Security Technical Implementation Guide tests based upon RHEL/hardenedlinux

tests/check-aide-baseline.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+#Tested on Aide 0.16a2-19-g16ed855
+
+CHECKDATABASE=$(grep "database=" /etc/aide/aide.conf  2>/dev/null )
+if [ $? -eq 0 ];then
+        :
+else 
+        echo "couldn""'""t found aide.conf"
+        exit 1
+fi
+
+DATABASE=$(echo $CHECKDATABASE | awk -F ':' '{printf $2}' 2>/dev/null)
+
+if [ $? -eq 0 ];then
+        :
+else 
+        echo "couldn""'""t found database location at aide.conf"
+        exit 1
+fi
+
+if [ -f "$DATABASE" ];then
+        echo "There is a baseline for aide."
+	exit 0
+else
+        echo "Can""'""t find aide baseline"
+	exit 1
+fi

tests/check-aide-cron.sh

@@ -0,0 +1,5 @@
+#1/bin/bash
+
+if [ $(grep aide /etc/crontab /etc/cron.*/* | wc -l) -ne 0 ];then
+        exit 1
+fi

tests/check-apt-gpg.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+if grep -i "gpg" /etc/apt/apt.conf.d/* | sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' | grep -i "gpg.*check.*false";then
+        exit 1
+fi

tests/check-apt-key.sh

@@ -0,0 +1,100 @@
+#!/bin/bash
+#Verify with the key fatch from https://ftp-master.debian.org/keys.html
+
+#---------------------------------------------------------------------------
+#"Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>"
+
+JESSIEARCHIVEKEY=" 126C 0D24 BD8A 2942 CC7D  F8AC 7638 D044 2B90 D010"
+CHECKTMP=$(apt-key finger | grep -B 1 "Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>" | head -n1 | awk -F '=' '{printf $2}')
+
+if [ "$CHECKTMP" == "$JESSIEARCHIVEKEY" ];then
+       echo Good
+       :
+else
+       echo bad
+       exit 1
+fi
+
+#---------------------------------------------------------------------------
+#"Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>"
+
+JESSIESECURITYKEY=" D211 6914 1CEC D440 F2EB  8DDA 9D6D 8F6B C857 C906"
+CHECKTMP=$(apt-key finger | grep -B 1 "Debian Security Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>" | head -n1 | awk -F '=' '{printf $2}')
+
+if [ "$CHECKTMP" == "$JESSIESECURITYKEY" ];then
+       echo Good
+       :
+else
+       echo bad
+       exit 1
+fi
+
+#---------------------------------------------------------------------------
+#"Jessie Stable Release Key <debian-release@lists.debian.org>"
+
+JESSIESTABLEKEY=" 75DD C3C4 A499 F1A1 8CB5  F3C8 CBF8 D6FD 518E 17E1"
+CHECKTMP=$(apt-key finger | grep -B 1 "Jessie Stable Release Key <debian-release@lists.debian.org>" | head -n1 | awk -F '=' '{printf $2}')
+
+if [ "$CHECKTMP" == "$JESSIESTABLEKEY" ];then
+       echo Good
+       :
+else
+       echo bad
+       exit 1
+fi
+
+#---------------------------------------------------------------------------
+#"Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>"
+
+SQUEEZEARCHIVEKEY=" 9FED 2BCB DCD2 9CDF 7626  78CB AED4 B06F 4730 41FA"
+CHECKTMP=$(apt-key finger | grep -B 1 "Debian Archive Automatic Signing Key (6.0/squeeze) <ftpmaster@debian.org>" | head -n1 | awk -F '=' '{printf $2}')
+
+if [ "$CHECKTMP" == "$SQUEEZEARCHIVEKEY" ];then
+       echo Good
+       :
+else
+       echo bad
+       exit 1
+fi
+
+#---------------------------------------------------------------------------
+#"Squeeze Stable Release Key <debian-release@lists.debian.org>"
+
+SQUEEZESTABLEKEY=" 0E4E DE2C 7F3E 1FC0 D033  800E 6448 1591 B983 21F9"
+CHECKTMP=$(apt-key finger | grep -B 1 "Squeeze Stable Release Key <debian-release@lists.debian.org>" | head -n1 | awk -F '=' '{printf $2}')
+
+if [ "$CHECKTMP" == "$SQUEEZESTABLEKEY" ];then
+       echo Good
+       :
+else
+       echo bad
+       exit 1
+fi
+
+#---------------------------------------------------------------------------
+#"Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>"
+
+WHEEZYARCHIVEKEY=" A1BD 8E9D 78F7 FE5C 3E65  D8AF 8B48 AD62 4692 5553"
+CHECKTMP=$(apt-key finger | grep -B 1 "Debian Archive Automatic Signing Key (7.0/wheezy) <ftpmaster@debian.org>" | head -n1 | awk -F '=' '{printf $2}')
+
+if [ "$CHECKTMP" == "$WHEEZYARCHIVEKEY" ];then
+       echo Good
+       :
+else
+       echo bad
+       exit 1
+fi
+
+#---------------------------------------------------------------------------
+#"Wheezy Stable Release Key <debian-release@lists.debian.org>"
+
+WHEEZYSTABLEKEY=" ED6D 6527 1AAC F0FF 15D1  2303 6FB2 A1C2 65FF B764"
+CHECKTMP=$(apt-key finger | grep -B 1 "Wheezy Stable Release Key <debian-release@lists.debian.org>" | head -n1 | awk -F '=' '{printf $2}')
+
+if [ "$CHECKTMP" == "$WHEEZYSTABLEKEY" ];then
+       echo Good
+       :
+else
+       echo bad
+       exit 1
+fi

tests/check-audisp.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+if dpkg -s audispd-plugins > /dev/null 2>&1;then
+        if ! sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audisp/plugins.d/syslog.conf | grep -i "active.*yes";then
+                exit 1
+        fi       
+else
+        exit 1
+fi

