[FOR TESTING PURPOSES] testing delta formatting

README.md

@@ -1,13 +1,136 @@
-# Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
-"This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]."
----
-Name: Canonical_Ubuntu_20-04_LTS_STIG
-Author: The Authors
-Status: accepted on 2021-03-23
-Copyright: The Authors
-Copyright Email: [email protected]
-Version: 0.1.0
-Release: 1 Benchmark Date: 10 Mar 2021
-Reference: https://cyber.mil
-Reference by: DISA
-Reference source: STIG.DOD.MIL
+# canonical-ubuntu-20.04-lts-stig-baseline
+
+InSpec profile to validate the secure configuration of Ubuntu 20.04, against [DISA](https://iase.disa.mil/stigs/)'s Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide (STIG) Version 1, Release 6.
+
+## Getting Started  
+It is intended and recommended that InSpec run this profile from a __"runner"__ host (such as a DevOps orchestration server, an administrative management system, or a developer's workstation/laptop) against the target remotely over __ssh__.
+
+__For the best security of the runner, always install on the runner the _latest version_ of InSpec and supporting Ruby language components.__ 
+
+Latest versions and installation options are available at the [InSpec](http://inspec.io/) site. 
+
+## Tailoring to Your Environment
+The following inputs must be configured in an inputs ".yml" file for the profile to run correctly for your specific environment. More information about InSpec inputs can be found in the [InSpec Profile Documentation](https://www.inspec.io/docs/reference/profiles/).
+
+```yaml
+temporary_accounts: []
+banner_text: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
+
+    By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+
+    -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+
+    -At any time, the USG may inspect and seize data stored on this IS.
+
+    -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+
+    -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+
+    -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'
+  sudo_accounts: [ "ubuntu" ]
+  tmout: 600
+  action_mail_acct: root
+  audit_tools: [
+      '/sbin/auditctl',
+      '/sbin/aureport',
+      '/sbin/ausearch',
+      '/sbin/autrace',
+      '/sbin/auditd',
+      '/sbin/audispd',
+      '/sbin/augenrules'
+    ]
+  standard_audit_log_size: 8894028
+  aide_conf_path: '/etc/aide/aide.conf'
+  action_mail_acct: root
+  maxlogins: 10
+  is_kdump_required: false
+  is_system_networked: true
+  sssd_conf_path: '/etc/sssd/sssd.conf'
+  allowed_ca_fingerprints_regex: (9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)
+  allowed_network_interfaces: [
+      'lo',
+      'eth0'
+    ]
+  audit_sp_remote_server: '192.0.0.1'
+  approved_wireless_interfaces: []
+  fips_config_file: '/proc/sys/crypto/fips_enabled'
+  chrony_config_file: '/etc/chrony/chrony.conf'
+  useradd_config_file: '/etc/default/useradd'
+  rsyslog_config_file: '/etc/rsyslog.d/50-default.conf'
+  auditoffload_config_file: '/etc/cron.weekly/audit-offload'
+  audispremote_config_file: '/etc/audisp/plugins.d/au-remote.conf'
+  gdm3_config_file: '/etc/gdm3/greeter.dconf-defaults'
+```
+
+# Running This Baseline Directly from Github
+
+```
+# How to run
+inspec exec https://github.com/mitre/canonical-ubuntu-20.04-lts-stig-baseline/archive/master.tar.gz --target=ssh://<your_target_host_name_or_ip_address> --user=<target_account_with_administrative_privileges> --password=<password_for_target_account> --sudo --sudo-password=<sudo_password_for_target_if_required> --input-file=<path_to_your_inputs_file/name_of_your_inputs_file.yml> --reporter=cli json:<path_to_your_output_file/name_of_your_output_file.json>
+```
+
+### Different Run Options
+
+  [Full exec options](https://docs.chef.io/inspec/cli/#options-3)
+
+## Running This Baseline from a local Archive copy 
+
+If your runner is not always expected to have direct access to GitHub, use the following steps to create an archive bundle of this baseline and all of its dependent tests:
+
+(Git is required to clone the InSpec profile using the instructions below. Git can be downloaded from the [Git](https://git-scm.com/book/en/v2/Getting-Started-Installing-Git) site.)
+
+When the __"runner"__ host uses this profile baseline for the first time, follow these steps: 
+
+```
+mkdir profiles
+cd profiles
+git clone https://github.com/mitre/canonical-ubuntu-20.04-lts-stig-baseline
+inspec archive canonical-ubuntu-20.04-lts-stig-baseline
+inspec exec <name of generated archive> --target=ssh://<your_target_host_name_or_ip_address> --user=<target_account_with_administrative_privileges> --password=<password_for_target_account> --sudo --sudo-password=<sudo_password_for_target_if_required> --input-file=<path_to_your_inputs_file/name_of_your_inputs_file.yml> --reporter=cli json:<path_to_your_output_file/name_of_your_output_file.json>
+```
+For every successive run, follow these steps to always have the latest version of this baseline:
+
+```
+cd canonical-ubuntu-20.04-lts-stig-baseline
+git pull
+cd ..
+inspec archive canonical-ubuntu-20.04-lts-stig-baseline --overwrite
+inspec exec <name of generated archive> --target=ssh://<your_target_host_name_or_ip_address> --user=<target_account_with_administrative_privileges> --password=<password_for_target_account> --sudo --sudo-password=<sudo_password_for_target_if_required> --input-file=<path_to_your_inputs_file/name_of_your_inputs_file.yml> --reporter=cli json:<path_to_your_output_file/name_of_your_output_file.json>
+```
+
+## Viewing the JSON Results
+
+The JSON results output file can be loaded into __[heimdall-lite](https://heimdall-lite.mitre.org/)__ for a user-interactive, graphical view of the InSpec results. 
+
+The JSON InSpec results file may also be loaded into a __[full heimdall server](https://github.com/mitre/heimdall)__, allowing for additional functionality such as to store and compare multiple profile runs.
+
+## Authors
+* 
+
+## Special Thanks 
+* Mohamed El-Sharkawi - [HackerShark](https://github.com/HackerShark)
+
+## Contributing and Getting Help
+To report a bug or feature request, please open an [issue](https://github.com/mitre/canonical-ubuntu-20.04-lts-stig-baseline/issues/new).
+
+### NOTICE
+
+© 2018-2020 The MITRE Corporation.
+
+Approved for Public Release; Distribution Unlimited. Case Number 18-3678.
+
+### NOTICE
+
+MITRE hereby grants express written permission to use, reproduce, distribute, modify, and otherwise leverage this software to the extent permitted by the licensed terms provided in the LICENSE.md file included with this project.
+
+### NOTICE  
+
+This software was produced for the U. S. Government under Contract Number HHSM-500-2012-00008I, and is subject to Federal Acquisition Regulation Clause 52.227-14, Rights in Data-General.  
+
+No other use other than that granted to the U. S. Government, or to those acting on behalf of the U. S. Government under that Clause is authorized without the express written permission of The MITRE Corporation. 
+
+For further information, please contact The MITRE Corporation, Contracts Management Office, 7515 Colshire Drive, McLean, VA  22102-7539, (703) 983-6000.  
+
+### NOTICE
+
+DISA STIGs are published by DISA IASE, see: https://iase.disa.mil/Pages/privacy_policy.aspx   

