emily/atap
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
404ee3fec442838b068a79df338bb5074947b599
atap/ATAPAuditor/AuditGroups/Ubuntu Linux 20.04-CIS-1.1.0.ps1
T
emily 404ee3fec4 a
2026-05-11 09:15:08 +02:00

5012 lines
155 KiB
PowerShell
Raw Blame History

function Get-IPv6Disabled{
$test1 = sysctl net.ipv6.conf.all.disable_ipv6
$test2 = sysctl net.ipv6.conf.default.disable_ipv6
$grep = grep -E '^\s*net\.ipv6\.conf\.(all|default)\.disable_ipv6\s*=\s*1\b(\s+#.*)?$'/etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d: -f2
if($test1 -match "net.ipv6.conf.all.disable_ipv6 = 1" -and $test2 -match "net.ipv6.conf.default.disable_ipv6 = 1" -and $grep -match "net.ipv6.conf.all.disable_ipv6 = 1" -and $grep -match "net.ipv6.conf.default.disable_ipv6 = 1"){
return $true
}
return $false
}
$isIPv6Disabled = Get-IPv6Disabled
[AuditTest] @{
Id = "1.1.1.1"
Task = "Ensure mounting of cramfs filesystems is disabled"
Test = {
$result1 = modprobe -n -v cramfs | grep -E '(cramfs|install)'
$result2 = lsmod | grep cramfs
if($result1 -match "install /bin/true" -and $result2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.1.2"
Task = "Ensure mounting of freevxfs filesystems is disabled"
Test = {
$result1 = modprobe -n -v freevxfs | grep -E '(freevxfs|install)'
$result2 = lsmod | grep freevxfs
if($result1 -match "install /bin/true" -and $result2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.1.3"
Task = "Ensure mounting of jffs2 filesystetms is disabled"
Test = {
$result1 = modprobe -n -v jffs2 | grep -E '(jffs2|install)'
$result2 = lsmod | grep jffs2
if($result1 -match "install /bin/true" -and $result2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.1.4"
Task = "Ensure mounting of hfs filesystetms is disabled"
Test = {
$result1 = modprobe -n -v hfs | grep -E '(hfs|install)'
$result2 = lsmod | grep hfs
if($result1 -match "install /bin/true" -and $result2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.1.5"
Task = "Ensure mounting of hfsplus filesystetms is disabled"
Test = {
$result1 = modprobe -n -v hfsplus | grep -E '(hfsplus|install)'
$result2 = lsmod | grep hfsplus
if($result1 -match "install /bin/true" -and $result2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.1.6"
Task = "Ensure mounting of squashfs filesystems is disabled"
Test = {
$result1 = modprobe -n -v squashfs | grep -E '(squashfs|install)'
$result2 = lsmod | grep squashfs
if($result1 -match "install /bin/true" -and $result2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.1.7"
Task = "Ensure mounting of udf filesystetms is disabled"
Test = {
$result1 = modprobe -n -v udf | grep -E '(udf|install)'
$result2 = lsmod | grep udf
if($result1 -match "install /bin/true" -and $result2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.2"
Task = "Ensure /tmp is configured"
Test = {
$result = findmnt -n /tmp
if($result -match "/tmp"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.3"
Task = "Ensure nodev option set on /tmp partition"
Test = {
$result = findmnt -n /tmp
if($result -match "nodev"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.4"
Task = "Ensure nosuid option set on /tmp partition"
Test = {
$result = findmnt -n /tmp
if($result -match "nosuid"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.5"
Task = "Ensure noexec option set on /tmp partition"
Test = {
$result = findmnt -n /tmp
if($result -match "noexec"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.6"
Task = "Ensure /dev/shm is configured"
Test = {
$result = findmnt -n /dev/shm
if($result -match "/dev/shm"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.7"
Task = "Ensure nodev option set on /dev/shm partition"
Test = {
$result = findmnt -n /dev/shm
if($result -match "nodev"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.8"
Task = "Ensure nosuid option set on /dev/shm partition"
Test = {
$result = findmnt -n /dev/shm
if($result -match "nosuid"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.9"
Task = "Ensure nosuid option set on /dev/shm partition"
Test = {
$result = findmnt -n /dev/shm | grep -v noexec
if($result -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.10"
Task = "Ensure separate partition exists for /var"
Test = {
$result = findmnt /var
if($result -match "/var"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.11"
Task = "Ensure separate partition exists for /var/tmp"
Test = {
$result = findmnt /var/tmp
if($result -match "/var/tmp"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.12"
Task = "Ensure /var/tmp partition includes the nodev option"
Test = {
$result = findmnt /var/tmp
if($result -match "nodev"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.13"
Task = "Ensure /var/tmp partition includes the nosuid option"
Test = {
$result = findmnt /var/tmp
if($result -match "nosuid"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.14"
Task = "Ensure /var/tmp partition includes the noexec option"
Test = {
$result = findmnt /var/tmp
if($result -match "noexec"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.15"
Task = "Ensure separate partition exists for /var/log"
Test = {
$result = findmnt /var/log
if($result -match "/var/log"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.16"
Task = "Ensure separate partition exists for /var/log/audit"
Test = {
$result = findmnt /var/log/audit
if($result -match "/var/log/audit"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.17"
Task = "Ensure separate partition exists for /home"
Test = {
$result = findmnt /home
if($result -match "/home"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.18"
Task = "Ensure /home partition includes the nodev option"
Test = {
$result = findmnt /home
if($result -match "nodev"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.19"
Task = "Ensure nodev option set on removable media partitions"
Test = {
$parentPath = Split-Path -Parent -Path $PSScriptRoot
$path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-1.1.19-1.1.21.sh"
$result=bash $path
foreach($line in $result){
if(!($line -match "nodev")){
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.20"
Task = "Ensure nosuid option set on removable media partitions"
Test = {
$parentPath = Split-Path -Parent -Path $PSScriptRoot
$path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-1.1.19-1.1.21.sh"
$result=bash $path
foreach($line in $result){
if(!($line -match "nosuid")){
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.21"
Task = "Ensure noexec option set on removable media partitions"
Test = {
$parentPath = Split-Path -Parent -Path $PSScriptRoot
$path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-1.1.19-1.1.21.sh"
$result=bash $path
foreach($line in $result){
if(!($line -match "noexec")){
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.1.22"
Task = "Ensure sticky bit is set on all world-writable directories"
Test = {
try{
$result = bash -c "df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2> /dev/null"
if($result -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command not found!"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "1.1.23"
Task = "Disable Automounting"
Test = {
$result = dpkg -l | grep -o autofs
if($result -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
else{
$result = systemctl is-enabled autofs
if($result -match "No such file or directory"){
return @{
Message = "Compliant"
Status = "True"
}
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.1.24"
Task = "Disable USB Storage"
Test = {
$result1 = modprobe -n -v usb-storage
$result2 = lsmod | grep usb-storage
if($result1 -match "install /bin/true" -and $result2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.2.1"
Task = "Ensure package manager repositories are configured"
Test = {
$result = apt-cache policy
if($result -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.2.2"
Task = "Ensure GPG keys are configured"
Test = {
$result = apt-key list
if($result -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.3.1"
Task = "Ensure AIDE is installed"
Test = {
$result1 = dpkg -l aide | grep '^ii'
$result2 = dpkg -l aide-common | grep '^ii'
if($result1 -eq $null -or $result2 -eq $null){
return @{
Message = "Not-Compliant"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.3.2"
Task = "Ensure filesystem integrity is regularly checked"
Test = {
$result = grep -Ers '^([^#]+\s+)?(\/usr\/s?bin\/|^\s*)aide(\.wrapper)?\s(--check|\$AIDEARGS)\b' /etc/cron.* /etc/crontab /var/spool/cron/
if($result -eq $null){
return @{
Message = "Not-Compliant"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "1.4.1"
Task = "Ensure permissions on bootloader config are not overridden"
Test = {
$output = grep -E '^\s*chmod\s+[0-7][0-7][0-7]\s+\$\{grub_cfg\}\.new' -A 1 -B1 /usr/sbin/grub-mkconfig
if($output -match 'hmod 400 ${grub_cfg}.new || true'){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.4.2"
Task = "Ensure bootloader password is set"
Test = {
$result1 = grep "^set superusers" /boot/grub/grub.cfg
$result2 = grep "^password" /boot/grub/grub.cfg
if($result1 -match "set superusers=" -and $result2 -match "password_pbkdf2"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.4.3"
Task = "Ensure permissions on bootloader config are configured"
Test = {
$result = stat /boot/grub/grub.cfg | grep "Uid: ( 0/ root) Gid: ( 0/ root)"
$result = $result | cut -d '(' -f 2
$result = $result | cut -d '/' -f 1
if($result -eq "0400" -or $result[1] -le 4){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.4.4"
Task = "Ensure authentication required for single user mode"
Test = {
$result = grep -Eq '^root:\$[0-9]' /etc/shadow || echo "root is locked"
if($result -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.5.1"
Task = "Ensure XD/NX support is enabled"
Test = {
$result = bash -c '[[ -n $(grep noexec[0-9]*=off /proc/cmdline) || -z $(grep -E -i " (pae|nx)" /proc/cpuinfo) || -n $(grep "\\sNX\\s.*\\sprotection:\\s" /var/log/dmesg | grep -v active) ]] && echo "NX Protection is not active"'
if($result -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.5.2"
Task = "Ensure address space layout randomization (ASLR) is enabled"
Test = {
$result1 = sysctl kernel.randomize_va_space
$result2 = grep -Es "^\s*kernel\.randomize_va_space\s*=\s*([0-1]|[3-9]|[1-9][0-9]+)" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /run/sysctl.d/*.conf
if($result1 -match "kernel.randomize_va_space = 2" -and $result2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.5.3"
Task = "Ensure prelink is not installed"
Test = {