tests/check-auditd-package.sh

@@ -0,0 +1,112 @@
+#!/bin/bash
+#The hole idea of how to get the origin files' permission is learned from http://sysadminnotebook.blogspot.com/2012/06/how-to-reset-folder-permissions-to.html
+
+TDIR=`mktemp -d`
+cd $TDIR
+aptitude download auditd
+FILES=`dpkg -c auditd*.deb | sed -e '/^d/d' | \
+       sed '/audit.rules$/p;s/\/etc\/audit\/rules.d\/audit.rules$/\/etc\/audit\/audit.rules/'`
+DIRECTORY=`dpkg -c auditd*.deb | sed -n '/^d/p' | \
+          sed -e '/\/usr\/share\/man/d'`
+case $1 in
+        permission)
+                echo "$FILES" | while read FILE;
+                do
+                        echo "$FILE" | awk '{print $6}' | sed -e 's/^.//g' | while read line;
+                        do
+                                ORIGIN=$(echo "$FILE" | awk '{print $1}')
+                                CURRENT=$(ls -l "$line" | awk '{print $1}')
+                                if [ "$CURRENT" != "$ORIGIN" ];then
+                                        echo "ORIGIN:$FILE"
+                                        echo "CURRENT:$(ls -l $line)"
+                                        exit 1
+                                fi
+                        done
+                done
+                echo "$DIRECTORY" | while read DIR;
+                do
+                        echo "$DIR" | awk '{print $6}' | sed -e 's/^.//g' | while read line;
+                        do
+                                ORIGIN=$(echo "$DIR" | awk '{print $1}' )
+                                CURRENT=$(ls -dl "$line" | awk '{print $1}' )
+                                if [ "$CURRENT" != "$ORIGIN" ];then
+                                        echo "$ORIGIN:$DIR"
+                                        echo "$CURRENT:$(ls -dl $line)"
+                                        exit 1
+                                fi
+                        done
+                done
+        ;;
+        owner)
+                echo "$FILES" | while read FILE;
+                do
+                        echo "$FILE" | awk '{print $6}' | sed -e 's/^.//g' | while read line;
+                        do
+                                ORIGIN=$(echo "$FILE" | awk '{print $2}' | awk -F '/' '{print $1}')
+                                CURRENT=$(ls -l "$line" | awk '{print $3}')
+                                if [ "$CURRENT" != "$ORIGIN" ];then
+                                        echo "ORIGIN:$FILE"
+                                        echo "CURRENT:$(ls -l $line)"
+                                        exit 1
+                                fi
+                        done
+                done
+                echo "$DIRECTORY" | while read DIR;
+                do
+                        echo "$DIR" | awk '{print $6}' | sed -e 's/^.//g' | while read line;
+                        do
+                                ORIGIN=$(echo "$DIR" | awk '{print $2}' | awk -F '/' '{print $1}' )
+                                CURRENT=$(ls -dl "$line" | awk '{print $3}' )
+                                if [ "$CURRENT" != "$ORIGIN" ];then
+                                        echo "$ORIGIN:$DIR"
+                                        echo "$CURRENT:$(ls -dl $line)"
+                                        exit 1
+                                fi
+                        done
+                done
+        ;;
+        group-owner)
+                echo "$FILES" | while read FILE;
+                do
+                        echo "$FILE" | awk '{print $6}' | sed -e 's/^.//g' | while read line;
+                        do
+                                ORIGIN=$(echo "$FILE" | awk '{print $2}' | awk -F '/' '{print $2}')
+                                CURRENT=$(ls -l "$line" | awk '{print $4}')
+                                if [ "$CURRENT" != "$ORIGIN" ];then
+                                        echo "ORIGIN:$FILE"
+                                        echo "CURRENT:$(ls -l $line)"
+                                        exit 1
+                                fi
+                        done
+                done
+                echo "$DIRECTORY" | while read DIR;
+                do
+                        echo "$DIR" | awk '{print $6}' | sed -e 's/^.//g' | while read line;
+                        do
+                                ORIGIN=$(echo "$DIR" | awk '{print $2}' | awk -F '/' '{print $2}' )
+                                CURRENT=$(ls -dl "$line" | awk '{print $4}' )
+                                if [ "$CURRENT" != "$ORIGIN" ];then
+                                        echo "$ORIGIN:$DIR"
+                                        echo "$CURRENT:$(ls -dl $line)"
+                                        exit 1
+                                fi
+                        done
+                done
+        ;;
+        file-hashes)
+                dpkg-deb -R audit*.deb .
+                echo "$FILES" | grep "bin/" | while read FILE;
+                do
+                        echo "$FILE" | awk '{print $6}' | sed -e 's/^.//g' | while read line;
+                        do
+                                ORIGIN=$(sha512sum "$(echo "$line" | sed -e 's/^.\///g')" | awk '{print $1}')
+                                CURRENT=$(sha512sum "$line" | awk '{print $1}')
+                                if [ "$CURRENT" != "$ORIGIN" ];then
+                                        echo "ORIGIN:$FILE"
+                                        echo "CURRENT:$(ls -l $line)"
+                                        exit 1
+                                fi
+                        done
+                done
+        ;;
+esac

tests/check-auditd.sh

@@ -0,0 +1,153 @@
+#!/bin/bash
+
+case $1 in
+        space_left_action)
+                EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
+                if [ $? -eq 0 ];then
+                        ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
+                        if [ "${ACTION,,}" != "email" ];then
+                            exit 1
+                        fi
+                else
+                        exit 1
+                fi
+        ;;
+        num_logs)
+                EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
+                if [ $? -eq 0 ];then
+                        if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}') -$2 $3 ];then
+                            exit 1
+                        fi
+                else
+                        exit 1
+                fi
+        ;;
+        max_log_file)
+                EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1=)
+                if [ $? -eq 0 ];then
+                        if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1= | awk -F '=' '{print $2}') -$2 $3 ];then
+                            exit 1
+                        fi
+                else
+                        exit 1
+                fi
+        ;;
+        max_log_file_action)
+                EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
+                if [ $? -eq 0 ];then
+                        ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
+                        if [ "${ACTION,,}" != "rotate" ];then
+                            exit 1
+                        fi
+                else
+                        exit 1
+                fi
+        ;;
+        admin_space_left_action)
+                EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
+                if [ $? -eq 0 ];then
+                        ACTION=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
+                        if [ "${ACTION,,}" != "single" ];then
+                            exit 1
+                        fi
+                else
+                        exit 1
+                fi
+        ;;
+        account)
+                if ! auditctl -l | grep "/etc/passwd" ;then
+                        exit 1
+                elif ! auditctl -l | grep "/etc/shadow";then
+                        exit 1
+                elif ! auditctl -l | grep "/etc/group";then
+                        exit 1
+                elif ! auditctl -l | grep "/etc/gshadow";then
+                        exit 1
+                elif ! auditctl -l | grep "/etc/security/opasswd";then
+                        exit 1
+                fi
+        ;;
+        network)
+                if ! auditctl -l | grep "sethostname" ;then
+                        exit 1
+                elif ! auditctl -l | grep "setdomainname";then
+                        exit 1
+                elif ! auditctl -l | grep "/etc/issue.net";then
+                        exit 1
+                elif ! auditctl -l | grep "/etc/hosts";then
+                        exit 1
+                elif ! auditctl -l | grep "/etc/sysconfig";then
+                        exit 1
+                elif ! auditctl -l | grep "network";then
+                        exit 1
+                fi
+        ;;
+        apparmor-config)
+                if ! auditctl -l | grep "/etc/apparmor/" ;then
+                        exit 1
+                elif ! auditctl -l | grep "/etc/apparmor.d/";then
+                        exit 1
+                fi
+        ;;
+        failed-access-files-programs)
+                if ! auditctl -l | grep "EACCES" ;then
+                        exit 1
+                elif ! auditctl -l | grep "EPERM";then
+                        exit 1
+                fi
+        ;;
+        setuid-setgid)
+                find / -xdev -type f -perm /6000 2>/dev/null | while read line;do
+                        if ! auditctl -l | grep "$line" ;then
+                                exit 1
+                        fi
+                done
+        ;;
+        deletions)
+                if ! auditctl -l | grep "rmdir" ;then
+                        exit 1
+                elif ! auditctl -l | grep "unlink";then
+                        exit 1
+                elif ! auditctl -l | grep "unlinkat";then
+                        exit 1
+                elif ! auditctl -l | grep "rename";then
+                        exit 1
+                elif ! auditctl -l | grep "renameat";then
+                        exit 1
+                fi
+        ;;
+        kernel-modules)
+                if ! auditctl -l | egrep -e "(-w |-F path=)/sbin/insmod";then
+                        exit 1
+                elif ! auditctl -l | egrep -e "(-w |-F path=)/sbin/rmmod";then
+                        exit 1
+                elif ! auditctl -l | egrep -e "(-w |-F path=)/sbin/modprobe";then
+                        exit 1
+                elif ! auditctl -l | grep -w "init_module";then
+                        exit 1
+                elif ! auditctl -l | grep -w "delete_module";then
+                        exit 1
+                fi
+        ;;
+        action_mail_acct)
+                EXIST=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1)
+                if [ $? -eq 0 ];then
+                        ACCOUNT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/audit/auditd.conf | sed -e 's/\ //'g | grep $1 | awk -F '=' '{print $2}')
+                        if [ "${ACCOUNT,,}" != "root" ];then
+                            exit 1
+                        fi
+                else
+                        exit 1
+                fi
+        ;;
+        disk_full_action)
+                if grep -i "disk_full_action.*ignore\|disk_full_action.*suspend" /etc/audit/auditd.conf;then
+                        exit 1
+                fi
+        ;;
+        disk_error_action)
+                if grep -i "disk_error_action.*ignore\|disk_error_action.*suspend" /etc/audit/auditd.conf;then
+                        exit 1
+                fi
+        ;;
+esac

