emily/atap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
404ee3fec442838b068a79df338bb5074947b599
atap/ATAPAuditor/AuditGroups/SUSE Linux Enterprise 15-CIS-1.1.1.ps1
T
emily 404ee3fec4 a
2026-05-11 09:15:08 +02:00

3541 lines
102 KiB
PowerShell
Raw Blame History

$parentPath = Split-Path -Parent -Path $PSScriptRoot
$scriptPath = $parentPath + "/Helpers/ShellScripts/SLE_15/"
$rcTrue = "True"
$rcCompliant = "Compliant"
$rcFalse = "False"
$rcNone = "None"
$rcNonCompliant = "Non-Compliant"
$rcNonCompliantManualReviewRequired = "Manual Review Required"
$rcCompliantIPv6isDisabled = "IPv6 is disabled"
$rcFirewallStatus1 = "Using firewalld with iptables"
$rcFirewallStatus2 = "Using nftables"
$rcFirewallStatus3 = "Using iptables"
$retCompliant = @{
Message = $rcCompliant
Status = $rcTrue
}
$retNonCompliant = @{
Message = $rcNonCompliant
Status = $rcFalse
}
$retCompliantIPv6Disabled = @{
Message = $rcCompliantIPv6isDisabled
Status = $rcTrue
}
$retNonCompliantManualReviewRequired = @{
Message = $rcNonCompliantManualReviewRequired
Status = $rcNone
}
$retUsingFW1 = @{
Message = $rcFirewallStatus1
Status = $rcNone
}
$retUsingFW2 = @{
Message = $rcFirewallStatus2
Status = $rcNone
}
$retUsingFW3 = @{
Message = $rcFirewallStatus3
Status = $rcNone
}
$IPv6Status_script = @'
#!/bin/bash
[ -n "$passing" ] && passing=""
[ -z "$(grep "^\s*linux" /boot/grub2/grub.cfg | grep -v ipv6.disabled=1)" ] && passing="true"
grep -Eq "^\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" /etc/sysctl.conf /etc/sysctl.d/*.conf && grep -Eq "^\s*net\.ipv6\.conf\.default\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" /etc/sysctl.conf /etc/sysctl.d/*.conf && sysctl net.ipv6.conf.all.disable_ipv6 | grep -Eq "^\s*net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" && sysctl net.ipv6.conf.default.disable_ipv6 | grep -Eq "^\s*net\.ipv6\.conf\.default\.disable_ipv6\s*=\s*1\b(\s+#.*)?$" && passing="true"
if [ "$passing" = true ] ; then
echo "IPv6 is disabled on the system"
else
echo "IPv6 is enabled on the system"
fi
'@
$IPv6Status = bash -c $IPv6Status_script
if ($IPv6Status -match "enabled") {
$IPv6Status = "enabled"
} else {
$IPv6Status = "disabled"
}
# Firewall evaluation
function GetFirewallStatus {
# 0 = init. value, undefined
# 1 = using firewalld with iptabes as backend
# 2 = using nftables
# 3 = using iptables
$FirewallStatus = 0
# Testing for firewalld with iptables as backend
$test1 = rpm -q firewalld iptables
$test2 = rpm -q nftables
$test3 = systemctl status nftables | grep "active (running)"
$test4 = systemctl is-enabled nftables
$test5 = systemctl is-enabled firewalld
$test6 = firewall-cmd --state
if($test1 -match "firewalld-" -and $test1 -match "iptables-" -and (!($test2 -match "nftables-") -or !($test3 -match "active (running)")) -and !($test4 -match "enabled") -and $test5 -match "enabled" -and $test6 -match "running") {
return 1
}
# Testing for nftables
$test1 = rpm -q nftables
$test2 = rpm -q firewalld
$test3 = systemctl status firewalld | grep "active (running)"
$test4 = systemctl is-enabled firewalld
$test5 = systemctl is-enabled nftables
if($test1 -match "nftables-" -and !($test2 -match "firewalld-" -or $test3 -match "active (running)") -and !($test4 -match "enabled") -and $test5 -match "enabled") {
return 2
}
# Testing for iptables
$test1 = rpm -q iptables
$test2 = rpm -q nftables
$test3 = rpm -q firewalld
$test4 = systemctl status firewalld | grep "active (running)"
$test5 = systemctl is-enabled firewalld
if($test1 -match "iptables-" -and $test2 -match "not installed" -and $test3 -match "not installed" -and !($test4 -match "running (active)") -and !($test5 -match "enabled")) {
return 3
}
return $FirewallStatus
}
$FirewallStatus = GetFirewallStatus
### Chapter 1 - Initial Setup
[AuditTest] @{
Id = "1.1.1.1"
Task = "Ensure mounting of squashfs filesystems is disabled"
Test = {
$result1 = modprobe -n -v squashfs | grep -E '(suqashfs|install)'
$result2 = lsmod | grep squashfs
if ($result1 -match "install /bin/true" -and $result2 -eq $null) {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.1.1.2"
Task = "Ensure mounting of udf filesystems is disabled"
Test = {
$result1 = modprobe -n -v udf | grep -E '(udf|install)'
$result2 = lsmod | grep udf
if ($result1 -match "install /bin/true" -and $result2 -eq $null) {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.1.1.3"
Task = "Ensure mounting of FAT filesystems is disabled"
Test = {
$result1 = modprobe -n -v fat | grep -E '(fat|install)'
$result2 = lsmod | grep udf
$result3 = modprobe -n -v vfat | grep -E '(vfat|install)'
$result4 = lsmod | grep udf
$result5 = modprobe -n -v msdos | grep -E '(msdos|install)'
$result6 = lsmod | grep udf
if ($result1 -match "install /bin/true" -and $result2 -eq $null -and $result3 -match "install /bin/true" -and $result4 -eq $null -and $result5 -match "install /bin/true" -and $result6 -eq $null) {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.1.2"
Task = "Ensure /tmp is configured"
Test = {
$result1 = mount | grep -E '\s/tmp\s'
if ($result1 -match "/tmp") {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.1.3"
Task = "Ensure noexec option set on /tmp partition"
Test = {
$result1 = mount | grep -E '\s/tmp\s' | grep -v noexec
if ($result1 -eq $null) {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.1.4"
Task = "Ensure nodev option set on /tmp partition"
Test = {
$result1 = mount | grep -E '\s/tmp\s' | grep -v nodev
if ($result1 -eq $null) {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.1.5"
Task = "Ensure nosuid option set on /tmp partition"
Test = {
$result1 = mount | grep -E '\s/tmp\s' | grep -v nosuid
if ($result1 -eq $null) {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.1.6"
Task = "Ensure /dev/shm is configured"
Test = {
$result1 = mount | grep -E '\s/dev/shm\s'
$result2 = grep -E '\s/dev/shm\s' /etc/fstab
if ($result1 -ne $null -and $result2 -ne $null) {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.1.7"
Task = "Ensure noexec option set on /dev/shm partition"
Test = {
$result1 = mount | grep -E '\s/dev/shm\s' | grep -v noexec
if ($result1 -eq $null) {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.1.8"
Task = "Ensure nodev option set on /dev/shm partition"
Test = {
$result1 = mount | grep -E '\s/dev/shm\s' | grep -v nodev
if ($result1 -eq $null) {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.1.9"
Task = "Ensure nosuid option set on /dev/shm partition"
Test = {
$result1 = mount | grep -E '\s/dev/shm\s' | grep -v nosuid
if ($result1 -eq $null) {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.1.10"
Task = "Ensure separate partition exists for /var"
Test = {
$result1 = mount | grep -E '\s/var\s'
if ($result1 -ne $null) {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.1.11"
Task = "Ensure separate partition exists for /var/tmp"
Test = {
$result1 = mount | grep /var/tmp
if ($result1 -ne $null) {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.1.12"
Task = "Ensure noexec option set on /var/tmp partition"
Test = {
$result1 = mount | grep -E '\s/var/tmp\s' | grep -v noexec
if ($result1 -eq $null) {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.1.13"
Task = "Ensure nodev option set on /var/tmp partition"
Test = {
$result1 = mount | grep -E '\s/var/tmp\s' | grep -v nodev
if ($result1 -eq $null) {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.1.14"
Task = "Ensure nosuid option set on /var/tmp partition"
Test = {
$result1 = mount | grep -E '\s/var/tmp\s' | grep -v nosuid
if ($result1 -eq $null) {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.1.15"
Task = "Ensure separate partition exists for /var/log"
Test = {
$result1 = mount | grep -E '\s/var/log\s'
if ($result1 -ne $null) {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.1.16"
Task = "Ensure separate partition exists for /var/log/audit"
Test = {
$result1 = mount | grep /var/log/audit
if ($result1 -ne $null) {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.1.17"
Task = "Ensure separate partition exists for /home"
Test = {
$result1 = mount | grep /home
if ($result1 -ne $null) {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.1.18"
Task = "Ensure nodev option set on /home partition"
Test = {
$result1 = mount | grep -E '\s/home\s' | grep -v nodev
if ($result1 -eq $null) {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.1.19"
Task = "Ensure noexec option set on removable media partitions"
Test = {
return $retNonCompliantManualReviewRequired
}
}
[AuditTest] @{
Id = "1.1.20"
Task = "Ensure nodev option set on removable media partitions"
Test = {
return $retNonCompliantManualReviewRequired
}
}
[AuditTest] @{
Id = "1.1.21"
Task = "Ensure nosuid option set on removable media partitions"
Test = {
return $retNonCompliantManualReviewRequired
}
}
[AuditTest] @{
Id = "1.1.22"
Task = "Ensure sticky bit is set on all world-writable directories"
Test = {
$result_script = @'
#!/bin/bash
df --local -P 2>/dev/null | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null
'@
$result = bash -c $result_script
if ($result -ne $null) {
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "1.1.23"
Task = "Disable Automounting"
Test = {
$result = systemctl is-enabled autofs
if ($result -match "enabled") {
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "1.2.1"
Task = "Ensure GPG keys are configured"
Test = {
return $retNonCompliantManualReviewRequired
}
}
[AuditTest] @{
Id = "1.2.2"
Task = "Ensure package manager repositories are configured"
Test = {
return $retNonCompliantManualReviewRequired
}
}
[AuditTest] @{
Id = "1.2.3"
Task = "Ensure gpgcheck is globally activated"
Test = {
$result = grep ^\s*gpgcheck /etc/zypp/zypp.conf
if ($result -match "gpgcheck=1") {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.3.1"
Task = "Ensure sudo is installed"
Test = {