$result = dpkg -l | grep -o prelink
if($result -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.5.4"
Task = "Ensure core dumps are restricted"
Test = {
try{
$result1 = grep -Es '^(\*|\s).*hard.*core.*(\s+#.*)?$' /etc/security/limits.conf /etc/security/limits.d/*
$result2 = sysctl fs.suid_dumpable
$result3 = grep "fs.suid_dumpable" /etc/sysctl.conf /etc/sysctl.d/*
try{
$result4 = systemctl is-enabled coredump.service
$message = "Compliant"
if($result4 -match "enabled" -or $result4 -match "masked" -or $result4 -match "disabled"){
$message = "systemd-coredump is installed"
}
}
catch{
$message = "systemd-coredump not installed"
}
if($result1 -match ".*\s*hard\s*core\s*0{1}?\s*" -and $result2 -match "fs.suid_dumpable = 0" -and $result3 -match "fs.suid_dumpable = 0"){
return @{
Message = $message
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command not found!"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "1.6.1.1"
Task = "Ensure AppArmor is installed"
Test = {
$result = dpkg -s apparmor | grep -E '(Status:|not installed)'
if($result -match "Status: install ok installed"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.6.1.2"
Task = "Ensure AppArmor is enabled in the bootloader configuration"
Test = {
$result1 = grep "^\s*linux" /boot/grub/grub.cfg | grep -v "apparmor=1"
$result2 = grep "^\s*linux" /boot/grub/grub.cfg | grep -v "security=apparmor"
if($result1 -eq $null -and $result2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.6.1.3"
Task = "Ensure all AppArmor Profiles are in enforce or complain mode"
Test = {
$profileMode1 = apparmor_status | grep profiles | sed '1!d' | cut -d ' ' -f 1
$profileMode2 = apparmor_status | grep profiles | sed '2!d' | cut -d ' ' -f 1
$profileMode3 = apparmor_status | grep profiles | sed '3!d' | cut -d ' ' -f 1
$result = expr $profileMode3 + $profileMode2
$unconfinedProcesses = apparmor_status | grep processes | sed '4!d' | cut -d ' ' -f 1
if($result -eq $profileMode1 -and $unconfinedProcesses -eq 0){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.6.1.4"
Task = "Ensure all AppArmor Profiles are enforcing"
Test = {
$profileMode1 = apparmor_status | grep profiles | sed '1!d' | cut -d ' ' -f 1
$profileMode2 = apparmor_status | grep profiles | sed '2!d' | cut -d ' ' -f 1
$unconfinedProcesses = apparmor_status | grep processes | sed '4!d' | cut -d ' ' -f 1
if($profileMode1 -eq $profileMode2 -and $unconfinedProcesses -eq 0){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.7.1"
Task = "Ensure message of the day is configured properly"
Test = {
$output = grep -Eis "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/motd
if($output -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.7.2"
Task = "Ensure local login warning banner is configured properly"
Test = {
$output1 = cat /etc/issue
$output2 = grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue
if($output1 -ne $null -and $output2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.7.3"
Task = "Ensure remote login warning banner is configured properly"
Test = {
$output1 = cat /etc/issue.net
$output2 = grep -E -i "(\\\v|\\\r|\\\m|\\\s|$(grep '^ID=' /etc/os-release | cut -d= -f2 | sed -e 's/"//g'))" /etc/issue.net
if($output1 -ne $null -and $output2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.7.4"
Task = "Ensure permissions on /etc/motd are configured"
Test = {
$output = stat -L /etc/motd | grep "Access:\s*(0644/-rw-r--r--)\s*Uid:\s*(\s*0/\s*root)\s*Gid:\s*(\s*0/\s*root)"
if($output -eq $null -or $output -match "Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.7.5"
Task = "Ensure permissions on /etc/issue are configured"
Test = {
$output = stat -L /etc/issue | grep "Access:\s*(0644/-rw-r--r--)\s*Uid:\s*(\s*0/\s*root)\s*Gid:\s*(\s*0/\s*root)"
if($output -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.7.6"
Task = "Ensure permissions on /etc/issue.net are configured"
Test = {
$output = stat -L /etc/issue.net | grep "Access:\s*(0644/-rw-r--r--)\s*Uid:\s*(\s*0/\s*root)\s*Gid:\s*(\s*0/\s*root)"
if($output -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.8.1"
Task = "Ensure GNOME Display Manager is removed"
Test = {
$test1 = dpkg -l | grep -o gdm3
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.8.2"
Task = "Ensure GNOME Display Manager is removed"
Test = {
if(Test-Path "/etc/gdm3/greeter.dconf-defaults"){
$content = cat /etc/gdm3/greeter.dconf-defaults
$line1 = $content | grep "banner-message-enable=true"
$line2 = $content | grep "banner-message-text="
if($line1 -ne $null -and $line1[0] -ne '#' -and $line2 -ne $null -and $line2[0] -ne '#'){
return @{
Message = "Compliant"
Status = "True"
}
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.8.3"
Task = "Ensure disable-user-list is enabled"
Test = {
if(Test-Path "/etc/gdm3/greeter.dconf-defaults"){
$content = cat /etc/gdm3/greeter.dconf-defaults
$line = $content | grep "disable-user-list=true"
if($line -ne $null -and $line[0] -ne '#'){
return @{
Message = "Compliant"
Status = "True"
}
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.8.4"
Task = "Ensure XDCMP is not enabled"
Test = {
$output = grep -Eis '^\s*Enable\s*=\s*true' /etc/gdm3/custom.conf
if($output -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "1.9"
Task = "Ensure updates, patches, and additional security software are installed"
Test = {
$output = apt -s upgrade
$output = $?
if($output -match "True"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "2.1.1.1"
Task = "Ensure time synchronization is in use"
Test = {
$test1 = systemctl is-enabled systemd-timesyncd
$test2 = dpkg -s ntp
$test3 = dpkg -s chrony
if($test1 -match "enabled" -or $test2 -match "Status: install ok installed" -or $test3 -match "Status: install ok installed"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
$ntp = dpkg -s ntp
$ntp = $?
$chrony = dpkg -s chrony
$chrony = $?
$timesyncd = systemctl is-enabled systemd-timesyncd
if($ntp -match "False" -and $chrony -match "False"){
[AuditTest] @{
Id = "2.1.1.2"
Task = "Ensure systemd-timesyncd is configured"
Test = {
$test1 = systemctl is-enabled systemd-timesyncd.service
$time = timedatectl status
if($test1 -match "enabled" -and $time -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
}
elseif($ntp -match "False" -and $timesyncd -notmatch "enabled"){
[AuditTest] @{
Id = "2.1.1.3"
Task = "Ensure chrony is configured"
Test = {
$test1 = dpkg -s ntp | grep -E '(Status:|not installed)'
$test2 = systemctl is-enabled systemd-timesyncd
$test3 = grep -E "^(server|pool)" /etc/chrony/chrony.conf
$test4 = ps -ef | grep chronyd | grep "_chrony"
if($test1 -match "package 'ntp' is not installed" -and $test2 -match "masked" -and $test3 -ne $null -and $test4 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
}
elseif($chrony -match "False" -and $timesyncd -notmatch "enabled"){
[AuditTest] @{
Id = "2.1.1.4"
Task = "Ensure ntp is configured"
Test = {
$test1 = grep "^restrict" /etc/ntp.conf
$test2 = grep -E "^(server|pool)" /etc/ntp.conf
$test3 = grep "RUNASUSER=ntp" /etc/init.d/ntp
if($test1 -match "restrict -4 default kod notrap nomodify nopeer noquery limited" -and $test1 -match "restrict -6 default kod notrap nomodify nopeer noquery limited" -and $test2 -ne $null -and $test3 -match "RUNASUSER=ntp"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "2.1.2"
Task = "Ensure X Window System is not installed"
Test = {
$test1 = dpkg -l | grep -o xserver-xorg*
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "2.1.3"
Task = "Ensure Avahi Server is not installed"
Test = {
$status = dpkg -l | grep -o avahi-daemon
if($status -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "2.1.4"
Task = "Ensure CUPS is not installed"
Test = {
$test1 = dpkg -s cups
$test1 = $?
if($test1 -match "False"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "2.1.5"
Task = "Ensure DHCP Server is not installed"
Test = {
$test1 = dpkg -l | grep -o isc-dhcp-server
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "2.1.6"
Task = "Ensure LDAP server is not installed"
Test = {
$test1 = dpkg -l | grep -o slapd
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "2.1.7"
Task = "Ensure NFS is not installed"
Test = {
$test1 = dpkg -l | grep -o nfs-kernel-server
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "2.1.8"
Task = "Ensure DNS Server is not installed"
Test = {
$test1 = dpkg -l | grep -o bind9
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "2.1.9"
Task = "Ensure FTP Server is not installed"
Test = {
$test1 = dpkg -l | grep -o vsftpd
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "2.1.10"
Task = "Ensure HTTP server is not installed"
Test = {
$test1 = dpkg -l | grep -o apache2
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "2.1.11"
Task = "Ensure IMAP and POP3 server are not installed"
Test = {
$test1 = dpkg -l | grep -o dovecot-imapd
$test2 = dpkg -l | grep -o dovecot-pop3d
if($test1 -eq $null -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "2.1.12"
Task = "Ensure Samba is not installed"
Test = {
dpkg -s samba | grep -E '(Status:|not installed)'
$test1 = $?
if($test1 -match "False"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "2.1.13"
Task = "Ensure HTTP Proxy Server is not installed"
Test = {
$test1 = dpkg -l | grep -o squid
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "2.1.14"
Task = "Ensure SNMP Server is not installed"
Test = {
$test1 = dpkg -l | grep -o snmpd
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "2.1.15"
Task = "Ensure mail transfer agent is configured for local-only mode"
Test = {
$test1 = ss -lntu | grep -E ':25\s' | grep -E -v '\s(127.0.0.1|::1):25\s'
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "2.1.16"
Task = "Ensure rsync service is not installed"
Test = {
dpkg -s rsync | grep -E '(Status:|not installed)'
$test1 = $?
if($test1 -match "False"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "2.1.17"
Task = "Ensure NIS Server is not installed"
Test = {
$test1 = dpkg -s nis
$test1 = $?
if($test1 -match "False"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "2.2.1"
Task = "Ensure NIS Client is not installed"
Test = {
$test1 = dpkg -s nis
$test1 = $?
if($test1 -match "False"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "2.2.2"
Task = "Ensure rsh client is not installed"
Test = {
$test1 = dpkg -s rsh-client
$test1 = $?
if($test1 -match "False"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "2.2.3"
Task = "Ensure talk client is not installed"
Test = {
$test1 = dpkg -s talk
$test1 = $?
