
  1. #!/bin/bash
  2. #
  3. # .---. . .
  4. # | | |
  5. # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
  6. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
  7. # ' ' --' --' -' - -' ' ' -' -' -' ' - --'
  8. #
  9. # Freedom in the Cloud
  10. #
  11. # Run tests on the system
  12. # License
  13. # =======
  14. #
  15. # Copyright (C) 2015-2016 Bob Mottram <bob@freedombone.net>
  16. #
  17. # This program is free software: you can redistribute it and/or modify
  18. # it under the terms of the GNU Affero General Public License as published by
  19. # the Free Software Foundation, either version 3 of the License, or
  20. # (at your option) any later version.
  21. #
  22. # This program is distributed in the hope that it will be useful,
  23. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  24. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  25. # GNU Affero General Public License for more details.
  26. #
  27. # You should have received a copy of the GNU Affero General Public License
  28. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  # Name of the project whose scripts these tests exercise. It also keys the
  # gettext catalogue consulted for the translated $"..." strings below.
  PROJECT_NAME='freedombone'
  export TEXTDOMAIN="${PROJECT_NAME}-tests"
  export TEXTDOMAINDIR='/usr/share/locale'

  # Option state, empty until command-line handling later in the script sets it:
  # RUN_STIG       - whether to run the STIG tests
  # SHOW_ALL_TESTS - whether to show both passes and fails of STIG tests
  RUN_STIG=''
  SHOW_ALL_TESTS=''
  #######################################
  # Print the usage text for this script and exit successfully.
  # Globals:   PROJECT_NAME (read)
  # Arguments: none
  # Outputs:   usage text on stdout
  # Returns:   never returns; exits with status 0
  #######################################
  function show_help {
    # Blank lines are part of the layout, so they are emitted as empty entries
    local -a usage_lines=(
      ''
      $"${PROJECT_NAME}-tests"
      ''
      $'Runs tests on the system'
      ''
      $' --stig [yes|no] Run STIG tests'
      $' --help Show help'
      ''
    )
    printf '%s\n' "${usage_lines[@]}"
    exit 0
  }
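  #######################################
  # Check that one app script defines the interface function <fn_type>_<app>.
  # The app name is the part of the script's path after '-app-'.
  # Globals:   none written (the original leaked filename, fn_type, app_name
  #            and app_function into the global scope)
  # Arguments: $1 - path to the app script
  #            $2 - interface function prefix, e.g. install or backup_local
  # Outputs:   an explanatory message on stdout when the function is missing
  # Returns:   0 when the function is present; exits otherwise
  #######################################
  function test_app_function_type {
    local filename=$1
    local fn_type=$2
    local app_name app_function
    # Text after the first '-app-' in the path (same split the original used)
    app_name=$(awk -F '-app-' '{print $2}' <<<"$filename")
    # Look for the literal definition line 'function <fn_type>_<app_name> {'.
    # grep reads the file directly (no cat pipe) and -F keeps any unusual
    # characters in the app name from being read as a regular expression.
    app_function=$(grep -F -- "function ${fn_type}_${app_name} {" "$filename" | awk -F "${fn_type}_" '{print $2}' | awk -F ' ' '{print $1}')
    if [[ -z "$app_function" ]]; then
      echo $"Application ${app_name} does not contain a function called '${fn_type}_${app_name}'"
      echo ''
      echo "See ${filename}"
      # Kept from the original; note the shell truncates exit codes to 8 bits
      exit 72852
    fi
  }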
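  #######################################
  # Verify that every installed app script defines the full app interface.
  # Skipped when STIG tests were requested, as in the original.
  # Globals:   RUN_STIG, PROJECT_NAME (read); FILES is no longer leaked
  # Arguments: none
  # Outputs:   error text from test_app_function_type when a function is missing
  # Returns:   0 when every script passes; exits via test_app_function_type
  #            on the first missing function
  #######################################
  function test_app_functions {
    if [[ -n "$RUN_STIG" ]]; then
      return
    fi
    # Functions every app script is expected to implement
    local -a interface_functions=( install remove backup_local backup_remote restore_local restore_remote upgrade reconfigure )
    local filename f
    # Let the shell expand the glob directly rather than word-splitting a
    # string. If nothing matches, the literal pattern is passed on and is
    # reported as a missing function, which keeps the original failure mode
    # for a system with no app scripts installed.
    for filename in /usr/share/"${PROJECT_NAME}"/apps/"${PROJECT_NAME}"-app-*; do
      for f in "${interface_functions[@]}"; do
        test_app_function_type "$filename" "$f"
      done
    done
  }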
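  #######################################
  # Check that no two app scripts assign the same onion port.
  # Skipped when STIG tests were requested, as in the original.
  # Globals:   RUN_STIG, PROJECT_NAME (read); FILES is no longer leaked
  # Arguments: none
  # Outputs:   the *_ONION_PORT assignments on stdout when a clash is found
  # Returns:   0 when all ports are distinct; exits otherwise
  #######################################
  function test_unique_onion_ports {
    if [[ -n "$RUN_STIG" ]]; then
      return
    fi
    # App scripts are read from the source tree relative to the current directory
    local -a app_files=( src/"${PROJECT_NAME}"-app-* )
    local assignments ports unique_ports
    # One line per distinct (file, VAR=port) pair. The original used uniq,
    # which only folds adjacent duplicates; sort -u does not depend on order.
    assignments=$(grep -H -- "_ONION_PORT=" "${app_files[@]}" | LC_ALL=C sort -u | awk -F ':' '{print $2}')
    # The original compared the port list with its own uniq output, so a port
    # reused in a non-adjacent file was never detected. Sorting first makes
    # every repeat adjacent, and sort -u then drops exactly the repeats.
    ports=$(awk -F '=' '{print $2}' <<<"$assignments" | LC_ALL=C sort)
    unique_ports=$(LC_ALL=C sort -u <<<"$ports")
    if [[ "$ports" != "$unique_ports" ]]; then
      echo $'Some onion ports are clashing'
      printf '%s\n' "$assignments"
      exit 637252
    fi
  }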
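  #######################################
  # Print one coloured PASS/FAIL line for a STIG check.
  # Globals:   none written (the original leaked ESTATUS, RED, BOLD, GREEN,
  #            NORMAL and MSG into the global scope)
  # Arguments: $1 - exit status of the check; only a numeric 0 is a pass, an
  #                 empty or non-numeric value is reported as a failure
  #            $2 - description of the check
  # Outputs:   "[ PASS ] <msg>" or "[ FAIL ] <msg>" on stdout, colourised when
  #            tput can supply the escape sequences
  # Returns:   0
  #######################################
  function stig_log_msg {
    local status=$1
    local msg=$2
    local red bold green normal
    # tput prints an error and no sequence when TERM is unset or lacks the
    # capability; keep that noise off the report and fall back to plain text.
    red=$(tput setaf 1 2>/dev/null)
    bold=$(tput bold 2>/dev/null)
    green=$(tput setaf 2 2>/dev/null)
    normal=$(tput sgr0 2>/dev/null)
    # Numeric guard keeps an empty or garbage status on the FAIL path, as the
    # original [ $ESTATUS -eq 0 ] did by failing its integer test.
    if [[ "$status" =~ ^[0-9]+$ ]] && (( status == 0 )); then
      printf '%s %s\n' "${green}${bold}[ PASS ]${normal}" "$msg"
    else
      printf '%s %s\n' "${red}${bold}[ FAIL ]${normal}" "$msg"
    fi
  }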
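  #######################################
  # Wait for a background check to finish, then hand back its exit status.
  # Globals:   none
  # Arguments: $1 - PID of a background job started by this shell
  # Outputs:   a space and a backspace on stdout once the job has finished
  # Returns:   the exit status of the waited-for job
  #######################################
  function stig_spinner {
    local pid=$1
    local delay=0.1
    # kill -0 probes exactly this PID. The original grep over `ps -a` output
    # was a substring match (pid 12 also matched 120 or 1234) and ps -a only
    # lists processes that own a terminal, so it could stop polling early or
    # keep polling for an unrelated process.
    while kill -0 "$pid" 2>/dev/null; do
      sleep "$delay"
    done
    printf ' \b'
    # wait is what actually yields the job's exit status to the caller
    wait "$pid"
  }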
  115. function test_stig {
  116. if [ ! $RUN_STIG ]; then
  117. return
  118. fi
  119. STIG_TESTS_DIR=tests
  120. if [ ! -d $STIG_TESTS_DIR ]; then
  121. STIG_TESTS_DIR=~/${PROJECT_NAME}/tests
  122. if [ ! -d $STIG_TESTS_DIR ]; then
  123. echo $'No tests were found'
  124. exit 62725
  125. fi
  126. fi
  127. CATCOLOR=1
  128. SETLANG="en"
  129. source $STIG_TESTS_DIR/output.sh
  130. ##RHEL-06-000001
  131. ##The system must use a separate file system for /tmp.
  132. mount | grep "on /tmp " >/dev/null 2>&1 &
  133. stig_spinner $!
  134. output "V-38455" $? ${SETLANG}
  135. ################
  136. ##RHEL-06-000008
  137. ##Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
  138. bash $STIG_TESTS_DIR/check-apt-key.sh >/dev/null 2>&1 &
  139. stig_spinner $!
  140. output "V-38476" $? ${SETLANG}
  141. ################
  142. ##RHEL-06-000016
  143. ##A file integrity tool must be installed.
  144. dpkg -s tripwire >/dev/null 2>&1 &
  145. stig_spinner $!
  146. output "V-38489" $? ${SETLANG}
  147. ################
  148. ##RHEL-06-000019
  149. ##There must be no .rhosts or hosts.equiv files on the system.
  150. bash $STIG_TESTS_DIR/check-rhosts.sh > /dev/null 2>&1 &
  151. stig_spinner $!
  152. output "V-38491" $? ${SETLANG}
  153. ################
  154. ##RHEL-06-000027
  155. ##The system must prevent the root account from logging in from virtual consoles.
  156. bash $STIG_TESTS_DIR/check-consoles.sh virtual > /dev/null 2>&1 &
  157. stig_spinner $!
  158. output "V-38492" $? ${SETLANG}
  159. ################
  160. ##RHEL-06-000028
  161. ##The system must prevent the root account from logging in from serial consoles.
  162. bash $STIG_TESTS_DIR/check-consoles.sh serial > /dev/null 2>&1 &
  163. stig_spinner $!
  164. output "V-38494" $? ${SETLANG}
  165. ################
  166. ##RHEL-06-000029
  167. ##Default operating system accounts, other than root, must be locked.
  168. bash $STIG_TESTS_DIR/check-default-account.sh > /dev/null 2>&1 &
  169. stig_spinner $!
  170. output "V-38496" $? ${SETLANG}
  171. ################
  172. ##RHEL-06-000031
  173. ##The /etc/passwd file must not contain password hashes.
  174. awk -F: '($2 != "x") {print; err=1} END {exit err}' /etc/passwd > /dev/null 2>&1 &
  175. stig_spinner $!
  176. output "V-38499" $? ${SETLANG}
  177. ################
  178. ##RHEL-06-000032
  179. ##The root account must be the only account having a UID of 0.
  180. bash $STIG_TESTS_DIR/check-root-uid.sh > /dev/null 2>&1 &
  181. stig_spinner $!
  182. output "V-38500" $? ${SETLANG}
  183. ################
  184. ##RHEL-06-000033
  185. ##The /etc/shadow file must be owned by root.
  186. ls -l /etc/shadow | awk '{print $3}' | grep "^root$" > /dev/null 2>&1 &
  187. stig_spinner $!
  188. output "V-38502" $? ${SETLANG}
  189. ################
  190. ##RHEL-06-000034
  191. ##The /etc/shadow file must be group-owned by root.
  192. ls -l /etc/shadow | awk '{print $4}' | grep "^root$" > /dev/null 2>&1 &
  193. stig_spinner $!
  194. output "V-38503" $? ${SETLANG}
  195. ################
  196. ##RHEL-06-000035
  197. ##The /etc/shadow file must have mode 0000.
  198. ls -l /etc/shadow | awk '{print $1}' | grep "^----------$" > /dev/null 2>&1 &
  199. stig_spinner $!
  200. output "V-38504" $? ${SETLANG}
  201. ################
  202. ##RHEL-06-000036
  203. ##The /etc/gshadow file must be owned by root.
  204. ls -l /etc/gshadow | awk '{print $3}' | grep "^root$" > /dev/null 2>&1 &
  205. stig_spinner $!
  206. output "V-38443" $? ${SETLANG}
  207. ################
  208. ##RHEL-06-000037
  209. ##The /etc/gshadow file must be group-owned by root.
  210. ls -l /etc/gshadow | awk '{print $4}' | grep "^root$" > /dev/null 2>&1 &
  211. stig_spinner $!
  212. output "V-38448" $? ${SETLANG}
  213. ################
  214. ##RHEL-06-000038
  215. ##The /etc/gshadow file must have mode 0000.
  216. ls -l /etc/gshadow | awk '{print $1}' | grep "^----------$" > /dev/null 2>&1 &
  217. stig_spinner $!
  218. output "V-38449" $? ${SETLANG}
  219. ################
  220. ##RHEL-06-000039
  221. ##The /etc/passwd file must be owned by root.
  222. ls -l /etc/passwd | awk '{print $3}' | grep "^root$" > /dev/null 2>&1 &
  223. stig_spinner $!
  224. output "V-38450" $? ${SETLANG}
  225. ################
  226. ##RHEL-06-000040
  227. ##The /etc/passwd file must be group-owned by root.
  228. ls -l /etc/passwd | awk '{print $4}' | grep "^root$" > /dev/null 2>&1 &
  229. stig_spinner $!
  230. output "V-38451" $? ${SETLANG}
  231. ################
  232. ##RHEL-06-000041
  233. ##The /etc/passwd file must have mode 0644 or less permissive.
  234. bash $STIG_TESTS_DIR/check-mode.sh /etc/passwd 644 > /dev/null 2>&1 &
  235. stig_spinner $!
  236. output "V-38457" $? ${SETLANG}
  237. ################
  238. ##RHEL-06-000042
  239. ##The /etc/group file must be owned by root.
  240. ls -l /etc/group | awk '{print $3}' | grep "^root$" > /dev/null 2>&1 &
  241. stig_spinner $!
  242. output "V-38458" $? ${SETLANG}
  243. ################
  244. ##RHEL-06-000043
  245. ##The /etc/group file must be group-owned by root.
  246. ls -l /etc/group | awk '{print $4}' | grep "^root$" > /dev/null 2>&1 &
  247. stig_spinner $!
  248. output "V-38459" $? ${SETLANG}
  249. ################
  250. ##RHEL-06-000044
  251. ##The /etc/group file must have mode 0644 or less permissive.
  252. bash $STIG_TESTS_DIR/check-mode.sh "/etc/group" 644 > /dev/null 2>&1 &
  253. stig_spinner $!
  254. output "V-38461" $? ${SETLANG}
  255. ################
  256. ##RHEL-06-000045
  257. ##Library files must have mode 0755 or less permissive.
  258. bash $STIG_TESTS_DIR/check-libs-mode.sh > /dev/null 2>&1 &
  259. stig_spinner $!
  260. output "V-38465" $? ${SETLANG}
  261. ################
  262. ##RHEL-06-000046
  263. ##Library files must be owned by root.
  264. bash $STIG_TESTS_DIR/check-libs-owner.sh > /dev/null 2>&1 &
  265. stig_spinner $!
  266. output "V-38466" $? ${SETLANG}
  267. ################
  268. ##RHEL-06-000047
  269. ##All system command files must have mode 755 or less permissive.
  270. bash $STIG_TESTS_DIR/check-cmd-mode.sh > /dev/null 2>&1 &
  271. stig_spinner $!
  272. output "V-38469" $? ${SETLANG}
  273. ################
  274. ##RHEL-06-000048
  275. ##All system command files must be owned by root.
  276. bash $STIG_TESTS_DIR/check-cmd-owner.sh > /dev/null 2>&1 &
  277. stig_spinner $!
  278. output "V-38472" $? ${SETLANG}
  279. ################
  280. ##RHEL-06-000061
  281. ##The system must disable accounts after ten consecutive unsuccessful logon attempts.
  282. bash $STIG_TESTS_DIR/check-password.sh /etc/pam.d/common-auth pam_tally deny gt 10 > /dev/null 2>&1 &
  283. stig_spinner $!
  284. output "V-38573" $? ${SETLANG}
  285. ################
  286. ##RHEL-06-000062
  287. ##The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth).
  288. sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/pam.d/* | grep password | grep pam_unix.so | grep sha512 > /dev/null 2>&1 &
  289. stig_spinner $!
  290. output "V-38574" $? ${SETLANG}
  291. ################
  292. ##RHEL-06-000063
  293. ##The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs).
  294. sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/login.defs | grep "ENCRYPT_METHOD.*SHA512" > /dev/null 2>&1 &
  295. stig_spinner $!
  296. output "V-38576" $? ${SETLANG}
  297. ################
  298. ##RHEL-06-000064
  299. ##The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf).
  300. bash $STIG_TESTS_DIR/check-depends.sh > /dev/null 2>&1 &
  301. stig_spinner $!
  302. output "V-38577" $? ${SETLANG}
  303. ################
  304. ##RHEL-06-000071
  305. ##The system must allow locking of the console screen in text mode.
  306. dpkg -s screen >/dev/null 2>&1 &
  307. stig_spinner $!
  308. output "V-38590" $? ${SETLANG}
  309. ################
  310. ##RHEL-06-000078
  311. ##The system must implement virtual address space randomization.
  312. bash $STIG_TESTS_DIR/check-sysctl.sh kernel.randomize_va_space ne 2 >/dev/null 2>&1 &
  313. stig_spinner $!
  314. output "V-38596" $? ${SETLANG}
  315. ################
  316. ##RHEL-06-000080
  317. ##The system must not send ICMPv4 redirects by default.
  318. bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.conf.default.send_redirects ne 0 >/dev/null 2>&1 &
  319. stig_spinner $!
  320. output "V-38600" $? ${SETLANG}
  321. ################
  322. ##RHEL-06-000081
  323. ##The system must not send ICMPv4 redirects from any interface.
  324. bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.conf.all.send_redirects ne 0 >/dev/null 2>&1 &
  325. stig_spinner $!
  326. output "V-38601" $? ${SETLANG}
  327. ################
  328. ##RHEL-06-000082
  329. ##IP forwarding for IPv4 must not be enabled, unless the system is a router.
  330. bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.ip_forward ne 0 >/dev/null 2>&1 &
  331. stig_spinner $!
  332. output "V-38511" $? ${SETLANG}
  333. ################
  334. ##RHEL-06-000083
  335. ##The system must not accept IPv4 source-routed packets on any interface.
  336. bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.conf.all.accept_source_route ne 0 >/dev/null 2>&1 &
  337. stig_spinner $!
  338. output "V-38523" $? ${SETLANG}
  339. ################
  340. ##RHEL-06-000084
  341. ##The system must not accept ICMPv4 redirect packets on any interface.
  342. bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.conf.all.accept_redirects ne 0 >/dev/null 2>&1 &
  343. stig_spinner $!
  344. output "V-38524" $? ${SETLANG}
  345. ################
  346. ##RHEL-06-000086
  347. ##The system must not accept ICMPv4 secure redirect packets on any interface.
  348. bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.conf.all.secure_redirects ne 0 >/dev/null 2>&1 &
  349. stig_spinner $!
  350. output "V-38526" $? ${SETLANG}
  351. ################
  352. ##RHEL-06-000089
  353. ##The system must not accept IPv4 source-routed packets by default.
  354. bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.conf.default.accept_source_route ne 0 >/dev/null 2>&1 &
  355. stig_spinner $!
  356. output "V-38529" $? ${SETLANG}
  357. ################
  358. ##RHEL-06-000090
  359. ##The system must not accept ICMPv4 secure redirect packets by default.
  360. bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.conf.default.secure_redirects ne 0 >/dev/null 2>&1 &
  361. stig_spinner $!
  362. output "V-38532" $? ${SETLANG}
  363. ################
  364. ##RHEL-06-000091
  365. ##The system must ignore ICMPv4 redirect messages by default.
  366. bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.conf.default.accept_redirects ne 0 >/dev/null 2>&1 &
  367. stig_spinner $!
  368. output "V-38533" $? ${SETLANG}
  369. ################
  370. ##RHEL-06-000092
  371. ##The system must not respond to ICMPv4 sent to a broadcast address.
  372. bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.icmp_echo_ignore_broadcasts ne 1 >/dev/null 2>&1 &
  373. stig_spinner $!
  374. output "V-38535" $? ${SETLANG}
  375. ################
  376. ##RHEL-06-000093
  377. ##The system must ignore ICMPv4 bogus error responses.
  378. bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.icmp_ignore_bogus_error_responses ne 1 >/dev/null 2>&1 &
  379. stig_spinner $!
  380. output "V-38537" $? ${SETLANG}
  381. ################
  382. ##RHEL-06-000095
  383. ##The system must be configured to use TCP syncookies when experiencing a TCP SYN flood.
  384. bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.tcp_syncookies ne 1 >/dev/null 2>&1 &
  385. stig_spinner $!
  386. output "V-38539" $? ${SETLANG}
  387. ################
  388. ##RHEL-06-000096
  389. ##The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces.
  390. bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.conf.all.rp_filter ne 1 >/dev/null 2>&1 &
  391. stig_spinner $!
  392. output "V-38542" $? ${SETLANG}
  393. ################
  394. ##RHEL-06-000097
  395. ##The system must use a reverse-path filter for IPv4 network traffic when possible by default.
  396. bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv4.conf.default.rp_filter ne 1 >/dev/null 2>&1 &
  397. stig_spinner $!
  398. output "V-38544" $? ${SETLANG}
  399. ################
  400. ##RHEL-06-000099
  401. ##The system must ignore ICMPv6 redirects by default.
  402. ##If IPv6 is disabled, this is not applicable.
  403. if [ -a /proc/net/if_inet6 ];then
  404. bash $STIG_TESTS_DIR/check-sysctl.sh net.ipv6.conf.default.accept_redirects ne 1 >/dev/null 2>&1 &
  405. stig_spinner $!
  406. output "V-38548" $? ${SETLANG}
  407. fi
  408. ################
  409. ##RHEL-06-000120
  410. ##The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound
  411. iptables -L INPUT | head -n1 | grep "INPUT.*DROP" >/dev/null 2>&1 &
  412. stig_spinner $!
  413. output "V-38513" $? ${SETLANG}
  414. ################
  415. ##RHEL-06-000138
  416. ##System logs must be rotated daily.
  417. bash $STIG_TESTS_DIR/check-logrotate.sh >/dev/null 2>&1 &
  418. stig_spinner $!
  419. output "V-38624" $? ${SETLANG}
  420. ################
  421. ##RHEL-06-000203
  422. ##The xinetd service must be disabled if no network services utilizing it are enabled.
  423. bash $STIG_TESTS_DIR/check-services.sh xinetd >/dev/null 2>&1 &
  424. stig_spinner $!
  425. output "V-38582" $? ${SETLANG}
  426. ################
  427. ##RHEL-06-000204
  428. ##The xinetd service must be uninstalled if no network services utilizing it are enabled.
  429. bash $STIG_TESTS_DIR/check-packages.sh xinetd >/dev/null 2>&1 &
  430. stig_spinner $!
  431. output "V-38584" $? ${SETLANG}
  432. ################
  433. ##RHEL-06-000206
  434. ##The telnet-server package must not be installed.
  435. bash $STIG_TESTS_DIR/check-packages.sh telnetd >/dev/null 2>&1 &
  436. stig_spinner $!
  437. output "V-38587" $? ${SETLANG}
  438. ################
  439. ##RHEL-06-000211
  440. ##The telnet daemon must not be running.
  441. bash $STIG_TESTS_DIR/check-services.sh telnetd >/dev/null 2>&1 &
  442. stig_spinner $!
  443. output "V-38589" $? ${SETLANG}
  444. ################
  445. ##RHEL-06-000213
  446. ##The rsh-server package must not be installed.
  447. bash $STIG_TESTS_DIR/check-packages.sh rsh-server >/dev/null 2>&1 &
  448. stig_spinner $!
  449. output "V-38591" $? ${SETLANG}
  450. ################
  451. ##RHEL-06-000214
  452. ##The rshd service must not be running.
  453. bash $STIG_TESTS_DIR/check-services.sh rshd >/dev/null 2>&1 &
  454. stig_spinner $!
  455. output "V-38594" $? ${SETLANG}
  456. ################
  457. ##RHEL-06-000216
  458. ##The rexecd service must not be running.
  459. bash $STIG_TESTS_DIR/check-services.sh rexecd >/dev/null 2>&1 &
  460. stig_spinner $!
  461. output "V-38598" $? ${SETLANG}
  462. ################
  463. ##RHEL-06-000218
  464. ##The rlogind service must not be running.
  465. bash $STIG_TESTS_DIR/check-services.sh rlogind >/dev/null 2>&1 &
  466. stig_spinner $!
  467. output "V-38602" $? ${SETLANG}
  468. ################
  469. ##RHEL-06-000220
  470. ##The NIS(ypserv) package must not be installed.
  471. bash $STIG_TESTS_DIR/check-packages.sh nis >/dev/null 2>&1 &
  472. stig_spinner $!
  473. output "V-38603" $? ${SETLANG}
  474. ################
  475. ##RHEL-06-000221
  476. ##The nis(ypbind) service must not be running.
  477. bash $STIG_TESTS_DIR/check-services.sh nis >/dev/null 2>&1 &
  478. stig_spinner $!
  479. output "V-38604" $? ${SETLANG}
  480. ################
  481. ##RHEL-06-000224
  482. ##The cron service must be running.
  483. bash $STIG_TESTS_DIR/check-services.sh cron >/dev/null 2>&1 &
  484. stig_spinner $!
  485. output "V-38605" $? ${SETLANG}
  486. ################
  487. ##RHEL-06-000227
  488. ##The SSH daemon must be configured to use only the SSHv2 protocol.
  489. bash $STIG_TESTS_DIR/check-ssh.sh Protocol >/dev/null 2>&1 &
  490. stig_spinner $!
  491. output "V-38607" $? ${SETLANG}
  492. ################
  493. ##RHEL-06-000230
  494. ##The SSH daemon must set a timeout interval on idle sessions.
  495. sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep "ClientAliveInterval" >/dev/null 2>&1 &
  496. stig_spinner $!
  497. output "V-38608" $? ${SETLANG}
  498. ################
  499. ##RHEL-06-000231
  500. ##The SSH daemon must set a timeout count on idle sessions.
  501. sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep "ClientAliveCountMax" >/dev/null 2>&1 &
  502. stig_spinner $!
  503. output "V-38610" $? ${SETLANG}
  504. ################
  505. ##RHEL-06-000234
  506. ##The SSH daemon must ignore .rhosts files.
  507. bash $STIG_TESTS_DIR/check-ssh.sh rhosts >/dev/null 2>&1 &
  508. stig_spinner $!
  509. output "V-38611" $? ${SETLANG}
  510. ################
  511. ##RHEL-06-000236
  512. ##The SSH daemon must not allow host-based authentication.
  513. bash $STIG_TESTS_DIR/check-ssh.sh hostauth >/dev/null 2>&1 &
  514. stig_spinner $!
  515. output "V-38612" $? ${SETLANG}
  516. ################
  517. ##RHEL-06-000237
  518. ##The system must not permit root logins using remote access programs such as ssh.
  519. bash $STIG_TESTS_DIR/check-ssh.sh permitroot >/dev/null 2>&1 &
  520. stig_spinner $!
  521. output "V-38613" $? ${SETLANG}
  522. ################
  523. ##RHEL-06-000239
  524. ##The SSH daemon must not allow authentication using an empty password.
  525. bash $STIG_TESTS_DIR/check-ssh.sh emptypassword >/dev/null 2>&1 &
  526. stig_spinner $!
  527. output "V-38615" $? ${SETLANG}
  528. ################
  529. ##RHEL-06-000241
  530. ##The SSH daemon must not permit user environment settings.
  531. bash $STIG_TESTS_DIR/check-ssh.sh emptypasswordenvironment >/dev/null 2>&1 &
  532. stig_spinner $!
  533. output "V-38616" $? ${SETLANG}
  534. ################
  535. ##RHEL-06-000247
  536. ##The system clock must be synchronized continuously, or at least daily.
  537. bash $STIG_TESTS_DIR/check-services.sh ntp >/dev/null 2>&1 &
  538. stig_spinner $!
  539. output "V-38620" $? ${SETLANG}
  540. ################
  541. ##RHEL-06-000248
  542. ##The system clock must be synchronized to an authoritative time source.
  543. bash $STIG_TESTS_DIR/check-ntp-sources.sh >/dev/null 2>&1 &
  544. stig_spinner $!
  545. output "V-38621" $? ${SETLANG}
  546. ################
  547. ##RHEL-06-000252
  548. ##If the system is using LDAP for authentication or account information, the system must use a TLS connection using FIPS 140-2 approved cryptographic algorithms.
  549. #Waiting to figure out
  550. #stig_spinner $!
  551. #output "V-38625" $? ${SETLANG}
  552. ################
  553. ##RHEL-06-000253
  554. ##The LDAP client must use a TLS connection using trust certificates signed by the site CA.
  555. #Waiting to figure out
  556. #stig_spinner $!
  557. #output "V-38626" $? ${SETLANG}
  558. ################
  559. ##RHEL-06-000256
  560. ##The openldap-servers package must not be installed unless required.
  561. bash $STIG_TESTS_DIR/check-packages.sh sldap>/dev/null 2>&1 &
  562. stig_spinner $!
  563. output "V-38627" $? ${SETLANG}
  564. ################
  565. ##RHEL-06-000257
  566. ##The graphical desktop environment must set the idle timeout to no more than 15 minutes.
  567. #stig_spinner $!
  568. #output "V-38629" $? ${SETLANG}
  569. ################
  570. ##RHEL-06-000258
  571. ##The graphical desktop environment must automatically lock after 15 minutes of inactivity and the system must require user reauthentication to unlock the environment.
  572. #stig_spinner $!
  573. #output "V-38630" $? ${SETLANG}
  574. ################
  575. ##RHEL-06-000259
  576. ##The graphical desktop environment must have automatic lock enabled.
  577. #stig_spinner $!
  578. #output "V-38638" $? ${SETLANG}
  579. ################
  580. ##RHEL-06-000260
  581. ##The system must display a publicly-viewable pattern during a graphical desktop environment session lock.
  582. #stig_spinner $!
  583. #output "V-38639" $? ${SETLANG}
  584. ################
  585. ##RHEL-06-000262
  586. ##The atd service must be disabled.
  587. bash $STIG_TESTS_DIR/check-services.sh atd >/dev/null 2>&1 &
  588. stig_spinner $!
  589. output "V-38641" $? ${SETLANG}
  590. ################
  591. ##RHEL-06-000269
  592. ##Remote file systems must be mounted with the nodev option.
  593. if [ "$(mount | grep nfs | wc -l)" -gt 0 ];then
  594. bash $STIG_TESTS_DIR/check-nfs.sh nodev >/dev/null 2>&1 &
  595. stig_spinner $!
  596. output "V-38652" $? ${SETLANG}
  597. fi
  598. ################
  599. ##RHEL-06-000270
  600. ##Remote file systems must be mounted with the nosuid option.
  601. if [ "$(mount | grep nfs | wc -l)" -gt 0 ];then
  602. bash $STIG_TESTS_DIR/check-nfs.sh nosuid >/dev/null 2>&1 &
  603. stig_spinner $!
  604. output "V-38654" $? ${SETLANG}
  605. fi
  606. ################
  607. ##RHEL-06-000271
  608. ##The noexec option must be added to removable media partitions.
  609. if [ "$(grep -Hv ^0$ /sys/block/*/removable | sed s/removable:.*$/device\\/uevent/ | xargs grep -H ^DRIVER=sd | sed s/device.uevent.*$/size/ | xargs grep -Hv ^0$ | cut -d / -f 4 | wc -l)" -gt 0 ];then
  610. bash $STIG_TESTS_DIR/check-removable.sh >/dev/null 2>&1 &
  611. stig_spinner $!
  612. output "V-38655" $? ${SETLANG}
  613. fi
  614. ################
  615. ##RHEL-06-000272
  616. ##The system must use SMB client signing for connecting to samba servers using smbclient.
  617. bash $STIG_TESTS_DIR/check-depends.sh smb-signing >/dev/null 2>&1 &
  618. stig_spinner $!
  619. output "V-38656" $? ${SETLANG}
  620. ################
  621. ##RHEL-06-000273
  622. ##The system must use SMB client signing for connecting to samba servers using mount.cifs.
  623. bash $STIG_TESTS_DIR/check-depends.sh smb-sec >/dev/null 2>&1 &
  624. stig_spinner $!
  625. output "V-38657" $? ${SETLANG}
  626. ################
  627. ##RHEL-06-000282
  628. ##There must be no world-writable files on the system.
  629. bash $STIG_TESTS_DIR/check-world-writable.sh >/dev/null 2>&1 &
  630. stig_spinner $!
  631. output "V-38643" $? ${SETLANG}
  632. ################
  633. ##RHEL-06-000286
  634. ##The x86 Ctrl-Alt-Delete key sequence must be disabled.
  635. bash $STIG_TESTS_DIR/check-ctrl-alt-del.sh >/dev/null 2>&1 &
  636. stig_spinner $!
  637. output "V-38668" $? ${SETLANG}
  638. ################
  639. ##RHEL-06-000288
  640. ##The sendmail package must be removed.
  641. bash $STIG_TESTS_DIR/check-packages.sh sendmail >/dev/null 2>&1 &
  642. stig_spinner $!
  643. output "V-38671" $? ${SETLANG}
  644. ################
  645. ##RHEL-06-000290
  646. ##X Windows must not be enabled unless required.
  647. bash $STIG_TESTS_DIR/check-services.sh x11-common >/dev/null 2>&1 &
  648. stig_spinner $!
  649. output "V-38674" $? ${SETLANG}
  650. ################
  651. ##RHEL-06-000302
  652. ##A file integrity tool must be used at least weekly to check for unauthorized file changes, particularly the addition of unauthorized system libraries or binaries, or for unauthorized modification to authorized system libraries or binaries.
  653. bash $STIG_TESTS_DIR/check-aide-cron.sh > /dev/null 2>&1 &
  654. stig_spinner $!
  655. output "V-38695" $? ${SETLANG}
  656. ################
  657. ##RHEL-06-000308
  658. ##Process core dumps must be disabled unless needed.
  659. bash $STIG_TESTS_DIR/check-limits.sh core-dumps > /dev/null 2>&1 &
  660. stig_spinner $!
  661. output "V-38675" $? ${SETLANG}
  662. ################
  663. ##RHEL-06-000309
  664. ##The NFS server must not have the insecure file locking option enabled.
  665. bash $STIG_TESTS_DIR/check-nfs-insecure.sh > /dev/null 2>&1 &
  666. stig_spinner $!
  667. output "V-38677" $? ${SETLANG}
  668. ################
  669. ##RHEL-06-000319
  670. ##The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
  671. bash $STIG_TESTS_DIR/check-limits.sh maxlogins > /dev/null 2>&1 &
  672. stig_spinner $!
  673. output "V-38684" $? ${SETLANG}
  674. ################
  675. ##RHEL-06-000320
  676. ##The systems local firewall must implement a deny-all, allow-by-exception policy for forwarded packets.
  677. iptables -L FORWARD | head -n1 | grep "FORWARD.*DROP" >/dev/null 2>&1 &
  678. stig_spinner $!
  679. output "V-38686" $? ${SETLANG}
  680. ################
  681. ##RHEL-06-000331
  682. ##The Bluetooth service must be disabled.
  683. bash $STIG_TESTS_DIR/check-services.sh bluetooth >/dev/null 2>&1 &
  684. stig_spinner $!
  685. output "V-38691" $? ${SETLANG}
  686. ################
  687. ##RHEL-06-000336
  688. ##The sticky bit must be set on all public directories.
  689. bash $STIG_TESTS_DIR/check-sticky-bit.sh >/dev/null 2>&1 &
  690. stig_spinner $!
  691. output "V-38697" $? ${SETLANG}
  692. ################
  693. ##RHEL-06-000337
  694. ##All public directories must be owned by a system account.
  695. bash $STIG_TESTS_DIR/check-public-dir-owned.sh >/dev/null 2>&1 &
  696. stig_spinner $!
  697. output "V-38699" $? ${SETLANG}
  698. ################
  699. ##RHEL-06-000345
  700. ##The system default umask in /etc/login.defs must be 077.
  701. ##For more detail: http://stackoverflow.com/questions/10220531/how-to-set-system-wide-umask
  702. sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/login.defs | grep -i "umask.*077" >/dev/null 2>&1 &
  703. stig_spinner $!
  704. output "V-38645" $? ${SETLANG}
  705. ################
  706. ##RHEL-06-000346
  707. ##The system default umask for daemons must be 027 or 022.
  708. ##For more detail: http://unix.stackexchange.com/questions/36220/how-to-set-umask-for-a-system-user
  709. sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/init.d/rc | grep -i "umask.*027\|umask.*022" >/dev/null 2>&1 &
  710. stig_spinner $!
  711. output "V-38646" $? ${SETLANG}
  712. ################
  713. ##RHEL-06-000347
  714. ##There must be no .netrc files on the system.
  715. bash $STIG_TESTS_DIR/check-netrc.sh >/dev/null 2>&1 &
  716. stig_spinner $!
  717. output "V-38619" $? ${SETLANG}
  718. ################
  719. ##RHEL-06-000372
  720. ##The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access.
  721. sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/pam.d/common-session | grep -i "pam_lastlog.so.*showfailed" > /dev/null 2>&1 &
  722. stig_spinner $!
  723. output "V-38501" $? ${SETLANG}
  724. ################
  725. ##RHEL-06-000507
  726. ##The operating system, upon successful logon, must display to the user the date and time of the last logon or access via ssh.
  727. sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/ssh/sshd_config | grep -i "^PrintLastLog.*yes" > /dev/null 2>&1 &
  728. stig_spinner $!
  729. output "V-38484" $? ${SETLANG}
  730. ################
  731. ##RHEL-06-000514
  732. ##The package management tool must cryptographically verify the authenticity of all software packages during installation.
  733. bash $STIG_TESTS_DIR/check-apt-gpg.sh > /dev/null 2>&1 &
  734. stig_spinner $!
  735. output "V-38462" $? ${SETLANG}
  736. ################
  737. ##RHEL-06-000515
  738. ##The NFS server must not have the all_squash option enabled.
  739. bash $STIG_TESTS_DIR/check-nfs-all-squash.sh > /dev/null 2>&1 &
  740. stig_spinner $!
  741. output "V-38460" $? ${SETLANG}
  742. ################
  743. ##RHEL-06-000523
  744. ##The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
  745. ip6tables -L INPUT | head -n1 | grep "INPUT.*DROP" > /dev/null 2>&1 &
  746. stig_spinner $!
  747. output "V-38444" $? ${SETLANG}
  748. ################
  749. ##RHEL-06-000526
  750. ##Automated file system mounting tools must not be enabled unless needed.
  751. bash $STIG_TESTS_DIR/check-services.sh autofs >/dev/null 2>&1 &
  752. stig_spinner $!
  753. output "V-38437" $? ${SETLANG}
  754. ################
  755. ##RHEL-06-000528
  756. ##The noexec option must be added to the /tmp partition.
  757. sed -e '/^#/d' -e '/^[ \t][ \t]*#/d' -e 's/#.*$//' -e '/^$/d' /etc/fstab | grep "/tmp.*noexec" >/dev/null 2>&1 &
  758. stig_spinner $!
  759. output "V-57569" $? ${SETLANG}
  760. ################
  761. ##RHEL-06-000529
  762. ##The sudo command must require authentication.
  763. bash $STIG_TESTS_DIR/check-sudo.sh >/dev/null 2>&1 &
  764. stig_spinner $!
  765. output "V-58901" $? ${SETLANG}
  766. ################
  767. show_passes_fails=
  768. if [ $SHOW_ALL_TESTS ]; then
  769. show_passes_fails=1
  770. else
  771. if [ $FAILS -gt 0 ]; then
  772. show_passes_fails=1
  773. fi
  774. fi
  775. if [ $show_passes_fails ]; then
  776. echo ''
  777. echo $"Passes: $PASSES"
  778. echo $"Fails: $FAILS"
  779. if [ $FAILS -gt 0 ]; then
  780. exit 792353
  781. fi
  782. fi
  783. }
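# Command-line handling and test run.
#
# Options recognised:
#   -h, --help            call show_help (defined earlier in this file; it
#                         presumably prints usage and exits -- confirm)
#   -s, --stig [showall]  run the STIG checks only (RUN_STIG=1); the optional
#                         'showall' word also sets SHOW_ALL_TESTS=1 so test_stig
#                         prints the pass/fail totals even when nothing failed
# Anything else is ignored.
#
# The previous loop condition was `[[ $# > 1 ]]`: inside [[ ]] the `>` is a
# string comparison, and it also required at least TWO arguments before the
# loop body ran at all, so `--help` or `--stig` given on their own were
# silently ignored and the full test suite ran instead. Use an arithmetic
# test and keep looping while any argument remains.
while (( $# > 0 )); do
  key="$1"
  case "$key" in
    -h|--help)
      show_help
      ;;
    -s|--stig)
      RUN_STIG=1
      # Only consume the following word when it is the one sub-argument we
      # understand; otherwise leave it for the next iteration so a trailing
      # option is not swallowed and we never shift past the end of the list.
      if [[ "${2:-}" == 'showall' ]]; then
        SHOW_ALL_TESTS=1
        shift
      fi
      ;;
    *)
      # unknown option: ignored
      ;;
  esac
  shift
done

# The "Running tests" / "All tests passed" banners are only printed for a
# full run; a STIG-only run reports its own pass/fail summary from test_stig.
# ${RUN_STIG:-} keeps the test well-defined when the variable was never set.
if [[ -z "${RUN_STIG:-}" ]]; then
  echo $'Running tests'
fi
test_app_functions
test_unique_onion_ports
# test_stig exits with a non-zero status itself when any STIG check fails
# (see the end of that function above), so reaching the lines below means
# every test passed.
test_stig
if [[ -z "${RUN_STIG:-}" ]]; then
  echo $'All tests passed'
fi
exit 0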
  813. exit 0