$result = rpm -q sudo
if ($result -match "sudo-") {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.3.2"
Task = "Ensure sudo commands use pty"
Test = {
$result = grep -Ei '^\s*Defaults\s+([^#]\S+,\s*)?use_pty\b' /etc/sudoers /etc/sudoers.d/*
if ($result -match "Defaults user_pty") {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.3.3"
Task = "Ensure sudo log file exists"
Test = {
$result = grep -Ei '^\s*Defaults\s+([^#;]+,\s*)?logfile\s*=\s*(")?[^#;]+(")?' /etc/sudoers /etc/sudoers.d/*
if ($result -match "Defaults logfile=") {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.4.1"
Task = "Ensure aide is installed"
Test = {
$result = rpm -q aide
if ($result -match "aide-") {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.4.2"
Task = "Ensure filesystem integrity is regularly checked"
Test = {
$result1 = crontab -u root -l | grep aide
$result2 = grep -r aide /etc/cron.* /etc/crontab
if ($result1 -ne $null -or $result2 -ne $null) {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.5.1"
Task = "Ensure bootloader password is set"
Test = {
$result1 = grep "^\s*set superusers" /boot/grub2/grub.cfg
$result2 = grep "^\s*password" /boot/grub2/grub.cfg
if ($result1 -match "set superusers=" -and $result2 -match "password_pbkdf2 ") {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.5.2"
Task = "Ensure permissions on bootloader config are configured"
Test = {
$result = stat /boot/grub2/grub.cfg | grep "Uid: "
$result = $result | cut -d '(' -f 2
$result = $result | cut -d '/' -f 1
if($result -eq "0400" -or $result[1] -le 4){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.5.3"
Task = "Ensure authentication required for single user mode"
Test = {
$result1 = grep /systemd-sulogin-shell /usr/lib/systemdm/system/rescue.service
$result2 = grep /systemd-sulogin-shell /usr/lib/systemdm/system/rescue.service
if($result1 -ne $null -and $result2 -ne $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.6.1"
Task = "Ensure core dumps are restricted"
Test = {
$result1 = grep -E "^\s*\*\s+hard\s+core" /etc/security/limits.conf
$result2 = sysctl fs.suid_dumpable
$result3 = grep "fs\.suid_dumpable" /etc/sysctl.conf /etc/sysctl.d/*
if($result1 -match "hard core 0" -and $result2 -match "fs.suid_dumpable = 0" -and $result3 -match "fs.suid_dumpable = 0") {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
# 1.6.2 implemented for journalctl only
[AuditTest] @{
Id = "1.6.2"
Task = "Ensure XD/NX support is enabled"
Test = {
$result1 = journalctl | grep 'protection: active'
if($result1 -match "protection: active") {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.6.3"
Task = "Ensure address space layout randomization (ASLR) is enabled"
Test = {
$result1 = sysctl kernel.randomize_va_space
$result2 = grep "kernel\.randomize_va_space" /etc/sysctl.conf /etc/sysctl.d/*
if($result1 -match "kernel.randomize_va_space = 2" -and $result2 -match "kernel.randomize_va_space = 2") {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.6.4"
Task = "Ensure prelink is disabled"
Test = {
$result1 = rpm -q prelink
if($result1 -match "package prelink is not installed") {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.7.1.1"
Task = "Ensure AppArmor is installed"
Test = {
$result1 = rpm -q apparmor-docs apparmor-parser apparmor-profiles apparmor-utils libapparmor1
if($result1 -ne $null -or $result2 -ne $null) {
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "1.7.1.2"
Task = "Ensure AppArmor is enabled in the bootloader configuration"
Test = {
$result1 = grep "^\s*linux" /boot/grub2/grub.cfg | grep -v "apparmor=1"
$result2 = grep "^\s*linux" /boot/grub2/grub.cfg | grep -v "security=apparmor"
if($result1 -eq $null -and $result2 -eq $null) {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.7.1.3"
Task = "Ensure all AppArmor Profiles are in enforce or complain mode"
Test = {
$profileMode1 = apparmor_status | grep profiles | sed '1!d' | cut -d ' ' -f 1
$profileMode2 = apparmor_status | grep profiles | sed '2!d' | cut -d ' ' -f 1
$profileMode3 = apparmor_status | grep profiles | sed '3!d' | cut -d ' ' -f 1
$result = expr $profileMode3 + $profileMode2
$unconfinedProcesses = apparmor_status | grep processes | sed '4!d' | cut -d ' ' -f 1
if ($result -eq $profileMode1 -and $unconfinedProcesses -eq 0) {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.7.1.4"
Task = "Ensure all AppArmor Profiles are enforcing"
Test = {
$profileMode1 = apparmor_status | grep profiles | sed '1!d' | cut -d ' ' -f 1
$profileMode2 = apparmor_status | grep profiles | sed '2!d' | cut -d ' ' -f 1
$unconfinedProcesses = apparmor_status | grep processes | sed '4!d' | cut -d ' ' -f 1
if($profileMode1 -eq $profileMode2 -and $unconfinedProcesses -eq 0){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.8.1.1"
Task = "Ensure message of the day is configured properly"
Test = {
$result = grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/motd 2>/dev/null
if($result -eq $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.8.1.2"
Task = "Ensure local login warning is configured peoperly"
Test = {
$result = grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue
if($result -eq $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.8.1.3"
Task = "Ensure remote login warning banner is configured properly"
Test = {
$script = $scriptPath + "CIS-SEL15-1.8.1.3.sh"
$result = bash $script
if($result -eq $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.8.1.4"
Task = "Ensure permissions on /etc/motd are configured"
Test = {
$result = stat -L /etc/motd | grep "0644"
if($result -eq $null -or $result -match "0644"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.8.1.5"
Task = "Ensure permissions on /etc/issue are configured"
Test = {
$result = stat -L /etc/issue | grep "0644"
if($result -ne $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
if (Test-Path -Path '/etc/issue.net') {
[AuditTest] @{
Id = "1.8.1.6"
Task = "Ensure permissions on /etc/issue.net are configured"
Test = {
$result = stat -L /etc/issue.net | grep "0644"
if($result -ne $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
}
[AuditTest] @{
Id = "1.9"
Task = "Ensure updates, patches, and additional security software are installed"
Test = {
$output = zypper list-updates
$output = $?
if($output -match "True"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "1.10"
Task = "Ensure GDM is removed or login is configured"
Test = {
$result = rpm -q gdm
if($result -match "not installed"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
### Chapter 2 - Services
[AuditTest] @{
Id = "2.1.1"
Task = "Ensure xinetd is not installed"
Test = {
$result = rpm -q xinetd
if($result -match "not installed"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.2.1.1"
Task = "Ensure time synchronization is in use"
Test = {
$result = rpm -q chrony
if($result -match "chrony-"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.2.1.2"
Task = "Ensure systemd-timesyncd is configured"
Test = {
$result = systemctl is-enabled systemd-timesyncd.service
if($result -match "enabled"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.2.1.3"
Task = "Ensure chrony is configured"
Test = {
$result1 = grep -E "^(server|pool)" /etc/chrony.conf
$result2 = grep ^OPTIONS /etc/sysconfig/chronyd
if($result1 -match "server " -and $result2 -match "-u chrony") {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.2.2"
Task = "Ensure X11 Server components are not installed"
Test = {
$result = rpm -qa xorg-x11-server*
if($result -eq $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.2.4"
Task = "Ensure CUPS is not installed"
Test = {
$result = rpm -q cups
if($result -match "not installed"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.2.5"
Task = "Ensure DHCP Server is not installed"
Test = {
$result = rpm -q dhcp
if($result -match "not installed"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.2.6"
Task = "Ensure LDAP server is not installed"
Test = {
$result = rpm -q openldap2
if($result -match "not installed"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.2.7"
Task = "Ensure nfs-utils is not installed or the nfs-server service is masked"
Test = {
$result1 = rpm -q nfs-utils
$result2 = rpm -q nfs-kernel-server
if($result1 -match "not installed" -and $result2 -match "not installed"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.2.8"
Task = "Ensure rpcbind is not installed or the rpcbind services are masked"
Test = {
$result = rpm -q rpcbind
if($result -match "not installed"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.2.9"
Task = "Ensure DNS Server is not installed"
Test = {
$result = rpm -q bind
if($result -match "not installed"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.2.10"
Task = "Ensure FTP Server is not installed"
Test = {
$result = rpm -q vsftpd
if($result -match "not installed"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.2.11"
Task = "Ensure HTTP Server is not installed"
Test = {
$result = rpm -q apache2
if($result -match "not installed"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.2.12"
Task = "Ensure HTTP Server is not installed"
Test = {
$result = rpm -q dovecot
if($result -match "not installed"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.2.13"
Task = "Ensure Samba is not installed"
Test = {
$result = rpm -q samba
if($result -match "not installed"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.2.14"
Task = "Ensure HTTP Proxy Server is not installed"
Test = {
$result = rpm -q squid
if($result -match "not installed"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.2.15"
Task = "Ensure net-snmp is not installed"
Test = {
$result = rpm -q net-snmp
if($result -match "not installed"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.2.16"
Task = "Ensure mail transfer agent is configured for local-only mode"