if($test1 -match "False"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "2.2.4"
Task = "Ensure telnet client is not installed"
Test = {
$test1 = dpkg -l | grep -o telnet
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "2.2.5"
Task = "Ensure LDAP client is not installed"
Test = {
$test1 = dpkg -l | grep -o ldap-utils
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "2.2.6"
Task = "Ensure RPC is not installed"
Test = {
$test1 = dpkg -l | grep -o rpcbind
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "2.3"
Task = "Ensure nonessential services are removed or masked"
Test = {
$test1 = lsof -i -P -n | grep -v "(ESTABLISHED)"
if($test1 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.1.1"
Task = "Disable IPv6"
Test = {
if($isIPv6Disabled -eq $true){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.1.2"
Task = "Ensure wireless interfaces are disabled"
Test = {
$parentPath = Split-Path -Parent -Path $PSScriptRoot
$path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-3.1.2.sh"
$result=bash $path
if($result -match "Wireless is not enabled"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Wireless interfaces are active"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.2.1"
Task = "Ensure packet redirect sending is disabled"
Test = {
$test1 = sysctl net.ipv4.conf.all.send_redirects
$test2 = sysctl net.ipv4.conf.default.send_redirects
$test3 = grep -E "^\s*net\.ipv4\.conf\.all\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/*
$test4 = grep -E "^\s*net\.ipv4\.conf\.default\.send_redirects" /etc/sysctl.conf /etc/sysctl.d/*
if($test1 -match "net.ipv4.conf.all.send_redirects = 0" -and $test2 -match "net.ipv4.conf.default.send_redirects = 0" -and $test3 -match "net.ipv4.conf.all.send_redirects = 0" -and $test4 -match "net.ipv4.conf.default.send_redirects = 0"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.2.2"
Task = "Ensure IP forwarding is disabled"
Test = {
$test1 = sysctl net.ipv4.ip_forward
$test2 = grep -E -s "^\s*net\.ipv4\.ip_forward\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf
if($test1 -match "net.ipv4.ip_forward = 0" -and $test2 -eq $null){
if($isIPv6Disabled -ne $true){
$test1 = sysctl net.ipv6.conf.all.forwarding
$test2 = grep -E -s "^\s*net\.ipv6\.conf\.all\.forwarding\s*=\s*1" /etc/sysctl.conf /etc/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /run/sysctl.d/*.conf
if($test1 -match "net.ipv6.conf.all.forwarding = 0" -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
}
else{
return @{
Message = "Compliant"
Status = "True"
}
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.3.1"
Task = "Ensure source routed packets are not accepted"
Test = {
$test1 = sysctl net.ipv4.conf.all.accept_source_route
$test2 = sysctl net.ipv4.conf.default.accept_source_route
$test3 = grep "net\.ipv4\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/*
$test4 = grep "net\.ipv4\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/*
if($test1 -match "net.ipv4.conf.all.accept_source_route = 0" -and $test2 -match "net.ipv4.conf.default.accept_source_route = 0" -and $test3 -match "net.ipv4.conf.all.accept_source_route = 0" -and $test4 -match "net.ipv4.conf.default.accept_source_route = 0"){
if($isIPv6Disabled -eq $false){
$test1 = sysctl net.ipv6.conf.all.accept_source_route
$test2 = sysctl net.ipv6.conf.default.accept_source_route
$test3 = grep "net\.ipv6\.conf\.all\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/*
$test4 = grep "net\.ipv6\.conf\.default\.accept_source_route" /etc/sysctl.conf /etc/sysctl.d/*
if($test1 -match "net.ipv6.conf.all.accept_source_route = 0" -and $test2 -match "net.ipv6.conf.default.accept_source_route = 0" -and $test3 -match "net.ipv4.conf.all.accept_source_route = 0" -and $test4 -match "net.ipv6.conf.default.accept_source_route = 0"){
return @{
Message = "Compliant"
Status = "True"
}
}
}
else{
return @{
Message = "Compliant"
Status = "True"
}
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.3.2"
Task = "Ensure ICMP redirects are not accepted"
Test = {
$test1 = sysctl net.ipv4.conf.all.accept_redirects
$test2 = sysctl net.ipv4.conf.default.accept_redirects
$test3 = grep "net\.ipv4\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/*
$test4 = grep "net\.ipv4\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/*
if($test1 -match "net.ipv4.conf.all.accept_redirects = 0" -and $test2 -match "net.ipv4.conf.default.accept_redirects = 0" -and $test3 -match "net.ipv4.conf.all.accept_redirects = 0" -and $test4 -match "net.ipv4.conf.default.accept_redirects = 0"){
if($isIPv6Disabled -eq $false){
$test1 = sysctl net.ipv6.conf.all.accept_redirects
$test2 = sysctl net.ipv6.conf.default.accept_redirects
$test3 = grep "net\.ipv6\.conf\.all\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/*
$test4 = grep "net\.ipv6\.conf\.default\.accept_redirects" /etc/sysctl.conf /etc/sysctl.d/*
if($test1 -match "net.ipv6.conf.all.accept_redirects = 0" -and $test2 -match "net.ipv6.conf.default.accept_redirects = 0" -and $test3 -match "net.ipv6.conf.all.accept_redirects = 0" -and $test4 -match "net.ipv6.conf.default.accept_redirects = 0"){
return @{
Message = "Compliant"
Status = "True"
}
}
}
else{
return @{
Message = "Compliant"
Status = "True"
}
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.3.3"
Task = "Ensure secure ICMP redirects are not accepted"
Test = {
$test1 = sysctl net.ipv4.conf.all.secure_redirects
$test2 = sysctl net.ipv4.conf.default.secure_redirects
$test3 = grep "net\.ipv4\.conf\.all\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/*
$test4 = grep "net\.ipv4\.conf\.default\.secure_redirects" /etc/sysctl.conf /etc/sysctl.d/*
if($test1 -match "net.ipv4.conf.all.secure_redirects = 0" -and $test2 -match "net.ipv4.conf.default.secure_redirects = 0" -and $test3 -match "net.ipv4.conf.all.secure_redirects = 0" -and $test4 -match "net.ipv4.conf.default.secure_redirects = 0"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.3.4"
Task = "Ensure suspicious packets are logged"
Test = {
$test1 = sysctl net.ipv4.conf.all.log_martians
$test2 = sysctl net.ipv4.conf.default.log_martians
$test3 = grep "net\.ipv4\.conf\.all\.log_martians" /etc/sysctl.conf /etc/sysctl.d/*
$test4 = grep "net\.ipv4\.conf\.default\.log_martians" /etc/sysctl.conf /etc/sysctl.d/*
if($test1 -match "net.ipv4.conf.all.log_martians = 1" -and $test2 -match "net.ipv4.conf.default.log_martians = 1" -and $test3 -match "net.ipv4.conf.all.log_martians = 1" -and $test4 -match "net.ipv4.conf.default.log_martians = 1"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.3.5"
Task = "Ensure broadcast ICMP requests are ignored"
Test = {
$test1 = sysctl net.ipv4.icmp_echo_ignore_broadcasts
$test2 = grep "net\.ipv4\.icmp_echo_ignore_broadcasts" /etc/sysctl.conf /etc/sysctl.d/*
if($test1 -match "net.ipv4.icmp_echo_ignore_broadcasts = 1" -and $test2 -match "net.ipv4.icmp_echo_ignore_broadcasts = 1"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.3.6"
Task = "Ensure bogus ICMP responses are ignored"
Test = {
$test1 = sysctl net.ipv4.icmp_ignore_bogus_error_responses
$test2 = grep "net.ipv4.icmp_ignore_bogus_error_responses" /etc/sysctl.conf /etc/sysctl.d/*
if($test1 -match "net.ipv4.icmp_ignore_bogus_error_responses = 1" -and $test2 -match "net.ipv4.icmp_ignore_bogus_error_responses = 1"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.3.7"
Task = "Ensure Reverse Path Filtering is enabled"
Test = {
$test1 = sysctl net.ipv4.conf.all.rp_filter
$test2 = sysctl net.ipv4.conf.default.rp_filter
$test3 = grep "net\.ipv4\.conf\.all\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/*
$test4 = grep "net\.ipv4\.conf\.default\.rp_filter" /etc/sysctl.conf /etc/sysctl.d/*
if($test1 -match "net.ipv4.conf.all.rp_filter = 1" -and $test2 -match "net.ipv4.conf.default.rp_filter = 1" -and $test3 -match "net.ipv4.conf.all.rp_filter=1" -and $test4 -match "net.ipv4.conf.default.rp_filter=1"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.3.8"
Task = "Ensure TCP SYN Cookies is enabled"
Test = {
$test1 = sysctl net.ipv4.tcp_syncookies
$test2 = grep "net\.ipv4\.tcp_syncookies" /etc/sysctl.conf /etc/sysctl.d/*
if($test1 -match "net.ipv4.tcp_syncookies = 1" -and $test2 -match "net.ipv4.tcp_syncookies = 1"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.3.9"
Task = "Ensure IPv6 router advertisements are not accepted"
Test = {
$test1 = sysctl net.ipv6.conf.all.accept_ra
$test2 = sysctl net.ipv6.conf.default.accept_ra
$test3 = grep "net\.ipv6\.conf\.all\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/*
$test4 = grep "net\.ipv6\.conf\.default\.accept_ra" /etc/sysctl.conf /etc/sysctl.d/*
if($test1 -match "net.ipv6.conf.all.accept_ra = 0" -and $test2 -match "net.ipv6.conf.default.accept_ra = 0" -and $test3 -match "net.ipv6.conf.all.accept_ra = 0" -and $test4 -match "net.ipv6.conf.default.accept_ra = 0"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.4.1"
Task = "Ensure DCCP is disabled"
Test = {
$test1 = modprobe -n -v dccp
$test2 = lsmod | grep dccp
if($test1 -match "install /bin/true" -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.4.2"
Task = "Ensure SCTP is disabled"
Test = {
$test1 = modprobe -n -v sctp | grep -E '(sctp|install)'
$test2 = lsmod | grep sctp
if($test1 -match "install /bin/true" -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.4.3"
Task = "Ensure RDS is disabled"
Test = {
$test1 = modprobe -n -v rds
$test2 = lsmod | grep rds
if($test1 -match "install /bin/true" -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.4.4"
Task = "Ensure TIPC is disabled"
Test = {
$test1 = modprobe -n -v tipc | grep -E '(tipc|install)'
$test2 = lsmod | grep tipc
if($test1 -match "install /bin/true" -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.5.1.1"
Task = "Ensure ufw is installed"
Test = {
$test1 = dpkg -s ufw | grep 'Status: install'
if($test1 -match "Status: install ok installed"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.5.1.2"
Task = "Ensure iptables-persistent is not installed with ufw"
Test = {
$test1 = dpkg -l | grep -o iptables-persistent
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.5.1.3"
Task = "Ensure ufw service is enabled"
Test = {
$test1 = systemctl is-enabled ufw
$test1 = $?