tests/check-bluetooth.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+if grep -r bluetooth /etc/modprobe.d;then
+        if ! grep -r net-pf-31 /etc/modprobe.d;then
+                exit 1
+        fi
+else
+        exit 1
+fi

tests/check-cmd-mode.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+
+if [ -d "/bin" ];then
+
+        COUNT=$(find -L /bin  -type f  -perm  /022  -exec ls -l {} \; |wc -l)
+
+        if [ $COUNT -eq 0 ];then
+                :
+        else
+                exit 1
+        fi
+fi
+if [ -d "/usr/bin" ];then
+
+        COUNT=$(find -L /usr/bin  -type f  -perm  /022  -exec ls -l {} \; |wc -l)
+
+        if [ $COUNT -eq 0 ];then
+                :
+        else
+                exit 1
+        fi
+fi
+if [ -d "/usr/local/bin" ];then
+
+        COUNT=$(find -L /usr/local/bin  -type f  -perm  /022  -exec ls -l {} \; |wc -l)
+
+        if [ $COUNT -eq 0 ];then
+                :
+        else
+                exit 1
+        fi
+fi
+if [ -d "/sbin" ];then
+
+        COUNT=$(find -L /sbin  -type f  -perm  /022  -exec ls -l {} \; |wc -l)
+
+        if [ $COUNT -eq 0 ];then
+                :
+        else
+                exit 1
+        fi
+fi
+if [ -d "/usr/sbin" ];then
+
+        COUNT=$(find -L /usr/sbin  -type f  -perm  /022  -exec ls -l {} \; |wc -l)
+
+        if [ $COUNT -eq 0 ];then
+                :
+        else
+                exit 1
+        fi
+fi
+if [ -d "/usr/local/sbin" ];then
+
+        COUNT=$(find -L /usr/local/sbin  -type f  -perm  /022  -exec ls -l {} \; |wc -l)
+
+        if [ $COUNT -eq 0 ];then
+                :
+        else
+                exit 1
+        fi
+fi

tests/check-cmd-owner.sh

@@ -0,0 +1,62 @@
+#!/bin/bash
+
+if [ -d "/bin" ];then
+
+        COUNT=$(find -L /bin  \! -user root  -exec ls -l {} \; |wc -l)
+
+        if [ $COUNT -eq 0 ];then
+                :
+        else
+                exit 1
+        fi
+fi
+if [ -d "/usr/bin" ];then
+
+        COUNT=$(find -L /usr/bin  \! -user root  -exec ls -l {} \; |wc -l)
+
+        if [ $COUNT -eq 0 ];then
+                :
+        else
+                exit 1
+        fi
+fi
+if [ -d "/usr/local/bin" ];then
+
+        COUNT=$(find -L /usr/local/bin  \! -user root  -exec ls -l {} \; |wc -l)
+
+        if [ $COUNT -eq 0 ];then
+                :
+        else
+                exit 1
+        fi
+fi
+if [ -d "/sbin" ];then
+
+        COUNT=$(find -L /sbin  \! -user root  -exec ls -l {} \; |wc -l)
+
+        if [ $COUNT -eq 0 ];then
+                :
+        else
+                exit 1
+        fi
+fi
+if [ -d "/usr/sbin" ];then
+
+        COUNT=$(find -L /usr/sbin  \! -user root  -exec ls -l {} \; |wc -l)
+
+        if [ $COUNT -eq 0 ];then
+                :
+        else
+                exit 1
+        fi
+fi
+if [ -d "/usr/local/sbin" ];then
+
+        COUNT=$(find -L /usr/local/sbin  \! -user root  -exec ls -l {} \; |wc -l)
+
+        if [ $COUNT -eq 0 ];then
+                :
+        else
+                exit 1
+        fi
+fi

tests/check-consoles.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+case $1 in
+        virtual)
+                if [ -f /etc/securetty ];then
+                        if grep '^vc/[0-9]' /etc/securetty;then
+                                exit 1
+                        fi
+                else
+                        exit 0
+                fi
+        ;;
+        serial)
+                if [ -f "/etc/securetty" ];then
+                        if grep '^ttyS[0-9]' /etc/securetty;then
+                                exit 1
+                        fi
+                else
+                        exit 0
+                fi
+        ;;
+esac

tests/check-ctrl-alt-del.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+if [ -f /etc/systemd/system/ctrl-alt-del.target ];then
+        if ! ls -l /etc/systemd/system/ctrl-alt-del.target | grep "/dev/null";then
+                exit 1
+        fi
+else
+        exit 1
+fi