Test = {
$result = ss -lntu | grep -E ':25\s' | grep -E -v '\s(127.0.0.1|\[?::1\]?):25\s'
if($result -eq $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.2.17"
Task = "Ensure rsync is not installed or the rsyncd service is masked"
Test = {
$result = rpm -q rsync
if($result -match "not installed"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.2.18"
Task = "Ensure NIS server is not installed"
Test = {
$result = rpm -q ypserv
if($result -match "not installed"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.2.19"
Task = "Ensure telnet-server is not installed"
Test = {
$result = rpm -q telnet-server
if($result -match "not installed"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.3.1"
Task = "Ensure NIS Client is not installed"
Test = {
$result = rpm -q ypbind
if($result -match "not installed"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.3.2"
Task = "Ensure rsh client is not installed"
Test = {
$result = rpm -q rsh
if($result -match "not installed"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.3.3"
Task = "Ensure talk client is not installed"
Test = {
$result = rpm -q talk
if($result -match "not installed"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.3.4"
Task = "Ensure telnet client is not installed"
Test = {
$result = rpm -q telnet
if($result -match "not installed"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.3.5"
Task = "Ensure LDAP client is not installed"
Test = {
$result = rpm -q openldap2-clients
if($result -match "not installed"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "2.4"
Task = "Ensure nonessential services are removed or masked"
Test = {
return $retNonCompliantManualReviewRequired
}
}
## Chapter 3 - Network Configuration
# sysctl wird ignoriert
[AuditTest] @{
Id = "3.1.1"
Task = "Disable IPv6"
Test = {
if ($IPv6Status -match "disable") {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.1.2"
Task = "Ensure wireless interfaces are disabled"
Test = {
$result = ip link show up
if($result -eq $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.2.1"
Task = "Ensure IP forwarding is disabled"
Test = {
if ($IPv6Status -match "disable") {
$result1 = sysctl net.ipv4.ip_forward
$result2 = grep -E -s "^\s*net\.ipv4\.ip_forward\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf
if($result1 -match "net.ipv4.ip_forward = 0" -and $result2 -eq $null){
return $retCompliant
} else {
return $retNonCompliant
}
} else {
$result1 = sysctl net.ipv4.ip_forward
$result2 = grep -E -s "^\s*net\.ipv4\.ip_forward\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf
$result3 = sysctl net.ipv6.conf.all.forwarding
$result4 = grep -E -s "^\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf
if($result1 -match "net.ipv4.ip_forward = 0" -and $result2 -eq $null -and $result3 -match "net.ipv6.conf.all.forwarding = 0" -and $result4 -eq $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
}
[AuditTest] @{
Id = "3.2.2"
Task = "Ensure packet redirect sending is disabled"
Test = {
$result1 = sysctl net.ipv4.conf.all.send_redirects
$result2 = sysctl net.ipv4.conf.default.send_redirects
$result3 = grep "net\.ipv4\.conf\.all\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/*
$result4 = grep "net\.ipv4\.conf\.default\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/*
if($result1 -match "net.ipv4.conf.all.send_redirects = 0" -and $result2 -match "net.ipv4.conf.default.send_redirects = 0" -and $result3 -match "net.ipv4.conf.all.send_redirects = 0" -and $result4 -match "net.ipv4.conf.default.send_redirects= 0"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.3.1"
Task = "Ensure source routed packets are not accepted"
Test = {
if ($IPv6Status -match "disable") {
$result1 = sysctl net.ipv4.conf.all.accept_source_route
$result2 = sysctl net.ipv4.conf.default.accept_source_route
$result3 = grep "net\.ipv4\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/*
$result4 = grep "net\.ipv4\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/*
if($result1 -match "net.ipv4.conf.all.accept_source_route = 0" -and $result2 -match "net.ipv4.conf.default.accept_source_route = 0" -and $result3 -match "net.ipv4.conf.all.accept_source_route= 0" -and $result4 -match "net.ipv4.conf.default.accept_source_route= 0"){
return $retCompliant
} else {
return $retNonCompliant
}
} else {
$result1 = sysctl net.ipv4.conf.all.accept_source_route
$result2 = sysctl net.ipv4.conf.default.accept_source_route
$result3 = grep "net\.ipv4\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/*
$result4 = grep "net\.ipv4\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/*
$result5 = sysctl net.ipv6.conf.all.accept_source_route
$result6 = sysctl net.ipv6.conf.default.accept_source_route
$result7 = grep "net\.ipv6\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/*
$result8 = grep "net\.ipv6\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/*
if($result1 -match "net.ipv4.conf.all.accept_source_route = 0" -and $result2 -match "net.ipv4.conf.default.accept_source_route = 0" -and $result3 -match "net.ipv4.conf.all.accept_source_route= 0" -and $result4 -match "net.ipv4.conf.default.accept_source_route= 0" -and $result5 -match "net.ipv6.conf.all.accept_source_route = 0" -and $result6 -match "net.ipv6.conf.default.accept_source_route = 0" -and $result7 -match "net.ipv4.conf.all.accept_source_route= 0" -and $result8 -match "net.ipv6.conf.default.accept_source_route= 0"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
}
[AuditTest] @{
Id = "3.3.2"
Task = "Ensure ICMP redirects are not accepted"
Test = {
$result1 = sysctl net.ipv4.conf.all.accept_redirects
$result2 = sysctl net.ipv4.conf.default.accept_redirects
$result3 = grep "net\.ipv4\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/*
$result4 = grep "net\.ipv4\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/*
if($result1 -match "net.ipv4.conf.all.accept_redirects = 0" -and $result2 -match "net.ipv4.conf.default.accept_redirects = 0" -and $result3 -match "net.ipv4.conf.all.accept_redirects= 0" -and $result4 -match "net.ipv4.conf.default.accept_redirects= 0"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.3.3"
Task = "Ensure secure ICMP redirects are not accepted"
Test = {
$result1 = sysctl net.ipv4.conf.all.secure_redirects
$result2 = sysctl net.ipv4.conf.default.accept_redirects
$result3 = grep "net\.ipv4\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/*
$result4 = grep "net\.ipv4\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/*
if($result1 -match "net.ipv4.conf.all.accept_redirects = 0" -and $result2 -match "net.ipv4.conf.default.accept_redirects = 0" -and $result3 -match "net.ipv4.conf.all.accept_redirects= 0" -and $result4 -match "net.ipv4.conf.default.accept_redirects= 0"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.3.4"
Task = "Ensure suspicious packets are logged"
Test = {
$result1 = sysctl net.ipv4.conf.all.log_martians
$result2 = sysctl net.ipv4.conf.default.log_martians
$result3 = grep "net\.ipv4\.conf\.all\.log_martians" /etc/sysctl.conf /etc/sysctl.d/*
$result4 = grep "net\.ipv4\.conf\.default\.log_martians" /etc/sysctl.conf /etc/sysctl.d/*
if($result1 -match "net.ipv4.conf.all.log_martians = 1" -and $result2 -match "net.ipv4.conf.default.log_martians = 1" -and $result3 -match "net.ipv4.conf.all.log_martians = 1" -and $result4 -match "net.ipv4.conf.default.log_martians = 1"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.3.5"
Task = "Ensure broadcast ICMP requests are ignored"
Test = {
$result1 = sysctl net.ipv4.icmp_echo_ignore_broadcasts
$result2 = grep "net\.ipv4\.icmp_echo_ignore_broadcasts" /etc/sysctl.conf /etc/sysctl.d/*
if($result1 -match "net.ipv4.icmp_echo_ignore_broadcasts = 1" -and $result2 -match "net.ipv4.icmp_echo_ignore_broadcasts = 1"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.3.6"
Task = "Ensure bogus ICMP responses are ignored"
Test = {
$result1 = sysctl net.ipv4.icmp_ignore_bogus_error_responses
$result2 = grep "net.ipv4.icmp_ignore_bogus_error_responses" /etc/sysctl.conf /etc/sysctl.d/*
if($result1 -match "net.ipv4.icmp_ignore_bogus_error_responses = 1" -and $result2 -match "net.ipv4.icmp_ignore_bogus_error_responses = 1"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.3.7"
Task = "Ensure Reverse Path Filtering is enabled"
Test = {
$result1 = sysctl net.ipv4.conf.all.rp_filter
$result2 = sysctl net.ipv4.conf.default.rp_filter
$result3 = grep "net\.ipv4\.conf\.all\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/*
$result4 = grep "net\.ipv4\.conf\.default\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/*
if($result1 -match "net.ipv4.conf.all.rp_filter = 1" -and $result2 -match "net.ipv4.conf.default.rp_filter = 1" -and $result3 -match "net.ipv4.conf.all.rp_filter = 1" -and $result4 -match "net.ipv4.conf.default.rp_filter = 1"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.3.8"
Task = "Ensure TCP SYN Cookies is enabled"
Test = {
$result1 = sysctl net.ipv4.tcp_syncookies
$result2 = grep "net\.ipv4\.tcp_syncookies" /etc/sysctl.conf /etc/sysctl.d/*
if($result1 -match "net.ipv4.tcp_syncookies = 1" -and $result2 -match "net.ipv4.tcp_syncookies = 1"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.3.9"
Task = "Ensure IPv6 router advertisements are not accepted"
Test = {
if ($IPv6Status -match "disabled") {
return $retCompliantIPv6Disabled
}
$result1 = sysctl net.ipv6.conf.all.accept_ra
$result2 = sysctl net.ipv6.conf.default.accept_ra
$result3 = grep "net\.ipv6\.conf\.all\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/*
$result4 = grep "net\.ipv6\.conf\.default\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/*
if($result1 -match "net.ipv6.conf.all.accept_ra = 0" -and $result2 -match "net.ipv6.conf.default.accept_ra = 0" -and $result3 -match "net.ipv6.conf.all.accept_ra = 0" -and $result4 -match "net.ipv6.conf.default.accept_ra = 0"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.4.1"