$test2 = ufw status | grep Status
if($test1 -match "True" -and $test2 -match "Status: active"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.5.1.4"
Task = "Ensure ufw loopback traffic is configured"
Test = {
$test1 = ufw status verbose
$result1 = $test1 -match "^Anywhere on lo\s+ALLOW IN\s+Anywhere$"
$result2 = $test1 -match "^Anywhere\s+DENY IN\s+127.0.0.0/8$"
$result3 = $test1 -match "^Anywhere (v6) on lo\s+ALLOW IN\s+Anywhere (v6)$"
$result4 = $test1 -match "^Anywhere (v6)\s+DENY IN\s+::1$"
$result5 = $test1 -match "^Anywhere\s+ALLOW OUT\s+Anywhere on lo$"
$result6 = $test1 -match "^Anywhere (v6)\s+ALLOW OUT\s+Anywhere (v6) on lo$"
if($result1 -ne $null -and $result2 -ne $null -and $result3 -ne $null -and $result4 -ne $null -and $result5 -ne $null -and $result6 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.5.1.5"
Task = "Ensure ufw outbound connections are configured"
Test = {
$test1 = ufw status numbered
if($test1 -notmatch "Status: inactive"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.5.1.7"
Task = "Ensure ufw default deny firewall policy"
Test = {
$test1 = ufw status verbose
if($test1 -match "deny" -or $test1 -match "reject"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.5.2.1"
Task = "Ensure nftables is installed"
Test = {
$test1 = dpkg -l | grep -o nftables
if($test1 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.5.2.2"
Task = "Ensure ufw is uninstalled or disabled with nftables"
Test = {
$test1 = dpkg-query -s ufw
$test1 = $?
$test2 = dpkg-query -s nftables
$test2 = $?
if($test1 -match "True" -and $test2 -match "True"){
return @{
Message = "Not-Compliant"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "3.5.2.3"
Task = "Ensure iptables are flushed with nftables"
Test = {
$test1 = iptables -L
$test2 = ip6tables -L
if($test1 -notmatch "target" -and $test2 -notmatch "target"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.5.2.4"
Task = "Ensure a nftables table exists"
Test = {
try{
$test1 = nft list tables
if($test1 -match "table"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command not found!"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "3.5.2.5"
Task = "Ensure nftables base chains exist"
Test = {
try{
$test1 = nft list ruleset | grep 'hook input'
$test2 = nft list ruleset | grep 'hook forward'
$test3 = nft list ruleset | grep 'hook output'
if($test1 -match "type filter hook input" -and $test2 -match "type filter hook forward" -and $test3 -match "type filter hook output"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command not found!"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "3.5.2.6"
Task = "Ensure nftables loopback traffic is configured"
Test = {
try{
if($isIPv6Disabled -ne $true){
$test1 = nft list ruleset | awk '/hook input/,/}/' | grep 'iif "lo" accept'
$test2 = nft list ruleset | awk '/hook input/,/}/' | grep 'ip saddr'
if($test1 -match 'iif "lo" accept' -and $test2 -match "ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop"){
return @{
Message = "Compliant"
Status = "True"
}
}
}
else{
$test = nft list ruleset | awk '/hook input/,/}/' | grep 'ip6 saddr'
if($test -match 'ip6 saddr ::1 counter packets 0 bytes 0 drop'){
return @{
Message = "Compliant"
Status = "True"
}
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command not found!"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "3.5.2.7"
Task = "Ensure nftables outbound and established connections are configured"
Test = {
try{
$test1 = nft list ruleset | awk '/hook input/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
$test2 = nft list ruleset | awk '/hook output/,/}/' | grep -E 'ip protocol (tcp|udp|icmp) ct state'
if($test1 -match "ip protocol tcp ct state established accept" -and $test1 -match "p protocol udp ct state established accept" -and $test1 -match "ip protocol icmp ct state established accept" -and $test2 -match "ip protocol tcp ct state established,related,new accep" -and $test2 -match "ip protocol udp ct state established,related,new accept" -and $test2 -match "ip protocol icmp ct state established,related,new accept"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command not found!"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "3.5.2.8"
Task = "Ensure nftables default deny firewall policy"
Test = {
try{
$test1 = nft list ruleset | grep 'hook input'
$test2 = nft list ruleset | grep 'hook forward'
$test3 = nft list ruleset | grep 'hook output'
if($test1 -match "policy drop" -and $test2 -match "policy drop" -and $test3 -match "policy drop"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command not found!"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "3.5.2.9"
Task = "Ensure nftables service is enabled"
Test = {
$test1 = systemctl is-enabled nftables
if($test1 -match "enabled"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.5.3.1.1"
Task = "Ensure iptables packages are installed"
Test = {
$test1 = apt list iptables iptables-persistent
$test1 = $?
if($test1 -match "True"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.5.3.1.2"
Task = "Ensure nftables is not installed with iptables"
Test = {
$test1 = dpkg -s nftables
if($test1 -match "package 'nftables' is not installed"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.5.3.1.3"
Task = "Ensure ufw is uninstalled or disabled with iptables"
Test = {
$test1 = dpkg -l | grep -o ufw
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.5.3.2.1"
Task = "Ensure iptables loopback traffic is configured"
Test = {
$test1 = iptables -L INPUT -v -n | grep "Chain\s*INPUT\s*(policy\s*DROP"
$test2 = iptables -L OUTPUT -v -n | grep "Chain\s*OUTPUT\s*(policy\s*DROP"
if($test1 -ne $null -and $test2 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.5.3.2.2"
Task = "Ensure iptables outbound and established connections are configured"
Test = {
$test1 = iptables -L -v -n
if($test1 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.5.3.2.3"
Task = "Ensure iptables default deny firewall policy"
Test = {
$output = iptables -L
$test1 = $output -match "DROP" | grep "Chain INPUT (policy DROP)"
$res1 = $?
$test2 = $output -match "DROP" | grep "Chain FORWARD (policy DROP)"
$res2 = $?
$test3 = $output -match "DROP" | grep "Chain OUTPUT (policy DROP)"
$res3 = $?
if($res1 -match "True" -and $res2 -match "True" -and $res3 -match "True"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "3.5.3.3.3"
Task = "Ensure ip6tables default deny firewall policy"
Test = {
$output = ip6tables -L
$test1 = $output -match "DROP" | grep "Chain INPUT (policy DROP)"
$res1 = $?
$test2 = $output -match "DROP" | grep "Chain FORWARD (policy DROP)"
$res2 = $?
$test3 = $output -match "DROP" | grep "Chain OUTPUT (policy DROP)"
$res3 = $?
if($isIPv6Disabled -eq $true){
return @{
Message = "Compliant"
Status = "True"
}
}
if($res1 -match "True" -and $res2 -match "True" -and $res3 -match "True"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "4.1.1.1"
Task = "Ensure auditd is installed"
Test = {
$test1 = dpkg -l | grep -o auditd
$test2 = dpkg -l | grep -o audispd-plugins
if($test1 -ne $null -and $test2 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "4.1.1.2"
Task = "Ensure auditd service is enabled"
Test = {
$test1 = systemctl is-enabled auditd
if($test1 -match "enabled"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "4.1.1.3"
Task = "Ensure auditing for processes that start prior to auditd is enabled"
Test = {
$test1 = grep "^\s*linux" /boot/grub/grub.cfg | grep -v "audit=1"
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "4.1.1.4"
Task = "Ensure audit_backlog_limit is sufficient"
Test = {
$test1 = grep "^\s*linux" /boot/grub/grub.cfg | grep -v "audit_backlog_limit="
$test2 = grep "^\s*linux" /boot/grub/grub.cfg | grep "audit_backlog_limit=" | sed 's/^.*\(audit_backlog_limit=[\/a-z]*\).*$/\1/' | cut -f2 -d'='
$test2 = [int] $test2
if($test1 -eq $null -and $test2 -ge 8192){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "4.1.2.1"
Task = "Ensure audit log storage size is configured"
Test = {
$test1 = grep max_log_file /etc/audit/auditd.conf
if($test1 -match "max_log_file"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "4.1.2.2"
Task = "Ensure audit logs are not automatically deleted"
Test = {
$test1 = grep max_log_file_action /etc/audit/auditd.conf
if($test1 -match "max_log_file_action = keep_logs"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "4.1.2.3"
Task = "Ensure system is disabled when audit logs are full"
Test = {
$test1 = grep space_left_action /etc/audit/auditd.conf
$test2 = grep action_mail_acct /etc/audit/auditd.conf
$test3 = grep admin_space_left_action /etc/audit/auditd.conf
if($test1 -match "space_left_action = email" -and $test2 -match "action_mail_acct = root" -and $test3 -match "admin_space_left_action = halt"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "4.1.3"
Task = "Ensure events that modify date and time information are collected"
Test = {
try{
$bitVersion = uname -a
#if 32 bit
if($bitVersion -match "i386"){
$output = grep time-change /etc/audit/rules.d/*.rules
$test1 = $output -match "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change"
$test2 = $output -match "-a always,exit -F arch=b32 -S clock_settime -k time-change"
$test3 = $output -match "-w /etc/localtime -p wa -k time-change"
$output2 = auditctl -l | grep time-change
$test4 = $output2 -match "-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=time-change"
$test5 = $output2 -match "-a always,exit -F arch=b32 -S clock_settime -F key=time-change"
$test6 = $output2 -match "-w /etc/localtime -p wa -k time-change"
if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null -and $test5 -ne $null -and $test6 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
}
#64 bit
elseif($bitVersion -match "x86_64"){
$output = grep time-change /etc/audit/rules.d/*.rules
$test1 = $output -match "-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change"
$test2 = $output -match "-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change"
$test3 = $output -match "-a always,exit -F arch=b64 -S clock_settime -k time-change"
$test4 = $output -match "-a always,exit -F arch=b32 -S clock_settime -k time-change"
$test5 = $output -match "-w /etc/localtime -p wa -k time-change"
$output2 = auditctl -l | grep time-change
$test6 = $output2 -match "-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change"
$test7 = $output2 -match "-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=time-change"
$test8 = $output2 -match "-a always,exit -F arch=b64 -S clock_settime -F key=time-change"
$test9 = $output2 -match "-a always,exit -F arch=b32 -S clock_settime -F key=time-change"
$test10 = $output2 -match "-w /etc/localtime -p wa -k time-change"
if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null -and $test5 -ne $null -and $test6 -ne $null -and $test7 -ne $null -and $test8 -ne $null -and $test9 -ne $null -and $test10 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command not found!"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "4.1.4"
Task = "Ensure events that modify user/group information are collected"
Test = {
try{
$output = grep identity /etc/audit/rules.d/*.rules
$test1 = $output -match "-w /etc/group -p wa -k identity"
$test2 = $output -match "-w /etc/passwd -p wa -k identity"
$test3 = $output -match "-w /etc/gshadow -p wa -k identity"
$test4 = $output -match "-w /etc/shadow -p wa -k identity"
$test5 = $output -match "-w /etc/security/opasswd -p wa -k identity"
$output2 = auditctl -l | grep identity
$test6 = $output2 -match "-w /etc/group -p wa -k identity"
$test7 = $output2 -match "-w /etc/passwd -p wa -k identity"
$test8 = $output2 -match "-w /etc/gshadow -p wa -k identity"
$test9 = $output2 -match "-w /etc/shadow -p wa -k identity"
$test10 = $output2 -match "-w /etc/security/opasswd -p wa -k identity"