controls/SV-238196.rb

@@ -0,0 +1,68 @@
+control "SV-238196" do
+  title "The Ubuntu operating system must provision temporary user accounts with an expiration time
+of 72 hours or less. "
+  desc "If temporary user accounts remain active when no longer needed or for an excessive period,
+these accounts may be used to gain unauthorized access. To mitigate this risk, automated
+termination of all temporary accounts must be set upon account creation.
+
+Temporary
+accounts are established as part of normal account activation procedures when there is a need
+for short-term accounts without the demand for immediacy in account activation.
+
+If
+temporary accounts are used, the operating system must be configured to automatically
+terminate these types of accounts after a DoD-defined time period of 72 hours.
+
+To address
+access requirements, many operating systems may be integrated with enterprise-level
+authentication/access mechanisms that meet or exceed access control policy requirements."
+  desc "check", "Verify that the Ubuntu operating system expires temporary user accounts within 72 hours or
+less.
+
+For every existing temporary account, run the following command to obtain its
+account expiration information:
+
+$ sudo chage -l system_account_name | grep expires
+
+
+Password expires : Aug 07, 2019
+Account expires : Aug 07, 2019
+
+Verify that each of these
+accounts has an expiration date set within 72 hours of account creation.
+
+If any temporary
+account does not expire within 72 hours of that account's creation, this is a finding."
+  desc "fix", "If a temporary account must be created, configure the system to terminate the account after a
+72-hour time period with the following command to set an expiration date on it.
+
+Substitute
+\"system_account_name\" with the account to be created.
+
+$ sudo chage -E $(date -d \"+3 days\"
++%F) system_account_name"
+  impact 0.5
+  tag severity: "medium "
+  tag gtitle: "SRG-OS-000002-GPOS-00002 "
+  tag gid: "V-238196 "
+  tag rid: "SV-238196r653763_rule "
+  tag stig_id: "UBTU-20-010000 "
+  tag fix_id: "F-41365r653762_fix "
+  tag cci: ["CCI-000016"]
+  tag nist: ["AC-2 (2)"]
+
+  temporary_accounts = input('temporary_accounts')
+
+  if temporary_accounts.empty?
+    describe 'Temporary accounts' do
+      subject { temporary_accounts }
+      it { should be_empty }
+    end
+  else
+    temporary_accounts.each do |acct|
+      describe command("chage -l #{acct} | grep 'Account expires'") do
+        its('stdout.strip') { should_not match /:\s*never/ }
+      end
+    end
+  end
+end

