initial cat1

Signed-off-by: Mark Bolwell <[email protected]>

.gitignore

@@ -0,0 +1,45 @@
+.env
+*.log
+*.retry
+.cache
+.vagrant
+tests/*redhat-subscription
+tests/Dockerfile
+*.iso
+*.box
+packer_cache
+delete*
+ignore*
+# VSCode
+.vscode
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# DS_Store
+.DS_Store
+._*
+
+# Linux Editors
+*~
+\#*\#
+/.emacs.desktop
+/.emacs.desktop.lock
+.elc
+auto-save-list
+tramp
+.\#*
+*.swp
+*.swo
+rh-creds.env
+travis.env
+
+# Lockdown-specific
+benchparse/
+*xccdf.xml
+*.retry
+
+# GitHub Action/Workflow files
+.github/

CONTRIBUTING.rst

@@ -0,0 +1,53 @@
+Contributing to MindPoint Group Projects
+========================================
+
+Signing your contribution
+-------------------------
+
+We've chosen to use the Developer's Certificate of Origin (DCO) method
+that is employed by the Linux Kernel Project, which provides a simple
+way to contribute to MindPoint Group projects.
+
+The process is to certify the below DCO 1.1 text
+::
+
+    Developer's Certificate of Origin 1.1
+
+    By making a contribution to this project, I certify that:
+
+    (a) The contribution was created in whole or in part by me and I
+        have the right to submit it under the open source license
+        indicated in the file; or
+
+    (b) The contribution is based upon previous work that, to the best
+        of my knowledge, is covered under an appropriate open source
+        license and I have the right under that license to submit that
+        work with modifications, whether created in whole or in part
+        by me, under the same open source license (unless I am
+        permitted to submit under a different license), as indicated
+        in the file; or
+
+    (c) The contribution was provided directly to me by some other
+        person who certified (a), (b) or (c) and I have not modified
+        it.
+
+    (d) I understand and agree that this project and the contribution
+        are public and that a record of the contribution (including all
+        personal information I submit with it, including my sign-off) is
+        maintained indefinitely and may be redistributed consistent with
+        this project or the open source license(s) involved.
+::
+
+Then, when it comes time to submit a contribution, include the
+following text in your contribution commit message:
+
+::
+
+   Signed-off-by: Joan Doe <[email protected]>
+
+::
+
+
+This message can be entered manually, or if you have configured git
+with the correct `user.name` and `user.email`, you can use the `-s`
+option to `git commit` to automatically include the signoff message.

LICENSE

@@ -0,0 +1,22 @@
+
+The MIT License
+
+Copyright (c) 2018     MindPoint Group http://www.mindpointgroup.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

cat_1/RHEL-08-010000.yml

@@ -0,0 +1,14 @@
+{{ if .Vars.RHEL_08_010000 }}
+file:
+  /etc/redhat-release:
+    exists: true
+    contains:
+    - '/.* 8.[4-8]/'
+    meta:
+    - Cat: 1
+    - CCI: CCI-000366
+    - Group_Title: SRG-OS-000480-GPOS-00227
+    - Rule_ID: SV-230221r627750_rule
+    - STIG_ID: RHEL-08-010000
+    - Vul_ID: V-230221
+{{ end }}

cat_1/RHEL-08-010020.yml

@@ -0,0 +1,42 @@
+{{ if .Vars.RHEL_08_010020 }}
+command:
+  fipscheck:
+    title: RHEL-08-010020 | Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions | fipscheck
+    exec: fips-mode-setup --check
+    exit-status: 0
+    stdout:
+    - '!/.*disabled/'
+    - '/.*enabled/'
+    meta:
+    - Cat: 1
+    - CCI: CCI-000068
+    - Rule_ID: SV-230223r627750_rule
+    - STIG_ID: RHEL-08-010020
+    - Vul_ID: V-230223
+  fips_live:
+     title: RHEL-08-010020 | Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions | fips_kernel
+     exec: grub2-editenv - list | grep fip
+     exit-status: 0
+     stdout:
+     - '/^kernelopts+.*fips=1'
+     - '/^kernelopts+.*fips=0'
+    meta:
+    - Cat: 1
+    - CCI: CCI-000068
+    - Rule_ID: SV-230223r627750_rule
+    - STIG_ID: RHEL-08-010020
+    - Vul_ID: V-230223
+file:
+  /proc/sys/crypto/fips_enabled:
+    title: RHEL-08-010020 | Verify the operating system implements DoD-approved encryption to protect the confidentiality of remote access sessions | fips_process
+    exists: true
+    contains:
+    - '1'
+    meta:
+    - Cat: 1
+    - CCI: CCI-000068
+    - Group_Title: SRG-OS-000033-GPOS-00014
+    - Rule_ID: SV-230223r627750_rule
+    - STIG_ID: RHEL-08-010020
+    - Vul_ID: V-230223
+{{ end }}