if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null -and $test5 -ne $null -and $test6 -ne $null -and $test7 -ne $null -and $test8 -ne $null -and $test9 -ne $null -and $test10 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command not found!"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "4.1.5"
Task = "Ensure events that modify the system's network environment are collected"
Test = {
try{
$bitVersion = uname -a
#if 32 bit
if($bitVersion -match "i386"){
$output = grep system-locale /etc/audit/rules.d/*.rules
$test1 = $output -match "-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale"
$test2 = $output -match "-w /etc/issue -p wa -k system-locale"
$test3 = $output -match "-w /etc/issue.net -p wa -k system-locale"
$test4 = $output -match "-w /etc/hosts -p wa -k system-locale"
$test5 = $output -match "-w /etc/network -p wa -k system-locale"
$output2 = auditctl -l | grep system-locale
$test6 = $output2 -match "-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale"
$test7 = $output2 -match "-w /etc/issue -p wa -k system-locale"
$test8 = $output2 -match "-w /etc/issue.net -p wa -k system-locale"
$test9 = $output2 -match "-w /etc/hosts -p wa -k system-locale"
$test10 = $output2 -match "-w /etc/network -p wa -k system-locale"
if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null -and $test5 -ne $null -and $test6 -ne $null -and $test7 -ne $null -and $test8 -ne $null -and $test9 -ne $null -and $test10 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
}
#64 bit
elseif($bitVersion -match "x86_64"){
$output = grep system-locale /etc/audit/rules.d/*.rules
$test1 = $output -match "-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale"
$test1_2 = $output -match "-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale"
$test2 = $output -match "-w /etc/issue -p wa -k system-locale"
$test3 = $output -match "-w /etc/issue.net -p wa -k system-locale"
$test4 = $output -match "-w /etc/hosts -p wa -k system-locale"
$test5 = $output -match "-w /etc/network -p wa -k system-locale"
$output2 = auditctl -l | grep system-locale
$test6 = $output2 -match "-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale"
$test6_2 = $output2 -match "-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale"
$test7 = $output2 -match "-w /etc/issue -p wa -k system-locale"
$test8 = $output2 -match "-w /etc/issue.net -p wa -k system-locale"
$test9 = $output2 -match "-w /etc/hosts -p wa -k system-locale"
$test10 = $output2 -match "-w /etc/network -p wa -k system-locale"
if($test1 -ne $null -and $test1_2 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null -and $test5 -ne $null -and $test6 -ne $null -and $test6_2 -ne $null -and $test7 -ne $null -and $test8 -ne $null -and $test9 -ne $null -and $test10 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command not found!"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "4.1.6"
Task = "Ensure events that modify the system's Mandatory Access Controls are collected"
Test = {
try{
$output = grep MAC-policy /etc/audit/rules.d/*.rules
$test1 = $output -match "-w /etc/apparmor/ -p wa -k MAC-policy"
$test2 = $output -match "-w /etc/apparmor.d/ -p wa -k MAC-policy"
$output2 = auditctl -l | grep MAC-policy
$test3 = $output2 -match "-w /etc/apparmor -p wa -k MAC-policy"
$test4 = $output2 -match "-w /etc/apparmor.d -p wa -k MAC-policy"
if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command not found!"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "4.1.7"
Task = "Ensure login and logout events are collected"
Test = {
try{
$output = grep logins /etc/audit/rules.d/*.rules
$test1 = $output -match "-w /var/log/faillog -p wa -k logins"
$test2 = $output -match "-w /var/log/lastlog -p wa -k logins"
$test3 = $output -match "-w /var/log/tallylog -p wa -k logins"
$output2 = auditctl -l | grep logins
$test4 = $output2 -match "-w /var/log/faillog -p wa -k logins"
$test5 = $output2 -match "-w /var/log/lastlog -p wa -k logins"
$test6 = $output2 -match "-w /var/log/tallylog -p wa -k logins"
if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null -and $test5 -ne $null -and $test6 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command not found!"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "4.1.8"
Task = "Ensure session initiation information is collected"
Test = {
try{
$output = grep -E '(session|logins)' /etc/audit/rules.d/*.rules
$test1 = $output -match "-w /var/run/utmp -p wa -k session"
$test2 = $output -match "-w /var/log/wtmp -p wa -k logins"
$test3 = $output -match "-w /var/log/btmp -p wa -k logins"
$output2 = auditctl -l | grep -E '(session|logins)'
$test4 = $output2 -match "-w /var/run/utmp -p wa -k session"
$test5 = $output2 -match "-w /var/log/wtmp -p wa -k logins"
$test6 = $output2 -match "-w /var/log/btmp -p wa -k logins"
if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null -and $test5 -ne $null -and $test6 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command not found!"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "4.1.9"
Task = "Ensure discretionary access control permission modification events are collected"
Test = {
try{
$bitVersion = uname -a
#if 32 bit
if($bitVersion -match "i386"){
$output = grep perm_mod /etc/audit/rules.d/*.rules
$test1 = $output -match "-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod"
$test2 = $output -match "-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod"
$test3 = $output -match "-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295"
$test4 = $output -match "-k perm_mod"
$output2 = auditctl -l | grep perm_mod
$test5 = $output2 -match "-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1"
$test6 = $output2 -match "-F key=perm_mod"
$test7 = $output2 -match "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod"
$test8 = $output2 -match "-a always,exit -F arch=b32 -S"
$test9 = $output2 -match "setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod"
if($test1 -ne $null -and $test1_2 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null -and $test5 -ne $null -and $test6 -ne $null -and $test6_2 -ne $null -and $test7 -ne $null -and $test8 -ne $null -and $test9 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
}
#64 Bit
elseif($bitVersion -match "x86_64"){
$output = grep perm_mod /etc/audit/rules.d/*.rules
$test1 = $output -match "-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod"
$test2 = $output -match "-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod"
$test3 = $output -match "-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod"
$test4 = $output -match "-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod"
$test5 = $output -match "-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295"
$test6 = $output -match "-k perm_mod"
$test7 = $output -match "-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295"
$test8 = $output -match "-k perm_mod"
$output2 = auditctl -l | grep perm_mod
$test9 = $output2 -match "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod"
$test10 = $output2 -match "-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -F key=perm_mod"
$test11 = $output2 -match "-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod"
$test12 = $output2 -match "-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=-1 -F key=perm_mod"
$test13 = $output2 -match "-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod"
$test14 = $output2 -match "-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=-1 -F key=perm_mod"
if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null -and $test5 -ne $null -and $test6 -ne $null -and $test7 -ne $null -and $test8 -ne $null -and $test9 -ne $null -and $test10 -ne $null -and $test11 -ne $null -and $test12 -ne $null -and $test13 -ne $null -and $test14 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command not found!"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "4.1.10"
Task = "Ensure unsuccessful unauthorized file access attempts are collected"
Test = {
try{
$bitVersion = uname -a
if($bitVersion -match "i386"){
$output = grep access /etc/audit/rules.d/*.rules
$test1 = $output -match "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access"
$test2 = $output -match "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access"
$output2 = auditctl -l | grep access
$test3 = $output2 -match "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access"
$test4 = $output2 -match "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access"
if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
}
elseif($bitVersion -match "x86_64"){
$output = grep access /etc/audit/rules.d/*.rules
$test1 = $output -match "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access"
$test2 = $output -match "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access"
$test3 = $output -match "-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access"
$test4 = $output -match "-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access"
$output2 = auditctl -l | grep access
$test5 = $output2 -match "-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access"
$test6 = $output2 -match "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -F key=access"
$test7 = $output2 -match "-a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access"
$test8 = $output2 -match "-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -F key=access"
if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null -and $test5 -ne $null -and $test6 -ne $null -and $test7 -ne $null -and $test8 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command not found!"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "4.1.11"
Task = "Ensure use of privileged commands is collected"
Test = {
$results = @()
$mountPoints = mount | grep -v "/var/lib/snapd" | grep -v "cgroup on " | grep -v "noexec" | grep -v " fuse" | cut -f 3 -d ' '
foreach($mountPoint in $mountPoints){
$res=bash -c "find $($mountPoint) -xdev \( -perm -4000 -o -perm -2000 \) -type f"
$results += $res | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=1000 -F auid!=4294967295 \ -k privileged" }'
}
$viablePaths = @()
$paths = @()
foreach($element in $results){
$viablePaths += $element | cut -d ' ' -f 4 | cut -d '=' -f 2 | grep "/etc/audit/rules.d/*.rules"
$paths += $element | cut -d ' ' -f 4 | cut -d '=' -f 2 | grep -v "/etc/audit/rules.d/*.rules"
}
$message = ""
foreach($line in $paths){
$message += "<br>$line"
}
if($viablePaths.Count -ne $results.Count){
return @{
Message = "Not all results are in path /etc/audit/rules.d/ and are .rules files. Non compliant files: <br>$($message)"
Status = "False"
}
}
return @{
Message = "Compliant"
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.1.12"
Task = "Ensure successful file system mounts are collected"
Test = {
try{
$bitVersion = uname -a
if($bitVersion -match "i386"){
$output = grep mounts /etc/audit/rules.d/*.rules
$test1 = $output -match "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
$output2 = auditctl -l | grep mounts
$test2 = $output2 -match "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts"
if($test1 -ne $null -and $test2 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
}
elseif($bitVersion -match "x86_64"){
$output = grep mounts /etc/audit/rules.d/*.rules
$test1 = $output -match "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
$test2 = $output -match "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
$output2 = auditctl -l | grep mounts
$test3 = $output2 -match "-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts"
$test4 = $output2 -match "-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=-1 -F key=mounts"
if($test1 -ne $null -and $test2 -ne $null -and $test3 -ne $null -and $test4 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command not found!"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "4.1.13"
