From f7f732d67e9542ee6d1c8c8cd172b2984c36f9ee Mon Sep 17 00:00:00 2001
From: Marcus Burghardt <maburgha@redhat.com>
Date: Wed, 22 Sep 2021 18:08:56 +0200
Subject: [PATCH] Included test scenarios for CIS

- accounts_maximum_age_login_defs
- banner_etc_issue
- banner_etc_motd
---
 controls/cis_rhel7.yml                                       | 4 ++--
 controls/cis_rhel8.yml                                       | 4 ++--
 .../banner_etc_issue/tests/banner_etc_issue_cis.fail.sh      | 5 +++++
 .../banner_etc_issue/tests/banner_etc_issue_cis.pass.sh      | 5 +++++
 .../tests/banner_etc_issue_disa_dod_default_banner.pass.sh   | 1 -
 ...nner_etc_issue_disa_dod_default_banner_no_newline.fail.sh | 1 -
 .../tests/banner_etc_issue_disa_dod_short.pass.sh            | 1 -
 .../tests/banner_etc_issue_disa_double_banner.fail.sh        | 1 -
 .../tests/banner_etc_issue_disa_usgcb_banner.fail.sh         | 1 -
 .../tests/banner_etc_issue_disa_with_extra_line.fail.sh      | 1 -
 .../tests/banner_etc_issue_ospp_usbcg_banner.fail.sh         | 1 -
 .../tests/banner_etc_issue_ospp_usbcg_banner.pass.sh         | 1 -
 .../banner_etc_motd/tests/banner_etc_motd_cis.fail.sh        | 5 +++++
 .../banner_etc_motd/tests/banner_etc_motd_cis.pass.sh        | 5 +++++
 .../tests/correct_cis.pass.sh                                | 5 +++++
 .../tests/incorrect_cis.fail.sh                              | 5 +++++
 16 files changed, 34 insertions(+), 12 deletions(-)
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis.fail.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_cis.pass.sh
 create mode 100644 linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_cis.fail.sh

diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml
index c3e567e80de..af8719827d0 100644
--- a/controls/cis_rhel7.yml
+++ b/controls/cis_rhel7.yml
@@ -477,7 +477,7 @@ controls:
     status: automated
     rules:
     - banner_etc_motd
-    - login_banner_text=usgcb_default
+    - login_banner_text=cis_default
 
   - id: 1.7.2
     title: Ensure local login warning banner is configured properly (Automated)
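Review bot: The switch from `login_banner_text=usgcb_default` to `login_banner_text=cis_default` in this control changes which banner text a CIS scan accepts, yet the commit message only mentions added test scenarios. Systems that currently pass with the USGCB banner will start failing after this change, so it should be traceable from the description, for example with a line like `- switch CIS banner controls to login_banner_text=cis_default`. The `cis_default` selector is not defined anywhere in this patch; presumably it already exists in the variable definition, which is worth confirming. The same substitution appears in the next hunk of this file and in both hunks of controls/cis_rhel8.yml.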
@@ -487,7 +487,7 @@ controls:
     status: automated
     rules:
     - banner_etc_issue
-    - login_banner_text=usgcb_default
+    - login_banner_text=cis_default
 
   - id: 1.7.3
     title: Ensure remote login warning banner is configured properly (Automated)
diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
index af233232a70..cbe1fc4e6a4 100644
--- a/controls/cis_rhel8.yml
+++ b/controls/cis_rhel8.yml
@@ -473,7 +473,7 @@ controls:
     status: automated
     rules:
       - banner_etc_motd
-      - login_banner_text=usgcb_default
+      - login_banner_text=cis_default
 
   - id: 1.8.1.2
     title: Ensure local login warning banner is configured properly (Automated)
@@ -483,7 +483,7 @@ controls:
     status: automated
     rules:
       - banner_etc_issue
-      - login_banner_text=usgcb_default
+      - login_banner_text=cis_default
 
   # NEEDS RULE
   # https://github.com/ComplianceAsCode/content/issues/5225
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis.fail.sh
new file mode 100644
index 00000000000..891412871a4
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_cis, xccdf_org.ssgproject.content_profile_cis_server_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l2
+
+# cis_default banner
+echo "Authorized uses only. All activity will not be monitored and reported." > /etc/issue
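Review bot: The comment `# cis_default banner` above the echo is misleading in a fail scenario, because the text written to /etc/issue is deliberately not the expected banner (it reads "will not be monitored" where the pass scenario reads "may be monitored"). I would replace it with something like `# deviates from cis_default: "will not be" instead of "may be"` so the next maintainer does not "correct" the string and silently turn this into a passing case. The same comment is used in banner_etc_motd_cis.fail.sh and should be changed there too.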
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis.pass.sh
new file mode 100644
index 00000000000..bc0f5a7a087
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_cis.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_cis, xccdf_org.ssgproject.content_profile_cis_server_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l2
+
+# cis_default banner
+echo "Authorized uses only. All activity may be monitored and reported." > /etc/issue
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner.pass.sh
index eb84c2137ac..7aaf57e3818 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner.pass.sh
@@ -1,5 +1,4 @@
 #!/bin/bash
-#
 # profiles = xccdf_org.ssgproject.content_profile_stig
 
 # dod_default banner
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh
index 00121bae969..872c269ef60 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_default_banner_no_newline.fail.sh
@@ -1,5 +1,4 @@
 #!/bin/bash
-#
 # profiles = xccdf_org.ssgproject.content_profile_stig
 
 # dod_default banner
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.pass.sh
index 23ec0f120f1..96eb5fafb01 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_dod_short.pass.sh
@@ -1,5 +1,4 @@
 #!/bin/bash
-#
 # profiles = xccdf_org.ssgproject.content_profile_stig
 
 # dod_short banner
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_double_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_double_banner.fail.sh
index 8b9c6832eb9..4c426b1747e 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_double_banner.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_double_banner.fail.sh
@@ -1,5 +1,4 @@
 #!/bin/bash
-#
 # profiles = xccdf_org.ssgproject.content_profile_stig
 
 # dod_default|dod_short banner
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_usgcb_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_usgcb_banner.fail.sh
index 5fbc75c237e..7a47ac1e9df 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_usgcb_banner.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_usgcb_banner.fail.sh
@@ -1,5 +1,4 @@
 #!/bin/bash
-#
 # profiles = xccdf_org.ssgproject.content_profile_stig
 
 # usgcb_default banner
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh
index dfa48bd61a5..0baaf2df69d 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_disa_with_extra_line.fail.sh
@@ -1,5 +1,4 @@
 #!/bin/bash
-#
 # profiles = xccdf_org.ssgproject.content_profile_stig
 
 # dod_default|dod_short banner
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh
index 0f962279bee..9857d182c9d 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.fail.sh
@@ -1,5 +1,4 @@
 #!/bin/bash
-#
 # profiles = xccdf_org.ssgproject.content_profile_stig
 
 echo "This is not the expected banner" > /etc/issue
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh
index 9bb0319323f..eed92346bf2 100644
--- a/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_issue/tests/banner_etc_issue_ospp_usbcg_banner.pass.sh
@@ -1,5 +1,4 @@
 #!/bin/bash
-#
 # profiles = xccdf_org.ssgproject.content_profile_stig
 
 # dod_banners banner
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis.fail.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis.fail.sh
new file mode 100644
index 00000000000..4a8ea3f8b7b
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_cis, xccdf_org.ssgproject.content_profile_cis_server_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l2
+
+# cis_default banner
+echo "Authorized uses only. All activity will not be monitored and reported." > /etc/motd
diff --git a/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis.pass.sh b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis.pass.sh
new file mode 100644
index 00000000000..1cacc28d732
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-banners/banner_etc_motd/tests/banner_etc_motd_cis.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_cis, xccdf_org.ssgproject.content_profile_cis_server_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l1, xccdf_org.ssgproject.content_profile_cis_workstation_l2
+
+# cis_default banner
+echo "Authorized uses only. All activity may be monitored and reported." > /etc/motd
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_cis.pass.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_cis.pass.sh
new file mode 100644
index 00000000000..bf4c7277ebc
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/correct_cis.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_cis
+
+rm -f /etc/login.defs
+echo "PASS_MAX_DAYS        365" > /etc/login.defs
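Review bot: The `# profiles =` header here names only `xccdf_org.ssgproject.content_profile_cis`, while the banner scenarios added in this same patch list four CIS profiles (cis, cis_server_l1, cis_workstation_l1, cis_workstation_l2). If the level-specific profiles also select this rule, which is not visible from this patch, the scenario would not be exercised for them; using the same list would keep the coverage consistent, and incorrect_cis.fail.sh has the same header. The `rm -f /etc/login.defs` is also redundant, since the `>` redirection on the next line already truncates the file. A short comment such as `# 365 is the highest value the cis profile accepts` would document why this value was chosen.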
diff --git a/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_cis.fail.sh b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_cis.fail.sh
new file mode 100644
index 00000000000..482a9cc49d3
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-restrictions/password_expiration/accounts_maximum_age_login_defs/tests/incorrect_cis.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_cis
+
+rm -f /etc/login.defs
+echo "PASS_MAX_DAYS        375" > /etc/login.defs
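Review bot: The failing value 375 sits ten days above the value the pass scenario accepts, so a check that wrongly tolerates 366 would still pass both scenarios. Assuming 365 is the CIS maximum, as correct_cis.pass.sh implies, `echo "PASS_MAX_DAYS        366" > /etc/login.defs` would pin the boundary exactly. A comment like `# one day above the cis maximum` above the echo would make the intent of the negative case explicit.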