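# InSpec controls for a CIS CentOS benchmark; each control id is the XCCDF rule
# name and each control pins a single benchmark recommendation.
#
# Conventions used throughout:
#   * `impact 0.0` with no describe block means the rule carries no automated
#     check here (manual verification or an unmapped SCAP resource).
#   * `describe.one` passes when ANY of its inner describe blocks passes; it is
#     used where "package absent" is an acceptable alternative to "service or
#     entry disabled".
#   * File-content checks are regex matches against the whole file, so every
#     pattern is anchored with `^`/`$` (line anchors in Ruby) to avoid matching
#     inside unrelated lines.

# ---------------------------------------------------------------------------
# 1.1 Filesystem configuration
# ---------------------------------------------------------------------------

control "xccdf_org.cisecurity.benchmarks_rule_1.1.1_Create_Separate_Partition_for_tmp" do
  title "Create Separate Partition for /tmp"
  desc "The /tmp directory is a world-writable directory used for temporary storage by all users and some applications."
  impact 1.0
  describe mount("/tmp") do
    it { should be_mounted }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.1.2_Set_nodev_option_for_tmp_Partition" do
  title "Set nodev option for /tmp Partition"
  desc "The nodev mount option specifies that the filesystem cannot contain special devices."
  impact 1.0
  describe mount("/tmp") do
    it { should be_mounted }
  end
  describe mount("/tmp") do
    its("options") { should include "nodev" }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.1.3_Set_nosuid_option_for_tmp_Partition" do
  title "Set nosuid option for /tmp Partition"
  desc "The nosuid mount option specifies that the filesystem cannot contain set userid files."
  impact 1.0
  describe mount("/tmp") do
    it { should be_mounted }
  end
  describe mount("/tmp") do
    its("options") { should include "nosuid" }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.1.4_Set_noexec_option_for_tmp_Partition" do
  title "Set noexec option for /tmp Partition"
  desc "The noexec mount option specifies that the filesystem cannot contain executable binaries."
  impact 1.0
  describe mount("/tmp") do
    it { should be_mounted }
  end
  describe mount("/tmp") do
    its("options") { should include "noexec" }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.1.5_Create_Separate_Partition_for_var" do
  title "Create Separate Partition for /var"
  desc "The /var directory is used by daemons and other system services to temporarily store dynamic data. Some directories created by these processes may be world-writable."
  impact 1.0
  describe mount("/var") do
    it { should be_mounted }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.1.6_Bind_Mount_the_vartmp_directory_to_tmp" do
  title "Bind Mount the /var/tmp directory to /tmp"
  desc "The /var/tmp directory is normally a standalone directory in the /var file system. Binding /var/tmp to /tmp establishes an unbreakable link to /tmp that cannot be removed (even by the root user). It also allows /var/tmp to inherit the same mount options that /tmp owns, allowing /var/tmp to be protected in the same /tmp is protected. It will also prevent /var from filling up with temporary files as the contents of /var/tmp will actually reside in the file system containing /tmp."
  impact 1.0
  # Looks for the fstab bind entry "/tmp /var/tmp none bind 0 0" on a line of
  # its own. The pattern is anchored with `^`: the original started with `$`,
  # which is an end-of-line anchor and could only match by consuming the
  # previous line's newline, so an entry on the first line was never found.
  describe file("/etc/fstab") do
    its("content") { should match /^\s*\/tmp\s+\/var\/tmp\s+none\s+bind\s+0\s+0\s*$/ }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.1.7_Create_Separate_Partition_for_varlog" do
  title "Create Separate Partition for /var/log"
  desc "The /var/log directory is used by system services to store log data ."
  impact 1.0
  describe mount("/var/log") do
    it { should be_mounted }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.1.8_Create_Separate_Partition_for_varlogaudit" do
  title "Create Separate Partition for /var/log/audit"
  desc "The auditing daemon, auditd, stores log data in the /var/log/audit directory."
  impact 1.0
  describe mount("/var/log/audit") do
    it { should be_mounted }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.1.9_Create_Separate_Partition_for_home" do
  title "Create Separate Partition for /home"
  desc "The /home directory is used to support disk storage needs of local users."
  impact 1.0
  describe mount("/home") do
    it { should be_mounted }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.1.10_Add_nodev_Option_to_home" do
  title "Add nodev Option to /home"
  desc "When set on a file system, this option prevents character and block special devices from being defined, or if they exist, from being used as character and block special devices."
  impact 1.0
  describe mount("/home") do
    it { should be_mounted }
  end
  describe mount("/home") do
    its("options") { should include "nodev" }
  end
end

# 1.1.11 - 1.1.13: removable-media mount options cannot be checked without
# knowing which mount points are removable, so these carry no automated test.
control "xccdf_org.cisecurity.benchmarks_rule_1.1.11_Add_nodev_Option_to_Removable_Media_Partitions" do
  title "Add nodev Option to Removable Media Partitions"
  desc "Set nodev on removable media to prevent character and block special devices that are present on the removable be treated as these device files."
  impact 0.0
end

control "xccdf_org.cisecurity.benchmarks_rule_1.1.12_Add_noexec_Option_to_Removable_Media_Partitions" do
  title "Add noexec Option to Removable Media Partitions"
  desc "Set noexec on removable media to prevent programs from executing from the removable media."
  impact 0.0
end

control "xccdf_org.cisecurity.benchmarks_rule_1.1.13_Add_nosuid_Option_to_Removable_Media_Partitions" do
  title "Add nosuid Option to Removable Media Partitions"
  desc "Set nosuid on removable media to prevent setuid and setgid executable files that are on that media from being executed as setuid and setgid."
  impact 0.0
end

control "xccdf_org.cisecurity.benchmarks_rule_1.1.14_Add_nodev_Option_to_devshm_Partition" do
  title "Add nodev Option to /dev/shm Partition"
  desc "The nodev mount option specifies that the /dev/shm (temporary filesystem stored in memory) cannot contain block or character special devices."
  impact 1.0
  describe mount("/dev/shm") do
    it { should be_mounted }
  end
  describe mount("/dev/shm") do
    its("options") { should include "nodev" }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.1.15_Add_nosuid_Option_to_devshm_Partition" do
  title "Add nosuid Option to /dev/shm Partition"
  desc "The nosuid mount option specifies that the /dev/shm (temporary filesystem stored in memory) will not execute setuid and setgid on executable programs as such, but rather execute them with the uid and gid of the user executing the program."
  impact 1.0
  describe mount("/dev/shm") do
    it { should be_mounted }
  end
  describe mount("/dev/shm") do
    its("options") { should include "nosuid" }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.1.16_Add_noexec_Option_to_devshm_Partition" do
  title "Add noexec Option to /dev/shm Partition"
  desc "Set noexec on the shared memory partition to prevent programs from executing from there."
  impact 1.0
  describe mount("/dev/shm") do
    it { should be_mounted }
  end
  describe mount("/dev/shm") do
    its("options") { should include "noexec" }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.1.17_Set_Sticky_Bit_on_All_World-Writable_Directories" do
  title "Set Sticky Bit on All World-Writable Directories"
  desc "Setting the sticky bit on world writable directories prevents users from deleting or renaming files in that directory that are not owned by them."
  impact 1.0
  # Lists directories that are world-writable (-perm -00002) but lack the
  # sticky bit (! -perm -01000); compliant hosts produce no output. The walk
  # starts at / with no -xdev, so it crosses into every mounted filesystem
  # (including the separate /tmp, /var, /home partitions required above and
  # any pseudo-filesystems); only stdout is examined, so permission errors
  # on stderr do not affect the result.
  describe command("find / -type d -perm -00002 \\! -perm -01000") do
    its("stdout") { should be_empty }
  end
end

# 1.1.18 - 1.1.24: uncommon filesystem types; no automated check is attached.
control "xccdf_org.cisecurity.benchmarks_rule_1.1.18_Disable_Mounting_of_cramfs_Filesystems" do
  title "Disable Mounting of cramfs Filesystems"
  desc "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image."
  impact 0.0
end

control "xccdf_org.cisecurity.benchmarks_rule_1.1.19_Disable_Mounting_of_freevxfs_Filesystems" do
  title "Disable Mounting of freevxfs Filesystems"
  desc "The freevxfs filesystem type is a free version of the Veritas type filesystem. This is the primary filesystem type for HP-UX operating systems."
  impact 0.0
end

control "xccdf_org.cisecurity.benchmarks_rule_1.1.20_Disable_Mounting_of_jffs2_Filesystems" do
  title "Disable Mounting of jffs2 Filesystems"
  desc "The jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem used in flash memory devices."
  impact 0.0
end

control "xccdf_org.cisecurity.benchmarks_rule_1.1.21_Disable_Mounting_of_hfs_Filesystems" do
  title "Disable Mounting of hfs Filesystems"
  desc "The hfs filesystem type is a hierarchical filesystem that allows you to mount Mac OS filesystems."
  impact 0.0
end

control "xccdf_org.cisecurity.benchmarks_rule_1.1.22_Disable_Mounting_of_hfsplus_Filesystems" do
  title "Disable Mounting of hfsplus Filesystems"
  desc "The hfsplus filesystem type is a hierarchical filesystem designed to replace hfs that allows you to mount Mac OS filesystems."
  impact 0.0
end

control "xccdf_org.cisecurity.benchmarks_rule_1.1.23_Disable_Mounting_of_squashfs_Filesystems" do
  title "Disable Mounting of squashfs Filesystems"
  desc "The squashfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems (similar to cramfs). A squashfs image can be used without having to first decompress the image."
  impact 0.0
end

control "xccdf_org.cisecurity.benchmarks_rule_1.1.24_Disable_Mounting_of_udf_Filesystems" do
  title "Disable Mounting of udf Filesystems"
  desc "The udf filesystem type is the universal disk format used to implement ISO/IEC 13346 and ECMA-167 specifications. This is an open vendor filesystem type for data storage on a broad range of media. This filesystem type is necessary to support writing DVDs and newer optical disc formats."
  impact 0.0
end

# ---------------------------------------------------------------------------
# 1.2 Software updates / package signing
# ---------------------------------------------------------------------------

control "xccdf_org.cisecurity.benchmarks_rule_1.2.1_Verify_CentOS_GPG_Key_is_Installed" do
  title "Verify CentOS GPG Key is Installed"
  desc "CentOS cryptographically signs updates with a GPG key to verify that they are valid."
  impact 1.0
  # "gpg-pubkey" is the pseudo-package rpm registers for each imported key;
  # presence of any key satisfies this check, it does not verify WHICH key.
  describe package("gpg-pubkey") do
    it { should be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.2.2_Verify_that_gpgcheck_is_Globally_Activated" do
  title "Verify that gpgcheck is Globally Activated"
  desc "The gpgcheck option, found in the main section of the /etc/yum.conf file determines if an RPM package's signature is always checked prior to its installation."
  impact 1.0
  # Requires a literal "gpgcheck=1" line (optionally followed by a comment);
  # per-repository overrides in /etc/yum.repos.d are not examined here.
  describe file("/etc/yum.conf") do
    its("content") { should match /^\s*gpgcheck=1\s*(#.*)?$/ }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.2.3_Obtain_Software_Package_Updates_with_yum" do
  title "Obtain Software Package Updates with yum"
  desc "The yum update utility performs software updates, including dependency analysis, based on repository metadata and can be run manually from the command line, invoked from one of the provided front-end tools, or configured to run automatically at specified intervals."
  impact 0.0
end

control "xccdf_org.cisecurity.benchmarks_rule_1.2.4_Verify_Package_Integrity_Using_RPM" do
  title "Verify Package Integrity Using RPM"
  desc "RPM has the capability of verifying installed packages by comparing the installed files against the file information stored in the package."
  impact 0.0
end

# ---------------------------------------------------------------------------
# 1.3 File integrity (AIDE)
# ---------------------------------------------------------------------------

control "xccdf_org.cisecurity.benchmarks_rule_1.3.1_Install_AIDE" do
  title "Install AIDE"
  desc "In some installations, AIDE is not installed automatically."
  impact 1.0
  describe package("aide") do
    it { should be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.3.2_Implement_Periodic_Execution_of_File_Integrity" do
  title "Implement Periodic Execution of File Integrity"
  desc "Implement periodic file checking, in compliance with site policy."
  impact 1.0
  # Only the exact benchmark example schedule (05:00 daily via root's crontab)
  # is accepted; a site that schedules aide differently will fail this check.
  describe file("/var/spool/cron/root") do
    its("content") { should match /^0 5 \* \* \* \/usr\/sbin\/aide --check$/ }
  end
end

# ---------------------------------------------------------------------------
# 1.4 SELinux
# ---------------------------------------------------------------------------

control "xccdf_org.cisecurity.benchmarks_rule_1.4.1_Ensure_SELinux_is_not_disabled_in_bootgrub2grub.cfg" do
  title "Ensure SELinux is not disabled in /boot/grub2/grub.cfg"
  desc "Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters"
  impact 1.0
  # Kernel command-line overrides that would defeat /etc/selinux/config.
  describe file("/boot/grub2/grub.cfg") do
    its("content") { should_not match /selinux=0/ }
  end
  describe file("/boot/grub2/grub.cfg") do
    its("content") { should_not match /enforcing=0/ }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.4.2_Set_the_SELinux_State" do
  title "Set the SELinux State"
  desc "Set SELinux to enable when the system is booted."
  impact 1.0
  describe file("/etc/selinux/config") do
    its("content") { should match /^SELINUX=enforcing$/ }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.4.3_Set_the_SELinux_Policy" do
  title "Set the SELinux Policy"
  desc "Configure SELinux to meet or exceed the default targeted policy, which constrains daemons and system software only."
  impact 1.0
  describe file("/etc/selinux/config") do
    its("content") { should match /^SELINUXTYPE=(targeted|strict|mls)$/ }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.4.4_Remove_SETroubleshoot" do
  title "Remove SETroubleshoot"
  desc "The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly interface. The service provides important information around configuration errors, unauthorized intrusions, and other potential errors."
  impact 1.0
  describe package("setroubleshoot") do
    it { should_not be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.4.5_Remove_MCS_Translation_Service_mcstrans" do
  title "Remove MCS Translation Service (mcstrans)"
  desc "The mcstransd daemon provides category label information to client processes requesting information. 
The label translations are defined in /etc/selinux/targeted/setrans.conf"
  impact 1.0
  describe package("mcstrans") do
    it { should_not be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.4.6_Check_for_Unconfined_Daemons" do
  title "Check for Unconfined Daemons"
  desc "Daemons that are not defined in SELinux policy will inherit the security context of their parent process."
  impact 1.0
  # The SCAP process58_test has no InSpec equivalent in this profile; the
  # control is reported as skipped rather than passed.
  describe "SCAP oval resource process58_test is not yet supported." do
    skip "SCAP oval resource process58_test is not yet supported."
  end
end

# ---------------------------------------------------------------------------
# 1.5 Boot loader
# ---------------------------------------------------------------------------

control "xccdf_org.cisecurity.benchmarks_rule_1.5.1_Set_UserGroup_Owner_on_bootgrub2grub.cfg" do
  title "Set User/Group Owner on /boot/grub2/grub.cfg"
  desc "Set the owner and group of /boot/grub2/grub.cfgto the root user."
  impact 1.0
  describe file("/boot/grub2/grub.cfg") do
    it { should exist }
  end
  describe file("/boot/grub2/grub.cfg") do
    its("gid") { should cmp 0 }
  end
  describe file("/boot/grub2/grub.cfg") do
    its("uid") { should cmp 0 }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.5.2_Set_Permissions_on_bootgrub2grub.cfg" do
  title "Set Permissions on /boot/grub2/grub.cfg"
  desc "Set permission on the /boot/grub2/grub.cfg file to read and write for root only."
  impact 1.0
  # No group or other permission bits may be set (equivalent to mode 0600 or
  # tighter for the non-owner classes).
  describe file("/boot/grub2/grub.cfg") do
    it { should exist }
  end
  describe file("/boot/grub2/grub.cfg") do
    it { should_not be_executable.by "group" }
  end
  describe file("/boot/grub2/grub.cfg") do
    it { should_not be_readable.by "group" }
  end
  describe file("/boot/grub2/grub.cfg") do
    it { should_not be_writable.by "group" }
  end
  describe file("/boot/grub2/grub.cfg") do
    it { should_not be_executable.by "other" }
  end
  describe file("/boot/grub2/grub.cfg") do
    it { should_not be_readable.by "other" }
  end
  describe file("/boot/grub2/grub.cfg") do
    it { should_not be_writable.by "other" }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.5.3_Set_Boot_Loader_Password" do
  title "Set Boot Loader Password"
  desc "Setting the boot loader password will require that anyone rebooting the system must enter a password before being able to set command line boot parameters"
  impact 1.0
  # Both a superusers list and a password directive (password or
  # password_pbkdf2) must appear in the generated grub.cfg.
  describe file("/boot/grub2/grub.cfg") do
    its("content") { should match /^set superusers=".*"\s*(?:#.*)?$/ }
  end
  describe file("/boot/grub2/grub.cfg") do
    its("content") { should match /^password/ }
  end
end

# ---------------------------------------------------------------------------
# 1.6 Process hardening
# ---------------------------------------------------------------------------

control "xccdf_org.cisecurity.benchmarks_rule_1.6.1_Restrict_Core_Dumps" do
  title "Restrict Core Dumps"
  desc "A core dump is the memory of an executable program. It is generally used to determine why a program aborted. It can also be used to glean confidential information from a core file. The system provides the ability to set a soft limit for core dumps, but this can be overridden by the user."
  impact 1.0
  # Hard limit of 0 for all users in limits.conf, plus the sysctl that stops
  # setuid programs from dumping core.
  describe file("/etc/security/limits.conf") do
    its("content") { should match /^\s*\*\shard\score\s0(\s+#.*)?$/ }
  end
  describe kernel_parameter("fs.suid_dumpable") do
    its("value") { should_not be_nil }
  end
  describe kernel_parameter("fs.suid_dumpable") do
    its("value") { should eq 0 }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.6.2_Enable_Randomized_Virtual_Memory_Region_Placement" do
  title "Enable Randomized Virtual Memory Region Placement"
  desc "Set the system flag to force randomized virtual memory region placement."
  impact 1.0
  # 2 = full ASLR (stack, mmap base, VDSO and brk).
  describe kernel_parameter("kernel.randomize_va_space") do
    its("value") { should_not be_nil }
  end
  describe kernel_parameter("kernel.randomize_va_space") do
    its("value") { should eq 2 }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_1.7_Use_the_Latest_OS_Release" do
  title "Use the Latest OS Release"
  desc "Periodically, CentOS releases updates to the CentOS operating system to support new hardware platforms, deliver new functionality as well as the bundle together a set of patches that can be tested as a unit."
  impact 0.0
end

# ---------------------------------------------------------------------------
# 2.1 Legacy network services
# ---------------------------------------------------------------------------

control "xccdf_org.cisecurity.benchmarks_rule_2.1.1_Remove_telnet-server" do
  title "Remove telnet-server"
  desc "The telnet-server package contains the telnetd daemon, which accepts connections from users from other systems via the telnet protocol."
  impact 1.0
  describe package("telnet-server") do
    it { should_not be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_2.1.2_Remove_telnet_Clients" do
  title "Remove telnet Clients"
  desc "The telnet package contains the telnet client, which allows users to start connections to other systems via the telnet protocol."
  impact 1.0
  describe package("telnet") do
    it { should_not be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_2.1.3_Remove_rsh-server" do
  title "Remove rsh-server"
  desc "The Berkeley rsh-server (rsh, rlogin, rcp) package contains legacy services that exchange credentials in clear-text."
  impact 1.0
  describe package("rsh-server") do
    it { should_not be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_2.1.4_Remove_rsh" do
  title "Remove rsh"
  desc "The rsh package contains the client commands for the rsh services."
  impact 1.0
  describe package("rsh") do
    it { should_not be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_2.1.5_Remove_NIS_Client" do
  title "Remove NIS Client"
  desc "The Network Information Service (NIS), formerly known as Yellow Pages, is a client-server directory service protocol used to distribute system configuration files. The NIS client (ypbind) was used to bind a machine to an NIS server and receive the distributed configuration files."
  impact 1.0
  describe package("ypbind") do
    it { should_not be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_2.1.6_Remove_NIS_Server" do
  title "Remove NIS Server"
  desc "The Network Information Service (NIS) (formally known as Yellow Pages) is a client-server directory service protocol for distributing system configuration files. The NIS server is a collection of programs that allow for the distribution of configuration files."
  impact 1.0
  describe package("ypserv") do
    it { should_not be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_2.1.7_Remove_tftp" do
  title "Remove tftp"
  desc "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot files between machines. TFTP does not support authentication and can be easily hacked. The package tftp is a client program that allows for connections to a tftp server."
  impact 1.0
  describe package("tftp") do
    it { should_not be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_2.1.8_Remove_tftp-server" do
  title "Remove tftp-server"
  desc "Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol, typically used to automatically transfer configuration or boot machines from a boot server. 
The package tftp-server is the server package used to define and support a TFTP server."
  impact 1.0
  describe package("tftp-server") do
    it { should_not be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_2.1.9_Remove_talk" do
  title "Remove talk"
  desc "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initialization of talk sessions) is installed by default."
  impact 1.0
  describe package("talk") do
    it { should_not be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_2.1.10_Remove_talk-server" do
  title "Remove talk-server"
  desc "The talk software makes it possible for users to send and receive messages across systems through a terminal session. The talk client (allows initiate of talk sessions) is installed by default."
  impact 1.0
  describe package("talk-server") do
    it { should_not be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_2.1.11_Remove_xinetd" do
  title "Remove xinetd"
  desc "The eXtended InterNET Daemon (xinetd) is an open source super daemon that replaced the original inetd daemon. The xinetd daemon listens for well known services and dispatches the appropriate daemon to properly respond to service requests."
  impact 1.0
  describe package("xinetd") do
    it { should_not be_installed }
  end
end

# 2.1.12 - 2.1.18: xinetd-managed services. Each control passes if either the
# specific service/socket type is disabled in the xinetd configuration or the
# xinetd package is absent altogether. The matcher is `be_disabled`; the
# original `should be disabled` (with a space) is RSpec's equality matcher
# `be(...)` applied to an undefined `disabled` name, which raised instead of
# testing the entry and only went unnoticed because the package check in the
# same `describe.one` usually passed.
control "xccdf_org.cisecurity.benchmarks_rule_2.1.12_Disable_chargen-dgram" do
  title "Disable chargen-dgram"
  desc "chargen-dgram is a network service that responds with 0 to 512 ASCII characters for each datagram it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
  impact 1.0
  describe.one do
    describe xinetd_conf.services("chargen").socket_types("dgram") do
      it { should be_disabled }
    end
    describe package("xinetd") do
      it { should_not be_installed }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_2.1.13_Disable_chargen-stream" do
  title "Disable chargen-stream"
  desc "chargen-stream is a network service that responds with 0 to 512 ASCII characters for each connection it receives. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
  impact 1.0
  describe.one do
    describe xinetd_conf.services("chargen").socket_types("stream") do
      it { should be_disabled }
    end
    describe package("xinetd") do
      it { should_not be_installed }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_2.1.14_Disable_daytime-dgram" do
  title "Disable daytime-dgram"
  desc "daytime-dgram is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
  impact 1.0
  describe.one do
    describe xinetd_conf.services("daytime").socket_types("dgram") do
      it { should be_disabled }
    end
    describe package("xinetd") do
      it { should_not be_installed }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_2.1.15_Disable_daytime-stream" do
  title "Disable daytime-stream"
  desc "daytime-stream is a network service that responds with the server's current date and time. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
  impact 1.0
  describe.one do
    describe xinetd_conf.services("daytime").socket_types("stream") do
      it { should be_disabled }
    end
    describe package("xinetd") do
      it { should_not be_installed }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_2.1.16_Disable_echo-dgram" do
  title "Disable echo-dgram"
  desc "echo-dgram is a network service that responds to clients with the data sent to it by the client. 
This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
  impact 1.0
  describe.one do
    describe xinetd_conf.services("echo").socket_types("dgram") do
      it { should be_disabled }
    end
    describe package("xinetd") do
      it { should_not be_installed }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_2.1.17_Disable_echo-stream" do
  title "Disable echo-stream"
  desc "echo-stream is a network service that responds to clients with the data sent to it by the client. This service is intended for debugging and testing purposes. It is recommended that this service be disabled."
  impact 1.0
  describe.one do
    describe xinetd_conf.services("echo").socket_types("stream") do
      it { should be_disabled }
    end
    describe package("xinetd") do
      it { should_not be_installed }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_2.1.18_Disable_tcpmux-server" do
  title "Disable tcpmux-server"
  desc "tcpmux-server is a network service that allows a client to access other network services running on the server. It is recommended that this service be disabled."
  impact 1.0
  describe.one do
    describe xinetd_conf.services("tcpmux").socket_types("stream") do
      it { should be_disabled }
    end
    describe package("xinetd") do
      it { should_not be_installed }
    end
  end
end

# ---------------------------------------------------------------------------
# 3 Special-purpose services
# ---------------------------------------------------------------------------

control "xccdf_org.cisecurity.benchmarks_rule_3.1_Set_Daemon_umask" do
  title "Set Daemon umask"
  desc "Set the default umask for all processes started at boot time. The settings in umask selectively turn off default permission when a file is created by a daemon process."
  impact 1.0
  describe file("/etc/sysconfig/init") do
    its("content") { should match /^\s*umask\s+027\s*(?:#.*)?$/ }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_3.2_Remove_the_X_Window_System" do
  title "Remove the X Window System"
  desc "The X Window system provides a Graphical User Interface (GUI) where users can have multiple windows in which to run programs and various add on. 
The X Window system is typically used on desktops where users login, but not on servers where users typically do not login."
  impact 1.0
  describe package("xorg-x11-server-common") do
    it { should_not be_installed }
  end
  describe file("/etc/systemd/system/default.target") do
    it { should exist }
  end
  # default.target is a symlink to the real target unit, so the resolved
  # `link_path` is what identifies a graphical default. The original compared
  # `basename`, which is always "default.target" for this path and therefore
  # could never fail.
  describe file("/etc/systemd/system/default.target") do
    its("link_path") { should_not match /graphical\.target$/ }
  end
end

# 3.3 / 3.4 / 3.8: a service that is disabled OR not installed at all both
# satisfy "disable the service". The original additionally required
# `be_installed`, which made these controls fail on hosts where the package
# had been removed outright (a stricter posture than the benchmark asks for).
# The `describe.one` form mirrors the xinetd controls in section 2.1.
control "xccdf_org.cisecurity.benchmarks_rule_3.3_Disable_Avahi_Server" do
  title "Disable Avahi Server"
  desc "Avahi is a free zeroconf implementation, including a system for multicast DNS/DNS-SD service discovery. Avahi allows programs to publish and discover services and hosts running on a local network with no specific configuration. For example, a user can plug a computer into a network and Avahi automatically finds printers to print to, files to look at and people to talk to, as well as network services running on the machine."
  impact 1.0
  describe.one do
    describe service("avahi-daemon") do
      it { should_not be_installed }
    end
    describe service("avahi-daemon") do
      it { should_not be_enabled }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_3.4_Disable_Print_Server_-_CUPS" do
  title "Disable Print Server - CUPS"
  desc "The Common Unix Print System (CUPS) provides the ability to print to both local and network printers. A system running CUPS can also accept print jobs from remote systems and print them to local printers. It also provides a web based remote administration capability."
  impact 0.0
  describe.one do
    describe service("cups") do
      it { should_not be_installed }
    end
    describe service("cups") do
      it { should_not be_enabled }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_3.5_Remove_DHCP_Server" do
  title "Remove DHCP Server"
  desc "The Dynamic Host Configuration Protocol (DHCP) is a service that allows machines to be dynamically assigned IP addresses."
  impact 1.0
  describe package("dhcp") do
    it { should_not be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_3.6_Configure_Network_Time_Protocol_NTP" do
  title "Configure Network Time Protocol (NTP)"
  desc "The Network Time Protocol (NTP) is designed to synchronize system clocks across a variety of systems and use a source that is highly accurate. The version of NTP delivered with CentOS can be found at http://www.ntp.org. NTP can be configured to be a client and/or a server."
  impact 1.0
  # The lookaheads require all five of kod/nomodify/notrap/nopeer/noquery on
  # the IPv4 and IPv6 default restrict lines, in any order, before any "#".
  describe file("/etc/ntp.conf") do
    its("content") { should match /^\s*restrict\s+default(?=[^#]*\s+kod)(?=[^#]*\s+nomodify)(?=[^#]*\s+notrap)(?=[^#]*\s+nopeer)(?=[^#]*\s+noquery)(\s+kod|\s+nomodify|\s+notrap|\s+nopeer|\s+noquery)*\s*(?:#.*)?$/ }
  end
  describe file("/etc/ntp.conf") do
    its("content") { should match /^\s*restrict\s+-6\s+default(?=[^#]*\s+kod)(?=[^#]*\s+nomodify)(?=[^#]*\s+notrap)(?=[^#]*\s+nopeer)(?=[^#]*\s+noquery)(\s+kod|\s+nomodify|\s+notrap|\s+nopeer|\s+noquery)*\s*(?:#.*)?$/ }
  end
  # At least one upstream server, and ntpd running as the unprivileged ntp user.
  describe file("/etc/ntp.conf") do
    its("content") { should match /^\s*server\s+\S+/ }
  end
  describe file("/etc/sysconfig/ntpd") do
    its("content") { should match /^\s*OPTIONS="[^"]*-u ntp:ntp[^"]*"\s*(?:#.*)?$/ }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_3.7_Remove_LDAP" do
  title "Remove LDAP"
  desc "The Lightweight Directory Access Protocol (LDAP) was introduced as a replacement for NIS/YP. It is a service that provides a method for looking up information from a central database. The default client/server LDAP application for CentOS is OpenLDAP."
  impact 0.0
  describe package("openldap-servers") do
    it { should_not be_installed }
  end
  describe package("openldap-clients") do
    it { should_not be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_3.8_Disable_NFS_and_RPC" do
  title "Disable NFS and RPC"
  desc "The Network File System (NFS) is one of the first and most widely distributed file systems in the UNIX environment. 
It provides the ability for systems to mount file systems of other servers through the network."
  impact 0.0
  # One `describe.one` per service so that every service must individually be
  # absent or disabled (a single `describe.one` over all of them would pass as
  # soon as any one service satisfied it).
  describe.one do
    describe service("rpcidmapd") do
      it { should_not be_installed }
    end
    describe service("rpcidmapd") do
      it { should_not be_enabled }
    end
  end
  describe.one do
    describe service("rpcsvcgssd") do
      it { should_not be_installed }
    end
    describe service("rpcsvcgssd") do
      it { should_not be_enabled }
    end
  end
  describe.one do
    describe service("rpcbind") do
      it { should_not be_installed }
    end
    describe service("rpcbind") do
      it { should_not be_enabled }
    end
  end
  describe.one do
    describe service("rpcgssd") do
      it { should_not be_installed }
    end
    describe service("rpcgssd") do
      it { should_not be_enabled }
    end
  end
  describe.one do
    describe service("nfslock") do
      it { should_not be_installed }
    end
    describe service("nfslock") do
      it { should_not be_enabled }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_3.9_Remove_DNS_Server" do
  title "Remove DNS Server"
  desc "The Domain Name System (DNS) is a hierarchical naming system that maps names to IP addresses for computers, services and other resources connected to a network."
  impact 0.0
  describe package("bind") do
    it { should_not be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_3.10_Remove_FTP_Server" do
  title "Remove FTP Server"
  desc "The File Transfer Protocol (FTP) provides networked computers with the ability to transfer files."
  impact 0.0
  describe package("vsftpd") do
    it { should_not be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_3.11_Remove_HTTP_Server" do
  title "Remove HTTP Server"
  desc "HTTP or web servers provide the ability to host web site content. The default HTTP server shipped with CentOS Linux is Apache."
  impact 0.0
  describe package("httpd") do
    it { should_not be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_3.12_Remove_Dovecot_IMAP_and_POP3_services" do
  title "Remove Dovecot (IMAP and POP3 services)"
  desc "Dovecot is an open source IMAP and POP3 server for Linux based systems."
  impact 0.0
  describe package("dovecot") do
    it { should_not be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_3.13_Remove_Samba" do
  title "Remove Samba"
  desc "The Samba daemon allows system administrators to configure their Linux systems to share file systems and directories with Windows desktops. Samba will advertise the file systems and directories via the Small Message Block (SMB) protocol. Windows desktop users will be able to mount these directories and file systems as letter drives on their systems."
  impact 0.0
  describe package("samba") do
    it { should_not be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_3.14_Remove_HTTP_Proxy_Server" do
  title "Remove HTTP Proxy Server"
  desc "The default HTTP proxy package shipped with CentOS Linux is squid."
  impact 0.0
  describe package("squid") do
    it { should_not be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_3.15_Remove_SNMP_Server" do
  title "Remove SNMP Server"
  desc "The Simple Network Management Protocol (SNMP) server is used to listen for SNMP commands from an SNMP management system, execute the commands or collect the information and then send results back to the requesting system."
  impact 0.0
  describe package("net-snmp") do
    it { should_not be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_3.16_Configure_Mail_Transfer_Agent_for_Local-Only_Mode" do
  title "Configure Mail Transfer Agent for Local-Only Mode"
  desc "Mail Transfer Agents (MTA), such as sendmail and Postfix, are used to listen for incoming mail and transfer the messages to the appropriate user or mail server. If the system is not intended to be a mail server, it is recommended that the MTA be configured to only process local mail. By default, the MTA is set to loopback mode on CentOS."
  impact 1.0
  # The SCAP inetlisteningservers_test (MTA bound to loopback only) has no
  # InSpec equivalent in this profile; reported as skipped.
  describe "SCAP oval resource inetlisteningservers_test is not yet supported." do
    skip "SCAP oval resource inetlisteningservers_test is not yet supported."
  end
end

# ---------------------------------------------------------------------------
# 4 Network configuration (sysctl)
# ---------------------------------------------------------------------------
# Each parameter is checked twice: `should_not be_nil` gives a clear failure
# when the sysctl is missing, `should eq N` pins the required value.

control "xccdf_org.cisecurity.benchmarks_rule_4.1.1_Disable_IP_Forwarding" do
  title "Disable IP Forwarding"
  desc "The net.ipv4.ip_forward flag is used to tell the server whether it can forward packets or not. If the server is not to be used as a router, set the flag to 0."
  impact 1.0
  describe kernel_parameter("net.ipv4.ip_forward") do
    its("value") { should_not be_nil }
  end
  describe kernel_parameter("net.ipv4.ip_forward") do
    its("value") { should eq 0 }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_4.1.2_Disable_Send_Packet_Redirects" do
  title "Disable Send Packet Redirects"
  desc "ICMP Redirects are used to send routing information to other hosts. As a host itself does not act as a router (in a host only configuration), there is no need to send redirects."
  impact 1.0
  describe kernel_parameter("net.ipv4.conf.all.send_redirects") do
    its("value") { should_not be_nil }
  end
  describe kernel_parameter("net.ipv4.conf.all.send_redirects") do
    its("value") { should eq 0 }
  end
  describe kernel_parameter("net.ipv4.conf.default.send_redirects") do
    its("value") { should_not be_nil }
  end
  describe kernel_parameter("net.ipv4.conf.default.send_redirects") do
    its("value") { should eq 0 }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_4.2.1_Disable_Source_Routed_Packet_Acceptance" do
  title "Disable Source Routed Packet Acceptance"
  desc "In networking, source routing allows a sender to partially or fully specify the route packets take through a network. In contrast, non-source routed packets travel a path determined by routers in the network. In some cases, systems may not be routable or reachable from some locations (e.g. private addresses vs. Internet routable), and so source routed packets would need to be used."
  impact 1.0
  describe kernel_parameter("net.ipv4.conf.all.accept_source_route") do
    its("value") { should_not be_nil }
  end
  describe kernel_parameter("net.ipv4.conf.all.accept_source_route") do
    its("value") { should eq 0 }
  end
  describe kernel_parameter("net.ipv4.conf.default.accept_source_route") do
    its("value") { should_not be_nil }
  end
  describe kernel_parameter("net.ipv4.conf.default.accept_source_route") do
    its("value") { should eq 0 }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_4.2.2_Disable_ICMP_Redirect_Acceptance" do
  title "Disable ICMP Redirect Acceptance"
  desc "ICMP redirect messages are packets that convey routing information and tell your host (acting as a router) to send packets via an alternate path. It is a way of allowing an outside routing device to update your system routing tables. By setting net.ipv4.conf.all.accept_redirects to 0, the system will not accept any ICMP redirect messages, and therefore, won't allow outsiders to update the system's routing tables."
  impact 1.0
  describe kernel_parameter("net.ipv4.conf.all.accept_redirects") do
    its("value") { should_not be_nil }
  end
  describe kernel_parameter("net.ipv4.conf.all.accept_redirects") do
    its("value") { should eq 0 }
  end
  describe kernel_parameter("net.ipv4.conf.default.accept_redirects") do
    its("value") { should_not be_nil }
  end
  describe kernel_parameter("net.ipv4.conf.default.accept_redirects") do
    its("value") { should eq 0 }
  end
end

# NOTE(review): this control's body (impact and describe blocks) continues
# beyond the reviewed span and is left exactly as it follows.
control "xccdf_org.cisecurity.benchmarks_rule_4.2.3_Disable_Secure_ICMP_Redirect_Acceptance" do
  title "Disable Secure ICMP Redirect Acceptance"
  desc "Secure ICMP redirects are the same as ICMP redirects, except they come from gateways listed on the default gateway list. It is assumed that these gateways are known to your system, and that they are likely to be secure."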
impact 1.0 describe kernel_parameter("net.ipv4.conf.all.secure_redirects") do its("value") { should_not be_nil } end describe kernel_parameter("net.ipv4.conf.all.secure_redirects") do its("value") { should eq 0 } end describe kernel_parameter("net.ipv4.conf.default.secure_redirects") do its("value") { should_not be_nil } end describe kernel_parameter("net.ipv4.conf.default.secure_redirects") do its("value") { should eq 0 } end end control "xccdf_org.cisecurity.benchmarks_rule_4.2.4_Log_Suspicious_Packets" do title "Log Suspicious Packets" desc "When enabled, this feature logs packets with un-routable source addresses to the kernel log." impact 1.0 describe kernel_parameter("net.ipv4.conf.all.log_martians") do its("value") { should_not be_nil } end describe kernel_parameter("net.ipv4.conf.all.log_martians") do its("value") { should eq 1 } end describe kernel_parameter("net.ipv4.conf.default.log_martians") do its("value") { should_not be_nil } end describe kernel_parameter("net.ipv4.conf.default.log_martians") do its("value") { should eq 1 } end end control "xccdf_org.cisecurity.benchmarks_rule_4.2.5_Enable_Ignore_Broadcast_Requests" do title "Enable Ignore Broadcast Requests" desc "Setting net.ipv4.icmp_echo_ignore_broadcasts to 1 will cause the system to ignore all ICMP echo and timestamp requests to broadcast and multicast addresses." impact 1.0 describe kernel_parameter("net.ipv4.icmp_echo_ignore_broadcasts") do its("value") { should_not be_nil } end describe kernel_parameter("net.ipv4.icmp_echo_ignore_broadcasts") do its("value") { should eq 1 } end end control "xccdf_org.cisecurity.benchmarks_rule_4.2.6_Enable_Bad_Error_Message_Protection" do title "Enable Bad Error Message Protection" desc "Setting icmp_ignore_bogus_error_responses to 1 prevents the kernel from logging bogus responses (RFC-1122 non-compliant) from broadcast reframes, keeping file systems from filling up with useless log messages." 
impact 1.0 describe kernel_parameter("net.ipv4.icmp_ignore_bogus_error_responses") do its("value") { should_not be_nil } end describe kernel_parameter("net.ipv4.icmp_ignore_bogus_error_responses") do its("value") { should eq 1 } end end control "xccdf_org.cisecurity.benchmarks_rule_4.2.7_Enable_RFC-recommended_Source_Route_Validation" do title "Enable RFC-recommended Source Route Validation" desc "Setting net.ipv4.conf.all.rp_filter and net.ipv4.conf.default.rp_filter to 1 forces the Linux kernel to utilize reverse path filtering on a received packet to determine if the packet was valid. Essentially, with reverse path filtering, if the return packet does not go out the same interface that the corresponding source packet came from, the packet is dropped (and logged if log_martians is set)." impact 1.0 describe kernel_parameter("net.ipv4.conf.all.rp_filter") do its("value") { should_not be_nil } end describe kernel_parameter("net.ipv4.conf.all.rp_filter") do its("value") { should eq 1 } end describe kernel_parameter("net.ipv4.conf.default.rp_filter") do its("value") { should_not be_nil } end describe kernel_parameter("net.ipv4.conf.default.rp_filter") do its("value") { should eq 1 } end end control "xccdf_org.cisecurity.benchmarks_rule_4.2.8_Enable_TCP_SYN_Cookies" do title "Enable TCP SYN Cookies" desc "When tcp_syncookies is set, the kernel will handle TCP SYN packets normally until the half-open connection queue is full, at which time, the SYN cookie functionality kicks in. SYN cookies work by not using the SYN queue at all. Instead, the kernel simply replies to the SYN with a SYN|ACK, but will include a specially crafted TCP sequence number that encodes the source and destination IP address and port number and the time the packet was sent. A legitimate connection would send the ACK packet of the three way handshake with the specially crafted sequence number. 
This allows the server to verify that it has received a valid response to a SYN cookie and allow the connection, even though there is no corresponding SYN in the queue." impact 1.0 describe kernel_parameter("net.ipv4.tcp_syncookies") do its("value") { should_not be_nil } end describe kernel_parameter("net.ipv4.tcp_syncookies") do its("value") { should eq 1 } end end control "xccdf_org.cisecurity.benchmarks_rule_4.3.1_Deactivate_Wireless_Interfaces" do title "Deactivate Wireless Interfaces" desc "Wireless networking is used when wired networks are unavailable. CentOS contains a wireless tool kit to allow system administrators to configure and use wireless networks." impact 0.0 end control "xccdf_org.cisecurity.benchmarks_rule_4.4.1.1_Disable_IPv6_Router_Advertisements" do title "Disable IPv6 Router Advertisements" desc "This setting disables the systems ability to accept router advertisements" impact 0.0 end control "xccdf_org.cisecurity.benchmarks_rule_4.4.1.2_Disable_IPv6_Redirect_Acceptance" do title "Disable IPv6 Redirect Acceptance" desc "This setting prevents the system from accepting ICMP redirects. ICMP redirects tell the system about alternate routes for sending traffic." impact 0.0 end control "xccdf_org.cisecurity.benchmarks_rule_4.4.2_Disable_IPv6" do title "Disable IPv6" desc "Although IPv6 has many advantages over IPv4, few organizations have implemented IPv6." impact 0.0 end control "xccdf_org.cisecurity.benchmarks_rule_4.5.1_Install_TCP_Wrappers" do title "Install TCP Wrappers" desc "TCP Wrappers provides a simple access list and standardized logging method for services capable of supporting it. In the past, services that were called from inetd and xinetd supported the use of tcp wrappers. As inetd and xinetd have been falling in disuse, any service that can support tcp wrappers will have the libwrap.so library attached to it." 
impact 0.0 end control "xccdf_org.cisecurity.benchmarks_rule_4.5.2_Create_etchosts.allow" do title "Create /etc/hosts.allow" desc "The /etc/hosts.allow file specifies which IP addresses are permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.deny file." impact 0.0 end control "xccdf_org.cisecurity.benchmarks_rule_4.5.3_Verify_Permissions_on_etchosts.allow" do title "Verify Permissions on /etc/hosts.allow" desc "The /etc/hosts.allow file contains networking information that is used by many applications and therefore must be readable for these applications to operate." impact 1.0 describe file("/etc/hosts.allow") do it { should exist } end describe file("/etc/hosts.allow") do it { should_not be_executable.by "group" } end describe file("/etc/hosts.allow") do it { should be_readable.by "group" } end describe file("/etc/hosts.allow") do it { should_not be_writable.by "group" } end describe file("/etc/hosts.allow") do it { should_not be_executable.by "other" } end describe file("/etc/hosts.allow") do it { should be_readable.by "other" } end describe file("/etc/hosts.allow") do it { should_not be_writable.by "other" } end describe file("/etc/hosts.allow") do it { should_not be_executable.by "owner" } end describe file("/etc/hosts.allow") do it { should be_readable.by "owner" } end describe file("/etc/hosts.allow") do it { should be_writable.by "owner" } end end control "xccdf_org.cisecurity.benchmarks_rule_4.5.4_Create_etchosts.deny" do title "Create /etc/hosts.deny" desc "The /etc/hosts.deny file specifies which IP addresses are not permitted to connect to the host. It is intended to be used in conjunction with the /etc/hosts.allow file." 
impact 0.0 end control "xccdf_org.cisecurity.benchmarks_rule_4.5.5_Verify_Permissions_on_etchosts.deny" do title "Verify Permissions on /etc/hosts.deny" desc "The /etc/hosts.deny file contains network information that is used by many system applications and therefore must be readable for these applications to operate." impact 1.0 describe file("/etc/hosts.deny") do it { should exist } end describe file("/etc/hosts.deny") do it { should_not be_executable.by "group" } end describe file("/etc/hosts.deny") do it { should be_readable.by "group" } end describe file("/etc/hosts.deny") do it { should_not be_writable.by "group" } end describe file("/etc/hosts.deny") do it { should_not be_executable.by "other" } end describe file("/etc/hosts.deny") do it { should be_readable.by "other" } end describe file("/etc/hosts.deny") do it { should_not be_writable.by "other" } end describe file("/etc/hosts.deny") do it { should_not be_executable.by "owner" } end describe file("/etc/hosts.deny") do it { should be_readable.by "owner" } end describe file("/etc/hosts.deny") do it { should be_writable.by "owner" } end end control "xccdf_org.cisecurity.benchmarks_rule_4.6.1_Disable_DCCP" do title "Disable DCCP" desc "The Datagram Congestion Control Protocol (DCCP) is a transport layer protocol that supports streaming media and telephony. DCCP provides a way to gain access to congestion control, without having to do it at the application layer, but does not provide in-sequence delivery." impact 0.0 end control "xccdf_org.cisecurity.benchmarks_rule_4.6.2_Disable_SCTP" do title "Disable SCTP" desc "The Stream Control Transmission Protocol (SCTP) is a transport layer protocol used to support message oriented communication, with several streams of messages in one connection. It serves a similar function as TCP and UDP, incorporating features of both. It is message-oriented like UDP, and ensures reliable in-sequence transport of messages with congestion control like TCP." 
impact 0.0 end control "xccdf_org.cisecurity.benchmarks_rule_4.6.3_Disable_RDS" do title "Disable RDS" desc "The Reliable Datagram Sockets (RDS) protocol is a transport layer protocol designed to provide low-latency, high-bandwidth communications between cluster nodes. It was developed by the Oracle Corporation." impact 0.0 end control "xccdf_org.cisecurity.benchmarks_rule_4.6.4_Disable_TIPC" do title "Disable TIPC" desc "The Transparent Inter-Process Communication (TIPC) protocol is designed to provide communication between cluster nodes." impact 0.0 end control "xccdf_org.cisecurity.benchmarks_rule_4.7_Enable_firewalld" do title "Enable firewalld" desc "IPtables is an application that allows a system administrator to configure the IP tables, chains and rules provided by the Linux kernel firewall. The firewalld service provides a dynamic firewall allowing changes to be made at anytime without disruptions cause by reloading." impact 1.0 describe service("firewalld") do it { should be_installed } end describe service("firewalld") do it { should be_enabled } end end control "xccdf_org.cisecurity.benchmarks_rule_5.1.1_Install_the_rsyslog_package" do title "Install the rsyslog package" desc "The rsyslog package is a third party package that provides many enhancements to syslog, such as multi-threading, TCP communication, message filtering and data base support." impact 1.0 describe package("rsyslog") do it { should be_installed } end end control "xccdf_org.cisecurity.benchmarks_rule_5.1.2_Activate_the_rsyslog_Service" do title "Activate the rsyslog Service" desc "The systemctl command can be used to ensure that the rsyslog service is turned on." 
impact 1.0 describe service("rsyslog") do it { should be_installed } end describe service("rsyslog") do it { should be_enabled } end end control "xccdf_org.cisecurity.benchmarks_rule_5.1.3_Configure_etcrsyslog.conf" do title "Configure /etc/rsyslog.conf" desc "The /etc/rsyslog.conf file specifies rules for logging and which files are to be used to log certain classes of messages." impact 0.0 end control "xccdf_org.cisecurity.benchmarks_rule_5.1.4_Create_and_Set_Permissions_on_rsyslog_Log_Files" do title "Create and Set Permissions on rsyslog Log Files" desc "A log file must already exist for rsyslog to be able to write to it." impact 1.0 describe "SCAP oval resource file_test could not be loaded: Cannot handle referenced value group in file_test; only single values are support at the moment" do skip "SCAP oval resource file_test could not be loaded: Cannot handle referenced value group in file_test; only single values are support at the moment" end end control "xccdf_org.cisecurity.benchmarks_rule_5.1.5_Configure_rsyslog_to_Send_Logs_to_a_Remote_Log_Host" do title "Configure rsyslog to Send Logs to a Remote Log Host" desc "The rsyslog utility supports the ability to send logs it gathers to a remote log host running syslogd(8) or to receive messages from remote hosts, reducing administrative overhead." impact 1.0 describe file("/etc/rsyslog.conf") do its("content") { should match /^\*\.\*\s+@/ } end end control "xccdf_org.cisecurity.benchmarks_rule_5.1.6_Accept_Remote_rsyslog_Messages_Only_on_Designated_Log_Hosts" do title "Accept Remote rsyslog Messages Only on Designated Log Hosts" desc "By default, rsyslog does not listen for log messages coming in from remote systems. The ModLoad tells rsyslog to load the imtcp.so module so it can listen over a network via TCP. The InputTCPServerRun option instructs rsyslogd to listen on the specified TCP port." 
impact 0.0 end control "xccdf_org.cisecurity.benchmarks_rule_5.2.1.1_Configure_Audit_Log_Storage_Size" do title "Configure Audit Log Storage Size" desc "Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started." impact 0.0 end control "xccdf_org.cisecurity.benchmarks_rule_5.2.1.2_Disable_System_on_Audit_Log_Full" do title "Disable System on Audit Log Full" desc "The auditd daemon can be configured to halt the system when the audit logs are full." impact 0.0 end control "xccdf_org.cisecurity.benchmarks_rule_5.2.1.3_Keep_All_Auditing_Information" do title "Keep All Auditing Information" desc "Normally, auditd will hold 4 logs of maximum log file size before deleting older log files." impact 1.0 describe file("/etc/audit/auditd.conf") do its("content") { should match /^\s*max_log_file_action\s*=\s*keep_logs\s*(?:#.*)?$/ } end end control "xccdf_org.cisecurity.benchmarks_rule_5.2.2_Enable_auditd_Service" do title "Enable auditd Service" desc "Turn on the auditd daemon to record system events." impact 1.0 describe service("auditd") do it { should be_installed } end describe service("auditd") do it { should be_enabled } end end control "xccdf_org.cisecurity.benchmarks_rule_5.2.3_Enable_Auditing_for_Processes_That_Start_Prior_to_auditd" do title "Enable Auditing for Processes That Start Prior to auditd" desc "Configure grub so that processes that are capable of being audited can be audited even if they start up prior to auditd startup." impact 1.0 describe file("/boot/grub2/grub.cfg") do its("content") { should match /^\s*linux(16)?\s+(?=[^#]*audit=1).*$/ } end end control "xccdf_org.cisecurity.benchmarks_rule_5.2.4_Record_Events_That_Modify_Date_and_Time_Information" do title "Record Events That Modify Date and Time Information" desc "Capture events where the system date and/or time has been modified. 
The parameters in this section are set to determine if the adjtimex (tune kernel clock), settimeofday (Set time, using timeval and timezone structures) stime (using seconds since 1/1/1970) or clock_settime (allows for the setting of several internal clocks and timers) system calls have been executed and always write an audit record to the /var/log/audit.log file upon exit, tagging the records with the identifier \"time-change\"" impact 1.0 describe file("/etc/audit/audit.rules") do its("content") { should match /^-w \/etc\/localtime -p wa -k time-change$/ } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-a always,exit -F arch=b32 -S clock_settime -k time-change$/ } end describe file("/etc/audit/audit.rules") do its("content") { should match /-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change/ } end describe.one do describe file("/etc/audit/audit.rules") do its("content") { should match /^-a always,exit -F arch=b64 -S clock_settime -k time-change$/ } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change$/ } end describe command("uname -m").stdout do its("strip") { should_not eq "x86_64" } end end end control "xccdf_org.cisecurity.benchmarks_rule_5.2.5_Record_Events_That_Modify_UserGroup_Information" do title "Record Events That Modify User/Group Information" desc "Record events affecting the group, passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier \"identity\" in the audit log file." 
impact 1.0 describe file("/etc/audit/audit.rules") do its("content") { should match /^-w \/etc\/group -p wa -k identity$/ } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-w \/etc\/passwd -p wa -k identity$/ } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-w \/etc\/gshadow -p wa -k identity$/ } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-w \/etc\/shadow -p wa -k identity$/ } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-w \/etc\/security\/opasswd -p wa -k identity$/ } end end control "xccdf_org.cisecurity.benchmarks_rule_5.2.6_Record_Events_That_Modify_the_Systems_Network_Environment" do title "Record Events That Modify the System's Network Environment" desc "Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the system's host name) or setdomainname (set the system's domainname) system calls, and write an audit event on system call exit. The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre-login), /etc/hosts (file containing host names and associated IP addresses) and /etc/sysconfig/network (directory containing network interface scripts and configurations) files." 
impact 1.0 describe.one do describe command("uname -m").stdout do its("strip") { should_not eq "x86_64" } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale$/ } end end describe file("/etc/audit/audit.rules") do its("content") { should match /^-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale$/ } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-w \/etc\/issue -p wa -k system-locale$/ } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-w \/etc\/issue.net -p wa -k system-locale$/ } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-w \/etc\/hosts -p wa -k system-locale$/ } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-w \/etc\/sysconfig\/network -p wa -k system-locale$/ } end end control "xccdf_org.cisecurity.benchmarks_rule_5.2.7_Record_Events_That_Modify_the_Systems_Mandatory_Access_Controls" do title "Record Events That Modify the System's Mandatory Access Controls" desc "Monitor SELinux mandatory access controls. The parameters below monitor any write access (potential additional, deletion or modification of files in the directory) or attribute changes to the /etc/selinux directory." impact 1.0 describe file("/etc/audit/audit.rules") do its("content") { should match /^-w \/etc\/selinux\/ -p wa -k MAC-policy$/ } end end control "xccdf_org.cisecurity.benchmarks_rule_5.2.8_Collect_Login_and_Logout_Events" do title "Collect Login and Logout Events" desc "Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. 
The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier \"logins.\"" impact 1.0 describe file("/etc/audit/audit.rules") do its("content") { should match /^-w \/var\/log\/faillog -p wa -k logins$/ } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-w \/var\/log\/lastlog -p wa -k logins$/ } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-w \/var\/log\/tallylog -p wa -k logins$/ } end end control "xccdf_org.cisecurity.benchmarks_rule_5.2.9_Collect_Session_Initiation_Information" do title "Collect Session Initiation Information" desc "Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. The /var/log/wtmp file tracks logins, logouts, shutdown and reboot events. All audit records will be tagged with the identifier \"session.\"" impact 1.0 describe file("/etc/audit/audit.rules") do its("content") { should match /^-w \/var\/run\/utmp -p wa -k session$/ } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-w \/var\/log\/wtmp -p wa -k session$/ } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-w \/var\/log\/btmp -p wa -k session$/ } end end control "xccdf_org.cisecurity.benchmarks_rule_5.2.10_Collect_Discretionary_Access_Control_Permission_Modification_Events" do title "Collect Discretionary Access Control Permission Modification Events" desc "Monitor changes to file permissions, attributes, ownership and group. The parameters in this section track changes for system calls that affect file permissions and attributes. The chmod, fchmod and fchmodat system calls affect the permissions associated with a file. 
The chown, fchown, fchownat and lchown system calls affect owner and group attributes on a file. The setxattr, lsetxattr, fsetxattr (set extended file attributes) and removexattr, lremovexattr, fremovexattr (remove extended file attributes) control extended file attributes. In all cases, an audit record will only be written for non-system userids (auid >= 1000) and will ignore Daemon events (auid = 4294967295). All audit records will be tagged with the identifier \"perm_mod.\"" impact 1.0 describe file("/etc/audit/audit.rules") do its("content") { should match /^-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod$/ } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod$/ } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod$/ } end describe.one do describe command("uname -m").stdout do its("strip") { should_not eq "x86_64" } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod$/ } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod$/ } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod$/ } end end end control "xccdf_org.cisecurity.benchmarks_rule_5.2.11_Collect_Unsuccessful_Unauthorized_Access_Attempts_to_Files" do title "Collect Unsuccessful 
Unauthorized Access Attempts to Files" desc "Monitor for unsuccessful attempts to access files. The parameters below are associated with system calls that control creation (creat), opening (open, openat) and truncation (truncate, ftruncate) of files. An audit log record will only be written if the user is a non-privileged user (auid > = 1000), is not a Daemon event (auid=4294967295) and if the system call returned EACCES (permission denied to the file) or EPERM (some other permanent error associated with the specific system call). All audit records will be tagged with the identifier \"access.\"" impact 1.0 describe file("/etc/audit/audit.rules") do its("content") { should match /^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access$/ } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access$/ } end describe.one do describe command("uname -m").stdout do its("strip") { should_not eq "x86_64" } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access$/ } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access$/ } end end end control "xccdf_org.cisecurity.benchmarks_rule_5.2.12_Collect_Use_of_Privileged_Commands" do title "Collect Use of Privileged Commands" desc "Monitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands." 
impact 1.0 describe "SCAP oval resource textfilecontent54_test could not be loaded: OVAL resource file_test does not yet support separate object loading" do skip "SCAP oval resource textfilecontent54_test could not be loaded: OVAL resource file_test does not yet support separate object loading" end end control "xccdf_org.cisecurity.benchmarks_rule_5.2.13_Collect_Successful_File_System_Mounts" do title "Collect Successful File System Mounts" desc "Monitor the use of the mount system call. The mount (and umount) system call controls the mounting and unmounting of file systems. The parameters below configure the system to create an audit record when the mount system call is used by a non-privileged user" impact 1.0 describe file("/etc/audit/audit.rules") do its("content") { should match /^-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts$/ } end describe.one do describe command("uname -m").stdout do its("strip") { should_not eq "x86_64" } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts$/ } end end end control "xccdf_org.cisecurity.benchmarks_rule_5.2.14_Collect_File_Deletion_Events_by_User" do title "Collect File Deletion Events by User" desc "Monitor the use of system calls associated with the deletion or renaming of files and file attributes. This configuration statement sets up monitoring for the unlink (remove a file), unlinkat (remove a file attribute), rename (rename a file) and renameat (rename a file attribute) system calls and tags them with the identifier \"delete\"." 
impact 1.0 describe file("/etc/audit/audit.rules") do its("content") { should match /^-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete$/ } end describe.one do describe command("uname -m").stdout do its("strip") { should_not eq "x86_64" } end describe file("/etc/audit/audit.rules") do its("content") { should match /^-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete$/ } end end end control "xccdf_org.cisecurity.benchmarks_rule_5.2.15_Collect_Changes_to_System_Administration_Scope_sudoers" do title "Collect Changes to System Administration Scope (sudoers)" desc "Monitor scope changes for system administrations. If the system has been properly configured to force system administrators to log in as themselves first and then use the sudo command to execute privileged commands, it is possible to monitor changes in scope. The file /etc/sudoers will be written to when the file or its attributes have changed. The audit records will be tagged with the identifier \"scope.\"" impact 1.0 describe file("/etc/audit/audit.rules") do its("content") { should match /^-w \/etc\/sudoers -p wa -k scope$/ } end end control "xccdf_org.cisecurity.benchmarks_rule_5.2.16_Collect_System_Administrator_Actions_sudolog" do title "Collect System Administrator Actions (sudolog)" desc "Monitor the sudo log file. If the system has been properly configured to disable the use of the su command and force all administrators to have to log in first and then use sudo to execute privileged commands, then all administrator commands will be logged to /var/log/sudo.log. Any time a command is executed, an audit event will be triggered as the /var/log/sudo.log file will be opened for write and the executed administration command will be written to the log." 
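impact 1.0
# The watched path is a literal file name: the dot in sudo.log is escaped so
# the pattern no longer also accepts any character in that position.
describe file("/etc/audit/audit.rules") do
  its("content") { should match /^-w \/var\/log\/sudo\.log -p wa -k actions$/ }
end
end

control "xccdf_org.cisecurity.benchmarks_rule_5.2.17_Collect_Kernel_Module_Loading_and_Unloading" do
  title "Collect Kernel Module Loading and Unloading"
  desc "Monitor the loading and unloading of kernel modules. The programs insmod (install a kernel module), rmmod (remove a kernel module), and modprobe (a more sophisticated program to load and unload modules, as well as some other features) control loading and unloading of modules. The init_module (load a module) and delete_module (delete a module) system calls control loading and unloading of modules. Any execution of the loading and unloading module programs and system calls will trigger an audit record with an identifier of \"modules\"."
  impact 1.0

  audit_rules = file("/etc/audit/audit.rules")
  # Execution watches on the three module-management utilities.
  # NOTE(review): where /sbin is a symlink to /usr/sbin, confirm auditd
  # resolves these watch paths to the real binaries.
  describe audit_rules do
    its("content") { should match /^-w \/sbin\/insmod -p x -k modules$/ }
    its("content") { should match /^-w \/sbin\/rmmod -p x -k modules$/ }
    its("content") { should match /^-w \/sbin\/modprobe -p x -k modules$/ }
  end
  # Syscall rules are architecture specific: the b32 rule is required unless
  # the host is x86_64, and the b64 rule is required only when it is.
  describe.one do
    describe command("uname -m").stdout do
      its("strip") { should eq "x86_64" }
    end
    describe audit_rules do
      its("content") { should match /^-a always,exit -F arch=b32 -S init_module -S delete_module -k modules$/ }
    end
  end
  describe.one do
    describe command("uname -m").stdout do
      its("strip") { should_not eq "x86_64" }
    end
    describe audit_rules do
      its("content") { should match /^-a always,exit -F arch=b64 -S init_module -S delete_module -k modules$/ }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_5.2.18_Make_the_Audit_Configuration_Immutable" do
  title "Make the Audit Configuration Immutable"
  desc "Set system audit so that audit rules cannot be modified with auditctl. Setting the flag \"-e 2\" forces audit to be put in immutable mode. Audit changes can only be made on system reboot."
  impact 1.0

  # Only presence of the line is checked, not that it is the last rule
  # loaded. NOTE(review): on hosts where audit.rules is regenerated from
  # /etc/audit/rules.d/*.rules, confirm the source files also carry "-e 2".
  describe file("/etc/audit/audit.rules") do
    its("content") { should match /^-e 2$/ }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_5.3_Configure_logrotate" do
  title "Configure logrotate"
  desc "The system includes the capability of rotating log files regularly to avoid filling up the system with logs or making the logs unmanageable large. The file /etc/logrotate.d/syslog is the configuration file used to rotate log files created by syslog or rsyslog. These files are rotated on a weekly basis via a cron job and the last 4 weeks are kept."
  # Informational only: no automated check is defined for this rule.
  impact 0.0
end

control "xccdf_org.cisecurity.benchmarks_rule_6.1.1_Enable_anacron_Daemon" do
  title "Enable anacron Daemon"
  desc "The anacron daemon is used on systems that are not up 24x7. The anacron daemon will execute jobs that would have normally been run had the system not been down."
  impact 1.0

  # Presence of the package is the whole test; the anacron service state
  # itself is not inspected here.
  describe package("cronie-anacron") do
    it { should be_installed }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.1.2_Enable_crond_Daemon" do
  title "Enable crond Daemon"
  desc "The crond daemon is used to execute batch jobs on the system."
  impact 1.0

  describe service("crond") do
    it { should be_installed }
    it { should be_enabled }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.1.3_Set_UserGroup_Owner_and_Permission_on_etcanacrontab" do
  title "Set User/Group Owner and Permission on /etc/anacrontab"
  desc "The /etc/anacrontab file is used by anacron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and is the only user that can read and write the file."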
impact 1.0
# Root-owned with no group or other access; owner bits are not checked.
describe file("/etc/anacrontab") do
  it { should exist }
  its("uid") { should cmp 0 }
  its("gid") { should cmp 0 }
  %w[group other].each do |who|
    it { should_not be_readable.by who }
    it { should_not be_writable.by who }
    it { should_not be_executable.by who }
  end
end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.1.4_Set_UserGroup_Owner_and_Permission_on_etccrontab" do
  title "Set User/Group Owner and Permission on /etc/crontab"
  desc "The /etc/crontab file is used by cron to control its own jobs. The commands in this item make here sure that root is the user and group owner of the file and is the only user that can read and write the file."
  impact 1.0

  # Root-owned with no group or other access; owner bits are not checked.
  describe file("/etc/crontab") do
    it { should exist }
    its("uid") { should cmp 0 }
    its("gid") { should cmp 0 }
    %w[group other].each do |who|
      it { should_not be_readable.by who }
      it { should_not be_writable.by who }
      it { should_not be_executable.by who }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.1.5_Set_UserGroup_Owner_and_Permission_on_etccron.hourly" do
  title "Set User/Group Owner and Permission on /etc/cron.hourly"
  desc "This directory contains system cron jobs that need to run on an hourly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
impact 1.0
# Root-owned directory; group and other get no read, write or search
# (execute) access. Owner bits are not checked.
describe file("/etc/cron.hourly") do
  it { should exist }
  its("uid") { should cmp 0 }
  its("gid") { should cmp 0 }
  %w[group other].each do |who|
    it { should_not be_readable.by who }
    it { should_not be_writable.by who }
    it { should_not be_executable.by who }
  end
end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.1.6_Set_UserGroup_Owner_and_Permission_on_etccron.daily" do
  title "Set User/Group Owner and Permission on /etc/cron.daily"
  desc "The /etc/cron.daily directory contains system cron jobs that need to run on a daily basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
  impact 1.0

  # Root-owned directory; group and other get no read, write or search
  # (execute) access. Owner bits are not checked.
  describe file("/etc/cron.daily") do
    it { should exist }
    its("uid") { should cmp 0 }
    its("gid") { should cmp 0 }
    %w[group other].each do |who|
      it { should_not be_readable.by who }
      it { should_not be_writable.by who }
      it { should_not be_executable.by who }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.1.7_Set_UserGroup_Owner_and_Permission_on_etccron.weekly" do
  title "Set User/Group Owner and Permission on /etc/cron.weekly"
  desc "The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
impact 1.0
# Root-owned directory; group and other get no read, write or search
# (execute) access. Owner bits are not checked.
describe file("/etc/cron.weekly") do
  it { should exist }
  its("uid") { should cmp 0 }
  its("gid") { should cmp 0 }
  %w[group other].each do |who|
    it { should_not be_readable.by who }
    it { should_not be_writable.by who }
    it { should_not be_executable.by who }
  end
end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.1.8_Set_UserGroup_Owner_and_Permission_on_etccron.monthly" do
  title "Set User/Group Owner and Permission on /etc/cron.monthly"
  desc "The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
  impact 1.0

  # Root-owned directory; group and other get no read, write or search
  # (execute) access. Owner bits are not checked.
  describe file("/etc/cron.monthly") do
    it { should exist }
    its("uid") { should cmp 0 }
    its("gid") { should cmp 0 }
    %w[group other].each do |who|
      it { should_not be_readable.by who }
      it { should_not be_writable.by who }
      it { should_not be_executable.by who }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.1.9_Set_UserGroup_Owner_and_Permission_on_etccron.d" do
  title "Set User/Group Owner and Permission on /etc/cron.d"
  desc "The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily weekly and monthly jobs from /etc/crontab, but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory."
impact 1.0
# Root-owned directory; group and other get no read, write or search
# (execute) access. Owner bits are not checked.
describe file("/etc/cron.d") do
  it { should exist }
  its("uid") { should cmp 0 }
  its("gid") { should cmp 0 }
  %w[group other].each do |who|
    it { should_not be_readable.by who }
    it { should_not be_writable.by who }
    it { should_not be_executable.by who }
  end
end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.1.10_Restrict_at_Daemon" do
  title "Restrict at Daemon"
  desc "The at daemon works with the cron daemon to allow non-privileged users to submit one time only jobs at their convenience. There are two files that control at: /etc/at.allow and /etc/at.deny. If /etc/at.allow exists, then users listed in the file are the only ones that can create at jobs. If /etc/at.allow does not exist and /etc/at.deny does exist, then any user on the system, with the exception of those listed in /etc/at.deny, are allowed to execute at jobs. An empty /etc/at.deny file allows any user to create at jobs. If neither /etc/at.allow nor /etc/at.deny exist, then only superuser can create at jobs. The commands below remove the /etc/at.deny file and create an empty /etc/at.allow file that can only be read and modified by user and group root."
  impact 1.0

  # The deny list must be absent so that only the allow list governs access.
  describe file("/etc/at.deny") do
    it { should_not exist }
  end
  # Allow list is root-owned with no group or other access; its contents
  # (which users are listed) are not inspected.
  describe file("/etc/at.allow") do
    it { should exist }
    its("uid") { should cmp 0 }
    its("gid") { should cmp 0 }
    %w[group other].each do |who|
      it { should_not be_readable.by who }
      it { should_not be_writable.by who }
      it { should_not be_executable.by who }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.1.11_Restrict_atcron_to_Authorized_Users" do
  title "Restrict at/cron to Authorized Users"
  desc "Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs."
impact 1.0
# The deny list must be absent so that only the allow list governs access.
describe file("/etc/cron.deny") do
  it { should_not exist }
end
# Allow list is root-owned with no group or other access; its contents are
# not inspected.
describe file("/etc/cron.allow") do
  it { should exist }
  its("uid") { should cmp 0 }
  its("gid") { should cmp 0 }
  %w[group other].each do |who|
    it { should_not be_readable.by who }
    it { should_not be_writable.by who }
    it { should_not be_executable.by who }
  end
end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.2.1_Set_SSH_Protocol_to_2" do
  title "Set SSH Protocol to 2"
  desc "SSH supports two different and incompatible protocols: SSH1 and SSH2. SSH1 was the original protocol and was subject to security issues. SSH2 is more advanced and secure."
  impact 1.0

  sshd_config = file("/etc/ssh/sshd_config")
  directive = /^\s*Protocol\s+(\S+)\s*(?:#.*)?$/
  # An explicit, uncommented Protocol line is required ...
  describe sshd_config do
    its("content") { should match directive }
  end
  # ... and every such line must select version 2. sshd itself honours only
  # the first occurrence of a keyword, so this is stricter than the daemon.
  sshd_config.content.to_s.scan(directive).flatten.each do |value|
    describe value do
      it { should eq "2" }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.2.2_Set_LogLevel_to_INFO" do
  title "Set LogLevel to INFO"
  desc "The INFO parameter specifies that login and logout activity will be logged."
  impact 1.0

  sshd_config = file("/etc/ssh/sshd_config")
  directive = /^\s*LogLevel\s+(\S+)\s*(?:#.*)?$/
  describe sshd_config do
    its("content") { should match directive }
  end
  # Exactly "INFO": more verbose levels such as VERBOSE are rejected by
  # this benchmark version.
  sshd_config.content.to_s.scan(directive).flatten.each do |value|
    describe value do
      it { should eq "INFO" }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.2.3_Set_Permissions_on_etcsshsshd_config" do
  title "Set Permissions on /etc/ssh/sshd_config"
  desc "The /etc/ssh/sshd_config file contains configuration specifications for sshd. The command below sets the owner and group of the file to root."
  impact 1.0

  # Root-owned, owner read/write only, no owner execute, nothing for
  # group or other (i.e. a 0600 file).
  describe file("/etc/ssh/sshd_config") do
    it { should exist }
    its("uid") { should cmp 0 }
    its("gid") { should cmp 0 }
    it { should be_readable.by "owner" }
    it { should be_writable.by "owner" }
    it { should_not be_executable.by "owner" }
    %w[group other].each do |who|
      it { should_not be_readable.by who }
      it { should_not be_writable.by who }
      it { should_not be_executable.by who }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.2.4_Disable_SSH_X11_Forwarding" do
  title "Disable SSH X11 Forwarding"
  desc "The X11Forwarding parameter provides the ability to tunnel X11 traffic through the connection to enable remote graphic connections."
impact 1.0
sshd_config = file("/etc/ssh/sshd_config")
directive = /^\s*X11Forwarding\s+(\S+)\s*(?:#.*)?$/
# An explicit line is required, and every uncommented occurrence must be "no".
describe sshd_config do
  its("content") { should match directive }
end
sshd_config.content.to_s.scan(directive).flatten.each do |value|
  describe value do
    it { should eq "no" }
  end
end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.2.5_Set_SSH_MaxAuthTries_to_4_or_Less" do
  title "Set SSH MaxAuthTries to 4 or Less"
  desc "The MaxAuthTries parameter specifies the maximum number of authentication attempts permitted per connection. When the login failure count reaches half the number, error messages will be written to the syslog file detailing the login failure."
  impact 1.0

  sshd_config = file("/etc/ssh/sshd_config")
  directive = /^\s*MaxAuthTries\s+(\S+)\s*(?:#.*)?$/
  describe sshd_config do
    its("content") { should match directive }
  end
  # cmp compares numerically, so "4" and "04" both satisfy <= 4.
  sshd_config.content.to_s.scan(directive).flatten.each do |value|
    describe value do
      it { should cmp <= 4 }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.2.6_Set_SSH_IgnoreRhosts_to_Yes" do
  title "Set SSH IgnoreRhosts to Yes"
  desc "The IgnoreRhosts parameter specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication."
  impact 1.0

  sshd_config = file("/etc/ssh/sshd_config")
  directive = /^\s*IgnoreRhosts\s+(\S+)\s*(?:#.*)?$/
  describe sshd_config do
    its("content") { should match directive }
  end
  sshd_config.content.to_s.scan(directive).flatten.each do |value|
    describe value do
      it { should eq "yes" }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.2.7_Set_SSH_HostbasedAuthentication_to_No" do
  title "Set SSH HostbasedAuthentication to No"
  desc "The HostbasedAuthentication parameter specifies if authentication is allowed through trusted hosts via the user of .rhosts, or /etc/hosts.equiv, along with successful public key client host authentication. This option only applies to SSH Protocol Version 2."
  impact 1.0

  sshd_config = file("/etc/ssh/sshd_config")
  directive = /^\s*HostbasedAuthentication\s+(\S+)\s*(?:#.*)?$/
  describe sshd_config do
    its("content") { should match directive }
  end
  sshd_config.content.to_s.scan(directive).flatten.each do |value|
    describe value do
      it { should eq "no" }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.2.8_Disable_SSH_Root_Login" do
  title "Disable SSH Root Login"
  desc "The PermitRootLogin parameter specifies if the root user can log in using ssh(1). The default is no."
  impact 1.0

  sshd_config = file("/etc/ssh/sshd_config")
  directive = /^\s*PermitRootLogin\s+(\S+)\s*(?:#.*)?$/
  # An explicit "no" is required; relying on the compiled-in default fails,
  # and values such as prohibit-password / without-password also fail.
  describe sshd_config do
    its("content") { should match directive }
  end
  sshd_config.content.to_s.scan(directive).flatten.each do |value|
    describe value do
      it { should eq "no" }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.2.9_Set_SSH_PermitEmptyPasswords_to_No" do
  title "Set SSH PermitEmptyPasswords to No"
  desc "The PermitEmptyPasswords parameter specifies if the server allows login to accounts with empty password strings."
  impact 1.0

  sshd_config = file("/etc/ssh/sshd_config")
  directive = /^\s*PermitEmptyPasswords\s+(\S+)\s*(?:#.*)?$/
  describe sshd_config do
    its("content") { should match directive }
  end
  sshd_config.content.to_s.scan(directive).flatten.each do |value|
    describe value do
      it { should eq "no" }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.2.10_Do_Not_Allow_Users_to_Set_Environment_Options" do
  title "Do Not Allow Users to Set Environment Options"
  desc "The PermitUserEnvironment option allows users to present environment options to the ssh daemon."
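impact 1.0
sshd_config = file("/etc/ssh/sshd_config")
directive = /^\s*PermitUserEnvironment\s+(\S+)\s*(?:#.*)?$/
# An explicit line is required, and every uncommented occurrence must be "no".
describe sshd_config do
  its("content") { should match directive }
end
sshd_config.content.to_s.scan(directive).flatten.each do |value|
  describe value do
    it { should eq "no" }
  end
end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.2.11_Use_Only_Approved_Cipher_in_Counter_Mode" do
  title "Use Only Approved Cipher in Counter Mode"
  desc "This variable limits the types of ciphers that SSH can use during communication."
  impact 1.0

  sshd_config = file("/etc/ssh/sshd_config")
  directive = /^\s*Ciphers\s+(\S+)\s*(?:#.*)?$/
  # The only ciphers this benchmark version approves. The rule is "nothing
  # outside this list", so the comparison is set-based: any order and any
  # subset of the approved ciphers passes, any other cipher fails. (The old
  # check required one exact string and rejected compliant reorderings.)
  # NOTE(review): "+"/"-"/"^" prefixed Ciphers lists are not special-cased;
  # such a prefix will show up here as an unapproved entry.
  approved_ciphers = %w[aes128-ctr aes192-ctr aes256-ctr]
  describe sshd_config do
    its("content") { should match directive }
  end
  sshd_config.content.to_s.scan(directive).flatten.each do |value|
    # Whatever remains after removing approved names is non-compliant.
    describe value.split(",") - approved_ciphers do
      it { should be_empty }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.2.12_Set_Idle_Timeout_Interval_for_User_Login" do
  title "Set Idle Timeout Interval for User Login"
  desc "The two options ClientAliveInterval and ClientAliveCountMax control the timeout of ssh sessions. When the ClientAliveInterval variable is set, ssh sessions that have no activity for the specified length of time are terminated. When the ClientAliveCountMax variable is set, sshd will send client alive messages at every ClientAliveInterval interval. When the number of consecutive client alive messages are sent with no response from the client, the ssh session is terminated. For example, if the ClientAliveInterval is set to 15 seconds and the ClientAliveCountMax is set to 3, the client ssh session will be terminated after 45 seconds of idle time."
  impact 1.0

  sshd_config = file("/etc/ssh/sshd_config")

  # Exactly 300 seconds; stricter (shorter) intervals are rejected.
  interval = /^\s*ClientAliveInterval\s+(\S+)\s*(?:#.*)?$/
  describe sshd_config do
    its("content") { should match interval }
  end
  sshd_config.content.to_s.scan(interval).flatten.each do |value|
    describe value do
      it { should cmp == 300 }
    end
  end

  # Exactly 0, as this benchmark version specifies.
  # NOTE(review): recent OpenSSH releases document ClientAliveCountMax 0 as
  # disabling idle termination altogether, and later benchmarks expect a
  # small positive value instead — confirm against the target sshd version.
  count_max = /^\s*ClientAliveCountMax\s+(\S+)\s*(?:#.*)?$/
  describe sshd_config do
    its("content") { should match count_max }
  end
  sshd_config.content.to_s.scan(count_max).flatten.each do |value|
    describe value do
      it { should cmp == 0 }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.2.13_Limit_Access_via_SSH" do
  title "Limit Access via SSH"
  desc "There are several options available to limit which users and group can access the system via SSH. It is recommended that at least of the following options be leveraged:\n \n AllowUsers\n \n The AllowUsers variable gives the system administrator the option of allowing specific users to ssh into the system. The list consists of comma separated user names. Numeric userIDs are not recognized with this variable. If a system administrator wants to restrict user access further by only allowing the allowed users to log in from a particular host, the entry can be specified in the form of user@host.\n \n AllowGroups\n \n The AllowGroups variable gives the system administrator the option of allowing specific groups of users to ssh into the system. The list consists of comma separated user names. Numeric groupIDs are not recognized with this variable.\n \n DenyUsers\n \n The DenyUsers variable gives the system administrator the option of denying specific users to ssh into the system. The list consists of comma separated user names. Numeric userIDs are not recognized with this variable. If a system administrator wants to restrict user access further by specifically denying a user's access from a particular host, the entry can be specified in the form of user@host.\n \n DenyGroups\n \n The DenyGroups variable gives the system administrator the option of denying specific groups of users to ssh into the system. The list consists of comma separated group names. Numeric groupIDs are not recognized with this variable."
  impact 1.0

  # Any one of the four directives satisfies the rule; which principals are
  # listed is not evaluated.
  describe file("/etc/ssh/sshd_config") do
    its("content") { should match /^\s*(AllowUsers|AllowGroups|DenyUsers|DenyGroups)\s+/ }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.2.14_Set_SSH_Banner" do
  title "Set SSH Banner"
  desc "The Banner parameter specifies a file whose contents must be sent to the remote user before authentication is permitted. By default, no banner is displayed."
  impact 1.0

  # Only the presence of a Banner directive is checked, not that the named
  # file exists or what it contains.
  describe file("/etc/ssh/sshd_config") do
    its("content") { should match /^\s*Banner\s+(\S+)\s*(?:#.*)?$/ }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.3.1_Upgrade_Password_Hashing_Algorithm_to_SHA-512" do
  title "Upgrade Password Hashing Algorithm to SHA-512"
  desc "The commands below change password encryption from md5 to sha512 (a much stronger hashing algorithm). All existing accounts will need to perform a password change to upgrade the stored hashes to the new algorithm."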
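impact 1.0
# Accept "crypt_style=sha512" as well as the spaced "crypt_style = sha512":
# the old pattern required whitespace on both sides of "=" and so failed a
# compliant setting written without it. (?i) keeps the value match
# case-insensitive.
describe file("/etc/libuser.conf") do
  its("content") { should match /^[\s]*crypt_style[\s]*=[\s]*(?i)sha512[\s]*$/ }
end
describe file("/etc/login.defs") do
  its("content") { should match /^[\s]*ENCRYPT_METHOD[\s]+SHA512[\s]*$/ }
end
# Only system-auth is inspected. NOTE(review): confirm the sha512 option is
# also present in /etc/pam.d/password-auth, which this check does not read.
describe file("/etc/pam.d/system-auth") do
  its("content") { should match /^[\s]*password[\s]+(?:(?:required)|(?:sufficient))[\s]+pam_unix\.so[\s]+.*sha512.*$/ }
end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.3.2_Set_Password_Creation_Requirement_Parameters_Using_pam_pwquality" do
  title "Set Password Creation Requirement Parameters Using pam_pwquality"
  desc "The pam_pwquality module checks of the strength of passwords. It performs checks such as making sure a password is not a dictionary word, it is a certain length, contains a mix of characters (e.g. alphabet, numeric, other) and more. The following are definitions of the pam_pwquality.so options.\n \n try_first_pass - retrieve the password from a previous stacked PAM module. If not available, then prompt the user for a password.\n \n retry=3 - Allow 3 tries before sending back a failure.\n The following options are set in the /etc/security/pwquality.conf file:\n \n minlen=14 - password must be 14 characters or more\n dcredit=-1 - provide at least 1 digit\n ucredit=-1 - provide at least one uppercase character\n ocredit=-1 - provide at least one special character\n lcredit=-1 - provide at least one lowercase character\n The setting shown above is one possible policy. Alter these values to conform to your own organization's password policies."
  impact 1.0

  # "pam_pwquality.so" is a literal module name: the dot is escaped so the
  # pattern no longer accepts any character there.
  describe file("/etc/pam.d/system-auth") do
    its("content") { should match /^\s*password\s+(?:required|requisite)\s+pam_pwquality\.so\s+(?:\S+\s+)*try_first_pass(?:\s+\S+)*\s*$/ }
    its("content") { should match /^\s*password\s+(?:required|requisite)\s+pam_pwquality\.so\s+(?:\S+\s+)*retry=[123](?:\s+\S+)*\s*$/ }
  end

  pwquality = file("/etc/security/pwquality.conf")
  describe pwquality do
    # minlen must be 14 or more: 14-19, 20-99, or any 3+ digit value.
    its("content") { should match /^\s*minlen\s*=\s*(1[4-9]|[2-9][0-9]|[1-9][0-9]{2,})\s*$/ }
  end
  # A negative credit means "require at least N characters of this class";
  # each class must therefore be set to -1 or lower.
  %w[dcredit ucredit ocredit lcredit].each do |credit|
    describe pwquality do
      its("content") { should match /^\s*#{credit}\s*=\s*-[1-9][0-9]*\s*$/ }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.3.3_Set_Lockout_for_Failed_Password_Attempts" do
  title "Set Lockout for Failed Password Attempts"
  desc "Lock out userIDs after n unsuccessful consecutive login attempts. The first sets of changes are made to the main PAM configuration files /etc/pam.d/system-auth and /etc/pam.d/password-auth. The second set of changes are applied to the program specific PAM configuration file (in this case, the ssh daemon). The second set of changes must be applied to each program that will lock out userID's. Set the lockout number to the policy in effect at your site."
  # Site-policy dependent: no automated check is defined for this rule.
  impact 0.0
end

control "xccdf_org.cisecurity.benchmarks_rule_6.3.4_Limit_Password_Reuse" do
  title "Limit Password Reuse"
  desc "The /etc/security/opasswd file stores the users' old passwords and can be checked to ensure that users are not recycling recent passwords."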
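impact 1.0
# remember= is a minimum, not an exact value: a history depth of 5 or more
# is compliant, so the old "remember=5" literal (which failed remember=10)
# is widened to 5..9 or any two-or-more digit value. "pam_unix.so" has its
# dot escaped.
describe file("/etc/pam.d/system-auth") do
  its("content") { should match /^\s*password\s+sufficient\s+pam_unix\.so(\s+[^\s]+)*\s+remember=([5-9]|[1-9][0-9]+)(\s+[^\s]+)*\s*$/ }
end
end

control "xccdf_org.cisecurity.benchmarks_rule_6.4_Restrict_root_Login_to_System_Console" do
  title "Restrict root Login to System Console"
  desc "The file /etc/securetty contains a list of valid terminals that may be logged in directly as root."
  # Site-policy dependent: no automated check is defined for this rule.
  impact 0.0
end

control "xccdf_org.cisecurity.benchmarks_rule_6.5_Restrict_Access_to_the_su_Command" do
  title "Restrict Access to the su Command"
  desc "The su command allows a user to run a command or shell as another user. The program has been superseded by sudo, which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su, the su command will only allow users in the wheel group to execute su."
  impact 1.0

  # use_uid must be present; other pam_wheel options (e.g. group=wheel) may
  # appear before or after it. The old pattern only accepted use_uid alone.
  describe file("/etc/pam.d/su") do
    its("content") { should match /^\s*auth\s+required\s+pam_wheel\.so(\s+\S+)*\s+use_uid(\s+\S+)*\s*$/ }
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_7.1.1_Set_Password_Expiration_Days" do
  title "Set Password Expiration Days"
  desc "The PASS_MAX_DAYS parameter in /etc/login.defs allows an administrator to force passwords to expire once they reach a defined age. It is recommended that the PASS_MAX_DAYS parameter be set to less than or equal to 90 days."
  impact 1.0

  # Accept 1..90 inclusive. The previous alternation (90|[1-7][0-9]|[1-9])
  # left out 80-89 and wrongly failed compliant values in that range.
  describe file("/etc/login.defs") do
    its("content") { should match /^PASS_MAX_DAYS\s+([1-9]|[1-8][0-9]|90)$/ }
  end
  # Per-account check over every shadow entry. NOTE(review): this includes
  # system accounts whose aging fields are empty; confirm how those should
  # be treated before acting on failures from them.
  shadow.users(/.*/).entries.each do |entry|
    describe entry do
      its("max_days") { should cmp <= 90 }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_7.1.2_Set_Password_Change_Minimum_Number_of_Days" do
  title "Set Password Change Minimum Number of Days"
  desc "The PASS_MIN_DAYS parameter in /etc/login.defs allows an administrator to prevent users from changing their password until a minimum number of days have passed since the last time the user changed their password. It is recommended that PASS_MIN_DAYS parameter be set to 7 or more days."
  impact 1.0

  # 7 or more: single digits 7-9, or any value of two or more digits.
  describe file("/etc/login.defs") do
    its("content") { should match /^PASS_MIN_DAYS\s+([7-9]|[1-9][0-9]+)$/ }
  end
  # Per-account check over every shadow entry (see note in 7.1.1).
  shadow.users(/.*/).entries.each do |entry|
    describe entry do
      its("min_days") { should cmp >= 7 }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_7.1.3_Set_Password_Expiring_Warning_Days" do
  title "Set Password Expiring Warning Days"
  desc "The PASS_WARN_AGE parameter in /etc/login.defs allows an administrator to notify users that their password will expire in a defined number of days. It is recommended that the PASS_WARN_AGE parameter be set to 7 or more days."
  impact 1.0

  # 7 or more, same shape as PASS_MIN_DAYS.
  describe file("/etc/login.defs") do
    its("content") { should match /^PASS_WARN_AGE\s+([7-9]|[1-9][0-9]+)$/ }
  end
  # Per-account check over every shadow entry (see note in 7.1.1).
  shadow.users(/.*/).entries.each do |entry|
    describe entry do
      its("warn_days") { should cmp >= 7 }
    end
  end
end

control "xccdf_org.cisecurity.benchmarks_rule_7.2_Disable_System_Accounts" do
  title "Disable System Accounts"
  desc "There are a number of accounts provided with the CentOS that are used to manage applications and are not intended to provide an interactive shell."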
impact 1.0
# Precondition: some account other than root/sync/shutdown/halt must exist,
# otherwise the second assertion would pass vacuously.
describe passwd.users(/^(?!root|sync|shutdown|halt).*$/) do its("lines") { should_not be_empty } end
# No such account with a UID of 1000 or below may have a shell other than
# /sbin/nologin.
# NOTE(review): the bound is "<= 1000".  If 1000 is the first regular-user
# UID on the target platform, a legitimate login account would be flagged
# here -- confirm against the benchmark's audit text whether "< 1000" was
# intended.
describe passwd.users(/^(?!root|sync|shutdown|halt).*$/).uids({:<==>1000}).shells({:!==>"/sbin/nologin"}) do its("lines") { should be_empty } end
end

# CIS 7.3: the root account must exist and its primary GID must be 0.
control "xccdf_org.cisecurity.benchmarks_rule_7.3_Set_Default_Group_for_root_Account" do
  title "Set Default Group for root Account"
  desc "The usermod command can be used to specify which group the root user belongs to. This affects permissions of files that are created by the root user."
  impact 1.0
  describe passwd.users("root") do its("lines") { should_not be_empty } end
  describe passwd.users("root").gids(0) do its("lines") { should_not be_empty } end
end

# CIS 7.4: /etc/bashrc must contain an "umask 077" line.  The remaining part
# of the rule could not be converted from its OVAL definition and is reported
# as skipped rather than silently passed.
control "xccdf_org.cisecurity.benchmarks_rule_7.4_Set_Default_umask_for_Users" do
  title "Set Default umask for Users"
  desc "The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .cshrc, etc.) in their home directories."
  impact 1.0
  describe file("/etc/bashrc") do its("content") { should match /^\s*umask\s+077\s*$/ } end
  describe "SCAP oval resource textfilecontent54_test could not be loaded: Attribute operation is not yet supported for SCAP::OVAL::Objects: textfilecontent54_object/filename" do
    skip "SCAP oval resource textfilecontent54_test could not be loaded: Attribute operation is not yet supported for SCAP::OVAL::Objects: textfilecontent54_object/filename"
  end
end

# CIS 7.5: /etc/default/useradd must contain exactly "INACTIVE=35".
control "xccdf_org.cisecurity.benchmarks_rule_7.5_Lock_Inactive_User_Accounts" do
  title "Lock Inactive User Accounts"
  desc "User accounts that have been inactive for over a given period of time can be automatically disabled. 
It is recommended that accounts that are inactive for 35 or more days be disabled."
  impact 1.0
  describe file("/etc/default/useradd") do its("content") { should match /^INACTIVE=35$/ } end
end

# CIS 8.1: /etc/motd, /etc/issue and /etc/issue.net must exist, be readable
# by everyone, writable only by the owner, executable by nobody, and be
# owned by uid 0 / gid 0.  Each describe is reported as a separate test; the
# existence check is repeated per file exactly as generated.
control "xccdf_org.cisecurity.benchmarks_rule_8.1_Set_Warning_Banner_for_Standard_Login_Services" do
  title "Set Warning Banner for Standard Login Services"
  desc "The contents of the /etc/issue file are displayed prior to the login prompt on the system's console and serial devices, and also prior to logins via telnet. The contents of the /etc/motd file is generally displayed after all successful logins, no matter where the user is logging in from, but is thought to be less useful because it only provides notification to the user after the machine has been accessed."
  impact 1.0
  # /etc/motd
  describe file("/etc/motd") do it { should exist } end
  describe file("/etc/motd") do it { should_not be_executable.by "group" } end
  describe file("/etc/motd") do it { should be_readable.by "group" } end
  describe file("/etc/motd") do it { should_not be_writable.by "group" } end
  describe file("/etc/motd") do it { should_not be_executable.by "other" } end
  describe file("/etc/motd") do it { should be_readable.by "other" } end
  describe file("/etc/motd") do it { should_not be_writable.by "other" } end
  describe file("/etc/motd") do it { should_not be_executable.by "owner" } end
  describe file("/etc/motd") do it { should be_readable.by "owner" } end
  describe file("/etc/motd") do it { should be_writable.by "owner" } end
  describe file("/etc/motd") do it { should exist } end
  describe file("/etc/motd") do its("gid") { should cmp 0 } end
  describe file("/etc/motd") do its("uid") { should cmp 0 } end
  # /etc/issue
  describe file("/etc/issue") do it { should exist } end
  describe file("/etc/issue") do it { should_not be_executable.by "group" } end
  describe file("/etc/issue") do it { should be_readable.by "group" } end
  describe file("/etc/issue") do it { should_not be_writable.by "group" } end
  describe file("/etc/issue") do it { should_not be_executable.by "other" } end
  describe file("/etc/issue") do it { should be_readable.by "other" } end
  describe file("/etc/issue") do it { should_not be_writable.by "other" } end
  describe file("/etc/issue") do it { should_not be_executable.by "owner" } end
  describe file("/etc/issue") do it { should be_readable.by "owner" } end
  describe file("/etc/issue") do it { should be_writable.by "owner" } end
  describe file("/etc/issue") do it { should exist } end
  describe file("/etc/issue") do its("gid") { should cmp 0 } end
  describe file("/etc/issue") do its("uid") { should cmp 0 } end
  # /etc/issue.net
  describe file("/etc/issue.net") do it { should exist } end
  describe file("/etc/issue.net") do it { should_not be_executable.by "group" } end
  describe file("/etc/issue.net") do it { should be_readable.by "group" } end
  describe file("/etc/issue.net") do it { should_not be_writable.by "group" } end
  describe file("/etc/issue.net") do it { should_not be_executable.by "other" } end
  describe file("/etc/issue.net") do it { should be_readable.by "other" } end
  describe file("/etc/issue.net") do it { should_not be_writable.by "other" } end
  describe file("/etc/issue.net") do it { should_not be_executable.by "owner" } end
  describe file("/etc/issue.net") do it { should be_readable.by "owner" } end
  describe file("/etc/issue.net") do it { should be_writable.by "owner" } end
  describe file("/etc/issue.net") do it { should exist } end
  describe file("/etc/issue.net") do its("gid") { should cmp 0 } end
  describe file("/etc/issue.net") do its("uid") { should cmp 0 } end
end

# CIS 8.2: none of the banner files may contain the getty escape sequences
# \v, \r, \m or \s.  In the regex they are written as "\\v" etc., i.e. a
# literal backslash followed by the letter.
control "xccdf_org.cisecurity.benchmarks_rule_8.2_Remove_OS_Information_from_Login_Warning_Banners" do
  title "Remove OS Information from Login Warning Banners"
  desc "Unix-based systems have typically displayed information about the OS release and patch level upon logging in to the system. This information can be useful to developers who are developing software for a particular OS platform. 
If mingetty(8) supports the following options, they display operating system information: \n \\m - machine architecture (uname -m) \\r - operating system release (uname -r) \\s - operating system name \\v - operating system version (uname -v)"
  impact 1.0
  describe file("/etc/motd") do its("content") { should_not match /(\\v|\\r|\\m|\\s)/ } end
  describe file("/etc/issue") do its("content") { should_not match /(\\v|\\r|\\m|\\s)/ } end
  describe file("/etc/issue.net") do its("content") { should_not match /(\\v|\\r|\\m|\\s)/ } end
end

# CIS 8.3: informational only (impact 0.0) -- no GDM banner test is attached.
control "xccdf_org.cisecurity.benchmarks_rule_8.3_Set_GNOME_Warning_Banner" do
  title "Set GNOME Warning Banner"
  desc "The GNOME Display Manager is used for login session management. See the manual page gdm(1) for more information. The remediation action for this item sets a warning message for GDM users before they log in."
  impact 0.0
end

# CIS 9.1.1: informational only (impact 0.0) -- the rpm -V procedure is
# described but not executed by this profile.
control "xccdf_org.cisecurity.benchmarks_rule_9.1.1_Verify_System_File_Permissions" do
  title "Verify System File Permissions"
  desc "The RPM package manager has a number of useful options. One of these, the -V (or -verify) option, can be used to verify that system packages are correctly installed. The -V option can be used to verify a particular package or to verify all system packages (-Va). If no output is returned, the package is installed correctly. The following table describes the meaning of output from the verify option: Code Meaning S File size differs. M File mode differs (includes permissions and file type). 5 The MD5 checksum differs. D The major and minor version numbers differ on a device file. L A mismatch occurs in a link. U The file ownership differs. G The file group owner differs. T The file time (mtime) differs. The rpm -qf command can be used to determine which package a particular file belongs to. 
For example the following command determines which package the /etc/passwd file belongs to: # rpm -qf /etc/passwdsetup-2.5.58-7.el5 To verify the settings for the package that controls the /etc/passwd file, run the following: # rpm -V setup-2.5.58-7.el5.M...... c /etc/passwdS.5....T c /etc/printcap Note that you can feed the output of the rpm -qf command to the rpm -V command: # rpm -V `rpm -qf /etc/passwd`.M...... c /etc/passwdS.5....T c /etc/printcap"
  impact 0.0
end

# CIS 9.1.2: /etc/passwd must exist, be readable by everyone, writable only
# by the owner and executable by nobody (i.e. mode 644).
control "xccdf_org.cisecurity.benchmarks_rule_9.1.2_Verify_Permissions_on_etcpasswd" do
  title "Verify Permissions on /etc/passwd"
  desc "The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate."
  impact 1.0
  describe file("/etc/passwd") do it { should exist } end
  describe file("/etc/passwd") do it { should_not be_executable.by "group" } end
  describe file("/etc/passwd") do it { should be_readable.by "group" } end
  describe file("/etc/passwd") do it { should_not be_writable.by "group" } end
  describe file("/etc/passwd") do it { should_not be_executable.by "other" } end
  describe file("/etc/passwd") do it { should be_readable.by "other" } end
  describe file("/etc/passwd") do it { should_not be_writable.by "other" } end
  describe file("/etc/passwd") do it { should_not be_executable.by "owner" } end
  describe file("/etc/passwd") do it { should be_readable.by "owner" } end
  describe file("/etc/passwd") do it { should be_writable.by "owner" } end
end

# CIS 9.1.3: /etc/shadow must exist and grant no permission bit to anyone
# (mode 000).
control "xccdf_org.cisecurity.benchmarks_rule_9.1.3_Verify_Permissions_on_etcshadow" do
  title "Verify Permissions on /etc/shadow"
  desc "The /etc/shadow file is used to store the information about user accounts that is critical to the security of those accounts, such as the hashed password and other security information."
impact 1.0
# All nine permission bits must be clear for /etc/shadow.
describe file("/etc/shadow") do it { should exist } end
describe file("/etc/shadow") do it { should_not be_executable.by "group" } end
describe file("/etc/shadow") do it { should_not be_readable.by "group" } end
describe file("/etc/shadow") do it { should_not be_writable.by "group" } end
describe file("/etc/shadow") do it { should_not be_executable.by "other" } end
describe file("/etc/shadow") do it { should_not be_readable.by "other" } end
describe file("/etc/shadow") do it { should_not be_writable.by "other" } end
describe file("/etc/shadow") do it { should_not be_executable.by "owner" } end
describe file("/etc/shadow") do it { should_not be_readable.by "owner" } end
describe file("/etc/shadow") do it { should_not be_writable.by "owner" } end
end

# CIS 9.1.4: /etc/gshadow must exist and grant no permission bit to anyone
# (mode 000).
control "xccdf_org.cisecurity.benchmarks_rule_9.1.4_Verify_Permissions_on_etcgshadow" do
  title "Verify Permissions on /etc/gshadow"
  desc "The /etc/gshadow file contains information about group accounts that is critical to the security of those accounts, such as the hashed password and other security information."
  impact 1.0
  describe file("/etc/gshadow") do it { should exist } end
  describe file("/etc/gshadow") do it { should_not be_executable.by "group" } end
  describe file("/etc/gshadow") do it { should_not be_readable.by "group" } end
  describe file("/etc/gshadow") do it { should_not be_writable.by "group" } end
  describe file("/etc/gshadow") do it { should_not be_executable.by "other" } end
  describe file("/etc/gshadow") do it { should_not be_readable.by "other" } end
  describe file("/etc/gshadow") do it { should_not be_writable.by "other" } end
  describe file("/etc/gshadow") do it { should_not be_executable.by "owner" } end
  describe file("/etc/gshadow") do it { should_not be_readable.by "owner" } end
  describe file("/etc/gshadow") do it { should_not be_writable.by "owner" } end
end

# CIS 9.1.5: /etc/group must exist, be readable by everyone, writable only by
# the owner and executable by nobody (mode 644).
control "xccdf_org.cisecurity.benchmarks_rule_9.1.5_Verify_Permissions_on_etcgroup" do
  title "Verify Permissions on /etc/group"
  desc "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
  impact 1.0
  describe file("/etc/group") do it { should exist } end
  describe file("/etc/group") do it { should_not be_executable.by "group" } end
  describe file("/etc/group") do it { should be_readable.by "group" } end
  describe file("/etc/group") do it { should_not be_writable.by "group" } end
  describe file("/etc/group") do it { should_not be_executable.by "other" } end
  describe file("/etc/group") do it { should be_readable.by "other" } end
  describe file("/etc/group") do it { should_not be_writable.by "other" } end
  describe file("/etc/group") do it { should_not be_executable.by "owner" } end
  describe file("/etc/group") do it { should be_readable.by "owner" } end
  describe file("/etc/group") do it { should be_writable.by "owner" } end
end

# CIS 9.1.6: /etc/passwd must be owned by uid 0 / gid 0.
control "xccdf_org.cisecurity.benchmarks_rule_9.1.6_Verify_UserGroup_Ownership_on_etcpasswd" do
  title "Verify User/Group Ownership on /etc/passwd"
  desc "The /etc/passwd file contains a list of all the valid userIDs defined in the system, but not the passwords. The command below sets the owner and group of the file to root."
  impact 1.0
  describe file("/etc/passwd") do it { should exist } end
  describe file("/etc/passwd") do its("gid") { should cmp 0 } end
  describe file("/etc/passwd") do its("uid") { should cmp 0 } end
end

# CIS 9.1.7: /etc/shadow must be owned by uid 0 / gid 0.
control "xccdf_org.cisecurity.benchmarks_rule_9.1.7_Verify_UserGroup_Ownership_on_etcshadow" do
  title "Verify User/Group Ownership on /etc/shadow"
  desc "The /etc/shadow file contains the one-way cipher text passwords for each user defined in the /etc/passwd file. The command below sets the user and group ownership of the file to root."
  impact 1.0
  describe file("/etc/shadow") do it { should exist } end
  describe file("/etc/shadow") do its("gid") { should cmp 0 } end
  describe file("/etc/shadow") do its("uid") { should cmp 0 } end
end

# CIS 9.1.8: /etc/gshadow must be owned by uid 0 / gid 0.
control "xccdf_org.cisecurity.benchmarks_rule_9.1.8_Verify_UserGroup_Ownership_on_etcgshadow" do
  title "Verify User/Group Ownership on /etc/gshadow"
  desc "The /etc/gshadow file contains information about group accounts that is critical to the security of those accounts, such as the hashed password and other security information."
  impact 1.0
  describe file("/etc/gshadow") do it { should exist } end
  describe file("/etc/gshadow") do its("gid") { should cmp 0 } end
  describe file("/etc/gshadow") do its("uid") { should cmp 0 } end
end

# CIS 9.1.9: /etc/group must be owned by uid 0 / gid 0.
control "xccdf_org.cisecurity.benchmarks_rule_9.1.9_Verify_UserGroup_Ownership_on_etcgroup" do
  title "Verify User/Group Ownership on /etc/group"
  desc "The /etc/group file contains a list of all the valid groups defined in the system. The command below allows read/write access for root and read access for everyone else."
  impact 1.0
  describe file("/etc/group") do it { should exist } end
  describe file("/etc/group") do its("gid") { should cmp 0 } end
  describe file("/etc/group") do its("uid") { should cmp 0 } end
end

# CIS 9.1.10: informational only (impact 0.0) -- no filesystem search is
# performed by this profile.
control "xccdf_org.cisecurity.benchmarks_rule_9.1.10_Find_World_Writable_Files" do
  title "Find World Writable Files"
  desc "Unix-based systems support variable settings to control access to files. World writable files are the least secure. See the chmod(2) man page for more information."
  impact 0.0
end

# CIS 9.1.11: the OVAL file_test for this rule could not be converted, so the
# control is reported as skipped rather than passed.
control "xccdf_org.cisecurity.benchmarks_rule_9.1.11_Find_Un-owned_Files_and_Directories" do
  title "Find Un-owned Files and Directories"
  desc "Sometimes when administrators delete users from the password file they neglect to remove all files owned by those users from the system."
  impact 1.0
  describe "SCAP oval resource file_test could not be loaded: Cannot handle referenced value group in file_test; only single values are support at the moment" do
    skip "SCAP oval resource file_test could not be loaded: Cannot handle referenced value group in file_test; only single values are support at the moment"
  end
end

# CIS 9.1.12: as for 9.1.11, the OVAL file_test could not be converted and
# the control is reported as skipped.
# NOTE(review): the desc text is a verbatim copy of 9.1.11 (users / password
# file) although this rule is about files with no valid group.
control "xccdf_org.cisecurity.benchmarks_rule_9.1.12_Find_Un-grouped_Files_and_Directories" do
  title "Find Un-grouped Files and Directories"
  desc "Sometimes when administrators delete users from the password file they neglect to remove all files owned by those users from the system."
  impact 1.0
  describe "SCAP oval resource file_test could not be loaded: Cannot handle referenced value group in file_test; only single values are support at the moment" do
    skip "SCAP oval resource file_test could not be loaded: Cannot handle referenced value group in file_test; only single values are support at the moment"
  end
end

# CIS 9.1.13: informational only (impact 0.0) -- no SUID search is performed.
control "xccdf_org.cisecurity.benchmarks_rule_9.1.13_Find_SUID_System_Executables" do
  title "Find SUID System Executables"
  desc "The owner of a file can set the file's permissions to run with the owner's or group's permissions, even if the user running the program is not the owner or a member of the group. The most common reason for a SUID program is to enable users to perform functions (such as changing their password) that require root privileges."
  impact 0.0
end

# CIS 9.1.14: informational only (impact 0.0) -- no SGID search is performed.
control "xccdf_org.cisecurity.benchmarks_rule_9.1.14_Find_SGID_System_Executables" do
  title "Find SGID System Executables"
  desc "The owner of a file can set the file's permissions to run with the owner's or group's permissions, even if the user running the program is not the owner or a member of the group. The most common reason for a SGID program is to enable users to perform functions (such as changing their password) that require root privileges."
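impact 0.0
end

# CIS 9.2.1: every /etc/shadow entry must have a non-empty password field
# (one test per entry).
control "xccdf_org.cisecurity.benchmarks_rule_9.2.1_Ensure_Password_Fields_are_Not_Empty" do
  title "Ensure Password Fields are Not Empty"
  desc "An account with an empty password field means that anybody may log in as that user without providing a password."
  impact 1.0
  shadow.users(/.*/).entries.each do |entry|
    describe entry do
      its("passwords") { should cmp /.+/ }
    end
  end
end

# CIS 9.2.2: no line of /etc/passwd may start with a legacy NIS "+:" marker.
control "xccdf_org.cisecurity.benchmarks_rule_9.2.2_Verify_No_Legacy__Entries_Exist_in_etcpasswd_File" do
  title "Verify No Legacy \"+\" Entries Exist in /etc/passwd File"
  desc "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on CentOS 7 systems, but may exist in files that have been imported from other platforms."
  impact 1.0
  # "+" is a repeat operator in a regex.  The unescaped form /^+:/ has no
  # target for the operator and is rejected by Ruby when the file is parsed,
  # which stopped this whole profile file from loading; "\+" matches a
  # literal plus sign.
  describe file("/etc/passwd") do
    its("content") { should_not match /^\+:/ }
  end
end

# CIS 9.2.3: no line of /etc/shadow may start with a legacy NIS "+:" marker.
control "xccdf_org.cisecurity.benchmarks_rule_9.2.3_Verify_No_Legacy__Entries_Exist_in_etcshadow_File" do
  title "Verify No Legacy \"+\" Entries Exist in /etc/shadow File"
  desc "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on CentOS 7 systems, but may exist in files that have been imported from other platforms."
  impact 1.0
  # "\+" -- literal plus sign; see the note on the same pattern in 9.2.2.
  describe file("/etc/shadow") do
    its("content") { should_not match /^\+:/ }
  end
end

# CIS 9.2.4: no line of /etc/group may start with a legacy NIS "+:" marker.
control "xccdf_org.cisecurity.benchmarks_rule_9.2.4_Verify_No_Legacy__Entries_Exist_in_etcgroup_File" do
  title "Verify No Legacy \"+\" Entries Exist in /etc/group File"
  desc "The character + in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on CentOS 7 systems, but may exist in files that have been imported from other platforms."
  impact 1.0
  # "\+" -- literal plus sign; see the note on the same pattern in 9.2.2.
  describe file("/etc/group") do
    its("content") { should_not match /^\+:/ }
  end
end

# CIS 9.2.5: only root may have UID 0.
control "xccdf_org.cisecurity.benchmarks_rule_9.2.5_Verify_No_UID_0_Accounts_Exist_Other_Than_root" do
  title "Verify No UID 0 Accounts Exist Other Than root"
  desc "Any account with UID 0 has superuser privileges on the system."
  impact 1.0
  # The UID field is closed with a trailing ":" so the pattern matches
  # exactly "0", not every UID that merely begins with a 0.
  describe file("/etc/passwd") do
    its("content") { should_not match /^(?!root:)[^:]*:[^:]*:0:/ }
  end
end

# CIS 9.2.6: PATH must contain no empty element and no "." element, and every
# directory in it must exist, be neither group- nor world-writable and be
# owned by uid 0.
# NOTE(review): os_env("PATH") reflects the environment InSpec executes in,
# which is root's PATH only when the scan itself runs as root -- confirm for
# the deployment in use.
control "xccdf_org.cisecurity.benchmarks_rule_9.2.6_Ensure_root_PATH_Integrity" do
  title "Ensure root PATH Integrity"
  desc "The root user can execute any command on the system and could be fooled into executing programs unintentionally if the PATH is not set correctly."
  impact 1.0
  # split(":", -1) keeps trailing empty fields: a plain split(":") drops the
  # empty element produced by a trailing colon ("a:b:" -> ["a", "b"]), so
  # that case could never be flagged.  The list is computed once instead of
  # being re-read for every describe.
  path_entries = os_env("PATH").content.to_s.split(":", -1)
  describe path_entries do
    it { should_not be_empty }
  end
  path_entries.each do |entry|
    describe entry do it { should_not eq "" } end
    describe entry do it { should_not eq "." } end
  end
  path_entries.each do |entry|
    describe file(entry) do it { should exist } end
    describe file(entry) do it { should_not be_writable.by "group" } end
    describe file(entry) do it { should_not be_writable.by "other" } end
    describe file(entry) do its("uid") { should cmp 0 } end
  end
end

# CIS 9.2.7: home directories of interactive accounts must not be
# group-writable and must grant nothing to "other".
control "xccdf_org.cisecurity.benchmarks_rule_9.2.7_Check_Permissions_on_User_Home_Directories" do
  title "Check Permissions on User Home Directories"
  desc "While the system administrator can establish secure permissions for users' home directories, the users can easily override these."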
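impact 1.0
# Home directory of every account other than root/halt/sync/shutdown whose
# shell is not /sbin/nologin: must exist, not be group-writable, and grant no
# read/write/execute to "other".
passwd.users(/^(?!root|halt|sync|shutdown).*/).shells({:!==>"/sbin/nologin"}).homes.map { |x| x.to_s.split(":") }.flatten.each do |entry|
  describe file(entry) do it { should exist } end
  describe file(entry) do it { should_not be_writable.by "group" } end
  describe file(entry) do it { should_not be_executable.by "other" } end
  describe file(entry) do it { should_not be_readable.by "other" } end
  describe file(entry) do it { should_not be_writable.by "other" } end
end
end

# CIS 9.2.8: the OVAL file_test for dot files could not be converted, so the
# control is reported as skipped rather than passed.
control "xccdf_org.cisecurity.benchmarks_rule_9.2.8_Check_User_Dot_File_Permissions" do
  title "Check User Dot File Permissions"
  desc "While the system administrator can establish secure permissions for users' \"dot\" files, the users can easily override these."
  impact 1.0
  describe "SCAP oval resource file_test could not be loaded: Don't know how to concat file reference paths for \\..+, with operation pattern match" do
    skip "SCAP oval resource file_test could not be loaded: Don't know how to concat file reference paths for \\..+, with operation pattern match"
  end
end

# CIS 9.2.9: any .netrc present in an interactive account's home directory
# must grant no permission bit to group or other.
control "xccdf_org.cisecurity.benchmarks_rule_9.2.9_Check_Permissions_on_User_.netrc_Files" do
  title "Check Permissions on User .netrc Files"
  desc "While the system administrator can establish secure permissions for users' .netrc files, the users can easily override these."
  impact 1.0
  passwd.users(/^(?!root|halt|sync|shutdown).*/).shells({:!==>"/sbin/nologin"}).homes.map { |x| x.to_s.split(":") }.flatten.map { |x| x + '/' + ".netrc"}.each do |entry|
    # A missing .netrc is the desired state (9.2.19 requires its absence), so
    # the earlier "should exist" assertion made 9.2.9 and 9.2.19 mutually
    # exclusive.  Only files that are actually present are assessed.
    next unless file(entry).exist?
    describe file(entry) do it { should_not be_executable.by "group" } end
    describe file(entry) do it { should_not be_readable.by "group" } end
    describe file(entry) do it { should_not be_writable.by "group" } end
    describe file(entry) do it { should_not be_executable.by "other" } end
    describe file(entry) do it { should_not be_readable.by "other" } end
    describe file(entry) do it { should_not be_writable.by "other" } end
  end
end

# CIS 9.2.10: no interactive account may have a .rhosts file in its home.
control "xccdf_org.cisecurity.benchmarks_rule_9.2.10_Check_for_Presence_of_User_.rhosts_Files" do
  title "Check for Presence of User .rhosts Files"
  desc "While no .rhosts files are shipped with CentOS 7, users can easily create them."
  impact 1.0
  passwd.users(/^(?!root|halt|sync|shutdown).*/).shells({:!==>"/sbin/nologin"}).homes.map { |x| x.to_s.split(":") }.flatten.map { |x| x + '/' + ".rhosts"}.each do |entry|
    describe file(entry) do it { should_not exist } end
  end
end

# CIS 9.2.11: the OVAL textfilecontent54_test could not be converted, so the
# control is reported as skipped rather than passed.
control "xccdf_org.cisecurity.benchmarks_rule_9.2.11_Check_Groups_in_etcpasswd" do
  title "Check Groups in /etc/passwd"
  desc "Over time, system administration errors and changes can lead to groups being defined in /etc/passwd but not in /etc/group."
  impact 1.0
  describe "SCAP oval resource textfilecontent54_test could not be loaded: Cannot handle referenced value group in textfilecontent54_test; only single values are support at the moment" do
    skip "SCAP oval resource textfilecontent54_test could not be loaded: Cannot handle referenced value group in textfilecontent54_test; only single values are support at the moment"
  end
end

# CIS 9.2.12: the home directory of every interactive account must exist.
control "xccdf_org.cisecurity.benchmarks_rule_9.2.12_Check_That_Users_Are_Assigned_Valid_Home_Directories" do
  title "Check That Users Are Assigned Valid Home Directories"
  desc "Users can be defined in /etc/passwd without a home directory or with a home directory does not actually exist."
  impact 1.0
  passwd.users(/^(?!root|halt|sync|shutdown).*/).shells({:!==>"/sbin/nologin"}).homes.map { |x| x.to_s.split(":") }.flatten.each do |entry|
    describe file(entry) do it { should exist } end
  end
end

# CIS 9.2.13: the OVAL invalidhomedirownership_test is unsupported, so the
# control is reported as skipped rather than passed.
control "xccdf_org.cisecurity.benchmarks_rule_9.2.13_Check_User_Home_Directory_Ownership" do
  title "Check User Home Directory Ownership"
  desc "The user home directory is space defined for the particular user to set local environment variables and to store personal files."
  impact 1.0
  describe "SCAP oval resource invalidhomedirownership_test is not yet supported." do
    skip "SCAP oval resource invalidhomedirownership_test is not yet supported."
  end
end

# CIS 9.2.14: no UID may appear more than once in /etc/passwd.
control "xccdf_org.cisecurity.benchmarks_rule_9.2.14_Check_for_Duplicate_UIDs" do
  title "Check for Duplicate UIDs"
  desc "Although the useradd program will not let you create a duplicate User ID (UID), it is possible for an administrator to manually edit the /etc/passwd file and change the UID field."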
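impact 1.0
# The UID list must be non-empty and its length must equal the length of its
# de-duplicated form.
describe passwd.users(/.*/).uids do it { should_not be_empty } end
a = passwd.users(/.*/).uids.uniq.length
describe passwd.users(/.*/).uids do its("length") { should cmp == a } end
end

# CIS 9.2.15: no GID may appear more than once in /etc/group.  The GID is the
# third colon-separated field of each line.
control "xccdf_org.cisecurity.benchmarks_rule_9.2.15_Check_for_Duplicate_GIDs" do
  title "Check for Duplicate GIDs"
  desc "Although the groupadd program will not let you create a duplicate Group ID (GID), it is possible for an administrator to manually edit the /etc/group file and change the GID field."
  impact 1.0
  describe file("/etc/group").content.to_s.scan(/^[^:]+:[^:]+:([\d]+):[^:]*$/).flatten do its("length") { should_not eq 0 } end
  a = file("/etc/group").content.to_s.scan(/^[^:]+:[^:]+:([\d]+):[^:]*$/).flatten.uniq.length
  describe file("/etc/group").content.to_s.scan(/^[^:]+:[^:]+:([\d]+):[^:]*$/).flatten do its("length") { should cmp == a } end
end

# CIS 9.2.16: every UID in the reserved 0-999 range must belong to one of the
# known system accounts, i.e. the set of *other* accounts holding such a UID
# must be empty.
control "xccdf_org.cisecurity.benchmarks_rule_9.2.16_Check_That_Reserved_UIDs_Are_Assigned_to_System_Accounts" do
  title "Check That Reserved UIDs Are Assigned to System Accounts"
  desc "Traditionally, UNIX systems establish \"reserved\" UIDs (0-999 range) that are intended for system accounts."
  impact 1.0
  # The generated test asserted "should_not be_empty" on the unfiltered
  # account list, which passed whenever any non-listed account existed and
  # never looked at the UID.  The uids filter (same form as in 7.2) restricts
  # the set to the reserved range and the expectation is inverted.
  # The lookahead is prefix-based: a name that merely starts with one of the
  # listed names (e.g. a constructed "lpadmin") is exempted as well.
  describe passwd.users(/^(?!root|bin|daemon|adm|lp|sync|shutdown|halt|mail|news|uucp|operator|games|gopher|ftp|nobody|nscd|vcsa|rpc|mailnull|smmsp|pcap|ntp|dbus|avahi|sshd|rpcuser|nfsnobody|haldaemon|avahi-autoipd|distcache|apache|oprofile|webalizer|dovecot|squid|named|xfs|gdm|sabayon|usbmuxd|rtkit|abrt|saslauth|pulse|postfix|tcpdump).*$/).uids({ :<= => 999 }) do
    its("lines") { should be_empty }
  end
end

# CIS 9.2.17: no user name may appear more than once in /etc/passwd.
control "xccdf_org.cisecurity.benchmarks_rule_9.2.17_Check_for_Duplicate_User_Names" do
  title "Check for Duplicate User Names"
  desc "Although the useradd program will not let you create a duplicate user name, it is possible for an administrator to manually edit the /etc/passwd file and change the user name."
  impact 1.0
  describe passwd.users(/.*/).users do its("length") { should_not eq 0 } end
  a = passwd.users(/.*/).users.uniq.length
  describe passwd.users(/.*/).users do its("length") { should cmp == a } end
end

# CIS 9.2.18: no group name may appear more than once in /etc/group.  The
# name is the first colon-separated field of each line.
control "xccdf_org.cisecurity.benchmarks_rule_9.2.18_Check_for_Duplicate_Group_Names" do
  title "Check for Duplicate Group Names"
  desc "Although the groupadd program will not let you create a duplicate group name, it is possible for an administrator to manually edit the /etc/group file and change the group name."
  impact 1.0
  describe file("/etc/group").content.to_s.scan(/^([^:]+):[^:]+:[\d]+:[^:]*$/).flatten do its("length") { should_not eq 0 } end
  a = file("/etc/group").content.to_s.scan(/^([^:]+):[^:]+:[\d]+:[^:]*$/).flatten.uniq.length
  describe file("/etc/group").content.to_s.scan(/^([^:]+):[^:]+:[\d]+:[^:]*$/).flatten do its("length") { should cmp == a } end
end

# CIS 9.2.19: no interactive account may have a .netrc file in its home.
control "xccdf_org.cisecurity.benchmarks_rule_9.2.19_Check_for_Presence_of_User_.netrc_Files" do
  title "Check for Presence of User .netrc Files"
  desc "The .netrc file contains data for logging into a remote host for file transfers via FTP."
  impact 1.0
  passwd.users(/^(?!root|halt|sync|shutdown).*/).shells({:!==>"/sbin/nologin"}).homes.map { |x| x.to_s.split(":") }.flatten.map { |x| x + '/' + ".netrc"}.each do |entry|
    describe file(entry) do it { should_not exist } end
  end
end

# CIS 9.2.20: no interactive account may have a .forward file in its home.
control "xccdf_org.cisecurity.benchmarks_rule_9.2.20_Check_for_Presence_of_User_.forward_Files" do
  title "Check for Presence of User .forward Files"
  desc "The .forward file specifies an email address to forward the user's mail to."
  impact 1.0
  passwd.users(/^(?!root|halt|sync|shutdown).*/).shells({:!==>"/sbin/nologin"}).homes.map { |x| x.to_s.split(":") }.flatten.map { |x| x + '/' + ".forward"}.each do |entry|
    describe file(entry) do it { should_not exist } end
  end
end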