cat_1/RHEL-08-010140.yml

@@ -0,0 +1,17 @@
+{{ if not .Vars.legacy_boot }}
+  {{ if .Vars.RHEL_08_010140 }}
+file:
+  {{ .Vars.rhel8stig_bootloader_path }}/user.cfg:
+    title: RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.
+    exists: true
+    contains:
+    - '/^GRUB2_PASSWORD=grub.pbkdf2.sha512.{{ .Vars.rhel8stig_password_hash }}/'
+    meta:
+    - Cat: 1
+    - CCI: CCI-000213
+    - Group_Title: SRG-OS-000080-GPOS-00048
+    - Rule_ID: SV-230234r627750_rule
+    - STIG_ID: RHEL-08-010140
+    - Vul_ID: V-230234
+  {{ end }}
+{{ end }}

cat_1/RHEL-08-010150.yml

@@ -0,0 +1,17 @@
+{{ if .Vars.legacy_boot }}
+{{ if .Vars.RHEL_08_010150 }}
+file:
+  {{ .Vars.rhel8stig_bootloader_path }}/user.cfg:
+    title: RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) implemented must require authentication upon booting into single-user mode and maintenance.
+    exists: true
+    contains:
+    - '/^GRUB2_PASSWORD=grub.pbkdf2.sha512.{{ .Vars.rhel8stig_password_hash }}/'
+    meta:
+    - Cat: 1
+    - CCI: CCI-000213
+    - Group_Title: SRG-OS-000080-GPOS-00048
+    - Rule_ID: SV-230235r627750_rule
+    - STIG_ID: RHEL-08-010150
+    - Vul_ID: V-230235
+  {{ end }}
+{{ end }}

cat_1/RHEL-08-010370.yml

@@ -0,0 +1,44 @@
+{{ if .Vars.RHEL_08_010370 }}
+command:
+  gpg_check_default:
+    title: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | dnf_running
+    exec: dnf config-manager --dump | grep gpgcheck
+    exit-status: 0
+    stdout:
+    - '/^gpgcheck.*1/'
+    - '!/^gpgcheck.*0/'
+    meta:
+    - Cat: 1
+    - CCI: CCI-001749
+    - Group_Title: SRG-OS-000366-GPOS-00153
+    - Rule_ID: SV-230264r627750_rule
+    - STIG_ID: RHEL-08-010370
+    - Vul_ID: V-230264
+  gpg_check_repos:
+    title: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | repo_check
+    exec: grep -cR '.*gpgcheck.*=0' /etc/yum.repos.d/*.repo
+    exit-status: 1
+    stdout:
+    - '!/.*[1-9][0-9]*$/'
+    meta:
+    - Cat: 1
+    - CCI: CCI-001749
+    - Group_Title: SRG-OS-000366-GPOS-00153
+    - Rule_ID: SV-230264r627750_rule
+    - STIG_ID: RHEL-08-010370
+    - Vul_ID: V-230264
+file:
+  /etc/dnf/dnf.conf:
+    title: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components from a repository without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | dnf_conf
+    exists: true
+    contains:
+    - '/^gpgcheck.*1/'
+    - '!/^gpgcheck.*0/'
+    meta:
+    - Cat: 1
+    - CCI: CCI-001749
+    - Group_Title: SRG-OS-000366-GPOS-00153
+    - Rule_ID: SV-230264r627750_rule
+    - STIG_ID: RHEL-08-010370
+    - Vul_ID: V-230264
+{{ end }}

cat_1/RHEL-08-010371.yml

@@ -0,0 +1,31 @@
+{{ if .Vars.RHEL_08_010371 }}
+command:
+  localpkg_gpg_check_default:
+    title: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | dnf_runnig
+    exec: dnf config-manager --dump | grep gpgcheck
+    exit-status: 0
+    stdout:
+    - '/^localpkg_gpgcheck.*(1|[tT]rue|yes)/'
+    - '!/^localpkg_gpgcheck.*(0|[fF]alse|no)/'
+    meta:
+    - Cat: 1
+    - CCI: CCI-001749
+    - Group_Title: SRG-OS-000366-GPOS-00153
+    - Rule_ID: SV-230265r627750_rule
+    - STIG_ID: RHEL-08-010371
+    - Vul_ID: V-230265
+file:
+  /etc/dnf/dnf.conf:
+    title: RHEL 8 must prevent the installation of software, patches, service packs, device drivers, or operating system components of local packages without verification they have been digitally signed using a certificate that is issued by a Certificate Authority (CA) that is recognized and approved by the organization. | dnf_conf
+    exists: true
+    contains:
+    - '/^localpkg_gpgcheck.*(1|[tT]rue|yes)/'
+    - '!/^localpkg_gpgcheck.*(0|[fF]alse|no)/'
+    meta:
+    - Cat: 1
+    - CCI: CCI-001749
+    - Group_Title: SRG-OS-000366-GPOS-00153
+    - Rule_ID: SV-230265r627750_rule
+    - STIG_ID: RHEL-08-010371
+    - Vul_ID: V-230265
+{{ end }}

