uop through 258236

Signed-off-by: wdower <[email protected]>
mitre · May 2, 2024 · 613add7 · 613add7
1 parent 6ac711c
commit 613add7
Show file tree

Hide file tree

Showing 38 changed files with 616 additions and 37 deletions.
diff --git a/controls/SV-258099.rb b/controls/SV-258099.rb
@@ -30,4 +30,13 @@
   tag 'documentable'
   tag cci: ['CCI-000196', 'CCI-000803']
   tag nist: ['IA-5 (1) (c)', 'IA-7']
+  tag 'host'
+  tag 'container'
+
+  expected_line = 'password sufficient pam_unix.so sha512'
+  pam_auth_files = input('pam_auth_files')
+
+  describe pam(pam_auth_files['password-auth']) do
+    its('lines') { should match_pam_rule(expected_line).any_with_integer_arg('rounds', '>=', input('password_hash_rounds')) }
+  end
 end
diff --git a/controls/SV-258100.rb b/controls/SV-258100.rb
@@ -30,4 +30,13 @@
   tag 'documentable'
   tag cci: ['CCI-000196', 'CCI-000803']
   tag nist: ['IA-5 (1) (c)', 'IA-7']
+  tag 'host'
+  tag 'container'
+
+  expected_line = 'password sufficient pam_unix.so sha512'
+  pam_auth_files = input('pam_auth_files')
+
+  describe pam(pam_auth_files['password-auth']) do
+    its('lines') { should match_pam_rule(expected_line).any_with_integer_arg('rounds', '>=', input('password_hash_rounds')) }
+  end
 end
diff --git a/controls/SV-258101.rb b/controls/SV-258101.rb
@@ -32,4 +32,19 @@
   tag 'documentable'
   tag cci: ['CCI-000192', 'CCI-000193', 'CCI-000194', 'CCI-000195', 'CCI-000205', 'CCI-000366', 'CCI-001619']
   tag nist: ['IA-5 (1) (a)', 'IA-5 (1) (a)', 'IA-5 (1) (a)', 'IA-5 (1) (b)', 'IA-5 (1) (a)', 'CM-6 b', 'IA-5 (1) (a)']
+  tag 'host'
+  tag 'container'
+
+  # TODO: use this pattern on the rest of the pwquality.conf settings (current implementation for the other ones dont account for multiple conmf files)
+
+  setting = 'enforce_for_root'
+
+  setting_check = command("grep #{setting} /etc/security/pwquality.conf /etc/security/pwquality.conf/*.conf").stdout.strip.match(/^:+#{setting}$/)
+
+  describe 'The root account' do
+    it 'should enforce password complexity rules' do
+      expect(setting_check).to_not be_nil, "'#{setting}' not found (or commented out) in conf file(s)"
+      expect(setting_check.length).to eq(1), "'#{setting}' set more than once in conf file(s)"
+    end
+  end
 end
diff --git a/controls/SV-258112.rb b/controls/SV-258112.rb
@@ -27,4 +27,23 @@
   tag 'documentable'
   tag cci: ['CCI-000195']
   tag nist: ['IA-5 (1) (b)']
+  tag 'host', 'container'
+
+  setting = 'difok'
+  expected_value = input('difok')
+
+  pattern = /^[^#]*#{setting}\s*=\s*(?<value>\d+)$/
+  setting_check = command("grep #{setting} /etc/security/pwquality.conf /etc/security/pwquality.conf/*.conf").stdout.strip.scan(pattern).flatten
+
+  describe 'Password settings for the root account' do
+    it 'should be set' do
+      expect(setting_check).to_not be_empty, "'#{setting}' not found (or commented out) in conf file(s)"
+    end
+    it 'should only be set once' do
+      expect(setting_check.length).to eq(1), "'#{setting}' set more than once in conf file(s)"
+    end
+    it "should be set to be >= #{expected_value}" do
+      expect(setting_check.first.to_i).to be >= expected_value, "'#{setting}' set to less than '#{expected_value}' in conf file(s)"
+    end
+  end
 end
diff --git a/controls/SV-258116.rb b/controls/SV-258116.rb
@@ -27,4 +27,9 @@
   tag 'documentable'
