###############################################################
# Certify has reached it's end of life. There are now several #
# well known alternatives for system configuration management.#
# The only advantage Certify has over other manageent systes  #
# is that it does not depend on communication between nodes.  #
# I am freezing development and transitioning to Ansible      #
###############################################################

# Description:
Certify is a toolset for managing system security.  It includes
scripts for hardening and checking system security. It can also
optionally install and configure Aide and Clamav.  Cron files
are provided to automate recurring tasks.

Certify is intended for environments where security is routinely
audited, such as government facilities with classified information.

Certify has been tested on Red Hat and Centos versions 5 to 7.

Certify is not an all encompassing security configuration tool.
Unlike "Fortify", which overrides many operating system settings,
certify manages security posture.  Certify attempts to make sure
vendor supplied tools are properly implemented.

It contains three primary Python scripts, "harden.py", "check.py"
& "setup.py"; for managing security settings.  Harden applies
security settings, while check reports on security findings.  The
setup script customization.

The original driving force for developing certify was an interest
in simplifying the process of system certification.  Before certify
the system certification process took two people, one ISSO and one
System Administrator, several hours to complete.  With certify only
the ISSO is required, and by using tools such as Splunk, all of the
logs can be quickly reviewed.

#Latest additions to certify:
Installation and configuration of AIDE, CLAMAV and LogWatch.
Firewalld files for Simpana and Splunk

# Dependencies:
The following Python rpm's are required.
	python-argparse
	pexpect

# Install:
Install or upgrade the rpm:

If you have certify in a yum repository, install as follows:

	yum install certify
		or
	yum upgrade certify

If you do not access to a yum repository, get a copy of the latest
rpm and use localinstall as follows.

	yum --localinstall certify<version>.rpm
		or
	yum --localupdate certify<version>.rpm


#Package list:
/etc/cron.d/certify.cron
/etc/firewalld/services/simpana.xml (rhel7)
/etc/firewalld/services/splunk.xml (rhel7)
/etc/gconf/gconf.xml.mandatory/%gconf-tree.xml
/etc/gdm/banner.png
/usr/local/certify/certify_config.py
/usr/local/certify/check.py
/usr/local/certify/harden.py
/usr/local/certify/setup.py
/usr/local/certify/testPassword.py
/usr/local/certify/savedfiles
/etc/logrotate.d/certify
/usr/sbin/aide_check
/usr/share/doc/certify-%{Version}/readme
/usr/share/doc/certify-%{Version}/changelog
/usr/share/doc/certify-%{Version}/banner.png.llnl
/usr/share/doc/certify-%{Version}/banner.png.sample
/usr/share/doc/certify-%{Version}/certify_config.py

# Customize configuration
./setup.py -h

Certify Setup
     1: AIDE
     2: Authentication
     3: ClamAV
Enter choice or 'q' to quit:

# System Hardening:
./harden.py -h
usage: harden.py [-h] [-i] [-l] [--logfile LOGFILE]

If no arguments, all security options will be performed

optional arguments:
  -h, --help         show this help message and exit
  -i, --interactive  interactive mode (default: False)
  -l, --log          create log (default: False)
  --logfile LOGFILE  log file name (default: /var/log/certify)


# Certification Test:
./check.py -h
usage: check.py [-h] [-i] [-c] [-l] [--logfile LOGFILE]

If no arguments, all security tests will be performed

optional arguments:
  -h, --help         show this help message and exit
  -i, --interactive  interactive mode (default: False)
  -c, --check        md5 check (default: False)
  -l, --log          create log (default: False)
  --logfile LOGFILE  log file name (default: /var/log/certify)