cat_1/RHEL-08-010460.yml

@@ -0,0 +1,19 @@
+{{ if .Vars.run_heavy_tests }}
+{{ if .Vars.RHEL_08_010460 }}
+command:
+  shosts_equiv_check:
+    title: The "shosts.equiv" files are used to configure host-based authentication for the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
+    exec: find / -name shosts.equiv
+    exit-status: 0
+    timeout: {{ .Vars.timeout_ms }}
+    stdout:
+    - '/.*/'
+  meta:
+    - Cat: 1
+    - CCI: CCI-000366
+    - Group_Title: SRG-OS-000480-GPOS-00227
+    - Rule_ID: SV-230283r627750_rule
+    - STIG_ID: RHEL-08-010460
+    - Vul_ID: V-230283
+  {{ end }}
+{{ end }}

cat_1/RHEL-08-010470.yml

@@ -0,0 +1,19 @@
+{{ if .Vars.run_heavy_tests }}
+  {{ if .Vars.RHEL_08_010470 }}
+command:
+  shosts_check:
+    title: The ".shosts" files are used to configure host-based authentication for individual users or the system via SSH. Host-based authentication is not sufficient for preventing unauthorized access to the system, as it does not require interactive identification and authentication of a connection request, or for the use of two-factor authentication.
+    exec: find / -name '*.shosts'
+    exit-status: 0
+    timeout: {{ .Vars.timeout_ms }}
+  stdout:
+  - '!/.*/'
+  meta:
+    - Cat: 1
+    - CCI: CCI-000366
+    - Group_Title: SRG-OS-000480-GPOS-00227
+    - Rule_ID: SV-230284r627750_rule
+    - STIG_ID: RHEL-08-010470
+    - Vul_ID: V-230284
+  {{ end }}
+{{ end }}

cat_1/RHEL-08-010820.yml

@@ -0,0 +1,19 @@
+{{ if .Vars.rhel8stig_gui }}
+{{ if .Vars.RHEL_08_010820 }}
+file:
+  /etc/gdm/custom.conf:
+    title: Unattended or automatic logon via the RHEL 8 graphical user interface must not be allowed.
+    exists: true
+    contains:
+    - '/^AutomaticLoginEnable=false/'
+    - '!/#AutomaticLoginEnable=false/'
+    - '!/^AutomaticLoginEnable=[tT]rue/'
+    meta:
+    - Cat: 1
+    - CCI: CCI-000366
+    - Group_Title: SRG-OS-000480-GPOS-00229
+    - Rule_ID: SV-230329r627750_rule
+    - STIG_ID: RHEL-08-010820
+    - Vul_ID: V-230329
+  {{ end }}
+{{ end }}

cat_1/RHEL-08-020330.yml

@@ -0,0 +1,38 @@
+{{ if .Vars.RHEL_08_020330 }}
+file:
+  /etc/pam.d/system-auth:
+    title: If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments | system-auth
+    exists: true
+    contains:
+    - '!/^.*nullok.*/'
+    meta:
+    - Cat: 1
+    - CCI: CCI-000366
+    - Rule_ID: SV-230380r627750_rule
+    - STIG_ID: RHEL-08-020330
+    - Vul_ID: V-230380
+  /etc/pam.d/password-auth:
+    title: If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments | password-auth
+    exists: true
+    contains:
+    - '!/^.*nullok.*/'
+    meta:
+    - Cat: 1
+    - CCI: CCI-000366
+    - Rule_ID: SV-230380r627750_rule
+    - STIG_ID: RHEL-08-020330
+    - Vul_ID: V-230380
+  /etc/ssh/sshd_config:
+    title: If an account has an empty password, anyone could log on and run commands with the privileges of that account. Accounts with empty passwords should never be used in operational environments | sshd_conf
+    exists: true
+    contains:
+    - '/PermitEmptyPasswords.*no/'
+    - '!/PermitEmptyPasswords.*yes/'
+    meta:
+    - Cat: 1
+    - CCI: CCI-000366
+    - Group_Title: SRG-OS-000480-GPOS-00227
+    - Rule_ID: SV-230380r627750_rule
+    - STIG_ID: RHEL-08-020330
+    - Vul_ID: V-230380
+{{ end }}