Task = "Ensure TCP SYN Cookies is enabled"
Test = {
$result1 = modprobe -n -v dccp
$result2 = lsmod | grep dccp
if($result1 -match "install /bin/true" -and $result2 -eq $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.4.2"
Task = "Ensure SCTP is disabled"
Test = {
$result1 = modprobe -n -v sctp
$result2 = lsmod | grep sctp
if($result1 -match "install /bin/true" -and $result2 -eq $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
### Chapter 3.5.1.X firewalld
if( ($FirewallStatus -eq 0) -or ($FirewallStatus -eq 1) ){
[AuditTest] @{
Id = "3.5.1.1"
Task = "Ensure FirewallD is installed"
Test = {
if ($FirewallStatus -match 2) {
return $retUsingFW2
}
if ($FirewallStatus -match 3) {
return $retUsingFW3
}
$result = rpm -q firewalld iptables
if($result -match "firewalld-" -and $result -match "iptables-"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.5.1.2"
Task = "Ensure nftables is not installed or stopped and masked"
Test = {
if ($FirewallStatus -match 2) {
return $retUsingFW2
}
if ($FirewallStatus -match 3) {
return $retUsingFW3
}
$result1 = rpm -q nftables
$result21 = systemctl status nftables | grep "active (running)"
$result22 = systemctl is-enabled nftables
if($result1 -match "not installed" -or (!($result21 -match "active (running)") -and !($result22 -match "enabled"))){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.5.1.3"
Task = "Ensure firewalld service is enabled and running"
Test = {
if ($FirewallStatus -match 2) {
return $retUsingFW2
}
if ($FirewallStatus -match 3) {
return $retUsingFW3
}
$result1 = systemctl is-enabled firewalld
$result2 = firewall-cmd --state
if($result1 -match "enabled" -and $result2 -match "running"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.5.1.4"
Task = "Ensure default zone is set"
Test = {
if ($FirewallStatus -match 2) {
return $retUsingFW2
}
if ($FirewallStatus -match 3) {
return $retUsingFW3
}
$result = firewall-cmd --get-default-zone
if($result -ne $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.5.1.5"
Task = "Ensure network interfaces are assigned to appropriate zone"
Test = {
if ($FirewallStatus -match 2) {
return $retUsingFW2
}
if ($FirewallStatus -match 3) {
return $retUsingFW3
}
return $retNonCompliantManualReviewRequired
}
}
[AuditTest] @{
Id = "3.5.1.6"
Task = "Ensure unnecessary services and ports are not accepted"
Test = {
if ($FirewallStatus -match 2) {
return $retUsingFW2
}
if ($FirewallStatus -match 3) {
return $retUsingFW3
}
return $retNonCompliantManualReviewRequired
}
}
}
### Chapter 3.5.2.X nftables
if( ($FirewallStatus -eq 0) -or ($FirewallStatus -eq 2) ){
[AuditTest] @{
Id = "3.5.2.1"
Task = "Ensure nftables is installed"
Test = {
if ($FirewallStatus -match 1) {
return $retUsingFW1
}
if ($FirewallStatus -match 3) {
return $retUsingFW3
}
$result = rpm -q nftables
if($result -match "nftables-"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.5.2.2"
Task = "Ensure firewalld is not installed or stopped and masked"
Test = {
if ($FirewallStatus -match 1) {
return $retUsingFW1
}
if ($FirewallStatus -match 3) {
return $retUsingFW3
}
$result1 = rpm -q firewalld
$result21 = systemctl status firewalld | grep "Active: " | grep -v "active (running) "
$result22 = systemctl is-enabled firewalld
if($result1 -match "not installed" -or ($result21 -eq $null -and $result22 -match "masked")){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.5.2.3"
Task = "Ensure iptables are flushed"
Test = {
if ($FirewallStatus -match 1) {
return $retUsingFW1
}
if ($FirewallStatus -match 3) {
return $retUsingFW3
}
return $retNonCompliantManualReviewRequired
}
}
[AuditTest] @{
Id = "3.5.2.4"
Task = "Ensure a table exists"
Test = {
if ($FirewallStatus -match 1) {
return $retUsingFW1
}
if ($FirewallStatus -match 3) {
return $retUsingFW3
}
$result = nft list tables
if($result -match "table inet filter") {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.5.2.5"
Task = "Ensure base chain exist"
Test = {
if ($FirewallStatus -match 1) {
return $retUsingFW1
}
if ($FirewallStatus -match 3) {
return $retUsingFW3
}
$result1 = nft list ruleset | grep 'hook input'
$result2 = nft list ruleset | grep 'hook forward'
$result3 = nft list ruleset | grep 'hook output'
if($result1 -match "type filter hook input priority 0;" -and $result2 -match "type filter hook forward priority 0;" -and $result3 -match "type filter hook output priority 0;") {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.5.2.6"
Task = "Ensure loopback traffic is configured"
Test = {
if ($FirewallStatus -match 1) {
return $retUsingFW1
}
if ($FirewallStatus -match 3) {
return $retUsingFW3
}
$result1 = nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept'
$result2 = nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr'
if($result1 -match "iif ""lo"" accept" -and $result2 -match "ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop") {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.5.2.7"
Task = "Ensure outbound and established connections are configured"
Test = {
if ($FirewallStatus -match 1) {
return $retUsingFW1
}
if ($FirewallStatus -match 3) {
return $retUsingFW3
}
return $retNonCompliantManualReviewRequired
}
}
[AuditTest] @{
Id = "3.5.2.8"
Task = "Ensure default deny firewall policy"
Test = {
if ($FirewallStatus -match 1) {
return $retUsingFW1
}
if ($FirewallStatus -match 3) {
return $retUsingFW3
}
$result1 = nft list ruleset | grep 'hook input'
$result2 = nft list ruleset | grep 'hook forward'
$result3 = nft list ruleset | grep 'hook output'
if($result1 -match "type filter hook input priority 0; policy drop;" -and $result2 -match "type filter hook forward priority 0; policy drop;" -and $result3 -match "type filter hook output priority 0; policy drop;") {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.5.2.9"
Task = "Ensure nftables service is enabled"
Test = {
if ($FirewallStatus -match 1) {
return $retUsingFW1
}
if ($FirewallStatus -match 3) {
return $retUsingFW3
}
$result = systemctl is-enabled nftables
if($result -match "enabled") {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.5.2.10"
Task = "Ensure nftables rules are permanent"
Test = {
if ($FirewallStatus -match 1) {
return $retUsingFW1
}
if ($FirewallStatus -match 3) {
return $retUsingFW3
}
$retNonCompliantManualReviewRequired
}
}
}
### Chapter 3.5.3.X iptables
if( ($FirewallStatus -eq 0) -or ($FirewallStatus -eq 3) ){
[AuditTest] @{
Id = "3.5.3.1.1"
Task = "Ensure iptables package is installed"
Test = {
if ($FirewallStatus -match 1) {
return $retUsingFW1
}
if ($FirewallStatus -match 2) {
return $retUsingFW2
}
$result = rpm -q iptables
if($result -match "iptables-") {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.5.3.1.2"
Task = "Ensure nftables is not installed"
Test = {
if ($FirewallStatus -match 1) {
return $retUsingFW1
}
if ($FirewallStatus -match 2) {
return $retUsingFW2
}
$result = rpm -q nftables
if($result -match "not installed") {
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.5.3.1.3"
Task = "Ensure firewalld is not installed or stopped and masked"
Test = {
if ($FirewallStatus -match 1) {
return $retUsingFW1
}
if ($FirewallStatus -match 2) {
return $retUsingFW2
}
$result1 = rpm -q firewalld
$result21 = systemctl status firewalld | grep "Active: " | grep -v "active (running) "
$result22 = systemctl is-enabled firewalld
if($result1 -match "not installed" -or ($result21 -eq $null -and $result22 -match "masked")){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.5.3.2.1"
Task = "Ensure default deny firewall policy"
Test = {
if ($FirewallStatus -match 1) {
return $retUsingFW1
}
if ($FirewallStatus -match 2) {
return $retUsingFW2
}
$output = iptables -L
$test11 = $output -match "DROP" | grep "Chain INPUT (policy DROP)"
$result11 = $?
$test12 = $output -match "REJECT" | grep "Chain INPUT (policy REJECT)"
$result12 = $?
$test21 = $output -match "DROP" | grep "Chain FORWARD (policy DROP)"
$result21 = $?
$test22 = $output -match "REJECT" | grep "Chain FORWARD (policy REJECT)"
$result22 = $?
$test31 = $output -match "DROP" | grep "Chain OUTPUT (policy DROP)"
$result31 = $?
$test32 = $output -match "REJECT" | grep "Chain OUTPUT (policy REJECT)"
$result32 = $?
if(($result11 -match "True" -or $result12 -match "True") -and ($result21 -match "True" -or $result22 -match "True") -and ($result31 -match "True" -or $result32 -match "True")){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.5.3.2.2"
Task = "Ensure iptables loopback traffic is configured"
Test = {
if ($FirewallStatus -match 1) {
return $retUsingFW1
}
if ($FirewallStatus -match 2) {
return $retUsingFW2
}
$test1 = iptables -L INPUT -v -n | grep "Chain\s*INPUT\s*(policy\s*DROP"
$test2 = iptables -L OUTPUT -v -n | grep "Chain\s*OUTPUT\s*(policy\s*DROP"
if($test1 -ne $null -and $test2 -ne $null){
return $retCompliant
}
return $retNonCompliant
}
}
[AuditTest] @{
Id = "3.5.3.2.3"
Task = "Ensure outbound and established connections are configured"
Test = {
if ($FirewallStatus -match 1) {
return $retUsingFW1
}
if ($FirewallStatus -match 2) {
return $retUsingFW2
}
$retNonCompliantManualReviewRequired
}
}
[AuditTest] @{
Id = "3.5.3.2.4"
Task = "Ensure firewall rules exist for all open ports"
Test = {
if ($FirewallStatus -match 1) {
return $retUsingFW1
}
if ($FirewallStatus -match 2) {
return $retUsingFW2
}
$retNonCompliantManualReviewRequired
}
}
[AuditTest] @{
Id = "3.5.3.3.1"
Task = "Ensure IPv6 default deny firewall policy"
Test = {
if ($FirewallStatus -match 1) {
return $retUsingFW1
}
if ($FirewallStatus -match 2) {
return $retUsingFW2
}
if ($IPv6Status -match "disabled") {
return $retCompliantIPv6Disabled
}
$output = ip6tables -L
$test11 = $output -match "DROP" | grep "Chain INPUT (policy DROP)"
$result11 = $?
