Remove post scan from remediate log.

Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
This commit is contained in:
reyesj2
2024-01-17 16:23:20 -05:00
parent 739feb25a4
commit df921892a3


@@ -24,18 +24,19 @@ logCmd() {
apply_stigs(){ apply_stigs(){
if [ ! -f $stig_log/pre-oscap-report.html ]; then if [ ! -f $stig_log/pre-oscap-report.html ]; then
echo "Running an OSCAP eval before modifying system for the first time"
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/pre-oscap-results.xml --report $stig_log/pre-oscap-report.html /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/pre-oscap-results.xml --report $stig_log/pre-oscap-report.html /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml
fi fi
echo "Manually applying STIGs not remediated by OSCAP"
echo "Setting Ctrl-Alt-Del action to none OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction" echo -e "\nRunning custom OSCAP profile to remediate applicable STIGs\n"
logCmd "oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/results.xml $stig_conf/sos-oscap.xml"
# Setting Ctrl-Alt-Del action to none OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_burstaction
if ! grep -q "^CtrlAltDelBurstAction=none$" /etc/systemd/system.conf; then if ! grep -q "^CtrlAltDelBurstAction=none$" /etc/systemd/system.conf; then
sed -i 's/#CtrlAltDelBurstAction=reboot-force/CtrlAltDelBurstAction=none/g' /etc/systemd/system.conf sed -i 's/#CtrlAltDelBurstAction=reboot-force/CtrlAltDelBurstAction=none/g' /etc/systemd/system.conf
logCmd "grep CtrlAltDelBurstAction /etc/systemd/system.conf" logCmd "grep CtrlAltDelBurstAction /etc/systemd/system.conf"
fi fi
# Setting ctrl-alt-del.target to masked or /dev/null OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot
echo "Setting ctrl-alt-del.target to masked or /dev/null OSCAP rule id: xccdf_org.ssgproject.content_rule_disable_ctrlaltdel_reboot"
if systemctl is-enabled ctrl-alt-del.target | grep -q masked; then if systemctl is-enabled ctrl-alt-del.target | grep -q masked; then
echo "ctrl-alt-del.target is already masked" echo "ctrl-alt-del.target is already masked"
else else
@@ -43,11 +44,11 @@ apply_stigs(){
logCmd "ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target" logCmd "ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target"
fi fi
echo "Remove nullok from password-auth & system-auth OSCAP rule id: xccdf_org.ssgproject.content_rule_no_empty_passwords" # Remove nullok from password-auth & system-auth OSCAP rule id: xccdf_org.ssgproject.content_rule_no_empty_passwords
sed -i 's/ nullok//g' /etc/pam.d/password-auth sed -i 's/ nullok//g' /etc/pam.d/password-auth
sed -i 's/ nullok//g' /etc/pam.d/system-auth sed -i 's/ nullok//g' /etc/pam.d/system-auth
echo "Setting PermitEmptyPasswords no in /etc/ssh/sshd_config OSCAP rule id: xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords" # Setting PermitEmptyPasswords no in /etc/ssh/sshd_config OSCAP rule id: xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
if grep -q "^#PermitEmptyPasswords no$" /etc/ssh/sshd_config; then if grep -q "^#PermitEmptyPasswords no$" /etc/ssh/sshd_config; then
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
logCmd "grep PermitEmptyPasswords /etc/ssh/sshd_config" logCmd "grep PermitEmptyPasswords /etc/ssh/sshd_config"
@@ -55,7 +56,7 @@ apply_stigs(){
logCmd "echo 'PermitEmptyPasswords no' >> /etc/ssh/sshd_config" logCmd "echo 'PermitEmptyPasswords no' >> /etc/ssh/sshd_config"
fi fi
echo "Setting PermitUserEnvironment no in /etc/ssh/sshd_config STIG rule id: SV-248650r877377" # Setting PermitUserEnvironment no in /etc/ssh/sshd_config STIG rule id: SV-248650r877377
if grep -q "^#PermitUserEnvironment no$" /etc/ssh/sshd_config; then if grep -q "^#PermitUserEnvironment no$" /etc/ssh/sshd_config; then
sed -i 's/#PermitUserEnvironment no/PermitUserEnvironment no/g' /etc/ssh/sshd_config sed -i 's/#PermitUserEnvironment no/PermitUserEnvironment no/g' /etc/ssh/sshd_config
logCmd "grep PermitUserEnvironment /etc/ssh/sshd_config" logCmd "grep PermitUserEnvironment /etc/ssh/sshd_config"
@@ -63,11 +64,9 @@ apply_stigs(){
logCmd "echo 'PermitUserEnvironment no' >> /etc/ssh/sshd_config" logCmd "echo 'PermitUserEnvironment no' >> /etc/ssh/sshd_config"
fi fi
echo "Running custom OSCAP profile to remediate applicable STIGs"
logCmd "oscap xccdf eval --remediate --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/results.xml $stig_conf/sos-oscap.xml"
echo "Running OSCAP scan to verify application of STIGs" echo "Running OSCAP scan to verify application of STIGs"
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/post-oscap-results.xml --report $stig_log/post-oscap-report.html /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig --results $stig_log/post-oscap-results.xml --report $stig_log/post-oscap-report.html /usr/share/xml/scap/ssg/content/ssg-ol9-ds.xml > /dev/null 2>&1
} }
if is_feature_enabled "stig" >/dev/null 2>&1; then if is_feature_enabled "stig" >/dev/null 2>&1; then