + describe kernel_parameter('net.ipv4.conf.all.accept_redirects') do + its('value') { should eq 0 } end - describe file("/etc/sysctl.conf") do - its("content") { should match(/^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*0[\s]*$/) } + describe file('/etc/sysctl.conf') do + its('content') { should match(/^[\s]*net.ipv4.conf.all.accept_redirects[\s]*=[\s]*0[\s]*$/) } end end - diff --git a/controls/V-38525.rb b/controls/V-38525.rb index cb94b5d..74b3380 100644 --- a/controls/V-38525.rb +++ b/controls/V-38525.rb @@ -1,4 +1,4 @@ -control "V-38525" do +control 'V-38525' do title "The audit system must be configured to audit all attempts to alter system time through stime." desc "Arbitrary changes to the system time can be used to obfuscate 
@@ -6,13 +6,13 @@ are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited." impact 0.3 - tag "gtitle": "SRG-OS-000062" - tag "gid": "V-38525" - tag "rid": "SV-50326r4_rule" - tag "stig_id": "RHEL-06-000169" - tag "fix_id": "F-43473r4_fix" - tag "cci": ["CCI-000169"] - tag "nist": ["AU-12 a", "Rev_4"] + tag "gtitle": 'SRG-OS-000062' + tag "gid": 'V-38525' + tag "rid": 'SV-50326r4_rule' + tag "stig_id": 'RHEL-06-000169' + tag "fix_id": 'F-43473r4_fix' + tag "cci": ['CCI-000169'] + tag "nist": ['AU-12 a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -48,8 +48,7 @@ -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^-[Aa][\s]*(?:exit,always|always,exit)[\s]+-F[\s]+arch=b32.*(?:-S[\s]+|,)stime(?:[\s]+|,).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^-[Aa][\s]*(?:exit,always|always,exit)[\s]+-F[\s]+arch=b32.*(?:-S[\s]+|,)stime(?:[\s]+|,).*-k[\s]+[\S]+[\s]*$/) } end end - diff --git a/controls/V-38526.rb b/controls/V-38526.rb index fdf49fa..1d95ef1 100644 --- a/controls/V-38526.rb +++ b/controls/V-38526.rb 
@@ -1,17 +1,17 @@ -control "V-38526" do +control 'V-38526' do title "The system must not accept ICMPv4 secure redirect packets on any interface." desc "Accepting \"secure\" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38526" - tag "rid": "SV-50327r2_rule" - tag "stig_id": "RHEL-06-000086" - tag "fix_id": "F-43474r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38526' + tag "rid": 'SV-50327r2_rule' + tag "stig_id": 'RHEL-06-000086' + tag "fix_id": 'F-43474r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -45,14 +45,13 @@ net.ipv4.conf.all.secure_redirects = 0" - describe kernel_parameter("net.ipv4.conf.all.secure_redirects") do - its("value") { should_not be_nil } + describe kernel_parameter('net.ipv4.conf.all.secure_redirects') do + its('value') { should_not be_nil } end - describe kernel_parameter("net.ipv4.conf.all.secure_redirects") do - its("value") { should eq 0 } + describe kernel_parameter('net.ipv4.conf.all.secure_redirects') do + its('value') { should eq 0 } end - describe file("/etc/sysctl.conf") do - its("content") { should match(/^[\s]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*0[\s]*$/) } + describe file('/etc/sysctl.conf') do + its('content') { should match(/^[\s]*net.ipv4.conf.all.secure_redirects[\s]*=[\s]*0[\s]*$/) } end end - diff --git a/controls/V-38527.rb b/controls/V-38527.rb index 613f784..963cd63 100644 --- a/controls/V-38527.rb +++ b/controls/V-38527.rb @@ -1,4 +1,4 @@ -control "V-38527" do +control 'V-38527' do title "The audit system must be configured to audit all attempts to alter system time through clock_settime." desc "Arbitrary changes to the system time can be used to obfuscate 
@@ -6,13 +6,13 @@ are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited." impact 0.3 - tag "gtitle": "SRG-OS-000062" - tag "gid": "V-38527" - tag "rid": "SV-50328r3_rule" - tag "stig_id": "RHEL-06-000171" - tag "fix_id": "F-43475r2_fix" - tag "cci": ["CCI-000169"] - tag "nist": ["AU-12 a", "Rev_4"] + tag "gtitle": 'SRG-OS-000062' + tag "gid": 'V-38527' + tag "rid": 'SV-50328r3_rule' + tag "stig_id": 'RHEL-06-000171' + tag "fix_id": 'F-43475r2_fix' + tag "cci": ['CCI-000169'] + tag "nist": ['AU-12 a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -50,13 +50,12 @@ -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^-[Aa][\s]*(?:exit,always|always,exit)[\s]+-F[\s]+arch=b32.*(?:-S[\s]+|,)clock_settime(?:[\s]+|,).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^-[Aa][\s]*(?:exit,always|always,exit)[\s]+-F[\s]+arch=b32.*(?:-S[\s]+|,)clock_settime(?:[\s]+|,).*-k[\s]+[\S]+[\s]*$/) } end describe.one do - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^-[Aa][\s]*(?:exit,always|always,exit)[\s]+-F[\s]+arch=b64.*(?:-S[\s]+|,)clock_settime(?:[\s]+|,).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^-[Aa][\s]*(?:exit,always|always,exit)[\s]+-F[\s]+arch=b64.*(?:-S[\s]+|,)clock_settime(?:[\s]+|,).*-k[\s]+[\S]+[\s]*$/) } end end end - diff --git a/controls/V-38528.rb b/controls/V-38528.rb index e3613d2..2350c76 100644 --- a/controls/V-38528.rb +++ b/controls/V-38528.rb 
@@ -1,17 +1,17 @@ -control "V-38528" do - title "The system must log Martian packets." +control 'V-38528' do + title 'The system must log Martian packets.' desc "The presence of \"martian\" packets (which have impossible addresses) as well as spoofed packets, source-routed packets, and redirects could be a sign of nefarious network activity. Logging these packets enables this activity to be detected." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38528" - tag "rid": "SV-50329r2_rule" - tag "stig_id": "RHEL-06-000088" - tag "fix_id": "F-43476r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38528' + tag "rid": 'SV-50329r2_rule' + tag "stig_id": 'RHEL-06-000088' + tag "fix_id": 'F-43476r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -44,14 +44,13 @@ net.ipv4.conf.all.log_martians = 1" - describe kernel_parameter("net.ipv4.conf.all.log_martians") do - its("value") { should_not be_nil } + describe kernel_parameter('net.ipv4.conf.all.log_martians') do + its('value') { should_not be_nil } end - describe kernel_parameter("net.ipv4.conf.all.log_martians") do - its("value") { should eq 1 } + describe kernel_parameter('net.ipv4.conf.all.log_martians') do + its('value') { should eq 1 } end - describe file("/etc/sysctl.conf") do - its("content") { should match(/^[\s]*net.ipv4.conf.all.log_martians[\s]*=[\s]*1[\s]*$/) } + describe file('/etc/sysctl.conf') do + its('content') { should match(/^[\s]*net.ipv4.conf.all.log_martians[\s]*=[\s]*1[\s]*$/) } end end - diff --git a/controls/V-38529.rb b/controls/V-38529.rb index a348790..95c87ad 100644 --- a/controls/V-38529.rb +++ b/controls/V-38529.rb 
@@ -1,15 +1,15 @@ -control "V-38529" do - title "The system must not accept IPv4 source-routed packets by default." +control 'V-38529' do + title 'The system must not accept IPv4 source-routed packets by default.' desc "Accepting source-routed packets in the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38529" - tag "rid": "SV-50330r2_rule" - tag "stig_id": "RHEL-06-000089" - tag "fix_id": "F-43478r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38529' + tag "rid": 'SV-50330r2_rule' + tag "stig_id": 'RHEL-06-000089' + tag "fix_id": 'F-43478r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -43,14 +43,13 @@ net.ipv4.conf.default.accept_source_route = 0" - describe kernel_parameter("net.ipv4.conf.default.accept_source_route") do - its("value") { should_not be_nil } + describe kernel_parameter('net.ipv4.conf.default.accept_source_route') do + its('value') { should_not be_nil } end - describe kernel_parameter("net.ipv4.conf.default.accept_source_route") do - its("value") { should eq 0 } + describe kernel_parameter('net.ipv4.conf.default.accept_source_route') do + its('value') { should eq 0 } end - describe file("/etc/sysctl.conf") do - its("content") { should match(/^[\s]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*0[\s]*$/) } + describe file('/etc/sysctl.conf') do + its('content') { should match(/^[\s]*net.ipv4.conf.default.accept_source_route[\s]*=[\s]*0[\s]*$/) } end end - diff --git a/controls/V-38530.rb b/controls/V-38530.rb index b20cbc7..4b35e9b 100644 --- a/controls/V-38530.rb +++ b/controls/V-38530.rb 
@@ -1,4 +1,4 @@ -control "V-38530" do +control 'V-38530' do title "The audit system must be configured to audit all attempts to alter system time through /etc/localtime." desc "Arbitrary changes to the system time can be used to obfuscate @@ -6,13 +6,13 @@ are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited." impact 0.3 - tag "gtitle": "SRG-OS-000062" - tag "gid": "V-38530" - tag "rid": "SV-50331r2_rule" - tag "stig_id": "RHEL-06-000173" - tag "fix_id": "F-43477r1_fix" - tag "cci": ["CCI-000169"] - tag "nist": ["AU-12 a", "Rev_4"] + tag "gtitle": 'SRG-OS-000062' + tag "gid": 'V-38530' + tag "rid": 'SV-50331r2_rule' + tag "stig_id": 'RHEL-06-000173' + tag "fix_id": 'F-43477r1_fix' + tag "cci": ['CCI-000169'] + tag "nist": ['AU-12 a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -39,8 +39,7 @@ used for better reporting capability through ausearch and aureport and should always be used." - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-w[\s]+\/etc\/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*-k[\s]+[\S]+[\s]*$/) } end end - diff --git a/controls/V-38531.rb b/controls/V-38531.rb index 7c17d36..71f84b9 100644 --- a/controls/V-38531.rb +++ b/controls/V-38531.rb 
@@ -1,16 +1,16 @@ -control "V-38531" do - title "The operating system must automatically audit account creation." +control 'V-38531' do + title 'The operating system must automatically audit account creation.' desc "In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy." impact 0.3 - tag "gtitle": "SRG-OS-000004" - tag "gid": "V-38531" - tag "rid": "SV-50332r2_rule" - tag "stig_id": "RHEL-06-000174" - tag "fix_id": "F-43480r1_fix" - tag "cci": ["CCI-000018"] - tag "nist": ["AC-2 (4)", "Rev_4"] + tag "gtitle": 'SRG-OS-000004' + tag "gid": 'V-38531' + tag "rid": 'SV-50332r2_rule' + tag "stig_id": 'RHEL-06-000174' + tag "fix_id": 'F-43480r1_fix' + tag "cci": ['CCI-000018'] + tag "nist": ['AC-2 (4)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -42,20 +42,19 @@ -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^\-w\s+\/etc\/group\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^\-w\s+\/etc\/group\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^\-w\s+\/etc\/passwd\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^\-w\s+\/etc\/passwd\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^\-w\s+\/etc\/gshadow\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^\-w\s+\/etc\/gshadow\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^\-w\s+\/etc\/shadow\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^\-w\s+\/etc\/shadow\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^\-w\s+\/etc\/security\/opasswd\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^\-w\s+\/etc\/security\/opasswd\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } end end - diff --git a/controls/V-38532.rb b/controls/V-38532.rb index 4fbf644..39568c4 100644 --- a/controls/V-38532.rb +++ b/controls/V-38532.rb 
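Review bot: The watch patterns in the `@@ -42,20 +42,19 @@` hunk of controls/V-38531.rb require the permission string to be exactly `wa` and the key to match `\w+`. An equivalent rule written with `-p aw`, `-p rwa` or a hyphenated key therefore fails the control even though writes and attribute changes are audited. controls/V-38530.rb in this same patch already accepts the permutations with `\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b` and a `[\S]+` key. Reusing that form keeps the two consistent, for example `should match(%r{^-w\s+/etc/group\s+-p\s+\b(?:[rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b\s+-k\s+\S+\s*$})`. The identical five checks are repeated in the second hunks of V-38534, V-38536 and V-38538.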
@@ -1,16 +1,16 @@ -control "V-38532" do - title "The system must not accept ICMPv4 secure redirect packets by default." +control 'V-38532' do + title 'The system must not accept ICMPv4 secure redirect packets by default.' desc "Accepting \"secure\" ICMP redirects (from those gateways listed as default gateways) has few legitimate uses. It should be disabled unless it is absolutely required." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38532" - tag "rid": "SV-50333r2_rule" - tag "stig_id": "RHEL-06-000090" - tag "fix_id": "F-43479r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38532' + tag "rid": 'SV-50333r2_rule' + tag "stig_id": 'RHEL-06-000090' + tag "fix_id": 'F-43479r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -44,14 +44,13 @@ net.ipv4.conf.default.secure_redirects = 0" - describe kernel_parameter("net.ipv4.conf.default.secure_redirects") do - its("value") { should_not be_nil } + describe kernel_parameter('net.ipv4.conf.default.secure_redirects') do + its('value') { should_not be_nil } end - describe kernel_parameter("net.ipv4.conf.default.secure_redirects") do - its("value") { should eq 0 } + describe kernel_parameter('net.ipv4.conf.default.secure_redirects') do + its('value') { should eq 0 } end - describe file("/etc/sysctl.conf") do - its("content") { should match(/^[\s]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*0[\s]*$/) } + describe file('/etc/sysctl.conf') do + its('content') { should match(/^[\s]*net.ipv4.conf.default.secure_redirects[\s]*=[\s]*0[\s]*$/) } end end - diff --git a/controls/V-38533.rb b/controls/V-38533.rb index 3ae0387..f93a82c 100644 --- a/controls/V-38533.rb +++ b/controls/V-38533.rb 
@@ -1,15 +1,15 @@ -control "V-38533" do - title "The system must ignore ICMPv4 redirect messages by default." +control 'V-38533' do + title 'The system must ignore ICMPv4 redirect messages by default.' desc "This feature of the IPv4 protocol has few legitimate uses. It should be disabled unless it is absolutely required." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38533" - tag "rid": "SV-50334r3_rule" - tag "stig_id": "RHEL-06-000091" - tag "fix_id": "F-43481r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38533' + tag "rid": 'SV-50334r3_rule' + tag "stig_id": 'RHEL-06-000091' + tag "fix_id": 'F-43481r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -43,14 +43,13 @@ net.ipv4.conf.default.accept_redirects = 0" - describe kernel_parameter("net.ipv4.conf.default.accept_redirects") do - its("value") { should_not be_nil } + describe kernel_parameter('net.ipv4.conf.default.accept_redirects') do + its('value') { should_not be_nil } end - describe kernel_parameter("net.ipv4.conf.default.accept_redirects") do - its("value") { should eq 0 } + describe kernel_parameter('net.ipv4.conf.default.accept_redirects') do + its('value') { should eq 0 } end - describe file("/etc/sysctl.conf") do - its("content") { should match(/^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*0[\s]*$/) } + describe file('/etc/sysctl.conf') do + its('content') { should match(/^[\s]*net.ipv4.conf.default.accept_redirects[\s]*=[\s]*0[\s]*$/) } end end - diff --git a/controls/V-38534.rb b/controls/V-38534.rb index 58b59a9..743d0b3 100644 --- a/controls/V-38534.rb +++ b/controls/V-38534.rb 
@@ -1,16 +1,16 @@ -control "V-38534" do - title "The operating system must automatically audit account modification." +control 'V-38534' do + title 'The operating system must automatically audit account modification.' desc "In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy." impact 0.3 - tag "gtitle": "SRG-OS-000239" - tag "gid": "V-38534" - tag "rid": "SV-50335r2_rule" - tag "stig_id": "RHEL-06-000175" - tag "fix_id": "F-43482r1_fix" - tag "cci": ["CCI-001403"] - tag "nist": ["AC-2 (4)", "Rev_4"] + tag "gtitle": 'SRG-OS-000239' + tag "gid": 'V-38534' + tag "rid": 'SV-50335r2_rule' + tag "stig_id": 'RHEL-06-000175' + tag "fix_id": 'F-43482r1_fix' + tag "cci": ['CCI-001403'] + tag "nist": ['AC-2 (4)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -42,20 +42,19 @@ -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^\-w\s+\/etc\/group\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^\-w\s+\/etc\/group\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^\-w\s+\/etc\/passwd\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^\-w\s+\/etc\/passwd\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^\-w\s+\/etc\/gshadow\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^\-w\s+\/etc\/gshadow\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^\-w\s+\/etc\/shadow\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^\-w\s+\/etc\/shadow\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^\-w\s+\/etc\/security\/opasswd\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^\-w\s+\/etc\/security\/opasswd\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } end end - diff --git a/controls/V-38535.rb b/controls/V-38535.rb index a399077..ad05080 100644 --- a/controls/V-38535.rb +++ b/controls/V-38535.rb 
@@ -1,15 +1,15 @@ -control "V-38535" do - title "The system must not respond to ICMPv4 sent to a broadcast address." +control 'V-38535' do + title 'The system must not respond to ICMPv4 sent to a broadcast address.' desc "Ignoring ICMP echo requests (pings) sent to broadcast or multicast addresses makes the system slightly more difficult to enumerate on the network." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38535" - tag "rid": "SV-50336r2_rule" - tag "stig_id": "RHEL-06-000092" - tag "fix_id": "F-43483r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38535' + tag "rid": 'SV-50336r2_rule' + tag "stig_id": 'RHEL-06-000092' + tag "fix_id": 'F-43483r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -43,14 +43,13 @@ net.ipv4.icmp_echo_ignore_broadcasts = 1" - describe kernel_parameter("net.ipv4.icmp_echo_ignore_broadcasts") do - its("value") { should_not be_nil } + describe kernel_parameter('net.ipv4.icmp_echo_ignore_broadcasts') do + its('value') { should_not be_nil } end - describe kernel_parameter("net.ipv4.icmp_echo_ignore_broadcasts") do - its("value") { should eq 1 } + describe kernel_parameter('net.ipv4.icmp_echo_ignore_broadcasts') do + its('value') { should eq 1 } end - describe file("/etc/sysctl.conf") do - its("content") { should match(/^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*1[\s]*$/) } + describe file('/etc/sysctl.conf') do + its('content') { should match(/^[\s]*net.ipv4.icmp_echo_ignore_broadcasts[\s]*=[\s]*1[\s]*$/) } end end - diff --git a/controls/V-38536.rb b/controls/V-38536.rb index 6516e3a..5d0dd90 100644 --- a/controls/V-38536.rb +++ b/controls/V-38536.rb 
@@ -1,17 +1,17 @@ -control "V-38536" do +control 'V-38536' do title "The operating system must automatically audit account disabling actions." desc "In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy." impact 0.3 - tag "gtitle": "SRG-OS-000240" - tag "gid": "V-38536" - tag "rid": "SV-50337r2_rule" - tag "stig_id": "RHEL-06-000176" - tag "fix_id": "F-43484r1_fix" - tag "cci": ["CCI-001404"] - tag "nist": ["AC-2 (4)", "Rev_4"] + tag "gtitle": 'SRG-OS-000240' + tag "gid": 'V-38536' + tag "rid": 'SV-50337r2_rule' + tag "stig_id": 'RHEL-06-000176' + tag "fix_id": 'F-43484r1_fix' + tag "cci": ['CCI-001404'] + tag "nist": ['AC-2 (4)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -43,20 +43,19 @@ -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^\-w\s+\/etc\/group\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^\-w\s+\/etc\/group\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^\-w\s+\/etc\/passwd\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^\-w\s+\/etc\/passwd\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^\-w\s+\/etc\/gshadow\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^\-w\s+\/etc\/gshadow\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^\-w\s+\/etc\/shadow\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^\-w\s+\/etc\/shadow\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^\-w\s+\/etc\/security\/opasswd\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^\-w\s+\/etc\/security\/opasswd\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } end end - diff --git a/controls/V-38537.rb b/controls/V-38537.rb index 9ad0dd7..87b8e98 100644 --- a/controls/V-38537.rb +++ b/controls/V-38537.rb 
@@ -1,15 +1,15 @@ -control "V-38537" do - title "The system must ignore ICMPv4 bogus error responses." +control 'V-38537' do + title 'The system must ignore ICMPv4 bogus error responses.' desc "Ignoring bogus ICMP error responses reduces log size, although some activity would not be logged." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38537" - tag "rid": "SV-50338r2_rule" - tag "stig_id": "RHEL-06-000093" - tag "fix_id": "F-43485r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38537' + tag "rid": 'SV-50338r2_rule' + tag "stig_id": 'RHEL-06-000093' + tag "fix_id": 'F-43485r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -44,14 +44,13 @@ net.ipv4.icmp_ignore_bogus_error_responses = 1" - describe kernel_parameter("net.ipv4.icmp_ignore_bogus_error_responses") do - its("value") { should_not be_nil } + describe kernel_parameter('net.ipv4.icmp_ignore_bogus_error_responses') do + its('value') { should_not be_nil } end - describe kernel_parameter("net.ipv4.icmp_ignore_bogus_error_responses") do - its("value") { should eq 1 } + describe kernel_parameter('net.ipv4.icmp_ignore_bogus_error_responses') do + its('value') { should eq 1 } end - describe file("/etc/sysctl.conf") do - its("content") { should match(/^[\s]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*1[\s]*$/) } + describe file('/etc/sysctl.conf') do + its('content') { should match(/^[\s]*net.ipv4.icmp_ignore_bogus_error_responses[\s]*=[\s]*1[\s]*$/) } end end - diff --git a/controls/V-38538.rb b/controls/V-38538.rb index 377ea70..c06673f 100644 --- a/controls/V-38538.rb +++ b/controls/V-38538.rb 
@@ -1,16 +1,16 @@ -control "V-38538" do - title "The operating system must automatically audit account termination." +control 'V-38538' do + title 'The operating system must automatically audit account termination.' desc "In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy." impact 0.3 - tag "gtitle": "SRG-OS-000241" - tag "gid": "V-38538" - tag "rid": "SV-50339r2_rule" - tag "stig_id": "RHEL-06-000177" - tag "fix_id": "F-43486r1_fix" - tag "cci": ["CCI-001405"] - tag "nist": ["AC-2 (4)", "Rev_4"] + tag "gtitle": 'SRG-OS-000241' + tag "gid": 'V-38538' + tag "rid": 'SV-50339r2_rule' + tag "stig_id": 'RHEL-06-000177' + tag "fix_id": 'F-43486r1_fix' + tag "cci": ['CCI-001405'] + tag "nist": ['AC-2 (4)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -42,20 +42,19 @@ -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^\-w\s+\/etc\/group\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^\-w\s+\/etc\/group\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^\-w\s+\/etc\/passwd\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^\-w\s+\/etc\/passwd\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^\-w\s+\/etc\/gshadow\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^\-w\s+\/etc\/gshadow\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^\-w\s+\/etc\/shadow\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^\-w\s+\/etc\/shadow\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^\-w\s+\/etc\/security\/opasswd\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^\-w\s+\/etc\/security\/opasswd\s+\-p\s+wa\s+\-k\s+\w+\s*$/) } end end - diff --git a/controls/V-38539.rb b/controls/V-38539.rb index 3945e8f..02e7203 100644 --- a/controls/V-38539.rb +++ b/controls/V-38539.rb @@ -1,4 +1,4 @@ -control "V-38539" do +control 'V-38539' do title "The system must be configured to use TCP syncookies when experiencing a TCP SYN flood." desc "A TCP SYN flood attack can cause a denial of service by filling a 
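Review bot: The five `describe file('/etc/audit/audit.rules')` blocks in the V-38538 hunk read the rules file on disk, so they show what is configured rather than what auditd has actually loaded; if the InSpec version in use provides the `auditd` resource, a check against the loaded rules would be a useful complement. The key pattern here is `\w+`, while V-38541 in this same patch accepts `[-\w]+`, so a hyphenated key name would fail these watch checks but pass that one; using `[-\w]+` in both keeps them consistent. The blocks differ only in the watched path and could be generated from one list of paths, with a comment such as `# every account database must carry a -p wa watch (RHEL-06-000177)`. The control body begins outside this hunk.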
@@ -8,13 +8,13 @@ source. This feature is activated when a flood condition is detected, and enables the system to continue servicing valid connection requests." impact 0.5 - tag "gtitle": "SRG-OS-000142" - tag "gid": "V-38539" - tag "rid": "SV-50340r2_rule" - tag "stig_id": "RHEL-06-000095" - tag "fix_id": "F-43487r1_fix" - tag "cci": ["CCI-001095"] - tag "nist": ["SC-5 (2)", "Rev_4"] + tag "gtitle": 'SRG-OS-000142' + tag "gid": 'V-38539' + tag "rid": 'SV-50340r2_rule' + tag "stig_id": 'RHEL-06-000095' + tag "fix_id": 'F-43487r1_fix' + tag "cci": ['CCI-001095'] + tag "nist": ['SC-5 (2)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -47,14 +47,13 @@ net.ipv4.tcp_syncookies = 1" - describe kernel_parameter("net.ipv4.tcp_syncookies") do - its("value") { should_not be_nil } + describe kernel_parameter('net.ipv4.tcp_syncookies') do + its('value') { should_not be_nil } end - describe kernel_parameter("net.ipv4.tcp_syncookies") do - its("value") { should eq 1 } + describe kernel_parameter('net.ipv4.tcp_syncookies') do + its('value') { should eq 1 } end - describe file("/etc/sysctl.conf") do - its("content") { should match(/^[\s]*net.ipv4.tcp_syncookies[\s]*=[\s]*1[\s]*$/) } + describe file('/etc/sysctl.conf') do + its('content') { should match(/^[\s]*net.ipv4.tcp_syncookies[\s]*=[\s]*1[\s]*$/) } end end - diff --git a/controls/V-38540.rb b/controls/V-38540.rb index 7b6640c..eaf4b62 100644 --- a/controls/V-38540.rb +++ b/controls/V-38540.rb 
@@ -1,16 +1,16 @@ -control "V-38540" do +control 'V-38540' do title "The audit system must be configured to audit modifications to the systems network configuration." desc "The network environment should not be modified by anything other than administrator action. Any change to network parameters should be audited." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38540" - tag "rid": "SV-50341r4_rule" - tag "stig_id": "RHEL-06-000182" - tag "fix_id": "F-43488r2_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38540' + tag "rid": 'SV-50341r4_rule' + tag "stig_id": 'RHEL-06-000182' + tag "fix_id": 'F-43488r2_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -64,9 +64,9 @@ -w /etc/hosts -p wa -k audit_network_modifications -w /etc/sysconfig/network -p wa -k audit_network_modifications" - both_archs = command("ausyscall i386 sethostname").stdout.strip != command("ausyscall x86_64 sethostname").stdout.strip + both_archs = command('ausyscall i386 sethostname').stdout.strip != command('ausyscall x86_64 sethostname').stdout.strip - if os.arch == 'x86_64' or both_archs + if (os.arch == 'x86_64') || both_archs describe command("egrep -w '^[^\#]*sethostname' /etc/audit/audit.rules | grep 'arch=b64'") do its('stdout.strip') { should_not be_empty } end @@ -76,7 +76,7 @@ end end - if os.arch != 'x86_64' or both_archs + if (os.arch != 'x86_64') || both_archs describe command("egrep -w '^[^\#]*sethostname' /etc/audit/audit.rules | grep 'arch=b32'") do its('stdout.strip') { should_not be_empty } end @@ -102,4 +102,3 @@ its('stdout.strip') { should_not be_empty } end end - diff --git a/controls/V-38541.rb b/controls/V-38541.rb index e1a1c80..26ca59c 100644 --- a/controls/V-38541.rb +++ b/controls/V-38541.rb 
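Review bot: `both_archs` in the `@@ -64,9 +64,9 @@` hunk of V-38540 compares the output of two `ausyscall` lookups, and nothing handles the case where the command is missing or fails: both outputs would then be empty, the comparison false, and one of the two `arch=` branches silently skipped. As written the value seems to reflect whether the two syscall tables number `sethostname` differently rather than anything about the host, so the intent needs a comment, for example `# true when ausyscall resolves sethostname differently for i386 and x86_64; false if ausyscall is unavailable`. Checking `exit_status` on both commands before comparing would make a failed lookup visible instead of narrowing the audit check. The enclosing control starts and ends outside these hunks.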
@@ -1,17 +1,17 @@ -control "V-38541" do +control 'V-38541' do title "The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux)." desc "The system's mandatory access policy (SELinux) should not be arbitrarily changed by anything other than administrator action. All changes to MAC policy should be audited." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38541" - tag "rid": "SV-50342r2_rule" - tag "stig_id": "RHEL-06-000183" - tag "fix_id": "F-43489r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38541' + tag "rid": 'SV-50342r2_rule' + tag "stig_id": 'RHEL-06-000183' + tag "fix_id": 'F-43489r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -37,8 +37,7 @@ -w /etc/selinux/ -p wa -k MAC-policy" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^\-w\s+\/etc\/selinux\/\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^\-w\s+\/etc\/selinux\/\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$/) } end end - diff --git a/controls/V-38542.rb b/controls/V-38542.rb index 49e338f..8f59369 100644 --- a/controls/V-38542.rb +++ b/controls/V-38542.rb @@ -1,4 +1,4 @@ -control "V-38542" do +control 'V-38542' do title "The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces." desc "Enabling reverse path filtering drops packets with source addresses 
@@ -6,13 +6,13 @@ received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38542" - tag "rid": "SV-50343r2_rule" - tag "stig_id": "RHEL-06-000096" - tag "fix_id": "F-43490r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38542' + tag "rid": 'SV-50343r2_rule' + tag "stig_id": 'RHEL-06-000096' + tag "fix_id": 'F-43490r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -45,14 +45,13 @@ net.ipv4.conf.all.rp_filter = 1" - describe kernel_parameter("net.ipv4.conf.all.rp_filter") do - its("value") { should_not be_nil } + describe kernel_parameter('net.ipv4.conf.all.rp_filter') do + its('value') { should_not be_nil } end - describe kernel_parameter("net.ipv4.conf.all.rp_filter") do - its("value") { should eq 1 } + describe kernel_parameter('net.ipv4.conf.all.rp_filter') do + its('value') { should eq 1 } end - describe file("/etc/sysctl.conf") do - its("content") { should match(/^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*1[\s]*$/) } + describe file('/etc/sysctl.conf') do + its('content') { should match(/^[\s]*net.ipv4.conf.all.rp_filter[\s]*=[\s]*1[\s]*$/) } end end - diff --git a/controls/V-38543.rb b/controls/V-38543.rb index 340cce0..3f6c4a3 100644 --- a/controls/V-38543.rb +++ b/controls/V-38543.rb @@ -1,4 +1,4 @@ -control "V-38543" do +control 'V-38543' do title "The audit system must be configured to audit all discretionary access control permission modifications using chmod." desc "The changing of file permissions could indicate that a user is 
@@ -6,13 +6,13 @@ Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." impact 0.3 - tag "gtitle": "SRG-OS-000064" - tag "gid": "V-38543" - tag "rid": "SV-50344r3_rule" - tag "stig_id": "RHEL-06-000184" - tag "fix_id": "F-43491r2_fix" - tag "cci": ["CCI-000172"] - tag "nist": ["AU-12 c", "Rev_4"] + tag "gtitle": 'SRG-OS-000064' + tag "gid": 'V-38543' + tag "rid": 'SV-50344r3_rule' + tag "stig_id": 'RHEL-06-000184' + tag "fix_id": 'F-43491r2_fix' + tag "cci": ['CCI-000172'] + tag "nist": ['AU-12 c', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -47,14 +47,12 @@ -k perm_mod -a always,exit -F arch=b64 -S chmod -F auid=0 -k perm_mod" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)chmod(?:[\s]+|,))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)chmod(?:[\s]+|,))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)chmod(?:[\s]+|,))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)chmod(?:[\s]+|,))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } end describe.one do - end end - diff --git a/controls/V-38544.rb b/controls/V-38544.rb index ee27e70..6fd8c38 100644 --- a/controls/V-38544.rb +++ b/controls/V-38544.rb 
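Review bot: After this change the `describe.one do` / `end` pair at the bottom of the V-38543 `@@ -47,14 +47,12 @@` hunk has no nested `describe`, so it contributes no test and should be removed or filled in. Both matchers above it require `arch=b32`, while the fix text visible in the hunk's context also lists an `arch=b64` rule, so a 64-bit host whose b64 rule is missing would still pass. The proposal is to repeat the two matchers for `arch=b64` under the `os.arch == 'x86_64'` guard that V-38540 uses in this patch, as sketched below. The same empty block and b32-only matchers appear in the hunks for V-38545, V-38547, V-38550, V-38552, V-38554, V-38556, V-38557 and V-38558. The control body begins outside the hunk.

```ruby
  # … unchanged: the two arch=b32 matchers …
  if os.arch == 'x86_64'
    describe file('/etc/audit/audit.rules') do
      its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(?:-S[\s]+|,)chmod(?:[\s]+|,))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) }
    end
    describe file('/etc/audit/audit.rules') do
      its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b64[\s]+)(?:.*(?:-S[\s]+|,)chmod(?:[\s]+|,))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) }
    end
  end
  # … removed: the empty describe.one block …
```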
@@ -1,4 +1,4 @@ -control "V-38544" do +control 'V-38544' do title "The system must use a reverse-path filter for IPv4 network traffic when possible by default." desc "Enabling reverse path filtering drops packets with source addresses @@ -6,13 +6,13 @@ received on. It should not be used on systems which are routers for complicated networks, but is helpful for end hosts and routers serving small networks." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38544" - tag "rid": "SV-50345r2_rule" - tag "stig_id": "RHEL-06-000097" - tag "fix_id": "F-43492r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38544' + tag "rid": 'SV-50345r2_rule' + tag "stig_id": 'RHEL-06-000097' + tag "fix_id": 'F-43492r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -46,14 +46,13 @@ net.ipv4.conf.default.rp_filter = 1" - describe kernel_parameter("net.ipv4.conf.default.rp_filter") do - its("value") { should_not be_nil } + describe kernel_parameter('net.ipv4.conf.default.rp_filter') do + its('value') { should_not be_nil } end - describe kernel_parameter("net.ipv4.conf.default.rp_filter") do - its("value") { should eq 1 } + describe kernel_parameter('net.ipv4.conf.default.rp_filter') do + its('value') { should eq 1 } end - describe file("/etc/sysctl.conf") do - its("content") { should match(/^[\s]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*1[\s]*$/) } + describe file('/etc/sysctl.conf') do + its('content') { should match(/^[\s]*net.ipv4.conf.default.rp_filter[\s]*=[\s]*1[\s]*$/) } end end - diff --git a/controls/V-38545.rb b/controls/V-38545.rb index 466e9f9..0ed4e21 100644 --- a/controls/V-38545.rb +++ b/controls/V-38545.rb 
@@ -1,4 +1,4 @@ -control "V-38545" do +control 'V-38545' do title "The audit system must be configured to audit all discretionary access control permission modifications using chown." desc "The changing of file permissions could indicate that a user is @@ -6,13 +6,13 @@ Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." impact 0.3 - tag "gtitle": "SRG-OS-000064" - tag "gid": "V-38545" - tag "rid": "SV-50346r3_rule" - tag "stig_id": "RHEL-06-000185" - tag "fix_id": "F-43493r2_fix" - tag "cci": ["CCI-000172"] - tag "nist": ["AU-12 c", "Rev_4"] + tag "gtitle": 'SRG-OS-000064' + tag "gid": 'V-38545' + tag "rid": 'SV-50346r3_rule' + tag "stig_id": 'RHEL-06-000185' + tag "fix_id": 'F-43493r2_fix' + tag "cci": ['CCI-000172'] + tag "nist": ['AU-12 c', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -46,14 +46,12 @@ -k perm_mod -a always,exit -F arch=b64 -S chown -F auid=0 -k perm_mod" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)chown(?:[\s]+|,))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)chown(?:[\s]+|,))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)chown(?:[\s]+|,))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)chown(?:[\s]+|,))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } end describe.one do - end end - diff --git a/controls/V-38547.rb b/controls/V-38547.rb index bfaf837..e673f0a 100644 --- a/controls/V-38547.rb +++ b/controls/V-38547.rb @@ -1,4 +1,4 @@ -control "V-38547" do +control 'V-38547' do title "The audit system must be configured to audit all discretionary access control permission modifications using fchmod." desc "The changing of file permissions could indicate that a user is 
@@ -6,13 +6,13 @@ Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." impact 0.3 - tag "gtitle": "SRG-OS-000064" - tag "gid": "V-38547" - tag "rid": "SV-50348r3_rule" - tag "stig_id": "RHEL-06-000186" - tag "fix_id": "F-43495r2_fix" - tag "cci": ["CCI-000172"] - tag "nist": ["AU-12 c", "Rev_4"] + tag "gtitle": 'SRG-OS-000064' + tag "gid": 'V-38547' + tag "rid": 'SV-50348r3_rule' + tag "stig_id": 'RHEL-06-000186' + tag "fix_id": 'F-43495r2_fix' + tag "cci": ['CCI-000172'] + tag "nist": ['AU-12 c', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -46,14 +46,12 @@ -k perm_mod -a always,exit -F arch=b64 -S fchmod -F auid=0 -k perm_mod" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)fchmod(?:[\s]+|,))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)fchmod(?:[\s]+|,))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)fchmod(?:[\s]+|,))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)fchmod(?:[\s]+|,))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } end describe.one do - end end - diff --git a/controls/V-38548.rb b/controls/V-38548.rb index 79b3c88..79bc655 100644 --- a/controls/V-38548.rb +++ b/controls/V-38548.rb 
@@ -1,15 +1,15 @@ -control "V-38548" do - title "The system must ignore ICMPv6 redirects by default." +control 'V-38548' do + title 'The system must ignore ICMPv6 redirects by default.' desc "An illicit ICMP redirect message could result in a man-in-the-middle attack." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38548" - tag "rid": "SV-50349r3_rule" - tag "stig_id": "RHEL-06-000099" - tag "fix_id": "F-43496r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38548' + tag "rid": 'SV-50349r3_rule' + tag "stig_id": 'RHEL-06-000099' + tag "fix_id": 'F-43496r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -45,11 +45,10 @@ net.ipv6.conf.default.accept_redirects = 0" - describe kernel_parameter("net.ipv6.conf.default.accept_redirects") do - its("value") { should eq 0 } + describe kernel_parameter('net.ipv6.conf.default.accept_redirects') do + its('value') { should eq 0 } end - describe file("/etc/sysctl.conf") do - its("content") { should match(/^[\s]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*0[\s]*$/) } + describe file('/etc/sysctl.conf') do + its('content') { should match(/^[\s]*net.ipv6.conf.default.accept_redirects[\s]*=[\s]*0[\s]*$/) } end end - diff --git a/controls/V-38549.rb b/controls/V-38549.rb index 3a3f86d..45b813d 100644 --- a/controls/V-38549.rb +++ b/controls/V-38549.rb 
@@ -1,15 +1,15 @@ -control "V-38549" do - title "The system must employ a local IPv6 firewall." +control 'V-38549' do + title 'The system must employ a local IPv6 firewall.' desc "The \"ip6tables\" service provides the system's host-based firewalling capability for IPv6 and ICMPv6." impact 0.5 - tag "gtitle": "SRG-OS-000152" - tag "gid": "V-38549" - tag "rid": "SV-50350r3_rule" - tag "stig_id": "RHEL-06-000103" - tag "fix_id": "F-43497r3_fix" - tag "cci": ["CCI-001118"] - tag "nist": ["SC-7 (12)", "Rev_4"] + tag "gtitle": 'SRG-OS-000152' + tag "gid": 'V-38549' + tag "rid": 'SV-50350r3_rule' + tag "stig_id": 'RHEL-06-000103' + tag "fix_id": 'F-43497r3_fix' + tag "cci": ['CCI-001118'] + tag "nist": ['SC-7 (12)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -46,4 +46,3 @@ it { should be_running } end end - diff --git a/controls/V-38550.rb b/controls/V-38550.rb index d7ceb73..82a365c 100644 --- a/controls/V-38550.rb +++ b/controls/V-38550.rb @@ -1,4 +1,4 @@ -control "V-38550" do +control 'V-38550' do title "The audit system must be configured to audit all discretionary access control permission modifications using fchmodat." desc "The changing of file permissions could indicate that a user is @@ -6,13 +6,13 @@ Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." impact 0.3 - tag "gtitle": "SRG-OS-000064" - tag "gid": "V-38550" - tag "rid": "SV-50351r3_rule" - tag "stig_id": "RHEL-06-000187" - tag "fix_id": "F-43498r2_fix" - tag "cci": ["CCI-000172"] - tag "nist": ["AU-12 c", "Rev_4"] + tag "gtitle": 'SRG-OS-000064' + tag "gid": 'V-38550' + tag "rid": 'SV-50351r3_rule' + tag "stig_id": 'RHEL-06-000187' + tag "fix_id": 'F-43498r2_fix' + tag "cci": ['CCI-000172'] + tag "nist": ['AU-12 c', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -46,14 +46,12 @@ -k perm_mod -a always,exit -F arch=b64 -S fchmodat -F auid=0 -k perm_mod" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)fchmodat(?:[\s]+|,))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)fchmodat(?:[\s]+|,))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)fchmodat(?:[\s]+|,))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)fchmodat(?:[\s]+|,))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } end describe.one do - end end - diff --git a/controls/V-38551.rb b/controls/V-38551.rb index b5f354a..13361c4 100644 --- a/controls/V-38551.rb +++ b/controls/V-38551.rb 
@@ -1,17 +1,17 @@ -control "V-38551" do +control 'V-38551' do title "The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture." desc "The \"ip6tables\" service provides the system's host-based firewalling capability for IPv6 and ICMPv6." impact 0.5 - tag "gtitle": "SRG-OS-000145" - tag "gid": "V-38551" - tag "rid": "SV-50352r3_rule" - tag "stig_id": "RHEL-06-000106" - tag "fix_id": "F-43499r2_fix" - tag "cci": ["CCI-001098"] - tag "nist": ["SC-7 c", "Rev_4"] + tag "gtitle": 'SRG-OS-000145' + tag "gid": 'V-38551' + tag "rid": 'SV-50352r3_rule' + tag "stig_id": 'RHEL-06-000106' + tag "fix_id": 'F-43499r2_fix' + tag "cci": ['CCI-001098'] + tag "nist": ['SC-7 c', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -48,4 +48,3 @@ it { should be_running } end end - diff --git a/controls/V-38552.rb b/controls/V-38552.rb index 36aa483..3133b3a 100644 --- a/controls/V-38552.rb +++ b/controls/V-38552.rb @@ -1,4 +1,4 @@ -control "V-38552" do +control 'V-38552' do title "The audit system must be configured to audit all discretionary access control permission modifications using fchown." desc "The changing of file permissions could indicate that a user is 
@@ -6,13 +6,13 @@ Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." impact 0.3 - tag "gtitle": "SRG-OS-000064" - tag "gid": "V-38552" - tag "rid": "SV-50353r3_rule" - tag "stig_id": "RHEL-06-000188" - tag "fix_id": "F-43500r2_fix" - tag "cci": ["CCI-000172"] - tag "nist": ["AU-12 c", "Rev_4"] + tag "gtitle": 'SRG-OS-000064' + tag "gid": 'V-38552' + tag "rid": 'SV-50353r3_rule' + tag "stig_id": 'RHEL-06-000188' + tag "fix_id": 'F-43500r2_fix' + tag "cci": ['CCI-000172'] + tag "nist": ['AU-12 c', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -46,14 +46,12 @@ -k perm_mod -a always,exit -F arch=b64 -S fchown -F auid=0 -k perm_mod" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)fchown(?:[\s]+|,))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)fchown(?:[\s]+|,))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)fchown(?:[\s]+|,))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)fchown(?:[\s]+|,))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } end describe.one do - end end - diff --git a/controls/V-38553.rb b/controls/V-38553.rb index 8939597..9c34257 100644 --- a/controls/V-38553.rb +++ b/controls/V-38553.rb 
@@ -1,17 +1,17 @@ -control "V-38553" do +control 'V-38553' do title "The operating system must prevent public IPv6 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices." desc "The \"ip6tables\" service provides the system's host-based firewalling capability for IPv6 and ICMPv6." impact 0.5 - tag "gtitle": "SRG-OS-000146" - tag "gid": "V-38553" - tag "rid": "SV-50354r3_rule" - tag "stig_id": "RHEL-06-000107" - tag "fix_id": "F-43501r2_fix" - tag "cci": ["CCI-001100"] - tag "nist": ["SC-7 (2)", "Rev_4"] + tag "gtitle": 'SRG-OS-000146' + tag "gid": 'V-38553' + tag "rid": 'SV-50354r3_rule' + tag "stig_id": 'RHEL-06-000107' + tag "fix_id": 'F-43501r2_fix' + tag "cci": ['CCI-001100'] + tag "nist": ['SC-7 (2)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -48,4 +48,3 @@ it { should be_running } end end - diff --git a/controls/V-38554.rb b/controls/V-38554.rb index e7eaa5a..03f527a 100644 --- a/controls/V-38554.rb +++ b/controls/V-38554.rb @@ -1,4 +1,4 @@ -control "V-38554" do +control 'V-38554' do title "The audit system must be configured to audit all discretionary access control permission modifications using fchownat." desc "The changing of file permissions could indicate that a user is 
@@ -6,13 +6,13 @@ Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." impact 0.3 - tag "gtitle": "SRG-OS-000064" - tag "gid": "V-38554" - tag "rid": "SV-50355r3_rule" - tag "stig_id": "RHEL-06-000189" - tag "fix_id": "F-43502r2_fix" - tag "cci": ["CCI-000172"] - tag "nist": ["AU-12 c", "Rev_4"] + tag "gtitle": 'SRG-OS-000064' + tag "gid": 'V-38554' + tag "rid": 'SV-50355r3_rule' + tag "stig_id": 'RHEL-06-000189' + tag "fix_id": 'F-43502r2_fix' + tag "cci": ['CCI-000172'] + tag "nist": ['AU-12 c', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -46,14 +46,12 @@ -k perm_mod -a always,exit -F arch=b64 -S fchownat -F auid=0 -k perm_mod" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)fchownat(?:[\s]+|,))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)fchownat(?:[\s]+|,))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)fchownat(?:[\s]+|,))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:-S[\s]+|,)fchownat(?:[\s]+|,))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } end describe.one do - end end - diff --git a/controls/V-38555.rb b/controls/V-38555.rb index 728c027..f75ae64 100644 --- a/controls/V-38555.rb +++ b/controls/V-38555.rb 
@@ -1,15 +1,15 @@ -control "V-38555" do - title "The system must employ a local IPv4 firewall." +control 'V-38555' do + title 'The system must employ a local IPv4 firewall.' desc "The \"iptables\" service provides the system's host-based firewalling capability for IPv4 and ICMP." impact 0.5 - tag "gtitle": "SRG-OS-000152" - tag "gid": "V-38555" - tag "rid": "SV-50356r2_rule" - tag "stig_id": "RHEL-06-000113" - tag "fix_id": "F-43503r2_fix" - tag "cci": ["CCI-001118"] - tag "nist": ["SC-7 (12)", "Rev_4"] + tag "gtitle": 'SRG-OS-000152' + tag "gid": 'V-38555' + tag "rid": 'SV-50356r2_rule' + tag "stig_id": 'RHEL-06-000113' + tag "fix_id": 'F-43503r2_fix' + tag "cci": ['CCI-001118'] + tag "nist": ['SC-7 (12)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -44,4 +44,3 @@ it { should be_running } end end - diff --git a/controls/V-38556.rb b/controls/V-38556.rb index 07d5685..f9da37b 100644 --- a/controls/V-38556.rb +++ b/controls/V-38556.rb @@ -1,4 +1,4 @@ -control "V-38556" do +control 'V-38556' do title "The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr." desc "The changing of file permissions could indicate that a user is @@ -6,13 +6,13 @@ Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." impact 0.3 - tag "gtitle": "SRG-OS-000064" - tag "gid": "V-38556" - tag "rid": "SV-50357r3_rule" - tag "stig_id": "RHEL-06-000190" - tag "fix_id": "F-43504r2_fix" - tag "cci": ["CCI-000172"] - tag "nist": ["AU-12 c", "Rev_4"] + tag "gtitle": 'SRG-OS-000064' + tag "gid": 'V-38556' + tag "rid": 'SV-50357r3_rule' + tag "stig_id": 'RHEL-06-000190' + tag "fix_id": 'F-43504r2_fix' + tag "cci": ['CCI-000172'] + tag "nist": ['AU-12 c', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -46,14 +46,12 @@ -k perm_mod -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)fremovexattr(?:,|[\s]+))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)fremovexattr(?:,|[\s]+))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)fremovexattr(?:,|[\s]+))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)fremovexattr(?:,|[\s]+))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } end describe.one do - end end - diff --git a/controls/V-38557.rb b/controls/V-38557.rb index 6deac2e..c5afbf5 100644 --- a/controls/V-38557.rb +++ b/controls/V-38557.rb @@ -1,4 +1,4 @@ -control "V-38557" do +control 'V-38557' do title "The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr." desc "The changing of file permissions could indicate that a user is 
@@ -6,13 +6,13 @@ Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." impact 0.3 - tag "gtitle": "SRG-OS-000064" - tag "gid": "V-38557" - tag "rid": "SV-50358r3_rule" - tag "stig_id": "RHEL-06-000191" - tag "fix_id": "F-43505r2_fix" - tag "cci": ["CCI-000172"] - tag "nist": ["AU-12 c", "Rev_4"] + tag "gtitle": 'SRG-OS-000064' + tag "gid": 'V-38557' + tag "rid": 'SV-50358r3_rule' + tag "stig_id": 'RHEL-06-000191' + tag "fix_id": 'F-43505r2_fix' + tag "cci": ['CCI-000172'] + tag "nist": ['AU-12 c', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -46,14 +46,12 @@ -k perm_mod -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)fsetxattr(?:,|[\s]+))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)fsetxattr(?:,|[\s]+))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)fsetxattr(?:,|[\s]+))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)fsetxattr(?:,|[\s]+))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } end describe.one do - end end - diff --git a/controls/V-38558.rb b/controls/V-38558.rb index 6596b3d..a438fa6 100644 --- a/controls/V-38558.rb +++ b/controls/V-38558.rb 
@@ -1,4 +1,4 @@ -control "V-38558" do +control 'V-38558' do title "The audit system must be configured to audit all discretionary access control permission modifications using lchown." desc "The changing of file permissions could indicate that a user is @@ -6,13 +6,13 @@ Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." impact 0.3 - tag "gtitle": "SRG-OS-000064" - tag "gid": "V-38558" - tag "rid": "SV-50359r3_rule" - tag "stig_id": "RHEL-06-000192" - tag "fix_id": "F-43506r2_fix" - tag "cci": ["CCI-000172"] - tag "nist": ["AU-12 c", "Rev_4"] + tag "gtitle": 'SRG-OS-000064' + tag "gid": 'V-38558' + tag "rid": 'SV-50359r3_rule' + tag "stig_id": 'RHEL-06-000192' + tag "fix_id": 'F-43506r2_fix' + tag "cci": ['CCI-000172'] + tag "nist": ['AU-12 c', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -46,14 +46,12 @@ -k perm_mod -a always,exit -F arch=b64 -S lchown -F auid=0 -k perm_mod" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)lchown(?:,|[\s]+))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)lchown(?:,|[\s]+))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)lchown(?:,|[\s]+))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)lchown(?:,|[\s]+))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } end describe.one do - end end - diff --git a/controls/V-38559.rb b/controls/V-38559.rb index 8fe9368..ad19544 100644 --- a/controls/V-38559.rb +++ b/controls/V-38559.rb @@ -1,4 +1,4 @@ -control "V-38559" do +control 'V-38559' do title "The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr." desc "The changing of file permissions could indicate that a user is 
@@ -6,13 +6,13 @@ Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." impact 0.3 - tag "gtitle": "SRG-OS-000064" - tag "gid": "V-38559" - tag "rid": "SV-50360r3_rule" - tag "stig_id": "RHEL-06-000193" - tag "fix_id": "F-43507r2_fix" - tag "cci": ["CCI-000172"] - tag "nist": ["AU-12 c", "Rev_4"] + tag "gtitle": 'SRG-OS-000064' + tag "gid": 'V-38559' + tag "rid": 'SV-50360r3_rule' + tag "stig_id": 'RHEL-06-000193' + tag "fix_id": 'F-43507r2_fix' + tag "cci": ['CCI-000172'] + tag "nist": ['AU-12 c', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -46,14 +46,12 @@ -k perm_mod -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)lremovexattr(?:,|[\s]+))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)lremovexattr(?:,|[\s]+))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)lremovexattr(?:,|[\s]+))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)lremovexattr(?:,|[\s]+))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } end describe.one do - end end - diff --git a/controls/V-38560.rb b/controls/V-38560.rb index c7d49d1..5eb653c 100644 --- a/controls/V-38560.rb +++ b/controls/V-38560.rb 
@@ -1,17 +1,17 @@ -control "V-38560" do +control 'V-38560' do title "The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture." desc "The \"iptables\" service provides the system's host-based firewalling capability for IPv4 and ICMP." impact 0.5 - tag "gtitle": "SRG-OS-000145" - tag "gid": "V-38560" - tag "rid": "SV-50361r2_rule" - tag "stig_id": "RHEL-06-000116" - tag "fix_id": "F-43508r2_fix" - tag "cci": ["CCI-001098"] - tag "nist": ["SC-7 c", "Rev_4"] + tag "gtitle": 'SRG-OS-000145' + tag "gid": 'V-38560' + tag "rid": 'SV-50361r2_rule' + tag "stig_id": 'RHEL-06-000116' + tag "fix_id": 'F-43508r2_fix' + tag "cci": ['CCI-001098'] + tag "nist": ['SC-7 c', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -46,4 +46,3 @@ it { should be_running } end end - diff --git a/controls/V-38561.rb b/controls/V-38561.rb index d8f6b9a..3d97d22 100644 --- a/controls/V-38561.rb +++ b/controls/V-38561.rb @@ -1,4 +1,4 @@ -control "V-38561" do +control 'V-38561' do title "The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr." desc "The changing of file permissions could indicate that a user is 
@@ -6,13 +6,13 @@ Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." impact 0.3 - tag "gtitle": "SRG-OS-000064" - tag "gid": "V-38561" - tag "rid": "SV-50362r3_rule" - tag "stig_id": "RHEL-06-000194" - tag "fix_id": "F-43509r2_fix" - tag "cci": ["CCI-000172"] - tag "nist": ["AU-12 c", "Rev_4"] + tag "gtitle": 'SRG-OS-000064' + tag "gid": 'V-38561' + tag "rid": 'SV-50362r3_rule' + tag "stig_id": 'RHEL-06-000194' + tag "fix_id": 'F-43509r2_fix' + tag "cci": ['CCI-000172'] + tag "nist": ['AU-12 c', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -46,14 +46,12 @@ -k perm_mod -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)lsetxattr(?:,|[\s]+))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)lsetxattr(?:,|[\s]+))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)lsetxattr(?:,|[\s]+))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)lsetxattr(?:,|[\s]+))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } end describe.one do - end end - diff --git a/controls/V-38563.rb b/controls/V-38563.rb index 4ddf52f..f122400 100644 --- a/controls/V-38563.rb +++ b/controls/V-38563.rb 
@@ -1,4 +1,4 @@ -control "V-38563" do +control 'V-38563' do title "The audit system must be configured to audit all discretionary access control permission modifications using removexattr." desc "The changing of file permissions could indicate that a user is @@ -6,13 +6,13 @@ Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." impact 0.3 - tag "gtitle": "SRG-OS-000064" - tag "gid": "V-38563" - tag "rid": "SV-50364r3_rule" - tag "stig_id": "RHEL-06-000195" - tag "fix_id": "F-43511r2_fix" - tag "cci": ["CCI-000172"] - tag "nist": ["AU-12 c", "Rev_4"] + tag "gtitle": 'SRG-OS-000064' + tag "gid": 'V-38563' + tag "rid": 'SV-50364r3_rule' + tag "stig_id": 'RHEL-06-000195' + tag "fix_id": 'F-43511r2_fix' + tag "cci": ['CCI-000172'] + tag "nist": ['AU-12 c', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -46,14 +46,12 @@ -k perm_mod -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^-[Aa][\s]*(?:exit,always|always,exit)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)removexattr(?:,|[\s]+))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^-[Aa][\s]*(?:exit,always|always,exit)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)removexattr(?:,|[\s]+))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^-[Aa][\s]*(?:exit,always|always,exit)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)removexattr(?:,|[\s]+))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^-[Aa][\s]*(?:exit,always|always,exit)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)removexattr(?:,|[\s]+))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } end describe.one do - end end - diff --git a/controls/V-38565.rb b/controls/V-38565.rb index fc22019..5ec9eb2 100644 --- a/controls/V-38565.rb +++ b/controls/V-38565.rb @@ -1,4 +1,4 @@ -control "V-38565" do +control 'V-38565' do title "The audit system must be configured to audit all discretionary access control permission modifications using setxattr." desc "The changing of file permissions could indicate that a user is 
@@ -6,13 +6,13 @@ Auditing DAC modifications can facilitate the identification of patterns of abuse among both authorized and unauthorized users." impact 0.3 - tag "gtitle": "SRG-OS-000064" - tag "gid": "V-38565" - tag "rid": "SV-50366r3_rule" - tag "stig_id": "RHEL-06-000196" - tag "fix_id": "F-43513r2_fix" - tag "cci": ["CCI-000172"] - tag "nist": ["AU-12 c", "Rev_4"] + tag "gtitle": 'SRG-OS-000064' + tag "gid": 'V-38565' + tag "rid": 'SV-50366r3_rule' + tag "stig_id": 'RHEL-06-000196' + tag "fix_id": 'F-43513r2_fix' + tag "cci": ['CCI-000172'] + tag "nist": ['AU-12 c', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -46,14 +46,12 @@ -k perm_mod -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)setxattr(?:,|[\s]+))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)setxattr(?:,|[\s]+))(?:.*-F\s+auid>=500[\s]+)(?:.*-F\s+auid!=(?:-1|4294967295)[\s]+).*-k[\s]+[\S]+[\s]*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)setxattr(?:,|[\s]+))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32[\s]+)(?:.*(?:,|-S[\s]+)setxattr(?:,|[\s]+))(?:.*-F\s+auid=0[\s]+).*-k[\s]+[\S]+[\s]*$/) } end describe.one do - end end - diff --git a/controls/V-38566.rb b/controls/V-38566.rb index 4cb05b5..cb6473e 100644 --- a/controls/V-38566.rb +++ b/controls/V-38566.rb 
@@ -1,17 +1,17 @@ -control "V-38566" do +control 'V-38566' do title "The audit system must be configured to audit failed attempts to access files and programs." desc "Unsuccessful attempts to access files could be an indicator of malicious activity on a system. Auditing these events could serve as evidence of potential system compromise." impact 0.3 - tag "gtitle": "SRG-OS-000064" - tag "gid": "V-38566" - tag "rid": "SV-50367r2_rule" - tag "stig_id": "RHEL-06-000197" - tag "fix_id": "F-43514r2_fix" - tag "cci": ["CCI-000172"] - tag "nist": ["AU-12 c", "Rev_4"] + tag "gtitle": 'SRG-OS-000064' + tag "gid": 'V-38566' + tag "rid": 'SV-50367r2_rule' + tag "stig_id": 'RHEL-06-000197' + tag "fix_id": 'F-43514r2_fix' + tag "cci": ['CCI-000172'] + tag "nist": ['AU-12 c', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -47,12 +47,11 @@ -a always,exit -F arch=ARCH -S creat -S open -S openat -S truncate \\ -S ftruncate -F exit=-EPERM -F auid=0 -k access" - describe command("grep EACCES /etc/audit/audit.rules") do + describe command('grep EACCES /etc/audit/audit.rules') do its('stdout.strip') { should_not eq '' } end - describe command("grep EPERM /etc/audit/audit.rules") do + describe command('grep EPERM /etc/audit/audit.rules') do its('stdout.strip') { should_not eq '' } end end - diff --git a/controls/V-38567.rb b/controls/V-38567.rb index 0152421..82a498f 100644 --- a/controls/V-38567.rb +++ b/controls/V-38567.rb @@ -1,4 +1,4 @@ -control "V-38567" do +control 'V-38567' do title "The audit system must be configured to audit all use of setuid and setgid programs." desc "Privileged programs are subject to escalation-of-privilege attacks, 
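Review bot: In the V-38566 check hunk, `grep EACCES /etc/audit/audit.rules` with `should_not eq ''` passes on any line that contains the string, including a commented-out rule. It never checks the syscall list, the `arch` filter or the `auid` filters that the fix text above spells out, and the same holds for the `EPERM` check. Matching the file content against an anchored rule pattern with `its('content') { should match(...) }`, as the sibling audit controls in this commit do, would tie the result to an actual rule. As a minimum, anchoring the grep to rule lines, e.g. `grep -E '^[[:space:]]*-a .*exit=-EACCES' /etc/audit/audit.rules` (illustrative pattern), keeps comments from satisfying the control.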
@@ -6,13 +6,13 @@ limited capability. As such, motivation exists to monitor these programs for unusual activity." impact 0.3 - tag "gtitle": "SRG-OS-000020" - tag "gid": "V-38567" - tag "rid": "SV-50368r4_rule" - tag "stig_id": "RHEL-06-000198" - tag "fix_id": "F-43515r6_fix" - tag "cci": ["CCI-000040"] - tag "nist": ["AC-6 (2)", "Rev_4"] + tag "gtitle": 'SRG-OS-000020' + tag "gid": 'V-38567' + tag "rid": 'SV-50368r4_rule' + tag "stig_id": 'RHEL-06-000198' + tag "fix_id": 'F-43515r6_fix' + tag "cci": ['CCI-000040'] + tag "nist": ['AC-6 (2)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -50,9 +50,9 @@ auid!=4294967295 -k privileged" files = command(%(find / -xautofs -noleaf -wholename '/proc' -prune -o -wholename '/sys' -prune -o -wholename '/dev' -prune -o -wholename '/selinux' -prune -o -type f -perm /6000 -print)).stdout.strip.split("\n") - + if files.empty? - describe "setuid and setgid files" do + describe 'setuid and setgid files' do subject { files } it { should be_empty } end @@ -64,4 +64,3 @@ end end end - diff --git a/controls/V-38568.rb b/controls/V-38568.rb index 569e2ec..249144a 100644 --- a/controls/V-38568.rb +++ b/controls/V-38568.rb @@ -1,4 +1,4 @@ -control "V-38568" do +control 'V-38568' do title "The audit system must be configured to audit successful file system mounts." desc "The unauthorized exportation of data to external media could result in 
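Review bot: In the V-38567 hunk, `files` is built from `command(...).stdout` alone, so a failed `find` yields an empty list: `files.empty?` is then true and the `'setuid and setgid files'` block passes as if the system had no privileged binaries. That could happen, for instance, on a platform where `-xautofs` is not accepted. Keep the command result in a local (say `find_cmd`, a name constructed here) and check it before trusting the list, e.g. `describe find_cmd do its('stderr') { should eq '' } end`, so an audit that could not run is reported as a failure rather than a pass. The `else` branch that inspects each file lies outside this hunk.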
@@ -6,13 +6,13 @@ intellectual property could be lost. An audit trail should be created each time a filesystem is mounted to help identify and guard against information loss." impact 0.3 - tag "gtitle": "SRG-OS-000064" - tag "gid": "V-38568" - tag "rid": "SV-50369r3_rule" - tag "stig_id": "RHEL-06-000199" - tag "fix_id": "F-43516r2_fix" - tag "cci": ["CCI-000172"] - tag "nist": ["AU-12 c", "Rev_4"] + tag "gtitle": 'SRG-OS-000064' + tag "gid": 'V-38568' + tag "rid": 'SV-50369r3_rule' + tag "stig_id": 'RHEL-06-000199' + tag "fix_id": 'F-43516r2_fix' + tag "cci": ['CCI-000172'] + tag "nist": ['AU-12 c', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -39,14 +39,12 @@ -a always,exit -F arch=ARCH -S mount -F auid>=500 -F auid!=4294967295 -k export -a always,exit -F arch=ARCH -S mount -F auid=0 -k export" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s]+(?:always,exit|exit,always)\s+(-F\s+arch=b32\s+).*(?:,|-S\s+)mount(?:,|\s+).*-F\s+auid>=500\s+-F\s+auid!=(?:4294967295|-1)\s+-k\s+\S+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s]+(?:always,exit|exit,always)\s+(-F\s+arch=b32\s+).*(?:,|-S\s+)mount(?:,|\s+).*-F\s+auid>=500\s+-F\s+auid!=(?:4294967295|-1)\s+-k\s+\S+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s]+(?:always,exit|exit,always)\s+(-F\s+arch=b64\s+).*(?:,|-S\s+)mount(?:,|\s+).*-F\s+auid>=500\s+-F\s+auid!=(?:4294967295|-1)\s+-k\s+\S+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s]+(?:always,exit|exit,always)\s+(-F\s+arch=b64\s+).*(?:,|-S\s+)mount(?:,|\s+).*-F\s+auid>=500\s+-F\s+auid!=(?:4294967295|-1)\s+-k\s+\S+\s*$/) } end describe.one do - end end - diff --git a/controls/V-38569.rb b/controls/V-38569.rb index 13f59b7..c14a7b0 100644 --- a/controls/V-38569.rb +++ b/controls/V-38569.rb 
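Review bot: The two patterns in the V-38568 check hunk require `-F auid>=500` and `-F auid!=...` for `arch=b32` and `arch=b64`, but nothing matches the third rule the fix text lists, `-a always,exit -F arch=ARCH -S mount -F auid=0 -k export`. Mounts performed by root can therefore go unaudited while the control still passes. Add a `describe` per architecture whose pattern ends in `-F\s+auid=0\s+-k\s+\S+\s*$`, mirroring the `auid=0` checks in the xattr controls of this commit, and drop the empty `describe.one do` / `end` that follows. The capturing group around `-F\s+arch=b32\s+` is never read and can be `(?:...)`.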
@@ -1,16 +1,16 @@ -control "V-38569" do +control 'V-38569' do title "The system must require passwords to contain at least one uppercase alphabetic character." desc "Requiring a minimum number of uppercase characters makes password guessing attacks more difficult by ensuring a larger search space." impact 0.3 - tag "gtitle": "SRG-OS-000069" - tag "gid": "V-38569" - tag "rid": "SV-50370r2_rule" - tag "stig_id": "RHEL-06-000057" - tag "fix_id": "F-43517r2_fix" - tag "cci": ["CCI-000192"] - tag "nist": ["IA-5 (1) (a)", "Rev_4"] + tag "gtitle": 'SRG-OS-000069' + tag "gid": 'V-38569' + tag "rid": 'SV-50370r2_rule' + tag "stig_id": 'RHEL-06-000057' + tag "fix_id": 'F-43517r2_fix' + tag "cci": ['CCI-000192'] + tag "nist": ['IA-5 (1) (a)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -41,40 +41,39 @@ after pam_cracklib.so to require use of an uppercase character in passwords." describe.one do - describe file("/etc/pam.d/system-auth") do - its("content") { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+ucredit=-(\d+)[^\n\r]*$/) } + describe file('/etc/pam.d/system-auth') do + its('content') { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+ucredit=-(\d+)[^\n\r]*$/) } end - file("/etc/pam.d/system-auth").content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+ucredit=-(\d+)[^\n\r]*$/).flatten.each do |entry| + file('/etc/pam.d/system-auth').content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+ucredit=-(\d+)[^\n\r]*$/).flatten.each do |entry| describe entry do it { should cmp >= 1 } end end - describe file("/etc/pam.d/system-auth") do - its("content") { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+ucredit=-(\d+)\s+.*$/) } + describe file('/etc/pam.d/system-auth') do + its('content') { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+ucredit=-(\d+)\s+.*$/) } end - file("/etc/pam.d/system-auth").content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+ucredit=-(\d+)\s+.*$/).flatten.each do |entry| + file('/etc/pam.d/system-auth').content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+ucredit=-(\d+)\s+.*$/).flatten.each 
do |entry| describe entry do it { should cmp >= 1 } end end end describe.one do - describe file("/etc/pam.d/password-auth") do - its("content") { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+ucredit=-(\d+)[^\n\r]*$/) } + describe file('/etc/pam.d/password-auth') do + its('content') { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+ucredit=-(\d+)[^\n\r]*$/) } end - file("/etc/pam.d/password-auth").content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+ucredit=-(\d+)[^\n\r]*$/).flatten.each do |entry| + file('/etc/pam.d/password-auth').content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+ucredit=-(\d+)[^\n\r]*$/).flatten.each do |entry| describe entry do it { should cmp >= 1 } end end - describe file("/etc/pam.d/password-auth") do - its("content") { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+ucredit=-(\d+)\s+.*$/) } + describe file('/etc/pam.d/password-auth') do + its('content') { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+ucredit=-(\d+)\s+.*$/) } end - file("/etc/pam.d/password-auth").content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+ucredit=-(\d+)\s+.*$/).flatten.each do |entry| + file('/etc/pam.d/password-auth').content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+ucredit=-(\d+)\s+.*$/).flatten.each do |entry| 
describe entry do it { should cmp >= 1 } end end end end - diff --git a/controls/V-38570.rb b/controls/V-38570.rb index dd0125c..8537693 100644 --- a/controls/V-38570.rb +++ b/controls/V-38570.rb @@ -1,16 +1,16 @@ -control "V-38570" do +control 'V-38570' do title "The system must require passwords to contain at least one special character." desc "Requiring a minimum number of special characters makes password guessing attacks more difficult by ensuring a larger search space." impact 0.3 - tag "gtitle": "SRG-OS-000266" - tag "gid": "V-38570" - tag "rid": "SV-50371r2_rule" - tag "stig_id": "RHEL-06-000058" - tag "fix_id": "F-43518r2_fix" - tag "cci": ["CCI-001619"] - tag "nist": ["IA-5 (1) (a)", "Rev_4"] + tag "gtitle": 'SRG-OS-000266' + tag "gid": 'V-38570' + tag "rid": 'SV-50371r2_rule' + tag "stig_id": 'RHEL-06-000058' + tag "fix_id": 'F-43518r2_fix' + tag "cci": ['CCI-001619'] + tag "nist": ['IA-5 (1) (a)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
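Review bot: In the V-38569 check hunk the numeric test `describe entry do it { should cmp >= 1 } end` sits inside the same `describe.one` as the `its('content') { should match(...) }` block, and `describe.one` is satisfied as soon as one nested `describe` passes. The regex accepts any digits after `ucredit=-`, so a line with `ucredit=-0` already satisfies the group and the threshold is never enforced. If no line matches, the `scan(...).each` loop generates no test at all. Keep `describe.one` for the two alternative line formats only and assert the captured values in a plain `describe` outside it, which should also fail when nothing was captured. The same structure is in the V-38570 (`ocredit`), V-38571 (`lcredit`) and V-38572 (`difok`, `cmp >= 8`) hunks below; for `difok` it lets a value under 8 pass.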
@@ -41,40 +41,39 @@ after pam_cracklib.so to require use of a special character in passwords." describe.one do - describe file("/etc/pam.d/system-auth") do - its("content") { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+ocredit=-(\d+)[^\n\r]*$/) } + describe file('/etc/pam.d/system-auth') do + its('content') { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+ocredit=-(\d+)[^\n\r]*$/) } end - file("/etc/pam.d/system-auth").content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+ocredit=-(\d+)[^\n\r]*$/).flatten.each do |entry| + file('/etc/pam.d/system-auth').content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+ocredit=-(\d+)[^\n\r]*$/).flatten.each do |entry| describe entry do it { should cmp >= 1 } end end - describe file("/etc/pam.d/system-auth") do - its("content") { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+ocredit=-(\d+)\s+.*$/) } + describe file('/etc/pam.d/system-auth') do + its('content') { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+ocredit=-(\d+)\s+.*$/) } end - file("/etc/pam.d/system-auth").content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+ocredit=-(\d+)\s+.*$/).flatten.each do |entry| + file('/etc/pam.d/system-auth').content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+ocredit=-(\d+)\s+.*$/).flatten.each do 
|entry| describe entry do it { should cmp >= 1 } end end end describe.one do - describe file("/etc/pam.d/password-auth") do - its("content") { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+ocredit=-(\d+)[^\n\r]*$/) } + describe file('/etc/pam.d/password-auth') do + its('content') { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+ocredit=-(\d+)[^\n\r]*$/) } end - file("/etc/pam.d/password-auth").content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+ocredit=-(\d+)[^\n\r]*$/).flatten.each do |entry| + file('/etc/pam.d/password-auth').content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+ocredit=-(\d+)[^\n\r]*$/).flatten.each do |entry| describe entry do it { should cmp >= 1 } end end - describe file("/etc/pam.d/password-auth") do - its("content") { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+ocredit=-(\d+)\s+.*$/) } + describe file('/etc/pam.d/password-auth') do + its('content') { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+ocredit=-(\d+)\s+.*$/) } end - file("/etc/pam.d/password-auth").content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+ocredit=-(\d+)\s+.*$/).flatten.each do |entry| + file('/etc/pam.d/password-auth').content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+ocredit=-(\d+)\s+.*$/).flatten.each do |entry| describe 
entry do it { should cmp >= 1 } end end end end - diff --git a/controls/V-38571.rb b/controls/V-38571.rb index c8a3007..da58ad2 100644 --- a/controls/V-38571.rb +++ b/controls/V-38571.rb @@ -1,16 +1,16 @@ -control "V-38571" do +control 'V-38571' do title "The system must require passwords to contain at least one lower-case alphabetic character." desc "Requiring a minimum number of lower-case characters makes password guessing attacks more difficult by ensuring a larger search space." impact 0.3 - tag "gtitle": "SRG-OS-000070" - tag "gid": "V-38571" - tag "rid": "SV-50372r3_rule" - tag "stig_id": "RHEL-06-000059" - tag "fix_id": "F-43519r3_fix" - tag "cci": ["CCI-000193"] - tag "nist": ["IA-5 (1) (a)", "Rev_4"] + tag "gtitle": 'SRG-OS-000070' + tag "gid": 'V-38571' + tag "rid": 'SV-50372r3_rule' + tag "stig_id": 'RHEL-06-000059' + tag "fix_id": 'F-43519r3_fix' + tag "cci": ['CCI-000193'] + tag "nist": ['IA-5 (1) (a)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -41,40 +41,39 @@ " describe.one do - describe file("/etc/pam.d/system-auth") do - its("content") { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+lcredit=-(\d+)[^\n\r]*$/) } + describe file('/etc/pam.d/system-auth') do + its('content') { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+lcredit=-(\d+)[^\n\r]*$/) } end - file("/etc/pam.d/system-auth").content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+lcredit=-(\d+)[^\n\r]*$/).flatten.each do |entry| + file('/etc/pam.d/system-auth').content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+lcredit=-(\d+)[^\n\r]*$/).flatten.each do |entry| describe entry do it { should cmp >= 1 } end end - describe file("/etc/pam.d/system-auth") do - its("content") { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+lcredit=-(\d+)\s+.*$/) } + describe file('/etc/pam.d/system-auth') do + its('content') { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+lcredit=-(\d+)\s+.*$/) } end - file("/etc/pam.d/system-auth").content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+lcredit=-(\d+)\s+.*$/).flatten.each do |entry| + file('/etc/pam.d/system-auth').content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+lcredit=-(\d+)\s+.*$/).flatten.each do |entry| describe entry do it { should cmp >= 1 } end end end 
describe.one do - describe file("/etc/pam.d/password-auth") do - its("content") { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+lcredit=-(\d+)[^\n\r]*$/) } + describe file('/etc/pam.d/password-auth') do + its('content') { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+lcredit=-(\d+)[^\n\r]*$/) } end - file("/etc/pam.d/password-auth").content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+lcredit=-(\d+)[^\n\r]*$/).flatten.each do |entry| + file('/etc/pam.d/password-auth').content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+lcredit=-(\d+)[^\n\r]*$/).flatten.each do |entry| describe entry do it { should cmp >= 1 } end end - describe file("/etc/pam.d/password-auth") do - its("content") { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+lcredit=-(\d+)\s+.*$/) } + describe file('/etc/pam.d/password-auth') do + its('content') { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+lcredit=-(\d+)\s+.*$/) } end - file("/etc/pam.d/password-auth").content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+lcredit=-(\d+)\s+.*$/).flatten.each do |entry| + file('/etc/pam.d/password-auth').content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+lcredit=-(\d+)\s+.*$/).flatten.each do |entry| describe entry do it { should cmp >= 1 } end end end end - 
diff --git a/controls/V-38572.rb b/controls/V-38572.rb index b4c6bf1..53e627c 100644 --- a/controls/V-38572.rb +++ b/controls/V-38572.rb @@ -1,4 +1,4 @@ -control "V-38572" do +control 'V-38572' do title "The system must require at least eight characters be changed between the old and new passwords during a password change." desc "Requiring a minimum number of different characters during password @@ -6,13 +6,13 @@ compromised ones. Note that passwords which are changed on compromised systems will still be compromised, however." impact 0.3 - tag "gtitle": "SRG-OS-000072" - tag "gid": "V-38572" - tag "rid": "SV-50373r3_rule" - tag "stig_id": "RHEL-06-000060" - tag "fix_id": "F-43520r4_fix" - tag "cci": ["CCI-000195"] - tag "nist": ["IA-5 (1) (b)", "Rev_4"] + tag "gtitle": 'SRG-OS-000072' + tag "gid": 'V-38572' + tag "rid": 'SV-50373r3_rule' + tag "stig_id": 'RHEL-06-000060' + tag "fix_id": 'F-43520r4_fix' + tag "cci": ['CCI-000195'] + tag "nist": ['IA-5 (1) (b)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -42,40 +42,39 @@ " describe.one do - describe file("/etc/pam.d/system-auth") do - its("content") { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+difok=(\d+)[^\n\r]*$/) } + describe file('/etc/pam.d/system-auth') do + its('content') { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+difok=(\d+)[^\n\r]*$/) } end - file("/etc/pam.d/system-auth").content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+difok=(\d+)[^\n\r]*$/).flatten.each do |entry| + file('/etc/pam.d/system-auth').content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+difok=(\d+)[^\n\r]*$/).flatten.each do |entry| describe entry do it { should cmp >= 8 } end end - describe file("/etc/pam.d/system-auth") do - its("content") { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+difok=(\d+)\s+.*$/) } + describe file('/etc/pam.d/system-auth') do + its('content') { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+difok=(\d+)\s+.*$/) } end - file("/etc/pam.d/system-auth").content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+difok=(\d+)\s+.*$/).flatten.each do |entry| + file('/etc/pam.d/system-auth').content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+difok=(\d+)\s+.*$/).flatten.each do |entry| describe entry do it { should cmp >= 8 } end end end describe.one do - describe 
file("/etc/pam.d/password-auth") do - its("content") { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+difok=(\d+)[^\n\r]*$/) } + describe file('/etc/pam.d/password-auth') do + its('content') { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+difok=(\d+)[^\n\r]*$/) } end - file("/etc/pam.d/password-auth").content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+difok=(\d+)[^\n\r]*$/).flatten.each do |entry| + file('/etc/pam.d/password-auth').content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))[\t ]+[^#\n\r]*\s+difok=(\d+)[^\n\r]*$/).flatten.each do |entry| describe entry do it { should cmp >= 8 } end end - describe file("/etc/pam.d/password-auth") do - its("content") { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+difok=(\d+)\s+.*$/) } + describe file('/etc/pam.d/password-auth') do + its('content') { should match(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+difok=(\d+)\s+.*$/) } end - file("/etc/pam.d/password-auth").content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+difok=(\d+)\s+.*$/).flatten.each do |entry| + file('/etc/pam.d/password-auth').content.to_s.scan(/^\s*password\s+(?:(?:required)|(?:requisite))\s+(?:(?:\/lib\/security\/\$ISA\/pam_cracklib\.so)|(?:pam_cracklib\.so))\s+difok=(\d+)\s+.*$/).flatten.each do |entry| describe entry do it { should cmp >= 8 } end end end end - 
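Review bot: The `difok` value is never enforced in either `describe.one` block of this hunk, because the presence test (`its('content') { should match(...) }`) sits in the same `describe.one` as the `cmp >= 8` tests, and `describe.one` is satisfied as soon as one nested `describe` passes. A line such as `password requisite pam_cracklib.so retry=3 difok=1` (constructed example) matches the presence regexp, so the control would report compliance. The two regexp variants differ only in where `difok=` sits on the line, so they can be merged into one pattern and the checks moved out of `describe.one`, as sketched below. When a file has no matching line the `scan` loop generates no tests at all, which is why the presence test has to be mandatory too.

```ruby
  # … unchanged: control metadata and check/fix text …
  difok = /^\s*password\s+(?:required|requisite)\s+(?:\/lib\/security\/\$ISA\/)?pam_cracklib\.so[\t ]+(?:[^#\n\r]*[\t ])?difok=(\d+)/
  %w[/etc/pam.d/system-auth /etc/pam.d/password-auth].each do |pam_file|
    describe file(pam_file) do
      its('content') { should match(difok) }
    end
    file(pam_file).content.to_s.scan(difok).flatten.each do |entry|
      describe entry do
        it { should cmp >= 8 }
      end
    end
  end
```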
diff --git a/controls/V-38573.rb b/controls/V-38573.rb index 694ddbb..f9cc2e9 100644 --- a/controls/V-38573.rb +++ b/controls/V-38573.rb @@ -1,16 +1,16 @@ -control "V-38573" do +control 'V-38573' do title "The system must disable accounts after three consecutive unsuccessful logon attempts." desc "Locking out user accounts after a number of incorrect attempts prevents direct password guessing attacks." impact 0.5 - tag "gtitle": "SRG-OS-000021" - tag "gid": "V-38573" - tag "rid": "SV-50374r4_rule" - tag "stig_id": "RHEL-06-000061" - tag "fix_id": "F-43521r8_fix" - tag "cci": ["CCI-000044"] - tag "nist": ["AC-7 a", "Rev_4"] + tag "gtitle": 'SRG-OS-000021' + tag "gid": 'V-38573' + tag "rid": 'SV-50374r4_rule' + tag "stig_id": 'RHEL-06-000061' + tag "fix_id": 'F-43521r8_fix' + tag "cci": ['CCI-000044'] + tag "nist": ['AC-7 a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -53,21 +53,20 @@ \"/etc/pam.d/password-auth\" may be overwritten by the \"authconfig\" program. The \"authconfig\" program should not be used." - file("/etc/pam.d/system-auth").content.to_s.scan(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*deny=([0-9]+).*$/).flatten.each do |entry| + file('/etc/pam.d/system-auth').content.to_s.scan(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*deny=([0-9]+).*$/).flatten.each do |entry| describe entry do it { should cmp == 3 } end end - describe file("/etc/pam.d/system-auth") do - its("content") { should match(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*deny=([0-9]+).*$/) } + describe file('/etc/pam.d/system-auth') do + its('content') { should match(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*deny=([0-9]+).*$/) } end - file("/etc/pam.d/password-auth").content.to_s.scan(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*deny=([0-9]+).*$/).flatten.each do |entry| + file('/etc/pam.d/password-auth').content.to_s.scan(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*deny=([0-9]+).*$/).flatten.each do |entry| describe entry do it { should cmp == 3 } end end - describe file("/etc/pam.d/password-auth") do - its("content") { should match(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*deny=([0-9]+).*$/) } + describe file('/etc/pam.d/password-auth') do + its('content') { should match(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*deny=([0-9]+).*$/) } end end - diff --git a/controls/V-38574.rb b/controls/V-38574.rb index 49ad37d..ab0722d 100644 --- a/controls/V-38574.rb +++ b/controls/V-38574.rb 
@@ -1,16 +1,16 @@ -control "V-38574" do +control 'V-38574' do title "The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth)." desc "Using a stronger hashing algorithm makes password cracking attacks more difficult." impact 0.5 - tag "gtitle": "SRG-OS-000120" - tag "gid": "V-38574" - tag "rid": "SV-50375r4_rule" - tag "stig_id": "RHEL-06-000062" - tag "fix_id": "F-43522r4_fix" - tag "cci": ["CCI-000803"] - tag "nist": ["IA-7", "Rev_4"] + tag "gtitle": 'SRG-OS-000120' + tag "gid": 'V-38574' + tag "rid": 'SV-50375r4_rule' + tag "stig_id": 'RHEL-06-000062' + tag "fix_id": 'F-43522r4_fix' + tag "cci": ['CCI-000803'] + tag "nist": ['IA-7', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -96,8 +96,7 @@ its('stdout.strip') { should_not be_empty } end - describe command("grep password /etc/pam.d/* | grep pam_unix.so") do - its('stdout.strip.lines') { should all match %r{\bsha512\b} } + describe command('grep password /etc/pam.d/* | grep pam_unix.so') do + its('stdout.strip.lines') { should all match /\bsha512\b/ } end end - diff --git a/controls/V-38575.rb b/controls/V-38575.rb index 5e29d8e..bef681f 100644 --- a/controls/V-38575.rb +++ b/controls/V-38575.rb @@ -1,4 +1,4 @@ -control "V-38575" do +control 'V-38575' do title "The audit system must be configured to audit user deletions of files and programs." desc "Auditing file deletions will create an audit trail for files that are 
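Review bot: The `grep password /etc/pam.d/* | grep pam_unix.so` pipeline in the last `describe` of `V-38574` also returns commented-out lines, so a disabled `#password … pam_unix.so …` entry is evaluated as if it were active configuration. Anchoring the first grep on the PAM type field avoids that: `describe command('grep -E "^[[:space:]]*password[[:space:]]" /etc/pam.d/* | grep pam_unix.so') do`. Separately, `should all match /\bsha512\b/` leaves the regexp literal as an unparenthesised first argument, which Ruby warns about as ambiguous under `-w`; `should all(match(/\bsha512\b/))` reads the same and is unambiguous. The `describe` just above this one starts outside the hunk, so whether an empty result is already rejected cannot be confirmed from here.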
@@ -6,13 +6,13 @@ as well as detecting malicious processes that attempt to delete log files to conceal their presence." impact 0.3 - tag "gtitle": "SRG-OS-000064" - tag "gid": "V-38575" - tag "rid": "SV-50376r4_rule" - tag "stig_id": "RHEL-06-000200" - tag "fix_id": "F-43523r4_fix" - tag "cci": ["CCI-000172"] - tag "nist": ["AU-12 c", "Rev_4"] + tag "gtitle": 'SRG-OS-000064' + tag "gid": 'V-38575' + tag "rid": 'SV-50376r4_rule' + tag "stig_id": 'RHEL-06-000200' + tag "fix_id": 'F-43523r4_fix' + tag "cci": ['CCI-000172'] + tag "nist": ['AU-12 c', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -67,38 +67,36 @@ " - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)\s+(?:-F\s+arch=b32\s+).*(?:,|-S\s+)rmdir(?:,|\s+).*-F\s+auid>=500\s+-F\s+auid!=(?:(?:-1)|(?:4294967295))\s+-k\s+\S+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)\s+(?:-F\s+arch=b32\s+).*(?:,|-S\s+)rmdir(?:,|\s+).*-F\s+auid>=500\s+-F\s+auid!=(?:(?:-1)|(?:4294967295))\s+-k\s+\S+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)\s+(?:-F\s+arch=b32\s+).*(?:,|-S\s+)unlink(?:,|\s+).*-F\s+auid>=500\s+-F\s+auid!=(?:(?:-1)|(?:4294967295))\s+-k\s+\S+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)\s+(?:-F\s+arch=b32\s+).*(?:,|-S\s+)unlink(?:,|\s+).*-F\s+auid>=500\s+-F\s+auid!=(?:(?:-1)|(?:4294967295))\s+-k\s+\S+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)\s+(?:-F\s+arch=b32\s+).*(?:,|-S\s+)unlinkat(?:,|\s+).*-F\s+auid>=500\s+-F\s+auid!=(?:(?:-1)|(?:4294967295))\s+-k\s+\S+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)\s+(?:-F\s+arch=b32\s+).*(?:,|-S\s+)unlinkat(?:,|\s+).*-F\s+auid>=500\s+-F\s+auid!=(?:(?:-1)|(?:4294967295))\s+-k\s+\S+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)\s+(?:-F\s+arch=b32\s+).*(?:,|-S\s+)rename(?:,|\s+).*-F\s+auid>=500\s+-F\s+auid!=(?:(?:-1)|(?:4294967295))\s+-k\s+\S+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)\s+(?:-F\s+arch=b32\s+).*(?:,|-S\s+)rename(?:,|\s+).*-F\s+auid>=500\s+-F\s+auid!=(?:(?:-1)|(?:4294967295))\s+-k\s+\S+\s*$/) } end - describe 
file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)\s+(?:-F\s+arch=b32\s+).*(?:,|-S\s+)renameat(?:,|\s+).*-F\s+auid>=500\s+-F\s+auid!=(?:(?:-1)|(?:4294967295))\s+-k\s+\S+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)\s+(?:-F\s+arch=b32\s+).*(?:,|-S\s+)renameat(?:,|\s+).*-F\s+auid>=500\s+-F\s+auid!=(?:(?:-1)|(?:4294967295))\s+-k\s+\S+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)\s+(?:-F\s+arch=b32\s+).*(?:,|-S\s+)rmdir(?:,|\s+).*-F\s+auid=0\s+-k\s+\S+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)\s+(?:-F\s+arch=b32\s+).*(?:,|-S\s+)rmdir(?:,|\s+).*-F\s+auid=0\s+-k\s+\S+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)\s+(?:-F\s+arch=b32\s+).*(?:,|-S\s+)unlink(?:,|\s+).*-F\s+auid=0\s+-k\s+\S+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)\s+(?:-F\s+arch=b32\s+).*(?:,|-S\s+)unlink(?:,|\s+).*-F\s+auid=0\s+-k\s+\S+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)\s+(?:-F\s+arch=b32\s+).*(?:,|-S\s+)unlinkat(?:,|\s+).*-F\s+auid=0\s+-k\s+\S+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)\s+(?:-F\s+arch=b32\s+).*(?:,|-S\s+)unlinkat(?:,|\s+).*-F\s+auid=0\s+-k\s+\S+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)\s+(?:-F\s+arch=b32\s+).*(?:,|-S\s+)rename(?:,|\s+).*-F\s+auid=0\s+-k\s+\S+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should 
match(/^[\s]*-a[\s](?:always,exit|exit,always)\s+(?:-F\s+arch=b32\s+).*(?:,|-S\s+)rename(?:,|\s+).*-F\s+auid=0\s+-k\s+\S+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)\s+(?:-F\s+arch=b32\s+).*(?:,|-S\s+)renameat(?:,|\s+).*-F\s+auid=0\s+-k\s+\S+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)\s+(?:-F\s+arch=b32\s+).*(?:,|-S\s+)renameat(?:,|\s+).*-F\s+auid=0\s+-k\s+\S+\s*$/) } end describe.one do - end end - diff --git a/controls/V-38576.rb b/controls/V-38576.rb index 133dd1a..f737125 100644 --- a/controls/V-38576.rb +++ b/controls/V-38576.rb @@ -1,16 +1,16 @@ -control "V-38576" do +control 'V-38576' do title "The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs)." desc "Using a stronger hashing algorithm makes password cracking attacks more difficult." impact 0.5 - tag "gtitle": "SRG-OS-000120" - tag "gid": "V-38576" - tag "rid": "SV-50377r1_rule" - tag "stig_id": "RHEL-06-000063" - tag "fix_id": "F-43524r1_fix" - tag "cci": ["CCI-000803"] - tag "nist": ["IA-7", "Rev_4"] + tag "gtitle": 'SRG-OS-000120' + tag "gid": 'V-38576' + tag "rid": 'SV-50377r1_rule' + tag "stig_id": 'RHEL-06-000063' + tag "fix_id": 'F-43524r1_fix' + tag "cci": ['CCI-000803'] + tag "nist": ['IA-7', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -33,8 +33,7 @@ ENCRYPT_METHOD SHA512" - describe file("/etc/login.defs") do - its("content") { should match(/^[\s]*ENCRYPT_METHOD[\s]+SHA512[\s]*$/) } + describe file('/etc/login.defs') do + its('content') { should match(/^[\s]*ENCRYPT_METHOD[\s]+SHA512[\s]*$/) } end end - diff --git a/controls/V-38577.rb b/controls/V-38577.rb index 75c3d03..4dadf69 100644 --- a/controls/V-38577.rb +++ b/controls/V-38577.rb 
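Review bot: Every rule test in the `V-38575` hunk requires `-F arch=b32`, and the `describe.one do` … `end` that closes the control is left empty, so nothing verifies matching `arch=b64` rules. On a 64-bit host a rule set that audits only the 32-bit syscall table would presumably satisfy this control while 64-bit `unlink`/`rename` calls go unrecorded. I would delete the empty `describe.one` and repeat the ten checks with `arch=b64` for 64-bit targets, for example guarded by `if os.arch == 'x86_64'`. `V-38580` (hunk `@@ -56,23 +56,21 @@`) has the same empty block and the same b32-only patterns for `init_module` and `delete_module`.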
@@ -1,16 +1,16 @@ -control "V-38577" do +control 'V-38577' do title "The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf)." desc "Using a stronger hashing algorithm makes password cracking attacks more difficult." impact 0.5 - tag "gtitle": "SRG-OS-000120" - tag "gid": "V-38577" - tag "rid": "SV-50378r1_rule" - tag "stig_id": "RHEL-06-000064" - tag "fix_id": "F-43525r1_fix" - tag "cci": ["CCI-000803"] - tag "nist": ["IA-7", "Rev_4"] + tag "gtitle": 'SRG-OS-000120' + tag "gid": 'V-38577' + tag "rid": 'SV-50378r1_rule' + tag "stig_id": 'RHEL-06-000064' + tag "fix_id": 'F-43525r1_fix' + tag "cci": ['CCI-000803'] + tag "nist": ['IA-7', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -34,8 +34,7 @@ crypt_style = sha512" - describe file("/etc/libuser.conf") do - its("content") { should match(/^[\s]*crypt_style[\s]+=[\s]+(?i)sha512[\s]*$/) } + describe file('/etc/libuser.conf') do + its('content') { should match(/^[\s]*crypt_style[\s]+=[\s]+(?i)sha512[\s]*$/) } end end - diff --git a/controls/V-38578.rb b/controls/V-38578.rb index f2d5783..3d0438d 100644 --- a/controls/V-38578.rb +++ b/controls/V-38578.rb 
@@ -1,17 +1,17 @@ -control "V-38578" do +control 'V-38578' do title "The audit system must be configured to audit changes to the /etc/sudoers file." desc "The actions taken by system administrators should be audited to keep a record of what was executed on the system, as well as, for accountability purposes." impact 0.3 - tag "gtitle": "SRG-OS-000064" - tag "gid": "V-38578" - tag "rid": "SV-50379r2_rule" - tag "stig_id": "RHEL-06-000201" - tag "fix_id": "F-43526r1_fix" - tag "cci": ["CCI-000172"] - tag "nist": ["AU-12 c", "Rev_4"] + tag "gtitle": 'SRG-OS-000064' + tag "gid": 'V-38578' + tag "rid": 'SV-50379r2_rule' + tag "stig_id": 'RHEL-06-000201' + tag "fix_id": 'F-43526r1_fix' + tag "cci": ['CCI-000172'] + tag "nist": ['AU-12 c', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -38,8 +38,7 @@ -w /etc/sudoers -p wa -k actions" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^\-w\s+\/etc\/sudoers\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^\-w\s+\/etc\/sudoers\s+\-p\s+wa\s+\-k\s+[-\w]+\s*$/) } end end - diff --git a/controls/V-38579.rb b/controls/V-38579.rb index b0ef173..fb785d7 100644 --- a/controls/V-38579.rb +++ b/controls/V-38579.rb 
@@ -1,14 +1,14 @@ -control "V-38579" do - title "The system boot loader configuration file(s) must be owned by root." - desc "Only root should be able to modify important boot parameters." +control 'V-38579' do + title 'The system boot loader configuration file(s) must be owned by root.' + desc 'Only root should be able to modify important boot parameters.' impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38579" - tag "rid": "SV-50380r2_rule" - tag "stig_id": "RHEL-06-000065" - tag "fix_id": "F-43527r2_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38579' + tag "rid": 'SV-50380r2_rule' + tag "stig_id": 'RHEL-06-000065' + tag "fix_id": 'F-43527r2_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -33,18 +33,17 @@ # chown root /boot/grub/grub.conf" describe.one do - describe file("/boot/grub/grub.conf") do + describe file('/boot/grub/grub.conf') do it { should exist } end - describe file("/boot/grub/grub.conf") do - its("uid") { should cmp 0 } + describe file('/boot/grub/grub.conf') do + its('uid') { should cmp 0 } end - describe file("/boot/efi/EFI/redhat/grub.conf") do + describe file('/boot/efi/EFI/redhat/grub.conf') do it { should exist } end - describe file("/boot/efi/EFI/redhat/grub.conf") do - its("uid") { should cmp 0 } + describe file('/boot/efi/EFI/redhat/grub.conf') do + its('uid') { should cmp 0 } end end end - diff --git a/controls/V-38580.rb b/controls/V-38580.rb index 40eaa7a..ea1c8a8 100644 --- a/controls/V-38580.rb +++ b/controls/V-38580.rb @@ -1,4 +1,4 @@ -control "V-38580" do +control 'V-38580' do title "The audit system must be configured to audit the loading and unloading of dynamic kernel modules." desc "The addition/removal of kernel modules can be used to alter the 
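Review bot: The `describe.one` in the `V-38579` hunk puts `it { should exist }` and `its('uid') { should cmp 0 }` in separate sibling blocks, so the control is satisfied as soon as `/boot/grub/grub.conf` exists, whatever its owner. `describe.one` passes when any one nested `describe` passes, so the existence and ownership tests for a file belong in the same `describe`, leaving `describe.one` to choose between the BIOS and EFI paths. `V-38581` (hunk `@@ -35,18 +35,17 @@`) has the same structure with `its('gid')`. The control block itself starts outside this hunk.

```ruby
  # … unchanged: control metadata and check/fix text …
  describe.one do
    describe file('/boot/grub/grub.conf') do
      it { should exist }
      its('uid') { should cmp 0 }
    end
    describe file('/boot/efi/EFI/redhat/grub.conf') do
      it { should exist }
      its('uid') { should cmp 0 }
    end
  end
```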
@@ -6,13 +6,13 @@ space. It is important to have an audit trail of modules that have been introduced into the kernel." impact 0.5 - tag "gtitle": "SRG-OS-000064" - tag "gid": "V-38580" - tag "rid": "SV-50381r2_rule" - tag "stig_id": "RHEL-06-000202" - tag "fix_id": "F-43528r2_fix" - tag "cci": ["CCI-000172"] - tag "nist": ["AU-12 c", "Rev_4"] + tag "gtitle": 'SRG-OS-000064' + tag "gid": 'V-38580' + tag "rid": 'SV-50381r2_rule' + tag "stig_id": 'RHEL-06-000202' + tag "fix_id": 'F-43528r2_fix' + tag "cci": ['CCI-000172'] + tag "nist": ['AU-12 c', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -56,23 +56,21 @@ module management programs, run the following commands: -w /sbin/modprobe -p x -k modules -a always,exit -F arch=[ARCH] -S init_module -S delete_module -k modules" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^(?:-w\s+|-a\s+(?:always,exit|exit,always)\s+-F\s+path=)\/sbin\/insmod\s+-p\s+[rwa]*x[rwa]*\s+-k\s+\S+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^(?:-w\s+|-a\s+(?:always,exit|exit,always)\s+-F\s+path=)\/sbin\/insmod\s+-p\s+[rwa]*x[rwa]*\s+-k\s+\S+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^(?:-w\s+|-a\s+(?:always,exit|exit,always)\s+-F\s+path=)\/sbin\/rmmod\s+-p\s+[rwa]*x[rwa]*\s+-k\s+\S+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^(?:-w\s+|-a\s+(?:always,exit|exit,always)\s+-F\s+path=)\/sbin\/rmmod\s+-p\s+[rwa]*x[rwa]*\s+-k\s+\S+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^(?:-w\s+|-a\s+(?:always,exit|exit,always)\s+-F\s+path=)\/sbin\/modprobe\s+-p\s+[rwa]*x[rwa]*\s+-k\s+\S+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^(?:-w\s+|-a\s+(?:always,exit|exit,always)\s+-F\s+path=)\/sbin\/modprobe\s+-p\s+[rwa]*x[rwa]*\s+-k\s+\S+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32\s+).*(?:,|-S\s+)delete_module(?:,|\s+).*-k\s+\S+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^[\s]*-a[\s](?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32\s+).*(?:,|-S\s+)delete_module(?:,|\s+).*-k\s+\S+\s*$/) } end - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^[\s]*-a[\s](?:always,exit|exit,always)(?:.*-F[\s]+arch=b32\s+).*(?:,|-S\s+)init_module(?:,|\s+).*-k\s+\S+\s*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should 
match(/^[\s]*-a[\s](?:always,exit|exit,always)(?:.*-F[\s]+arch=b32\s+).*(?:,|-S\s+)init_module(?:,|\s+).*-k\s+\S+\s*$/) } end describe.one do - end end - diff --git a/controls/V-38581.rb b/controls/V-38581.rb index 688cc2a..a76064c 100644 --- a/controls/V-38581.rb +++ b/controls/V-38581.rb @@ -1,16 +1,16 @@ -control "V-38581" do +control 'V-38581' do title "The system boot loader configuration file(s) must be group-owned by root." desc "The \"root\" group is a highly-privileged group. Furthermore, the group-owner of this file should not have any access privileges anyway." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38581" - tag "rid": "SV-50382r2_rule" - tag "stig_id": "RHEL-06-000066" - tag "fix_id": "F-43529r2_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38581' + tag "rid": 'SV-50382r2_rule' + tag "stig_id": 'RHEL-06-000066' + tag "fix_id": 'F-43529r2_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -35,18 +35,17 @@ # chgrp root /boot/grub/grub.conf" describe.one do - describe file("/boot/grub/grub.conf") do + describe file('/boot/grub/grub.conf') do it { should exist } end - describe file("/boot/grub/grub.conf") do - its("gid") { should cmp 0 } + describe file('/boot/grub/grub.conf') do + its('gid') { should cmp 0 } end - describe file("/boot/efi/EFI/redhat/grub.conf") do + describe file('/boot/efi/EFI/redhat/grub.conf') do it { should exist } end - describe file("/boot/efi/EFI/redhat/grub.conf") do - its("gid") { should cmp 0 } + describe file('/boot/efi/EFI/redhat/grub.conf') do + its('gid') { should cmp 0 } end end end - diff --git a/controls/V-38582.rb b/controls/V-38582.rb index f2e8001..e25abc8 100644 --- a/controls/V-38582.rb +++ b/controls/V-38582.rb 
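Review bot: The `delete_module` pattern in the `V-38580` hunk has a stray quantifier, `(?:always,exit|exit,always)+(?:.*-F[\s]+arch=b32\s+)`, where the neighbouring `init_module` pattern has none. The `+` repeats the action group instead of separating it from the next field, so it looks like a leftover from `\s+`; I would write both patterns as `(?:always,exit|exit,always)\s+(?:.*-F\s+arch=b32\s+)`. Both also use `[\s]` after `-a`, which is just `\s`.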
@@ -1,4 +1,4 @@ -control "V-38582" do +control 'V-38582' do title "The xinetd service must be disabled if no network services utilizing it are enabled." desc "The xinetd service provides a dedicated listener service for some @@ -6,13 +6,13 @@ Disabling it ensures that these uncommon services are not running, and also prevents attacks against xinetd itself." impact 0.5 - tag "gtitle": "SRG-OS-000096" - tag "gid": "V-38582" - tag "rid": "SV-50383r2_rule" - tag "stig_id": "RHEL-06-000203" - tag "fix_id": "F-43530r2_fix" - tag "cci": ["CCI-000382"] - tag "nist": ["CM-7 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000096' + tag "gid": 'V-38582' + tag "rid": 'SV-50383r2_rule' + tag "stig_id": 'RHEL-06-000203' + tag "fix_id": 'F-43530r2_fix' + tag "cci": ['CCI-000382'] + tag "nist": ['CM-7 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -55,18 +55,17 @@ # service xinetd stop" describe.one do - describe package("xinetd") do + describe package('xinetd') do it { should_not be_installed } end - describe service("xinetd") do - its("runlevels(?-mix:0)") { should be_enabled } - its("runlevels(?-mix:1)") { should be_enabled } - its("runlevels(?-mix:2)") { should be_enabled } - its("runlevels(?-mix:3)") { should be_enabled } - its("runlevels(?-mix:4)") { should be_enabled } - its("runlevels(?-mix:5)") { should be_enabled } - its("runlevels(?-mix:6)") { should be_enabled } + describe service('xinetd') do + its('runlevels(?-mix:0)') { should be_enabled } + its('runlevels(?-mix:1)') { should be_enabled } + its('runlevels(?-mix:2)') { should be_enabled } + its('runlevels(?-mix:3)') { should be_enabled } + its('runlevels(?-mix:4)') { should be_enabled } + its('runlevels(?-mix:5)') { should be_enabled } + its('runlevels(?-mix:6)') { should be_enabled } end end end - diff --git a/controls/V-38583.rb b/controls/V-38583.rb index 64af685..ef56b09 100644 --- a/controls/V-38583.rb +++ b/controls/V-38583.rb 
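Review bot: The `service('xinetd')` alternative in the `@@ -55,18 +55,17 @@` hunk asserts the opposite of the control title: each `its('runlevels(?-mix:N)') { should be_enabled }` line expects xinetd to be enabled, while the rule requires it to be disabled. The property strings also look like a stringified regexp (`(?-mix:0)`), so these seven lines may not resolve to the runlevel check that was intended. I would replace them with `it { should_not be_enabled }` and `it { should_not be_running }`, which matches the `service xinetd stop` step in the fix text above.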
@@ -1,16 +1,16 @@ -control "V-38583" do +control 'V-38583' do title "The system boot loader configuration file(s) must have mode 0600 or less permissive." desc "Proper permissions ensure that only the root user can modify important boot parameters." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38583" - tag "rid": "SV-50384r4_rule" - tag "stig_id": "RHEL-06-000067" - tag "fix_id": "F-43531r3_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38583' + tag "rid": 'SV-50384r4_rule' + tag "stig_id": 'RHEL-06-000067' + tag "fix_id": 'F-43531r3_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -51,65 +51,64 @@ require alternative measures. " - describe file("/boot/grub/grub.conf") do + describe file('/boot/grub/grub.conf') do it { should exist } end - describe file("/boot/grub/grub.conf") do - it { should_not be_executable.by "group" } + describe file('/boot/grub/grub.conf') do + it { should_not be_executable.by 'group' } end - describe file("/boot/grub/grub.conf") do - it { should_not be_readable.by "group" } + describe file('/boot/grub/grub.conf') do + it { should_not be_readable.by 'group' } end - describe file("/boot/grub/grub.conf") do - it { should_not be_writable.by "group" } + describe file('/boot/grub/grub.conf') do + it { should_not be_writable.by 'group' } end - describe file("/boot/grub/grub.conf") do - it { should_not be_executable.by "other" } + describe file('/boot/grub/grub.conf') do + it { should_not be_executable.by 'other' } end - describe file("/boot/grub/grub.conf") do - it { should_not be_readable.by "other" } + describe file('/boot/grub/grub.conf') do + it { should_not be_readable.by 'other' } end - describe file("/boot/grub/grub.conf") do - it { should_not be_writable.by "other" } + describe file('/boot/grub/grub.conf') do + it { should_not be_writable.by 'other' } end - describe file("/boot/grub/grub.conf") do - it { should_not be_executable.by "owner" } + describe file('/boot/grub/grub.conf') do + it { should_not be_executable.by 'owner' } end - describe file("/boot/grub/grub.conf") do - it { should be_readable.by "owner" } + describe file('/boot/grub/grub.conf') do + it { should be_readable.by 'owner' } end - describe file("/boot/grub/grub.conf") do - it { should be_writable.by "owner" } + describe file('/boot/grub/grub.conf') do + it { should be_writable.by 'owner' } end - describe file("/boot/efi/EFI/redhat/grub.conf") do + describe file('/boot/efi/EFI/redhat/grub.conf') do it { should exist } end - describe file("/boot/efi/EFI/redhat/grub.conf") do - it { should_not be_executable.by "group" } + describe 
file('/boot/efi/EFI/redhat/grub.conf') do + it { should_not be_executable.by 'group' } end - describe file("/boot/efi/EFI/redhat/grub.conf") do - it { should_not be_readable.by "group" } + describe file('/boot/efi/EFI/redhat/grub.conf') do + it { should_not be_readable.by 'group' } end - describe file("/boot/efi/EFI/redhat/grub.conf") do - it { should_not be_writable.by "group" } + describe file('/boot/efi/EFI/redhat/grub.conf') do + it { should_not be_writable.by 'group' } end - describe file("/boot/efi/EFI/redhat/grub.conf") do - it { should_not be_executable.by "other" } + describe file('/boot/efi/EFI/redhat/grub.conf') do + it { should_not be_executable.by 'other' } end - describe file("/boot/efi/EFI/redhat/grub.conf") do - it { should_not be_readable.by "other" } + describe file('/boot/efi/EFI/redhat/grub.conf') do + it { should_not be_readable.by 'other' } end - describe file("/boot/efi/EFI/redhat/grub.conf") do - it { should_not be_writable.by "other" } + describe file('/boot/efi/EFI/redhat/grub.conf') do + it { should_not be_writable.by 'other' } end - describe file("/boot/efi/EFI/redhat/grub.conf") do - it { should_not be_executable.by "owner" } + describe file('/boot/efi/EFI/redhat/grub.conf') do + it { should_not be_executable.by 'owner' } end - describe file("/boot/efi/EFI/redhat/grub.conf") do - it { should be_readable.by "owner" } + describe file('/boot/efi/EFI/redhat/grub.conf') do + it { should be_readable.by 'owner' } end - describe file("/boot/efi/EFI/redhat/grub.conf") do - it { should be_writable.by "owner" } + describe file('/boot/efi/EFI/redhat/grub.conf') do + it { should be_writable.by 'owner' } end end - diff --git a/controls/V-38584.rb b/controls/V-38584.rb index e24640e..545e3af 100644 --- a/controls/V-38584.rb +++ b/controls/V-38584.rb 
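Review bot: Both `/boot/grub/grub.conf` and `/boot/efi/EFI/redhat/grub.conf` must exist for `V-38583` to pass, because the two `it { should exist }` blocks are unconditional here, whereas `V-38579`, `V-38581` and `V-38585` treat the two paths as alternatives. A host normally boots from one of them, so the result is a failure unrelated to the file mode. The title allows "0600 or less permissive", yet `should be_readable.by 'owner'` and `should be_writable.by 'owner'` reject a stricter mode such as 0400. The sketch below checks whichever files are present and collapses the twenty single-test blocks into a loop; it drops the two owner-must-have-access tests, which should be confirmed against the intended reading of the rule.

```ruby
  # … unchanged: control metadata and check/fix text …
  grub_confs = %w[/boot/grub/grub.conf /boot/efi/EFI/redhat/grub.conf].select { |path| file(path).exist? }

  describe 'boot loader configuration files found' do
    subject { grub_confs }
    it { should_not be_empty }
  end

  grub_confs.each do |path|
    describe file(path) do
      %w[group other].each do |who|
        it { should_not be_readable.by who }
        it { should_not be_writable.by who }
        it { should_not be_executable.by who }
      end
      it { should_not be_executable.by 'owner' }
    end
  end
```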
@@ -1,16 +1,16 @@ -control "V-38584" do +control 'V-38584' do title "The xinetd service must be uninstalled if no network services utilizing it are enabled." desc "Removing the \"xinetd\" package decreases the risk of the xinetd service's accidental (or intentional) activation." impact 0.3 - tag "gtitle": "SRG-OS-000096" - tag "gid": "V-38584" - tag "rid": "SV-50385r1_rule" - tag "stig_id": "RHEL-06-000204" - tag "fix_id": "F-43532r1_fix" - tag "cci": ["CCI-000382"] - tag "nist": ["CM-7 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000096' + tag "gid": 'V-38584' + tag "rid": 'SV-50385r1_rule' + tag "stig_id": 'RHEL-06-000204' + tag "fix_id": 'F-43532r1_fix' + tag "cci": ['CCI-000382'] + tag "nist": ['CM-7 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -35,8 +35,7 @@ # yum erase xinetd" - describe package("xinetd") do + describe package('xinetd') do it { should_not be_installed } end end - diff --git a/controls/V-38585.rb b/controls/V-38585.rb index e73f711..7447005 100644 --- a/controls/V-38585.rb +++ b/controls/V-38585.rb 
@@ -1,16 +1,16 @@ -control "V-38585" do - title "The system boot loader must require authentication." +control 'V-38585' do + title 'The system boot loader must require authentication.' desc "Password protection on the boot loader configuration ensures users with physical access cannot trivially alter important bootloader settings. These include which kernel to use, and whether to enter single-user mode." impact 0.5 - tag "gtitle": "SRG-OS-000080" - tag "gid": "V-38585" - tag "rid": "SV-50386r4_rule" - tag "stig_id": "RHEL-06-000068" - tag "fix_id": "F-43533r3_fix" - tag "cci": ["CCI-000213"] - tag "nist": ["AC-3", "Rev_4"] + tag "gtitle": 'SRG-OS-000080' + tag "gid": 'V-38585' + tag "rid": 'SV-50386r4_rule' + tag "stig_id": 'RHEL-06-000068' + tag "fix_id": 'F-43533r3_fix' + tag "cci": ['CCI-000213'] + tag "nist": ['AC-3', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -50,12 +50,11 @@ password --encrypted [password-hash]" describe.one do - describe file("/boot/grub/grub.conf") do - its("content") { should match(/^\s*password\s+--encrypted\s+.*/) } + describe file('/boot/grub/grub.conf') do + its('content') { should match(/^\s*password\s+--encrypted\s+.*/) } end - describe file("/boot/efi/EFI/redhat/grub.conf") do - its("content") { should match(/^\s*password\s+--encrypted\s+.*/) } + describe file('/boot/efi/EFI/redhat/grub.conf') do + its('content') { should match(/^\s*password\s+--encrypted\s+.*/) } end end end - diff --git a/controls/V-38586.rb b/controls/V-38586.rb index c7d400b..6a0d809 100644 --- a/controls/V-38586.rb +++ b/controls/V-38586.rb 
@@ -1,17 +1,17 @@ -control "V-38586" do +control 'V-38586' do title "The system must require authentication upon booting into single-user and maintenance modes." desc "This prevents attackers with physical access from trivially bypassing security on the machine and gaining root access. Such accesses are further prevented by configuring the bootloader password." impact 0.5 - tag "gtitle": "SRG-OS-000080" - tag "gid": "V-38586" - tag "rid": "SV-50387r1_rule" - tag "stig_id": "RHEL-06-000069" - tag "fix_id": "F-43534r1_fix" - tag "cci": ["CCI-000213"] - tag "nist": ["AC-3", "Rev_4"] + tag "gtitle": 'SRG-OS-000080' + tag "gid": 'V-38586' + tag "rid": 'SV-50387r1_rule' + tag "stig_id": 'RHEL-06-000069' + tag "fix_id": 'F-43534r1_fix' + tag "cci": ['CCI-000213'] + tag "nist": ['AC-3', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -44,8 +44,7 @@ SINGLE=/sbin/sulogin" - describe file("/etc/sysconfig/init") do - its("content") { should match(/^SINGLE=\/sbin\/sulogin[\s]*/) } + describe file('/etc/sysconfig/init') do + its('content') { should match(/^SINGLE=\/sbin\/sulogin[\s]*/) } end end - diff --git a/controls/V-38587.rb b/controls/V-38587.rb index f77c7d3..11fb181 100644 --- a/controls/V-38587.rb +++ b/controls/V-38587.rb @@ -1,5 +1,5 @@ -control "V-38587" do - title "The telnet-server package must not be installed." +control 'V-38587' do + title 'The telnet-server package must not be installed.' desc "Removing the \"telnet-server\" package decreases the risk of the unencrypted telnet service's accidental (or intentional) activation. 
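Review bot: The pattern in the last hunk of controls/V-38586.rb, `/^SINGLE=\/sbin\/sulogin[\s]*/`, has no end anchor, and `[\s]*` can match zero characters. Any value that merely begins with `/sbin/sulogin` passes, for example a different binary whose path shares that prefix. Anchoring the end makes the check exact: `its('content') { should match(/^SINGLE=\/sbin\/sulogin\s*$/) }`. The enclosing `control` block starts above this hunk.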
@@ -8,13 +8,13 @@ tunnels, the risk of exposing sensitive information is mitigated. " impact 0.7 - tag "gtitle": "SRG-OS-000095" - tag "gid": "V-38587" - tag "rid": "SV-50388r1_rule" - tag "stig_id": "RHEL-06-000206" - tag "fix_id": "F-43535r1_fix" - tag "cci": ["CCI-000381"] - tag "nist": ["CM-7 a", "Rev_4"] + tag "gtitle": 'SRG-OS-000095' + tag "gid": 'V-38587' + tag "rid": 'SV-50388r1_rule' + tag "stig_id": 'RHEL-06-000206' + tag "fix_id": 'F-43535r1_fix' + tag "cci": ['CCI-000381'] + tag "nist": ['CM-7 a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -37,8 +37,7 @@ # yum erase telnet-server" - describe package("telnet-server") do + describe package('telnet-server') do it { should_not be_installed } end end - diff --git a/controls/V-38588.rb b/controls/V-38588.rb index 39ab6c2..c9b76ee 100644 --- a/controls/V-38588.rb +++ b/controls/V-38588.rb @@ -1,15 +1,15 @@ -control "V-38588" do - title "The system must not permit interactive boot." +control 'V-38588' do + title 'The system must not permit interactive boot.' desc "Using interactive boot, the console user could disable auditing, firewalls, or other services, weakening system security." impact 0.5 - tag "gtitle": "SRG-OS-000080" - tag "gid": "V-38588" - tag "rid": "SV-50389r1_rule" - tag "stig_id": "RHEL-06-000070" - tag "fix_id": "F-43536r1_fix" - tag "cci": ["CCI-000213"] - tag "nist": ["AC-3", "Rev_4"] + tag "gtitle": 'SRG-OS-000080' + tag "gid": 'V-38588' + tag "rid": 'SV-50389r1_rule' + tag "stig_id": 'RHEL-06-000070' + tag "fix_id": 'F-43536r1_fix' + tag "cci": ['CCI-000213'] + tag "nist": ['AC-3', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -40,8 +40,7 @@ startup, in which it is possible to select the set of services which are started on boot." - describe file("/etc/sysconfig/init") do - its("content") { should match(/^[\s]*PROMPT[\s]*=[\s]*no[\s]*$/) } + describe file('/etc/sysconfig/init') do + its('content') { should match(/^[\s]*PROMPT[\s]*=[\s]*no[\s]*$/) } end end - diff --git a/controls/V-38589.rb b/controls/V-38589.rb index cb192b8..017247b 100644 --- a/controls/V-38589.rb +++ b/controls/V-38589.rb @@ -1,5 +1,5 @@ -control "V-38589" do - title "The telnet daemon must not be running." +control 'V-38589' do + title 'The telnet daemon must not be running.' desc "The telnet protocol uses unencrypted network communication, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on @@ -10,13 +10,13 @@ tunnels, the risk of exposing sensitive information is mitigated. " impact 0.7 - tag "gtitle": "SRG-OS-000129" - tag "gid": "V-38589" - tag "rid": "SV-50390r2_rule" - tag "stig_id": "RHEL-06-000211" - tag "fix_id": "F-43537r1_fix" - tag "cci": ["CCI-000888"] - tag "nist": ["MA-4 (6)", "Rev_4"] + tag "gtitle": 'SRG-OS-000129' + tag "gid": 'V-38589' + tag "rid": 'SV-50390r2_rule' + tag "stig_id": 'RHEL-06-000211' + tag "fix_id": 'F-43537r1_fix' + tag "cci": ['CCI-000888'] + tag "nist": ['MA-4 (6)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -48,12 +48,11 @@ # chkconfig telnet off" describe.one do - describe package("telnet-server") do + describe package('telnet-server') do it { should_not be_installed } end - describe file("/etc/xinetd.d/telnet") do - its("content") { should match(/^\s*disable\s+=\s+yes\s*$/) } + describe file('/etc/xinetd.d/telnet') do + its('content') { should match(/^\s*disable\s+=\s+yes\s*$/) } end end end - diff --git a/controls/V-38590.rb b/controls/V-38590.rb index 5387fdb..27b7702 100644 --- a/controls/V-38590.rb 
+++ b/controls/V-38590.rb @@ -1,15 +1,15 @@ -control "V-38590" do - title "The system must allow locking of the console screen in text mode." +control 'V-38590' do + title 'The system must allow locking of the console screen in text mode.' desc "Installing \"screen\" ensures a console locking capability is available for users who may need to suspend console logins." impact 0.3 - tag "gtitle": "SRG-OS-000030" - tag "gid": "V-38590" - tag "rid": "SV-50391r1_rule" - tag "stig_id": "RHEL-06-000071" - tag "fix_id": "F-43538r1_fix" - tag "cci": ["CCI-000058"] - tag "nist": ["AC-11 a", "Rev_4"] + tag "gtitle": 'SRG-OS-000030' + tag "gid": 'V-38590' + tag "rid": 'SV-50391r1_rule' + tag "stig_id": 'RHEL-06-000071' + tag "fix_id": 'F-43538r1_fix' + tag "cci": ['CCI-000058'] + tag "nist": ['AC-11 a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -40,8 +40,7 @@ ctrl+a x" - describe package("screen") do + describe package('screen') do it { should be_installed } end end - diff --git a/controls/V-38591.rb b/controls/V-38591.rb index b0ef6b9..62a6573 100644 --- a/controls/V-38591.rb +++ b/controls/V-38591.rb 
@@ -1,16 +1,16 @@ -control "V-38591" do - title "The rsh-server package must not be installed." +control 'V-38591' do + title 'The rsh-server package must not be installed.' desc "The \"rsh-server\" package provides several obsolete and insecure network services. Removing it decreases the risk of those services' accidental (or intentional) activation." impact 0.7 - tag "gtitle": "SRG-OS-000095" - tag "gid": "V-38591" - tag "rid": "SV-50392r1_rule" - tag "stig_id": "RHEL-06-000213" - tag "fix_id": "F-43539r1_fix" - tag "cci": ["CCI-000381"] - tag "nist": ["CM-7 a", "Rev_4"] + tag "gtitle": 'SRG-OS-000095' + tag "gid": 'V-38591' + tag "rid": 'SV-50392r1_rule' + tag "stig_id": 'RHEL-06-000213' + tag "fix_id": 'F-43539r1_fix' + tag "cci": ['CCI-000381'] + tag "nist": ['CM-7 a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -33,8 +33,7 @@ # yum erase rsh-server" - describe package("rsh-server") do + describe package('rsh-server') do it { should_not be_installed } end end - diff --git a/controls/V-38592.rb b/controls/V-38592.rb index 67cf4a8..216abbb 100644 --- a/controls/V-38592.rb +++ b/controls/V-38592.rb @@ -1,4 +1,4 @@ -control "V-38592" do +control 'V-38592' do title "The system must require administrator action to unlock an account locked by excessive failed login attempts." desc "Locking out user accounts after a number of incorrect attempts 
@@ -6,13 +6,13 @@ involved in unlocking locked accounts draws appropriate attention to such situations." impact 0.5 - tag "gtitle": "SRG-OS-000022" - tag "gid": "V-38592" - tag "rid": "SV-50393r4_rule" - tag "stig_id": "RHEL-06-000356" - tag "fix_id": "F-43541r6_fix" - tag "cci": ["CCI-000047"] - tag "nist": ["AC-7 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000022' + tag "gid": 'V-38592' + tag "rid": 'SV-50393r4_rule' + tag "stig_id": 'RHEL-06-000356' + tag "fix_id": 'F-43541r6_fix' + tag "cci": ['CCI-000047'] + tag "nist": ['AC-7 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -57,21 +57,20 @@ \"/etc/pam.d/password-auth\" may be overwritten by the \"authconfig\" program. The \"authconfig\" program should not be used." - file("/etc/pam.d/system-auth").content.to_s.scan(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*\s+unlock_time=([0-9]+).*$/).flatten.each do |entry| + file('/etc/pam.d/system-auth').content.to_s.scan(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*\s+unlock_time=([0-9]+).*$/).flatten.each do |entry| describe entry do - it { should cmp == 604800 } + it { should cmp == 604_800 } end end - describe file("/etc/pam.d/system-auth") do - its("content") { should match(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*\s+unlock_time=([0-9]+).*$/) } + describe file('/etc/pam.d/system-auth') do + its('content') { should match(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*\s+unlock_time=([0-9]+).*$/) } end - file("/etc/pam.d/password-auth").content.to_s.scan(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*\s+unlock_time=([0-9]+).*$/).flatten.each do |entry| + file('/etc/pam.d/password-auth').content.to_s.scan(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*\s+unlock_time=([0-9]+).*$/).flatten.each do |entry| describe entry do - it { should cmp == 604800 } + it { should cmp == 604_800 } end end - describe file("/etc/pam.d/password-auth") do - its("content") { should match(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*\s+unlock_time=([0-9]+).*$/) } + describe file('/etc/pam.d/password-auth') do + its('content') { should match(/^\s*auth\s+(?:(?:sufficient)|(?:\[default=die\]))\s+pam_faillock\.so\s+authfail.*\s+unlock_time=([0-9]+).*$/) } end end - diff --git a/controls/V-38593.rb b/controls/V-38593.rb index e2d9c53..4d44921 100644 --- a/controls/V-38593.rb +++ b/controls/V-38593.rb 
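Review bot: The pam_faillock pattern is written out four times in this hunk: in the `.scan(...)` call and in the `should match(...)` for each of system-auth and password-auth. The value check and the presence check can drift apart if only one copy is edited. Binding it once at the top of the checks, e.g. `faillock_unlock = /…same pattern…/`, and using `scan(faillock_unlock)` and `should match(faillock_unlock)` keeps them identical. A short comment that the `describe entry` loop emits no test when nothing matches, so the `should match` block is what fails the control, would also help. The `control` block opens in an earlier hunk.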
@@ -1,18 +1,18 @@ -control "V-38593" do +control 'V-38593' do title "The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts." desc "An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers." impact 0.5 - tag "gtitle": "SRG-OS-000228" - tag "gid": "V-38593" - tag "rid": "SV-50394r3_rule" - tag "stig_id": "RHEL-06-000073" - tag "fix_id": "F-43540r3_fix" - tag "cci": ["CCI-001384", "CCI-001385", "CCI-001386", "CCI-001387", -"CCI-001388"] - tag "nist": ["AC-8 c 1", "AC-8 c 2", "AC-8 c 2", "AC-8 c 2", "AC-8 c 3", -"Rev_4"] + tag "gtitle": 'SRG-OS-000228' + tag "gid": 'V-38593' + tag "rid": 'SV-50394r3_rule' + tag "stig_id": 'RHEL-06-000073' + tag "fix_id": 'F-43540r3_fix' + tag "cci": ['CCI-001384', 'CCI-001385', 'CCI-001386', 'CCI-001387', + 'CCI-001388'] + tag "nist": ['AC-8 c 1', 'AC-8 c 2', 'AC-8 c 2', 'AC-8 c 2', 'AC-8 c 3', + 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -64,11 +64,10 @@ \"I've read & consent to terms in IS user agreem't.\"" - banner_text = file('/etc/issue').content.gsub(%r{[\r\n\s]}, '') + banner_text = file('/etc/issue').content.gsub(/[\r\n\s]/, '') - describe "Banner text" do + describe 'Banner text' do subject { banner_text } - it { should eq attribute('banner_text').gsub(%r{[\r\n\s]}, '') } + it { should eq attribute('banner_text').gsub(/[\r\n\s]/, '') } end end - diff --git a/controls/V-38594.rb b/controls/V-38594.rb index 2068f25..03307f6 100644 --- a/controls/V-38594.rb +++ b/controls/V-38594.rb 
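Review bot: In the last hunk of controls/V-38593.rb, `banner_text = file('/etc/issue').content.gsub(/[\r\n\s]/, '')` runs outside any `describe`. If `/etc/issue` is absent, `content` would presumably be nil and the `gsub` call would raise instead of reporting a failed control. The V-38592 checks in this same commit guard this with `.content.to_s`, and the same works here: `banner_text = file('/etc/issue').content.to_s.gsub(/[\r\n\s]/, '')`. The `control` block opens in the hunk above.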
@@ -1,16 +1,16 @@ -control "V-38594" do - title "The rshd service must not be running." +control 'V-38594' do + title 'The rshd service must not be running.' desc "The rsh service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network." impact 0.7 - tag "gtitle": "SRG-OS-000033" - tag "gid": "V-38594" - tag "rid": "SV-50395r2_rule" - tag "stig_id": "RHEL-06-000214" - tag "fix_id": "F-43542r3_fix" - tag "cci": ["CCI-000068"] - tag "nist": ["AC-17 (2)", "Rev_4"] + tag "gtitle": 'SRG-OS-000033' + tag "gid": 'V-38594' + tag "rid": 'SV-50395r2_rule' + tag "stig_id": 'RHEL-06-000214' + tag "fix_id": 'F-43542r3_fix' + tag "cci": ['CCI-000068'] + tag "nist": ['AC-17 (2)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -43,12 +43,11 @@ # chkconfig rsh off" describe.one do - describe package("rsh-server") do + describe package('rsh-server') do it { should_not be_installed } end - describe file("/etc/xinetd.d/rsh") do - its("content") { should match(/^\s*disable\s+=\s+yes\s*$/) } + describe file('/etc/xinetd.d/rsh') do + its('content') { should match(/^\s*disable\s+=\s+yes\s*$/) } end end end - diff --git a/controls/V-38595.rb b/controls/V-38595.rb index 13d16ed..2650d9e 100644 --- a/controls/V-38595.rb +++ b/controls/V-38595.rb 
@@ -1,17 +1,17 @@ -control "V-38595" do +control 'V-38595' do title "The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication." desc "Smart card login provides two-factor authentication stronger than that provided by a username/password combination. Smart cards leverage a PKI (public key infrastructure) in order to provide and verify credentials." impact 0.5 - tag "gtitle": "SRG-OS-000105" - tag "gid": "V-38595" - tag "rid": "SV-50396r3_rule" - tag "stig_id": "RHEL-06-000349" - tag "fix_id": "F-43544r2_fix" - tag "cci": ["CCI-000765"] - tag "nist": ["IA-2 (1)", "Rev_4"] + tag "gtitle": 'SRG-OS-000105' + tag "gid": 'V-38595' + tag "rid": 'SV-50396r3_rule' + tag "stig_id": 'RHEL-06-000349' + tag "fix_id": 'F-43544r2_fix' + tag "cci": ['CCI-000765'] + tag "nist": ['IA-2 (1)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -48,8 +48,7 @@ https://access.redhat.com/solutions/82273" - describe "Manual test" do - skip "This control must be reviewed manually" + describe 'Manual test' do + skip 'This control must be reviewed manually' end end - diff --git a/controls/V-38596.rb b/controls/V-38596.rb index d65bdfa..dfb2a4d 100644 --- a/controls/V-38596.rb +++ b/controls/V-38596.rb @@ -1,5 +1,5 @@ -control "V-38596" do - title "The system must implement virtual address space randomization." +control 'V-38596' do + title 'The system must implement virtual address space randomization.' desc "Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code he or she has introduced into a process's address space during an attempt at exploitation. Additionally, 
@@ -7,13 +7,13 @@ existing code in order to repurpose it using return oriented programming (ROP) techniques." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38596" - tag "rid": "SV-50397r2_rule" - tag "stig_id": "RHEL-06-000078" - tag "fix_id": "F-43543r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38596' + tag "rid": 'SV-50397r2_rule' + tag "stig_id": 'RHEL-06-000078' + tag "fix_id": 'F-43543r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -46,7 +46,7 @@ kernel.randomize_va_space = 2" describe command('sysctl -n kernel.randomize_va_space') do - its('stdout.strip') { should be_in ['1', '2'] } + its('stdout.strip') { should be_in %w[1 2] } end describe.one do @@ -59,4 +59,3 @@ end end end - diff --git a/controls/V-38597.rb b/controls/V-38597.rb index 7d550ec..abb3ae6 100644 --- a/controls/V-38597.rb +++ b/controls/V-38597.rb @@ -1,4 +1,4 @@ -control "V-38597" do +control 'V-38597' do title "The system must limit the ability of processes to have simultaneous write and execute access to memory." desc "ExecShield uses the segmentation feature on all x86 systems to prevent @@ -8,13 +8,13 @@ the stack and heap higher than this address, the hardware prevents execution in that address range." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38597" - tag "rid": "SV-50398r2_rule" - tag "stig_id": "RHEL-06-000079" - tag "fix_id": "F-43545r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38597' + tag "rid": 'SV-50398r2_rule' + tag "stig_id": 'RHEL-06-000079' + tag "fix_id": 'F-43545r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
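Review bot: In controls/V-38596.rb the check `its('stdout.strip') { should be_in %w[1 2] }` accepts a value of 1, while the fix text visible as context in the same hunk ends with `kernel.randomize_va_space = 2`. If the STIG check text really allows 1, a comment above the `describe` saying so would keep a later reader from tightening it. Otherwise the assertion should require full randomization, `its('stdout.strip') { should cmp 2 }`. The rest of the control, including the `describe.one` that follows, lies outside this hunk.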
@@ -53,4 +53,3 @@ its('params') { should be >= { 'kernel.exec-shield' => '1' } } end end - diff --git a/controls/V-38598.rb b/controls/V-38598.rb index f61025b..b1bb569 100644 --- a/controls/V-38598.rb +++ b/controls/V-38598.rb @@ -1,16 +1,16 @@ -control "V-38598" do - title "The rexecd service must not be running." +control 'V-38598' do + title 'The rexecd service must not be running.' desc "The rexec service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network." impact 0.7 - tag "gtitle": "SRG-OS-000033" - tag "gid": "V-38598" - tag "rid": "SV-50399r2_rule" - tag "stig_id": "RHEL-06-000216" - tag "fix_id": "F-43546r3_fix" - tag "cci": ["CCI-000068"] - tag "nist": ["AC-17 (2)", "Rev_4"] + tag "gtitle": 'SRG-OS-000033' + tag "gid": 'V-38598' + tag "rid": 'SV-50399r2_rule' + tag "stig_id": 'RHEL-06-000216' + tag "fix_id": 'F-43546r3_fix' + tag "cci": ['CCI-000068'] + tag "nist": ['AC-17 (2)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -43,12 +43,11 @@ # chkconfig rexec off" describe.one do - describe package("rsh-server") do + describe package('rsh-server') do it { should_not be_installed } end - describe file("/etc/xinetd.d/rexec") do - its("content") { should match(/^\s*disable\s+=\s+yes\s*$/) } + describe file('/etc/xinetd.d/rexec') do + its('content') { should match(/^\s*disable\s+=\s+yes\s*$/) } end end end - diff --git a/controls/V-38599.rb b/controls/V-38599.rb index f0b98e5..d28ccbf 100644 --- a/controls/V-38599.rb +++ b/controls/V-38599.rb 
@@ -1,16 +1,16 @@ -control "V-38599" do +control 'V-38599' do title "The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner." desc "This setting will cause the system greeting banner to be used for FTP connections as well." impact 0.5 - tag "gtitle": "SRG-OS-000023" - tag "gid": "V-38599" - tag "rid": "SV-50400r2_rule" - tag "stig_id": "RHEL-06-000348" - tag "fix_id": "F-43564r3_fix" - tag "cci": ["CCI-000048"] - tag "nist": ["AC-8 a", "Rev_4"] + tag "gtitle": 'SRG-OS-000023' + tag "gid": 'V-38599' + tag "rid": 'SV-50400r2_rule' + tag "stig_id": 'RHEL-06-000348' + tag "fix_id": 'F-43564r3_fix' + tag "cci": ['CCI-000048'] + tag "nist": ['AC-8 a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -52,9 +52,8 @@ end else impact 0.0 - describe "Package vsftpd not installed" do - skip "Package vsftpd not installed, this control Not Applicable" + describe 'Package vsftpd not installed' do + skip 'Package vsftpd not installed, this control Not Applicable' end end end - diff --git a/controls/V-38600.rb b/controls/V-38600.rb index 0c5f50d..34fe2d7 100644 --- a/controls/V-38600.rb +++ b/controls/V-38600.rb 
@@ -1,16 +1,16 @@ -control "V-38600" do - title "The system must not send ICMPv4 redirects by default." +control 'V-38600' do + title 'The system must not send ICMPv4 redirects by default.' desc "Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38600" - tag "rid": "SV-50401r2_rule" - tag "stig_id": "RHEL-06-000080" - tag "fix_id": "F-43547r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38600' + tag "rid": 'SV-50401r2_rule' + tag "stig_id": 'RHEL-06-000080' + tag "fix_id": 'F-43547r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -44,14 +44,13 @@ net.ipv4.conf.default.send_redirects = 0" - describe kernel_parameter("net.ipv4.conf.default.send_redirects") do - its("value") { should_not be_nil } + describe kernel_parameter('net.ipv4.conf.default.send_redirects') do + its('value') { should_not be_nil } end - describe kernel_parameter("net.ipv4.conf.default.send_redirects") do - its("value") { should eq 0 } + describe kernel_parameter('net.ipv4.conf.default.send_redirects') do + its('value') { should eq 0 } end - describe file("/etc/sysctl.conf") do - its("content") { should match(/^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$/) } + describe file('/etc/sysctl.conf') do + its('content') { should match(/^[\s]*net.ipv4.conf.default.send_redirects[\s]*=[\s]*0[\s]*$/) } end end - diff --git a/controls/V-38601.rb b/controls/V-38601.rb index d23095d..500a97d 100644 --- a/controls/V-38601.rb +++ b/controls/V-38601.rb 
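Review bot: The sysctl.conf pattern in the last hunk of controls/V-38600.rb leaves the dots in the parameter name unescaped, so each `.` matches any character. The same applies to `net.ipv4.conf.all.send_redirects` in controls/V-38601.rb. The impact is small because the `kernel_parameter` check also reads the live value, but the file check should match the literal key: `should match(/^\s*net\.ipv4\.conf\.default\.send_redirects\s*=\s*0\s*$/)`. The two `describe kernel_parameter(...)` blocks for the same key could also be merged into one.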
@@ -1,16 +1,16 @@ -control "V-38601" do - title "The system must not send ICMPv4 redirects from any interface." +control 'V-38601' do + title 'The system must not send ICMPv4 redirects from any interface.' desc "Sending ICMP redirects permits the system to instruct other systems to update their routing information. The ability to send ICMP redirects is only appropriate for systems acting as routers." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38601" - tag "rid": "SV-50402r2_rule" - tag "stig_id": "RHEL-06-000081" - tag "fix_id": "F-43548r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38601' + tag "rid": 'SV-50402r2_rule' + tag "stig_id": 'RHEL-06-000081' + tag "fix_id": 'F-43548r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -44,14 +44,13 @@ net.ipv4.conf.all.send_redirects = 0" - describe kernel_parameter("net.ipv4.conf.all.send_redirects") do - its("value") { should_not be_nil } + describe kernel_parameter('net.ipv4.conf.all.send_redirects') do + its('value') { should_not be_nil } end - describe kernel_parameter("net.ipv4.conf.all.send_redirects") do - its("value") { should eq 0 } + describe kernel_parameter('net.ipv4.conf.all.send_redirects') do + its('value') { should eq 0 } end - describe file("/etc/sysctl.conf") do - its("content") { should match(/^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$/) } + describe file('/etc/sysctl.conf') do + its('content') { should match(/^[\s]*net.ipv4.conf.all.send_redirects[\s]*=[\s]*0[\s]*$/) } end end - diff --git a/controls/V-38602.rb b/controls/V-38602.rb index 0d9b925..bd24df3 100644 --- a/controls/V-38602.rb +++ b/controls/V-38602.rb 
@@ -1,17 +1,17 @@ -control "V-38602" do - title "The rlogind service must not be running." +control 'V-38602' do + title 'The rlogind service must not be running.' desc "The rlogin service uses unencrypted network communications, which means that data from the login session, including passwords and all other information transmitted during the session, can be stolen by eavesdroppers on the network." impact 0.7 - tag "gtitle": "SRG-OS-000248" - tag "gid": "V-38602" - tag "rid": "SV-50403r2_rule" - tag "stig_id": "RHEL-06-000218" - tag "fix_id": "F-43549r3_fix" - tag "cci": ["CCI-001436"] - tag "nist": ["AC-17 (8)", "Rev_4"] + tag "gtitle": 'SRG-OS-000248' + tag "gid": 'V-38602' + tag "rid": 'SV-50403r2_rule' + tag "stig_id": 'RHEL-06-000218' + tag "fix_id": 'F-43549r3_fix' + tag "cci": ['CCI-001436'] + tag "nist": ['AC-17 (8)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -45,12 +45,11 @@ # chkconfig rlogin off" describe.one do - describe package("rsh-server") do + describe package('rsh-server') do it { should_not be_installed } end - describe file("/etc/xinetd.d/rlogin") do - its("content") { should match(/^\s*disable\s+=\s+yes\s*$/) } + describe file('/etc/xinetd.d/rlogin') do + its('content') { should match(/^\s*disable\s+=\s+yes\s*$/) } end end end - diff --git a/controls/V-38603.rb b/controls/V-38603.rb index 382ef31..917813b 100644 --- a/controls/V-38603.rb +++ b/controls/V-38603.rb 
@@ -1,15 +1,15 @@ -control "V-38603" do - title "The ypserv package must not be installed." +control 'V-38603' do + title 'The ypserv package must not be installed.' desc "Removing the \"ypserv\" package decreases the risk of the accidental (or intentional) activation of NIS or NIS+ services." impact 0.5 - tag "gtitle": "SRG-OS-000095" - tag "gid": "V-38603" - tag "rid": "SV-50404r1_rule" - tag "stig_id": "RHEL-06-000220" - tag "fix_id": "F-43551r1_fix" - tag "cci": ["CCI-000381"] - tag "nist": ["CM-7 a", "Rev_4"] + tag "gtitle": 'SRG-OS-000095' + tag "gid": 'V-38603' + tag "rid": 'SV-50404r1_rule' + tag "stig_id": 'RHEL-06-000220' + tag "fix_id": 'F-43551r1_fix' + tag "cci": ['CCI-000381'] + tag "nist": ['CM-7 a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -32,8 +32,7 @@ # yum erase ypserv" - describe package("ypserv") do + describe package('ypserv') do it { should_not be_installed } end end - diff --git a/controls/V-38604.rb b/controls/V-38604.rb index 357a4c8..c9a81f7 100644 --- a/controls/V-38604.rb +++ b/controls/V-38604.rb @@ -1,15 +1,15 @@ -control "V-38604" do - title "The ypbind service must not be running." +control 'V-38604' do + title 'The ypbind service must not be running.' desc "Disabling the \"ypbind\" service ensures the system is not acting as a client in a NIS or NIS+ domain." impact 0.5 - tag "gtitle": "SRG-OS-000096" - tag "gid": "V-38604" - tag "rid": "SV-50405r2_rule" - tag "stig_id": "RHEL-06-000221" - tag "fix_id": "F-43552r2_fix" - tag "cci": ["CCI-000382"] - tag "nist": ["CM-7 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000096' + tag "gid": 'V-38604' + tag "rid": 'SV-50405r2_rule' + tag "stig_id": 'RHEL-06-000221' + tag "fix_id": 'F-43552r2_fix' + tag "cci": ['CCI-000382'] + tag "nist": ['CM-7 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -50,18 +50,17 @@ # service ypbind stop" describe.one do - describe package("ypbind") do + describe package('ypbind') do it { should_not be_installed } end - describe service("ypbind") do - its("runlevels(?-mix:0)") { should be_enabled } - its("runlevels(?-mix:1)") { should be_enabled } - its("runlevels(?-mix:2)") { should be_enabled } - its("runlevels(?-mix:3)") { should be_enabled } - its("runlevels(?-mix:4)") { should be_enabled } - its("runlevels(?-mix:5)") { should be_enabled } - its("runlevels(?-mix:6)") { should be_enabled } + describe service('ypbind') do + its('runlevels(?-mix:0)') { should be_enabled } + its('runlevels(?-mix:1)') { should be_enabled } + its('runlevels(?-mix:2)') { should be_enabled } + its('runlevels(?-mix:3)') { should be_enabled } + its('runlevels(?-mix:4)') { should be_enabled } + its('runlevels(?-mix:5)') { should be_enabled } + its('runlevels(?-mix:6)') { should be_enabled } end end end - diff --git a/controls/V-38605.rb b/controls/V-38605.rb index 95b3232..8a2fdfd 100644 --- a/controls/V-38605.rb +++ b/controls/V-38605.rb @@ -1,15 +1,15 @@ -control "V-38605" do - title "The cron service must be running." +control 'V-38605' do + title 'The cron service must be running.' desc "Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38605" - tag "rid": "SV-50406r2_rule" - tag "stig_id": "RHEL-06-000224" - tag "fix_id": "F-43553r2_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38605' + tag "rid": 'SV-50406r2_rule' + tag "stig_id": 'RHEL-06-000224' + tag "fix_id": 'F-43553r2_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
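Review bot: In the last hunk of controls/V-38604.rb the `describe service('ypbind')` branch asserts `should be_enabled` seven times, which is the opposite of the control's title, "The ypbind service must not be running". Inside `describe.one`, a host with ypbind installed and enabled in every runlevel therefore passes. The property strings `'runlevels(?-mix:0)'` also look like a stringified regex left by a generator rather than a real property name, which should be confirmed. The branch should state the requirement directly with `it { should_not be_enabled }` and `it { should_not be_running }`.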
@@ -39,31 +39,30 @@ # chkconfig crond on # service crond start" - describe package("cronie") do + describe package('cronie') do it { should be_installed } end describe.one do - describe service("crond").runlevels(/0/) do + describe service('crond').runlevels(/0/) do it { should be_enabled } end - describe service("crond").runlevels(/1/) do + describe service('crond').runlevels(/1/) do it { should be_enabled } end - describe service("crond").runlevels(/2/) do + describe service('crond').runlevels(/2/) do it { should be_enabled } end - describe service("crond").runlevels(/3/) do + describe service('crond').runlevels(/3/) do it { should be_enabled } end - describe service("crond").runlevels(/4/) do + describe service('crond').runlevels(/4/) do it { should be_enabled } end - describe service("crond").runlevels(/5/) do + describe service('crond').runlevels(/5/) do it { should be_enabled } end - describe service("crond").runlevels(/6/) do + describe service('crond').runlevels(/6/) do it { should be_enabled } end end end - diff --git a/controls/V-38606.rb b/controls/V-38606.rb index 567263d..8405b1b 100644 --- a/controls/V-38606.rb +++ b/controls/V-38606.rb 
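Review bot: In controls/V-38605.rb the seven `service('crond').runlevels(/N/)` blocks sit inside `describe.one`, so the control passes when crond is enabled in any single runlevel, including 0 or 6. Nothing in the hunk asserts that the daemon is actually running, although the title is "The cron service must be running". A single `describe service('crond')` block with `it { should be_enabled }` and `it { should be_running }` would state the requirement. If per-runlevel checks are kept, they should be limited to the multi-user runlevels and taken out of `describe.one`.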
@@ -1,15 +1,15 @@ -control "V-38606" do - title "The tftp-server package must not be installed unless required." +control 'V-38606' do + title 'The tftp-server package must not be installed unless required.' desc "Removing the \"tftp-server\" package decreases the risk of the accidental (or intentional) activation of tftp services." impact 0.5 - tag "gtitle": "SRG-OS-000095" - tag "gid": "V-38606" - tag "rid": "SV-50407r2_rule" - tag "stig_id": "RHEL-06-000222" - tag "fix_id": "F-43554r1_fix" - tag "cci": ["CCI-000381"] - tag "nist": ["CM-7 a", "Rev_4"] + tag "gtitle": 'SRG-OS-000095' + tag "gid": 'V-38606' + tag "rid": 'SV-50407r2_rule' + tag "stig_id": 'RHEL-06-000222' + tag "fix_id": 'F-43554r1_fix' + tag "cci": ['CCI-000381'] + tag "nist": ['CM-7 a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -32,8 +32,7 @@ # yum erase tftp-server" - describe package("tftp-server") do + describe package('tftp-server') do it { should_not be_installed } end end - diff --git a/controls/V-38607.rb b/controls/V-38607.rb index 29934c4..dbbd20d 100644 --- a/controls/V-38607.rb +++ b/controls/V-38607.rb 
@@ -1,15 +1,15 @@ -control "V-38607" do - title "The SSH daemon must be configured to use only the SSHv2 protocol." +control 'V-38607' do + title 'The SSH daemon must be configured to use only the SSHv2 protocol.' desc "SSH protocol version 1 suffers from design flaws that result in security vulnerabilities and should not be used." impact 0.7 - tag "gtitle": "SRG-OS-000112" - tag "gid": "V-38607" - tag "rid": "SV-50408r1_rule" - tag "stig_id": "RHEL-06-000227" - tag "fix_id": "F-43555r1_fix" - tag "cci": ["CCI-000774"] - tag "nist": ["IA-2 (8)", "Rev_4"] + tag "gtitle": 'SRG-OS-000112' + tag "gid": 'V-38607' + tag "rid": 'SV-50408r1_rule' + tag "stig_id": 'RHEL-06-000227' + tag "fix_id": 'F-43555r1_fix' + tag "cci": ['CCI-000774'] + tag "nist": ['IA-2 (8)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -41,4 +41,3 @@ its('Protocol') { should cmp 2 } end end - diff --git a/controls/V-38608.rb b/controls/V-38608.rb index 6471298..3b3d7d5 100644 --- a/controls/V-38608.rb +++ b/controls/V-38608.rb @@ -1,15 +1,15 @@ -control "V-38608" do - title "The SSH daemon must set a timeout interval on idle sessions." +control 'V-38608' do + title 'The SSH daemon must set a timeout interval on idle sessions.' desc "Causing idle users to be automatically logged out guards against compromises one system leading trivially to compromises on another." impact 0.3 - tag "gtitle": "SRG-OS-000163" - tag "gid": "V-38608" - tag "rid": "SV-50409r1_rule" - tag "stig_id": "RHEL-06-000230" - tag "fix_id": "F-43556r1_fix" - tag "cci": ["CCI-001133"] - tag "nist": ["SC-10", "Rev_4"] + tag "gtitle": 'SRG-OS-000163' + tag "gid": 'V-38608' + tag "rid": 'SV-50409r1_rule' + tag "stig_id": 'RHEL-06-000230' + tag "fix_id": 'F-43556r1_fix' + tag "cci": ['CCI-001133'] + tag "nist": ['SC-10', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -49,4 +49,3 @@ its('ClientAliveInterval') { should_not be_nil } end end - 
diff --git a/controls/V-38609.rb b/controls/V-38609.rb index 90fe1c7..d0bb86a 100644 --- a/controls/V-38609.rb +++ b/controls/V-38609.rb @@ -1,15 +1,15 @@ -control "V-38609" do - title "The TFTP service must not be running." +control 'V-38609' do + title 'The TFTP service must not be running.' desc "Disabling the \"tftp\" service ensures the system is not acting as a tftp server, which does not provide encryption or authentication." impact 0.5 - tag "gtitle": "SRG-OS-000248" - tag "gid": "V-38609" - tag "rid": "SV-50410r2_rule" - tag "stig_id": "RHEL-06-000223" - tag "fix_id": "F-43557r4_fix" - tag "cci": ["CCI-001436"] - tag "nist": ["AC-17 (8)", "Rev_4"] + tag "gtitle": 'SRG-OS-000248' + tag "gid": 'V-38609' + tag "rid": 'SV-50410r2_rule' + tag "stig_id": 'RHEL-06-000223' + tag "fix_id": 'F-43557r4_fix' + tag "cci": ['CCI-001436'] + tag "nist": ['AC-17 (8)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -45,4 +45,3 @@ it { should_not be_running } end end - diff --git a/controls/V-38610.rb b/controls/V-38610.rb index efe7009..8460c4e 100644 --- a/controls/V-38610.rb +++ b/controls/V-38610.rb @@ -1,15 +1,15 @@ -control "V-38610" do - title "The SSH daemon must set a timeout count on idle sessions." +control 'V-38610' do + title 'The SSH daemon must set a timeout count on idle sessions.' desc "This ensures a user login will be terminated as soon as the \"ClientAliveCountMax\" is reached." impact 0.3 - tag "gtitle": "SRG-OS-000126" - tag "gid": "V-38610" - tag "rid": "SV-50411r1_rule" - tag "stig_id": "RHEL-06-000231" - tag "fix_id": "F-43558r1_fix" - tag "cci": ["CCI-000879"] - tag "nist": ["MA-4 e", "Rev_4"] + tag "gtitle": 'SRG-OS-000126' + tag "gid": 'V-38610' + tag "rid": 'SV-50411r1_rule' + tag "stig_id": 'RHEL-06-000231' + tag "fix_id": 'F-43558r1_fix' + tag "cci": ['CCI-000879'] + tag "nist": ['MA-4 e', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -40,4 +40,3 @@ its('ClientAliveCountMax') { should cmp 0 } end end - diff --git a/controls/V-38611.rb b/controls/V-38611.rb index e778811..bd4b57d 100644 --- a/controls/V-38611.rb +++ b/controls/V-38611.rb @@ -1,15 +1,15 @@ -control "V-38611" do - title "The SSH daemon must ignore .rhosts files." +control 'V-38611' do + title 'The SSH daemon must ignore .rhosts files.' desc "SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts." impact 0.5 - tag "gtitle": "SRG-OS-000106" - tag "gid": "V-38611" - tag "rid": "SV-50412r1_rule" - tag "stig_id": "RHEL-06-000234" - tag "fix_id": "F-43559r1_fix" - tag "cci": ["CCI-000766"] - tag "nist": ["IA-2 (2)", "Rev_4"] + tag "gtitle": 'SRG-OS-000106' + tag "gid": 'V-38611' + tag "rid": 'SV-50412r1_rule' + tag "stig_id": 'RHEL-06-000234' + tag "fix_id": 'F-43559r1_fix' + tag "cci": ['CCI-000766'] + tag "nist": ['IA-2 (2)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -41,4 +41,3 @@ its('IgnoreRhosts') { should (eq 'yes').or be_nil } end end - diff --git a/controls/V-38612.rb b/controls/V-38612.rb index 6bea8b1..0bb74bc 100644 --- a/controls/V-38612.rb +++ b/controls/V-38612.rb 
@@ -1,15 +1,15 @@ -control "V-38612" do - title "The SSH daemon must not allow host-based authentication." +control 'V-38612' do + title 'The SSH daemon must not allow host-based authentication.' desc "SSH trust relationships mean a compromise on one host can allow an attacker to move trivially to other hosts." impact 0.5 - tag "gtitle": "SRG-OS-000106" - tag "gid": "V-38612" - tag "rid": "SV-50413r1_rule" - tag "stig_id": "RHEL-06-000236" - tag "fix_id": "F-43560r1_fix" - tag "cci": ["CCI-000766"] - tag "nist": ["IA-2 (2)", "Rev_4"] + tag "gtitle": 'SRG-OS-000106' + tag "gid": 'V-38612' + tag "rid": 'SV-50413r1_rule' + tag "stig_id": 'RHEL-06-000236' + tag "fix_id": 'F-43560r1_fix' + tag "cci": ['CCI-000766'] + tag "nist": ['IA-2 (2)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -42,4 +42,3 @@ its('HostbasedAuthentication') { should (eq 'no').or be_nil } end end - diff --git a/controls/V-38613.rb b/controls/V-38613.rb index 2ee428b..d376d06 100644 --- a/controls/V-38613.rb +++ b/controls/V-38613.rb @@ -1,17 +1,17 @@ -control "V-38613" do +control 'V-38613' do title "The system must not permit root logins using remote access programs such as ssh." desc "Permitting direct root login reduces auditable information about who ran privileged commands on the system and also allows direct attack attempts on root's password." impact 0.5 - tag "gtitle": "SRG-OS-000109" - tag "gid": "V-38613" - tag "rid": "SV-50414r1_rule" - tag "stig_id": "RHEL-06-000237" - tag "fix_id": "F-43561r1_fix" - tag "cci": ["CCI-000770"] - tag "nist": ["IA-2 (5)", "Rev_4"] + tag "gtitle": 'SRG-OS-000109' + tag "gid": 'V-38613' + tag "rid": 'SV-50414r1_rule' + tag "stig_id": 'RHEL-06-000237' + tag "fix_id": 'F-43561r1_fix' + tag "cci": ['CCI-000770'] + tag "nist": ['IA-2 (5)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -39,4 +39,3 @@ its('PermitRootLogin') { should eq 'no' } end end - 
diff --git a/controls/V-38614.rb b/controls/V-38614.rb index a2521cb..b072d69 100644 --- a/controls/V-38614.rb +++ b/controls/V-38614.rb @@ -1,16 +1,16 @@ -control "V-38614" do - title "The SSH daemon must not allow authentication using an empty password." +control 'V-38614' do + title 'The SSH daemon must not allow authentication using an empty password.' desc "Configuring this setting for the SSH daemon provides additional assurance that remote login via SSH will require a password, even in the event of misconfiguration elsewhere." impact 0.7 - tag "gtitle": "SRG-OS-000106" - tag "gid": "V-38614" - tag "rid": "SV-50415r1_rule" - tag "stig_id": "RHEL-06-000239" - tag "fix_id": "F-43562r1_fix" - tag "cci": ["CCI-000766"] - tag "nist": ["IA-2 (2)", "Rev_4"] + tag "gtitle": 'SRG-OS-000106' + tag "gid": 'V-38614' + tag "rid": 'SV-50415r1_rule' + tag "stig_id": 'RHEL-06-000239' + tag "fix_id": 'F-43562r1_fix' + tag "cci": ['CCI-000766'] + tag "nist": ['IA-2 (2)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -42,4 +42,3 @@ its('PermitEmptyPasswords') { should (eq 'no').or be_nil } end end - diff --git a/controls/V-38615.rb b/controls/V-38615.rb index 2c6c78c..d7a4841 100644 --- a/controls/V-38615.rb +++ b/controls/V-38615.rb @@ -1,4 +1,4 @@ -control "V-38615" do +control 'V-38615' do title "The SSH daemon must be configured with the Department of Defense (DoD) login banner." desc "The warning message reinforces policy awareness during the logon 
@@ -6,13 +6,13 @@ systems whose ownership should not be obvious should ensure usage of a banner that does not provide easy attribution." impact 0.5 - tag "gtitle": "SRG-OS-000023" - tag "gid": "V-38615" - tag "rid": "SV-50416r1_rule" - tag "stig_id": "RHEL-06-000240" - tag "fix_id": "F-43563r1_fix" - tag "cci": ["CCI-000048"] - tag "nist": ["AC-8 a", "Rev_4"] + tag "gtitle": 'SRG-OS-000023' + tag "gid": 'V-38615' + tag "rid": 'SV-50416r1_rule' + tag "stig_id": 'RHEL-06-000240' + tag "fix_id": 'F-43563r1_fix' + tag "cci": ['CCI-000048'] + tag "nist": ['AC-8 a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -42,4 +42,3 @@ its('Banner') { should eq '/etc/issue' } end end - diff --git a/controls/V-38616.rb b/controls/V-38616.rb index 7fcfdf4..5ce7d2c 100644 --- a/controls/V-38616.rb +++ b/controls/V-38616.rb @@ -1,15 +1,15 @@ -control "V-38616" do - title "The SSH daemon must not permit user environment settings." +control 'V-38616' do + title 'The SSH daemon must not permit user environment settings.' desc "SSH environment options potentially allow users to bypass access restriction in some configurations." impact 0.3 - tag "gtitle": "SRG-OS-000242" - tag "gid": "V-38616" - tag "rid": "SV-50417r1_rule" - tag "stig_id": "RHEL-06-000241" - tag "fix_id": "F-43565r1_fix" - tag "cci": ["CCI-001414"] - tag "nist": ["AC-4", "Rev_4"] + tag "gtitle": 'SRG-OS-000242' + tag "gid": 'V-38616' + tag "rid": 'SV-50417r1_rule' + tag "stig_id": 'RHEL-06-000241' + tag "fix_id": 'F-43565r1_fix' + tag "cci": ['CCI-001414'] + tag "nist": ['AC-4', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -40,4 +40,3 @@ its('PermitUserEnvironment') { should eq 'no' } end end - diff --git a/controls/V-38617.rb b/controls/V-38617.rb index 96ed57a..74d2471 100644 --- a/controls/V-38617.rb +++ b/controls/V-38617.rb 
@@ -1,16 +1,16 @@ -control "V-38617" do +control 'V-38617' do title "The SSH daemon must be configured to use only FIPS 140-2 approved ciphers." desc "Approved algorithms should impart some level of confidence in their implementation. These are also required for compliance." impact 0.5 - tag "gtitle": "SRG-OS-000169" - tag "gid": "V-38617" - tag "rid": "SV-50418r1_rule" - tag "stig_id": "RHEL-06-000243" - tag "fix_id": "F-43566r1_fix" - tag "cci": ["CCI-001144"] - tag "nist": ["SC-13", "Rev_4"] + tag "gtitle": 'SRG-OS-000169' + tag "gid": 'V-38617' + tag "rid": 'SV-50418r1_rule' + tag "stig_id": 'RHEL-06-000243' + tag "fix_id": 'F-43566r1_fix' + tag "cci": ['CCI-001144'] + tag "nist": ['SC-13', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -43,11 +43,10 @@ end ciphers = sshd_config.params['ciphers'] - if !ciphers.nil? + unless ciphers.nil? describe 'sshd_config Ciphers' do subject { sshd_config.params['ciphers'].join(',').split(',') } - it { should all match %r{aes|3des} } + it { should all match /aes|3des/ } end end end - diff --git a/controls/V-38618.rb b/controls/V-38618.rb index a8205d7..d24d285 100644 --- a/controls/V-38618.rb +++ b/controls/V-38618.rb 
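Review bot: In the `sshd_config Ciphers` block of controls/V-38617.rb, `/aes|3des/` is an unanchored substring match, so any configured cipher whose name merely contains `aes` or `3des` satisfies the control, whether or not it is on the approved list. An anchored allow-list states the requirement exactly, e.g. `it { should all(match(/\A(aes(128|192|256)-(ctr|cbc)|3des-cbc)\z/)) }`; the exact set should be taken from the control's check text, which is outside this hunk. Separately, `should all match /aes|3des/` passes a regexp literal as an unparenthesised argument, which Ruby warns about as ambiguous; `match(/…/)` avoids that, and the same applies to `should match /cron\.daily/` in controls/V-38624.rb. The `unless ciphers.nil?` guard also means a missing `Ciphers` line adds no test here, and whether that case is covered earlier in the control cannot be seen from the hunk.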
@@ -1,16 +1,16 @@ -control "V-38618" do - title "The avahi service must be disabled." +control 'V-38618' do + title 'The avahi service must be disabled.' desc "Because the Avahi daemon service keeps an open network port, it is subject to network attacks. Its functionality is convenient but is only appropriate if the local network can be trusted." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38618" - tag "rid": "SV-50419r2_rule" - tag "stig_id": "RHEL-06-000246" - tag "fix_id": "F-43567r2_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38618' + tag "rid": 'SV-50419r2_rule' + tag "stig_id": 'RHEL-06-000246' + tag "fix_id": 'F-43567r2_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -50,26 +50,25 @@ # chkconfig avahi-daemon off # service avahi-daemon stop" - describe service("avahi-daemon").runlevels(/0/) do + describe service('avahi-daemon').runlevels(/0/) do it { should_not be_enabled } end - describe service("avahi-daemon").runlevels(/1/) do + describe service('avahi-daemon').runlevels(/1/) do it { should_not be_enabled } end - describe service("avahi-daemon").runlevels(/2/) do + describe service('avahi-daemon').runlevels(/2/) do it { should_not be_enabled } end - describe service("avahi-daemon").runlevels(/3/) do + describe service('avahi-daemon').runlevels(/3/) do it { should_not be_enabled } end - describe service("avahi-daemon").runlevels(/4/) do + describe service('avahi-daemon').runlevels(/4/) do it { should_not be_enabled } end - describe service("avahi-daemon").runlevels(/5/) do + describe service('avahi-daemon').runlevels(/5/) do it { should_not be_enabled } end - describe service("avahi-daemon").runlevels(/6/) do + describe service('avahi-daemon').runlevels(/6/) do it { should_not be_enabled } end end - 
diff --git a/controls/V-38619.rb b/controls/V-38619.rb index ae625b2..79c4b4f 100644 --- a/controls/V-38619.rb +++ b/controls/V-38619.rb @@ -1,16 +1,16 @@ -control "V-38619" do - title "There must be no .netrc files on the system." +control 'V-38619' do + title 'There must be no .netrc files on the system.' desc "Unencrypted passwords for remote FTP servers may be stored in \".netrc\" files. DoD policy requires passwords be encrypted in storage and not used in access scripts." impact 0.5 - tag "gtitle": "SRG-OS-000073" - tag "gid": "V-38619" - tag "rid": "SV-50420r2_rule" - tag "stig_id": "RHEL-06-000347" - tag "fix_id": "F-43569r2_fix" - tag "cci": ["CCI-000196"] - tag "nist": ["IA-5 (1) (c)", "Rev_4"] + tag "gtitle": 'SRG-OS-000073' + tag "gid": 'V-38619' + tag "rid": 'SV-50420r2_rule' + tag "stig_id": 'RHEL-06-000347' + tag "fix_id": 'F-43569r2_fix' + tag "cci": ['CCI-000196'] + tag "nist": ['IA-5 (1) (c)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -37,4 +37,3 @@ its('stdout') { should be_empty } end end - diff --git a/controls/V-38620.rb b/controls/V-38620.rb index 250f4f7..cb3743f 100644 --- a/controls/V-38620.rb +++ b/controls/V-38620.rb @@ -1,5 +1,5 @@ -control "V-38620" do - title "The system clock must be synchronized continuously, or at least daily." +control 'V-38620' do + title 'The system clock must be synchronized continuously, or at least daily.' desc "Enabling the \"ntpd\" service ensures that the \"ntpd\" service will be running and that the system will synchronize its time to any servers specified. This is important whether the system is configured to be a client 
@@ -8,13 +8,13 @@ as Kerberos, but it is also important for maintaining accurate logs and auditing possible security breaches." impact 0.5 - tag "gtitle": "SRG-OS-000056" - tag "gid": "V-38620" - tag "rid": "SV-50421r1_rule" - tag "stig_id": "RHEL-06-000247" - tag "fix_id": "F-43568r1_fix" - tag "cci": ["CCI-000160"] - tag "nist": ["AU-8 (1)", "Rev_4"] + tag "gtitle": 'SRG-OS-000056' + tag "gid": 'V-38620' + tag "rid": 'SV-50421r1_rule' + tag "stig_id": 'RHEL-06-000247' + tag "fix_id": 'F-43568r1_fix' + tag "cci": ['CCI-000160'] + tag "nist": ['AU-8 (1)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -41,31 +41,30 @@ # chkconfig ntpd on # service ntpd start" - describe package("ntp") do + describe package('ntp') do it { should be_installed } end describe.one do - describe service("ntpd").runlevels(/0/) do + describe service('ntpd').runlevels(/0/) do it { should be_enabled } end - describe service("ntpd").runlevels(/1/) do + describe service('ntpd').runlevels(/1/) do it { should be_enabled } end - describe service("ntpd").runlevels(/2/) do + describe service('ntpd').runlevels(/2/) do it { should be_enabled } end - describe service("ntpd").runlevels(/3/) do + describe service('ntpd').runlevels(/3/) do it { should be_enabled } end - describe service("ntpd").runlevels(/4/) do + describe service('ntpd').runlevels(/4/) do it { should be_enabled } end - describe service("ntpd").runlevels(/5/) do + describe service('ntpd').runlevels(/5/) do it { should be_enabled } end - describe service("ntpd").runlevels(/6/) do + describe service('ntpd').runlevels(/6/) do it { should be_enabled } end end end - diff --git a/controls/V-38621.rb b/controls/V-38621.rb index 5d12db5..1c00dff 100644 --- a/controls/V-38621.rb +++ b/controls/V-38621.rb 
@@ -1,17 +1,17 @@ -control "V-38621" do +control 'V-38621' do title "The system clock must be synchronized to an authoritative DoD time source." desc "Synchronizing with an NTP server makes it possible to collate system logs from multiple sources or correlate computer events with real time events. Using a trusted NTP server provided by your organization is recommended." impact 0.5 - tag "gtitle": "SRG-OS-000056" - tag "gid": "V-38621" - tag "rid": "SV-50422r1_rule" - tag "stig_id": "RHEL-06-000248" - tag "fix_id": "F-43570r1_fix" - tag "cci": ["CCI-000160"] - tag "nist": ["AU-8 (1)", "Rev_4"] + tag "gtitle": 'SRG-OS-000056' + tag "gid": 'V-38621' + tag "rid": 'SV-50422r1_rule' + tag "stig_id": 'RHEL-06-000248' + tag "fix_id": 'F-43570r1_fix' + tag "cci": ['CCI-000160'] + tag "nist": ['AU-8 (1)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -43,8 +43,7 @@ This instructs the NTP software to contact that remote server to obtain time data." - describe file("/etc/ntp.conf") do - its("content") { should match(/^[\s]*server[\s]+.+$/) } + describe file('/etc/ntp.conf') do + its('content') { should match(/^[\s]*server[\s]+.+$/) } end end - diff --git a/controls/V-38622.rb b/controls/V-38622.rb index 550be95..ff714a0 100644 --- a/controls/V-38622.rb +++ b/controls/V-38622.rb 
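Review bot: The check `should match(/^[\s]*server[\s]+.+$/)` on `/etc/ntp.conf` passes for any `server` line, so a host pointed at a public pool or an arbitrary address satisfies a control whose title requires an authoritative DoD time source. At minimum the limitation should be stated above the `describe`, e.g. `# NOTE: only proves a server line exists; does not verify the source is authoritative`. A stronger check would compare each configured server against an organization-supplied list passed in as a profile attribute. The control body starts outside this hunk, so confirm no such comparison already exists above.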
@@ -1,16 +1,16 @@ -control "V-38622" do - title "Mail relaying must be restricted." +control 'V-38622' do + title 'Mail relaying must be restricted.' desc "This ensures \"postfix\" accepts mail messages (such as cron job reports) from the local system only, and not from the network, which protects it from network attack." impact 0.5 - tag "gtitle": "SRG-OS-000096" - tag "gid": "V-38622" - tag "rid": "SV-50423r2_rule" - tag "stig_id": "RHEL-06-000249" - tag "fix_id": "F-43572r1_fix" - tag "cci": ["CCI-000382"] - tag "nist": ["CM-7 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000096' + tag "gid": 'V-38622' + tag "rid": 'SV-50423r2_rule' + tag "stig_id": 'RHEL-06-000249' + tag "fix_id": 'F-43572r1_fix' + tag "cci": ['CCI-000382'] + tag "nist": ['CM-7 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -36,8 +36,7 @@ inet_interfaces = localhost" - describe file("/etc/postfix/main.cf") do - its("content") { should match(/^[\s]*inet_interfaces[\s]*=[\s]*localhost[\s]*$/) } + describe file('/etc/postfix/main.cf') do + its('content') { should match(/^[\s]*inet_interfaces[\s]*=[\s]*localhost[\s]*$/) } end end - diff --git a/controls/V-38623.rb b/controls/V-38623.rb index 01f2072..a17f5a4 100644 --- a/controls/V-38623.rb +++ b/controls/V-38623.rb 
@@ -1,17 +1,17 @@ -control "V-38623" do +control 'V-38623' do title "All rsyslog-generated log files must have mode 0600 or less permissive." desc "Log files can contain valuable information regarding system configuration. If the system log files are not protected, unauthorized users could change the logged data, eliminating their forensic value." impact 0.5 - tag "gtitle": "SRG-OS-000206" - tag "gid": "V-38623" - tag "rid": "SV-50424r2_rule" - tag "stig_id": "RHEL-06-000135" - tag "fix_id": "F-43571r1_fix" - tag "cci": ["CCI-001314"] - tag "nist": ["SI-11 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000206' + tag "gid": 'V-38623' + tag "rid": 'SV-50424r2_rule' + tag "stig_id": 'RHEL-06-000135' + tag "fix_id": 'F-43571r1_fix' + tag "cci": ['CCI-001314'] + tag "nist": ['SI-11 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -53,24 +53,25 @@ # strip comments, empty lines, and lines which start with $ in order to get rules rules = file('/etc/rsyslog.conf').content.lines.map do |l| pound_index = l.index('#') - l = l.slice(0, pound_index) if !pound_index.nil? + l = l.slice(0, pound_index) unless pound_index.nil? l.strip - end.reject { |l| l.empty? or l.start_with? '$' } + end.reject { |l| l.empty? || l.start_with?('$') } paths = rules.map do |r| - filter, action = r.split(%r{\s+}) - next if !(action.start_with? '-/' or action.start_with? '/') + _filter, action = r.split(/\s+/) + next unless action.start_with? '-/', '/' + action.sub(%r{^-/}, '/') - end.reject { |path| path.nil? } + end.reject(&:nil?) if paths.empty? - describe "rsyslog log files" do + describe 'rsyslog log files' do subject { paths } it { should be_empty } end else paths.each do |path| - describe file(path) do + describe file(path) do it { should_not be_executable } it { should_not be_readable.by('group') } it { should_not be_writable.by('group') } @@ -80,4 +81,3 @@ end end end - diff --git a/controls/V-38624.rb b/controls/V-38624.rb index 48dcf41..cf6a22f 100644 
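Review bot: In controls/V-38623.rb, `_filter, action = r.split(/\s+/)` leaves `action` as nil for any rule line that has a single token, and the next line then calls `action.start_with?` on nil, which aborts the whole control with a NoMethodError instead of reporting a result. Guard it with `next unless action && action.start_with?('-/', '/')`; the later `.reject(&:nil?)` already drops the skipped entries. An action carrying a `;template` suffix would also reach `file(path)` unchanged, and it is worth confirming that the negative permission matchers do not pass vacuously for a path that does not exist. The rest of the per-file checks continue outside this hunk.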
--- a/controls/V-38624.rb +++ b/controls/V-38624.rb @@ -1,16 +1,16 @@ -control "V-38624" do - title "System logs must be rotated daily." +control 'V-38624' do + title 'System logs must be rotated daily.' desc "Log files that are not properly rotated run the risk of growing so large that they fill up the /var/log partition. Valuable logging information could be lost if the /var/log partition becomes full." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38624" - tag "rid": "SV-50425r1_rule" - tag "stig_id": "RHEL-06-000138" - tag "fix_id": "F-43573r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38624' + tag "rid": 'SV-50425r1_rule' + tag "stig_id": 'RHEL-06-000138' + tag "fix_id": 'F-43573r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -33,9 +33,8 @@ # yum reinstall logrotate" - # TODO is this too specific? - describe bash("grep logrotate /var/log/cron*") do - its('stdout.strip') { should match %r{cron\.daily} } + # TODO: is this too specific? + describe bash('grep logrotate /var/log/cron*') do + its('stdout.strip') { should match /cron\.daily/ } end end - diff --git a/controls/V-38627.rb b/controls/V-38627.rb index 9f4f714..127b28e 100644 --- a/controls/V-38627.rb +++ b/controls/V-38627.rb 
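Review bot: `grep logrotate /var/log/cron*` in controls/V-38624.rb tests for past log evidence rather than configuration, so the result depends on what the cron logs currently hold. A freshly built host, or one whose cron logs were just rotated, can fail while correctly configured, which is the doubt the existing TODO already hints at. Consider also asserting the configuration itself, e.g. `describe(file('/etc/cron.daily/logrotate')) { it { should exist } }`. That path is assumed from the stock package layout and should be confirmed against the control's fix text, which is outside this hunk.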
@@ -1,15 +1,15 @@ -control "V-38627" do - title "The openldap-servers package must not be installed unless required." +control 'V-38627' do + title 'The openldap-servers package must not be installed unless required.' desc "Unnecessary packages should not be installed to decrease the attack surface of the system." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38627" - tag "rid": "SV-50428r2_rule" - tag "stig_id": "RHEL-06-000256" - tag "fix_id": "F-43577r2_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38627' + tag "rid": 'SV-50428r2_rule' + tag "stig_id": 'RHEL-06-000256' + tag "fix_id": 'F-43577r2_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -40,8 +40,7 @@ authentication. If the system is not intended for use as an LDAP Server it should be removed." - describe package("openldap-servers") do + describe package('openldap-servers') do it { should_not be_installed } end end - diff --git a/controls/V-38628.rb b/controls/V-38628.rb index 8f3a1ca..29287fc 100644 --- a/controls/V-38628.rb +++ b/controls/V-38628.rb @@ -1,4 +1,4 @@ -control "V-38628" do +control 'V-38628' do title "The operating system must produce audit records containing sufficient information to establish the identity of any user/subject associated with the event." 
@@ -6,13 +6,13 @@ generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist." impact 0.5 - tag "gtitle": "SRG-OS-000255" - tag "gid": "V-38628" - tag "rid": "SV-50429r2_rule" - tag "stig_id": "RHEL-06-000145" - tag "fix_id": "F-43576r2_fix" - tag "cci": ["CCI-001487"] - tag "nist": ["AU-3", "Rev_4"] + tag "gtitle": 'SRG-OS-000255' + tag "gid": 'V-38628' + tag "rid": 'SV-50429r2_rule' + tag "stig_id": 'RHEL-06-000145' + tag "fix_id": 'F-43576r2_fix' + tag "cci": ['CCI-001487'] + tag "nist": ['AU-3', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -46,4 +46,3 @@ it { should be_running } end end - diff --git a/controls/V-38629.rb b/controls/V-38629.rb index 1d155ba..997d95a 100644 --- a/controls/V-38629.rb +++ b/controls/V-38629.rb @@ -1,16 +1,16 @@ -control "V-38629" do +control 'V-38629' do title "The graphical desktop environment must set the idle timeout to no more than 15 minutes." desc "Setting the idle delay controls when the screensaver will start, and can be combined with screen locking to prevent access from passersby." impact 0.5 - tag "gtitle": "SRG-OS-000029" - tag "gid": "V-38629" - tag "rid": "SV-50430r3_rule" - tag "stig_id": "RHEL-06-000257" - tag "fix_id": "F-43578r1_fix" - tag "cci": ["CCI-000057"] - tag "nist": ["AC-11 a", "Rev_4"] + tag "gtitle": 'SRG-OS-000029' + tag "gid": 'V-38629' + tag "rid": 'SV-50430r3_rule' + tag "stig_id": 'RHEL-06-000257' + tag "fix_id": 'F-43578r1_fix' + tag "cci": ['CCI-000057'] + tag "nist": ['AC-11 a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -42,14 +42,13 @@ --set /apps/gnome-screensaver/idle_delay 15" if package('GConf2').installed? - describe command("gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_delay") do + describe command('gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_delay') do its('stdout.strip') { should cmp <= 15 } end else impact 0.0 - describe "Package GConf2 not installed" do - skip "Package GConf2 not installed, this control Not Applicable" + describe 'Package GConf2 not installed' do + skip 'Package GConf2 not installed, this control Not Applicable' end end end - diff --git a/controls/V-38630.rb b/controls/V-38630.rb index cf06a15..8311372 100644 --- a/controls/V-38630.rb +++ b/controls/V-38630.rb @@ -1,4 +1,4 @@ -control "V-38630" do +control 'V-38630' do title "The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment." @@ -8,13 +8,13 @@ login session does not have administrator rights and the display station is located in a controlled-access area." impact 0.5 - tag "gtitle": "SRG-OS-000029" - tag "gid": "V-38630" - tag "rid": "SV-50431r3_rule" - tag "stig_id": "RHEL-06-000258" - tag "fix_id": "F-43579r1_fix" - tag "cci": ["CCI-000057"] - tag "nist": ["AC-11 a", "Rev_4"] + tag "gtitle": 'SRG-OS-000029' + tag "gid": 'V-38630' + tag "rid": 'SV-50431r3_rule' + tag "stig_id": 'RHEL-06-000258' + tag "fix_id": 'F-43579r1_fix' + tag "cci": ['CCI-000057'] + tag "nist": ['AC-11 a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -45,14 +45,13 @@ --set /apps/gnome-screensaver/idle_activation_enabled true" if package('GConf2').installed? - describe command("gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_activation_enabled") do + describe command('gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/idle_activation_enabled') do its('stdout.strip') { should eq 'true' } end else impact 0.0 - describe "Package GConf2 not installed" do - skip "Package GConf2 not installed, this control Not Applicable" + describe 'Package GConf2 not installed' do + skip 'Package GConf2 not installed, this control Not Applicable' end end end - diff --git a/controls/V-38631.rb b/controls/V-38631.rb index 2a788e8..0f5cdc2 100644 --- a/controls/V-38631.rb +++ b/controls/V-38631.rb @@ -1,17 +1,17 @@ -control "V-38631" do +control 'V-38631' do title "The operating system must employ automated mechanisms to facilitate the monitoring and control of remote access methods." desc "Ensuring the \"auditd\" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist." impact 0.5 - tag "gtitle": "SRG-OS-000032" - tag "gid": "V-38631" - tag "rid": "SV-50432r2_rule" - tag "stig_id": "RHEL-06-000148" - tag "fix_id": "F-43580r2_fix" - tag "cci": ["CCI-000067"] - tag "nist": ["AC-17 (1)", "Rev_4"] + tag "gtitle": 'SRG-OS-000032' + tag "gid": 'V-38631' + tag "rid": 'SV-50432r2_rule' + tag "stig_id": 'RHEL-06-000148' + tag "fix_id": 'F-43580r2_fix' + tag "cci": ['CCI-000067'] + tag "nist": ['AC-17 (1)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -45,4 +45,3 @@ it { should be_running } end end - diff --git a/controls/V-38632.rb b/controls/V-38632.rb index d28b9bb..b7e7b22 100644 --- a/controls/V-38632.rb +++ b/controls/V-38632.rb 
@@ -1,17 +1,17 @@ -control "V-38632" do +control 'V-38632' do title "The operating system must produce audit records containing sufficient information to establish what type of events occurred." desc "Ensuring the \"auditd\" service is active ensures audit records generated by the kernel can be written to disk, or that appropriate actions will be taken if other obstacles exist." impact 0.5 - tag "gtitle": "SRG-OS-000037" - tag "gid": "V-38632" - tag "rid": "SV-50433r2_rule" - tag "stig_id": "RHEL-06-000154" - tag "fix_id": "F-43581r2_fix" - tag "cci": ["CCI-000130"] - tag "nist": ["AU-3", "Rev_4"] + tag "gtitle": 'SRG-OS-000037' + tag "gid": 'V-38632' + tag "rid": 'SV-50433r2_rule' + tag "stig_id": 'RHEL-06-000154' + tag "fix_id": 'F-43581r2_fix' + tag "cci": ['CCI-000130'] + tag "nist": ['AU-3', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -45,4 +45,3 @@ it { should be_running } end end - diff --git a/controls/V-38633.rb b/controls/V-38633.rb index 4fccad5..0ab7dc5 100644 --- a/controls/V-38633.rb +++ b/controls/V-38633.rb @@ -1,16 +1,16 @@ -control "V-38633" do - title "The system must set a maximum audit log file size." +control 'V-38633' do + title 'The system must set a maximum audit log file size.' desc "The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38633" - tag "rid": "SV-50434r1_rule" - tag "stig_id": "RHEL-06-000160" - tag "fix_id": "F-43582r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38633' + tag "rid": 'SV-50434r1_rule' + tag "stig_id": 'RHEL-06-000160' + tag "fix_id": 'F-43582r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -39,13 +39,12 @@ Set the value to \"6\" (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data." - describe file("/etc/audit/auditd.conf") do - its("content") { should match(/^max_log_file\s*=\s*(\d+)\s*$/) } + describe file('/etc/audit/auditd.conf') do + its('content') { should match(/^max_log_file\s*=\s*(\d+)\s*$/) } end - file("/etc/audit/auditd.conf").content.to_s.scan(/^max_log_file\s*=\s*(\d+)\s*$/).flatten.each do |entry| + file('/etc/audit/auditd.conf').content.to_s.scan(/^max_log_file\s*=\s*(\d+)\s*$/).flatten.each do |entry| describe entry do it { should cmp >= 6 } end end end - diff --git a/controls/V-38634.rb b/controls/V-38634.rb index 11b95d3..5ecd125 100644 --- a/controls/V-38634.rb +++ b/controls/V-38634.rb @@ -1,4 +1,4 @@ -control "V-38634" do +control 'V-38634' do title "The system must rotate audit log files that reach the maximum file size." desc "Automatically rotating logs (by setting this to \"rotate\") minimizes @@ -7,13 +7,13 @@ data, or which use external processes to transfer it and reclaim space, \"keep_logs\" can be employed." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38634" - tag "rid": "SV-50435r2_rule" - tag "stig_id": "RHEL-06-000161" - tag "fix_id": "F-43583r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38634' + tag "rid": 'SV-50435r2_rule' + tag "stig_id": 'RHEL-06-000161' + tag "fix_id": 'F-43583r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -57,7 +57,6 @@ default. The setting is case-insensitive." describe parse_config_file('/etc/audit/auditd.conf') do - its('max_log_file_action.downcase') { should be_in ['rotate', 'keep_logs'] } + its('max_log_file_action.downcase') { should be_in %w[rotate keep_logs] } end end - 
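Review bot: The `max_log_file` check in controls/V-38633.rb reads `/etc/audit/auditd.conf` twice and builds one `describe` per regex capture, so the report shows a bare number as the subject instead of the file and setting under test. controls/V-38634.rb in this same commit already reads that file through `parse_config_file`, and the same resource would work here: `describe parse_config_file('/etc/audit/auditd.conf') do` with `its('max_log_file.to_i') { should cmp >= 6 }`. A missing key would then evaluate to 0 and fail, so the separate presence check is no longer needed. controls/V-38636.rb has the same shape for `num_logs`, and the control body starts above the hunk.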
diff --git a/controls/V-38636.rb b/controls/V-38636.rb index a9d9558..61143a4 100644 --- a/controls/V-38636.rb +++ b/controls/V-38636.rb @@ -1,17 +1,17 @@ -control "V-38636" do +control 'V-38636' do title "The system must retain enough rotated audit logs to cover the required log retention period." desc "The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38636" - tag "rid": "SV-50437r1_rule" - tag "stig_id": "RHEL-06-000159" - tag "fix_id": "F-43585r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38636' + tag "rid": 'SV-50437r1_rule' + tag "stig_id": 'RHEL-06-000159' + tag "fix_id": 'F-43585r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -40,13 +40,12 @@ Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation." - describe file("/etc/audit/auditd.conf") do - its("content") { should match(/^num_logs\s*=\s*(\d+)\s*$/) } + describe file('/etc/audit/auditd.conf') do + its('content') { should match(/^num_logs\s*=\s*(\d+)\s*$/) } end - file("/etc/audit/auditd.conf").content.to_s.scan(/^num_logs\s*=\s*(\d+)\s*$/).flatten.each do |entry| + file('/etc/audit/auditd.conf').content.to_s.scan(/^num_logs\s*=\s*(\d+)\s*$/).flatten.each do |entry| describe entry do it { should cmp >= 5 } end end end - diff --git a/controls/V-38637.rb b/controls/V-38637.rb index d8d903d..6ee9f33 100644 --- a/controls/V-38637.rb +++ b/controls/V-38637.rb 
@@ -1,17 +1,17 @@ -control "V-38637" do +control 'V-38637' do title "The system package management tool must verify contents of all files associated with the audit package." desc "The hash on important files like audit system executables should match the information given by the RPM database. Audit executables with erroneous hashes could be a sign of nefarious activity on the system." impact 0.5 - tag "gtitle": "SRG-OS-000278" - tag "gid": "V-38637" - tag "rid": "SV-50438r2_rule" - tag "stig_id": "RHEL-06-000281" - tag "fix_id": "F-43586r1_fix" - tag "cci": ["CCI-001496"] - tag "nist": ["AU-9 (3)", "Rev_4"] + tag "gtitle": 'SRG-OS-000278' + tag "gid": 'V-38637' + tag "rid": 'SV-50438r2_rule' + tag "stig_id": 'RHEL-06-000281' + tag "fix_id": 'F-43586r1_fix' + tag "cci": ['CCI-001496'] + tag "nist": ['AU-9 (3)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -49,4 +49,3 @@ its('stdout.strip') { should be_empty } end end - diff --git a/controls/V-38638.rb b/controls/V-38638.rb index 5fcce02..1259890 100644 --- a/controls/V-38638.rb +++ b/controls/V-38638.rb 
@@ -1,16 +1,16 @@ -control "V-38638" do - title "The graphical desktop environment must have automatic lock enabled." +control 'V-38638' do + title 'The graphical desktop environment must have automatic lock enabled.' desc "Enabling the activation of the screen lock after an idle period ensures password entry will be required in order to access the system, preventing access by passersby." impact 0.5 - tag "gtitle": "SRG-OS-000029" - tag "gid": "V-38638" - tag "rid": "SV-50439r3_rule" - tag "stig_id": "RHEL-06-000259" - tag "fix_id": "F-43587r1_fix" - tag "cci": ["CCI-000057"] - tag "nist": ["AC-11 a", "Rev_4"] + tag "gtitle": 'SRG-OS-000029' + tag "gid": 'V-38638' + tag "rid": 'SV-50439r3_rule' + tag "stig_id": 'RHEL-06-000259' + tag "fix_id": 'F-43587r1_fix' + tag "cci": ['CCI-000057'] + tag "nist": ['AC-11 a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -41,14 +41,13 @@ --set /apps/gnome-screensaver/lock_enabled true" if package('GConf2').installed? - describe command("gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/lock_enabled") do + describe command('gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/lock_enabled') do its('stdout.strip') { should eq 'true' } end else impact 0.0 - describe "Package GConf2 not installed" do - skip "Package GConf2 not installed, this control Not Applicable" + describe 'Package GConf2 not installed' do + skip 'Package GConf2 not installed, this control Not Applicable' end end end - diff --git a/controls/V-38639.rb b/controls/V-38639.rb index f906af1..92a678b 100644 --- a/controls/V-38639.rb +++ b/controls/V-38639.rb 
@@ -1,16 +1,16 @@ -control "V-38639" do +control 'V-38639' do title "The system must display a publicly-viewable pattern during a graphical desktop environment session lock." desc "Setting the screensaver mode to blank-only conceals the contents of the display from passersby." impact 0.3 - tag "gtitle": "SRG-OS-000031" - tag "gid": "V-38639" - tag "rid": "SV-50440r3_rule" - tag "stig_id": "RHEL-06-000260" - tag "fix_id": "F-43588r2_fix" - tag "cci": ["CCI-000060"] - tag "nist": ["AC-11 (1)", "Rev_4"] + tag "gtitle": 'SRG-OS-000031' + tag "gid": 'V-38639' + tag "rid": 'SV-50440r3_rule' + tag "stig_id": 'RHEL-06-000260' + tag "fix_id": 'F-43588r2_fix' + tag "cci": ['CCI-000060'] + tag "nist": ['AC-11 (1)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -40,14 +40,13 @@ --set /apps/gnome-screensaver/mode blank-only" if package('GConf2').installed? - describe command("gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode") do + describe command('gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gnome-screensaver/mode') do its('stdout.strip') { should eq 'blank-only' } end else impact 0.0 - describe "Package GConf2 not installed" do - skip "Package GConf2 not installed, this control Not Applicable" + describe 'Package GConf2 not installed' do + skip 'Package GConf2 not installed, this control Not Applicable' end end end - diff --git a/controls/V-38640.rb b/controls/V-38640.rb index 75608e9..6ab93df 100644 --- a/controls/V-38640.rb +++ b/controls/V-38640.rb 
@@ -1,16 +1,16 @@ -control "V-38640" do - title "The Automatic Bug Reporting Tool (abrtd) service must not be running." +control 'V-38640' do + title 'The Automatic Bug Reporting Tool (abrtd) service must not be running.' desc "Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the local machine, as well as sensitive information from within a process's address space or registers." impact 0.3 - tag "gtitle": "SRG-OS-000096" - tag "gid": "V-38640" - tag "rid": "SV-50441r2_rule" - tag "stig_id": "RHEL-06-000261" - tag "fix_id": "F-43589r2_fix" - tag "cci": ["CCI-000382"] - tag "nist": ["CM-7 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000096' + tag "gid": 'V-38640' + tag "rid": 'SV-50441r2_rule' + tag "stig_id": 'RHEL-06-000261' + tag "fix_id": 'F-43589r2_fix' + tag "cci": ['CCI-000382'] + tag "nist": ['CM-7 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -54,18 +54,17 @@ # service abrtd stop" describe.one do - describe package("abrt") do + describe package('abrt') do it { should_not be_installed } end - describe service("abrtd") do - its("runlevels(?-mix:0)") { should be_enabled } - its("runlevels(?-mix:1)") { should be_enabled } - its("runlevels(?-mix:2)") { should be_enabled } - its("runlevels(?-mix:3)") { should be_enabled } - its("runlevels(?-mix:4)") { should be_enabled } - its("runlevels(?-mix:5)") { should be_enabled } - its("runlevels(?-mix:6)") { should be_enabled } + describe service('abrtd') do + its('runlevels(?-mix:0)') { should be_enabled } + its('runlevels(?-mix:1)') { should be_enabled } + its('runlevels(?-mix:2)') { should be_enabled } + its('runlevels(?-mix:3)') { should be_enabled } + its('runlevels(?-mix:4)') { should be_enabled } + its('runlevels(?-mix:5)') { should be_enabled } + its('runlevels(?-mix:6)') { should be_enabled } end end end - diff --git a/controls/V-38641.rb b/controls/V-38641.rb index a8f6ff7..6eb24f0 100644 --- a/controls/V-38641.rb 
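Review bot: The `service('abrtd')` block in the second hunk of controls/V-38640.rb asserts `should be_enabled` for every runlevel, while the control's title requires that abrtd not be running, so the expectation looks inverted for a check that sits inside `describe.one`. The property string `'runlevels(?-mix:0)'` also looks like a stringified Regexp rather than a callable property, so these seven examples may not evaluate as intended; this should be confirmed against the InSpec version in use. I would replace them with `it { should_not be_enabled }` and `it { should_not be_running }`. The same block appears in V-38641 (atd), V-38644 (ntpdate), V-38646 (oddjobd), V-38648 (qpidd) and V-38650 (rdisc). The control body starts above the hunk.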
+++ b/controls/V-38641.rb @@ -1,17 +1,17 @@ -control "V-38641" do - title "The atd service must be disabled." +control 'V-38641' do + title 'The atd service must be disabled.' desc "The \"atd\" service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with \"at\" or \"batch\" is not common." impact 0.3 - tag "gtitle": "SRG-OS-000096" - tag "gid": "V-38641" - tag "rid": "SV-50442r3_rule" - tag "stig_id": "RHEL-06-000262" - tag "fix_id": "F-43590r2_fix" - tag "cci": ["CCI-000382"] - tag "nist": ["CM-7 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000096' + tag "gid": 'V-38641' + tag "rid": 'SV-50442r3_rule' + tag "stig_id": 'RHEL-06-000262' + tag "fix_id": 'F-43590r2_fix' + tag "cci": ['CCI-000382'] + tag "nist": ['CM-7 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -58,18 +58,17 @@ # service atd stop" describe.one do - describe package("at") do + describe package('at') do it { should_not be_installed } end - describe service("atd") do - its("runlevels(?-mix:0)") { should be_enabled } - its("runlevels(?-mix:1)") { should be_enabled } - its("runlevels(?-mix:2)") { should be_enabled } - its("runlevels(?-mix:3)") { should be_enabled } - its("runlevels(?-mix:4)") { should be_enabled } - its("runlevels(?-mix:5)") { should be_enabled } - its("runlevels(?-mix:6)") { should be_enabled } + describe service('atd') do + its('runlevels(?-mix:0)') { should be_enabled } + its('runlevels(?-mix:1)') { should be_enabled } + its('runlevels(?-mix:2)') { should be_enabled } + its('runlevels(?-mix:3)') { should be_enabled } + its('runlevels(?-mix:4)') { should be_enabled } + its('runlevels(?-mix:5)') { should be_enabled } + its('runlevels(?-mix:6)') { should be_enabled } end end end - diff --git a/controls/V-38642.rb b/controls/V-38642.rb index 208c985..68d9766 100644 --- a/controls/V-38642.rb +++ b/controls/V-38642.rb 
@@ -1,16 +1,16 @@ -control "V-38642" do - title "The system default umask for daemons must be 027 or 022." +control 'V-38642' do + title 'The system default umask for daemons must be 027 or 022.' desc "The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38642" - tag "rid": "SV-50443r1_rule" - tag "stig_id": "RHEL-06-000346" - tag "fix_id": "F-43592r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38642' + tag "rid": 'SV-50443r1_rule' + tag "stig_id": 'RHEL-06-000346' + tag "fix_id": 'F-43592r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -39,13 +39,12 @@ runtime. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts." - describe file("/etc/rc.d/init.d/functions") do - its("content") { should match(/^\s*umask\s+([^#\s]*)/) } + describe file('/etc/rc.d/init.d/functions') do + its('content') { should match(/^\s*umask\s+([^#\s]*)/) } end - file("/etc/rc.d/init.d/functions").content.to_s.scan(/^\s*umask\s+([^#\s]*)/).flatten.each do |entry| + file('/etc/rc.d/init.d/functions').content.to_s.scan(/^\s*umask\s+([^#\s]*)/).flatten.each do |entry| describe entry do it { should match(/^0?(022|027)$/) } end end end - diff --git a/controls/V-38643.rb b/controls/V-38643.rb index 3332439..2e7e75e 100644 --- a/controls/V-38643.rb +++ b/controls/V-38643.rb 
@@ -1,17 +1,17 @@ -control "V-38643" do - title "There must be no world-writable files on the system." +control 'V-38643' do + title 'There must be no world-writable files on the system.' desc "Data in world-writable files can be modified by any user on the system. In almost all circumstances, files can be configured using a combination of user and group permissions to support whatever legitimate access is needed without the risk caused by world-writable files." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38643" - tag "rid": "SV-50444r3_rule" - tag "stig_id": "RHEL-06-000282" - tag "fix_id": "F-43591r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38643' + tag "rid": 'SV-50444r3_rule' + tag "stig_id": 'RHEL-06-000282' + tag "fix_id": 'F-43591r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -35,9 +35,8 @@ files, as these may be symptoms of a misconfigured application or user account." files = command(%(find / -xautofs -noleaf -wholename '/proc' -prune -o -wholename '/sys' -prune -o -wholename '/dev' -prune -o -wholename '/selinux' -prune -o -type f -perm -002 -print)) - describe "World-writable files" do + describe 'World-writable files' do subject { files.stdout.strip.split("\n") } it { should be_empty } end end - diff --git a/controls/V-38644.rb b/controls/V-38644.rb index a9f9157..935a658 100644 --- a/controls/V-38644.rb +++ b/controls/V-38644.rb 
@@ -1,17 +1,17 @@ -control "V-38644" do - title "The ntpdate service must not be running." +control 'V-38644' do + title 'The ntpdate service must not be running.' desc "The \"ntpdate\" service may only be suitable for systems which are rebooted frequently enough that clock drift does not cause problems between reboots. In any event, the functionality of the ntpdate service is now available in the ntpd program and should be considered deprecated." impact 0.3 - tag "gtitle": "SRG-OS-000096" - tag "gid": "V-38644" - tag "rid": "SV-50445r2_rule" - tag "stig_id": "RHEL-06-000265" - tag "fix_id": "F-43593r2_fix" - tag "cci": ["CCI-000382"] - tag "nist": ["CM-7 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000096' + tag "gid": 'V-38644' + tag "rid": 'SV-50445r2_rule' + tag "stig_id": 'RHEL-06-000265' + tag "fix_id": 'F-43593r2_fix' + tag "cci": ['CCI-000382'] + tag "nist": ['CM-7 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -54,18 +54,17 @@ # service ntpdate stop" describe.one do - describe package("ntpdate") do + describe package('ntpdate') do it { should_not be_installed } end - describe service("ntpdate") do - its("runlevels(?-mix:0)") { should be_enabled } - its("runlevels(?-mix:1)") { should be_enabled } - its("runlevels(?-mix:2)") { should be_enabled } - its("runlevels(?-mix:3)") { should be_enabled } - its("runlevels(?-mix:4)") { should be_enabled } - its("runlevels(?-mix:5)") { should be_enabled } - its("runlevels(?-mix:6)") { should be_enabled } + describe service('ntpdate') do + its('runlevels(?-mix:0)') { should be_enabled } + its('runlevels(?-mix:1)') { should be_enabled } + its('runlevels(?-mix:2)') { should be_enabled } + its('runlevels(?-mix:3)') { should be_enabled } + its('runlevels(?-mix:4)') { should be_enabled } + its('runlevels(?-mix:5)') { should be_enabled } + its('runlevels(?-mix:6)') { should be_enabled } end end end - diff --git a/controls/V-38645.rb b/controls/V-38645.rb index 0027094..ec69fe0 100644 
--- a/controls/V-38645.rb +++ b/controls/V-38645.rb @@ -1,16 +1,16 @@ -control "V-38645" do - title "The system default umask in /etc/login.defs must be 077." +control 'V-38645' do + title 'The system default umask in /etc/login.defs must be 077.' desc "The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38645" - tag "rid": "SV-50446r1_rule" - tag "stig_id": "RHEL-06-000345" - tag "fix_id": "F-43594r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38645' + tag "rid": 'SV-50446r1_rule' + tag "stig_id": 'RHEL-06-000345' + tag "fix_id": 'F-43594r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -40,13 +40,12 @@ UMASK 077" - describe file("/etc/login.defs") do - its("content") { should match(/^[\s]*UMASK[\s]+([^#\s]*)/) } + describe file('/etc/login.defs') do + its('content') { should match(/^[\s]*UMASK[\s]+([^#\s]*)/) } end - file("/etc/login.defs").content.to_s.scan(/^[\s]*UMASK[\s]+([^#\s]*)/).flatten.each do |entry| + file('/etc/login.defs').content.to_s.scan(/^[\s]*UMASK[\s]+([^#\s]*)/).flatten.each do |entry| describe entry do - it { should eq "077" } + it { should eq '077' } end end end - diff --git a/controls/V-38646.rb b/controls/V-38646.rb index bb0a850..66e5c3f 100644 --- a/controls/V-38646.rb +++ b/controls/V-38646.rb 
@@ -1,17 +1,17 @@ -control "V-38646" do - title "The oddjobd service must not be running." +control 'V-38646' do + title 'The oddjobd service must not be running.' desc "The \"oddjobd\" service may provide necessary functionality in some environments but it can be disabled if it is not needed. Execution of tasks by privileged programs, on behalf of unprivileged ones, has traditionally been a source of privilege escalation security issues." impact 0.3 - tag "gtitle": "SRG-OS-000096" - tag "gid": "V-38646" - tag "rid": "SV-50447r2_rule" - tag "stig_id": "RHEL-06-000266" - tag "fix_id": "F-43595r2_fix" - tag "cci": ["CCI-000382"] - tag "nist": ["CM-7 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000096' + tag "gid": 'V-38646' + tag "rid": 'SV-50447r2_rule' + tag "stig_id": 'RHEL-06-000266' + tag "fix_id": 'F-43595r2_fix' + tag "cci": ['CCI-000382'] + tag "nist": ['CM-7 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -54,18 +54,17 @@ # service oddjobd stop" describe.one do - describe package("oddjob") do + describe package('oddjob') do it { should_not be_installed } end - describe service("oddjobd") do - its("runlevels(?-mix:0)") { should be_enabled } - its("runlevels(?-mix:1)") { should be_enabled } - its("runlevels(?-mix:2)") { should be_enabled } - its("runlevels(?-mix:3)") { should be_enabled } - its("runlevels(?-mix:4)") { should be_enabled } - its("runlevels(?-mix:5)") { should be_enabled } - its("runlevels(?-mix:6)") { should be_enabled } + describe service('oddjobd') do + its('runlevels(?-mix:0)') { should be_enabled } + its('runlevels(?-mix:1)') { should be_enabled } + its('runlevels(?-mix:2)') { should be_enabled } + its('runlevels(?-mix:3)') { should be_enabled } + its('runlevels(?-mix:4)') { should be_enabled } + its('runlevels(?-mix:5)') { should be_enabled } + its('runlevels(?-mix:6)') { should be_enabled } end end end - diff --git a/controls/V-38647.rb b/controls/V-38647.rb index 8980d39..3cbd163 100644 
--- a/controls/V-38647.rb +++ b/controls/V-38647.rb @@ -1,16 +1,16 @@ -control "V-38647" do - title "The system default umask in /etc/profile must be 077." +control 'V-38647' do + title 'The system default umask in /etc/profile must be 077.' desc "The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38647" - tag "rid": "SV-50448r1_rule" - tag "stig_id": "RHEL-06-000344" - tag "fix_id": "F-43596r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38647' + tag "rid": 'SV-50448r1_rule' + tag "stig_id": 'RHEL-06-000344' + tag "fix_id": 'F-43596r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -40,13 +40,12 @@ umask 077" - describe file("/etc/profile") do - its("content") { should match(/^[\s]*umask[\s]+([^#\s]*)/) } + describe file('/etc/profile') do + its('content') { should match(/^[\s]*umask[\s]+([^#\s]*)/) } end - file("/etc/profile").content.to_s.scan(/^[\s]*umask[\s]+([^#\s]*)/).flatten.each do |entry| + file('/etc/profile').content.to_s.scan(/^[\s]*umask[\s]+([^#\s]*)/).flatten.each do |entry| describe entry do - it { should eq "077" } + it { should eq '077' } end end end - diff --git a/controls/V-38648.rb b/controls/V-38648.rb index f017ec6..69e819d 100644 --- a/controls/V-38648.rb +++ b/controls/V-38648.rb 
@@ -1,18 +1,18 @@ -control "V-38648" do - title "The qpidd service must not be running." +control 'V-38648' do + title 'The qpidd service must not be running.' desc "The qpidd service is automatically installed when the \"base\" package selection is selected during installation. The qpidd service listens for network connections which increases the attack surface of the system. If the system is not intended to receive AMQP traffic then the \"qpidd\" service is not needed and should be disabled or removed." impact 0.3 - tag "gtitle": "SRG-OS-000096" - tag "gid": "V-38648" - tag "rid": "SV-50449r2_rule" - tag "stig_id": "RHEL-06-000267" - tag "fix_id": "F-43597r2_fix" - tag "cci": ["CCI-000382"] - tag "nist": ["CM-7 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000096' + tag "gid": 'V-38648' + tag "rid": 'SV-50449r2_rule' + tag "stig_id": 'RHEL-06-000267' + tag "fix_id": 'F-43597r2_fix' + tag "cci": ['CCI-000382'] + tag "nist": ['CM-7 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -55,18 +55,17 @@ # service qpidd stop" describe.one do - describe package("qpid-cpp-server") do + describe package('qpid-cpp-server') do it { should_not be_installed } end - describe service("qpidd") do - its("runlevels(?-mix:0)") { should be_enabled } - its("runlevels(?-mix:1)") { should be_enabled } - its("runlevels(?-mix:2)") { should be_enabled } - its("runlevels(?-mix:3)") { should be_enabled } - its("runlevels(?-mix:4)") { should be_enabled } - its("runlevels(?-mix:5)") { should be_enabled } - its("runlevels(?-mix:6)") { should be_enabled } + describe service('qpidd') do + its('runlevels(?-mix:0)') { should be_enabled } + its('runlevels(?-mix:1)') { should be_enabled } + its('runlevels(?-mix:2)') { should be_enabled } + its('runlevels(?-mix:3)') { should be_enabled } + its('runlevels(?-mix:4)') { should be_enabled } + its('runlevels(?-mix:5)') { should be_enabled } + its('runlevels(?-mix:6)') { should be_enabled } end end end - 
diff --git a/controls/V-38649.rb b/controls/V-38649.rb index 12e0e62..312fc7b 100644 --- a/controls/V-38649.rb +++ b/controls/V-38649.rb @@ -1,16 +1,16 @@ -control "V-38649" do - title "The system default umask for the csh shell must be 077." +control 'V-38649' do + title 'The system default umask for the csh shell must be 077.' desc "The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38649" - tag "rid": "SV-50450r1_rule" - tag "stig_id": "RHEL-06-000343" - tag "fix_id": "F-43598r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38649' + tag "rid": 'SV-50450r1_rule' + tag "stig_id": 'RHEL-06-000343' + tag "fix_id": 'F-43598r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -41,20 +41,19 @@ umask 077" describe.one do - describe file("/etc/csh.cshrc") do - its("content") { should match(/^[\s]*umask[\s]+([^#\s]*)/) } + describe file('/etc/csh.cshrc') do + its('content') { should match(/^[\s]*umask[\s]+([^#\s]*)/) } end - file("/etc/csh.cshrc").content.to_s.scan(/^[\s]*umask[\s]+([^#\s]*)/).flatten.each do |entry| + file('/etc/csh.cshrc').content.to_s.scan(/^[\s]*umask[\s]+([^#\s]*)/).flatten.each do |entry| describe entry do - it { should eq "077" } + it { should eq '077' } end end - describe package("tcsh") do + describe package('tcsh') do it { should_not be_installed } end - describe file("/etc/csh.cshrc") do + describe file('/etc/csh.cshrc') do it { should_not exist } end end end - diff --git a/controls/V-38650.rb b/controls/V-38650.rb index 0e5930e..10ea26e 100644 --- a/controls/V-38650.rb +++ b/controls/V-38650.rb 
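Review bot: In the `describe.one` block of controls/V-38649.rb the first `describe file('/etc/csh.cshrc')` only checks that some `umask` line exists, and `describe.one` is satisfied by any single passing member, so a file that sets `umask 022` would pass without the `'077'` comparison mattering. The presence check should carry the required value, e.g. `its('content') { should match(/^[\s]*umask[\s]+077\b/) }`, or the value check should be moved outside `describe.one`. The sibling umask controls V-38645, V-38647 and V-38651 keep both checks at the top level and are not affected. The control body starts above the hunk.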
@@ -1,17 +1,17 @@ -control "V-38650" do - title "The rdisc service must not be running." +control 'V-38650' do + title 'The rdisc service must not be running.' desc "General-purpose systems typically have their network and routing information configured statically by a system administrator. Workstations or some special-purpose systems often use DHCP (instead of IRDP) to retrieve dynamic network configuration information." impact 0.3 - tag "gtitle": "SRG-OS-000096" - tag "gid": "V-38650" - tag "rid": "SV-50451r2_rule" - tag "stig_id": "RHEL-06-000268" - tag "fix_id": "F-43599r2_fix" - tag "cci": ["CCI-000382"] - tag "nist": ["CM-7 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000096' + tag "gid": 'V-38650' + tag "rid": 'SV-50451r2_rule' + tag "stig_id": 'RHEL-06-000268' + tag "fix_id": 'F-43599r2_fix' + tag "cci": ['CCI-000382'] + tag "nist": ['CM-7 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -54,18 +54,17 @@ # service rdisc stop" describe.one do - describe package("iputils") do + describe package('iputils') do it { should_not be_installed } end - describe service("rdisc") do - its("runlevels(?-mix:0)") { should be_enabled } - its("runlevels(?-mix:1)") { should be_enabled } - its("runlevels(?-mix:2)") { should be_enabled } - its("runlevels(?-mix:3)") { should be_enabled } - its("runlevels(?-mix:4)") { should be_enabled } - its("runlevels(?-mix:5)") { should be_enabled } - its("runlevels(?-mix:6)") { should be_enabled } + describe service('rdisc') do + its('runlevels(?-mix:0)') { should be_enabled } + its('runlevels(?-mix:1)') { should be_enabled } + its('runlevels(?-mix:2)') { should be_enabled } + its('runlevels(?-mix:3)') { should be_enabled } + its('runlevels(?-mix:4)') { should be_enabled } + its('runlevels(?-mix:5)') { should be_enabled } + its('runlevels(?-mix:6)') { should be_enabled } end end end - diff --git a/controls/V-38651.rb b/controls/V-38651.rb index 0db82c7..b235398 100644 --- a/controls/V-38651.rb 
+++ b/controls/V-38651.rb @@ -1,16 +1,16 @@ -control "V-38651" do - title "The system default umask for the bash shell must be 077." +control 'V-38651' do + title 'The system default umask for the bash shell must be 077.' desc "The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and/or written to by unauthorized users." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38651" - tag "rid": "SV-50452r1_rule" - tag "stig_id": "RHEL-06-000342" - tag "fix_id": "F-43600r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38651' + tag "rid": 'SV-50452r1_rule' + tag "stig_id": 'RHEL-06-000342' + tag "fix_id": 'F-43600r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -41,13 +41,12 @@ umask 077" - describe file("/etc/bashrc") do - its("content") { should match(/^[\s]*umask[\s]+([^#\s]*)/) } + describe file('/etc/bashrc') do + its('content') { should match(/^[\s]*umask[\s]+([^#\s]*)/) } end - file("/etc/bashrc").content.to_s.scan(/^[\s]*umask[\s]+([^#\s]*)/).flatten.each do |entry| + file('/etc/bashrc').content.to_s.scan(/^[\s]*umask[\s]+([^#\s]*)/).flatten.each do |entry| describe entry do - it { should eq "077" } + it { should eq '077' } end end end - diff --git a/controls/V-38652.rb b/controls/V-38652.rb index 6c19b60..8d3df94 100644 --- a/controls/V-38652.rb +++ b/controls/V-38652.rb 
@@ -1,15 +1,15 @@ -control "V-38652" do - title "Remote file systems must be mounted with the nodev option." +control 'V-38652' do + title 'Remote file systems must be mounted with the nodev option.' desc "Legitimate device files should only exist in the /dev directory. NFS mounts should not present device files to users." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38652" - tag "rid": "SV-50453r2_rule" - tag "stig_id": "RHEL-06-000269" - tag "fix_id": "F-43601r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38652' + tag "rid": 'SV-50453r2_rule' + tag "stig_id": 'RHEL-06-000269' + tag "fix_id": 'F-43601r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -35,4 +35,3 @@ its('stdout.strip.lines') { should all include 'nodev' } end end - diff --git a/controls/V-38653.rb b/controls/V-38653.rb index daf5449..c4f8e97 100644 --- a/controls/V-38653.rb +++ b/controls/V-38653.rb @@ -1,15 +1,15 @@ -control "V-38653" do - title "The snmpd service must not use a default password." +control 'V-38653' do + title 'The snmpd service must not use a default password.' desc "Presence of the default SNMP password enables querying of different system aspects and could result in unauthorized knowledge of the system." impact 0.7 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38653" - tag "rid": "SV-50454r1_rule" - tag "stig_id": "RHEL-06-000341" - tag "fix_id": "F-43602r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38653' + tag "rid": 'SV-50454r1_rule' + tag "stig_id": 'RHEL-06-000341' + tag "fix_id": 'F-43602r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -36,4 +36,3 @@ its('stdout.strip') { should be_empty } end end - 
diff --git a/controls/V-38654.rb b/controls/V-38654.rb index b550aa3..481782f 100644 --- a/controls/V-38654.rb +++ b/controls/V-38654.rb @@ -1,16 +1,16 @@ -control "V-38654" do - title "Remote file systems must be mounted with the nosuid option." +control 'V-38654' do + title 'Remote file systems must be mounted with the nosuid option.' desc "NFS mounts should not present suid binaries to users. Only vendor-supplied suid executables should be installed to their default location on the local filesystem." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38654" - tag "rid": "SV-50455r2_rule" - tag "stig_id": "RHEL-06-000270" - tag "fix_id": "F-43603r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38654' + tag "rid": 'SV-50455r2_rule' + tag "stig_id": 'RHEL-06-000270' + tag "fix_id": 'F-43603r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -36,4 +36,3 @@ its('stdout.strip.lines') { should all include 'nosuid' } end end - diff --git a/controls/V-38655.rb b/controls/V-38655.rb index 62c5a92..5c97a46 100644 --- a/controls/V-38655.rb +++ b/controls/V-38655.rb 
@@ -1,15 +1,15 @@ -control "V-38655" do - title "The noexec option must be added to removable media partitions." +control 'V-38655' do + title 'The noexec option must be added to removable media partitions.' desc "Allowing users to execute binaries from removable media such as USB keys exposes the system to potential compromise." impact 0.3 - tag "gtitle": "SRG-OS-000035" - tag "gid": "V-38655" - tag "rid": "SV-50456r1_rule" - tag "stig_id": "RHEL-06-000271" - tag "fix_id": "F-43605r1_fix" - tag "cci": ["CCI-000087"] - tag "nist": ["AC-19 e", "Rev_4"] + tag "gtitle": 'SRG-OS-000035' + tag "gid": 'V-38655' + tag "rid": 'SV-50456r1_rule' + tag "stig_id": 'RHEL-06-000271' + tag "fix_id": 'F-43605r1_fix' + tag "cci": ['CCI-000087'] + tag "nist": ['AC-19 e', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -36,36 +36,36 @@ \"/etc/fstab\" for the line which controls mounting of any removable media partitions." - mounts = command('mount').stdout.strip.split("\n"). - map do |d| - split_mounts = d.split(%r{\s+}) - options = split_mounts[-1].match(%r{\((.*)\)$}).captures.first.split(',') - dev_file = file(split_mounts[0]) - dev_link = dev_file.symlink? ? dev_file.link_path : dev_file.path - {'dev'=>split_mounts[0], 'link'=>dev_link, 'mount'=>split_mounts[2], 'options'=>options} - end + mounts = command('mount').stdout.strip.split("\n") + .map do |d| + split_mounts = d.split(/\s+/) + options = split_mounts[-1].match(/\((.*)\)$/).captures.first.split(',') + dev_file = file(split_mounts[0]) + dev_link = dev_file.symlink? ? dev_file.link_path : dev_file.path + { 'dev' => split_mounts[0], 'link' => dev_link, 'mount' => split_mounts[2], 'options' => options } + end - dev_mounts = mounts. - select { |mnt| mnt['dev'].start_with? '/' and !mnt['dev'].start_with? '//' }. - map do |mnt| - # https://unix.stackexchange.com/a/308724 - partition = ['/sys/class/block', mnt['link'].sub(%r{^/dev/}, ''), 'partition'].join('/') - if file(partition).exist? - root_dev = command('basename "$(readlink -f "/sys/class/block/sda1/..")"').stdout.strip - mnt['root_dev'] = '/dev/' + root_dev - else - mnt['root_dev'] = mnt['link'] - end - mnt + dev_mounts = mounts + .select { |mnt| mnt['dev'].start_with?('/') && !mnt['dev'].start_with?('//') } + .map do |mnt| + # https://unix.stackexchange.com/a/308724 + partition = ['/sys/class/block', mnt['link'].sub(%r{^/dev/}, ''), 'partition'].join('/') + if file(partition).exist? 
+ root_dev = command('basename "$(readlink -f "/sys/class/block/sda1/..")"').stdout.strip + mnt['root_dev'] = '/dev/' + root_dev + else + mnt['root_dev'] = mnt['link'] end + mnt + end - removable_mounts = dev_mounts.select do |mnt| + removable_mounts = dev_mounts.select do |mnt| removable = ['/sys/block', mnt['root_dev'].sub(%r{^/dev/}, ''), 'removable'].join('/') file(removable).content.strip == '1' end if removable_mounts.empty? - describe "Removable mounted devices" do + describe 'Removable mounted devices' do subject { removable_mounts } it { should be_empty } end @@ -78,4 +78,3 @@ end end end - diff --git a/controls/V-38656.rb b/controls/V-38656.rb index 8db4ac7..e8bdeee 100644 --- a/controls/V-38656.rb +++ b/controls/V-38656.rb @@ -1,16 +1,16 @@ -control "V-38656" do +control 'V-38656' do title "The system must use SMB client signing for connecting to samba servers using smbclient." desc "Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38656" - tag "rid": "SV-50457r1_rule" - tag "stig_id": "RHEL-06-000272" - tag "fix_id": "F-43606r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38656' + tag "rid": 'SV-50457r1_rule' + tag "stig_id": 'RHEL-06-000272' + tag "fix_id": 'F-43606r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -42,12 +42,11 @@ they can only communicate with servers that support packet signing." describe.one do - describe package("samba-common") do + describe package('samba-common') do it { should_not be_installed } end - describe file("/etc/samba/smb.conf") do - its("content") { should match(/^[\s]*client[\s]+signing[\s]*=[\s]*mandatory/) } + describe file('/etc/samba/smb.conf') do + its('content') { should match(/^[\s]*client[\s]+signing[\s]*=[\s]*mandatory/) } end end end - 
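Review bot: In the `dev_mounts` block of the V-38655 hunk, the parent-device lookup is hard-coded to `/sys/class/block/sda1/..`, so every partition is resolved to the parent of sda1 whatever device is actually mounted. A removable partition such as sdb1 would then be tested against `/sys/block/sda/removable` and dropped from `removable_mounts`, and the control reports no removable media. The lookup should use the partition name computed just above it, for example `dev = mnt['link'].sub(%r{^/dev/}, '')` followed by `root_dev = command("basename \"$(readlink -f /sys/class/block/#{Shellwords.escape(dev)}/..)\"").stdout.strip`. The name comes from `mount` output on the scanned host, so it should be shell-escaped before interpolation (this needs `require 'shellwords'`). The loop that checks `noexec` on each removable mount lies outside this hunk.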
diff --git a/controls/V-38657.rb b/controls/V-38657.rb index 39eb8b0..20f0626 100644 --- a/controls/V-38657.rb +++ b/controls/V-38657.rb @@ -1,16 +1,16 @@ -control "V-38657" do +control 'V-38657' do title "The system must use SMB client signing for connecting to samba servers using mount.cifs." desc "Packet signing can prevent man-in-the-middle attacks which modify SMB packets in transit." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38657" - tag "rid": "SV-50458r2_rule" - tag "stig_id": "RHEL-06-000273" - tag "fix_id": "F-43607r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38657' + tag "rid": 'SV-50458r2_rule' + tag "stig_id": 'RHEL-06-000273' + tag "fix_id": 'F-43607r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -38,21 +38,21 @@ See the \"mount.cifs(8)\" man page for more information. A Samba client should only communicate with servers who can support SMB packet signing." - mounts = command('mount').stdout.strip.split("\n"). - map do |d| - split_mounts = d.split(%r{\s+}) - options = split_mounts[-1].match(%r{\((.*)\)$}).captures.first.split(',') - dev_file = file(split_mounts[0]) - dev_link = dev_file.symlink? ? dev_file.link_path : dev_file.path - {'dev'=>split_mounts[0], 'link'=>dev_link, 'mount'=>split_mounts[2], 'options'=>options, 'type'=> split_mounts[-2]} - end + mounts = command('mount').stdout.strip.split("\n") + .map do |d| + split_mounts = d.split(/\s+/) + options = split_mounts[-1].match(/\((.*)\)$/).captures.first.split(',') + dev_file = file(split_mounts[0]) + dev_link = dev_file.symlink? ? dev_file.link_path : dev_file.path + { 'dev' => split_mounts[0], 'link' => dev_link, 'mount' => split_mounts[2], 'options' => options, 'type' => split_mounts[-2] } + end cifs_mounts = mounts.select { |mnt| mnt['type'] == 'cifs' } if cifs_mounts.empty? impact 0.0 - describe "Samba shares not in use" do - skip "Samba shares not in use, this control Not Applicable" + describe 'Samba shares not in use' do + skip 'Samba shares not in use, this control Not Applicable' end else cifs_mounts.each do |mnt| @@ -63,4 +63,3 @@ end end end - diff --git a/controls/V-38658.rb b/controls/V-38658.rb index f31b68b..504a63e 100644 --- a/controls/V-38658.rb +++ b/controls/V-38658.rb 
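Review bot: `split_mounts[-1].match(/\((.*)\)$/).captures` in the `mounts` mapping raises NoMethodError whenever a line of `mount` output does not end in a parenthesised option list, because `match` returns nil. The control then aborts with an exception instead of reporting a finding or a skip. A nil-safe form is `options = split_mounts[-1][/\((.*)\)$/, 1].to_s.split(',')`. The same expression appears in the V-38655 hunk and needs the same change. The body of `cifs_mounts.each` that checks the signing option is outside this hunk.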
@@ -1,16 +1,16 @@ -control "V-38658" do +control 'V-38658' do title "The system must prohibit the reuse of passwords within five iterations." desc "Preventing reuse of previous passwords helps ensure that a compromised password is not reused by a user." impact 0.5 - tag "gtitle": "SRG-OS-000077" - tag "gid": "V-38658" - tag "rid": "SV-50459r6_rule" - tag "stig_id": "RHEL-06-000274" - tag "fix_id": "F-43608r6_fix" - tag "cci": ["CCI-000200"] - tag "nist": ["IA-5 (1) (e)", "Rev_4"] + tag "gtitle": 'SRG-OS-000077' + tag "gid": 'V-38658' + tag "rid": 'SV-50459r6_rule' + tag "stig_id": 'RHEL-06-000274' + tag "fix_id": 'F-43608r6_fix' + tag "cci": ['CCI-000200'] + tag "nist": ['IA-5 (1) (e)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -44,40 +44,39 @@ The DoD requirement is five passwords." describe.one do - describe file("/etc/pam.d/system-auth") do - its("content") { should match(/^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so[\t ]+[^#\n\r]*\s+remember=(\d+)(?:(?:\s)|(?:$))/) } + describe file('/etc/pam.d/system-auth') do + its('content') { should match(/^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so[\t ]+[^#\n\r]*\s+remember=(\d+)(?:(?:\s)|(?:$))/) } end - file("/etc/pam.d/system-auth").content.to_s.scan(/^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so[\t ]+[^#\n\r]*\s+remember=(\d+)(?:(?:\s)|(?:$))/).flatten.each do |entry| + file('/etc/pam.d/system-auth').content.to_s.scan(/^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so[\t ]+[^#\n\r]*\s+remember=(\d+)(?:(?:\s)|(?:$))/).flatten.each do |entry| describe entry do it { should cmp >= 5 } end end - describe file("/etc/pam.d/system-auth") do - its("content") { should match(/^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so\s+remember=(\d+)(?:(?:\s)|(?:$))/) } + describe file('/etc/pam.d/system-auth') do + its('content') { should match(/^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so\s+remember=(\d+)(?:(?:\s)|(?:$))/) } end - file("/etc/pam.d/system-auth").content.to_s.scan(/^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so\s+remember=(\d+)(?:(?:\s)|(?:$))/).flatten.each do |entry| + file('/etc/pam.d/system-auth').content.to_s.scan(/^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so\s+remember=(\d+)(?:(?:\s)|(?:$))/).flatten.each do |entry| describe entry do it { should cmp >= 5 } end end end describe.one do - describe file("/etc/pam.d/password-auth") do - its("content") { should match(/^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so[\t ]+[^#\n\r]*\s+remember=(\d+)(?:(?:\s)|(?:$))/) } + describe file('/etc/pam.d/password-auth') do + its('content') { should 
match(/^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so[\t ]+[^#\n\r]*\s+remember=(\d+)(?:(?:\s)|(?:$))/) } end - file("/etc/pam.d/password-auth").content.to_s.scan(/^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so[\t ]+[^#\n\r]*\s+remember=(\d+)(?:(?:\s)|(?:$))/).flatten.each do |entry| + file('/etc/pam.d/password-auth').content.to_s.scan(/^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so[\t ]+[^#\n\r]*\s+remember=(\d+)(?:(?:\s)|(?:$))/).flatten.each do |entry| describe entry do it { should cmp >= 5 } end end - describe file("/etc/pam.d/password-auth") do - its("content") { should match(/^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so\s+remember=(\d+)(?:(?:\s)|(?:$))/) } + describe file('/etc/pam.d/password-auth') do + its('content') { should match(/^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so\s+remember=(\d+)(?:(?:\s)|(?:$))/) } end - file("/etc/pam.d/password-auth").content.to_s.scan(/^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so\s+remember=(\d+)(?:(?:\s)|(?:$))/).flatten.each do |entry| + file('/etc/pam.d/password-auth').content.to_s.scan(/^\s*password\s+(?:(?:requisite)|(?:required))\s+pam_pwhistory\.so\s+remember=(\d+)(?:(?:\s)|(?:$))/).flatten.each do |entry| describe entry do it { should cmp >= 5 } end end end end - diff --git a/controls/V-38659.rb b/controls/V-38659.rb index 37a0552..4032af4 100644 --- a/controls/V-38659.rb +++ b/controls/V-38659.rb 
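Review bot: Both `describe.one` groups in the V-38658 hunk contain the `its('content') { should match(...remember=(\d+)...) }` blocks as alternatives, and those pass for any numeric value, so a line with `remember=1` already satisfies the group. `describe.one` needs only one nested describe to pass, so the generated `describe entry do it { should cmp >= 5 } end` checks cannot fail the control. I would keep only the two `should match` alternatives inside each `describe.one` and move the `file(...).content.to_s.scan(...).flatten.each` loops outside it, so that every captured value must be at least 5. A comment above each group, such as `# presence of pam_pwhistory remember= is checked here; the value is enforced below`, would make the split clear. The control's metadata and check text sit outside this hunk.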
@@ -1,17 +1,17 @@ -control "V-38659" do +control 'V-38659' do title "The operating system must employ cryptographic mechanisms to protect information in storage." desc "The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost." impact 0.3 - tag "gtitle": "SRG-OS-000131" - tag "gid": "V-38659" - tag "rid": "SV-50460r2_rule" - tag "stig_id": "RHEL-06-000275" - tag "fix_id": "F-43609r3_fix" - tag "cci": ["CCI-001019"] - tag "nist": ["MP-4 (1)", "Rev_4"] + tag "gtitle": 'SRG-OS-000131' + tag "gid": 'V-38659' + tag "rid": 'SV-50460r2_rule' + tag "stig_id": 'RHEL-06-000275' + tag "fix_id": 'F-43609r3_fix' + tag "cci": ['CCI-001019'] + tag "nist": ['MP-4 (1)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -52,8 +52,7 @@ https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html" - describe "Manual test" do - skip "This control must be reviewed manually" + describe 'Manual test' do + skip 'This control must be reviewed manually' end end - diff --git a/controls/V-38660.rb b/controls/V-38660.rb index b000bef..4f21c21 100644 --- a/controls/V-38660.rb +++ b/controls/V-38660.rb 
@@ -1,17 +1,17 @@ -control "V-38660" do - title "The snmpd service must use only SNMP protocol version 3 or newer." +control 'V-38660' do + title 'The snmpd service must use only SNMP protocol version 3 or newer.' desc "Earlier versions of SNMP are considered insecure, as they potentially allow unauthorized access to detailed system management information. " impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38660" - tag "rid": "SV-50461r1_rule" - tag "stig_id": "RHEL-06-000340" - tag "fix_id": "F-43604r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38660' + tag "rid": 'SV-50461r1_rule' + tag "stig_id": 'RHEL-06-000340' + tag "fix_id": 'F-43604r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -38,4 +38,3 @@ its('stdout.strip') { should be_empty } end end - diff --git a/controls/V-38661.rb b/controls/V-38661.rb index e01dd19..5786500 100644 --- a/controls/V-38661.rb +++ b/controls/V-38661.rb @@ -1,17 +1,17 @@ -control "V-38661" do +control 'V-38661' do title "The operating system must protect the confidentiality and integrity of data at rest. " desc "The risk of a system's physical compromise, particularly mobile systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost." impact 0.3 - tag "gtitle": "SRG-OS-000185" - tag "gid": "V-38661" - tag "rid": "SV-50462r2_rule" - tag "stig_id": "RHEL-06-000276" - tag "fix_id": "F-43610r3_fix" - tag "cci": ["CCI-001199"] - tag "nist": ["SC-28", "Rev_4"] + tag "gtitle": 'SRG-OS-000185' + tag "gid": 'V-38661' + tag "rid": 'SV-50462r2_rule' + tag "stig_id": 'RHEL-06-000276' + tag "fix_id": 'F-43610r3_fix' + tag "cci": ['CCI-001199'] + tag "nist": ['SC-28', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -52,8 +52,7 @@ https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html" - describe "Manual test" do - skip "This control must be reviewed manually" + describe 'Manual test' do + skip 'This control must be reviewed manually' end end - diff --git a/controls/V-38662.rb b/controls/V-38662.rb index 0cc7bb4..b98b370 100644 --- a/controls/V-38662.rb +++ b/controls/V-38662.rb @@ -1,4 +1,4 @@ -control "V-38662" do +control 'V-38662' do title "The operating system must employ cryptographic mechanisms to prevent unauthorized disclosure of data at rest unless otherwise protected by alternative physical measures." @@ -6,13 +6,13 @@ systems such as laptops, places its data at risk of compromise. Encrypting this data mitigates the risk of its loss if the system is lost." impact 0.3 - tag "gtitle": "SRG-OS-000230" - tag "gid": "V-38662" - tag "rid": "SV-50463r2_rule" - tag "stig_id": "RHEL-06-000277" - tag "fix_id": "F-43611r3_fix" - tag "cci": ["CCI-001200"] - tag "nist": ["SC-28 (1)", "Rev_4"] + tag "gtitle": 'SRG-OS-000230' + tag "gid": 'V-38662' + tag "rid": 'SV-50463r2_rule' + tag "stig_id": 'RHEL-06-000277' + tag "fix_id": 'F-43611r3_fix' + tag "cci": ['CCI-001200'] + tag "nist": ['SC-28 (1)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -53,8 +53,7 @@ https://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html" - describe "Manual test" do - skip "This control must be reviewed manually" + describe 'Manual test' do + skip 'This control must be reviewed manually' end end - diff --git a/controls/V-38663.rb b/controls/V-38663.rb index b0f6d7a..9cb6e8c 100644 --- a/controls/V-38663.rb +++ b/controls/V-38663.rb 
@@ -1,4 +1,4 @@ -control "V-38663" do +control 'V-38663' do title "The system package management tool must verify permissions on all files and directories associated with the audit package." desc "Permissions on audit binaries and configuration files that are too @@ -6,13 +6,13 @@ not have. The permissions set by the vendor should be maintained. Any deviations from this baseline should be investigated." impact 0.5 - tag "gtitle": "SRG-OS-000256" - tag "gid": "V-38663" - tag "rid": "SV-50464r1_rule" - tag "stig_id": "RHEL-06-000278" - tag "fix_id": "F-43612r1_fix" - tag "cci": ["CCI-001493"] - tag "nist": ["AU-9", "Rev_4"] + tag "gtitle": 'SRG-OS-000256' + tag "gid": 'V-38663' + tag "rid": 'SV-50464r1_rule' + tag "stig_id": 'RHEL-06-000278' + tag "fix_id": 'F-43612r1_fix' + tag "cci": ['CCI-001493'] + tag "nist": ['AU-9', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -48,4 +48,3 @@ its('stdout.strip') { should be_empty } end end - diff --git a/controls/V-38664.rb b/controls/V-38664.rb index 24ad93a..e102461 100644 --- a/controls/V-38664.rb +++ b/controls/V-38664.rb @@ -1,4 +1,4 @@ -control "V-38664" do +control 'V-38664' do title "The system package management tool must verify ownership on all files and directories associated with the audit package." desc "Ownership of audit binaries and configuration files that is incorrect 
@@ -6,13 +6,13 @@ The ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated." impact 0.5 - tag "gtitle": "SRG-OS-000257" - tag "gid": "V-38664" - tag "rid": "SV-50465r1_rule" - tag "stig_id": "RHEL-06-000279" - tag "fix_id": "F-43613r1_fix" - tag "cci": ["CCI-001494"] - tag "nist": ["AU-9", "Rev_4"] + tag "gtitle": 'SRG-OS-000257' + tag "gid": 'V-38664' + tag "rid": 'SV-50465r1_rule' + tag "stig_id": 'RHEL-06-000279' + tag "fix_id": 'F-43613r1_fix' + tag "cci": ['CCI-001494'] + tag "nist": ['AU-9', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -40,4 +40,3 @@ its('stdout.strip') { should be_empty } end end - diff --git a/controls/V-38665.rb b/controls/V-38665.rb index d8fef24..ad99a20 100644 --- a/controls/V-38665.rb +++ b/controls/V-38665.rb @@ -1,4 +1,4 @@ -control "V-38665" do +control 'V-38665' do title "The system package management tool must verify group-ownership on all files and directories associated with the audit package." desc "Group-ownership of audit binaries and configuration files that is @@ -6,13 +6,13 @@ not have. The group-ownership set by the vendor should be maintained. Any deviations from this baseline should be investigated." impact 0.5 - tag "gtitle": "SRG-OS-000258" - tag "gid": "V-38665" - tag "rid": "SV-50466r1_rule" - tag "stig_id": "RHEL-06-000280" - tag "fix_id": "F-43614r1_fix" - tag "cci": ["CCI-001495"] - tag "nist": ["AU-9", "Rev_4"] + tag "gtitle": 'SRG-OS-000258' + tag "gid": 'V-38665' + tag "rid": 'SV-50466r1_rule' + tag "stig_id": 'RHEL-06-000280' + tag "fix_id": 'F-43614r1_fix' + tag "cci": ['CCI-001495'] + tag "nist": ['AU-9', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -38,7 +38,6 @@ # rpm --setugids audit" describe command("rpm -V audit | grep '^......G'") do - its('stdout.strip') { should be_empty } + its('stdout.strip') { should be_empty } end end - 
diff --git a/controls/V-38667.rb b/controls/V-38667.rb index 78b24ff..8ff3912 100644 --- a/controls/V-38667.rb +++ b/controls/V-38667.rb @@ -1,18 +1,18 @@ -control "V-38667" do - title "The system must have a host-based intrusion detection tool installed." +control 'V-38667' do + title 'The system must have a host-based intrusion detection tool installed.' desc "Adding host-based intrusion detection tools can provide the capability to automatically take actions in response to malicious behavior, which can provide additional agility in reacting to network threats. These tools also often include a reporting capability to provide network awareness of system, which may not otherwise exist in an organization's systems management regime." impact 0.5 - tag "gtitle": "SRG-OS-000196" - tag "gid": "V-38667" - tag "rid": "SV-50468r3_rule" - tag "stig_id": "RHEL-06-000285" - tag "fix_id": "F-43616r3_fix" - tag "cci": ["CCI-001263"] - tag "nist": ["SI-4 (5)", "Rev_4"] + tag "gtitle": 'SRG-OS-000196' + tag "gid": 'V-38667' + tag "rid": 'SV-50468r3_rule' + tag "stig_id": 'RHEL-06-000285' + tag "fix_id": 'F-43616r3_fix' + tag "cci": ['CCI-001263'] + tag "nist": ['SI-4 (5)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -66,8 +66,7 @@ Authorizing Official. " - describe "Manual test" do - skip "This control must be reviewed manually" + describe 'Manual test' do + skip 'This control must be reviewed manually' end end - diff --git a/controls/V-38668.rb b/controls/V-38668.rb index 255b1c7..e77defc 100644 --- a/controls/V-38668.rb +++ b/controls/V-38668.rb 
@@ -1,5 +1,5 @@ -control "V-38668" do - title "The x86 Ctrl-Alt-Delete key sequence must be disabled." +control 'V-38668' do + title 'The x86 Ctrl-Alt-Delete key sequence must be disabled.' desc "A locally logged-in user who presses Ctrl-Alt-Delete, when at the console, can reboot the system. If accidentally pressed, as could happen in the case of mixed OS environment, this can create the risk of short-term loss of @@ -7,13 +7,13 @@ environment, risk of unintentional reboot from the Ctrl-Alt-Delete sequence is reduced because the user will be prompted before any action is taken." impact 0.7 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38668" - tag "rid": "SV-50469r4_rule" - tag "stig_id": "RHEL-06-000286" - tag "fix_id": "F-43617r3_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38668' + tag "rid": 'SV-50469r4_rule' + tag "stig_id": 'RHEL-06-000286' + tag "fix_id": 'F-43617r3_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -45,8 +45,7 @@ exec /usr/bin/logger -p authpriv.notice \"Ctrl-Alt-Delete pressed\"" - describe file("/etc/init/control-alt-delete.override") do - its("content") { should match(/^\s*exec \/usr\/bin\/logger -p authpriv\.notice "Ctrl-Alt-Delete pressed"\s*$/) } + describe file('/etc/init/control-alt-delete.override') do + its('content') { should match(/^\s*exec \/usr\/bin\/logger -p authpriv\.notice "Ctrl-Alt-Delete pressed"\s*$/) } end end - diff --git a/controls/V-38669.rb b/controls/V-38669.rb index cb8f309..c6893e0 100644 --- a/controls/V-38669.rb +++ b/controls/V-38669.rb 
@@ -1,15 +1,15 @@ -control "V-38669" do - title "The postfix service must be enabled for mail delivery." +control 'V-38669' do + title 'The postfix service must be enabled for mail delivery.' desc "Local mail delivery is essential to some system maintenance and notification tasks." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38669" - tag "rid": "SV-50470r1_rule" - tag "stig_id": "RHEL-06-000287" - tag "fix_id": "F-43618r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38669' + tag "rid": 'SV-50470r1_rule' + tag "stig_id": 'RHEL-06-000287' + tag "fix_id": 'F-43618r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -39,31 +39,30 @@ # chkconfig postfix on # service postfix start" - describe package("postfix") do + describe package('postfix') do it { should be_installed } end describe.one do - describe service("postfix").runlevels(/0/) do + describe service('postfix').runlevels(/0/) do it { should be_enabled } end - describe service("postfix").runlevels(/1/) do + describe service('postfix').runlevels(/1/) do it { should be_enabled } end - describe service("postfix").runlevels(/2/) do + describe service('postfix').runlevels(/2/) do it { should be_enabled } end - describe service("postfix").runlevels(/3/) do + describe service('postfix').runlevels(/3/) do it { should be_enabled } end - describe service("postfix").runlevels(/4/) do + describe service('postfix').runlevels(/4/) do it { should be_enabled } end - describe service("postfix").runlevels(/5/) do + describe service('postfix').runlevels(/5/) do it { should be_enabled } end - describe service("postfix").runlevels(/6/) do + describe service('postfix').runlevels(/6/) do it { should be_enabled } end end end - diff --git a/controls/V-38670.rb b/controls/V-38670.rb index 3c5d770..84db4f9 100644 --- a/controls/V-38670.rb 
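Review bot: The `describe.one` group in the `@@ -39,31 +39,30 @@` hunk passes when postfix is enabled in any single runlevel, including 0, 1 and 6 (halt, single-user and reboot on RHEL 6). A host where postfix is off in the multi-user runlevels could therefore still pass. If the STIG check text, which is outside this hunk, means mail delivery during normal operation, I would drop the `runlevels(/0/)`, `runlevels(/1/)` and `runlevels(/6/)` alternatives and keep runlevels 2 to 5. The group also never checks that the service is running, and `describe service('postfix') do it { should be_running } end` next to the package check would cover the `service postfix start` half of the fix text.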
+++ b/controls/V-38670.rb @@ -1,16 +1,16 @@ -control "V-38670" do +control 'V-38670' do title "The operating system must detect unauthorized changes to software and information. " desc "By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files." impact 0.5 - tag "gtitle": "SRG-OS-000202" - tag "gid": "V-38670" - tag "rid": "SV-50471r2_rule" - tag "stig_id": "RHEL-06-000306" - tag "fix_id": "F-43619r1_fix" - tag "cci": ["CCI-001297"] - tag "nist": ["SI-7", "Rev_4"] + tag "gtitle": 'SRG-OS-000202' + tag "gid": 'V-38670' + tag "rid": 'SV-50471r2_rule' + tag "stig_id": 'RHEL-06-000306' + tag "fix_id": 'F-43619r1_fix' + tag "cci": ['CCI-001297'] + tag "nist": ['SI-7', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -40,4 +40,3 @@ its('stdout.strip') { should_not be_empty } end end - diff --git a/controls/V-38671.rb b/controls/V-38671.rb index 0493830..db74b70 100644 --- a/controls/V-38671.rb +++ b/controls/V-38671.rb @@ -1,16 +1,16 @@ -control "V-38671" do - title "The sendmail package must be removed." +control 'V-38671' do + title 'The sendmail package must be removed.' desc "The sendmail software was not developed with security in mind and its design prevents it from being effectively contained by SELinux. Postfix should be used instead." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38671" - tag "rid": "SV-50472r1_rule" - tag "stig_id": "RHEL-06-000288" - tag "fix_id": "F-43620r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38671' + tag "rid": 'SV-50472r1_rule' + tag "stig_id": 'RHEL-06-000288' + tag "fix_id": 'F-43620r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -34,8 +34,7 @@ # yum erase sendmail" - describe package("sendmail") do + describe package('sendmail') do it { should_not be_installed } end end - diff --git a/controls/V-38672.rb b/controls/V-38672.rb index e397ef2..b084999 100644 --- a/controls/V-38672.rb +++ b/controls/V-38672.rb @@ -1,15 +1,15 @@ -control "V-38672" do - title "The netconsole service must be disabled unless required." +control 'V-38672' do + title 'The netconsole service must be disabled unless required.' desc "The \"netconsole\" service is not necessary unless there is a need to debug kernel panics, which is not common." impact 0.3 - tag "gtitle": "SRG-OS-000096" - tag "gid": "V-38672" - tag "rid": "SV-50473r2_rule" - tag "stig_id": "RHEL-06-000289" - tag "fix_id": "F-43622r2_fix" - tag "cci": ["CCI-000382"] - tag "nist": ["CM-7 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000096' + tag "gid": 'V-38672' + tag "rid": 'SV-50473r2_rule' + tag "stig_id": 'RHEL-06-000289' + tag "fix_id": 'F-43622r2_fix' + tag "cci": ['CCI-000382'] + tag "nist": ['CM-7 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -52,26 +52,25 @@ # chkconfig netconsole off # service netconsole stop" - describe service("netconsole").runlevels(/0/) do + describe service('netconsole').runlevels(/0/) do it { should_not be_enabled } end - describe service("netconsole").runlevels(/1/) do + describe service('netconsole').runlevels(/1/) do it { should_not be_enabled } end - describe service("netconsole").runlevels(/2/) do + describe service('netconsole').runlevels(/2/) do it { should_not be_enabled } end - describe service("netconsole").runlevels(/3/) do + describe service('netconsole').runlevels(/3/) do it { should_not be_enabled } end - describe service("netconsole").runlevels(/4/) do + describe service('netconsole').runlevels(/4/) do it { should_not be_enabled } end - describe service("netconsole").runlevels(/5/) do + describe service('netconsole').runlevels(/5/) do it { should_not be_enabled } end - describe service("netconsole").runlevels(/6/) do + describe service('netconsole').runlevels(/6/) do it { should_not be_enabled } end end - diff --git a/controls/V-38673.rb b/controls/V-38673.rb index 0a814c6..4a582fe 100644 --- a/controls/V-38673.rb +++ b/controls/V-38673.rb 
@@ -1,16 +1,16 @@ -control "V-38673" do +control 'V-38673' do title "The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked." desc "By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files." impact 0.5 - tag "gtitle": "SRG-OS-000265" - tag "gid": "V-38673" - tag "rid": "SV-50474r2_rule" - tag "stig_id": "RHEL-06-000307" - tag "fix_id": "F-43621r1_fix" - tag "cci": ["CCI-001589"] - tag "nist": ["CM-6 (3)", "Rev_4"] + tag "gtitle": 'SRG-OS-000265' + tag "gid": 'V-38673' + tag "rid": 'SV-50474r2_rule' + tag "stig_id": 'RHEL-06-000307' + tag "fix_id": 'F-43621r1_fix' + tag "cci": ['CCI-001589'] + tag "nist": ['CM-6 (3)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -40,4 +40,3 @@ its('stdout.strip') { should_not be_empty } end end - diff --git a/controls/V-38674.rb b/controls/V-38674.rb index 6ac4f7d..1823489 100644 --- a/controls/V-38674.rb +++ b/controls/V-38674.rb @@ -1,15 +1,15 @@ -control "V-38674" do - title "X Windows must not be enabled unless required." +control 'V-38674' do + title 'X Windows must not be enabled unless required.' desc "Unnecessary services should be disabled to decrease the attack surface of the system." impact 0.5 - tag "gtitle": "SRG-OS-000248" - tag "gid": "V-38674" - tag "rid": "SV-50475r1_rule" - tag "stig_id": "RHEL-06-000290" - tag "fix_id": "F-43623r1_fix" - tag "cci": ["CCI-001436"] - tag "nist": ["AC-17 (8)", "Rev_4"] + tag "gtitle": 'SRG-OS-000248' + tag "gid": 'V-38674' + tag "rid": 'SV-50475r1_rule' + tag "stig_id": 'RHEL-06-000290' + tag "fix_id": 'F-43623r1_fix' + tag "cci": ['CCI-001436'] + tag "nist": ['AC-17 (8)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -36,8 +36,7 @@ id:3:initdefault:" - describe file("/etc/inittab") do - its("content") { should match(/^[\s]*id:3:initdefault:[\s]*$/) } + describe file('/etc/inittab') do + its('content') { should match(/^[\s]*id:3:initdefault:[\s]*$/) } end end - diff --git a/controls/V-38675.rb b/controls/V-38675.rb index f5a50b3..5d7019f 100644 --- a/controls/V-38675.rb +++ b/controls/V-38675.rb @@ -1,16 +1,16 @@ -control "V-38675" do - title "Process core dumps must be disabled unless needed." +control 'V-38675' do + title 'Process core dumps must be disabled unless needed.' desc "A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38675" - tag "rid": "SV-50476r2_rule" - tag "stig_id": "RHEL-06-000308" - tag "fix_id": "F-43624r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38675' + tag "rid": 'SV-50476r2_rule' + tag "stig_id": 'RHEL-06-000308' + tag "fix_id": 'F-43624r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -37,7 +37,6 @@ * hard core 0" describe limits_conf do - its('*') { should include ['hard', 'core', '0'] } + its('*') { should include %w[hard core 0] } end end - diff --git a/controls/V-38676.rb b/controls/V-38676.rb index 3a64efe..1251455 100644 --- a/controls/V-38676.rb +++ b/controls/V-38676.rb 
@@ -1,16 +1,16 @@ -control "V-38676" do +control 'V-38676' do title "The xorg-x11-server-common (X Windows) package must not be installed, unless required." desc "Unnecessary packages should not be installed to decrease the attack surface of the system." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38676" - tag "rid": "SV-50477r2_rule" - tag "stig_id": "RHEL-06-000291" - tag "fix_id": "F-43625r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38676' + tag "rid": 'SV-50477r2_rule' + tag "stig_id": 'RHEL-06-000291' + tag "fix_id": 'F-43625r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -38,8 +38,7 @@ # yum groupremove \"X Window System\"" - describe package("xorg-x11-server-common") do + describe package('xorg-x11-server-common') do it { should_not be_installed } end end - diff --git a/controls/V-38677.rb b/controls/V-38677.rb index c75300a..4c4e998 100644 --- a/controls/V-38677.rb +++ b/controls/V-38677.rb @@ -1,15 +1,15 @@ -control "V-38677" do - title "The NFS server must not have the insecure file locking option enabled." +control 'V-38677' do + title 'The NFS server must not have the insecure file locking option enabled.' desc "Allowing insecure file locking could allow for sensitive data to be viewed or edited by an unauthorized user." impact 0.7 - tag "gtitle": "SRG-OS-000104" - tag "gid": "V-38677" - tag "rid": "SV-50478r1_rule" - tag "stig_id": "RHEL-06-000309" - tag "fix_id": "F-43626r1_fix" - tag "cci": ["CCI-000764"] - tag "nist": ["IA-2", "Rev_4"] + tag "gtitle": 'SRG-OS-000104' + tag "gid": 'V-38677' + tag "rid": 'SV-50478r1_rule' + tag "stig_id": 'RHEL-06-000309' + tag "fix_id": 'F-43626r1_fix' + tag "cci": ['CCI-000764'] + tag "nist": ['IA-2', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -37,8 +37,7 @@ data for which it does not have authorization. Remove any instances of the \"insecure_locks\" option from the file \"/etc/exports\"." - describe file("/etc/exports") do - its("content") { should_not match(/^[^#]*insecure_locks.*$/) } + describe file('/etc/exports') do + its('content') { should_not match(/^[^#]*insecure_locks.*$/) } end end - diff --git a/controls/V-38678.rb b/controls/V-38678.rb index a29ac29..2f23be8 100644 --- a/controls/V-38678.rb +++ b/controls/V-38678.rb @@ -1,17 +1,17 @@ -control "V-38678" do +control 'V-38678' do title "The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity." desc "Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption." impact 0.5 - tag "gtitle": "SRG-OS-000048" - tag "gid": "V-38678" - tag "rid": "SV-50479r2_rule" - tag "stig_id": "RHEL-06-000311" - tag "fix_id": "F-43627r2_fix" - tag "cci": ["CCI-000143"] - tag "nist": ["AU-5 (1)", "Rev_4"] + tag "gtitle": 'SRG-OS-000048' + tag "gid": 'V-38678' + tag "rid": 'SV-50479r2_rule' + tag "stig_id": 'RHEL-06-000311' + tag "fix_id": 'F-43627r2_fix' + tag "cci": ['CCI-000143'] + tag "nist": ['AU-5 (1)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -22,7 +22,7 @@ tag "mitigation_controls": nil tag "responsibility": nil tag "ia_controls": nil - tag "check": "Inspect \"/etc/audit/auditd.conf\" and locate the following + tag "check": "Review the \"/etc/audit/auditd.conf\" and locate the following line to determine whether the system is configured to email the administrator when disk space is starting to run low: 
@@ -33,7 +33,9 @@ If the \"num_megabytes\" value does not correspond to a documented value for remaining audit partition capacity or if there is no locally documented value -for remaining audit partition capacity, this is a finding." +for remaining audit partition capacity, this is a finding. + If the value of the \"space_left\" keyword is not set to 25 percent of the +total partition size, this is a finding." tag "fix": "The \"auditd\" service can be configured to take an action when disk space starts to run low. Edit the file \"/etc/audit/auditd.conf\". Modify the following line, substituting [num_megabytes] appropriately: @@ -45,8 +47,27 @@ notified with enough time to respond to the situation causing the capacity issues. This value must also be documented locally." - describe parse_config_file('/etc/audit/auditd.conf') do - its('space_left') { should cmp attribute('auditd_space_left') } + describe auditd_conf do + before(:all) do + @audit_log_dir = File.dirname(auditd_conf.log_file) + + if file(@audit_log_dir).directory? + partition_info = command("df -h #{@audit_log_dir}").stdout.split("\n") + + partition_sz_arr = partition_info.last.gsub(/\s+/m, ' ').strip.split(' ') + + # Get partition size in GB + partition_sz = partition_sz_arr[1].delete('G') + + # Convert to MB and get 25% + @exp_space_left = partition_sz.to_i * 1024 / 4 + end + end + + it 'should have an audit log directory' do + expect(file(@audit_log_dir).directory?).to be true + end + + its('space_left.to_i') { should be >= @exp_space_left } end end - diff --git a/controls/V-38679.rb b/controls/V-38679.rb index 965cf89..8d08ba2 100644 --- a/controls/V-38679.rb +++ b/controls/V-38679.rb 
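Review bot: In controls/V-38678.rb the new `before(:all)` block takes the partition size from `df -h`, whose size column is scaled per filesystem (for example `500M`, `9.8G`, `1.5T`), yet the code only strips `G` and calls `to_i`. A partition reported in megabytes or terabytes is then read as gigabytes and a fractional value is truncated, so the 25 percent threshold for `space_left` can be far off and the audit-storage warning check can pass or fail for the wrong reason. Asking df for fixed 1 MiB blocks with one line per filesystem (`df -P -m`) removes the unit parsing and also avoids wrapped output for long device names. When the log directory does not exist, `@exp_space_left` stays nil and the final `space_left.to_i` comparison has no valid operand, so that case probably needs an explicit failure or skip.

```ruby
  describe auditd_conf do
    before(:all) do
      @audit_log_dir = File.dirname(auditd_conf.log_file)

      if file(@audit_log_dir).directory?
        # -P keeps each filesystem on one output line; -m reports 1 MiB blocks
        df_fields = command("df -P -m #{@audit_log_dir}").stdout.split("\n").last.to_s.split

        # Column 2 is the partition size in MB; expect 25% of it
        @exp_space_left = df_fields[1].to_i / 4
      end
    end
    # … unchanged: audit log directory example and space_left expectation …
```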
@@ -1,17 +1,17 @@ -control "V-38679" do - title "The DHCP client must be disabled if not needed." +control 'V-38679' do + title 'The DHCP client must be disabled if not needed.' desc "DHCP relies on trusting the local network. If the local network is not trusted, then it should not be used. However, the automatic configuration provided by DHCP is commonly used and the alternative, manual configuration, presents an unacceptable burden in many circumstances." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38679" - tag "rid": "SV-50480r3_rule" - tag "stig_id": "RHEL-06-000292" - tag "fix_id": "F-43628r2_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38679' + tag "rid": 'SV-50480r3_rule' + tag "stig_id": 'RHEL-06-000292' + tag "fix_id": 'F-43628r2_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -51,10 +51,9 @@ IPADDR=[assigned IP address] GATEWAY=[local LAN default gateway]" - command("find /etc/sysconfig/network-scripts -type f -regex .\\*/ifcfg-.\\*").stdout.split.each do |entry| + command('find /etc/sysconfig/network-scripts -type f -regex .\\*/ifcfg-.\\*').stdout.split.each do |entry| describe file(entry) do - its("content") { should match(/^[\s]*BOOTPROTO[\s]*=[\s"]*([^#"\s]*)/) } + its('content') { should match(/^[\s]*BOOTPROTO[\s]*=[\s"]*([^#"\s]*)/) } end end end - diff --git a/controls/V-38680.rb b/controls/V-38680.rb index 4f38cb2..dc2d4ec 100644 --- a/controls/V-38680.rb +++ b/controls/V-38680.rb 
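Review bot: The expectation inside the `ifcfg-*` loop of controls/V-38679.rb only asserts that a `BOOTPROTO` line exists; the capture group `([^#"\s]*)` accepts any value, so an interface configured with `BOOTPROTO=dhcp` still passes a control titled "The DHCP client must be disabled if not needed". The commit only requotes these lines, so the gap predates it, but it can be closed here with a second expectation such as `its('content') { should_not match(/^\s*BOOTPROTO\s*=\s*"?dhcp"?\s*$/i) }`. If the check text outside this hunk restricts the value to specific settings, matching those explicitly would be stricter still.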
@@ -1,16 +1,16 @@ -control "V-38680" do +control 'V-38680' do title "The audit system must identify staff members to receive notifications of audit log storage volume capacity issues." desc "Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action." impact 0.5 - tag "gtitle": "SRG-OS-000046" - tag "gid": "V-38680" - tag "rid": "SV-50481r1_rule" - tag "stig_id": "RHEL-06-000313" - tag "fix_id": "F-43629r1_fix" - tag "cci": ["CCI-000139"] - tag "nist": ["AU-5 a", "Rev_4"] + tag "gtitle": 'SRG-OS-000046' + tag "gid": 'V-38680' + tag "rid": 'SV-50481r1_rule' + tag "stig_id": 'RHEL-06-000313' + tag "fix_id": 'F-43629r1_fix' + tag "cci": ['CCI-000139'] + tag "nist": ['AU-5 a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -37,13 +37,12 @@ action_mail_acct = root" - describe file("/etc/audit/auditd.conf") do - its("content") { should match(/^action_mail_acct\s*=\s*(\S+)\s*$/) } + describe file('/etc/audit/auditd.conf') do + its('content') { should match(/^action_mail_acct\s*=\s*(\S+)\s*$/) } end - file("/etc/audit/auditd.conf").content.to_s.scan(/^action_mail_acct\s*=\s*(\S+)\s*$/).flatten.each do |entry| + file('/etc/audit/auditd.conf').content.to_s.scan(/^action_mail_acct\s*=\s*(\S+)\s*$/).flatten.each do |entry| describe entry do - it { should eq "root" } + it { should eq 'root' } end end end - diff --git a/controls/V-38681.rb b/controls/V-38681.rb index d504d06..ac6d91c 100644 --- a/controls/V-38681.rb +++ b/controls/V-38681.rb 
@@ -1,15 +1,15 @@ -control "V-38681" do - title "All GIDs referenced in /etc/passwd must be defined in /etc/group" +control 'V-38681' do + title 'All GIDs referenced in /etc/passwd must be defined in /etc/group' desc "Inconsistency in GIDs between /etc/passwd and /etc/group could lead to a user having unintended rights." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38681" - tag "rid": "SV-50482r2_rule" - tag "stig_id": "RHEL-06-000294" - tag "fix_id": "F-43630r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38681' + tag "rid": 'SV-50482r2_rule' + tag "stig_id": 'RHEL-06-000294' + tag "fix_id": 'F-43630r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -34,4 +34,3 @@ its('stdout.strip') { should be_empty } end end - diff --git a/controls/V-38682.rb b/controls/V-38682.rb index b27a7ca..b807020 100644 --- a/controls/V-38682.rb +++ b/controls/V-38682.rb @@ -1,16 +1,16 @@ -control "V-38682" do - title "The Bluetooth kernel module must be disabled." +control 'V-38682' do + title 'The Bluetooth kernel module must be disabled.' desc "If Bluetooth functionality must be disabled, preventing the kernel from loading the kernel module provides an additional safeguard against its activation." impact 0.5 - tag "gtitle": "SRG-OS-000034" - tag "gid": "V-38682" - tag "rid": "SV-50483r5_rule" - tag "stig_id": "RHEL-06-000315" - tag "fix_id": "F-43631r3_fix" - tag "cci": ["CCI-000085"] - tag "nist": ["AC-19 c", "Rev_4"] + tag "gtitle": 'SRG-OS-000034' + tag "gid": 'V-38682' + tag "rid": 'SV-50483r5_rule' + tag "stig_id": 'RHEL-06-000315' + tag "fix_id": 'F-43631r3_fix' + tag "cci": ['CCI-000085'] + tag "nist": ['AC-19 c', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -53,12 +53,11 @@ install net-pf-31 /bin/true install bluetooth /bin/true" - describe command("grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d | grep -i \"/bin/true\" | grep -v \"#\"") do + describe command('grep -r bluetooth /etc/modprobe.conf /etc/modprobe.d | grep -i "/bin/true" | grep -v "#"') do its('stdout.strip') { should_not be_empty } end - describe command("grep -r net-pf-31 /etc/modprobe.conf /etc/modprobe.d | grep -i \"/bin/true\" | grep -v \"#\"") do + describe command('grep -r net-pf-31 /etc/modprobe.conf /etc/modprobe.d | grep -i "/bin/true" | grep -v "#"') do its('stdout.strip') { should_not be_empty } end end - diff --git a/controls/V-38683.rb b/controls/V-38683.rb index 329313d..1b0a4aa 100644 --- a/controls/V-38683.rb +++ b/controls/V-38683.rb @@ -1,14 +1,14 @@ -control "V-38683" do - title "All accounts on the system must have unique user or account names" - desc "Unique usernames allow for accountability on the system." +control 'V-38683' do + title 'All accounts on the system must have unique user or account names' + desc 'Unique usernames allow for accountability on the system.' impact 0.3 - tag "gtitle": "SRG-OS-000121" - tag "gid": "V-38683" - tag "rid": "SV-50484r1_rule" - tag "stig_id": "RHEL-06-000296" - tag "fix_id": "F-43632r1_fix" - tag "cci": ["CCI-000804"] - tag "nist": ["IA-8", "Rev_4"] + tag "gtitle": 'SRG-OS-000121' + tag "gid": 'V-38683' + tag "rid": 'SV-50484r1_rule' + tag "stig_id": 'RHEL-06-000296' + tag "fix_id": 'F-43632r1_fix' + tag "cci": ['CCI-000804'] + tag "nist": ['IA-8', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -25,10 +25,9 @@ If there are no duplicate names, no line will be returned. If a line is returned, this is a finding." - tag "fix": "Change usernames, or delete accounts, so each has a unique name." + tag "fix": 'Change usernames, or delete accounts, so each has a unique name.' - describe command("pwck -rq") do + describe command('pwck -rq') do its('stdout.strip') { should be_empty } end end - diff --git a/controls/V-38684.rb b/controls/V-38684.rb index 9be66c5..c5159e3 100644 --- a/controls/V-38684.rb +++ b/controls/V-38684.rb @@ -1,4 +1,4 @@ -control "V-38684" do +control 'V-38684' do title "The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements." desc "Limiting simultaneous user logins can insulate the system from denial @@ -6,13 +6,13 @@ operating improperly or maliciously may result in an exceptional number of simultaneous login sessions." impact 0.3 - tag "gtitle": "SRG-OS-000027" - tag "gid": "V-38684" - tag "rid": "SV-50485r2_rule" - tag "stig_id": "RHEL-06-000319" - tag "fix_id": "F-43633r1_fix" - tag "cci": ["CCI-000054"] - tag "nist": ["AC-10", "Rev_4"] + tag "gtitle": 'SRG-OS-000027' + tag "gid": 'V-38684' + tag "rid": 'SV-50485r2_rule' + tag "stig_id": 'RHEL-06-000319' + tag "fix_id": 'F-43633r1_fix' + tag "cci": ['CCI-000054'] + tag "nist": ['AC-10', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -47,4 +47,3 @@ its('*') { should include ['hard', 'maxlogins', attribute('maxlogins').to_s] } end end - diff --git a/controls/V-38685.rb b/controls/V-38685.rb index 49b72fc..6e45a8d 100644 --- a/controls/V-38685.rb +++ b/controls/V-38685.rb 
@@ -1,16 +1,16 @@ -control "V-38685" do - title "Temporary accounts must be provisioned with an expiration date." +control 'V-38685' do + title 'Temporary accounts must be provisioned with an expiration date.' desc "When temporary accounts are created, there is a risk they may remain in place and active after the need for them no longer exists. Account expiration greatly reduces the risk of accounts being misused or hijacked." impact 0.3 - tag "gtitle": "SRG-OS-000002" - tag "gid": "V-38685" - tag "rid": "SV-50486r1_rule" - tag "stig_id": "RHEL-06-000297" - tag "fix_id": "F-43634r1_fix" - tag "cci": ["CCI-000016"] - tag "nist": ["AC-2 (2)", "Rev_4"] + tag "gtitle": 'SRG-OS-000002' + tag "gid": 'V-38685' + tag "rid": 'SV-50486r1_rule' + tag "stig_id": 'RHEL-06-000297' + tag "fix_id": 'F-43634r1_fix' + tag "cci": ['CCI-000016'] + tag "nist": ['AC-2 (2)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -41,15 +41,14 @@ temporary_accounts = attribute('temporary_accounts') if temporary_accounts.empty? - describe "Temporary accounts" do + describe 'Temporary accounts' do it { should_be empty } end else temporary_accounts.each do |acct| describe command("chage -l #{acct} | grep 'Account expires'") do - its('stdout.strip') { should_not match %r{:\s*never} } + its('stdout.strip') { should_not match /:\s*never/ } end end end end - diff --git a/controls/V-38686.rb b/controls/V-38686.rb index 6a42f6a..99520ff 100644 --- a/controls/V-38686.rb +++ b/controls/V-38686.rb @@ -1,4 +1,4 @@ -control "V-38686" do +control 'V-38686' do title "The systems local firewall must implement a deny-all, allow-by-exception policy for forwarded packets." desc "In \"iptables\" the default policy is applied only after all the 
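Review bot: The context line `it { should_be empty }` in the `temporary_accounts.empty?` branch of controls/V-38685.rb is not a matcher call; as far as I know neither RSpec nor InSpec defines `should_be`, so that branch raises instead of reporting a result, and the describe subject is the literal string rather than the account list. Something like `subject { temporary_accounts }` followed by `it { should be_empty }` would express the intended check, and the same line appears in the V-38690 hunk for `emergency_accounts`. The new `should_not match /:\s*never/` replaces the `%r{}` form without adding parentheses, which Ruby reports as an ambiguous regexp literal; `should_not match(/:\s*never/)` follows the style of the file-content checks elsewhere in this commit. That second point also applies to the changed `match` lines in V-38686, V-38690 and V-38693. The control block starts above this hunk.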
@@ -6,13 +6,13 @@ policy to \"DROP\" implements proper design for a firewall, i.e., any packets which are not explicitly permitted should not be accepted." impact 0.5 - tag "gtitle": "SRG-OS-000147" - tag "gid": "V-38686" - tag "rid": "SV-50487r2_rule" - tag "stig_id": "RHEL-06-000320" - tag "fix_id": "F-43635r1_fix" - tag "cci": ["CCI-001109"] - tag "nist": ["SC-7 (5)", "Rev_4"] + tag "gtitle": 'SRG-OS-000147' + tag "gid": 'V-38686' + tag "rid": 'SV-50487r2_rule' + tag "stig_id": 'RHEL-06-000320' + tag "fix_id": 'F-43635r1_fix' + tag "cci": ['CCI-001109'] + tag "nist": ['SC-7 (5)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -39,8 +39,7 @@ :FORWARD DROP [0:0]" - describe command("iptables -nvL | grep -i forward") do - its('stdout.strip') { should match %r{Chain FORWARD \(policy DROP} } + describe command('iptables -nvL | grep -i forward') do + its('stdout.strip') { should match /Chain FORWARD \(policy DROP/ } end end - diff --git a/controls/V-38687.rb b/controls/V-38687.rb index aaf4d3c..4785366 100644 --- a/controls/V-38687.rb +++ b/controls/V-38687.rb @@ -1,17 +1,17 @@ -control "V-38687" do +control 'V-38687' do title "The system must provide VPN connectivity for communications over untrusted networks." desc "Providing the ability for remote users or systems to initiate a secure VPN connection protects information when it is transmitted over a wide area network." impact 0.3 - tag "gtitle": "SRG-OS-000160" - tag "gid": "V-38687" - tag "rid": "SV-50488r3_rule" - tag "stig_id": "RHEL-06-000321" - tag "fix_id": "F-43636r2_fix" - tag "cci": ["CCI-001130"] - tag "nist": ["SC-9", "Rev_4"] + tag "gtitle": 'SRG-OS-000160' + tag "gid": 'V-38687' + tag "rid": 'SV-50488r3_rule' + tag "stig_id": 'RHEL-06-000321' + tag "fix_id": 'F-43636r2_fix' + tag "cci": ['CCI-001130'] + tag "nist": ['SC-9', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -38,8 +38,7 @@ # yum install libreswan " - describe package("libreswan") do + describe package('libreswan') do it { should be_installed } end end - diff --git a/controls/V-38688.rb b/controls/V-38688.rb index c3f1455..577a13c 100644 --- a/controls/V-38688.rb +++ b/controls/V-38688.rb @@ -1,16 +1,16 @@ -control "V-38688" do +control 'V-38688' do title "A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts." desc "An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers." impact 0.5 - tag "gtitle": "SRG-OS-000024" - tag "gid": "V-38688" - tag "rid": "SV-50489r3_rule" - tag "stig_id": "RHEL-06-000324" - tag "fix_id": "F-43637r2_fix" - tag "cci": ["CCI-000050"] - tag "nist": ["AC-8 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000024' + tag "gid": 'V-38688' + tag "rid": 'SV-50489r3_rule' + tag "stig_id": 'RHEL-06-000324' + tag "fix_id": 'F-43637r2_fix' + tag "cci": ['CCI-000050'] + tag "nist": ['AC-8 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -44,14 +44,13 @@ also be set." if package('GConf2').installed? - describe command("gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_enable") do + describe command('gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_enable') do its('stdout.strip') { should eq 'true' } end else impact 0.0 - describe "Package GConf2 not installed" do - skip "Package GConf2 not installed, this control Not Applicable" + describe 'Package GConf2 not installed' do + skip 'Package GConf2 not installed, this control Not Applicable' end end end - diff --git a/controls/V-38689.rb b/controls/V-38689.rb index 3cd1144..fb67bf9 100644 --- a/controls/V-38689.rb +++ b/controls/V-38689.rb 
@@ -1,19 +1,19 @@ -control "V-38689" do +control 'V-38689' do title "The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts." desc "An appropriate warning message reinforces policy awareness during the logon process and facilitates possible legal action against attackers." impact 0.5 - tag "gtitle": "SRG-OS-000228" - tag "gid": "V-38689" - tag "rid": "SV-50490r5_rule" - tag "stig_id": "RHEL-06-000326" - tag "fix_id": "F-43638r5_fix" - tag "cci": ["CCI-001384", "CCI-001385", "CCI-001386", "CCI-001387", -"CCI-001388"] - tag "nist": ["AC-8 c 1", "AC-8 c 2", "AC-8 c 2", "AC-8 c 2", "AC-8 c 3", -"Rev_4"] + tag "gtitle": 'SRG-OS-000228' + tag "gid": 'V-38689' + tag "rid": 'SV-50490r5_rule' + tag "stig_id": 'RHEL-06-000326' + tag "fix_id": 'F-43638r5_fix' + tag "cci": ['CCI-001384', 'CCI-001385', 'CCI-001386', 'CCI-001387', + 'CCI-001388'] + tag "nist": ['AC-8 c 1', 'AC-8 c 2', 'AC-8 c 2', 'AC-8 c 2', 'AC-8 c 3', + 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -104,16 +104,15 @@ file can later be edited directly if necessary." if package('GConf2').installed? - banner_text = command("gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_text").stdout.strip.gsub(%r{[\r\n\s]}, '') - describe "gconf2 banner text" do + banner_text = command('gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/banner_message_text').stdout.strip.gsub(/[\r\n\s]/, '') + describe 'gconf2 banner text' do subject { banner_text } - it { should eq attribute('banner_text').gsub(%r{[\r\n\s]}, '') } + it { should eq attribute('banner_text').gsub(/[\r\n\s]/, '') } end else impact 0.0 - describe "Package GConf2 not installed" do - skip "Package GConf2 not installed, this control Not Applicable" + describe 'Package GConf2 not installed' do + skip 'Package GConf2 not installed, this control Not Applicable' end end end - diff --git a/controls/V-38690.rb b/controls/V-38690.rb index 30467b1..00e3cd9 100644 --- a/controls/V-38690.rb +++ b/controls/V-38690.rb 
@@ -1,17 +1,16 @@ -control "V-38690" do - title "Emergency accounts must be provisioned with an expiration date. -" +control 'V-38690' do + title "Emergency accounts must be provisioned with an expiration date.\n" desc "When emergency accounts are created, there is a risk they may remain in place and active after the need for them no longer exists. Account expiration greatly reduces the risk of accounts being misused or hijacked." impact 0.3 - tag "gtitle": "SRG-OS-000123" - tag "gid": "V-38690" - tag "rid": "SV-50491r1_rule" - tag "stig_id": "RHEL-06-000298" - tag "fix_id": "F-43639r1_fix" - tag "cci": ["CCI-001682"] - tag "nist": ["AC-2 (2)", "Rev_4"] + tag "gtitle": 'SRG-OS-000123' + tag "gid": 'V-38690' + tag "rid": 'SV-50491r1_rule' + tag "stig_id": 'RHEL-06-000298' + tag "fix_id": 'F-43639r1_fix' + tag "cci": ['CCI-001682'] + tag "nist": ['AC-2 (2)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -42,15 +41,14 @@ emergency_accounts = attribute('emergency_accounts') if emergency_accounts.empty? - describe "Emergency accounts" do + describe 'Emergency accounts' do it { should_be empty } end else emergency_accounts.each do |acct| describe command("chage -l #{acct} | grep 'Account expires'") do - its('stdout.strip') { should_not match %r{:\s*never} } + its('stdout.strip') { should_not match /:\s*never/ } end end end end - diff --git a/controls/V-38691.rb b/controls/V-38691.rb index 4023883..e7b8eaa 100644 --- a/controls/V-38691.rb +++ b/controls/V-38691.rb 
@@ -1,17 +1,17 @@ -control "V-38691" do - title "The Bluetooth service must be disabled." +control 'V-38691' do + title 'The Bluetooth service must be disabled.' desc "Disabling the \"bluetooth\" service prevents the system from attempting connections to Bluetooth devices, which entails some security risk. Nevertheless, variation in this risk decision may be expected due to the utility of Bluetooth connectivity and its limited range." impact 0.5 - tag "gtitle": "SRG-OS-000034" - tag "gid": "V-38691" - tag "rid": "SV-50492r2_rule" - tag "stig_id": "RHEL-06-000331" - tag "fix_id": "F-43640r1_fix" - tag "cci": ["CCI-000085"] - tag "nist": ["AC-19 c", "Rev_4"] + tag "gtitle": 'SRG-OS-000034' + tag "gid": 'V-38691' + tag "rid": 'SV-50492r2_rule' + tag "stig_id": 'RHEL-06-000331' + tag "fix_id": 'F-43640r1_fix' + tag "cci": ['CCI-000085'] + tag "nist": ['AC-19 c', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -44,26 +44,25 @@ # service bluetooth stop" - describe service("bluetooth").runlevels(/0/) do + describe service('bluetooth').runlevels(/0/) do it { should_not be_enabled } end - describe service("bluetooth").runlevels(/1/) do + describe service('bluetooth').runlevels(/1/) do it { should_not be_enabled } end - describe service("bluetooth").runlevels(/2/) do + describe service('bluetooth').runlevels(/2/) do it { should_not be_enabled } end - describe service("bluetooth").runlevels(/3/) do + describe service('bluetooth').runlevels(/3/) do it { should_not be_enabled } end - describe service("bluetooth").runlevels(/4/) do + describe service('bluetooth').runlevels(/4/) do it { should_not be_enabled } end - describe service("bluetooth").runlevels(/5/) do + describe service('bluetooth').runlevels(/5/) do it { should_not be_enabled } end - describe service("bluetooth").runlevels(/6/) do + describe service('bluetooth').runlevels(/6/) do it { should_not be_enabled } end end - 
diff --git a/controls/V-38692.rb b/controls/V-38692.rb index e538a1d..330451e 100644 --- a/controls/V-38692.rb +++ b/controls/V-38692.rb @@ -1,16 +1,16 @@ -control "V-38692" do - title "Accounts must be locked upon 35 days of inactivity." +control 'V-38692' do + title 'Accounts must be locked upon 35 days of inactivity.' desc "Disabling inactive accounts ensures that accounts which may not have been responsibly removed are not available to attackers who may have compromised their credentials." impact 0.3 - tag "gtitle": "GEN006660" - tag "gid": "V-38692" - tag "rid": "SV-50493r1_rule" - tag "stig_id": "RHEL-06-000334" - tag "fix_id": "F-43641r2_fix" - tag "cci": ["CCI-000017"] - tag "nist": ["AC-2 (3)", "Rev_4"] + tag "gtitle": 'GEN006660' + tag "gid": 'V-38692' + tag "rid": 'SV-50493r1_rule' + tag "stig_id": 'RHEL-06-000334' + tag "fix_id": 'F-43641r2_fix' + tag "cci": ['CCI-000017'] + tag "nist": ['AC-2 (3)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -49,18 +49,17 @@ incurs support costs and also has the potential to impact availability of the system to legitimate users." - describe file("/etc/default/useradd") do - its("content") { should match(/^\s*INACTIVE\s*=\s*(\d+)\s*$/) } + describe file('/etc/default/useradd') do + its('content') { should match(/^\s*INACTIVE\s*=\s*(\d+)\s*$/) } end - file("/etc/default/useradd").content.to_s.scan(/^\s*INACTIVE\s*=\s*(\d+)\s*$/).flatten.each do |entry| + file('/etc/default/useradd').content.to_s.scan(/^\s*INACTIVE\s*=\s*(\d+)\s*$/).flatten.each do |entry| describe entry do it { should cmp <= 35 } end end - file("/etc/default/useradd").content.to_s.scan(/^\s*INACTIVE\s*=\s*(\d+)\s*$/).flatten.each do |entry| + file('/etc/default/useradd').content.to_s.scan(/^\s*INACTIVE\s*=\s*(\d+)\s*$/).flatten.each do |entry| describe entry do it { should cmp > -1 } end end end - diff --git a/controls/V-38693.rb b/controls/V-38693.rb index d7713ef..8130662 100644 --- a/controls/V-38693.rb 
+++ b/controls/V-38693.rb @@ -1,16 +1,16 @@ -control "V-38693" do +control 'V-38693' do title "The system must require passwords to contain no more than three consecutive repeating characters." desc "Passwords with excessive repeating characters may be more vulnerable to password-guessing attacks." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38693" - tag "rid": "SV-50494r3_rule" - tag "stig_id": "RHEL-06-000299" - tag "fix_id": "F-43642r3_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38693' + tag "rid": 'SV-50494r3_rule' + tag "stig_id": 'RHEL-06-000299' + tag "fix_id": 'F-43642r3_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -40,7 +40,7 @@ password required pam_cracklib.so maxrepeat=3 " - pam_files = ["/etc/pam.d/system-auth", "/etc/pam.d/password-auth"] + pam_files = ['/etc/pam.d/system-auth', '/etc/pam.d/password-auth'] pam_files.each do |pam_file| lines = command("grep pam_cracklib #{pam_file}").stdout.strip.split("\n") describe "pam_cracklib lines in #{pam_file}" do @@ -50,9 +50,8 @@ lines.each do |l| describe l do - it { should match %r{\bmaxrepeat=([3-9]|[1-9][0-9]+)\b} } + it { should match /\bmaxrepeat=([3-9]|[1-9][0-9]+)\b/ } end end end end - diff --git a/controls/V-38694.rb b/controls/V-38694.rb index bd650a2..2713453 100644 --- a/controls/V-38694.rb +++ b/controls/V-38694.rb @@ -1,4 +1,4 @@ -control "V-38694" do +control 'V-38694' do title "The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity." 
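Review bot: The pattern in `it { should match /\bmaxrepeat=([3-9]|[1-9][0-9]+)\b/ }` in controls/V-38693.rb accepts a `maxrepeat` of 3 or anything larger, while the control title requires no more than three consecutive repeating characters and the fix text sets `maxrepeat=3`. A line with `maxrepeat=50` therefore passes even though it permits much longer runs of the same character. Restricting the accepted range, `it { should match(/\bmaxrepeat=[1-3]\b/) }`, would align the test with the stated requirement and add the parentheses Ruby expects around a regexp argument. The `pam_files.each` loop begins in the previous hunk and the control starts outside both.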
@@ -6,13 +6,13 @@ been responsibly removed are not available to attackers who may have compromised their credentials." impact 0.3 - tag "gtitle": "SRG-OS-000118" - tag "gid": "V-38694" - tag "rid": "SV-50495r1_rule" - tag "stig_id": "RHEL-06-000335" - tag "fix_id": "F-43643r2_fix" - tag "cci": ["CCI-000795"] - tag "nist": ["IA-4 e", "Rev_4"] + tag "gtitle": 'SRG-OS-000118' + tag "gid": 'V-38694' + tag "rid": 'SV-50495r1_rule' + tag "stig_id": 'RHEL-06-000335' + tag "fix_id": 'F-43643r2_fix' + tag "cci": ['CCI-000795'] + tag "nist": ['IA-4 e', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -51,18 +51,17 @@ incurs support costs and also has the potential to impact availability of the system to legitimate users." - describe file("/etc/default/useradd") do - its("content") { should match(/^\s*INACTIVE\s*=\s*(\d+)\s*$/) } + describe file('/etc/default/useradd') do + its('content') { should match(/^\s*INACTIVE\s*=\s*(\d+)\s*$/) } end - file("/etc/default/useradd").content.to_s.scan(/^\s*INACTIVE\s*=\s*(\d+)\s*$/).flatten.each do |entry| + file('/etc/default/useradd').content.to_s.scan(/^\s*INACTIVE\s*=\s*(\d+)\s*$/).flatten.each do |entry| describe entry do it { should cmp <= 35 } end end - file("/etc/default/useradd").content.to_s.scan(/^\s*INACTIVE\s*=\s*(\d+)\s*$/).flatten.each do |entry| + file('/etc/default/useradd').content.to_s.scan(/^\s*INACTIVE\s*=\s*(\d+)\s*$/).flatten.each do |entry| describe entry do it { should cmp > -1 } end end end - diff --git a/controls/V-38695.rb b/controls/V-38695.rb index c6ac88f..1dc14dc 100644 --- a/controls/V-38695.rb +++ b/controls/V-38695.rb @@ -1,4 +1,4 @@ -control "V-38695" do +control 'V-38695' do title "A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system 
@@ -6,13 +6,13 @@ desc "By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files." impact 0.5 - tag "gtitle": "SRG-OS-000094" - tag "gid": "V-38695" - tag "rid": "SV-50496r2_rule" - tag "stig_id": "RHEL-06-000302" - tag "fix_id": "F-43644r1_fix" - tag "cci": ["CCI-000374"] - tag "nist": ["CM-6 (2)", "Rev_4"] + tag "gtitle": 'SRG-OS-000094' + tag "gid": 'V-38695' + tag "rid": 'SV-50496r2_rule' + tag "stig_id": 'RHEL-06-000302' + tag "fix_id": 'F-43644r1_fix' + tag "cci": ['CCI-000374'] + tag "nist": ['CM-6 (2)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -42,4 +42,3 @@ its('stdout.strip') { should_not be_empty } end end - diff --git a/controls/V-38696.rb b/controls/V-38696.rb index 412c249..f18594b 100644 --- a/controls/V-38696.rb +++ b/controls/V-38696.rb @@ -1,17 +1,17 @@ -control "V-38696" do +control 'V-38696' do title "The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system." desc "By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files." impact 0.5 - tag "gtitle": "SRG-OS-000098" - tag "gid": "V-38696" - tag "rid": "SV-50497r2_rule" - tag "stig_id": "RHEL-06-000303" - tag "fix_id": "F-43645r1_fix" - tag "cci": ["CCI-000416"] - tag "nist": ["CM-8 (3) (a)", "Rev_4"] + tag "gtitle": 'SRG-OS-000098' + tag "gid": 'V-38696' + tag "rid": 'SV-50497r2_rule' + tag "stig_id": 'RHEL-06-000303' + tag "fix_id": 'F-43645r1_fix' + tag "cci": ['CCI-000416'] + tag "nist": ['CM-8 (3) (a)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -41,4 +41,3 @@ its('stdout.strip') { should_not be_empty } end end - diff --git a/controls/V-38697.rb b/controls/V-38697.rb index 4953743..2544757 100644 
--- a/controls/V-38697.rb +++ b/controls/V-38697.rb @@ -1,5 +1,5 @@ -control "V-38697" do - title "The sticky bit must be set on all public directories." +control 'V-38697' do + title 'The sticky bit must be set on all public directories.' desc "Failing to set the sticky bit on public directories allows unauthorized users to delete files in the directory structure. @@ -10,13 +10,13 @@ global read/write access. " impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38697" - tag "rid": "SV-50498r2_rule" - tag "stig_id": "RHEL-06-000336" - tag "fix_id": "F-43646r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38697' + tag "rid": 'SV-50498r2_rule' + tag "stig_id": 'RHEL-06-000336' + tag "fix_id": 'F-43646r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -49,9 +49,8 @@ # chmod +t [DIR]" dirs = command(%(find / -xautofs -noleaf -wholename '/proc' -prune -o -wholename '/sys' -prune -o -wholename '/dev' -prune -o -wholename '/selinux' -prune -o -type d -perm -002 \\! -perm -1000 -print)) - describe "World-writable directories lacking sticky bit" do + describe 'World-writable directories lacking sticky bit' do subject { dirs.stdout.strip.split("\n") } it { should be_empty } end end - diff --git a/controls/V-38698.rb b/controls/V-38698.rb index 503d1d1..6b75abc 100644 --- a/controls/V-38698.rb +++ b/controls/V-38698.rb @@ -1,4 +1,4 @@ -control "V-38698" do +control 'V-38698' do title "The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization 
@@ -6,13 +6,13 @@ desc "By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files." impact 0.5 - tag "gtitle": "SRG-OS-000232" - tag "gid": "V-38698" - tag "rid": "SV-50499r2_rule" - tag "stig_id": "RHEL-06-000304" - tag "fix_id": "F-43647r1_fix" - tag "cci": ["CCI-001069"] - tag "nist": ["RA-5 (7)", "Rev_4"] + tag "gtitle": 'SRG-OS-000232' + tag "gid": 'V-38698' + tag "rid": 'SV-50499r2_rule' + tag "stig_id": 'RHEL-06-000304' + tag "fix_id": 'F-43647r1_fix' + tag "cci": ['CCI-001069'] + tag "nist": ['RA-5 (7)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -42,4 +42,3 @@ its('stdout.strip') { should_not be_empty } end end - diff --git a/controls/V-38699.rb b/controls/V-38699.rb index 9e54a4e..c68d403 100644 --- a/controls/V-38699.rb +++ b/controls/V-38699.rb @@ -1,16 +1,16 @@ -control "V-38699" do - title "All public directories must be owned by a system account." +control 'V-38699' do + title 'All public directories must be owned by a system account.' desc "Allowing a user account to own a world-writable directory is undesirable because it allows the owner of that directory to remove or replace any files that may be placed in the directory by other users." impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38699" - tag "rid": "SV-50500r2_rule" - tag "stig_id": "RHEL-06-000337" - tag "fix_id": "F-43648r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38699' + tag "rid": 'SV-50500r2_rule' + tag "stig_id": 'RHEL-06-000337' + tag "fix_id": 'F-43648r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -37,9 +37,8 @@ group." dirs = command(%(find / -xautofs -noleaf -wholename '/proc' -prune -o -wholename '/sys' -prune -o -wholename '/dev' -prune -o -wholename '/selinux' -prune -o -type d -perm -0002 -uid +499 -print)) - describe "World-writable directories not owned by system account" do + describe 'World-writable directories not owned by system account' do subject { dirs.stdout.strip.split("\n") } it { should be_empty } end end - diff --git a/controls/V-38700.rb b/controls/V-38700.rb index ad12cd9..eafff82 100644 --- a/controls/V-38700.rb +++ b/controls/V-38700.rb @@ -1,17 +1,17 @@ -control "V-38700" do +control 'V-38700' do title "The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs. " desc "By default, AIDE does not install itself for periodic execution. Periodically running AIDE may reveal unexpected changes in installed files." impact 0.5 - tag "gtitle": "SRG-OS-000196" - tag "gid": "V-38700" - tag "rid": "SV-50501r2_rule" - tag "stig_id": "RHEL-06-000305" - tag "fix_id": "F-43649r1_fix" - tag "cci": ["CCI-001263"] - tag "nist": ["SI-4 (5)", "Rev_4"] + tag "gtitle": 'SRG-OS-000196' + tag "gid": 'V-38700' + tag "rid": 'SV-50501r2_rule' + tag "stig_id": 'RHEL-06-000305' + tag "fix_id": 'F-43649r1_fix' + tag "cci": ['CCI-001263'] + tag "nist": ['SI-4 (5)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -41,4 +41,3 @@ its('stdout.strip') { should_not be_empty } end end - diff --git a/controls/V-38701.rb b/controls/V-38701.rb index 94ab136..7cfbcd8 100644 --- a/controls/V-38701.rb +++ b/controls/V-38701.rb 
@@ -1,17 +1,17 @@ -control "V-38701" do +control 'V-38701' do title "The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system." desc "Using the \"-s\" option causes the TFTP service to only serve files from the given directory. Serving files from an intentionally specified directory reduces the risk of sharing files which should remain private." impact 0.7 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-38701" - tag "rid": "SV-50502r1_rule" - tag "stig_id": "RHEL-06-000338" - tag "fix_id": "F-43650r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-38701' + tag "rid": 'SV-50502r1_rule' + tag "stig_id": 'RHEL-06-000338' + tag "fix_id": 'F-43650r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -42,12 +42,11 @@ server_args = -s /var/lib/tftpboot" describe.one do - describe package("tftp-server") do + describe package('tftp-server') do it { should_not be_installed } end - describe file("/etc/xinetd.d/tftp") do - its("content") { should match(/^[\s]*server_args[\s]+=[\s]+\-s[\s]+.+$/) } + describe file('/etc/xinetd.d/tftp') do + its('content') { should match(/^[\s]*server_args[\s]+=[\s]+\-s[\s]+.+$/) } end end end - diff --git a/controls/V-38702.rb b/controls/V-38702.rb index 021e0fa..78ac94c 100644 --- a/controls/V-38702.rb +++ b/controls/V-38702.rb 
@@ -1,17 +1,17 @@ -control "V-38702" do - title "The FTP daemon must be configured for logging or verbose mode." +control 'V-38702' do + title 'The FTP daemon must be configured for logging or verbose mode.' desc "To trace malicious activity facilitated by the FTP service, it must be configured to ensure that all commands sent to the ftp server are logged using the verbose vsftpd log format. The default vsftpd log file is /var/log/vsftpd.log." impact 0.3 - tag "gtitle": "SRG-OS-000037" - tag "gid": "V-38702" - tag "rid": "SV-50503r1_rule" - tag "stig_id": "RHEL-06-000339" - tag "fix_id": "F-43651r1_fix" - tag "cci": ["CCI-000130"] - tag "nist": ["AU-3", "Rev_4"] + tag "gtitle": 'SRG-OS-000037' + tag "gid": 'V-38702' + tag "rid": 'SV-50503r1_rule' + tag "stig_id": 'RHEL-06-000339' + tag "fix_id": 'F-43651r1_fix' + tag "cci": ['CCI-000130'] + tag "nist": ['AU-3', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -54,4 +54,3 @@ its('xferlog_enable') { should eq 'YES' } end end - diff --git a/controls/V-43150.rb b/controls/V-43150.rb index d2f4ee9..77bd63a 100644 --- a/controls/V-43150.rb +++ b/controls/V-43150.rb 
@@ -1,16 +1,16 @@ -control "V-43150" do - title "The login user list must be disabled." +control 'V-43150' do + title 'The login user list must be disabled.' desc "Leaving the user list enabled is a security risk since it allows anyone with physical access to the system to quickly enumerate known user accounts without logging in." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-43150" - tag "rid": "SV-55880r2_rule" - tag "stig_id": "RHEL-06-000527" - tag "fix_id": "F-48722r2_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-43150' + tag "rid": 'SV-55880r2_rule' + tag "stig_id": 'RHEL-06-000527' + tag "fix_id": 'F-48722r2_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -41,14 +41,13 @@ --type bool --set /apps/gdm/simple-greeter/disable_user_list true" if package('GConf2').installed? - describe command("gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/disable_user_list") do + describe command('gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --get /apps/gdm/simple-greeter/disable_user_list') do its('stdout.strip') { should eq 'true' } end else impact 0.0 - describe "Package GConf2 not installed" do - skip "Package GConf2 not installed, this control Not Applicable" + describe 'Package GConf2 not installed' do + skip 'Package GConf2 not installed, this control Not Applicable' end end end - diff --git a/controls/V-51337.rb b/controls/V-51337.rb index 7d4391a..bcbaae1 100644 --- a/controls/V-51337.rb +++ b/controls/V-51337.rb 
@@ -1,16 +1,16 @@ -control "V-51337" do - title "The system must use a Linux Security Module at boot time." +control 'V-51337' do + title 'The system must use a Linux Security Module at boot time.' desc "Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-51337" - tag "rid": "SV-65547r2_rule" - tag "stig_id": "RHEL-06-000017" - tag "fix_id": "F-56147r2_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-51337' + tag "rid": 'SV-65547r2_rule' + tag "stig_id": 'RHEL-06-000017' + tag "fix_id": 'F-56147r2_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -29,8 +29,7 @@ \"/boot/grub/grub.conf\". Remove any instances of \"selinux=0\" from the kernel arguments in that file to prevent SELinux from being disabled at boot. " - describe file("/boot/grub/grub.conf") do - its("content") { should_not match(/^[\s]*kernel[\s]+.*(selinux|enforcing)=0.*$/) } + describe file('/boot/grub/grub.conf') do + its('content') { should_not match(/^[\s]*kernel[\s]+.*(selinux|enforcing)=0.*$/) } end end - diff --git a/controls/V-51363.rb b/controls/V-51363.rb index 1823408..8712b99 100644 --- a/controls/V-51363.rb +++ b/controls/V-51363.rb @@ -1,4 +1,4 @@ -control "V-51363" do +control 'V-51363' do title "The system must use a Linux Security Module configured to enforce limits on system services." desc "Setting the SELinux state to enforcing ensures SELinux is able to 
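Review bot: In the `@@ -29,8 +29,7 @@` hunk of controls/V-51337.rb, the only assertion is a negative one, `its('content') { should_not match(...) }`. If `/boot/grub/grub.conf` is absent or unreadable, its content is presumably nil and the expectation would then pass without any kernel line having been inspected, which is worth confirming with a quick run. Adding `it { should exist }` inside the same `describe file('/boot/grub/grub.conf')` block turns that case into a visible failure instead of a silent pass. The control block starts outside the hunk.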
@@ -6,13 +6,13 @@ designed to prevent them from causing damage to the system or further elevating their privileges. " impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-51363" - tag "rid": "SV-65573r1_rule" - tag "stig_id": "RHEL-06-000020" - tag "fix_id": "F-56165r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-51363' + tag "rid": 'SV-65573r1_rule' + tag "stig_id": 'RHEL-06-000020' + tag "fix_id": 'F-56165r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -35,13 +35,12 @@ SELINUX=enforcing" - describe file("/etc/selinux/config") do - its("content") { should match(/^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$/) } + describe file('/etc/selinux/config') do + its('content') { should match(/^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$/) } end - file("/etc/selinux/config").content.to_s.scan(/^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$/).flatten.each do |entry| + file('/etc/selinux/config').content.to_s.scan(/^[\s]*SELINUX[\s]*=[\s]*(.*)[\s]*$/).flatten.each do |entry| describe entry do - it { should eq "enforcing" } + it { should eq 'enforcing' } end end end - diff --git a/controls/V-51369.rb b/controls/V-51369.rb index d6a48bb..9be89f2 100644 --- a/controls/V-51369.rb +++ b/controls/V-51369.rb 
@@ -1,17 +1,17 @@ -control "V-51369" do +control 'V-51369' do title "The system must use a Linux Security Module configured to limit the privileges of system services." desc "Setting the SELinux policy to \"targeted\" or a more specialized policy ensures the system will confine processes that are likely to be targeted for exploitation, such as network or system services. " impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-51369" - tag "rid": "SV-65579r1_rule" - tag "stig_id": "RHEL-06-000023" - tag "fix_id": "F-56171r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-51369' + tag "rid": 'SV-65579r1_rule' + tag "stig_id": 'RHEL-06-000023' + tag "fix_id": 'F-56171r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -39,13 +39,12 @@ greater confinement but are not compatible with many general-purpose use cases. " - describe file("/etc/selinux/config") do - its("content") { should match(/^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*)/) } + describe file('/etc/selinux/config') do + its('content') { should match(/^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*)/) } end - file("/etc/selinux/config").content.to_s.scan(/^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*)/).flatten.each do |entry| + file('/etc/selinux/config').content.to_s.scan(/^[\s]*SELINUXTYPE[\s]*=[\s]*([^\s]*)/).flatten.each do |entry| describe entry do - it { should eq "targeted" } + it { should eq 'targeted' } end end end - diff --git a/controls/V-51379.rb b/controls/V-51379.rb index a6189dd..d091761 100644 --- a/controls/V-51379.rb +++ b/controls/V-51379.rb 
@@ -1,16 +1,16 @@ -control "V-51379" do +control 'V-51379' do title "All device files must be monitored by the system Linux Security Module." desc "If a device file carries the SELinux type \"unlabeled_t\", then SELinux cannot properly restrict access to the device file. " impact 0.3 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-51379" - tag "rid": "SV-65589r1_rule" - tag "stig_id": "RHEL-06-000025" - tag "fix_id": "F-56179r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-51379' + tag "rid": 'SV-65589r1_rule' + tag "stig_id": 'RHEL-06-000025' + tag "fix_id": 'F-56179r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -33,8 +33,7 @@ files carry the SELinux type \"unlabeled_t\", investigate the cause and correct the file's context. " - describe command("ls -RZ /dev | grep unlabeled_t") do + describe command('ls -RZ /dev | grep unlabeled_t') do its('stdout.strip') { should be_empty } end end - diff --git a/controls/V-51391.rb b/controls/V-51391.rb index b5d19ee..47cd965 100644 --- a/controls/V-51391.rb +++ b/controls/V-51391.rb 
@@ -1,16 +1,16 @@ -control "V-51391" do - title "A file integrity baseline must be created." +control 'V-51391' do + title 'A file integrity baseline must be created.' desc "For AIDE to be effective, an initial database of \"known-good\" information about files must be captured and it should be able to be verified against the installed files. " impact 0.5 - tag "gtitle": "SRG-OS-000232" - tag "gid": "V-51391" - tag "rid": "SV-65601r1_rule" - tag "stig_id": "RHEL-06-000018" - tag "fix_id": "F-56189r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-000232' + tag "gid": 'V-51391' + tag "rid": 'SV-65601r1_rule' + tag "stig_id": 'RHEL-06-000018' + tag "fix_id": 'F-56189r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -54,30 +54,30 @@ database = parse_config_file('/etc/aide.conf').params['database'] if database.nil? - describe "aide.conf database variable" do + describe 'aide.conf database variable' do subject { nil } it { should_not be_nil } end else # find the constants which are used by the database variable defines = database.match('@@{([A-Z,a-z]+)}') - if defines.nil? - defines = [] - else - defines = defines.captures - end + defines = if defines.nil? + [] + else + defines.captures + end # lookup the values of the constants used by the database variable aide_conf_file = file('/etc/aide.conf') defines_map = defines.map do |d| define_match = aide_conf_file.content.match("^\\s*@@define\\s*#{d}\\s*(\\S*)\\s*$") - define_value = if define_match.nil? then nil else define_match.captures[0] end + define_value = define_match.nil? ? nil : define_match.captures[0] [d, define_value] - end.to_h.reject { |k,v| v.nil? } + end.to_h.reject { |_k, v| v.nil? } # substitute the constants names in the database variable with their values - defines_map.each { |k,v| database.gsub!("@@{#{k}}", v) } - database.gsub!(%r{^file:}, '') + defines_map.each { |k, v| database.gsub!("@@{#{k}}", v) } + database.gsub!(/^file:/, '') describe file(database) do it { should exist } @@ -85,4 +85,3 @@ end end end - diff --git a/controls/V-51875.rb b/controls/V-51875.rb index 19ed47a..9f6b939 100644 --- a/controls/V-51875.rb +++ b/controls/V-51875.rb @@ -1,4 +1,4 @@ -control "V-51875" do +control 'V-51875' do title "The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access." 
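Review bot: The lookup `database.match('@@{([A-Z,a-z]+)}')` in this hunk reads only the first `@@{...}` reference, and its character class allows letters and a comma but no digits or underscores. A database path built from a define with such a name, or from two defines, is left unexpanded, so `file(database)` is checked against a literal `@@{...}` path and the control reports a finding on a correctly configured host. `defines = database.scan(/@@\{(\w+)\}/).flatten` collects every reference and returns an empty array when there is none, which also removes the `if defines.nil?` assignment that the auto-correct re-indented. The enclosing `else` branch ends outside the hunk.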
@@ -8,13 +8,13 @@ if any unauthorized activity has occurred and gives them an opportunity to notify administrators. " impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-51875" - tag "rid": "SV-66089r1_rule" - tag "stig_id": "RHEL-06-000372" - tag "fix_id": "F-56701r1_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-51875' + tag "rid": 'SV-66089r1_rule' + tag "stig_id": 'RHEL-06-000372' + tag "fix_id": 'F-56701r1_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -38,8 +38,7 @@ session required pam_lastlog.so showfailed" - describe file("/etc/pam.d/system-auth") do - its("content") { should match(/^\s*session\s+(required|requisite)?\s+pam_lastlog.so[\s\w\d\=]+showfailed/) } + describe file('/etc/pam.d/system-auth') do + its('content') { should match(/^\s*session\s+(required|requisite)?\s+pam_lastlog.so[\s\w\d\=]+showfailed/) } end end - diff --git a/controls/V-54381.rb b/controls/V-54381.rb index b546417..04a5036 100644 --- a/controls/V-54381.rb +++ b/controls/V-54381.rb 
@@ -1,17 +1,17 @@ -control "V-54381" do +control 'V-54381' do title "The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low." desc "Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur. " impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-54381" - tag "rid": "SV-68627r3_rule" - tag "stig_id": "RHEL-06-000163" - tag "fix_id": "F-59235r2_fix" - tag "cci": ["CCI-000366"] - tag "nist": ["CM-6 b", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-54381' + tag "rid": 'SV-68627r3_rule' + tag "stig_id": 'RHEL-06-000163' + tag "fix_id": 'F-59235r2_fix' + tag "cci": ['CCI-000366'] + tag "nist": ['CM-6 b', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -43,13 +43,12 @@ actions, and a different setting should be determined. Details regarding all possible values for [ACTION] are described in the \"auditd.conf\" man page. " - describe file("/etc/audit/auditd.conf") do - its("content") { should match(/^\s*admin_space_left_action[ ]+=[ ]+(\S+)\s*$/) } + describe file('/etc/audit/auditd.conf') do + its('content') { should match(/^\s*admin_space_left_action[ ]+=[ ]+(\S+)\s*$/) } end - file("/etc/audit/auditd.conf").content.to_s.scan(/^\s*admin_space_left_action[ ]+=[ ]+(\S+)\s*$/).flatten.each do |entry| + file('/etc/audit/auditd.conf').content.to_s.scan(/^\s*admin_space_left_action[ ]+=[ ]+(\S+)\s*$/).flatten.each do |entry| describe entry do it { should match(/^(?:[sS][iI][nN][gG][lL][eE]|[sS][uU][sS][pP][eE][nN][dD]|[hH][aA][lL][tT])$/) } end end end - diff --git a/controls/V-57569.rb b/controls/V-57569.rb index 0045afa..23df14d 100644 --- a/controls/V-57569.rb +++ b/controls/V-57569.rb 
@@ -1,16 +1,16 @@ -control "V-57569" do - title "The noexec option must be added to the /tmp partition." +control 'V-57569' do + title 'The noexec option must be added to the /tmp partition.' desc "Allowing users to execute binaries from world-writable directories such as \"/tmp\" should never be necessary in normal operation and can expose the system to potential compromise." impact 0.5 - tag "gtitle": "SRG-OS-999999" - tag "gid": "V-57569" - tag "rid": "SV-71919r1_rule" - tag "stig_id": "RHEL-06-000528" - tag "fix_id": "F-62639r1_fix" - tag "cci": ["CCI-000381"] - tag "nist": ["CM-7 a", "Rev_4"] + tag "gtitle": 'SRG-OS-999999' + tag "gid": 'V-57569' + tag "rid": 'SV-71919r1_rule' + tag "stig_id": 'RHEL-06-000528' + tag "fix_id": 'F-62639r1_fix' + tag "cci": ['CCI-000381'] + tag "nist": ['CM-7 a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -32,16 +32,15 @@ tag "fix": "The \"noexec\" mount option can be used to prevent binaries from being executed out of \"/tmp\". Add the \"noexec\" option to the fourth column of \"/etc/fstab\" for the line which controls mounting of \"/tmp\"." - - # TODO should we check the /dev/shm directory also? + + # TODO: should we check the /dev/shm directory also? if mount('/tmp').mounted? describe mount('/tmp') do its('options') { should include 'noexec' } end else - describe "/tmp partition not found" do - skip "/tmp partition not found, this control must be reviewed manually" + describe '/tmp partition not found' do + skip '/tmp partition not found, this control must be reviewed manually' end end end - diff --git a/controls/V-58901.rb b/controls/V-58901.rb index ff24d36..e87c054 100644 --- a/controls/V-58901.rb +++ b/controls/V-58901.rb 
@@ -1,5 +1,5 @@ -control "V-58901" do - title "The sudo command must require authentication." +control 'V-58901' do + title 'The sudo command must require authentication.' desc "The \"sudo\" command allows authorized users to run programs (including shells) as other users, system users, and root. The \"/etc/sudoers\" file is used to configure authorized \"sudo\" users as well as the programs @@ -8,13 +8,13 @@ these configuration options makes it easier for one compromised account to be used to compromise other accounts." impact 0.5 - tag "gtitle": "SRG-OS-000373" - tag "gid": "V-58901" - tag "rid": "SV-73331r2_rule" - tag "stig_id": "RHEL-06-000529" - tag "fix_id": "F-64285r1_fix" - tag "cci": ["CCI-002038"] - tag "nist": ["IA-11", "Rev_4"] + tag "gtitle": 'SRG-OS-000373' + tag "gid": 'V-58901' + tag "rid": 'SV-73331r2_rule' + tag "stig_id": 'RHEL-06-000529' + tag "fix_id": 'F-64285r1_fix' + tag "cci": ['CCI-002038'] + tag "nist": ['IA-11', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -53,4 +53,3 @@ its('stdout') { should be_empty } end end - diff --git a/controls/V-72817.rb b/controls/V-72817.rb index bead041..4c9d886 100644 --- a/controls/V-72817.rb +++ b/controls/V-72817.rb @@ -1,5 +1,5 @@ -control "V-72817" do - title "Wireless network adapters must be disabled." +control 'V-72817' do + title 'Wireless network adapters must be disabled.' desc "The use of wireless networking can introduce many different attack vectors into the organization's network. Common attack vectors such as malicious association and ad hoc networks will allow an attacker to spoof a 
@@ -8,13 +8,13 @@ These malicious APs can also serve to create a man-in-the-middle attack or be used to create a denial of service to valid network resources." impact 0.5 - tag "gtitle": "RHEL-06-000293" - tag "gid": "V-72817" - tag "rid": "SV-87461r1_rule" - tag "stig_id": "RHEL-06-000293" - tag "fix_id": "F-79233r1_fix" - tag "cci": ["CCI-001443", "CCI-001444", "CCI-002418"] - tag "nist": ["AC-18 (1)", "AC-18 (1)", "SC-8", "Rev_4"] + tag "gtitle": 'RHEL-06-000293' + tag "gid": 'V-72817' + tag "rid": 'SV-87461r1_rule' + tag "stig_id": 'RHEL-06-000293' + tag "fix_id": 'F-79233r1_fix' + tag "cci": ['CCI-001443', 'CCI-001444', 'CCI-002418'] + tag "nist": ['AC-18 (1)', 'AC-18 (1)', 'SC-8', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -59,12 +59,12 @@ If a wireless interface is configured and has not been documented and approved, this is a finding. " - tag "fix": "Configure the system to disable all wireless network interfaces." + tag "fix": 'Configure the system to disable all wireless network interfaces.' wlans = command('ls /sys/class/net').stdout.split.select { |e| e.start_with? 'wlan' } if wlans.empty? - describe "No wlan interfaces exist" do + describe 'No wlan interfaces exist' do subject { true } it { should eq true } end @@ -76,4 +76,3 @@ end end end - diff --git a/controls/V-81441.rb b/controls/V-81441.rb index 95f3b4e..a35c173 100644 --- a/controls/V-81441.rb +++ b/controls/V-81441.rb @@ -1,4 +1,4 @@ -control "V-81441" do +control 'V-81441' do title "The audit system must be configured to audit all attempts to alter system time through adjtimex." desc "Arbitrary changes to the system time can be used to obfuscate 
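Review bot: In the `@@ -59,12 +59,12 @@` hunk, wireless adapters are found by name only, `select { |e| e.start_with? 'wlan' }`. An adapter that udev rules or the driver give a different name would not be listed, and the control would then pass through the 'No wlan interfaces exist' branch. Selecting the entries of `/sys/class/net` that have a `wireless` subdirectory identifies them by type rather than by name; that this directory is present on the RHEL 6 kernel should be confirmed before relying on it. A comment above `wlans = ...` stating the naming assumption would help if the check stays as it is. The rest of the control lies outside this hunk.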
@@ -6,13 +6,13 @@ are highly dependent upon an accurate system time (such as sshd). All changes to the system time should be audited." impact 0.3 - tag "gtitle": "SRG-OS-000062" - tag "gid": "V-81441" - tag "rid": "SV-96155r1_rule" - tag "stig_id": "RHEL-06-000166" - tag "fix_id": "F-88259r1_fix" - tag "cci": ["CCI-000169"] - tag "nist": ["AU-12 a", "Rev_4"] + tag "gtitle": 'SRG-OS-000062' + tag "gid": 'V-81441' + tag "rid": 'SV-96155r1_rule' + tag "stig_id": 'RHEL-06-000166' + tag "fix_id": 'F-88259r1_fix' + tag "cci": ['CCI-000169'] + tag "nist": ['AU-12 a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -44,13 +44,12 @@ -a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules" - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^-[Aa][\s]*(?:exit,always|always,exit)[\s]+-F[\s]+arch=b32.*(?:,|-S[\s]+)adjtimex(?:,|[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^-[Aa][\s]*(?:exit,always|always,exit)[\s]+-F[\s]+arch=b32.*(?:,|-S[\s]+)adjtimex(?:,|[\s]+).*-k[\s]+[\S]+[\s]*$/) } end describe.one do - describe file("/etc/audit/audit.rules") do - its("content") { should match(/^-[Aa][\s]*(?:exit,always|always,exit)[\s]+-F[\s]+arch=b64.*(?:,|-S[\s]+)adjtimex(?:,|[\s]+).*-k[\s]+[\S]+[\s]*$/) } + describe file('/etc/audit/audit.rules') do + its('content') { should match(/^-[Aa][\s]*(?:exit,always|always,exit)[\s]+-F[\s]+arch=b64.*(?:,|-S[\s]+)adjtimex(?:,|[\s]+).*-k[\s]+[\S]+[\s]*$/) } end end end - diff --git a/controls/V-81443.rb b/controls/V-81443.rb index 6a84ee5..ad695f0 100644 --- a/controls/V-81443.rb +++ b/controls/V-81443.rb 
@@ -1,17 +1,17 @@ -control "V-81443" do +control 'V-81443' do title "The Red Hat Enterprise Linux operating system must have an anti-virus solution installed." desc "Virus scanning software can be used to protect a system from penetration from computer viruses and to limit their spread through intermediate systems. " impact 0.5 - tag "gtitle": "SRG-OS-000480-GPOS-00227" - tag "gid": "V-81443" - tag "rid": "SV-96157r1_rule" - tag "stig_id": "RHEL-06-000533" - tag "fix_id": "F-88261r1_fix" - tag "cci": ["CCI-001668"] - tag "nist": ["SI-3 a", "Rev_4"] + tag "gtitle": 'SRG-OS-000480-GPOS-00227' + tag "gid": 'V-81443' + tag "rid": 'SV-96157r1_rule' + tag "stig_id": 'RHEL-06-000533' + tag "fix_id": 'F-88261r1_fix' + tag "cci": ['CCI-001668'] + tag "nist": ['SI-3 a', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -28,10 +28,9 @@ If there is no anti-virus solution installed on the system, this is a finding. " - tag "fix": "Install an anti-virus solution on the system. " + tag "fix": 'Install an anti-virus solution on the system. ' - describe "Manual test" do - skip "This control must be reviewed manually" + describe 'Manual test' do + skip 'This control must be reviewed manually' end end - diff --git a/controls/V-81445.rb b/controls/V-81445.rb index 62ffc2b..9b97ee8 100644 --- a/controls/V-81445.rb +++ b/controls/V-81445.rb @@ -1,4 +1,4 @@ -control "V-81445" do +control 'V-81445' do title "The Red Hat Enterprise Linux operating system must mount /dev/shm with the nodev option." desc "The \"nodev\" mount option causes the system to not interpret 
@@ -6,13 +6,13 @@ devices from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access." impact 0.3 - tag "gtitle": "SRG-OS-000368-GPOS-00154" - tag "gid": "V-81445" - tag "rid": "SV-96159r1_rule" - tag "stig_id": "RHEL-06-000530" - tag "fix_id": "F-88263r1_fix" - tag "cci": ["CCI-001764"] - tag "nist": ["CM-7 (2)", "Rev_4"] + tag "gtitle": 'SRG-OS-000368-GPOS-00154' + tag "gid": 'V-81445' + tag "rid": 'SV-96159r1_rule' + tag "stig_id": 'RHEL-06-000530' + tag "fix_id": 'F-88263r1_fix' + tag "cci": ['CCI-001764'] + tag "nist": ['CM-7 (2)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -44,21 +44,20 @@ tag "fix": "Configure the \"/etc/fstab\" to use the \"nodev\" option for all lines containing \"/dev/shm\"." - describe file("/etc/fstab") do - its("content") { should match(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/) } + describe file('/etc/fstab') do + its('content') { should match(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/) } end - file("/etc/fstab").content.to_s.scan(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/).flatten.each do |entry| + file('/etc/fstab').content.to_s.scan(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/).flatten.each do |entry| describe entry do it { should match(/^(?:nodev|[\w,]+,nodev)(?:$|,[\w,]+$)/) } end end - describe file("/etc/mtab") do - its("content") { should match(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/) } + describe file('/etc/mtab') do + its('content') { should match(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/) } end - file("/etc/mtab").content.to_s.scan(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/).flatten.each do |entry| + file('/etc/mtab').content.to_s.scan(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/).flatten.each do |entry| describe entry do it { should match(/^(?:nodev|[\w,]+,nodev)(?:$|,[\w,]+$)/) } end end end - diff --git a/controls/V-81447.rb b/controls/V-81447.rb index be7f2fa..6d7c078 100644 --- a/controls/V-81447.rb +++ b/controls/V-81447.rb @@ -1,4 +1,4 @@ -control "V-81447" do +control 'V-81447' do title "The Red Hat Enterprise Linux operating system must mount /dev/shm with the nosuid option." desc "The \"nosuid\" mount option causes the system to not execute 
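Review bot: The options capture `([\w,]+)` in the `/etc/fstab` and `/etc/mtab` scans stops at the first character that is neither a word character nor a comma, so an entry such as `rw,size=2g,nodev` (constructed example) is captured as `rw,size` and the `nodev` test fails on a correctly mounted host. The error is on the safe side, but false findings like this tend to get a control waived rather than fixed. Capturing the whole field with `(\S+)` and testing the comma-split list avoids it, and InSpec's `mount` resource reports the live options without parsing `/etc/mtab`. The hunks for V-81447 (`nosuid`) and V-81449 (`noexec`) later in this patch use the same pattern and need the same change. The control body starts above this hunk.

```ruby
# … unchanged: describe file('/etc/fstab') presence check …
file('/etc/fstab').content.to_s.scan(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+(\S+)/).flatten.each do |entry|
  describe entry.split(',') do
    it { should include 'nodev' }
  end
end
# replaces the /etc/mtab scan: options of the mounted file system
describe mount('/dev/shm') do
  its('options') { should include 'nodev' }
end
```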
@@ -7,13 +7,13 @@ files. Executing files from untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access." impact 0.3 - tag "gtitle": "SRG-OS-000368-GPOS-00154" - tag "gid": "V-81447" - tag "rid": "SV-96161r1_rule" - tag "stig_id": "RHEL-06-000531" - tag "fix_id": "F-88265r1_fix" - tag "cci": ["CCI-001764"] - tag "nist": ["CM-7 (2)", "Rev_4"] + tag "gtitle": 'SRG-OS-000368-GPOS-00154' + tag "gid": 'V-81447' + tag "rid": 'SV-96161r1_rule' + tag "stig_id": 'RHEL-06-000531' + tag "fix_id": 'F-88265r1_fix' + tag "cci": ['CCI-001764'] + tag "nist": ['CM-7 (2)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false 
@@ -44,21 +44,20 @@ tag "fix": "Configure the \"/etc/fstab\" to use the \"nosuid\" option for all lines containing \"/dev/shm\"." - describe file("/etc/fstab") do - its("content") { should match(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/) } + describe file('/etc/fstab') do + its('content') { should match(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/) } end - file("/etc/fstab").content.to_s.scan(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/).flatten.each do |entry| + file('/etc/fstab').content.to_s.scan(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/).flatten.each do |entry| describe entry do it { should match(/^(?:nosuid|[\w,]+,nosuid)(?:$|,[\w,]+$)/) } end end - describe file("/etc/mtab") do - its("content") { should match(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/) } + describe file('/etc/mtab') do + its('content') { should match(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/) } end - file("/etc/mtab").content.to_s.scan(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/).flatten.each do |entry| + file('/etc/mtab').content.to_s.scan(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/).flatten.each do |entry| describe entry do it { should match(/^(?:nosuid|[\w,]+,nosuid)(?:$|,[\w,]+$)/) } end end end - diff --git a/controls/V-81449.rb b/controls/V-81449.rb index 5d8986f..a61a2ae 100644 --- a/controls/V-81449.rb +++ b/controls/V-81449.rb @@ -1,4 +1,4 @@ -control "V-81449" do +control 'V-81449' do title "The Red Hat Enterprise Linux operating system must mount /dev/shm with the noexec option." desc "The \"noexec\" mount option causes the system to not execute binary 
@@ -7,13 +7,13 @@ untrusted file systems increases the opportunity for unprivileged users to attain unauthorized administrative access." impact 0.3 - tag "gtitle": "SRG-OS-000368-GPOS-00154" - tag "gid": "V-81449" - tag "rid": "SV-96163r1_rule" - tag "stig_id": "RHEL-06-000532" - tag "fix_id": "F-88267r1_fix" - tag "cci": ["CCI-001764"] - tag "nist": ["CM-7 (2)", "Rev_4"] + tag "gtitle": 'SRG-OS-000368-GPOS-00154' + tag "gid": 'V-81449' + tag "rid": 'SV-96163r1_rule' + tag "stig_id": 'RHEL-06-000532' + tag "fix_id": 'F-88267r1_fix' + tag "cci": ['CCI-001764'] + tag "nist": ['CM-7 (2)', 'Rev_4'] tag "false_negatives": nil tag "false_positives": nil tag "documentable": false @@ -45,18 +45,18 @@ tag "fix": "Configure the \"/etc/fstab\" to use the \"noexec\" option for all lines containing \"/dev/shm\"." - describe file("/etc/fstab") do - its("content") { should match(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/) } + describe file('/etc/fstab') do + its('content') { should match(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/) } end - file("/etc/fstab").content.to_s.scan(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/).flatten.each do |entry| + file('/etc/fstab').content.to_s.scan(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/).flatten.each do |entry| describe entry do it { should match(/^(?:noexec|[\w,]+,noexec)(?:$|,[\w,]+$)/) } end end - describe file("/etc/mtab") do - its("content") { should match(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/) } + describe file('/etc/mtab') do + its('content') { should match(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/) } end - file("/etc/mtab").content.to_s.scan(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/).flatten.each do |entry| + file('/etc/mtab').content.to_s.scan(/^[^#\s]+[ \t]+\/dev\/shm[ \t]+[\w\d]+[ \t]+([\w,]+)\s*.*$/).flatten.each do |entry| describe entry do it { should match(/^(?:noexec|[\w,]+,noexec)(?:$|,[\w,]+$)/) } end 
diff --git a/inspec.yml b/inspec.yml
index fc4e4f6..4281498 100644
--- a/inspec.yml
+++ b/inspec.yml
@@ -4,18 +4,55 @@ maintainer: The Authors copyright: The Authors copyright_email: you@example.com license: Apache-2.0 -summary: "The Red Hat Enterprise Linux 6 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. Comments or proposed revisions to this document should be sent via e-mail to the following address: disa.stig_spt@mail.mil." -version: 0.1.0 +summary: "The Red Hat Enterprise Linux 6 Security Technical Implementation Guide +(STIG) is published as a tool to improve the security of Department of Defense (DoD) +information systems. Comments or proposed revisions to this document should be +sent via e-mail to the following address: disa.stig_spt@mail.mil." + +version: 0.9.0 + +supports: + - platform-name: redhat + release: 6.* + +inspec_version: "~> 3.0" + attributes: - - name: auditd_space_left - default: SET_ME - name: banner_text - default: SET_ME + type: string + default: 'You are accessing a U.S. Government (USG) Information System (IS) + that is provided for USG-authorized use only. By using this IS (which + includes any device attached to this IS), you consent to the following + conditions: + -The USG routinely intercepts and monitors communications on this IS for + purposes including, but not limited to, penetration testing, COMSEC monitoring, + network operations and defense, personnel misconduct (PM), law enforcement + (LE), and counterintelligence (CI) investigations. + -At any time, the USG may inspect and seize data stored on this IS. + -Communications using, or data stored on, this IS are not private, are subject + to routine monitoring, interception, and search, and may be disclosed or used + for any USG-authorized purpose. + -This IS includes security measures (e.g., authentication and access controls) + to protect USG interests--not for your personal benefit or privacy. 
+ -Notwithstanding the above, using this IS does not constitute consent to PM, LE + or CI investigative searching or monitoring of the content of privileged + communications, or work product, related to personal representation or services + by attorneys, psychotherapists, or clergy, and their assistants. Such + communications and work product are private and confidential. See User + Agreement for details.' + - name: max_logins + type: numeric default: 10 + - name: emergency_accounts + type: array default: [] + - name: temporary_accounts + type: array default: [] + - name: package_signing_keys - default: ['gpg-pubkey-fd431d51-4ae0493b', 'gpg-pubkey-2fa658e0-45700c69'] \ No newline at end of file + type: array + default: ['gpg-pubkey-fd431d51-4ae0493b', 'gpg-pubkey-2fa658e0-45700c69']
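Review bot: The new `banner_text` default is a single-quoted scalar continued over many lines, so YAML folds every line break into a space and the controls receive the banner as one long line with the `-The USG ...` items run together. Whether that matters depends on how the banner control compares it with the file on disk, which this hunk does not show; if the comparison is not whitespace-normalised, the control will report a finding on a correctly configured host. I would record the assumption next to the value, `# folded to one line by YAML; compare with whitespace normalised`, or switch to a `|-` block scalar if the line breaks are meant to be kept. The hunk also removes the `auditd_space_left` attribute, so any control that still reads it (not visible here) loses its profile-level default.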