$test12 = $output -match "REJECT" | grep "Chain INPUT (policy REJECT)"
$result12 = $?
$test21 = $output -match "DROP" | grep "Chain FORWARD (policy DROP)"
$result21 = $?
$test22 = $output -match "REJECT" | grep "Chain FORWARD (policy REJECT)"
$result22 = $?
$test31 = $output -match "DROP" | grep "Chain OUTPUT (policy DROP)"
$result31 = $?
$test32 = $output -match "REJECT" | grep "Chain OUTPUT (policy REJECT)"
$result32 = $?
if(($result11 -match "True" -or $result12 -match "True") -and ($result21 -match "True" -or $result22 -match "True") -and ($result31 -match "True" -or $result32 -match "True")){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.5.3.3.2"
Task = "Ensure IPv6 loopback traffic is configured"
Test = {
if ($FirewallStatus -match 1) {
return $retUsingFW1
}
if ($FirewallStatus -match 2) {
return $retUsingFW2
}
if ($IPv6Status -match "disabled") {
return $retCompliantIPv6Disabled
}
$output1 = ip6tables -L INPUT -v -n
$test1 = $output1 | grep "ACCEPT\s*all\s*lo\s**\s*::/0\s*::/0"
$test2 = $output1 | grep "DROP\s*all\s**\s**\s*::1\s*::/0"
$output2 = ip6tables -L OUTPUT -v -n
$test3 = $output2 | grep "ACCEPT\s*all\s*lo\s**\s*::/0\s*::/0"
if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "3.5.3.3.3"
Task = "Ensure IPv6 outbound and established connections are configured"
Test = {
if ($FirewallStatus -match 1) {
return $retUsingFW1
}
if ($FirewallStatus -match 2) {
return $retUsingFW2
}
if ($IPv6Status -match "disabled") {
return $retCompliantIPv6Disabled
}
return $retNonCompliantManualReviewRequired
}
}
[AuditTest] @{
Id = "3.5.3.3.4"
Task = "Ensure IPv6 firewall rules exist for all open ports"
Test = {
if ($FirewallStatus -match 1) {
return $retUsingFW1
}
if ($FirewallStatus -match 2) {
return $retUsingFW2
}
if ($IPv6Status -match "disabled") {
return $retCompliantIPv6Disabled
}
return $retNonCompliantManualReviewRequired
}
}
}
## Chapter 4 Logging and Auditing
[AuditTest] @{
Id = "4.1.1.1"
Task = "Ensure auditd is installed"
Test = {
$test = rpm -q audit
if($test -match "audit-"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.1.1.2"
Task = "Ensure auditd service is enabled and running"
Test = {
$test1 = systemctl is-enabled auditd
$test2 = systemctl status auditd | grep 'Active: active (running) '
if($test1 -match "enabled" -and $test2 -ne $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.1.1.3"
Task = "Ensure auditing for processes that start prior to auditd is enabled"
Test = {
$test = grep "^\s*linux" /boot/grub2/grub.cfg | grep -v "audit=1"
if($test -eq $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.1.2.1"
Task = "Ensure audit log storage size is configured"
Test = {
return $retNonCompliantManualReviewRequired
}
}
[AuditTest] @{
Id = "4.1.2.2"
Task = "Ensure audit logs are not automatically deleted"
Test = {
$test = grep max_log_file_action /etc/audit/auditd.conf
if($test -match "max_log_file_action = keep_logs"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.1.2.3"
Task = "Ensure system is disabled when audit logs are full"
Test = {
$test1 = grep space_left_action /etc/audit/auditd.conf
$test2 = grep action_mail_acct /etc/audit/auditd.conf
$test3 = grep admin_space_left_action /etc/audit/auditd.conf
if($test1 -match "space_left_action = email" -and $test2 -match "action_mail_acct = root" -and $test3 -match "admin_space_left_action = halt"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.1.2.4"
Task = "Ensure system is disabled when audit logs are full"
Test = {
return $retNonCompliantManualReviewRequired
}
}
[AuditTest] @{
Id = "4.1.3"
Task = "Ensure system is disabled when audit logs are full"
Test = {
$test1 = grep time-change /etc/audit/rules.d/*.rules
$test2 = auditctl -l | grep time-change
if($test1 -match "/etc/audit/rules.d/time_change.rules:-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change" -and
$test1 -match "/etc/audit/rules.d/time_change.rules:-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change" -and
$test1 -match "/etc/audit/rules.d/time_change.rules:-a always,exit -F arch=b64 -S clock_settime -k time-change" -and
$test1 -match "/etc/audit/rules.d/time_change.rules:-a always,exit -F arch=b32 -S clock_settime -k time-change" -and
$test1 -match "/etc/audit/rules.d/time_change.rules:-w /etc/localtime -p wa -k time-change" -and
$test2 -match "-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change" -and
$test2 -match "-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=time-change" -and
$test2 -match "-a always,exit -F arch=b64 -S clock_settime -F key=time-change" -and
$test2 -match "-a always,exit -F arch=b32 -S clock_settime -F key=time-change" -and
$test2 -match "-w /etc/localtime -p wa -k time-change"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.1.4"
Task = "Ensure events that modify user/group information are collected"
Test = {
$test1 = grep identity /etc/audit/rules.d/*.rules
$test2 = auditctl -l | grep identity
if($test1 -match "/etc/audit/rules.d/identity.rules:-w /etc/group -p wa -k identity" -and
$test1 -match "/etc/audit/rules.d/identity.rules:-w /etc/passwd -p wa -k identity" -and
$test1 -match "/etc/audit/rules.d/identity.rules:-w /etc/shadow -p wa -k identity" -and
$test1 -match "/etc/audit/rules.d/identity.rules:-w /etc/security/opasswd -p wa -k identity" -and
$test2 -match "-w /etc/group -p wa -k identity" -and
$test2 -match "-w /etc/passwd -p wa -k identity" -and
$test2 -match "-w /etc/shadow -p wa -k identity" -and
$test2 -match "-w /etc/security/opasswd -p wa -k identity"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.1.5"
Task = "Ensure events that modify the system's network environment are collected"
Test = {
$test1 = grep system-locale /etc/audit/rules.d/*.rules
$test2 = auditctl -l | grep system-locale
if($test1 -match "/etc/audit/rules.d/system-locale.rules:-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale" -and
$test1 -match "/etc/audit/rules.d/system-locale.rules:-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale" -and
$test1 -match "/etc/audit/rules.d/system-locale.rules:-w /etc/issue -p wa -k system-locale" -and
$test1 -match "/etc/audit/rules.d/system-locale.rules:-w /etc/issue.net -p wa -k system-locale" -and
$test1 -match "/etc/audit/rules.d/system-locale.rules:-w /etc/hosts -p wa -k system-locale" -and
$test1 -match "/etc/audit/rules.d/system-locale.rules:-w /etc/sysconfig/network -p wa -k system-locale" -and
$test2 -match "-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale" -and
$test2 -match "-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale" -and
$test2 -match "-w /etc/issue -p wa -k system-locale" -and
$test2 -match "-w /etc/issue.net -p wa -k system-locale" -and
$test2 -match "-w /etc/hosts -p wa -k system-locale" -and
$test2 -match "-w /etc/sysconfig/network -p wa -k system-locale"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.1.6"
Task = "Ensure events that modify the system's Mandatory Access Controls are collected"
Test = {
$test1 = grep MAC-policy /etc/audit/rules.d/*.rules
$test2 = auditctl -l | grep MAC-policy
if($test1 -match "/etc/audit/rules.d/MAC_policy.rules:-w /etc/selinux/ -p wa -k MAC-policy" -and $test1 -match "/etc/audit/rules.d/MAC_policy.rules:-w /usr/share/selinux/ -p wa -k MAC-policy" -and $test2 -match "-w /etc/selinux/ -p wa -k MAC-policy" -and $test2 -match "-w /usr/share/selinux/ -p wa -k MAC-policy"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.1.7"
Task = "Ensure login and logout events are collected"
Test = {
$test1 = grep logins /etc/audit/rules.d/*.rules
$test2 = auditctl -l | grep logins
if($test1 -match "/etc/audit/rules.d/logins.rules:-w /var/log/faillog -p wa -k logins" -and
$test1 -match "/etc/audit/rules.d/logins.rules:-w /var/log/lastlog -p wa -k logins" -and
$test1 -match "/etc/audit/rules.d/logins.rules:-w /var/log/tallylog -p wa -k logins" -and
$test2 -match "-w /var/log/faillog -p wa -k logins" -and
$test2 -match "-w /var/log/lastlog -p wa -k logins" -and
$test2 -match "-w /var/log/tallylog -p wa -k logins"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.1.8"
Task = "Ensure session initiation information is collected"
Test = {
$test1 = grep -E '(session|logins)' /etc/audit/rules.d/*.rules
$test2 = auditctl -l | grep -E '(session|logins)'
if($test1 -match "/etc/audit/rules.d/session.rules:-w /var/run/utmp -p wa -k session" -and
$test1 -match "/etc/audit/rules.d/session.rules:-w /var/log/wtmp -p wa -k logins" -and
$test1 -match "/etc/audit/rules.d/session.rules:-w /var/log/btmp -p wa -k logins" -and
$test2 -match "-w /var/run/utmp -p wa -k session" -and
$test2 -match "-w /var/log/wtmp -p wa -k logins" -and
$test2 -match "-w /var/log/btmp -p wa -k logins"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.1.9"
Task = "Ensure discretionary access control permission modification events are collected"
Test = {
$test1 = grep perm_mod /etc/audit/rules.d/*.rules
$test2 = auditctl -l | grep perm_mod
if($test1 -match "/etc/audit/rules.d/perm_mod.rules:-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod" -and
$test1 -match "/etc/audit/rules.d/perm_mod.rules:-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod" -and
$test1 -match "/etc/audit/rules.d/perm_mod.rules:-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod" -and
$test1 -match "/etc/audit/rules.d/perm_mod.rules:-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod" -and
$test1 -match "/etc/audit/rules.d/perm_mod.rules:-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod" -and
