>From c2485bfe85671b6823cbfb01f97998cc702dac5c Mon Sep 17 00:00:00 2001 
From: Shawn Wells
Date: Sun, 15 Sep 2013 16:34:00 -0400
Subject: [PATCH 14/22] New remediation template: create_kernel_module_disabled
Created bash remediation template for kernel_module_disabled checks testing by: oscap xccdf eval --profile stig-rhel6-server --results /var/www/html/ssg-results/results.xml --report /var/www/html/ssg-results/report.html --cpe-dict ssg-rhel6-cpe-dictionary.xml ssg-rhel6-xccdf.xml ; oscap xccdf generate fix --result-id xccdf_org.open-scap_testresult_stig-rhel6-server /var/www/html/ssg-results/results.xml > /var/www/html/ssg-results/script.sh bash /var/www/html/ssg-results/script.sh oscap xccdf eval --profile stig-rhel6-server --results /var/www/html/ssg-results/results.xml --report /var/www/html/ssg-results/report.html --cpe-dict ssg-rhel6-cpe-dictionary.xml ssg-rhel6-xccdf.xml ; oscap xccdf generate fix --result-id xccdf_org.open-scap_testresult_stig-rhel6-server /var/www/html/ssg-results/results.xml > /var/www/html/ssg-results/script.sh ... and then seeing everything turn green
---
 .../fixes/bash/kernel_module_cramfs_disabled.sh | 1 +
 .../fixes/bash/kernel_module_dccp_disabled.sh | 1 +
 .../fixes/bash/kernel_module_freevxfs_disabled.sh | 1 +
 .../input/fixes/bash/kernel_module_hfs_disabled.sh | 1 +
 .../fixes/bash/kernel_module_hfsplus_disabled.sh | 1 +
 .../fixes/bash/kernel_module_jffs2_disabled.sh | 1 +
 .../input/fixes/bash/kernel_module_rds_disabled.sh | 1 +
 .../fixes/bash/kernel_module_sctp_disabled.sh | 1 +
 .../fixes/bash/kernel_module_squashfs_disabled.sh | 1 +
 .../fixes/bash/kernel_module_tipc_disabled.sh | 1 +
 .../input/fixes/bash/kernel_module_udf_disabled.sh | 1 +
 .../bash/kernel_module_usb-storage_disabled.sh | 1 +
 RHEL6/input/fixes/bash/templates/Makefile | 5 ++-
 .../templates/create_kernel_module_disabled.py | 40 ++++++++++++++++++++
 .../bash/templates/template_kernel_module_disabled | 1 +
 15 files changed, 57 insertions(+), 1 deletions(-)
 create mode 100644 RHEL6/input/fixes/bash/kernel_module_cramfs_disabled.sh
 create mode 100644 RHEL6/input/fixes/bash/kernel_module_dccp_disabled.sh
 create mode 100644 RHEL6/input/fixes/bash/kernel_module_freevxfs_disabled.sh
 create mode 100644 RHEL6/input/fixes/bash/kernel_module_hfs_disabled.sh
 create mode 100644 RHEL6/input/fixes/bash/kernel_module_hfsplus_disabled.sh
 create mode 100644 RHEL6/input/fixes/bash/kernel_module_jffs2_disabled.sh
 create mode 100644 RHEL6/input/fixes/bash/kernel_module_rds_disabled.sh
 create mode 100644 RHEL6/input/fixes/bash/kernel_module_sctp_disabled.sh
 create mode 100644 RHEL6/input/fixes/bash/kernel_module_squashfs_disabled.sh
 create mode 100644 RHEL6/input/fixes/bash/kernel_module_tipc_disabled.sh
 create mode 100644 RHEL6/input/fixes/bash/kernel_module_udf_disabled.sh
 create mode 100644 RHEL6/input/fixes/bash/kernel_module_usb-storage_disabled.sh
 create mode 100755 RHEL6/input/fixes/bash/templates/create_kernel_module_disabled.py
 create mode 100644 RHEL6/input/fixes/bash/templates/template_kernel_module_disabled
diff --git a/RHEL6/input/fixes/bash/kernel_module_cramfs_disabled.sh b/RHEL6/input/fixes/bash/kernel_module_cramfs_disabled.sh
new file mode 100644
index 0000000..1518a90
--- /dev/null
+++ b/RHEL6/input/fixes/bash/kernel_module_cramfs_disabled.sh
@@ -0,0 +1 @@
+echo "install cramfs /bin/false" > /etc/modprobe.d/cramfs.conf
diff --git a/RHEL6/input/fixes/bash/kernel_module_dccp_disabled.sh b/RHEL6/input/fixes/bash/kernel_module_dccp_disabled.sh
new file mode 100644
index 0000000..e3444d5
--- /dev/null
+++ b/RHEL6/input/fixes/bash/kernel_module_dccp_disabled.sh
@@ -0,0 +1 @@
+echo "install dccp /bin/false" > /etc/modprobe.d/dccp.conf
diff --git a/RHEL6/input/fixes/bash/kernel_module_freevxfs_disabled.sh b/RHEL6/input/fixes/bash/kernel_module_freevxfs_disabled.sh
new file mode 100644
index 0000000..a57473c
--- /dev/null
+++ b/RHEL6/input/fixes/bash/kernel_module_freevxfs_disabled.sh
@@ -0,0 +1 @@
+echo "install freevxfs /bin/false" > /etc/modprobe.d/freevxfs.conf
diff --git a/RHEL6/input/fixes/bash/kernel_module_hfs_disabled.sh b/RHEL6/input/fixes/bash/kernel_module_hfs_disabled.sh
new file mode 100644
index 0000000..10ac958
--- /dev/null
+++ b/RHEL6/input/fixes/bash/kernel_module_hfs_disabled.sh
@@ -0,0 +1 @@
+echo "install hfs /bin/false" > /etc/modprobe.d/hfs.conf
diff --git a/RHEL6/input/fixes/bash/kernel_module_hfsplus_disabled.sh b/RHEL6/input/fixes/bash/kernel_module_hfsplus_disabled.sh
new file mode 100644
index 0000000..20806af
--- /dev/null
+++ b/RHEL6/input/fixes/bash/kernel_module_hfsplus_disabled.sh
@@ -0,0 +1 @@
+echo "install hfsplus /bin/false" > /etc/modprobe.d/hfsplus.conf
diff --git a/RHEL6/input/fixes/bash/kernel_module_jffs2_disabled.sh b/RHEL6/input/fixes/bash/kernel_module_jffs2_disabled.sh
new file mode 100644
index 0000000..678e2c2
--- /dev/null
+++ b/RHEL6/input/fixes/bash/kernel_module_jffs2_disabled.sh
@@ -0,0 +1 @@
+echo "install jffs2 /bin/false" > /etc/modprobe.d/jffs2.conf
diff --git a/RHEL6/input/fixes/bash/kernel_module_rds_disabled.sh b/RHEL6/input/fixes/bash/kernel_module_rds_disabled.sh
new file mode 100644
index 0000000..0ec2208
--- /dev/null
+++ b/RHEL6/input/fixes/bash/kernel_module_rds_disabled.sh
@@ -0,0 +1 @@
+echo "install rds /bin/false" > /etc/modprobe.d/rds.conf
diff --git a/RHEL6/input/fixes/bash/kernel_module_sctp_disabled.sh b/RHEL6/input/fixes/bash/kernel_module_sctp_disabled.sh
new file mode 100644
index 0000000..2f18600
--- /dev/null
+++ b/RHEL6/input/fixes/bash/kernel_module_sctp_disabled.sh
@@ -0,0 +1 @@
+echo "install sctp /bin/false" > /etc/modprobe.d/sctp.conf
diff --git a/RHEL6/input/fixes/bash/kernel_module_squashfs_disabled.sh b/RHEL6/input/fixes/bash/kernel_module_squashfs_disabled.sh
new file mode 100644
index 0000000..f3a1fdd
--- /dev/null
+++ b/RHEL6/input/fixes/bash/kernel_module_squashfs_disabled.sh
@@ -0,0 +1 @@
+echo "install squashfs /bin/false" > /etc/modprobe.d/squashfs.conf
diff --git a/RHEL6/input/fixes/bash/kernel_module_tipc_disabled.sh b/RHEL6/input/fixes/bash/kernel_module_tipc_disabled.sh
new file mode 100644
index 0000000..f7a54b3
--- /dev/null
+++ b/RHEL6/input/fixes/bash/kernel_module_tipc_disabled.sh
@@ -0,0 +1 @@
+echo "install tipc /bin/false" > /etc/modprobe.d/tipc.conf
diff --git a/RHEL6/input/fixes/bash/kernel_module_udf_disabled.sh b/RHEL6/input/fixes/bash/kernel_module_udf_disabled.sh
new file mode 100644
index 0000000..0781ecd
--- /dev/null
+++ b/RHEL6/input/fixes/bash/kernel_module_udf_disabled.sh
@@ -0,0 +1 @@
+echo "install udf /bin/false" > /etc/modprobe.d/udf.conf
diff --git a/RHEL6/input/fixes/bash/kernel_module_usb-storage_disabled.sh b/RHEL6/input/fixes/bash/kernel_module_usb-storage_disabled.sh
new file mode 100644
index 0000000..1d9a36d
--- /dev/null
+++ b/RHEL6/input/fixes/bash/kernel_module_usb-storage_disabled.sh
@@ -0,0 +1 @@
+echo "install usb-storage /bin/false" > /etc/modprobe.d/usb-storage.conf
diff --git a/RHEL6/input/fixes/bash/templates/Makefile b/RHEL6/input/fixes/bash/templates/Makefile
index 9d317f4..33a0ed1 100644
--- a/RHEL6/input/fixes/bash/templates/Makefile
+++ b/RHEL6/input/fixes/bash/templates/Makefile
@@ -1,4 +1,4 @@
-templates: sysctls services
+templates: sysctls services kernel_modules
 sysctls: ./create_sysctl_bash.py ../../../checks/templates/sysctl_values.csv
@@ -10,6 +10,9 @@ services:
 compare: diff output/ ../ | grep -v "Only in ../"
+kernel_modules: ./create_kernel_module_disabled.py ../../../checks/templates/kernel_modules_disabled.csv
+
 copy: cp output/*.sh ../
diff --git a/RHEL6/input/fixes/bash/templates/create_kernel_module_disabled.py b/RHEL6/input/fixes/bash/templates/create_kernel_module_disabled.py
new file mode 100755
index 0000000..3f74a8d
--- /dev/null
+++ b/RHEL6/input/fixes/bash/templates/create_kernel_module_disabled.py
@@ -0,0 +1,40 @@
+#!/usr/bin/python
+
+#
+# create_kernel_modules_disabled.py
+# automatically generate checks for disabled kernel modules
+#
+# NOTE: The file 'template_kernel_module_disabled' should be located in the
+# same working directory as this script. The template contains the following
+# tags that *must* be replaced successfully in order for the checks to work.
+#
+# KERNMODULE - the name of the kernel module that should be disabled
+#
+
+import sys, csv, re
+
+def output_checkfile(kerninfo):
+ # get the items out of the list
+ kernmod = kerninfo[0]
+ with open("./template_kernel_module_disabled", 'r') as templatefile:
+ filestring = templatefile.read()
+ filestring = filestring.replace("KERNMODULE", kernmod)
+ with open("./output/kernel_module_" + kernmod + "_disabled.sh", 'wb+') as outputfile:
+ outputfile.write(filestring)
+ outputfile.close()
+
+def main():
+ if len(sys.argv) < 2:
+ print "Provide a CSV file containing lines of the format: kernmod"
+ sys.exit(1)
+ with open(sys.argv[1], 'r') as f:
+ # put the CSV line's items into a list
+ lines = csv.reader(f)
+ for line in lines:
+ output_checkfile(line)
+
+ sys.exit(0)
+
+if __name__ == "__main__":
+ main()
+
diff --git a/RHEL6/input/fixes/bash/templates/template_kernel_module_disabled b/RHEL6/input/fixes/bash/templates/template_kernel_module_disabled
new file mode 100644
index 0000000..9fbfcc1
--- /dev/null
+++ b/RHEL6/input/fixes/bash/templates/template_kernel_module_disabled
@@ -0,0 +1 @@
+echo "install KERNMODULE /bin/false" > /etc/modprobe.d/KERNMODULE.conf
-- 
1.7.1
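Review bot: `kernmod = kerninfo[0]` in output_checkfile raises IndexError on a blank CSV row, which csv.reader yields as an empty list, and the value is then pasted verbatim into both a shell command and an /etc/modprobe.d path in the generated fix with no validation, even though `re` is imported and never used. The CSV is project-controlled, so this is robustness rather than an exploitable hole, but a skip-empty guard plus a `re.match(r'^[A-Za-z0-9_-]+$', kernmod)` check makes a typo or stray field in the CSV fail at generation time instead of silently producing a malformed remediation script. The `outputfile.close()` inside the `with` block is redundant, and the header comment names the script `create_kernel_modules_disabled.py` and says it generates "checks" while the file is `create_kernel_module_disabled.py` and writes bash fixes; suggest `# create_kernel_module_disabled.py` / `# automatically generate bash remediations for disabled kernel modules`. The script also assumes ./output already exists (the `open(..., 'wb+')` fails otherwise), which the header should state or the script should create with os.makedirs.
```python
def output_checkfile(kerninfo):
    # blank CSV rows come through csv.reader as [] -- skip them instead of raising IndexError
    if not kerninfo:
        return
    kernmod = kerninfo[0].strip()
    # the name lands verbatim in a shell command and a /etc/modprobe.d path in the generated fix
    if not re.match(r'^[A-Za-z0-9_-]+$', kernmod):
        raise ValueError("invalid kernel module name: %r" % kernmod)
    # ... unchanged: read template, substitute KERNMODULE, write ./output/kernel_module_<name>_disabled.sh ...
```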
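Review bot: The `install KERNMODULE /bin/false` stanza only prevents future loads, so a module that is already loaded when the fix runs stays resident until it is unloaded or the host reboots; the twelve generated kernel_module_*_disabled.sh files inherit this, and a check that inspects only /etc/modprobe.d will report green while the module is still active. Worth a comment in the template such as `# takes effect on the next load attempt; an already-loaded module must be unloaded or the system rebooted`. Using `/bin/false` means any attempt to load the module, including incidental probes by other tooling, exits non-zero and may surface as errors; `/bin/true` refuses the load equally but silently, so whichever is kept should be a deliberate, documented choice. The `>` redirect also replaces any existing KERNMODULE.conf outright, which is fine for these per-module files but would discard a hand-edited file carrying extra options.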