tests/check-default-account.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+echo $(awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ {print $1 ":" $2}' /etc/shadow | awk -F ':' '{printf $1}' )| while read ACCOUNT
+do      
+        awk -F':' '{ if ( $3 <= 500 ) print $1 }' /etc/passwd | sed '/^root$/d' | while read ACCOUNTLIST
+        do      
+                if [ "$ACCOUNT" == "$ACCOUNTLIST" ];then
+                        echo "There is at least one default account is using"
+                        exit 1
+                fi
+        done
+done

tests/check-depends.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+case $1 in
+        smb-signing)
+                if dpkg -s samba >/dev/null 2>&1;then
+                        if ! sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' -e '/^;/d' /etc/samba/smb.conf | grep "client.*signing.*mandatory";then
+                                exit 1
+                        fi
+                fi
+        ;;
+        smb-sec)
+                if [ "$(grep "cifs.*sec=krb5a\|cifs.*sec=ntlmv2i" /etc/mtab /etc/fstab | wc -l)" != "$(grep "cifs" /etc/mtab /etc/fstab | wc -l)" ];then
+                        exit 1
+                fi
+        ;;
+        libuser)
+                if [ -f /etc/libuser.conf ];then
+                        if ! sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/libuser.conf | grep "crypt_style.*sha512";then
+                                exit 1
+                        fi
+                fi 
+        ;;
+        icmpv6)
+                if [ -a /proc/net/if_inet6 ];then
+                        if ! sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/libuser.conf | grep "crypt_style.*sha512";then
+                                exit 1
+                        fi
+                fi 
+        ;;
+esac

tests/check-gids.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+if [ $(pwck -r | grep "no group" | wc -l) -ne 0 ];then
+        exit 1
+fi

tests/check-grub-mode.sh

@@ -0,0 +1,98 @@
+#!/bin/bash
+MODE=$(ls -l /boot/grub/grub.cfg | awk '{print $1}')
+
+if [ "$(printf "%c" "$MODE")" == "-" ];then  #First char at MODE(----------)
+        :   
+else
+        exit 1
+fi
+
+TEMP=${MODE#?}                 #remove first char at MODE and save at $TEMP
+
+printf "%c" "$TEMP" | grep -w "^r$\|^-$"
+
+if [ $? -eq 0 ];then
+        :   
+else
+        exit 1
+fi
+
+TEMP=${TEMP#?}
+
+printf "%c" "$TEMP" | grep -w "^w$\|^-$"
+
+if [ $? -eq 0 ];then
+        :   
+else
+        exit 1
+fi
+
+TEMP=${TEMP#?}
+
+printf "%c" "$TEMP" | grep -w "^-$"
+
+if [ $? -eq 0 ];then
+        :   
+else
+        exit 1
+fi
+
+TEMP=${TEMP#?}
+
+printf "%c" "$TEMP" | grep -w "^-$"
+
+if [ $? -eq 0 ];then
+        :   
+else
+        exit 1
+fi
+
+TEMP=${TEMP#?}
+
+printf "%c" "$TEMP" | grep -w "^-$"
+if [ $? -eq 0 ];then
+        :
+else
+        exit 1
+fi
+
+TEMP=${TEMP#?}
+
+printf "%c" "$TEMP" | grep -w "^-$"
+
+if [ $? -eq 0 ];then
+        :
+else
+        exit 1
+fi
+
+TEMP=${TEMP#?}
+
+printf "%c" "$TEMP" | grep -w "^-$"
+
+if [ $? -eq 0 ];then
+        :
+else
+        exit 1
+fi
+
+TEMP=${TEMP#?}
+
+printf "%c" "$TEMP" | grep -w "^-$"
+
+if [ $? -eq 0 ];then
+        :
+else
+        exit 1
+fi
+
+TEMP=${TEMP#?}
+
+printf "%c" "$TEMP" | grep -w "^-$"
+
+if [ $? -eq 0 ];then
+        :
+else
+        exit 1
+fi
+

tests/check-inactive.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/default/useradd | grep INACTIVE;then
+        if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/default/useradd | grep INACTIVE | awk -F '=' '{printf $2}') -gt 35 ];then
+                exit 1
+        fi
+else
+        exit 1
+fi

tests/check-ipv6-enable.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+if [ -a /proc/net/if_inet6 ];then
+        echo bad
+        exit 1
+fi

tests/check-libs-mode.sh

@@ -0,0 +1,42 @@
+#!/bin/bash
+
+if [ -d "/lib" ];then
+
+        COUNT=$(find -L /lib  -type f  -perm  /022  -exec ls -l {} \; |wc -l)
+
+        if [ $COUNT -eq 0 ];then
+                :
+        else
+                exit 1
+        fi
+fi
+if [ -d "/lib64" ];then
+
+        COUNT=$(find -L /lib64  -type f  -perm  /022  -exec ls -l {} \; |wc -l)
+
+        if [ $COUNT -eq 0 ];then
+                :
+        else
+                exit 1
+        fi
+fi
+if [ -d "/usr/lib" ];then
+
+        COUNT=$(find -L /usr/lib  -type f  -perm  /022  -exec ls -l {} \; |wc -l)
+
+        if [ $COUNT -eq 0 ];then
+                :
+        else
+                exit 1
+        fi
+fi
+if [ -d "/usr/lib64" ];then
+
+        COUNT=$(find -L /usr/lib64  -type f  -perm  /022  -exec ls -l {} \; |wc -l)
+
+        if [ $COUNT -eq 0 ];then
+                :
+        else
+                exit 1
+        fi
+fi

tests/check-libs-owner.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+if [ -d "/lib" ];then
+
+        COUNT=$(find -L /lib  \! -user root  -exec ls -l {} \; |wc -l)
+
+        if [ $COUNT -eq 0 ];then
+                :
+        else
+                exit 1
+        fi
+fi
+if [ -d "/lib64" ];then
+
+        COUNT=$(find -L /lib64  \! -user root  -exec ls -l {} \; |wc -l)
+
+        if [ $COUNT -eq 0 ];then
+                :
+        else
+                exit 1
+        fi
+fi
+if [ -d "/usr/lib" ];then
+
+        COUNT=$(find -L /usr/lib  \! -user root  -exec ls -l {} \; |wc -l)
+
+        if [ $COUNT -eq 0 ];then
+                :
+        else
+                exit 1
+        fi
+fi
+if [ -d "/usr/lib64" ];then
+
+        COUNT=$(find -L /usr/lib64  \! -user root  -exec ls -l {} \; |wc -l)
+
+        if [ $COUNT -eq 0 ];then
+                :
+        else
+                exit 1
+        fi
+fi
+

tests/check-limits.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+case $1 in
+        core-dumps)
+                if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/security/limits.conf | grep "hard.*core";then
+                        if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/security/limits.conf | grep "hard.*core" | awk -F 'core' '{print $2}' | sed 's/\ *//g') -ne 0 ];then
+                                exit 1
+                        fi
+                else
+                        exit 1
+                fi
+        ;;
+        maxlogins)
+                if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/security/limits.conf | grep "maxlogins";then
+                        if [ $(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/security/limits.conf | grep "maxlogins" | awk -F 'maxlogins' '{print $2}' | sed 's/\ *//g') -lt 10 ];then
+                                exit 1
+                        fi
+                else
+                        exit 1
+                fi
+        ;;
+esac