$test1 -match "/etc/audit/rules.d/perm_mod.rules:-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod" -and
$test2 -match "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod" -and
$test2 -match "-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod" -and
$test2 -match "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod" -and
$test2 -match "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod" -and
$test2 -match "-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod" -and
$test2 -match "-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.1.10"
Task = "Ensure discretionary access control permission modification events are collected"
Test = {
$test1 = grep access /etc/audit/rules.d/*.rules
$test2 = auditctl -l | grep access
if($test1 -match "/etc/audit/rules.d/access.rules:-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access" -and
$test1 -match "/etc/audit/rules.d/access.rules:-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access" -and
$test1 -match "/etc/audit/rules.d/access.rules:-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access" -and
$test1 -match "/etc/audit/rules.d/access.rules:-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access" -and
$test2 -match "/etc/audit/rules.d/access.rules:-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access" -and
$test2 -match "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access" -and
$test2 -match "-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access" -and
$test2 -match "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.1.11"
Task = "Ensure use of privileged commands is collected"
Test = {
return $retNonCompliantManualReviewRequired
}
}
[AuditTest] @{
Id = "4.1.12"
Task = "Ensure successful file system mounts are collected"
Test = {
$test1 = grep mounts /etc/audit/rules.d/*.rules
$test2 = auditctl -l | grep mounts
if($test1 -match "/etc/audit/rules.d/mounts.rules:-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts" -and
$test1 -match "/etc/audit/rules.d/mounts.rules:-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts" -and
$test2 -match "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts" -and
$test2 -match "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.1.13"
Task = "Ensure file deletion events by users are collected"
Test = {
$test1 = grep delete /etc/audit/rules.d/*.rules
$test2 = auditctl -l | grep delete
if($test1 -match "/etc/audit/rules.d/deletion.rules:-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete" -and
$test1 -match "/etc/audit/rules.d/deletion.rules:-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete" -and
$test2 -match "-a always,exit -F arch=b64 -S rename,unlink,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete" -and
$test2 -match "-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.1.14"
Task = "Ensure changes to system administration scope (sudoers) is collected"
Test = {
$test1 = grep scope /etc/audit/rules.d/*.rules
$test2 = auditctl -l | grep scope
if($test1 -match "/etc/audit/rules.d/scope.rules:-w /etc/sudoers -p wa -k scope" -and
$test1 -match "/etc/audit/rules.d/scope.rules:-w /etc/sudoers.d/ -p wa -k scope" -and
$test2 -match "-w /etc/sudoers -p wa -k scope" -and
$test2 -match "-w /etc/sudoers.d -p wa -k scope"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.1.15"
Task = "Ensure system administrator actions (sudolog) are collected"
Test = {
$test1 = grep -E "^\s*-w\s+$(grep -r logfile /etc/sudoers* | sed -e 's/.*logfile=//;s/,? .*//')\s+-p\s+wa\s+-k\s+actions" /etc/audit/rules.d/*.rules
$test2 = auditctl -l | grep actions
$test3 = echo "-w $(grep -r logfile /etc/sudoers* | sed -e 's/.*logfile=//;s/,? .*//') -p wa -k actions"
if($test1 -match $test3 -and $test2 -match $test3){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.1.16"
Task = "Ensure kernel module loading and unloading is collected"
Test = {
$test1 = grep modules /etc/audit/rules.d/*.rules
$test2 = auditctl -l | grep modules
if($test1 -match "/etc/audit/rules.d/modules.rules:-w /sbin/insmod -p x -k modules" -and
$test1 -match "/etc/audit/rules.d/modules.rules:-w /sbin/rmmod -p x -k modules" -and
$test1 -match "/etc/audit/rules.d/modules.rules:-w /sbin/modprobe -p x -k modules" -and
$test1 -match "/etc/audit/rules.d/modules.rules:-a always,exit -F arch=b64 -S init_module -S delete_module -k modules" -and
$test2 -match "-w /sbin/insmod -p x -k modules" -and
$test2 -match "-w /sbin/rmmod -p x -k modules" -and
$test2 -match "-w /sbin/modprobe -p x -k modules" -and
$test2 -match "-a always,exit -F arch=b64 -S init_module,delete_module -F key=modules"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.1.17"
Task = "Ensure the audit configuration is immutable"
Test = {
$test = grep "^\s*[^#]" /etc/audit/rules.d/*.rules | tail -1
if($test -match "-e 2"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.2.1.1"
Task = "Ensure rsyslog is installed"
Test = {
$test = rpm -q rsyslog
if($test -match "rsyslog-"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.2.1.2"
Task = "Ensure rsyslog Service is enabled and running"
Test = {
$test1 = systemctl is-enabled rsyslog
$test2 = systemctl status rsyslog | grep 'active (running) '
if($test1 -match "enabled" -and $test2 -ne $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.2.1.3"
Task = "Ensure rsyslog default file permissions configured"
Test = {
$test = grep ^\$FileCreateMode /etc/rsyslog.conf /etc/rsyslog.d/*.conf
if($test -match "FileCreateMode"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.2.1.4"
Task = "Ensure logging is configured"
Test = {
return $retNonCompliantManualReviewRequired
}
}
[AuditTest] @{
Id = "4.2.1.5"
Task = "Ensure rsyslog is configured to send logs to a remote log host"
Test = {
$test = grep "^*.*[^I][^I]*@" /etc/rsyslog.conf /etc/rsyslog.d/*.conf
if($test -ne $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.2.1.6"
Task = "Ensure remote rsyslog messages are only accepted on designated log hosts"
Test = {
$test1 = grep '$ModLoad imtcp' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
$test2 = grep '$InputTCPServerRun' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
if($test1 -match "ModLoad imtcp" -and $test2 -match "InputTCPServerRun 514"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.2.2.1"
Task = "Ensure journald is configured to send logs to rsyslog"
Test = {
$test = grep -E ^\s*ForwardToSyslog /etc/systemd/journald.conf
if($test -match "ForwardToSyslog=yes"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.2.2.2"
Task = "Ensure journald is configured to compress large log files"
Test = {
$test = grep -E ^\s*Compress /etc/systemd/journald.conf
if($test -match "Compress=yes"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.2.2.3"
Task = "Ensure journald is configured to write logfiles to persistent disk"
Test = {
$test = grep -E ^\s*Storage /etc/systemd/journald.conf
if($test -match "Storage=persistent"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.2.3"
Task = "Ensure permissions on all logfiles are configured"
Test = {
$test = find /var/log -type f -perm /g+wx,o+rwx -exec ls -l '{}' \;
if($test -eq $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "4.2.4"
Task = "Ensure logrotate is configured"
Test = {
return $retNonCompliantManualReviewRequired
}
}
[AuditTest] @{
Id = "5.1.1"
Task = "Ensure cron daemon is enabled and running"
Test = {
$test1 = systemctl is-enabled cron
$test2 = systemctl status cron | grep 'Active: active (running) '
if($test1 -eq $null -and $test2 -match "active (running)"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.1.2"
Task = "Ensure permissions on /etc/crontab are configured"
Test = {
$test = stat /etc/crontab
if($test -match "0600/-rw-"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.1.3"
Task = "Ensure permissions on /etc/cron.hourly are configured"
Test = {
$test = stat /etc/cron.hourly/
if($test -match "0700/drwx"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.1.4"
Task = "Ensure permissions on /etc/cron.daily are configured"
Test = {
$test = stat /etc/cron.daily
if($test -match "0700/drwx"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.1.5"
Task = "Ensure permissions on /etc/cron.weekly are configured"
Test = {
$test = stat /etc/cron.weekly
if($test -match "0700/drwx"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.1.6"
Task = "Ensure permissions on /etc/cron.monthly are configured"
Test = {
$test = stat /etc/cron.weekly
if($test -match "0700/drwx"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.1.7"
Task = "Ensure permissions on /etc/cron.d are configured"
Test = {
$test = stat /etc/cron.weekly
if($test -match "0700/drwx"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.1.8"
Task = "Ensure cron is restricted to authorized users"
Test = {
$test = stat /etc/cron.deny
if($test -match "cannot stat"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.1.9"
Task = "Ensure cron is restricted to authorized users"
Test = {
$test1 = stat /etc/at.deny
$test2 = stat /etc/at.allow
if($test1 -match "cannot stat" -and $test2 -match "0600/-rw-"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.2.1"
Task = "Ensure permissions on /etc/ssh/sshd_config are configured"
Test = {
$test1 = stat /etc/ssh/sshd_config
if($test1 -match "0600/-rw-"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
### TODO ...
[AuditTest] @{
Id = "5.2.2"
Task = "Ensure permissions on SSH private host key files are configured"