Task = "Ensure file deletion events by users are collected"
Test = {
try{
$test1 = grep delete /etc/audit/rules.d/*.rules
$test2 = auditctl -l | grep delete
if($test1 -match "-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete" -and $test2 -match "-a always,exit -F arch=b32 -S unlink,rename,unlinkat,renameat -F auid>=1000 -F auid!=-1 -F key=delete"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command not found!"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "4.1.14"
Task = "Ensure changes to system administration scope (sudoers) is collected"
Test = {
try{
$test1 = grep scope /etc/audit/rules.d/*.rules
$test2 = auditctl -l | grep scope
if($test1 -match "-w /etc/sudoers -p wa -k scope" -and $test1 -match "-w /etc/sudoers.d/ -p wa -k scope" -and $test2 -match "-w /etc/sudoers -p wa -k scope" -and $test2 -match "-w /etc/sudoers.d -p wa -k scope" ){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command not found!"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "4.1.15"
Task = "Ensure system administrator command executions (sudo) are collected"
Test = {
try{
$test1 = grep actions /etc/audit/rules.d/*.rules
$test2 = auditctl -l | grep actions
$res1 = "-a always,exit -F arch=b64 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions"
$res2 = "-a always,exit -F arch=b32 -C euid!=uid -F euid=0 -Fauid>=1000 -F auid!=4294967295 -S execve -k actions"
$res3 = "-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F auid>=1000 -F auid!=-1 -F key=actions"
$res4 = "-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F auid>=1000 -F auid!=-1 -F key=actions"
if($test1 -match $res1 -and $test1 -match $res2 -and $test2 -match $res3 -and $test2 -match $res4){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command not found!"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "4.1.16"
Task = "Ensure kernel module loading and unloading is collected"
Test = {
$test1 = grep modules /etc/audit/rules.d/*.rules
$test2 = auditctl -l | grep modules
$res1 = "-w /sbin/insmod -p x -k modules"
$res2 = "-w /sbin/rmmod -p x -k modules"
$res3 = "-w /sbin/modprobe -p x -k modules"
$res4 = "-a always,exit -F arch=b64 -S init_module -S delete_module -k modules"
$res5 = "-w /sbin/insmod -p x -k modules"
$res6 = "-w /sbin/rmmod -p x -k modules"
$res7 = "-w /sbin/modprobe -p x -k modules"
$res8 = "-a always,exit -F arch=b64 -S init_module,delete_module -F key=modules"
if($test1 -match $res1 -and $test1 -match $res2 -and $test1 -match $res3 -and $test1 -match $res4 -and $test2 -match $res5 -and $test2 -match $res6 -and $test2 -match $res7 -and $test2 -match $res8){
return @{
Message = "Compliant"
Status = "True"
}
}
else{
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "4.1.17"
Task = "Ensure the audit configuration is immutable"
Test = {
$test1 = grep "^\s*[^#]" /etc/audit/rules.d/*.rules | tail -l
if($test1 -match "-e 2"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "4.2.1.1"
Task = "Ensure rsyslog is installed"
Test = {
$test1 = dpkg -s rsyslog
if($test1 -match "Status: install ok installed"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "4.2.1.2"
Task = "Ensure rsyslog Service is enabled"
Test = {
$test1 = systemctl is-enabled rsyslog
if($test1 -match "enabled"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "4.2.1.3"
Task = "Ensure logging is configured"
Test = {
$logginTypes = 0
$fileContent = cat /etc/rsyslog.conf /etc/rsyslog.d/*.conf
if($fileContent -match "^*.emerg\s*:omusrmsg:*") {$logginTypes++}
if($fileContent -match "^auth,authpriv.*\s*/var/log/auth.log") {$logginTypes++}
if($fileContent -match "^mail.*\s*-/var/log/mail") {$logginTypes++}
if($fileContent -match "^mail.info\s*-/var/log/mail.info") {$logginTypes++}
if($fileContent -match "^mail.warning\s*-/var/log/mail.warn") {$logginTypes++}
if($fileContent -match "^mail.err\s*/var/log/mail.err") {$logginTypes++}
if($fileContent -match "^news.crit\s*-/var/log/news/news.crit") {$logginTypes++}
if($fileContent -match "^news.err\s*-/var/log/news/news.err") {$logginTypes++}
if($fileContent -match "^news.notice\s*-/var/log/news/news.notice") {$logginTypes++}
if($fileContent -match "^*.=warning;*.=err\s*-/var/log/warn") {$logginTypes++}
if($fileContent -match "^*.crit\s*/var/log/warn") {$logginTypes++}
if($fileContent -match "^*.*;mail.none;news.none\s*-/var/log/messages") {$logginTypes++}
if($fileContent -match "^local0,local1.*\s*-/var/log/localmessages") {$logginTypes++}
if($fileContent -match "^local2,local3.*\s*-/var/log/localmessages") {$logginTypes++}
if($fileContent -match "^local4,local5.*\s*-/var/log/localmessages") {$logginTypes++}
if($fileContent -match "^local6,local7.*\s*-/var/log/localmessages") {$logginTypes++}
if($logginTypes -le 5){
return @{
Message = "Not enough logging types supported! Currently: " + $logginTypes
Status = "False"
}
}
if($logginTypes -le 12){
return @{
Message = "Currently configured: " + $logginTypes
Status = "Warning"
}
}
return @{
Message = "Compliant. Currently: " + $logginTypes
Status = "True"
}
}
}
[AuditTest] @{
Id = "4.2.1.4"
Task = "Ensure rsyslog default file permissions configured"
Test = {
$test1 = cat /etc/rsyslog.conf /etc/rsyslog.d/*.conf | grep "^\s*\`$FileCreateMode"
if($test1 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
# [AuditTest] @{
# Id = "4.2.1.5"
# Task = "Ensure rsyslog is configured to send logs to a remote log host"
# Test = {
# $test1 = grep -E '^\s*([^#]+\s+)?action\(([^#]+\s+)?\btarget=\"?[^#"]+\"?\b' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
# grep -E '^\s*([^#]+\s+)?action\(([^#]+\s+)?\btarget=\"?[^#"]+\"?\b' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
# if($test1 -match "target"){
# return @{
# Message = "Compliant"
# Status = "True"
# }
# }
# return @{
# Message = "Not-Compliant"
# Status = "False"
# }
# }
# }
[AuditTest] @{
Id = "4.2.2.1"
Task = "Ensure journald is configured to send logs to rsyslog"
Test = {
$test1 = grep -e ForwardToSyslog /etc/systemd/journald.conf
if($test1 -match "ForwardToSyslog=yes"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "4.2.2.2"
Task = "Ensure journald is configured to compress large log files"
Test = {
$test1 = grep -e Compress /etc/systemd/journald.conf
if($test1 -match "Compress=yes"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "4.2.2.3"
Task = "Ensure journald is configured to write logfiles to persistent disk"
Test = {
$test1 = grep -e Storage /etc/systemd/journald.conf
if($test1 -match "Storage=persistent"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "4.2.3"
Task = "Ensure permissions on all logfiles are configured"
Test = {
$fileListAll = find /var/log -type f -ls
$fileListFiltered = find /var/log -type f -ls | grep "\-....\-\-\-\-\-"
if($fileListAll.Count -eq $fileListFiltered.Count){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "$($fileListAll.Count - $fileListFiltered.Count) files grant too many permissions"
Status = "False"
}
}
}
[AuditTest] @{
Id = "4.3"
Task = "Ensure logrotate is configured"
Test = {
return @{
Message = "Review /etc/logrotate.conf and /etc/logrotate.d/rsyslog and verify logs are rotated according to site policy."
Status = "None"
}
}
}
[AuditTest] @{
Id = "4.4"
Task = "Ensure logrotate assigns appropriate permissions"
Test = {
$test1 = grep -Es "^\s*create\s+\S+" /etc/logrotate.conf /etc/logrotate.d/* | grep -E -v "\s(0)?[0-6][04]0\s"
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.1.1"
Task = "Ensure cron daemon is enabled and running"
Test = {
$test1 = systemctl is-enabled cron
$test2 = systemctl status cron | grep 'Active: active (running) '
if($test1 -eq "enabled" -and $test2 -match "running"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.1.2"
Task = "Ensure permissions on /etc/crontab are configured"
Test = {
$test1 = stat /etc/crontab
if($test1 -eq "Access: (0600/-rw-------)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.1.3"
Task = "Ensure permissions on /etc/cron.hourly are configured"
Test = {
$test1 = stat /etc/cron.hourly/
if($test1 -eq "Access: (0700/drwx------)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.1.4"
Task = "Ensure permissions on /etc/cron.daily are configured"
Test = {
$test1 = stat /etc/cron.daily/
if($test1 -eq "Access: (0700/drwx------)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.1.5"
Task = "Ensure permissions on /etc/cron.weekly are configured"
Test = {
$test1 = stat /etc/cron.weekly/
if($test1 -eq "Access: (0700/drwx------)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.1.6"
Task = "Ensure permissions on /etc/cron.monthly are configured"
Test = {
$test1 = stat /etc/cron.monthly/
if($test1 -eq "Access: (0700/drwx------)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.1.7"
Task = "Ensure permissions on /etc/cron.d are configured"
Test = {
$test1 = stat /etc/cron.d/
if($test1 -eq "Access: (0700/drwx------)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.1.8"
Task = "Ensure cron is restricted to authorized users"
Test = {
$test1 = stat /etc/cron.deny
$test1 = $?
$test2 = stat /etc/cron.allow
if($test1 -match "False" -and $test2 -match "Access: (0640/-rw-r-----)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.1.9"
Task = "Ensure at is restricted to authorized users"
Test = {
$test1 = stat /etc/at.deny
$test1 = $?
$test2 = stat /etc/at.allow | grep 0640
if($test1 -match "False" -and $test2 -eq "Access: (0640/-rw-r-----)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.2.1"
Task = "Ensure sudo is installed"
Test = {
$test1 = dpkg -s sudo
if($test1 -match "Status: install ok installed"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.2.2"
Task = "Ensure sudo commands use pty"
Test = {
$test1 = grep -Ei '^\s*Defaults\s+([^#]+,\s*)?use_pty(,\s+\S+\s*)*(\s+#.*)?$' /etc/sudoers /etc/sudoers.d/*
if($test1 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.2.3"
Task = "Ensure sudo log file exists"
Test = {
$test1 = grep -Ei '^\s*Defaults\s+logfile=\S+' /etc/sudoers /etc/sudoers.d/*
if($test1 -ne $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.3.1"
Task = "Ensure permissions on /etc/ssh/sshd_config are configured"
Test = {
try{
try{
$test1 = stat /etc/ssh/sshd_config | grep 0600
}
catch{
return @{
Message = "Path not found!"
Status = "False"
}
}
if($test1 -eq "Access: (0600/-rw-------)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Path not found!"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "5.3.2"
Task = "Ensure permissions on SSH private host key files are configured"
Test = {
$res = bash -c "find /etc/ssh -xdev -type f -name 'ssh_host_*_key' -exec stat {} \;" | grep "Access:\s*(0600/-rw-------)\s*Uid:\s*(\s*0/\s*root)\s*Gid:\s*(\s*0/\s*root)\s*"
if($res.count -eq 3){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.3.3"
Task = "Ensure permissions on SSH public host key files are configured"
Test = {
$res = bash -c "find /etc/ssh -xdev -type f -name 'ssh_host_*_key.pub' -exec stat {} \;" | grep "Access:\s*(0644/-rw-r--r--)\s*Uid:\s*(\s*0/\s*root)\s*Gid:\s*(\s*0/\s*root)\s*"
if($res.count -eq 3){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.3.4"
Task = "Ensure SSH access is limited"
Test = {
try{
$result = bash -c "sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Ei '^\s*(allow|deny)(users|groups)\s+\S+'"
if($result -match "allowusers" -or $result -match "allowgroups" -or $result -match "denyusers" -or $result -match "denygroups"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command doesn't exist"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "5.3.5"
Task = "Ensure SSH LogLevel is appropriate"
Test = {
try{
$test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep loglevel
try{
$test2 = grep -is 'loglevel' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf | grep -Evi '(VERBOSE|INFO)'
}
catch{
return @{
Message = "Path not found!"