   tag cci: ['CCI-000196']
   tag nist: ['IA-5 (1) (c)']
+  tag 'host', 'container'
+
+  describe parse_config_file('/etc/libuser.conf') do
+    its('crypt_style') { should cmp 'sha512' }
+  end
 end
diff --git a/controls/SV-258117.rb b/controls/SV-258117.rb
@@ -27,4 +27,9 @@
   tag 'documentable'
   tag cci: ['CCI-000196']
   tag nist: ['IA-5 (1) (c)']
+  tag 'host', 'container'
+
+  describe login_defs do
+    its('ENCRYPT_METHOD') { should cmp 'SHA512' }
+  end
 end
diff --git a/controls/SV-258121.rb b/controls/SV-258121.rb
@@ -28,4 +28,20 @@
   tag 'documentable'
   tag cci: ['CCI-000764', 'CCI-000766', 'CCI-000767', 'CCI-000768', 'CCI-000770', 'CCI-001941', 'CCI-001942']
   tag nist: ['IA-2', 'IA-2 (2)', 'IA-2 (3)', 'IA-2 (4)', 'IA-2 (5)', 'IA-2 (8)', 'IA-2 (9)']
+  tag 'host'
+
+  only_if('This control is Not Applicable to containers', impact: 0.0) {
+    !virtualization.system.eql?('docker')
+  }
+
+  if input('smart_card_enabled')
+    describe parse_config_file('/etc/opensc.conf') do
+      its('card_drivers') { should cmp 'cac' }
+    end
+  else
+    impact 0.0
+    describe 'The system is not smartcard enabled thus this control is Not Applicable' do
+      skip 'The system is not using Smartcards / PIVs to fulfil the MFA requirement, this control is Not Applicable.'
+    end
+  end
 end
diff --git a/controls/SV-258124.rb b/controls/SV-258124.rb
@@ -25,4 +25,20 @@
   tag 'documentable'
   tag cci: ['CCI-001948']
   tag nist: ['IA-2 (11)']
+  tag 'host'
+
+  only_if('This control is Not Applicable to containers', impact: 0.0) {
+    !virtualization.system.eql?('docker')
+  }
+
+  if input('smart_card_enabled')
+    describe package('pcsc-lite') do
+      it { should be_installed }
+    end
+  else
+    impact 0.0
+    describe 'The system is not smartcard enabled thus this control is Not Applicable' do
+      skip 'The system is not using Smartcards / PIVs to fulfil the MFA requirement, this control is Not Applicable.'
+    end
+  end
 end
diff --git a/controls/SV-258125.rb b/controls/SV-258125.rb
@@ -25,4 +25,21 @@
   tag 'documentable'
   tag cci: ['CCI-001948']
   tag nist: ['IA-2 (11)']
+  tag 'host'
+
+  only_if('This control is Not Applicable to containers', impact: 0.0) {
+    !virtualization.system.eql?('docker')
+  }
+
+  if input('smart_card_enabled')
+    describe service('pcscd') do
+      it { should be_enabled }
+      it { should be_running }
+    end
+  else
+    impact 0.0
+    describe 'The system is not smartcard enabled thus this control is Not Applicable' do
+      skip 'The system is not using Smartcards / PIVs to fulfil the MFA requirement, this control is Not Applicable.'
+    end
+  end
 end
diff --git a/controls/SV-258126.rb b/controls/SV-258126.rb
@@ -30,4 +30,20 @@
   tag 'documentable'
   tag cci: ['CCI-001948', 'CCI-001953']
   tag nist: ['IA-2 (11)', 'IA-2 (12)']
+  tag 'host'
+
+  only_if('This control is Not Applicable to containers', impact: 0.0) {
+    !virtualization.system.eql?('docker')
+  }
+
+  if input('smart_card_enabled')
+    describe package('opensc') do
+      it { should be_installed }
+    end
+  else
+    impact 0.0
+    describe 'The system is not smartcard enabled thus this control is Not Applicable' do
+      skip 'The system is not using Smartcards / PIVs to fulfil the MFA requirement, this control is Not Applicable.'