Test = {
return $retCompliant
}
}
### TODO...
[AuditTest] @{
Id = "5.2.3"
Task = "Ensure permissions on SSH public host key files are configured"
Test = {
return $retCompliant
}
}
[AuditTest] @{
Id = "5.2.4"
Task = "Ensure SSH access is limited"
Test = {
$test = sshd -T | grep -E '^\s*(allow|deny)(users|groups)\s+\S+'
if($test -match "allowusers " -or $test -match "allowgroups " -or $test -match "denyusers " -or $test -match "denygroups "){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.2.5"
Task = "Ensure SSH LogLevel is appropriate"
Test = {
$test = sshd -T | grep loglevel
if($test -match "loglevel\s+VERBOSE" -or $test -match "loglevel\s+INFO"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.2.6"
Task = "Ensure SSH X11 forwarding is disabled"
Test = {
$test = sshd -T | grep -i x11forwarding
if($test -match "x11forwarding no"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
### TODO
[AuditTest] @{
Id = "5.2.7"
Task = "Ensure SSH MaxAuthTries is set to 4 or less"
Test = {
$test = sshd -T | grep maxauthtries | grep maxauthtries | cut -d ' ' -f 2
if($test -le 4){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.2.8"
Task = "Ensure SSH IgnoreRhosts is enabled"
Test = {
$test = sshd -T | grep ignorerhosts
if($test -match "ignorehosts yes"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.2.9"
Task = "Ensure SSH HostbasedAuthentication is disabled"
Test = {
$test = sshd -T | grep hostbasedauthentication
if($test -match "hostbasedauthentication no"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.2.10"
Task = "Ensure SSH root login is disabled"
Test = {
$test = sshd -T | grep permitrootlogin
if($test -match "permitrootlogin no"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.2.11"
Task = "Ensure SSH PermitEmptyPasswords is disabled"
Test = {
$test = sshd -T | grep permitemptypasswords
if($test -match "permitemptypasswords no"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.2.12"
Task = "Ensure SSH PermitUserEnvironment is disabled"
Test = {
$test = sshd -T | grep permituserenvironment
if($test -match "permituserenvironment no"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.2.13"
Task = "Ensure only strong Ciphers are used"
Test = {
$test = sshd -T | grep ciphers
if($test -match "3des-cbc" -or $test -match "aes128-cbc" -or $test -match "aes192-cbc" -or $test -match "aes256-cbc"){
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "5.2.14"
Task = "Ensure only strong MAC algorithms are used"
Test = {
$test = sshd -T | grep -i "MACs"
if($test -match "hmac-md5" -or
$test -match "hmac-md5-96" -or
$test -match "hmac-ripemd160" -or
$test -match "hmac-sha1" -or
$test -match "hmac-sha1-96" -or
$test -match "umac-64@openssh.com" -or
$test -match "umac-128@openssh.com" -or
$test -match "hmac-md5-etm@openssh.com" -or
$test -match "hmac-md5-96-etm@openssh.com" -or
$test -match "hmac-ripemd160-etm@openssh.com" -or
$test -match "hmac-sha1-etm@openssh.com" -or
$test -match "hmac-sha1-96-etm@openssh.com" -or
$test -match "umac-64-etm@openssh.com" -or
$test -match "umac-128-etm@openssh.com"){
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "5.2.15"
Task = "Ensure only strong Key Exchange algorithms are used"
Test = {
$test = sshd -T | grep kexalgorithms
if($test -match "diffie-hellman-group1-sha1" -or
$test -match "diffie-hellman-group14-sha1" -or
$test -match "diffie-hellman-group-exchange-sha1"){
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "5.2.16"
Task = "Ensure SSH Idle Timeout Interval is configured"
Test = {
$test1 = sshd -T | grep clientaliveinterval | cut -d ' ' -f 2
$test2 = sshd -T | grep clientaliveinterval | cut -d ' ' -f 2
if($test1 -ge 1 -and $test1 -le 300 -and $test2 -ge 1 -and $test2 -le 3){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.2.17"
Task = "Ensure SSH LoginGraceTime is set to one minute or less"
Test = {
$test = sshd -T | grep logingracetime | cut -d ' ' -f 2
if($test -ge 1 -and $test1 -le 60){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
if (Test-Path -Path '/etc/issue.net') {
[AuditTest] @{
Id = "5.2.18"
Task = "Ensure SSH warning banner is configured"
Test = {
$test = sshd -T | grep banner
if($test -match "banner /etc/issue.net"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
}
[AuditTest] @{
Id = "5.2.19"
Task = "Ensure SSH PAM is enabled"
Test = {
$test = sshd -T | grep -i usepam
if($test -match "usepam yes"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.2.20"
Task = "Ensure SSH AllowTcpForwarding is disabled"
Test = {
$test = sshd -T | grep -i allowtcpforwarding
if($test -match "allowtcpforwarding no"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.2.21"
Task = "Ensure SSH MaxStartups is configured"
Test = {
$test = sshd -T | grep -i maxstartups
if($test -match "maxstartups 10:30:60"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.2.22"
Task = "Ensure SSH MaxSessions is limited"
Test = {
$test = sshd -T | grep -i maxsessions | cut -d ' ' -f 2
if($test -le 10){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
# unfertig; nochmal drüber gehen TODO
[AuditTest] @{
Id = "5.3.1"
Task = "Ensure password creation requirements are configured"
Test = {
$test1 = grep -P '^\s*password\s+(requisite|required)\s+pam_cracklib.so\s+([^#]+\s+)*minlen=(1[4-9]|[1-9][0-9]+)\b' /etc/pam.d/common-password
$test2 = grep -P '^\s*password\s+(?:requisite|required)\s+pam_cracklib\.so\s+(?:[^#]+\s+)*(?:(?!\2|\3|\4))(dcredit=-[1-9]|ucredit=-[1-9]|ocredit=-[1-9]|lcredit=-[1-9])\s+(?:[^#]+\s+)*(?:(?!\1|\3|\4))(dcredit=-[1-9]|ucredit=-[1-9]|ocredit=-[1-9]|lcredit=-[1-9])\s+(?:[^#]+\s+)*(?:(?!\1|\2|\4))(dcredit=-[1-9]|ucredit=-[1-9]|ocredit=-[1-9]|lcredit=-[1-9])\s+(?:[^#]+\s+)*(?!\1|\2|\3)(dcredit=-[1-9]|ucredit=-[1-9]|ocredit=-[1-9]|lcredit=-[1-9])' /etc/pam.d/common-password
if($test2 -match "dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1" -and $test1 -match "minlen=14"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
# unfertig; nochmal drüber gehen TODO
[AuditTest] @{
Id = "5.3.2"
Task = "Ensure lockout for failed password attempts is configured"
Test = {
$test = grep -E '^\s*auth\s+\S+\s+pam_(tally2|unix)\.so' /etc/pam.d/login
if($test -match "deny=5"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.3.3"
Task = "Ensure password reuse is limited"
Test = {
$test = grep -P '^\s*password\s+(requisite|required)\s+pam_pwhistory\.so\s+([^#]+\s+)*remember=([5-9]|[1-9][0-9]+)\b' /etc/pam.d/common-password | cut -d= -f2
if($test -ge 5){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.4.1.1"
Task = "Ensure password hashing algorithm is SHA-512"
Test = {
$test = grep -Ei '^\s*^\s*ENCRYPT_METHOD\s+SHA512' /etc/login.defs
if($test -match "SHA512"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.4.1.2"
Task = "Ensure password expiration is 365 days or less"
Test = {
$test1 = grep ^\s*PASS_MAX_DAYS /etc/login.defs | cut -f2
$test2_script = @'
#!/bin/bash
for line in $(grep -E ^[^:]+:[^\*] /etc/shadow | cut -d: -f5)
do
if [ $line -gt 365 ]
then
echo "FAIL"
fi
done
'@
$test2 = bash -c $test2_script
if($test1 -gt 365 -or $test2 -match "FAIL"){
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "5.4.1.3"
Task = "Ensure minimum days between password changes is configured"
Test = {
$test1 = grep ^\s*PASS_MIN_DAYS /etc/login.defs | cut -f2
$test2_script = @'
#!/bin/bash
for line in $(grep -E ^[^:]+:[^\*] /etc/shadow | cut -d: -f4)
do
if [ $line -lt 1 ]
then
echo "FAIL"
fi
done
'@
$test2 = bash -c $test2_script
if($test1 -lt 1 -or $test2 -match "FAIL"){
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "5.4.1.4"
Task = "Ensure password expiration warning days is 7 or more"
Test = {
$test1 = grep ^\s*PASS_WARN_AGE /etc/login.defs | cut -f2
$test2_script = @'
#!/bin/bash
for line in $(grep -E ^[^:]+:[^\*] /etc/shadow | cut -d: -f6)
do
if [ $line -lt 7 ]
then
echo "FAIL"
fi
done
'@
$test2 = bash -c $test2_script
if($test1 -lt 7 -or $test2 -match "FAIL"){
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "5.4.1.5"
Task = "Ensure inactive password lock is 30 days or less"
Test = {
$test1 = useradd -D | grep INACTIVE | cut -d= -f2
$test2_script = @'
#!/bin/bash
for line in $(grep -E ^[^:]+:[^\*] /etc/shadow | cut -d: -f7)
do
if [ $line -ge 30 ]
then
echo "FAIL"
fi
done
'@
$test2 = bash -c $test2_script
if($test1 -gt 30 -or $test1 -eq -1 -or $test2 -match "FAIL"){
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "5.4.1.6"
Task = "Ensure all users last password change date is in the past"
Test = {
$test_script = @'
#!/bin/bash
for usr in $(cut -d: -f1 /etc/shadow); do
[[ $(chage --list $usr | grep '^Last password change' | cut -d: -f2) > $(date) ]] && echo "$usr :$(chage --list $usr | grep '^Last password change' | cut -d: -f2)"; done
'@
$test = bash -c $test_script
if($test -ne $null){
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "5.4.2"
Task = "Ensure system accounts are secured"
Test = {
$script1 = $scriptPath + "CIS-SEL15-5.4.2_1.sh"
$test1 = bash $script1
$script2 = $scriptPath + "CIS-SEL15-5.4.2_2.sh"
$test2 = bash $script2
if($test1 -eq $null -and $test2 -eq $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.4.3"
Task = "Ensure default group for the root account is GID 0"
Test = {
$test = grep "^root:" /etc/passwd | cut -f4
if($test -eq 0){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.4.4"