controls/SV-238197.rb

@@ -0,0 +1,109 @@
+control "SV-238197" do
+  title "The Ubuntu operating system must enable the graphical user logon banner to display the
+Standard Mandatory DoD Notice and Consent Banner before granting local access to the system
+via a graphical user logon. "
+  desc "Display of a standardized and approved use notification before granting access to the Ubuntu
+operating system ensures privacy and security notification verbiage used is consistent
+with applicable federal laws, Executive Orders, directives, policies, regulations,
+standards, and guidance.
+
+System use notifications are required only for access via logon
+interfaces with human users and are not required when such human interfaces do not exist.
+
+
+The banner must be formatted in accordance with applicable DoD policy. Use the following
+verbiage for operating systems that can accommodate banners of 1300 characters:
+
+\"You are
+accessing a U.S. Government (USG) Information System (IS) that is provided for
+USG-authorized use only.
+
+By using this IS (which includes any device attached to this IS),
+you consent to the following conditions:
+
+-The USG routinely intercepts and monitors
+communications on this IS for purposes including, but not limited to, penetration testing,
+COMSEC monitoring, network operations and defense, personnel misconduct (PM), law
+enforcement (LE), and counterintelligence (CI) investigations.
+
+-At any time, the USG may
+inspect and seize data stored on this IS.
+
+-Communications using, or data stored on, this IS
+are not private, are subject to routine monitoring, interception, and search, and may be
+disclosed or used for any USG-authorized purpose.
+
+-This IS includes security measures
+(e.g., authentication and access controls) to protect USG interests--not for your personal
+benefit or privacy.
+
+-Notwithstanding the above, using this IS does not constitute consent
+to PM, LE or CI investigative searching or monitoring of the content of privileged
+communications, or work product, related to personal representation or services by
+attorneys, psychotherapists, or clergy, and their assistants. Such communications and
+work product are private and confidential. See User Agreement for details.\"
+
+Use the
+following verbiage for operating systems that have severe limitations on the number of
+characters that can be displayed in the banner:
+
+\"I've read & consent to terms in IS user
+agreem't.\""
+  desc "check", "Verify the Ubuntu operating system is configured to display the Standard Mandatory DoD
+Notice and Consent Banner before granting access to the operating system via a graphical user
+logon.
+
+Note: If the system does not have a graphical user interface installed, this
+requirement is Not Applicable.
+
+Check that the operating banner message for the graphical
+user logon is enabled with the following command:
+
+$ grep ^banner-message-enable
+/etc/gdm3/greeter.dconf-defaults
+
+banner-message-enable=true
+
+If the line is
+commented out or set to \"false\", this is a finding."
+  desc "fix", "Edit the \"/etc/gdm3/greeter.dconf-defaults\" file.
+
+Look for the
+\"banner-message-enable\" parameter under the \"[org/gnome/login-screen]\" section and
+uncomment it (remove the leading \"#\" characters):
+
+Note: The lines are all near the bottom of
+the file but not adjacent to each other.
+
+[org/gnome/login-screen]
+
+
+banner-message-enable=true
+
+Update the GDM with the new configuration:
+
+$ sudo dconf
+update
+$ sudo systemctl restart gdm3"
+  impact 0.5
+  tag severity: "medium "
+  tag gtitle: "SRG-OS-000023-GPOS-00006 "
+  tag gid: "V-238197 "
+  tag rid: "SV-238197r653766_rule "
+  tag stig_id: "UBTU-20-010002 "
+  tag fix_id: "F-41366r653765_fix "
+  tag cci: ["CCI-000048"]
+  tag nist: ["AC-8 a"]
+
+  xorg_status = command('which Xorg').exit_status
+  if xorg_status == 0
+    describe 'banner-message-enable must be set to true' do
+      subject { command('grep banner-message-enable /etc/dconf/db/local.d/*') }
+      its('stdout') { should match /(banner-message-enable).+=.+(true)/ }
+    end
+  else
+    describe command('which Xorg').exit_status do
+      skip("GUI not installed.\nwhich Xorg exit_status: " + command('which Xorg').exit_status.to_s)
+    end
+  end
+end