Status = "False"
}
}
if(($test1 -match "loglevel VERBOSE" -or $test1 -match "loglevel INFO") -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command doesn't exist"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "5.3.6"
Task = "Ensure SSH X11 forwarding is disabled"
Test = {
try{
$test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i x11forwarding
try{
$test2 = grep -Eis '^\s*x11forwarding\s+yes' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
}
catch{
return @{
Message = "Path not found!"
Status = "False"
}
}
if($test1 -match "x11forwarding no" -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command doesn't exist"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "5.3.7"
Task = "Ensure SSH MaxAuthTries is set to 4 or less"
Test = {
try{
$test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep maxauthtries | cut -d ' ' -f 2
try{
$test2 = grep -Eis '^\s*maxauthtries\s+([5-9]|[1-9][0-9]+)' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
}
catch{
return @{
Message = "Path not found!"
Status = "False"
}
}
if($test1 -le 4 -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command doesn't exist"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "5.3.8"
Task = "Ensure SSH IgnoreRhosts is enabled"
Test = {
try{
$test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep ignorerhosts
try{
$test2 = grep -Eis '^\s*ignorerhosts\s+no\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
}
catch{
return @{
Message = "Path not found!"
Status = "False"
}
}
if($test1 -match "ignorerhosts yes" -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command doesn't exist"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "5.3.10"
Task = "Ensure SSH root login is disabled"
Test = {
try{
$test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep permitrootlogin
try{
$test2 = grep -Eis '^\s*PermitRootLogin\s+yes' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
}
catch{
return @{
Message = "Path not found!"
Status = "False"
}
}
if($test1 -match "permitrootlogin no" -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command doesn't exist"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "5.3.11"
Task = "Ensure SSH PermitEmptyPasswords is disabled"
Test = {
try{
$test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep permitemptypasswords
try{
$test2 = grep -Eis '^\s*PermitEmptyPasswords\s+yes' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
}
catch{
return @{
Message = "Path not found!"
Status = "False"
}
}
if($test1 -match "permitemptypasswords no" -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command doesn't exist"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "5.3.12"
Task = "Ensure SSH PermitUserEnvironment is disabled"
Test = {
try{
$test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep permituserenvironment
try{
$test2 = grep -Eis '^\s*PermitUserEnvironment\s+yes' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
}
catch{
return @{
Message = "Path not found!"
Status = "False"
}
}
if($test1 -match "permituserenvironment no" -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command doesn't exist"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "5.3.13"
Task = "Ensure only strong Ciphers are used"
Test = {
try{
$test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Ei '^\s*ciphers\s+([^#]+,)?(3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|arcfour|arcfour128|arcfour256|blowfish-cbc|cast128-cbc|rijndael-cbc@lysator.liu.se)\b'
try{
$test2 = grep -Eis '^\s*ciphers\s+([^#]+,)?(3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|arcfour|arcfour128|arcfour256|blowfish-cbc|cast128-cbc|rijndael-cbc@lysator.liu.se)\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
}
catch{
return @{
Message = "Path not found!"
Status = "False"
}
}
if($test1 -eq $null -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command doesn't exist"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "5.3.14"
Task = "Ensure only strong MAC algorithms are used"
Test = {
try{
$test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Ei '^\s*macs\s+([^#]+,)?(hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh\.com|hmac-md5-etm@openssh\.com|hmac-md5-96-etm@openssh\.com|hmac-ripemd160-etm@openssh\.com|hmac-sha1-etm@openssh\.com|hmac-sha1-96-etm@openssh\.com|umac-64-etm@openssh\.com|umac-128-etm@openssh\.com)\b'
try{
$test2 = grep -Eis '^\s*macs\s+([^#]+,)?(hmac-md5|hmac-md5-96|hmac-ripemd160|hmac-sha1|hmac-sha1-96|umac-64@openssh\.com|hmac-md5-etm@openssh\.com|hmac-md5-96-etm@openssh\.com|hmac-ripemd160-etm@openssh\.com|hmac-sha1-etm@openssh\.com|hmac-sha1-96-etm@openssh\.com|umac-64-etm@openssh\.com|umac-128-etm@openssh\.com)\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
}
catch{
return @{
Message = "Path not found!"
Status = "False"
}
}
if($test1 -eq $null -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command doesn't exist"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "5.3.15"
Task = "Ensure only strong Key Exchange algorithms are used"
Test = {
try{
$test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -Ei'^\s*kexalgorithms\s+([^#]+,)?(diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1)\b'
try{
$test2 = grep -Ei '^\s*kexalgorithms\s+([^#]+,)?(diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1)\b' /etc/ssh/sshd_config
}
catch{
return @{
Message = "Path not found!"
Status = "False"
}
}
if($test1 -eq $null -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command doesn't exist"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "5.3.16"
Task = "Ensure SSH Idle Timeout Interval is configured"
Test = {
try{
$test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep clientaliveinterval | cut -d ' ' -f 2
$test2 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep clientalivecountmax | cut -d ' ' -f 2
try{
$test3 = grep -Eis '^\s*clientaliveinterval\s+(0|3[0-9][1-9]|[4-9][0-9][0-9]|[1-9][0-9][0-9][0-9]+|[6-9]m|[1-9][0-9]+m)\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
$test4 = grep -Eis '^\s*ClientAliveCountMax\s+(0|[4-9]|[1-9][0-9]+)\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
}
catch{
return @{
Message = "Path not found!"
Status = "False"
}
}
if(($test1 -ge 1 -and $test1 -le 300) -and ($test2 -ge 1 -and $test2 -le 3) -and $test3 -eq $null -and $test4 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command doesn't exist"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "5.3.17"
Task = "Ensure SSH LoginGraceTime is set to one minute or less"
Test = {
try{
$test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep logingracetime | cut -d ' ' -f 2
try{
$test2 = grep -Eis '^\s*LoginGraceTime\s+(0|6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+|[^1]m)' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
}
catch{
return @{
Message = "Path not found!"
Status = "False"
}
}
if(($test1 -ge 1 -and $test1 -le 60) -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command doesn't exist"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "5.3.18"
Task = "Ensure SSH warning banner is configured"
Test = {
try{
$test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep banner
try{
$test2 = grep -Eis '^\s*Banner\s+"?none\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
}
catch{
return @{
Message = "Path not found!"
Status = "False"
}
}
if($test1 -match "banner /etc/issue.net" -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command doesn't exist"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "5.3.19"
Task = "Ensure SSH PAM is enabled"
Test = {
try{
$test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i usepam
try{
$test2 = grep -Eis '^\s*UsePAM\s+no' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
}
catch{
return @{
Message = "Path not found!"
Status = "False"
}
}
if($test1 -match "usepam yes" -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command doesn't exist"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "5.3.20"
Task = "Ensure SSH AllowTcpForwarding is disabled"
Test = {
try{
$test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i allowtcpforwarding
try{
$test2 = grep -Eis '^\s*AllowTcpForwarding\s+yes\b' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
}
catch{
return @{
Message = "Path not found!"
Status = "False"
}
}
if($test1 -match "allowtcpforwarding no" -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command doesn't exist"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "5.3.21"
Task = "Ensure SSH MaxStartups is configured"
Test = {
try{
$test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i maxstartups
try{
$test2 = grep -Eis '^\s*maxstartups\s+(((1[1-9]|[1-9][0-9][0-9]+):([0-9]+):([0-9]+))|(([0-9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0-9]+):(6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+)))' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
}
catch{
return @{
Message = "Path not found!"
Status = "False"
}
}
$value1 = $test1 | cut -d ':' -f 1
$value2 = $test1 | cut -d ':' -f 2
$value3 = $test1 | cut -d ':' -f 3
if($value1 -ge 10 -and $value2 -ge 30 -and $value3 -ge 60 -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command doesn't exist"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "5.3.22"
Task = "Ensure SSH MaxSessions is limited"
Test = {
try{
$test1 = sshd -T -C user=root -C host="$(hostname)" -C addr="$(grep $(hostname) /etc/hosts | awk '{print $1}')" | grep -i maxsessions | cut -d ' ' -f 2
try{
$test2 = grep -Eis '^\s*MaxSessions\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
}
catch{
return @{
Message = "Path not found!"