+    end
+  end
 end
diff --git a/controls/SV-258129.rb b/controls/SV-258129.rb
@@ -27,4 +27,9 @@
   tag 'documentable'
   tag cci: ['CCI-000213']
   tag nist: ['AC-3']
+  tag 'host', 'container'
+
+  describe ini('/usr/lib/systemd/system/rescue.service') do
+    its('Service.ExecStart') { should match %r{^-/usr/lib/systemd/systemd-sulogin-shell rescue$} }
+  end
 end
diff --git a/controls/SV-258135.rb b/controls/SV-258135.rb
@@ -49,4 +49,31 @@
   tag 'documentable'
   tag cci: ['CCI-001744', 'CCI-002699', 'CCI-002702']
   tag nist: ['CM-3 (5)', 'SI-6 b', 'SI-6 d']
+  tag 'host'
+
+  file_integrity_tool = input('file_integrity_tool')
+
+  only_if('Control not applicable within a container', impact: 0.0) {
+    !virtualization.system.eql?('docker')
+  }
+
+  describe package(file_integrity_tool) do
+    it { should be_installed }
+  end
+  describe.one do
+    describe file("/etc/cron.daily/#{file_integrity_tool}") do
+      its('content') { should match %r{/bin/mail} }
+    end
+    describe file("/etc/cron.weekly/#{file_integrity_tool}") do
+      its('content') { should match %r{/bin/mail} }
+    end
+    describe crontab('root').where { command =~ /#{file_integrity_tool}/ } do
+      its('commands.flatten') { should include(match %r{/bin/mail}) }
+    end
+    if file("/etc/cron.d/#{file_integrity_tool}").exist?
+      describe crontab(path: "/etc/cron.d/#{file_integrity_tool}") do
+        its('commands') { should include(match %r{/bin/mail}) }
+      end
+    end
+  end
 end
diff --git a/controls/SV-258136.rb b/controls/SV-258136.rb
@@ -25,4 +25,21 @@
   tag 'documentable'
   tag cci: ['CCI-000366']
   tag nist: ['CM-6 b']
+  tag 'host'
+
+  file_integrity_tool = input('file_integrity_tool')
+
+  only_if('Control not applicable within a container', impact: 0.0) do
+    !virtualization.system.eql?('docker')
+  end
+
+  if file_integrity_tool == 'aide'
+    describe parse_config_file('/etc/aide.conf') do
+      its('ALL') { should match(/sha512/) }
+    end
+  else
+    describe 'Manual Review' do
+      skip "Review the selected file integrity tool (#{file_integrity_tool}) configuration to ensure it is using FIPS 140-2/140-3-approved cryptographic hashes for validating file contents and directories."
+    end
+  end
 end
diff --git a/controls/SV-258143.rb b/controls/SV-258143.rb
@@ -42,4 +42,21 @@
   tag 'documentable'
   tag cci: ['CCI-000366']
   tag nist: ['CM-6 b']
+  tag 'host', 'container'
+
+  if input('log_aggregator')
+    describe 'N/A' do
+      skip 'This control is NA because the system is a log aggregation server.'
+    end
+  else
+    modload = command('grep -i modload /etc/rsyslog.conf /etc/rsyslog.d/*').stdout.strip.split
+    serverrun = command('grep -i serverrun /etc/rsyslog.conf /etc/rsyslog.d/*').stdout.strip.split
+
+    describe 'Rsyslog config' do
+      it 'should not accept remote logs' do
+        expect(modload).to be_empty, "ModLoad settings found:\n\t- #{modload.join("\n\t- ")}"
+        expect(serverrun).to be_empty, "ServerRun settings found:\n\t- #{serverrun.join("\n\t- ")}"
+      end
+    end
+  end
 end
diff --git a/controls/SV-258145.rb b/controls/SV-258145.rb
@@ -28,4 +28,9 @@
   tag 'documentable'
   tag cci: ['CCI-001851']
   tag nist: ['AU-4 (1)']
+  tag 'host'
+
+  describe parse_config_file('/etc/audit/plugins.d/syslog.conf') do
+    its('active') { should cmp 'yes' }
+  end
 end
diff --git a/controls/SV-258148.rb b/controls/SV-258148.rb
@@ -30,4 +30,34 @@
   tag 'documentable'
   tag cci: ['CCI-001851']
   tag nist: ['AU-4 (1)']
+  tag 'host', 'container'
+
+  setting = 'DefaultNetstreamDriver'
+  expected_value = 'gtls'
+
+  pattern = /[^#]\$#{setting}\s*(?<value>\w+)$/
+  setting_check = command("grep -i #{setting} /etc/rsyslog.conf /etc/rsyslog.d/*.conf").stdout.strip.scan(pattern).flatten
+
+  describe 'Rsyslogd DefaultNetstreamDriver' do
+    if setting_check.empty?