tests/check-login-defs.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+
+LOCATION=$1
+KEYWORD=$2
+OPTION=$3
+
+if [ -f "$LOCATION" ];then
+
+        RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' $LOCATION | grep "$KEYWORD.*$OPTION")
+        #above line is remove any comment in the configuration file and use grep to output a exit status
+        #if matched both $KEYWORD and $OPTION there is a success exit status: 0
+
+        if [ $? -eq 0 ];then
+                if [ "$(echo $RESULT | tr "\t" "\n" | tr " " "\n" | sed -n "/$OPTION/p"| awk -F "=" '{printf $2}')" -$(echo $COMPARE) "$CONDITION" ];then
+                        exit 1
+                fi
+        else
+                exit 1
+        fi 
+
+fi

tests/check-logrotate.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+if [ $(find /etc/cron.d*/ -name logrotate | wc -l) -eq 0 ];then
+        exit 1
+fi

tests/check-mode.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+#In STIG there is only 5 kinds of permission : 0000, 0644, 0755, 0600, 0640
+LOCALTION=$1
+PERM=$2
+
+LEN=(stat $LOCALTION -c %a) 
+#if permisiion of the file or directory 
+
+
+if [ $LEN == 4 ];then
+       exit 1
+fi
+
+let FPERM=777-$PERM
+
+find $LOCALTION -perm /$(printf "%03d\n" $FPERM) | wc -l | awk -F: '($1 != "0") {print; err=1} END {exit err}'

tests/check-netrc.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+if [ -f ~/.netrc ];then
+        echo "Found .netrc in /root"
+        exit 1
+else
+        echo ".netrc no found in /root"
+fi
+for i in $(awk -F':' '{ if ( $3 >= 500 ) print $1 }' /etc/passwd);do
+        HOMEDIR=`eval "echo ~$i"`
+        if [ -f "$HOMEDIR/.netrc" ];then
+                echo "Found .netrc in $HOMEDIR"
+                exit 1
+        else
+                echo ".netrc no found in $HOMEDIR"
+        fi
+done

tests/check-nfs-all-squash.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/exports | grep -i  "all_squash";then
+        exit 1
+fi

tests/check-nfs-insecure.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+if ! sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/exports | grep insecure_locks;then
+        exit 1
+fi

tests/check-nfs.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+case $1 in
+        nodev)
+                if [ "$(mount | grep nfs | wc -l)" != "$(mount | grep "nfs.*nodev" | wc -l)" ];then
+                        exit 1
+                fi
+	;;
+	nosuid)
+	        if [ "$(mount | grep nfs | wc -l)" != "$(mount | grep "nfs.*nosuid" | wc -l)" ];then
+		        exit 1
+		fi
+	;;
+esac

tests/check-ntp-sources.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+if [ -f /etc/ntp.conf ];then
+        if ! sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ntp.conf | grep server;then
+                exit 1
+        fi
+else
+        exit 1
+fi

tests/check-package-up2date.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+#Based on http://unix.stackexchange.com/questions/175146/apt-get-update-exit-status
+#And http://unix.stackexchange.com/questions/19470/list-available-updates-but-do-not-install-them
+
+if ! { apt-get update 2>&1 || echo E: update failed ;} | grep -q '^[WE]:';then
+        echo update success
+else
+        echo update failure
+        exit 1
+fi
+
+if [ $(aptitude search '~U' | wc -l) -gt 0 ];then
+        echo Need-to-update
+        exit 1
+else 
+        echo No-Need-to-update
+        exit 0
+fi

tests/check-packages.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+case $1 in
+        xinetd)
+                if dpkg -s xinetd ;then
+                        exit 1
+                fi
+        ;;
+        telnetd)
+                if dpkg -s telnetd ;then
+                        exit 1
+                fi
+        ;;
+        rsh-server)
+                if dpkg -s rsh-server ;then
+                        exit 1
+                fi
+        ;;
+        nis)
+                if dpkg -s nis ;then
+                        exit 1
+                fi
+        ;;
+        tftpd)
+                if dpkg -s tftpd ;then
+                        exit 1
+                fi
+        ;;
+        sldap)
+                if dpkg -s sldap ;then
+                        exit 1
+                fi
+        ;;
+        sendmail)
+                if dpkg -s sendmail ;then
+                        exit 1
+                fi
+        ;;
+        x11-common)
+                if dpkg -s x11-common ;then
+                        exit 1
+                fi
+        ;;
+esac

tests/check-password-max-day.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+if [ -f "/etc/login.def" ];then
+
+        RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/login.defs | grep PASS_MAX_DAYS)
+        if [ $? -eq 0 ];then
+                if [ "$(echo $RESULT | awk '{printf $2}')" -gt "60" ];then
+                        exit 1
+                fi  
+        else
+                exit 1
+        fi  
+else
+        exit 1
+fi

tests/check-password-min-day.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+if [ -f "/etc/login.def" ];then
+
+        RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/login.defs | grep PASS_MIN_DAYS)
+        if [ $? -eq 0 ];then
+                if [ "$(echo $RESULT | awk '{printf $2}')" -lt "1" ];then
+                        exit 1
+                fi  
+        else
+                exit 1
+        fi  
+else
+        exit 1
+fi

tests/check-password-min-len.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+if [ -f "/etc/login.def" ];then
+
+        RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/login.defs | grep PASS_MIN_LEN)
+        if [ $? -eq 0 ];then
+                if [ "$(echo $RESULT | awk '{printf $2}')" -lt "14" ];then
+                        exit 1
+                fi  
+        else
+                exit 1
+        fi  
+else
+        exit 1
+fi

tests/check-password-warn-age.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+if [ -f "/etc/login.def" ];then
+
+        RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/login.defs | grep PASS_WARN_AGE)
+        if [ $? -eq 0 ];then
+                if [ "$(echo $RESULT | awk '{printf $2}')" -lt "7" ];then
+                        exit 1
+                fi  
+        else
+                exit 1
+        fi  
+else
+        exit 1
+fi

tests/check-password.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+LOCATION=$1
+KEYWORD=$2
+OPTION=$3
+COMPARE=$4
+CONDITION=$5
+
+#Example:
+#LOCATION="/etc/pam.d/common-password"  
+        #For debian is common-password ,for Gentoo and Red hat the file is system-auth
+#KEYWORD="pam_cracklib.so"
+#OPTION="ocredit"
+#COMPARE="gt"
+#CONDITION="-1"
+
+if [ -f "$LOCATION" ];then
+
+        RESULT=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' $LOCATION | grep "$KEYWORD.*$OPTION")
+	#above line is remove any comment in the configuration file and use grep to output a exit status
+	#if matched both $KEYWORD and $OPTION there is a success exit status: 0
+
+        if [ $? -eq 0 ];then
+	        if [ "$(echo $RESULT | tr "\t" "\n" | tr " " "\n" | sed -n "/$OPTION/p"| awk -F "=" '{printf $2}')" -$(echo $COMPARE) "$CONDITION" ];then
+                        exit 1
+	        fi
+        else
+                exit 1
+	fi
+
+fi

