# encoding: utf-8
#
# Profile input: when true, this control (and the other slow ones that honour
# the same input) is reported as skipped instead of being executed.
disable_slow_controls = input(
  'disable_slow_controls',
  description: "If enabled, this attribute disables this control and other\n" \
               "controls that consistently take a long time to complete.",
  value: false
)
# Profile input: absolute paths whose rpm digest is allowed to differ from the
# vendor value. Each reported path is compared against this list exactly, so
# entries must be full paths as rpm prints them.
rpm_verify_integrity_except = input(
  'rpm_verify_integrity_except',
  description: "This is a list of system files that should be allowed to change\n" \
               "from an rpm verify point of view.",
  value: []
)
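# STIG check RHEL-07-010020: every installed file whose rpm digest differs from
# the vendor value must be explicitly allow-listed in
# rpm_verify_integrity_except, config files excepted.
control "V-71855" do
  title "The cryptographic hash of system files and commands must match vendor\n" \
        "values."
  desc <<~DESC

    Without cryptographic integrity protections, system command and files can
    be altered by unauthorized users without detection.
    Cryptographic mechanisms used for protecting the integrity of information
    include, for example, signed hash functions using asymmetric cryptography
    enabling distribution of the public key to verify the hash information while
    maintaining the confidentiality of the key used to generate the hash.
  DESC
  impact 0.7
  tag "gtitle": "SRG-OS-000480-GPOS-00227"
  tag "gid": "V-71855"
  tag "rid": "SV-86479r2_rule"
  tag "stig_id": "RHEL-07-010020"
  tag "cci": ["CCI-000663"]
  tag "documentable": false
  tag "nist": ["SA-7", "Rev_4"]
  tag "subsystems": ['rpm', 'package']
  desc "check", <<~CHECK.chomp
    Verify the cryptographic hash of system files and commands
    match the vendor values.
    Check the cryptographic hash of system files and commands with the following
    command:
    Note: System configuration files (indicated by a \"c\" in the second column)
    are expected to change over time. Unusual modifications should be investigated
    through the system audit log.
    # rpm -Va | grep '^..5'
    If there is any output from the command for system binaries, this is a finding.
  CHECK
  desc "fix", <<~FIX.chomp
    Run the following command to determine which package owns the
    file:
    # rpm -qf <filename>
    The package can be reinstalled from a yum repository using the command:
    # sudo yum reinstall <packagename>
    Alternatively, the package can be reinstalled from trusted media using the
    command:
    # sudo rpm -Uvh <packagename>
  FIX
  tag "fix_id": "F-78207r1_fix"

  if disable_slow_controls
    slow_notice = "This control consistently takes a long to run and has been disabled\n" \
                  "using the disable_slow_controls attribute."
    describe slow_notice do
      skip "#{slow_notice} You must enable this control for a\n" \
           "full accredidation for production."
    end
  else
    # `rpm -Va` compares every installed file against the metadata recorded in
    # the host's rpm database and prints one line per discrepancy:
    #   <9-char attribute column>  <file type> <absolute path>
    # Only the 3rd attribute character is a finding here ('5' = file digest
    # differs, the same test as the check text's `grep '^..5'`); size, mode or
    # ownership-only changes are not examined by this control. Lines whose
    # file-type column is 'c' are config files and are excluded, as the check
    # text requires.
    #
    # The filtering is done in Ruby rather than grep/awk so that a path
    # containing whitespace is reported whole: `awk '{print $NF}'` emits only
    # its last word, which could never match an entry in
    # rpm_verify_integrity_except.
    #
    # Caveat for assessors: the reference digests come from the host's own rpm
    # database, so a pass shows no unexpected modification relative to that
    # database; it is not tamper evidence independent of the host.
    verify_line = %r{\A(\S{9})\s+(?:([a-z])\s+)?(/.*)\z}
    digest_mismatches = command("rpm -Va").stdout.each_line.each_with_object([]) do |line, paths|
      fields = verify_line.match(line.chomp)
      next if fields.nil? || fields[1][2] != '5' || fields[2] == 'c'
      paths << fields[3]
    end

    # Every remaining path must be explicitly allow-listed; an empty list
    # (no digest mismatches) passes.
    describe digest_mismatches do
      it { should all(be_in rpm_verify_integrity_except) }
    end
  end
end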