This repository has been archived by the owner on Apr 17, 2023. It is now read-only.
Combine checks for number of 'cert_policy' lines and inclusion of 'os… #72
Closed
Conversation
…cp_on' option in V-72433
aaronlippold suggested changes, Mar 5, 2019
Other than checking if the `include` vs `match` matcher works best for this test, I am good with this - I think it more directly addresses the requirements.
aaronlippold previously approved these changes, Mar 5, 2019
…s in V-72433. Also update the pattern to not match commented out lines.
trevor-vaughan suggested changes, Mar 11, 2019
If it doesn't exist, then do we jump to a 'skip' case or is it NA? Didn't read, but agree that we need to cover this and build in the logic.
--------
Aaron Lippold
lippold@gmail.com
260-255-4779
twitter/aim/yahoo,etc.
'aaronlippold'
On Mon, Mar 11, 2019 at 1:04 PM Trevor Vaughan wrote (requesting changes on this pull request), in controls/V-72433.rb (#72 (comment)):
>
- describe command("grep cert_policy /etc/pam_pkcs11/pam_pkcs11.conf | wc -l") do
- its('stdout.strip.to_i') { should cmp >= 3 }
- end if smart_card_status.eql?('enabled')
-
- describe "The system is not smartcard enabled" do
- skip "The system is not using Smartcards / PIVs to fulfil the MFA requirement, this control is Not Applicable."
- end if !smart_card_status.eql?('enabled')
+ if smart_card_status.eql?('enabled')
+ cert_policy_lines = file('/etc/pam_pkcs11/pam_pkcs11.conf').content.lines.grep(%r{^(?!.+#).*cert_policy}i)
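Review bot: the lookahead in the new pattern `%r{^(?!.+#).*cert_policy}i` does not exclude commented-out lines reliably: `(?!.+#)` needs at least one character before the `#`, so a line that starts with `#cert_policy` still matches, while a valid `cert_policy` setting followed by a trailing `# comment` is thrown away. Anchoring the comment test at the start of the line, e.g. `%r{^(?!\s*#).*cert_policy}i`, does what the commit message describes. Separately, `file(...).content` is nil when /etc/pam_pkcs11/pam_pkcs11.conf is absent, so `.lines` raises instead of reporting a finding; an `it { should exist }` check on the file before this block turns that into a clear failure.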
This will fail if /etc/pam_pkcs11/pam_pkcs11.conf does not exist. Probably need a test just before all of this to ensure that the file exists at all since, if it doesn't, the whole thing fails anyway.
@aaronlippold If it doesn't exist, it would be a failure, yes?
Yes, if smart_card_enabled and for whatever reason the file doesn't exist then we would fail the tests - but rather than failing with a confusing `nil` expected to match something, we should just throw a resource failure exception.
So after chatting with Jerry ... if we 'wrap' this test set in a `file(...) { should exist }` and make it fail fast then we should report as expected.
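As an added example (plain Ruby rather than InSpec DSL, and not code from the profile itself), this is the logic the thread converges on: guard for the missing file, exclude comment lines by their leading `#` only, require three active `cert_policy` lines, and check each for the pam_pkcs11 `ocsp_on` option (spelled 'oscp_on' in the PR title). The function names, the `smart_card_status` argument and the sample configuration are constructed here.

```ruby
# Added example, not code from simp/inspec-profile-disa_stig-el7: a plain-Ruby
# model of the V-72433 cert_policy check, handling the two review points
# raised in the thread:
#   1. a missing /etc/pam_pkcs11/pam_pkcs11.conf is reported as such instead of
#      surfacing as a NoMethodError on nil content;
#   2. commented-out lines are excluded by looking at the *start* of the line,
#      so "#cert_policy = ..." is dropped but "cert_policy = ...; # note" is kept.

# Minimum number of active cert_policy lines the check text requires.
MIN_CERT_POLICY_LINES = 3

# Returns the active (non-comment) lines that set cert_policy.
# `content` may be nil, which is what an InSpec file resource's .content
# returns for a missing file; nil is passed through so callers can tell
# "file absent" apart from "no matching lines".
def active_cert_policy_lines(content)
  return nil if content.nil?

  content.lines.map(&:chomp).grep(/\A(?!\s*#).*\bcert_policy\b/i)
end

# Evaluates the control logic and returns a hash describing the outcome:
#   status: :not_applicable, :failed or :passed
#   reason: short text suitable for a describe/skip message
#   lines:  the cert_policy lines examined (for reporting)
def evaluate_cert_policy(content, smart_card_status: 'enabled')
  unless smart_card_status == 'enabled'
    return { status: :not_applicable,
             reason: 'The system is not using Smartcards / PIVs to fulfil the MFA requirement',
             lines: [] }
  end

  lines = active_cert_policy_lines(content)
  if lines.nil?
    # Fail fast with an explicit message instead of a confusing nil comparison.
    return { status: :failed,
             reason: '/etc/pam_pkcs11/pam_pkcs11.conf does not exist',
             lines: [] }
  end

  if lines.length < MIN_CERT_POLICY_LINES
    return { status: :failed,
             reason: "expected at least #{MIN_CERT_POLICY_LINES} cert_policy lines, found #{lines.length}",
             lines: lines }
  end

  # Every active policy line must enable OCSP checking.
  missing_ocsp = lines.reject { |l| l.match?(/\bocsp_on\b/i) }
  unless missing_ocsp.empty?
    return { status: :failed,
             reason: "#{missing_ocsp.length} cert_policy line(s) do not include ocsp_on",
             lines: lines }
  end

  { status: :passed, reason: 'all cert_policy lines include ocsp_on', lines: lines }
end

# Constructed sample configuration for this example, not taken from a real host.
SAMPLE_CONF = <<~CONF
  # pam_pkcs11 configuration (constructed)
  #cert_policy = none;                      # commented out: must not count
  cert_policy = ca, ocsp_on, signature;    # trailing comment: must still count
    cert_policy = ca, ocsp_on, signature;
  cert_policy = ca, ocsp_on, signature;
CONF

if $PROGRAM_NAME == __FILE__
  puts evaluate_cert_policy(SAMPLE_CONF).inspect
  puts evaluate_cert_policy(nil).inspect
end
```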
Add check for if /etc/pam_pkcs11/pam_pkcs11.conf exists first
djhaynes added a commit to djhaynes/inspec-profile-disa_stig-el7 that referenced this pull request, Sep 24, 2019
Merged
djhaynes referenced this pull request in mitre/redhat-enterprise-linux-7-stig-baseline, Oct 9, 2019
Merged
aaronlippold pushed a commit that referenced this pull request, Oct 9, 2019
I think this can be closed out because of PR #109.
em-c-rod pushed a commit to mitre/redhat-enterprise-linux-7-stig-baseline that referenced this pull request, Jul 20, 2022
HenryXiaoHX added a commit to mitre/redhat-enterprise-linux-7-stig-baseline that referenced this pull request, Jul 25, 2022
Updating STIG from V2R6 to V3R6

- Fixes and Rev4 updates for PAM controls (#41): Updated PAM controls and pam resource to reflect changes from the revision 4 update. Signed-off-by: Sam Cornwell <14048146+samcornwell@users.noreply.github.com>
- Fixes and Rev4 updates for grub controls (#29)
- Updated CCI and NIST tags to use arrays.
- Reviewed all controls and fixed many issues
- updated impact logic to account for Not Applicable cases
- used the protected regex pattern `%r{ }` in place of //
- fixed many false positives reported by end users
- added TODOs to all controls that need to be enhanced
- added a new attributes file for this branch for review
- added logic so that all controls correctly report
- removed most `only_if` statements and replaced with skips + impact 0.0
- removed all `severity` tags in lieu of using `impact`
- updated V-71863 fix the banner compare
- updated V-71961 to account for multiple users
- added attributes to support each
- Fixed V-71961 regex to accept spaces in front of password_pbkdf2
- Fixed V-71963 regex to accept spaces in front of password_pbkdf2
- Rewrote V-72075 to check the root partition is not removable
- Rewrote V-72067 to use grubby to check actual args for fips=1 rather than using buggy resource to try to parse the grub config
- Removed constant attributes from grub controls
- Removing dedup from V-72075
- Fixes and Rev4 updates for ssh controls (#25)
- Added EXEMPT_HOME_USERS attribute attributes file
- Removed extra attribute defn
- Fixed typo in call to package resource
- Updated attributes file
- Updating to do a range check and if the ClientAliveInterval is not set
- updating controls so they don't evaluate to not_tested.
- Fixed some ssh controls to be more explicit
- Replaced constant attribute CLIENT_ALIVE_INTERVAL with non-constant
- Fixes and Rev4 updates for login_defs controls (#32)
- Fixing typo in login_defs UMASK setting name
- Fixes and Rev4 updates for antivirus controls (#34)
- Updated to verify that the anti-virus software is installed.
- Updated to use an attribute to check if the anti-virus installation check should be performed.
- Removing ENABLE_AV attribute from antivirus controls
- Fixed the all_with_integer_arg logic (#43)
- This wasn't failing in all cases but was triggered in testing the SIMP PAM module and required a fix.
- Removed the need to make the operators a symbol and also allow strings for ease of use.
- Minor fixes
- Throw a helpful message if someone passes a bad operator
- Flip the default mode to immediately pass on success
- Make sure the value is actually an integer
- Fixed all_with_integer_arg and added any_with_integer_arg to PAM matcher
- Loosened constraint in V-71933 to allow either pam_unix or pam_pwhistory to have remember arg
- Fixes and Rev4 updates for initialization files controls (#22)
- Updated to use attribute to determine if control should be run as well as updated to get home directories from users resource.
- Updated to get home directories from users resource.
- Refactored control to check permissions using the find command.
- Refactored control to check owners using the find command.
- Updated to check for a length of 0.
- Updated to check for user gid and root group.
- Removed debug code and added a comment stating how we would be checking for directories more permissive than 750 and files more permissive than 640.
- Refactored to not use describe statements to check permissions when we can do it with find.
- Updated to use sets and check the length of findings.
- Updated to check that it should be empty.
- Fixed a few errors in the tags.
- Updated to use be_empty. Also removed attribute for now.
- Removed extra end keyword.
- Updated to support an attribute that allows the control to be disabled because it is slow.
- small change to push file
- fixed small / major issues with some of the tests.
- enhanced / corrected the Not Applicable reporting.
- ensured all 'Not Applicable' by attribute controls worked fully.
- small fixes to attributes
- enhancements to completeness of controls and testing
- Updated local interactive checks to filter out non-interactive users.
- Fixed several controls involving interactive users which were not properly querying for only interactive users
- Minor update to make consistent with other controls
- Updated to use users resource. Also, added check to exclude comments and check for nosuid being set in /etc/fstab.
- Fixing logic of control V-72037 to properly get count of references to world-writable files and compare against it
- Formatting changes
- Fixed find command in V-72027 to search for all directories and files with permissions less restrictive than 0750
- Update to RHEL7v4
- Fixing smart double quotes to be ascii double quotes
- Removed constants from initialization files controls
- Adding /bin/true to list of non-interactive shells
- Fixes and Rev4 updates for miscellaneous controls (#40)
- Updated to fix typo in grep command.
- Fixed usb storage driver name. For configuration files, usb-storage and usb_storage are interchangeable. modprobe seems to use the name usb_storage regardless of the config name
- Removing constant attributes and adding subsystems tag for misc controls
- Fixes and Rev4 updates for privilege controls (#39)
- Rewrote V-71947 to be able to recursively process all sudoers files by following include and `includedir` directives
- Removed constant variables in some privilege controls
- Removed non-standard users from V-72001
- Fixes and Rev4 updates for installed packages controls (#38)
- Fixed clean_requirements_on_remove to be referenced within the main section of yum.conf for control V-71987
- Fixed find expression and test statement for control V-72039
- Rewrote V-72299 to allow ftp server as long as SSL is used
- Rewrote rpm verify controls to remove hard-coded exceptions
- Removed constant attribute from V-72307
- Added dangerous tag to control which uses global find command
- Fixes and Rev4 updates for interactive user controls (#36)
- Adding uid constraints to controls V-72011 and V-72015
- Removed constant attributes from interactive user controls
- Added lookup of UID_MIN from login_defs to the interactive user controls
- Added xdev and xautofs args to some find commands on home directories
- Fixes and Rev4 updates for network controls (#33)
- Updated to include iptables check.
- Updated to account for IPv6 being disabled in the kernel.
- fixed missing [ in cci tag.
- Pulling in changes from csp_mod branch
- Added check in V-72223 for TMOUT is in the bashrc file
- Corrected attribute name in V-72223
- Merged attributes files
- Updated control V-72317
- Updated to support checking the files in /etc/profile.d
- Fixed V-72269 to properly check that maxpoll is set
- Fixed control V-72223 to describe.one on all the possible locations of TMOUT
- Removed constant attribute from V-72223
- Added xautofs flag to a few find commands
- Rewrote SNMP control V-72313 to recursively find all conf files via include statements
- Rewrote ipsec control V-72317 to recursively find all conf files via include
- Changed ntpd maxpoll control to use ntpd --saveconfigquit (currently loaded config) rather than the config file
- Added dangerous global find tag to couple controls
- Fixes and Rev4 updates for multifactor controls (#31)
- Updated to check for other sssd files
- Updated to include checking logic.
- Fixed SMART_CARD_STATUS constant attribute to be a non-constant
- Modified multifactor_enabled control to take optional user parameter to use when running dconf
- Fixes and Rev4 updates for LDAP controls (#28)
- fixing the logic of the V-72227 to match check text
- fixing the logic of the V-72229 to match check text
- fixing the logic of the V-72231 to match check text
- Added support to LDAP controls for SSSD (#11)
- Updating V-72227, V-72229, and V-72231 controls to take into account usage of SSSD
- Tweaked regex syntax in V-72229 and V-72231 controls
- Revised LDAP controls to not be dependent upon authconfig and also removed constant variables
- Fixed LDAP controls to dynamically extract CA cert files and directories
- Fixes and Rev4 updates for session lock controls (#26)
- Update from RHEL7 Rel1 to Rel4
- Updating logic to extract value so it can be evaluated using comparison operators.
- Improved gnome controls to use gsettings rather than hard-coded file paths
- Fixes and Rev4 updates for aide controls (#24)
- Fixed V-72069, V-72071, and V-72073 to work around aide_conf resource bug
- Replaced constant attribute FILE_INTEGRITY_INTERVAL and FILE_INTEGRITY_TOOL with non-constants
- Fixed aide controls to also search for cron jobs in the root crontab and /etc/cron.d
- Fixes and Rev4 updates for filesystem controls (#30)
- Adding attributes and removing login.defs requirement from V-72059 (#13)
- Fixing uid comparison logic of control V-72059 to use the same constant min_uid of 1000 as in other controls. Added exception to this control to ignore the root user because its home directory does not typically exist on the same mount point as other home directories
- Updating control to include new logic using the mount resource.
- Removed some constant attributes
- Rewrote nouser and nogroup controls to properly iterate over all mounted filesystem types
- Added lookup of UID_MIN from login_defs to V-72059
- Fixes and Rev4 updates for banner controls (#23)
- Updated to check if banner is not set, disabled, or provides a non-existent filepath.
- Fixed misuse of constants in banner controls. Constants inside the controls have global scope, and so re-use of constant names between controls can cause collisions if they are not intended to be the same
- Updated to make escaping of quote characters consistent.
- Tweaking V-71859 attribute to work even if boolean passed instead of string
- Removed constant attributes on banner controls and added some guards to check for gnome on certain controls. Added ability to specify a user to use to execute dconf
- Add attributes file and clean attributes (#44)
- Adding attributes file
- Cleaned up all the attributes. Fixed some inconsistencies and renamed a few. Also added missing attributes to attributes.yml
- Formatting banner texts to be multiline string. Removing unbound user from known_system_accounts
- Adding configurable unlock_time to pam_faillock controls (#47)
- Adding lockout_time to attributes file
- (SIMP-MAINT) Subsystem control tagging update (#65)
- vendor prior to tests
- force revendoring
- tweak travis settings
- require all checks to pass
- Updated the find command for V-72027 to filter by '! -type l' (#71)
- Set the desc field for the control and only update the describe/skip … (#70)
- Set the desc field for the control and only update the describe/skip text in V-71849.
- Fix syntax error (missing :)
- Remove TODO comments to cleanup control
- Modify reporting for V-71999 to 'List of out-of-date packages should be empty'. Fix describe.one syntax error. (#69)
- Update mfa_pkg_list attribute with packages from RHEL documentation (#68)
- Various updates (#66)
- Update V-72241 and V-72251 to check the operating system release as described.
- Introduce a 'virtual_machine' attribute for V-72039 so that if the target is expected to be a virtual machine the check will allow /dev/vmci. Update V-72039 to check for vmci_device_t contexts.
- Fix impact rating in V-72305 when TFTP is not installed. Fix checking for incorrect package name. Expand RegEx check to match the long option (--secure) and short option (-s) and match an absolute path.
- Update comment for smart_card_status in attributes.yml to include V-72417 and V-72433.
- Expand comment about exempt_home_users attribute to include all applicable controls.
- Fix disable_slow_controls to false and update comment for exempt_home_users
- Move impact reduction out of describe block
- Updated 72253 (#11)
- fix typo (#78): Small fix: Typo fix on 'explicitly'
- removed extra spaces (#77)
- V-71999: fixed incorrect path for `su` in auditd config (#79); disabled slow controls in .kitchen.yml; added a `nolong` attributes file. Signed-off-by: Aaron Lippold <lippold@gmail.com>
- Moves linux_patch resource into our libraries directory (#80)
- moves the linux patches resource into our profiles library
- updates the `inspec.yml` to remove dependency upstream
- updates the `.gitignore` to include .beaker
- bumped Gemfile for beaker-helper to 1.14.1
- Fixes #82 (#83). Signed-off-by: Rony Xavier <rx294@nyu.edu>
- added subsystem tag to aide tests (#84)
- Updated 'default' label for attributes to 'value' (#85)
- (SIMP-6708) Create and ensure inspec tests work (#86)
- Added 'subsystem' tags to items that did not have them
- (SIMP-6708) Create and ensure inspec tests work by module (#87): Added subsystem tags
- missing parenthesis on example (#89)
- (SIMP-6708) Create and ensure inspec tests work by module (#90)
- Updated subsystem tags
- V-72037 V2R1 Update title and find command. Per https://github.com/ComplianceAsCode/content/issues/3432, adding -xdev to find prevents scanning /proc/, significantly speeding up this control.
- Update V-72037 to search using pattern file. To reduce the number of grep invocations, we instead combine the world-writable files list and invoke grep using this combined list as a pattern file. If no world-writable files exist, we skip the grep invocations to prevent matching on an empty pattern.
- Update V-72037 to limit grep pattern file length. Since we are passing the list of world-writable files to grep using process substitution, we need to make sure the command line isn't too long. We hard-code a limit and break the list of world-writable files into chunks of pattern files no bigger than said limit.
- Update V-72037 to prevent searching .bash_history. Since .bash_history isn't executed, it will cause false positives if there is any mention of a world writable file.
- Update V-72037, Get PATTERN_FILE_MAX_LENGTH
- Update V-72427.rb (#99): Updating to handle the case where SSSD is installed, but no configuration files are found.
- Update V-71941.rb. Closes #93.
- Update V-71983.rb. Closes #96.
- Update V-72059.rb. Closes #94.
- Update V-72315.rb. Closes #95.
- Update V-72433.rb. Re-issuing @Bialogs pull request (https://github.com/simp/inspec-profile-disa_stig-el7/pull/72).
- (SIMP-6708) Create and ensure inspec tests work by module (#91): Added tags to the various inspec controls
- changing attributes to inputs (#106)
- updating the code so it doesn't error out when the file doesn't exist. (#108)
- updating check and fix text to use new format. (#107)
- 72433 (#109)
- Updating control to handle the case when the file doesn't exist. Replaces PR #72.
- updating to use inputs and sub descriptions.
- adding the `matchers.rb` file back into the libraries as the `pam` resource breaks without it until the pam work is merged into upstream master. (#111)
- updating controls to use resources. (#115)
- V-71961 grub2 Configuration File (#67)
- Changed array of grub2 superusers to a single superuser in grub_superuser attribute. Updated V-71961 to look for all instances of setting a grub2 superuser and superusers password within given grub configuration.
- Update V-71961 to check if environment variables are being set for the grub2 superuser password; if they are, the control now examines provided user.cfg files to ensure that the password is encrypted with pbkdf2; if they are not, it will check the password_ line entry in the given grub_main_cfg file.
- V 72049 (#122)
- Updated to check mask of initialization files and umask for each user.
- Skips remote filesystems
- Adding an automated test for this control. (#123)
- Updating control to check ports and services for all zones. (#120)
- Update V-71961.rb (#124)
- Updating attributes to inputs and moving defaults to inspec.yml. (#130)
- 73163 - Updating attributes to inputs and moving defaults to inspec.yml. (#132)
- Fixing 72223 to correctly handle the collection of TMOUT (#133). Fixed a bug in 72223 where it was reporting a value of nil when the configuration setting was not set in a file. The code now reports that the configuration setting is not configured in the specific file. Updating this control to include an active check by looking at the set TMOUT environment variable as well as accommodating situations where 'readonly TMOUT' is set.
- Update inspec.yml (#134)
- Fixed the check for oscp_on in the cert policy lines. (#136)
- Fixed incorrect subsystem entries (#138)
- Update dconf input to use nil instead of '' (#131)
- Updating dconf checks to use nil instead of ''.
- fix trailing whitespace. Co-authored-by: Trevor Vaughan <tvaughan@onyxpoint.com>
- V-71971 SELinux should ignore system_u (#139): Fixed the SELinux tests to ignore system_u by default in V-71971
- Fix to issue #140 (#141)
- Addressing issue #143 (#146): Modified a duplicate declaration of 'file_integrity_tool' in inspec.yml. Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com>
- Addressing issue #145 (#147): Updated control V-72191 to reference '/usr/bin/kmod' instead of '/sbin/insmod'.
- Addressing issue #129 (#148): Set the input 'grub_superuser' to type String with value 'root' in inspec.yml as this is what dependent controls expect.
- Addressing issue #149 (#150): Moved the 'linux_update' resource reference out of the describe/subject block into a control-level variable. Also, generated a list of package names to pass to the 'List of out-of-date packages' block instead of the entire JSON object for cleaner output.
- Set theme jekyll-theme-cayman
- Updating repo name in readme
- Setting up github workflows
- Delete .travis.yml
- Updating master branch to v2.6 of STIG (#135)
- updating controls up to v2.6 of STIG. Signed-off-by: HackerShark <melsharkawi@mitre.org>
- Updating name, title and summary
- updated local vagrant to working state - cleanup required; fixed long running controls; started on EC2 spot instance testing using the SPEL partitioned images
- workflow testing
- added kitchen commands to workflow
- added bundler to the workflow
- fixed yaml syntax error
- added build-essentials package to the container and removed simp-helper
- fixed spelling
- apt-get issues ...
- fix for sudo
- fixed vagrant kitchen file to keep in line with other kitchen files; added validation, threshold and upload to heimdall-demo
- added uploading artifacts; changed path to results to be in the './results' dir
- fixed spacing error
- added `chef shell-init` to build process.
- correct chef shell-init command; added parallel jobs to bundler
- fixing workflow a bit more
- added inspec_tools to Gemfile
- bundler updates and hacks
- bundler again...
- Gemfile updates
- fixed ruby version
- updated results file name and made it cleaner
- added more explicit kitchen steps
- spacing issue
- added puppet to gemfile
- moved off the container
- fixed yml formatting
- fixed workstation uri
- added needed sudo commands
- corrected apt install command
- switching to dpkg
- almost to full done
- removed testing and setting of root password
- testing new aws testing instance type
- Fixes #11: Added logic to allow the control to insensitively match the prescribed values. This is the behavior of audisp.
- Fixes #14: Updated the control to utilize '/etc/audisp/plugins.d/au-remote.conf' instead of '/etc/audisp/audispd.conf'. Also, pulled the filename into a variable to ease the burden of future updates.
- Fixes #12: Updated the control to utilize '/etc/audisp/plugins.d/au-remote.conf' instead of '/etc/audisp/audispd.conf'. Also, pulled the filename into a variable to ease the burden of future updates.
- Resolves #19: Utilized the default input values from the v1 controls to generate default values in inspec.yml.
- Reorganized logic for V-72433 (#47): Pulled the conditional impact statements out of the if/then construct early on and added them to the corresponding section near the corresponding describe blocks. Fixes #16
- Reorganized logic for V-71965 (#49): Pulled the conditional impact statements out of the if/then construct early on and added them to the corresponding section near the corresponding describe blocks. Fixes #18
- Updated V-81019 to correctly match configurations (#50): Added logic to allow the control to insensitively match the prescribed values. This is the behavior of audisp. Fixes #21
- Resolved datatype comparison issue in V-72223 (#52): The control was comparing os_env('value').content to an integer. os_env('value').content returns a string. Updated to convert the string to an integer (to_i). The output of doing this directly was poor so I added an explicit subject to clean up the output. Fixes #27
- Update V-71861.rb
- Update V-71859.rb
- Update V-71891.rb
- fixed some of the missing NAs that didn't have impact 0.0 but more remain
- moved impact back to outside the describe block
- Reorganized logic for V-72417 (#48): Pulled the conditional impact statements out of the if/then construct early on and added them to the corresponding section near the corresponding describe blocks. Fixes #17
- updated to expect syntax for cleaner reporting
- expect syntax fix
- updated back to standard should syntax
- Adding support for chronyd in V-72269: Added tests to ensure either chronyd or ntpd are installed, enabled and running. Modified to search for files under /etc/cron.daily that contain 'ntpd -q' rather than checking for static file /etc/cron.daily/ntpdate. Allowed for checking configuration of both services if both are installed. Extract the actual `maxpoll` values into a list for more readable reporting (avoid printing complex regex). Fixes #13
- Adjusted calculation logic in V-72089: Removed the `@` symbol from the `#{audit_log_dir}` variable causing it to resolve to `nil` and presenting all system partitions. Update the shell call to `df` to use standard 1K blocksize instead of human readable format which can return results with various units.
- Update the space calculation to convert KB into MB ( / 1024) instead of converting [assumed] GB into MB ( * 1024). - Updated to remove the use of the Ruby `File` class which would be executed on the Inspec runner instead of the target. - Fixes #32 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Resolved `undefined local variable` in V-71911 Added variable definition via input (difok). - Fixes #33 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Resolved `undefined local variable` in V-71863 Added variable definition via input (banner_message_text_cli). Added variable definition via input (banner_message_text_cli_limited). - Fixes #34 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Fixed `undefined variable` error for V-71933 Added a variable definition via input (min_reuse_generations). - Fixes #35 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Remove faulty logic from V-78995 Removed the switch 'skip_deprecated_controls' from the control. Restored 'traditional' if/then structure and located the 'impact' override in the fallthrough case. - Fixes #3 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * moved to c5.large instances to lower test bed cost Signed-off-by: Aaron Lippold <lippold@gmail.com> * Adding new control for V-92253 - Fixes #8 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Adding new control for V-92251 - Fixes #7 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Consider limits.d when checking for hard maxlogins Added the functionality of collecting all configuration files under limits.d. These files are then searched for any global ('*') entries matching 'hard' and 'maxlogins'. Entries are then compared to the maximum allowable value. At least one file containing a compliant entry is required. No files can contain noncompliant entries. 
The maximum login number is now configurable via an input ('maxlogins_limit'). - Fixes #23 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Update V-72217.rb * Added new control for V-92255. - Resolves #9 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Allow customization of the A/V solution in use. (#73) Update the control to take a switch/boolean input that specifies whether a non-nails solution is in use. If it is, require that a description of the solution be input as a way to document the solution - Fixes #24 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> Co-authored-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> Co-authored-by: Aaron Lippold <lippold@gmail.com> * Restore default property value. Property value for 'custom_antivirus_description' was mistakenly removed in a previous commit. Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Added new control V-94843. Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Updated V-71963 to be NA when EFI not in use - Added a check to see if the EFI configuration file exists. If not, this becomes NA. - Added a check for minor version of the OS. If 7.2 or later we only allow 'root' as a superuser. - The STIG guidance states that this is NA for versions after 7.2. However, it seems clear that this is still needed it just changes the way we enforce it. - Removed 'efi_user_boot_files' input as it doesn't matter what file the configuration comes from, only that it is merged into the main config. - Removed 'efi_main_cfg' input since we need to make the path dynamic to support RHEL variants such as CentOS. Also, the EFI path is pretty well static. - Fixes #40 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * testing Signed-off-by: Aaron Lippold <lippold@gmail.com> * Corrected the tests for V-72171 - Removed the architecture check for path watches. 
- Removed all check for '/bin/mount' as this path is not used. - Fixes #29 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Update V-72095 to use `execve` This new change prevents us from having to collect all of the SUID/SGID files on the system. - Fixes #30 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Updated V-72073 to support overrides - Simplified logic to remove loop searching for 'sha512' entries. Instead return them directly with the 'where' clause. - Provide an input array to contain patterns to exclude from the test. - Fixes #36 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Updating V-72065 to account for fstab entry - Allow /tmp to be specified in /etc/fstab as well as with the tmp.mount service. - Validate that there is only one entry for /tmp in fstab - Ensure that the device_name is not empty for the mount - Fixes #37 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Update V-71897 to allow multiple multiplexers - Per v2r6 of the DISA STIG `tmux` is now an allowable option along with screen. - Add an input list to contain `screen` and `tmux` and to support any future options. - Fixes #67 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Modify V-71937 to ignore `*-ac` files - If ac (authconfig) files are included or substacked by other services they will still be checked. - Loop over each service file in /etc/pam.d to provide a complete view of the configuration. - Fixes #41 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Updating V-72001 to validate all `allowed_users` - The STIG control asks to validate that all accounts present on the system are approved. Explicilty adding them to a known user list provides that validation. - There doesn't seem to be a need for a 'disallowed_users' list as users are implicitly disallowed by not being explicitly allowed. 
- Use 'expect' syntax to allow for finer control over the reporting output. Previous output displayed a list of users for each line. Now we just show that each user listed in /etc/passwd has been explicitly listed as an approved user. - Fixes #39 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Adding test logic for new control V-81003 - Fixes #4 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * added logic to new control Signed-off-by: HackerShark <melsharkawi@mitre.org> * updating logic test for UEFI Signed-off-by: HackerShark <melsharkawi@mitre.org> * adding logic to control V-81005. Updating V-81007 logic to account for extra condition Signed-off-by: HackerShark <melsharkawi@mitre.org> * Updated logic, rather than taking user input checking system directly if it uses UEFI or BIOS Signed-off-by: HackerShark <melsharkawi@mitre.org> * Update V-81005.rb * added creating the current profile JSON and uploading it to the repo Signed-off-by: Aaron Lippold <lippold@gmail.com> * testing profile creation Signed-off-by: Aaron Lippold <lippold@gmail.com> * actually helps to add the file you create * removing fancy text * adding -a to the commandwq * adding a pull prior to the push * adding a pull prior to the push * adding a pull prior to the push * adding a pull prior to the push * adding profile.json to the repository * adding a pull prior to the push * testing * further fixing on the script Signed-off-by: Aaron Lippold <lippold@gmail.com> * adding profile.json to the repository * added saving both the profile.json and the test-result.json to the repo on each change Signed-off-by: Aaron Lippold <lippold@gmail.com> * added git status Signed-off-by: Aaron Lippold <lippold@gmail.com> * trying to fix build Signed-off-by: Aaron Lippold <lippold@gmail.com> * removed profile.json and updated file to older version Signed-off-by: Aaron Lippold <lippold@gmail.com> * added git add to the command Signed-off-by: Aaron Lippold 
<lippold@gmail.com> * adding profile.json to the repository * adding test-result.json to the repository * updating controls to place impact adjustment in the main code body Signed-off-by: HackerShark <melsharkawi@mitre.org> * refactored conrols to match current style * fixed malformed control Signed-off-by: Aaron Lippold <lippold@gmail.com> * adding profile.json to the repository * adding test-result.json to the repository * testing to see if this gets the right branch name Signed-off-by: Aaron Lippold <lippold@gmail.com> * removed files for testing Signed-off-by: Aaron Lippold <lippold@gmail.com> * adding profile.json to the repository * adding test-result.json to the repository * updated to using the v2 preview of upload-artifact added the git --cache trick to allow for unchanged profile.json or test-result.json Signed-off-by: Aaron Lippold <lippold@gmail.com> * fixed json file Signed-off-by: Aaron Lippold <lippold@gmail.com> * added -f for the git add commands Signed-off-by: Aaron Lippold <lippold@gmail.com> * being a bit more forceful ... Signed-off-by: Aaron Lippold <lippold@gmail.com> * removing git commits for now to unblock the PR process - artifacts are still being saved. Signed-off-by: Aaron Lippold <lippold@gmail.com> * added the creation of the profile.json again Signed-off-by: Aaron Lippold <lippold@gmail.com> * fixing control logic Signed-off-by: HackerShark <melsharkawi@mitre.org> * adding profile.json to the repository * adding test-result.json to the repository * demoing a full run Signed-off-by: Aaron Lippold <lippold@gmail.com> * fixed the vagrant kichen file to use the vagrant user and not ec2-user Signed-off-by: Aaron Lippold <lippold@gmail.com> * Modified inspec.yml to use `block` style - Updated inspec.yml to remove any arrays or hashes with enclosing brackets. 
- The only time brackets are used is when an empty array ([]) or hash ({}) needs to be represented - Fixes #84 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Fixed reporting for V-71947 - This control was not splitting output lines into an array and was matching ALL lines containing 'NOPASSWD', which included commented lines. - Modified to use the `file` resource to be more OS agnostic and build a results array of uncommented lines containing 'NOPASSWD' - Reporting is improved for readability - Fixes #90 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Correct logic in V-81005 - Only OS versions earlier than 7.2 should be checked. Was checking any version 7.2 and later. - Fixes #91 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Fixed issues in V-72219 - Changed `firewalld_ports_deny` to a Hash instead of Array - Cast hash references to symbols for proper resolution - Fixes #28 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Fixes issue #56 Signed-off-by: HackerShark <melsharkawi@mitre.org> * Fixing logic error * Fixes issue #55 Signed-off-by: HackerShark <melsharkawi@mitre.org> * Fixing logic error * Updated V-72257 - Removed multiple individual tests and replaced with 'be_more_permissive_than' which covers all permission sets. - Changed the command to return key files to stop filtering by current permissions. Inspec should validate the permissions in tests. We need pre-filter results outside of tests. 
- Fixes #97 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Fixes #57 Signed-off-by: HackerShark <melsharkawi@mitre.org> * Fixes #59 Signed-off-by: HackerShark <melsharkawi@mitre.org> * added note about long running controls Signed-off-by: Aaron Lippold <lippold@gmail.com> * added utf-8 encoding strings Signed-off-by: Aaron Lippold <lippold@gmail.com> * Fixed bug in V-71855 - Added input call for `rpm_verify_integrity_except` - Fixes #103 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Fixed bug in V-71849 - Added input call for `rpm_verify_perms_except` - Fixes #102 Signed-off-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> * Fixes #58 Signed-off-by: HackerShark <melsharkawi@mitre.org> * fixing error Signed-off-by: HackerShark <melsharkawi@mitre.org> * Fixes #53 Signed-off-by: HackerShark <melsharkawi@mitre.org> * fixing error Signed-off-by: HackerShark <melsharkawi@mitre.org> * updated logic to properly look for systems that don't use passwords for authentication Signed-off-by: HackerShark <melsharkawi@mitre.org> * Fixes #54 Signed-off-by: HackerShark <melsharkawi@mitre.org> * fixing error Signed-off-by: HackerShark <melsharkawi@mitre.org> * updated logic to properly look for systems that don't use passwords for authentication Signed-off-by: HackerShark <melsharkawi@mitre.org> * testing gpg Signed-off-by: Aaron Lippold <lippold@gmail.com> * Update workflow to not install ruby twice, remove a few unnecessary commands * Do not install chef workstation and instead just use ruby 2.7 with Chef gems * Cleanup kitchen.yml, add vanilla test run This cleans up the code for kitchen to deduplicate some items between kitchen.ec2.yml and kitchen.vagrant.yml. It also adds support for vanilla and hardened threshold levels that the CI can be tested against. 
* Remove proxy-related pieces of kitchen vagrant file * Try running Vagrant with macos in GH Actions * Remove EC2 verification step and perform the verification in Github Actions using Vagrant instead * Verify using Vagrant for every PR, only verify using EC2 on release * Fix update profile script to properly push to PRs * Rename inputs.example.yml to a more descriptive name * Move inspec check to a different file, fix the Github action profile.json push back to repository * Updating profile.json in the repository * Add clarification with respect to local testing and EC2 versus Vagrant * Fixes #91 Signed-off-by: HackerShark <melsharkawi@mitre.org> * Fixes #112 Signed-off-by: HackerShark <melsharkawi@mitre.org> * Fixes #101 Signed-off-by: HackerShark <melsharkawi@mitre.org> * Fixes #31 (#110) * Fixes #31 Signed-off-by: HackerShark <melsharkawi@mitre.org> * updating logic to call inputs directly Signed-off-by: HackerShark <melsharkawi@mitre.org> * Fixes #111 (#118) * Fixes #111 Signed-off-by: HackerShark <melsharkawi@mitre.org> * Updating profile.json in the repository * Revert "Fixes #111 (#118)" This reverts commit e53c5a4f39582120c93d603fd816130fcc165127. * Switch over to the official ruby setup since the actions/setup-ruby one is throwing an error * Lock ruby version to 2.6 in order to avoid Puppet load error bundler is installed automatically, no need to install it as part of our steps Release Puppet version lock * Updating profile.json in the repository * Update V-72417.rb bugfix * Add Trend AV to V-72213 checks Trend Micro Anti-virus service is named 'ds_agent'. This adds one more type of anti-virus this check can check for. 
* Updating profile.json in the repository * Fix describe.one formatting for V-72213 * Updating profile.json in the repository * Fixes #115, fixes #25 (#124) * Fixes #115, fixes #25 Signed-off-by: HackerShark <melsharkawi@mitre.org> * Updating profile.json in the repository * Revert "Fixes #111 (#118)" This reverts commit e53c5a4f39582120c93d603fd816130fcc165127. * Switch over to the official ruby setup since the actions/setup-ruby one is throwing an error * Lock ruby version to 2.6 in order to avoid Puppet load error bundler is installed automatically, no need to install it as part of our steps Release Puppet version lock * Updating profile.json in the repository * Update V-72417.rb bugfix * Add Trend AV to V-72213 checks Trend Micro Anti-virus service is named 'ds_agent'. This adds one more type of anti-virus this check can check for. * Updating profile.json in the repository * Fix describe.one formatting for V-72213 * Updating profile.json in the repository * Fixes #115, fixes #25 Signed-off-by: HackerShark <melsharkawi@mitre.org> * Updating profile.json in the repository * Fixes #115, fixes #25 Signed-off-by: HackerShark <melsharkawi@mitre.org> * rebase, resolve merge conflicts Signed-off-by: HackerShark <melsharkawi@mitre.org> * Updating profile.json in the repository * Updating profile.json in the repository Co-authored-by: Robert Clark <rbclark@mitre.org> Co-authored-by: rbclark <rbclark@users.noreply.github.com> Co-authored-by: Maven35 <Charles.Tony.Gibbs@gmail.com> Co-authored-by: ejaronne <34140975+ejaronne@users.noreply.github.com> Co-authored-by: ejaronne <ejaronne@users.noreply.github.com> * Fixes #114 (#131) * Add Trend AV to V-72213 checks Trend Micro Anti-virus service is named 'ds_agent'. This adds one more type of anti-virus this check can check for. 
* Updating profile.json in the repository * Fix describe.one formatting for V-72213 * Updating profile.json in the repository * Fixes #114 Signed-off-by: HackerShark <melsharkawi@mitre.org> * Updating profile.json in the repository * fixing syntax error Signed-off-by: HackerShark <melsharkawi@mitre.org> * Delete profile.json * Fixes #114 Signed-off-by: HackerShark <melsharkawi@mitre.org> * fixing syntax error Signed-off-by: HackerShark <melsharkawi@mitre.org> * Updating profile.json in the repository * Fixes #115, fixes #25 (#124) * Fixes #115, fixes #25 Signed-off-by: HackerShark <melsharkawi@mitre.org> * Updating profile.json in the repository * Revert "Fixes #111 (#118)" This reverts commit e53c5a4f39582120c93d603fd816130fcc165127. * Switch over to the official ruby setup since the actions/setup-ruby one is throwing an error * Lock ruby version to 2.6 in order to avoid Puppet load error bundler is installed automatically, no need to install it as part of our steps Release Puppet version lock * Updating profile.json in the repository * Update V-72417.rb bugfix * Add Trend AV to V-72213 checks Trend Micro Anti-virus service is named 'ds_agent'. This adds one more type of anti-virus this check can check for. 
* Updating profile.json in the repository * Fix describe.one formatting for V-72213 * Updating profile.json in the repository * Fixes #115, fixes #25 Signed-off-by: HackerShark <melsharkawi@mitre.org> * Updating profile.json in the repository * Fixes #115, fixes #25 Signed-off-by: HackerShark <melsharkawi@mitre.org> * rebase, resolve merge conflicts Signed-off-by: HackerShark <melsharkawi@mitre.org> * Updating profile.json in the repository * Updating profile.json in the repository Co-authored-by: Robert Clark <rbclark@mitre.org> Co-authored-by: rbclark <rbclark@users.noreply.github.com> Co-authored-by: Maven35 <Charles.Tony.Gibbs@gmail.com> Co-authored-by: ejaronne <34140975+ejaronne@users.noreply.github.com> Co-authored-by: ejaronne <ejaronne@users.noreply.github.com> * Fixes #114 Signed-off-by: HackerShark <melsharkawi@mitre.org> * fixing syntax error Signed-off-by: HackerShark <melsharkawi@mitre.org> * Updating profile.json in the repository * Updating profile.json in the repository Co-authored-by: ejaronne <34140975+ejaronne@users.noreply.github.com> Co-authored-by: ejaronne <ejaronne@users.noreply.github.com> Co-authored-by: Robert Clark <rbclark@mitre.org> Co-authored-by: rbclark <rbclark@users.noreply.github.com> Co-authored-by: Aaron Lippold <lippold@gmail.com> Co-authored-by: Maven35 <Charles.Tony.Gibbs@gmail.com> * Update inspec.yml locking inspec_version * Updating profile.json in the repository * fixing #132 (#133) * fixing #132 Signed-off-by: HackerShark <melsharkawi@mitre.org> * Updating profile.json in the repository * Update inspec.yml locking inspec_version * Updating profile.json in the repository * version bump * Updating profile.json in the repository Co-authored-by: Aaron Lippold <lippold@gmail.com> Co-authored-by: Lesley Kimmel <lesley.j.kimmel@users.noreply.github.com> Co-authored-by: ljkimmel <31107861+ljkimmel@users.noreply.github.com> Co-authored-by: GitHub Action <action@github.com> Co-authored-by: Robert Clark <rbclark@mitre.org> 
Co-authored-by: rbclark <rbclark@users.noreply.github.com> Co-authored-by: Maven35 <Charles.Tony.Gibbs@gmail.com> Co-authored-by: ejaronne <34140975+ejaronne@users.noreply.github.com> Co-authored-by: ejaronne <ejaronne@users.noreply.github.com> * Delete greetings_program.yml * added 4th NOTICE statement since this is STIG based * Update README.md * Rename LICENSE to LICENSE.md * Update README.md * Update README.md * Update README.md * Update README.md * Update README.md * Updating profile.json in the repository * Update find controls to use -xdev tags to prevent search of network fs * Update V-72039 add -xdev to find command Signed-off-by: Rony Xavier <rxavier@mitre.org> * Updating profile.json in the repository * Remove caching The cache seems to be causing issues with nokogiri * Adding a new disconnected_system flag to allow the ability to flag certain controls that require external connectivity in the target system * Modifying the V-71999 control to use the new disconnected_system flag * Fixing the flag typo on the control * Fixing another Ruby typo * fixed location of if statement fixed regex escaping Signed-off-by: Aaron Lippold <lippold@gmail.com> * Updating profile.json in the repository * removed the v2.6 branch from the workflows (#142) * removed the v2.6 branch from the workflows now that it has been merged Signed-off-by: Aaron Lippold <lippold@gmail.com> * Updating profile.json in the repository * removed the conflicting profile.json Signed-off-by: Aaron Lippold <lippold@gmail.com> Co-authored-by: aaronlippold <aaronlippold@users.noreply.github.com> * Remove Rev_4 from NIST tag (#143) * Remove Rev_4 from NIST tag - removed the Rev_4 array element form the NIST tag array Signed-off-by: Aaron Lippold <lippold@gmail.com> * Updating profile.json in the repository * Updating profile.json in the repository Co-authored-by: aaronlippold <aaronlippold@users.noreply.github.com> * updated the profile version number * removed unneeded lines * fixed the ec2 testing 
to go on PR or Push Signed-off-by: Aaron Lippold <lippold@gmail.com> * testing updates for ec2 builds and testing Signed-off-by: Aaron Lippold <lippold@gmail.com> * put things back Signed-off-by: Aaron Lippold <lippold@gmail.com> * turned the matrix back on and fixed file names for ec2 runs Signed-off-by: Aaron Lippold <lippold@gmail.com> * fixed typo in the yaml Signed-off-by: Aaron Lippold <lippold@gmail.com> * fixed broken step Signed-off-by: Aaron Lippold <lippold@gmail.com> * updated Workflow name for easier reading when demoing Signed-off-by: Aaron Lippold <lippold@gmail.com> * corrected typo for mfa removed quotes around input for MFA: changed multifactor_enabled: "true" to multifactor_enabled: true * fixed reference to input * fixed reference to input * fixed another reference to input * another fix to input refernce * fixed new line issues * ensuring no profile errors * ensuring no profile errors * Updated License.md Signed-off-by: karikarshivani <karikarshivani@gmail.com> * Updating profile.json in the repository * Updated inspec.yml to the latest standards Signed-off-by: karikarshivani <karikarshivani@gmail.com> * Updating profile.json in the repository * Updating README.md to latest standards Signed-off-by: HackerShark <melsharkawi@mitre.org> * Updating profile.json in the repository * adding a sensitive input for test and demo * Revert "adding a sensitive input for test and demo" This reverts commit 569e50997e55b214c16cadae3ccc57c18e980b5e. * Check permissions for all auditd rules in a cleaner manner The previous method was causing very opaque failures due to permissions returning a nil array in some cases and `nil.include` was causing an error. This change provides a much more straightfoward error to show users that they have to add the execute filter in auditd for their test to pass. * Updating profile.json in the repository * Remove newline from middle of starting This was causing a newline to show up in the scan results. 
* Updating profile.json in the repository * Fix supports for base profile (#162) * Fix supports for base profile Testing if this falls through to child profiles * Updating profile.json in the repository * added centos Signed-off-by: GitHub <noreply@github.com> * update profile.json Signed-off-by: GitHub <noreply@github.com> * fixing profile.json Signed-off-by: GitHub <noreply@github.com> * Updating profile.json in the repository Co-authored-by: aaronlippold <aaronlippold@users.noreply.github.com> * swapped descs to tags Signed-off-by: Will Dower <wdower@mitre.org> * rubocop run Signed-off-by: Will Dower <wdower@mitre.org> * fixed a buggy regex Signed-off-by: Will Dower <wdower@mitre.org> * used inspec_delta profile update_id to update control filenames to SV-XXXXXX Signed-off-by: Will Dower <wdower@mitre.org> * ran inspec_delta profile update to update metadata/control names Signed-off-by: Will Dower <wdower@mitre.org> * swapped out check, fix, and rational tags for descs Signed-off-by: Will Dower <wdower@mitre.org> * ran rubocop Signed-off-by: Will Dower <wdower@mitre.org> * fixed buggy regex Signed-off-by: Will Dower <wdower@mitre.org> * moved descs to tags Signed-off-by: Will Dower <wdower@mitre.org> * added LineLength to rubocop Signed-off-by: Will Dower <wdower@mitre.org> * ran update Signed-off-by: Will Dower <wdower@mitre.org> * swapped out tags for check, fix, rational with descs Signed-off-by: Will Dower <wdower@mitre.org> * updating to use the pipeline config that we will use for gitlab repo side Signed-off-by: Will Dower <wdower@mitre.org> * pulling in correct Gemfile for this pipeline version Signed-off-by: Will Dower <wdower@mitre.org> * made a local docker testing yml and some docker testing inputs Signed-off-by: Will Dower <wdower@mitre.org> * first few new controls Signed-off-by: Will Dower <wdower@mitre.org> * wrote the brand new controls, removed spec dir Signed-off-by: Will Dower <wdower@mitre.org> * removed unecessary files from old profile 
version Signed-off-by: Will Dower <wdower@mitre.org> * merging in pipeline control code Signed-off-by: Will Dower <wdower@mitre.org> * removing controls from previous versions of the STIG that have been deprecated Signed-off-by: Will Dower <wdower@mitre.org> * refactored audit control Signed-off-by: Will Dower <wdower@mitre.org> * finished updating audit controls to new pattern Signed-off-by: Will Dower <wdower@mitre.org> * further updates to old control code, fixed pipeline to run the full profile, updated the hardened ec2 threshold Signed-off-by: Will Dower <wdower@mitre.org> * last batch of updates to control code to bring it to current STIG release Signed-off-by: Will Dower <wdower@mitre.org> * fixing profile errors Signed-off-by: Will Dower <wdower@mitre.org> * fixed profile errors from pipeline, started adding tags to the controls based on container applicability and subsystem category Signed-off-by: Will Dower <wdower@mitre.org> * assessing more controls for container applicability Signed-off-by: Will Dower <wdower@mitre.org> * refactored the remaining audit controls to match the new pattern, applied tags Signed-off-by: Will Dower <wdower@mitre.org> * finished tagging controls for container applicability Signed-off-by: Will Dower <wdower@mitre.org> * clarifying test output, fixing bugs Signed-off-by: Will Dower <wdower@mitre.org> * taking a look at the pam controls Signed-off-by: Will Dower <wdower@mitre.org> * updating README Signed-off-by: Will Dower <wdower@mitre.org> * adding in a few more container checks, figured out a cleaner test pattern for the pam checks Signed-off-by: Will Dower <wdower@mitre.org> * small tweaks to inspec.yml and the README Signed-off-by: Will Dower <wdower@mitre.org> * removed threshold file from controls dir Signed-off-by: Aaron Lippold <lippold@gmail.com> * Updated the README and `inspec.yml` - updated langauage to not promise an ATO if they ran this on their system - udpated all organizational references to offical sources, 
DISA, NIST, etc - simplified and corrected direction on execution of the profile both locally and from an archive - simplified language and use of acronyms - corrected vendor references and names - corrected instructions on use of inputs - corrected references to SRGs, STIGs, CCIs, NIST 800-53 controls etc - removed all external links - wikipedia etc - and used official publications - linted for GitLab Markdown Styleguide - reformatted yaml files Signed-off-by: Aaron Lippold <lippold@gmail.com> * Forgot the container aware section and enhanced the inputs section for a bit more clarity as to why they want to do things this way * Add new file * Update CONTAINER-ONLY-TESTS.md * Documented the create method * added links to profile stats * getting the paths working * Update README.md * Simplified the Profile stats section * Fixed typo in path * clarified the intended use of the main branch vs our formal releases * Grammar * removed unneeded bolding of text and a few other grammar use issues * Update README.md * fixed broken link * Update README.md * Update README.md * Delete CONTAINER-ONLY-TESTS.md * moved the container applicable controls page to a wiki * fixed typo in kitchen.dokken-local.yml Signed-off-by: Aaron Lippold <lippold@gmail.com> * Update section depth to be more logical with what the user has to do and added section links * Logical flow and information grouping * Update README.md * Update README.md * Update README.md * tweaking the README Signed-off-by: Will Dower <wdower@mitre.org> * adding cli output to container pipeline run for easier reading Signed-off-by: Will Dower <wdower@mitre.org> * adjusted the rest of the pam checks, added a few more inputs for configurability Signed-off-by: Will Dower <wdower@mitre.org> * standardized input names, fixed a few broken inputs in the Signed-off-by: Will Dower <wdower@mitre.org> * fixed broken inputs, updated README to explain the expected vs max/min inputs Signed-off-by: Will Dower <wdower@mitre.org> * removed to_i calls in several tests to ensure that nil values don't get incorrectly cast as '0' Signed-off-by: Will Dower <wdower@mitre.org> * fixed bug in which audit space_left was expected to exactly equal what should have been a minimum threshold Signed-off-by: Will Dower <wdower@mitre.org> * fixed parse_config_file matching regex to allow for the value to be contained in quotes Signed-off-by: Will Dower <wdower@mitre.org> * fixed the regex to allow for whitespace, fixed test to account for nil result Signed-off-by: Will Dower <wdower@mitre.org> * cleaned up output for readability Signed-off-by: Will Dower <wdower@mitre.org> * fixing too recent inspec version Signed-off-by: Will Dower <wdower@mitre.org> * started adding sub-descriptions for na and container situations Signed-off-by: Aaron Lippold <lippold@gmail.com> * removed controls that were consolidated into other controls in V3R6 Signed-off-by: Will Dower <wdower@mitre.org> * Revert "started adding sub-descriptions for na and container situations" since it caused a pipeline fail This reverts commit 73057e25ab71e8dd6c08d36251bd0aaafcca75bf. * Remove puppet hardening (unmaintained) * ansible vanilla role * ansible hardening role * ansible hardened role (directly from ansible-rhel7-stig-hardening) * Uses actions to clone hardening repository * Updating profile.json in the reposito…
…cp_on' option in V-72433
Closes #56