tests/check-postfix.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' -e 's/ //g' /etc/postfix/main.cf | grep inet_interfaces | awk -F '=' '{print $2}')" != "localhost" ];then
+        exit 1
+fi

tests/check-public-dir-owned.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+if [ $(find / -xdev -type d -perm -0002 -uid +499 -print | wc -l) -gt 0 ];then
+        exit 1
+fi

tests/check-removable.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+#for more detial to determine which sd is usb
+#http://unix.stackexchange.com/questions/60299/how-to-determine-which-sd-is-usb
+
+grep -Hv ^0$ /sys/block/*/removable | \
+sed s/removable:.*$/device\\/uevent/ | \
+xargs grep -H ^DRIVER=sd | \
+sed s/device.uevent.*$/size/ | \
+xargs grep -Hv ^0$ | \
+cut -d / -f 4 | \
+while read line ;do
+        if [ "$(mount | grep "$line" | wc -l)" != "$(mount | grep "$line.*noexec" | wc -l )" ];then
+                exit 1
+        fi
+done

tests/check-rhosts.sh

@@ -0,0 +1,23 @@
+HOSTS="/etc/hosts.equiv"
+
+if [ -f "$HOSTS" ];then
+        echo "Found hosts.equiv"
+        exit 1
+else
+        echo "hosts.equiv no found"
+fi
+if [ -f ~/.rhosts ];then
+        echo "Found .rhosts in /root"
+        exit 1
+else
+        echo ".rhosts no found in /root"
+fi
+for i in $(awk -F':' '{ if ( $3 >= 500 ) print $1 }' /etc/passwd);do
+        HOMEDIR=`eval "echo ~$i"`
+        if [ -f "$HOMEDIR/.rhosts" ];then
+                echo "Found .rhosts in $HOMEDIR"
+                exit 1
+        else
+                echo ".rhosts no found in $HOMEDIR"
+        fi 
+done

tests/check-root-uid.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+if [ $(awk -F: '($3 == 0) {print}' /etc/passwd | wc -l) -gt 1 ];then
+        exit 1
+else
+        if [ "$(awk -F: '($3 == 0) {print}' /etc/passwd | awk  -F ':' '{printf $1}')" == "root" ];then
+                exit 0
+	else 
+	        exit 1
+	fi
+fi

tests/check-rsyslog.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+case "$1" in
+
+        owned)
+                if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/rsyslog.conf | grep FileOwner | awk '{print $2}')" != "root" ];then
+                        exit 1
+                fi
+                sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/rsyslog.conf | sed  -e '/\$/d' | awk '{print $2}' | sed -e '/^:/d' -e '/|/d' -e 's/^-//g' -e '/^$/d' | \
+                while read line;do
+                        if [ -f $line ] && [ "$(ls -alh $line | awk '{print $3}')" != "root" ];then
+                                        exit 1
+                        fi
+                done
+        ;;
+        group-owned)
+                if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/rsyslog.conf | grep FileGroup | awk '{print $2}')" != "root" ];then
+                        exit 1
+                fi
+                sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/rsyslog.conf | sed  -e '/\$/d' | awk '{print $2}' | sed -e '/^:/d' -e '/|/d' -e 's/^-//g' -e '/^$/d' | \
+                while read line;do
+                        if [ -f $line ] && [ "$(ls -alh $line | awk '{print $4}')" != "root" ];then
+                                        exit 1
+                        fi
+                done
+        ;;
+        mode)
+                sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/rsyslog.conf | sed  -e '/\$/d' | awk '{print $2}' | sed -e '/^:/d' -e '/|/d' -e 's/^-//g' -e '/^$/d' | \
+                while read line;do
+                        bash check-mode.sh $line 600
+                        if [ $? -eq 1 ];then
+                                exit 1
+                        fi
+                done
+
+        ;;
+esac

tests/check-services.sh

@@ -0,0 +1,79 @@
+#!/bin/bash
+
+case $1 in
+        atd)
+                if service --status-all | grep "+.*atd";then
+                        exit 1
+                fi
+        ;;
+        avahi-daemon)
+                if service --status-all | grep "+.*avahi-daemon";then
+                        exit 1
+                fi
+        ;;
+        xinetd)
+                if service --status-all | grep "+.*xinetd";then
+                        exit 1
+                fi
+        ;;
+        telnetd)
+                if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/inetd.conf | grep telnet;then
+                        exit 1
+                fi
+        ;;
+        rshd)
+                if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/inetd.conf | grep rshd;then
+                        exit 1
+                fi
+        ;;
+        rexecd)
+                if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/inetd.conf | grep rexecd;then
+                        exit 1
+                fi
+        ;;
+        rlogind)
+                if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/inetd.conf | grep rlogind;then
+                        exit 1
+                fi
+        ;;
+        nis)
+                if service --status-all | grep "+.*\ nis$";then
+                        exit 1
+                fi
+        ;;
+        tftpd)
+                if sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/inetd.conf | grep tftpd;then
+                        exit 1
+                fi
+        ;;
+        cron)
+                if ! service --status-all | grep "+.*cron";then
+                        exit 1
+                fi
+        ;;
+        ntp)
+                if ! service --status-all | grep "+.*ntp";then
+                        exit 1
+                fi
+        ;;
+        postfix)
+                if ! service --status-all | grep "+.*postfix";then
+                        exit 1
+                fi
+        ;;
+        x11-common)
+                if service --status-all | grep "+.*x11-common";then
+                        exit 1
+                fi
+        ;;
+        bluetooth)
+                if service --status-all | grep "+.*bluetooth";then
+                        exit 1
+                fi
+        ;;
+        autofs)
+                if service --status-all | grep "+.*autofs";then
+                        exit 1
+                fi
+        ;;
+esac

tests/check-ssh-ciphers.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+FIPS="aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc"
+cipher=$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i "Ciphers")
+if [ $? -eq 0 ];then
+        echo $cipher | sed -e 's/Ciphers//' | tr "," "\n" | while read line;do
+                 if ! echo $FIPS | grep $line;then
+                         exit 1
+                 fi
+        done
+else
+        exit 1
+fi