Task = "Ensure default user shell timeout is configured"
Test = {
$script = $scriptPath + "CIS-SEL15-5.4.4.sh"
$test1 = bash $script
$test2 = grep -PR '^\s*([^$#;]+\s+)*TMOUT=(9[0-9][1-9]|0+|[1-9]\d{3,})\b\s*(\S+\s*)*(\s+#.*)?$' /etc/profile* /etc/bashrc.bashrc*
if($test1 -match "configured in file: /etc/profile.d/" -and $test2 -eq $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.4.5"
Task = "Ensure default user umask is configured"
Test = {
$test1 = grep -RPi '(^|^[^#]*)\s*umask\s+([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b|[0-7][01][0-7]\b|[0-7][0-7][0-6]\b|(u=[rwx]{0,3},)?(g=[rwx]{0,3},)?o=[rwx]+\b|(u=[rwx]{1,3},)?g=[^rx]{1,3}(,o=[rwx]{0,3})?\b)' /etc/login.defs /etc/default/login /etc/profile* /etc/bash.bashrc*
$test2 = grep -REi '^\s*UMASK\s+\s*(0[0-7][2-7]7|[0-7][2-7]7|u=(r?|w?|x?)(r?|w?|x?)(r?|w?|x?),g=(r?x?|x?r?),o=)\b' /etc/login.defs /etc/default/login /etc/profile* /etc/bash.bashrc*
if(($test1 -eq $null -or $test1 -match "No such file or directory") -and $test2 -match "UMASK\s*027"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "5.5"
Task = "Ensure root login is restricted to system console"
Test = {
return $retNonCompliantManualReviewRequired
}
}
#TODO
[AuditTest] @{
Id = "5.6"
Task = "Ensure access to the su command is restricted"
Test = {
$test1 = grep -RPi '(^|^[^#]*)\s*umask\s+([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b|[0-7][01][0-7]\b|[0-7][0-7][0-6]\b|(u=[rwx]{0,3},)?(g=[rwx]{0,3},)?o=[rwx]+\b|(u=[rwx]{1,3},)?g=[^rx]{1,3}(,o=[rwx]{0,3})?\b)' /etc/login.defs /etc/default/login /etc/profile* /etc/bash.bashrc*
$test2 = grep -REi '^\s*UMASK\s+\s*(0[0-7][2-7]7|[0-7][2-7]7|u=(r?|w?|x?)(r?|w?|x?)(r?|w?|x?),g=(r?x?|x?r?),o=)\b' /etc/login.defs /etc/default/login /etc/profile* /etc/bash.bashrc*
if(($test1 -eq $null -or $test1 -match "No such file or directory") -and $test2 -match "UMASK\s*027"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
### Chapter 6 - System Maintenance
[AuditTest] @{
Id = "6.1.1"
Task = "Audit system file permissions"
Test = {
return $retNonCompliantManualReviewRequired
}
}
[AuditTest] @{
Id = "6.1.2"
Task = "Ensure permissions on /etc/passwd are configured"
Test = {
$test1 = stat /etc/passwd
if($test1 -match "0644"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "6.1.3"
Task = "Ensure permissions on /etc/shadow are configured"
Test = {
$test1 = stat /etc/shadow
if($test1 -match "0640"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "6.1.4"
Task = "Ensure permissions on /etc/group are configured"
Test = {
$test1 = stat /etc/group
if($test1 -match "0644"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "6.1.5"
Task = "Ensure permissions on /etc/passwd- are configured"
Test = {
$test1 = stat /etc/passwd-
if($test1 -match "0644"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "6.1.6"
Task = "Ensure permissions on /etc/shadow- are configured"
Test = {
$test1 = stat /etc/shadow-
if($test1 -match "0640"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "6.1.7"
Task = "Ensure permissions on /etc/group- are configured"
Test = {
$test1 = stat /etc/group-
if($test1 -match "0644"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "6.1.8"
Task = "Ensure no world writable files exist"
Test = {
$test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002
if($test1 -eq $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "6.1.9"
Task = "Ensure no unowned files or directories exist"
Test = {
$test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002
if($test1 -eq $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "6.1.10"
Task = "Ensure no ungrouped files or directories exist"
Test = {
$test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup
if($test1 -eq $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "6.1.11"
Task = "Audit SUID executables"
Test = {
return $retNonCompliantManualReviewRequired
}
}
[AuditTest] @{
Id = "6.1.12"
Task = "Audit SGID executables"
Test = {
return $retNonCompliantManualReviewRequired
}
}
[AuditTest] @{
Id = "6.2.1"
Task = "Ensure accounts in /etc/passwd use shadowed passwords"
Test = {
$script1 = $scriptPath + "CIS-SEL15-6.2.1.sh"
$test1 = bash $script1
if($test1 -eq $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "6.2.2"
Task = "Ensure /etc/shadow password fields are not empty"
Test = {
$script1 = $scriptPath + "CIS-SEL15-6.2.2.sh"
$test1 = bash $script1
if($test1 -eq $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "6.2.3"
Task = "Ensure root is the only UID 0 account"
Test = {
$test1_script = @'
#!/bin/bash
awk -F: '($3 == 0) { print $1 }' /etc/passwd
'@
$test1 = bash -c $test1_script
if($test1 -match "root"){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "6.2.4"
Task = "Ensure root PATH Integrity"
Test = {
$test_script = @'
#!/bin/bash
if echo "$PATH" | grep -q "::" ; then
echo "Empty Directory in PATH (::)"
fi
if echo "$PATH" | grep -q ":$" ; then
echo "Trailing : in PATH"
fi
for x in $(echo "$PATH" | tr ":" " ") ; do
if [ -d "$x" ] ; then
ls -ldH "$x" | awk '
$9 == "." {print "PATH contains current working directory (.)"}
$3 != "root" {print $9, "is not owned by root"}
substr($1,6,1) != "-" {print $9, "is group writable"}
substr($1,9,1) != "-" {print $9, "is world writable"}'
else
echo "$x is not a directory"
fi
done
'@
$test = bash -c $test_script
if($test -ne $null){
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "6.2.5"
Task = "Ensure all users' home directories exist"
Test = {
$script1 = $scriptPath + "CIS-SEL15-6.2.5.sh"
$test = bash $script1
if($test -match "does not exist"){
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "6.2.6"
Task = "Ensure users' home directories permissions are 750 or more restrictive"
Test = {
$script1 = $scriptPath + "CIS-SEL15-6.2.6.sh"
$test = bash $script1
if($test -ne $null){
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "6.2.7"
Task = "Ensure users own their home directories"
Test = {
$script1 = $scriptPath + "CIS-SEL15-6.2.7.sh"
$test = bash $script1
if($test -eq $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
[AuditTest] @{
Id = "6.2.8"
Task = "Ensure users' dot files are not group or world writable"
Test = {
$script1 = $scriptPath + "CIS-SEL15-6.2.8.sh"
$test = bash $script1
if($test -ne $null){
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "6.2.9"
Task = "Ensure no users have .forward files"
Test = {
$script1 = $scriptPath + "CIS-SEL15-6.2.9.sh"
$test = bash $script1
if($test -ne $null){
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "6.2.10"
Task = "Ensure no users have .netrc files"
Test = {
$script1 = $scriptPath + "CIS-SEL15-6.2.10.sh"
$test = bash $script1
if($test -ne $null){
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "6.2.11"
Task = "Ensure users' .netrc Files are not group or world accessible"
Test = {
$script1 = $scriptPath + "CIS-SEL15-6.2.11.sh"
$test = bash $script1
if($test -ne $null){
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "6.2.12"
Task = "Ensure no users have .rhosts files"
Test = {
$script1 = $scriptPath + "CIS-SEL15-6.2.12.sh"
$test = bash $script1
if($test -ne $null){
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "6.2.13"
Task = "Ensure all groups in /etc/passwd exist in /etc/group"
Test = {
$test_script = @'
#!/bin/bash
for i in $(cut -s -d: -f4 /etc/passwd | sort -u ); do
grep -q -P "^.*?:[^:]*:$i:" /etc/group
if [ $? -ne 0 ]; then
echo "Group $i is referenced by /etc/passwd but does not exist in /etc/group"
fi
done
'@
$test = bash -c $test_script
if($test -ne $null){
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "6.2.14"
Task = "Ensure no duplicate UIDs exist"
Test = {
$test_script = @'
#!/bin/bash
cut -f3 -d":" /etc/passwd | sort -n | uniq -c | while read x ; do
[ -z "$x" ] && break
set - $x
if (( $1 > 1 )); then
users=$(awk -F: '($3 == n) { print $1 }' n=$2 /etc/passwd | xargs)
echo "Duplicate UID ($2): $users"
fi
done
'@
$test = bash -c $test_script
if($test -ne $null){
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "6.2.15"
Task = "Ensure no duplicate GIDs exist"
Test = {
$test_script = @'
#!/bin/bash
cut -d: -f3 /etc/group | sort | uniq -d | while read x ; do
echo "Duplicate GID ($x) in /etc/group"
done
'@
$test = bash -c $test_script
if($test -ne $null){
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "6.2.16"
Task = "Ensure no duplicate user names exist"
Test = {
$test_script = @'
#!/bin/bash
cut -d: -f1 /etc/passwd | sort | uniq -d | while read x ; do
echo "Duplicate login name ${x} in /etc/passwd"
done
'@
$test = bash -c $test_script
if($test -ne $null){
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "6.2.17"
Task = "Ensure no duplicate group names exist"
Test = {
$test_script = @'
#!/bin/bash
cut -d: -f1 /etc/group | sort | uniq -d | while read x ; do
echo "Duplicate group name ${x} in /etc/group"
done
'@
$test = bash -c $test_script
if($test -ne $null){
return $retNonCompliant
} else {
return $retCompliant
}
}
}
[AuditTest] @{
Id = "6.2.18"
Task = "Ensure shadow group is empty"
Test = {
$script1 = $scriptPath + "CIS-SEL15-6.2.18_1.sh"
$test1 = bash $script1
$script2 = $scriptPath + "CIS-SEL15-6.2.18_2.sh"
$test2 = bash $script2
if($test1 -eq $null -and $test2 -eq $null){
return $retCompliant
} else {
return $retNonCompliant
}
}
}
Reference in New Issue View Git Blame Copy Permalink