Status = "False"
}
}
if($test1 -le 10 -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command doesn't exist"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "5.4.1"
Task = "Ensure password creation requirements are configured"
Test = {
$test1 = grep '^\s*minlen\s*' /etc/security/pwquality.conf | cut -d ' ' -f 3
$test2 = grep '^\s*minclass\s*' /etc/security/pwquality.conf | cut -d ' ' -f 3
$test3 = grep -E '^\s*password\s+(requisite|required)\s+pam_pwquality\.so\s+(\S+\s+)*retry=[1-3]\s*(\s+\S+\s*)*(\s+#.*)?$' /etc/pam.d/common-password | cut -d '=' -f 2
if($test1 -ge 14 -and $test2 -eq 4 -and $test3 -le 3){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.4.2"
Task = "Ensure lockout for failed password attempts is configured"
Test = {
$test1 = grep "pam_tally2" /etc/pam.d/common-auth
$test2 = grep -E "pam_(tally2|deny)\.so" /etc/pam.d/common-account
if($test1 -ne $null -and $test2 -match "pam_deny.so" -and $test2 -match "pam_tally2.so"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.4.3"
Task = "Ensure password reuse is limited"
Test = {
$test1 = grep -E '^\s*password\s+required\s+pam_pwhistory\.so\s+([^#]+\s+)?remember=([5-9]|[1-9][0-9]+)\b' /etc/pam.d/common-password | cut -d '=' -f 2
if($test1 -ge 5){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.4.4"
Task = "Ensure password hashing algorithm is SHA-512"
Test = {
$test1 = grep -E '^\s*password\s+(\[success=1\s+default=ignore\]|required)\s+pam_unix\.so\s+([^#]+\s+)?sha512\b' /etc/pam.d/common-password
if($test1 -match "password" -and $test1 -match "success=1" -and $test1 -match "default=ignore" -and $test1 -match "sha512"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.5.1.1"
Task = "Ensure minimum days between password changes is configured"
Test = {
$test1 = grep PASS_MIN_DAYS /etc/login.defs | cut -d ' ' -f 2
$test2 = awk -F : '(/^[^:]+:[^!*]/ && $4 < 1){print $1 " " $4}' /etc/shadow
if($test1 -ge 1 -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.5.1.2"
Task = "Ensure password expiration is 365 days or less"
Test = {
try{
$res=grep PASS_MAX_DAYS /etc/login.defs | tail -1 | cut -d ' ' -f 1
$res=$res.substring($res.Length -3)
$min=grep PASS_MIN_DAYS /etc/login.defs | tail -1 | cut -d ' ' -f 2
$min=$min.substring($min.Length -1)
$test1 = awk -F: '(/^[^:]+:[^!*]/ && ($5>365 || $5~/([0-1]|-1|\s*)/)){print $1 " " $5}' /etc/shadow
if($res -le 365 -and $res -gt $min -and $test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command not found!"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "5.5.1.3"
Task = "Ensure password expiration warning days is 7 or more"
Test = {
$test1 = grep PASS_WARN_AGE /etc/login.defs | cut -d ' ' -f 2
$test2 = bash -c "awk -F: '(/^[^:]+:[^!*]/ && `$6<7){print `$1 " " `$6}' /etc/shadow"
if($test1 -ge 7 -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.5.1.4"
Task = "Ensure inactive password lock is 30 days or less"
Test = {
$test1 = useradd -D | grep INACTIVE | cut -d '=' -2
if($test1 -le 30){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.5.1.5"
Task = "Ensure all users last password change date is in the past"
Test = {
$parentPath = Split-Path -Parent -Path $PSScriptRoot
$path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-5.5.1.5.sh"
$result=bash $path
if($result -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.5.2"
Task = "Ensure system accounts are secured"
Test = {
$test1 = awk -F: '$1!~/(root|sync|shutdown|halt|^\+)/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' && $7!~/((\/usr)?\/sbin\/nologin)/ && $7!~/(\/bin)?\/false/ {print}' /etc/passwd
$test2 = awk -F: '($1!~/(root|^\+)/ && $3<'"$(awk '/^\s*UID_MIN/{print $2}'/etc/login.defs)"') {print $1}' /etc/passwd | xargs -I '{}' passwd -S '{}' | awk '($2!~/LK?/) {print $1}'
if($test1 -eq $null -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.5.3"
Task = "Ensure default group for the root account is GID 0"
Test = {
$test1 = grep "^root:" /etc/passwd | cut -f4 -d ':'
if($test1 -eq 0){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "5.7"
Task = "Ensure access to the su command is restricted"
Test = {
$test1 = grep pam_wheel.so /etc/pam.d/su
if($test1 -match "^\s*auth\s+required\s+pam_wheel.so\s+use_uid\s+group="){
$test2 = $test1 | cut -d '=' -f 2
$test3 = grep $test2 /etc/group | cut -d ':' -f 4
if($test3 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.1.1"
Task = "Audit system file permissions"
Test = {
$test1 = dpkg --verify $(dpkg --get-selections | awk '{print $1}')
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.1.2"
Task = "Ensure permissions on /etc/passwd are configured"
Test = {
$test1 = stat /etc/passwd
if($test1 -eq "Access: (0644/-rw-r--r--)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.1.3"
Task = "Ensure permissions on /etc/passwd- are configured"
Test = {
$test1 = stat /etc/passwd-
if($test1 -eq "Access: (0644/-rw-r--r--)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.1.4"
Task = "Ensure permissions on /etc/group are configured"
Test = {
$test1 = stat /etc/group
if($test1 -eq "Access: (0644/-rw-r--r--)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.1.5"
Task = "Ensure permissions on /etc/group- are configured"
Test = {
$test1 = stat /etc/group- | grep 0644
if($test1 -eq "Access: (0644/-rw-r--r--)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.1.6"
Task = "Ensure permissions on /etc/shadow are configured"
Test = {
$test1 = stat /etc/shadow | grep 0640
if($test1 -eq "Access: (0640/-rw-r-----)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+0/\s+root)"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.1.7"
Task = "Ensure permissions on /etc/shadow- are configured"
Test = {
$test1 = stat /etc/shadow- | grep 0640
if($test1 -eq "Access: (0640/-rw-r-----)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+42/\s+shadow)"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.1.8"
Task = "Ensure permissions on /etc/gshadow are configured"
Test = {
$test1 = stat /etc/gshadow | grep 0640
if($test1 -eq "Access: (0640/-rw-r-----)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+42/\s+shadow)"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.1.9"
Task = "Ensure permissions on /etc/gshadow- are configured"
Test = {
$test1 = stat /etc/gshadow- | grep 0640
if($test1 -eq "Access: (0640/-rw-r-----)\s+Uid: (\s+0/\s+root)\s+Gid: (\s+42/\s+shadow)"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.1.10"
Task = "Ensure no world writable files exist"
Test = {
#$partitions = mapfile -t partitions < (sudo fdisk -l | grep -o '/dev/[^ ]*')
$test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -0002
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.1.11"
Task = "Ensure no unowned files or directories exist"
Test = {
try{
$test1 = df --local -P | awk "{if (NR -ne 1) { print `$6 }}" | xargs -I '{}' find '{}' -xdev -nouser
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
catch{
return @{
Message = "Command not found!"
Status = "False"
}
}
}
}
[AuditTest] @{
Id = "6.1.12"
Task = "Ensure no ungrouped files or directories exist"
Test = {
$test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -nogroup
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.1.13"
Task = "Audit SUID executables"
Test = {
$test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -4000
$message = ""
foreach($line in $test1){
$message += "<br>$line"
}
return @{
Message = "Please review following list of files: $($message)"
Status = "None"
}
}
}
[AuditTest] @{
Id = "6.1.14"
Task = "Audit SGID executables"
Test = {
$test1 = df --local -P | awk '{if (NR!=1) print $6}' | xargs -I '{}' find '{}' -xdev -type f -perm -2000
$message = ""
foreach($line in $test1){
$message += "<br>$line"
}
return @{
Message = "Please review following list of files: $($message)"
Status = "None"
}
}
}
[AuditTest] @{
Id = "6.2.1"
Task = "Ensure accounts in /etc/passwd use shadowed passwords"
Test = {
$test1 = awk -F: '($2 != "x" ) { print $1 " is not set to shadowed passwords "}'/etc/passwd
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.2.2"
Task = "Ensure password fields are not empty"
Test = {
$test1 = awk -F: '($2 == "" ) { print $1 " does not have a password "}' /etc/shadow
if($test1 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.2.3"
Task = "Ensure all groups in /etc/passwd exist in /etc/group"
Test = {
$parentPath = Split-Path -Parent -Path $PSScriptRoot
$path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.3.sh"
$result=bash $path
if($result -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.2.4"
Task = "Ensure all users' home directories exist"
Test = {
$parentPath = Split-Path -Parent -Path $PSScriptRoot
$path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.4.sh"
$result=bash $path
if($result -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
# [AuditTest] @{
# Id = "6.2.5"
# Task = "Ensure users own their home directories"
# Test = {
# Write-Error "Test"
# $parentPath = Split-Path -Parent -Path $PSScriptRoot
# $path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.5.sh"
# $result=bash $path
# Write-Error "Test"
# if($result -eq $null){
# return @{
# Message = "Compliant"
# Status = "True"
# }
# }
# return @{
# Message = "Not-Compliant"
# Status = "False"
# }
# }
# }
[AuditTest] @{
Id = "6.2.6"
Task = "Ensure users' home directories permissions are 750 or more restrictive"
Test = {
$parentPath = Split-Path -Parent -Path $PSScriptRoot
$path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.6.sh"
$result=bash $path
if($result -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.2.7"
Task = "Ensure users' dot files are not group or world writable"
Test = {
$parentPath = Split-Path -Parent -Path $PSScriptRoot
$path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.7.sh"
$result=bash $path
if($result -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.2.8"
Task = "Ensure no users have .netrc files"
Test = {
$parentPath = Split-Path -Parent -Path $PSScriptRoot
$path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.8.sh"
$result=bash $path
if($result -match "FAILED"){
return @{
Message = "Not-Compliant. Permissions need to get updated."
Status = "False"
}
}
if($result -match "WARNING" -and $result -notmatch "FAILED"){
return @{
Message = "Some changed should be made."
Status = "Warning"
}
}
if($result -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.2.9"
Task = "Ensure no users have .forward files"
Test = {
$parentPath = Split-Path -Parent -Path $PSScriptRoot
$path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.9.sh"
$result=bash $path
if($result -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.2.10"
Task = "Ensure no users have .rhosts files"
Test = {
$parentPath = Split-Path -Parent -Path $PSScriptRoot
$path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.10.sh"
$result=bash $path
if($result -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.2.11"
Task = "Ensure root is the only UID 0 account"
Test = {
$test1 = awk -F: '($3 == 0) { print $1 }' /etc/passwd
if($test1 -match "root"){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.2.12"
Task = "Ensure root PATH Integrity"
Test = {
$parentPath = Split-Path -Parent -Path $PSScriptRoot
$path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.12.sh"
$result=bash $path
if($result -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.2.13"
Task = "Ensure no duplicate UIDs exist"
Test = {
$parentPath = Split-Path -Parent -Path $PSScriptRoot
$path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.13.sh"
$result=bash $path
if($result -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.2.14"
Task = "Ensure no duplicate GIDs exist"
Test = {
$parentPath = Split-Path -Parent -Path $PSScriptRoot
$path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.14.sh"
$result=bash $path
if($result -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.2.15"
Task = "Ensure no duplicate user names exist"
Test = {
$parentPath = Split-Path -Parent -Path $PSScriptRoot
$path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.15.sh"
$result=bash $path
if($result -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.2.16"
Task = "Ensure no duplicate group names exist"
Test = {
$parentPath = Split-Path -Parent -Path $PSScriptRoot
$path = $parentPath+"/Helpers/ShellScripts/CIS-Ubuntu-6.2.16.sh"
$result=bash $path
if($result -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
[AuditTest] @{
Id = "6.2.17"
Task = "Ensure shadow group is empty"
Test = {
$test1 = awk -F: '($1=="shadow") {print $NF}' /etc/group
$test2 = awk -F: -v GID="$(awk -F: '($1=="shadow") {print $3}' /etc/group)" '($4==GID) {print $1}' /etc/passwd
if($test1.Length -eq 0 -and $test2 -eq $null){
return @{
Message = "Compliant"
Status = "True"
}
}
return @{
Message = "Not-Compliant"
Status = "False"
}
}
}
Reference in New Issue View Git Blame Copy Permalink