tests/check-ssh.sh

@@ -0,0 +1,33 @@
+#!/bin/bash
+case $1 in
+        Protocol)
+                if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -w "^Protocol" | awk '{print $2}')" -ne 2 ];then
+                        exit 1
+                fi
+        ;;
+        rhosts)
+                if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i IgnoreRhosts | awk '{print $2}')" != "yes" ];then
+                        exit 1
+                fi
+        ;;
+        hostauth)
+                if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i HostbasedAuthentication | awk '{print $2}')" != "no" ];then
+                        exit 1
+                fi
+        ;;
+        permitroot)
+                if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitRootLogin | awk '{print $2}')" != "no" ];then
+                        exit 1
+                fi
+        ;;
+        emptypassword)
+                if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitEmptyPasswords | awk '{print $2}')" != "no" ];then
+                        exit 1
+                fi
+        ;;
+        emptypasswordenvironment)
+                if [ "$(sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i PermitEmptyPasswords | awk '{print $2}')" != "no" ];then
+                        exit 1
+                fi
+        ;;
+esac

tests/check-sticky-bit.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+if [ $(find / -xdev -type d -perm -002 \! -perm -1000 | wc -l) -gt 0 ];then
+        exit 1
+fi

tests/check-sudo.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+if grep -i "NOPASSWD" /etc/sudoers /etc/sudoers.d/* | sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' | grep -i "NOPASSWD";then
+        exit 1
+elif grep -i '!authenticate' /etc/sudoers /etc/sudoers.d/* | sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' | grep -i '!authenticate';then
+        exit 1
+fi

tests/check-sysctl.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+OPTION=$1
+COMPARE=$2
+CONDITION=$3
+
+if [ "$(sysctl $OPTION | awk '{print $3}')" -$(echo $COMPARE) "$CONDITION" ];then
+        exit 1
+fi

tests/check-uniq-names.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+if [ $(pwck -rq | wc -l ) -ne 0 ];then
+        exit 1
+fi

tests/check-world-writable.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+
+if [ "$(find / -xdev -type f -perm -002 | wc -l)" -ne 0 ];then
+        exit 1
+fi