+      it 'should be set' do
+        expect(setting_check).to_not be_empty, "'#{setting}' not found (or commented out) in conf file(s)"
+      end
+    else
+      it 'should only be set once' do
+        expect(setting_check.length).to eq(1), "'#{setting}' set more than once in conf file(s)"
+      end
+      it "should be set to '#{expected_value}'" do
+        expect(setting_check.first).to eq(expected_value), "'#{setting}' set to '#{setting_check.first}' in conf file(s)"
+      end
+    end
+  end
+
+  # netstream_driver = command('grep -i $DefaultNetstreamDriver /etc/rsyslog.conf /etc/rsyslog.d/*').stdout.strip
+
+  # describe "Rsyslog config" do
+  #   it "should encrypt audit records for transfer" do
+  #     expect(modload).to be_empty, "ModLoad settings found:\n\t- #{modload.join("\n\t- ")}"
+  #   end
+  # end
 end
diff --git a/controls/SV-258158.rb b/controls/SV-258158.rb
@@ -23,4 +23,15 @@
   tag 'documentable'
   tag cci: ['CCI-001855']
   tag nist: ['AU-5 (1)']
+  tag 'host'
+
+  only_if('This control is Not Applicable to containers', impact: 0.0) {
+    !virtualization.system.eql?('docker')
+  }
+
+  admin_space_left = input('admin_space_left')
+
+  describe auditd_conf do
+    its('admin_space_left') { should cmp admin_space_left }
+  end
 end
diff --git a/controls/SV-258159.rb b/controls/SV-258159.rb
@@ -29,4 +29,15 @@
   tag 'documentable'
   tag cci: ['CCI-001855']
   tag nist: ['AU-5 (1)']
+  tag 'host'
+
+  only_if('This control is Not Applicable to containers', impact: 0.0) {
+    !virtualization.system.eql?('docker')
+  }
+
+  admin_space_left_action = input('admin_space_left_action').upcase
+
+  describe auditd_conf do
+    its('admin_space_left_action.upcase') { should cmp admin_space_left_action }
+  end
 end
diff --git a/controls/SV-258160.rb b/controls/SV-258160.rb
@@ -25,4 +25,17 @@
   tag 'documentable'
   tag cci: ['CCI-000140']
   tag nist: ['AU-5 b']
+  tag 'host'
+
+  # TODO: should probably make all audit conf inputs into one hash for ease of use
+
+  only_if('This control is Not Applicable to containers', impact: 0.0) {
+    !virtualization.system.eql?('docker')
+  }
+
+  max_log_file_action = input('max_log_file_action').upcase
+
+  describe auditd_conf do
+    its('max_log_file_action.upcase') { should cmp max_log_file_action }
+  end
 end
diff --git a/controls/SV-258168.rb b/controls/SV-258168.rb
@@ -25,4 +25,15 @@
   tag 'documentable'
   tag cci: ['CCI-000154']
   tag nist: ['AU-6 (4)']
+  tag 'host'
+
+  only_if('This control is Not Applicable to containers', impact: 0.0) {
+    !virtualization.system.eql?('docker')
+  }
+
+  freq = input('audit_flush_threshold')
+
+  describe auditd_conf do
+    its('freq.to_i') { should cmp >= freq }
+  end
 end
diff --git a/controls/SV-258170.rb b/controls/SV-258170.rb
@@ -27,4 +27,13 @@
   tag 'documentable'
   tag cci: ['CCI-000366']
   tag nist: ['CM-6 b']
+  tag 'host'
+
+  only_if('This control is Not Applicable to containers', impact: 0.0) {
+    !virtualization.system.eql?('docker')
+  }
+
+  describe auditd_conf do
+    its('write_logs.upcase') { should cmp 'YES' }
+  end
 end