tests/porting_log

@@ -0,0 +1,164 @@
+
+######CHANGE#######
+
+#RHEL-06-000008: Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
+#Change corresponding gpg key check to Debian compatible.
+
+#RHEL-06-000011: System security patches and updates must be installed and up-to-date.
+#Change corresponding update utility to Debian compatible.
+
+#RHEL-06-000017: The system must use a Linux Security Module at boot time.
+#Change the SElinux to AppArmor
+
+#RHEL-06-000030: The system must not have accounts configured with blank or null passwords.
+#RHEL-06-000274: The system must prohibit the reuse of passwords within twenty-four iterations.
+#Change /etc/pam.d/system-auth - CentOS/RHEL/Fedora/Red Hat/Scientific Linux pam config file.
+#To /etc/pam.d/common-password - Debian / Ubuntu Linux pam config file.
+#For more Detial http://www.cyberciti.biz/tips/linux-or-unix-disable-null-passwords.html
+
+#RHEL-06-000061:The system must disable accounts after three consecutive unsuccessful logon attempts.
+#Change pam_faillock.so pam module to use pam_tally2.so
+
+#RHEL-06-000065:The system boot loader configuration file(s) must be owned by root.
+#RHEL-06-000066:The system boot loader configuration file(s) must be group-owned by root.
+#RHEL-06-000067:The system boot loader configuration file(s) must have mode 0600 or less permissive.
+#Change /etc/grub.conf to /boot/grub/grub.cfg
+
+#RHEL-06-000068:The system boot loader must require authentication.
+#Change grub-crypt --sha-512 to grub-mkpasswd-pbkdf2 
+
+#RHEL-06-000278:The system package management tool must verify permissions on all files and directories associated with the audit package.
+#RHEL-06-000279:The system package management tool must verify ownership on all files and directories associated with the audit package.
+#RHEL-06-000280:The system package management tool must verify group-ownership on all files and directories associated with the audit package.
+#RHEL-06-000281:The system package management tool must verify contents of all files associated with the audit package.
+#For auditd package, to do what we wanna do in Debian there's something different, if you wanna get the packages default permission or owner(group-owner), or the packages'contents. You should use the "aptitude download <package-name>" to download it and use "dpkg -c <package.deb>" to read.
+#There's one file is very special,if you issue the command "dpkg -c audit*.deb" you will found the audit rules file is "/etc/audit/rules.d/audit.rules", but when you extract the deb package and read the "DEBIAN/postinst" you will find the auditd package copy the "/etc/audit/audit.d/audit.rules" file to "/etc/audit/audit.rules", so we could'n only use the "dpkg -c audit*.deb | awk '{print $6}' | sed -e 's/^.//g'" to get "ALL" the files we want to check.We should manually add the "/etc/audit/audit.rules" to check
+#And the directory we check also have one thing special, the "/usr/share/man", in Debian that directory have permission 0775 by default. but the package show the 0755, so I decided to check without this directory.
+#I use the sha512sum to do the files' content checking
+
+#RHEL-06-000286:The x86 Ctrl-Alt-Delete key sequence must be disabled.
+#In Debian 8 use systemd by default, you could use "systemctl mask ctrl-alt-del.target" to disable it by link to /dev/null
+
+#RHEL-06-000514:The RPM package management tool must cryptographically verify the authenticity of all software packages during installation.
+
+
+####DEPRECATED#####
+#RHEL-06-000009:The Red Hat Network Service (rhnsd) service must not be running, unless using RHN or an RHN Satellite.
+#DEPRECATED
+
+#RHEL-06-000069:The system must require authentication upon booting into single-user and maintenance modes.
+#DEPRECATED.
+#Debian and therefore Ubuntu both require root password when booting into single user mode or recovery mode. RHEL and CentOS allows access from the console into single user mode without a password.
+
+#RHEL-06-000070:The system must not permit interactive boot.
+#DEPRECATED.Don't find any interactive boot option in debian yet.
+
+#RHEL-06-000073:The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, console login prompts.
+#DEPRECATED
+
+#RHEL-06-000079:The system must limit the ability of processes to have simultaneous write and execute access to memory.
+#DEPRECATED
+#In debian 8 amd64, system enabled NX by default,and debian 8 i386 system use PAE by default
+
+#RHEL-06-000098:The IPv6 protocol handler must not be bound to the network stack unless needed.
+#Change ipv6 checking method and disable method.
+#Use /proc/net/if_inet6 to check if ipv6  is enabled
+#Use kernel boot option in Grub "ipv6.disable=1" to disable ipv6 permanently
+
+#RHEL-06-000103:The system must employ a local IPv6 firewall.
+#RHEL-06-000106:The operating system must connect to external networks or information systems only through managed IPv6 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
+#RHEL-06-000107:The operating system must prevent public IPv6 access into an organizations internal networks,except as appropriately mediated by managed interfaces employing boundary protection devices.
+#RHEL-06-000113:The system must employ a local IPv4 firewall.
+#RHEL-06-000116:The operating system must connect to external networks or information systems only through managed IPv4 interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
+#RHEL-06-000117:The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices.
+#DEPRECATED. Debian 8 enable iptables (both ipv4 and ipv6) by default
+
+#RHEL-06-000183:The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux).
+#Change SELinux to Apparmor
+
+#RHEL-06-000203:The xinetd service must be disabled if no network services utilizing it are enabled.
+#Using 'service --status-all | grep "xinetd" ' instead of chkconfig
+
+#RHEL-06-000211:The telnet daemon must not be running.
+#In Debian telnet service using inetd. You could disable it by comment the telnet line in the /etc/inetd.conf
+
+#RHEL-06-000214:The rshd service must not be running.
+#In Debian rshd service using inetd. You could disable it by comment the rshd line in the /etc/inetd.conf
+
+#RHEL-06-000216:The rexecd service must not be running.
+#In Debian rexecd service using inetd. You could disable it by comment the rexecd line in the /etc/inetd.conf
+
+#RHEL-06-000218:The rlogind service must not be running.
+#In Debian rlogind service using inetd. You could disable it by comment the rlogind line in the /etc/inetd.conf
+
+#RHEL-06-000220:The ypserv package must not be installed.
+#In Debian using nis package instead of ypserv package.
+
+#RHEL-06-000221:The ypbind service must not be running.
+#In Debian using nis service instead of ypbind service.
+
+#RHEL-06-000240:The SSH daemon must be configured with the Department of Defense (DoD) login banner.
+#DEPRECATED
+
+#RHEL-06-000247:The system clock must be synchronized continuously, or at least daily.
+#In debian use ntp instead of ntpd
+
+#RHEL-06-000248:The system clock must be synchronized to an authoritative DoD time source.
+#Changing `DoD` time source to trusted time source 
+
+#RHEL-06-000261:The Automatic Bug Reporting Tool (abrtd) service must not be running.
+#DEPRECATED.
+#Didn't find abrtd-like  tool in debian yet
+
+#RHEL-06-000265:The ntpdate service must not be running.
+#DEPRECATED
+#In Debian there's no running service "ntpdate", some of ntpdate's function is include in "ntp" so  DEPRECATED.
+
+#RHEL-06-000266:The oddjobd service must not be running.
+#DEPRECATED.Debian don't have oddjob service or package
+
+#RHEL-06-000267:The qpidd service must not be running.
+#Debian don't have qpidd service by default, in RHEL this service is selected by "base" package.
+
+#RHEL-06-000268:The rdisc service must not be running.
+#Debian don't have rdisc service by default
+
+#RHEL-06-000303:The operating system must employ automated mechanisms, per organization defined frequency, to detect the addition of unauthorized components/devices into the operating system.
+#RHEL-06-000304:The operating system must employ automated mechanisms to detect the presence of unauthorized software on organizational information systems and notify designated organizational officials in accordance with the organization defined frequency.
+#RHEL-06-000305:The operating system must provide a near real-time alert when any of the organization defined list of compromise or potential compromise indicators occurs.
+#RHEL-06-000306:The operating system must detect unauthorized changes to software and information.
+#RHEL-06-000307:The operating system must ensure unauthorized, security-relevant configuration changes detected are tracked.
+#In aide package employ automated mechanisms by default.(cron.daily)
+
+#RHEL-06-000324:A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
+
+#RHEL-06-000326:The Department of Defense (DoD) login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
+#RHEL-06-000344:The system default umask in /etc/profile must be 077.
+#RHEL-06-000343:The system default umask for the csh shell must be 077.
+#RHEL-06-000342:The system default umask for the bash shell must be 077.
+#RHEL-06-000348:The FTPS/FTP service on the system must be configured with the Department of Defense (DoD) login banner.
+
+#RHEL-06-000357:The system must disable accounts after excessive login failures within a 15-minute interval.
+
+
+
+
+
+#RHEL-06-000284:The system must use and update a DoD-approved virus scan program.
+#RHEL-06-000285:The system must have a host-based intrusion detection tool installed.
+
+
+
+####SHOULD-CHECK-ON-YOU-OWN####
+
+
+#RHEL-06-000289:The netconsole service must be disabled unless required.
+#Red Hat has netconsole init script. However, under Debian / Ubuntu Linux, you need to manually configure netconsole. Type the following command to start netconsole by loading kernel netconsole module
+#RHEL-06-000297:Temporary accounts must be provisioned with an expiration date.
+#RHEL-06-000298:Emergency accounts must be provisioned with an expiration date.
+#RHEL-06-000311:The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.
+#RHEL-06-000321:The system must provide VPN connectivity for communications over untrusted networks.
+#RHEL-06-000349:The system must be configured to require the use of a CAC, PIV compliant hardware token, or Alternate Logon Token (ALT) for authentication.
+#RHEL-06-000504:The operating system must conduct backups of user-level information contained in the operating system per organization defined frequency to conduct backups consistent with recovery time and recovery point objectives.
+#RHEL-06-000505:The operating system must conduct backups of system-level information contained in the information system per organization defined frequency to conduct backups that are consistent with recovery time and recovery point objectives.
+#RHEL-06-000524:The system must provide automated support for account management functions.

tests/undone_log

@@ -0,0 +1,27 @@
+RHEL-06-000013:The system package management tool must cryptographically verify the authenticity of system software packages during installation.
+RHEL-06-000015:The system package management tool must cryptographically verify the authenticity of all software packages during installation.
+RHEL-06-000020:The system must use a Linux Security Module configured to enforce limits on system services.
+RHEL-06-000023:The system must use a Linux Security Module configured to limit the privileges of system services.
+RHEL-06-000025:All device files must be monitored by the system Linux Security Module.
+
+RHEL-06-000252:If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
+RHEL-06-000253:The LDAP client must use a TLS connection using trust certificates signed by the site CA.
+RHEL-06-000257:The graphical desktop environment must set the idle timeout to no more than 15 minutes.
+RHEL-06-000258:The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment.
+RHEL-06-000259:The graphical desktop environment must have automatic lock enabled.
+RHEL-06-000260:The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
+RHEL-06-000292:The DHCP client must be disabled if not needed.
+RHEL-06-000324:A login banner must be displayed immediately prior to, or as part of, graphical desktop environment login prompts.
+RHEL-06-000527:The login user list must be disabled.
+
+
+RHEL-06-000340:The snmpd service must use only SNMP protocol version 3 or newer.
+RHEL-06-000341:The snmpd service must not use a default password.
+
+
+RHEL-06-000508:The system must allow locking of graphical desktop sessions.
+
+RHEL-06-000516:The system package management tool must verify ownership on all files and directories associated with packages.
+RHEL-06-000517:The system package management tool must verify group-ownership on all files and directories associated with packages.
+RHEL-06-000518:The system package management tool must verify permissions on all files and directories associated with packages.
+RHEL-06-000519:The system package management tool must verify contents of all files associated with packages.