Rspec HTML Reports - CIS 5 Access, Authentication and Authorization

OS	ubuntu
Release	18.04
Arch	x86_64
Cloud	AZ
Target	51.140.231.26

# Example Duration Status

5.1.1 Ensure cron daemon is enabled

0.17411

passed

5.1.2 Ensure permissions on /etc/crontab are configured

0.55935

passed

5.1.3 Ensure permissions on /etc/cron.hourly are configured

0.55834

passed

5.1.4 Ensure permissions on /etc/cron.daily are configured

0.57245

passed

5.1.5 Ensure permissions on /etc/cron.weekly are configured

0.58043

passed

5.1.6 Ensure permissions on /etc/cron.monthly are configured

0.57008

passed

5.1.7 Ensure permissions on /etc/cron.d are configured

0.57788

passed

5.1.8 Ensure at/cron is restricted to authorized users

0.57924

passed

5.4.2 Ensure system accounts are non-login

0.19648

passed

5.4.5 Ensure default user shell timeout is 900 seconds or less

0.19006

passed

5.2 SSH Server Configuration 5.2.1 Ensure permissions on /etc/ssh/sshd_config are configured

0.58612

passed

5.2 SSH Server Configuration 5.2.2 Ensure SSH Protocol is set to 2

0.19242

passed

5.2 SSH Server Configuration 5.2.3 Ensure SSH LogLevel is set to INFO

0.19332

passed

5.2 SSH Server Configuration 5.2.4 Ensure SSH X11 forwarding is disabled

0.19830

passed

5.2 SSH Server Configuration 5.2.5 Ensure SSH MaxAuthTries is set to 4 or less

0.19468

passed

5.2 SSH Server Configuration 5.2.6 Ensure SSH IgnoreRhosts is enabled

0.19855

passed

5.2 SSH Server Configuration 5.2.7 Ensure SSH HostbasedAuthentication is disabled

0.19419

passed

5.2 SSH Server Configuration 5.2.8 Ensure SSH root login is disabled

0.19877

passed

5.2 SSH Server Configuration 5.2.9 Ensure SSH PermitEmptyPasswords is disabled

0.19840

passed

5.2 SSH Server Configuration 5.2.10 Ensure SSH PermitUserEnvironment is disabled

0.20197

passed

5.2 SSH Server Configuration 5.2.13 Ensure SSH Idle Timeout Interval is configured

0.40359

passed

5.2 SSH Server Configuration 5.2.14 Ensure SSH LoginGraceTime is set to one minute or less

0.19326

passed

5.2 SSH Server Configuration 5.2.15 Ensure SSH warning banner is configured

0.19989

passed

5.2 SSH Server Configuration 5.2.11 Ensure only approved ciphers are used [] should be empty

0.00111

passed

5.2 SSH Server Configuration 5.2.12 Ensure only approved MAC algorithms are used [] should be empty

0.00096

passed

5.3 Configure PAM 5.3.1 Ensure password creation requirements are configured contains the pam_pwquality library

0.19785

passed

5.3 Configure PAM 5.3.1 Ensure password creation requirements are configured File "/etc/security/pwquality.conf" content should match /^minlen = (1[4-9]|2[0-9]|3[0-2])/

0.19864

passed

5.3 Configure PAM 5.3.1 Ensure password creation requirements are configured File "/etc/security/pwquality.conf" content should match /^dcredit = -1/

0.00111

passed

5.3 Configure PAM 5.3.1 Ensure password creation requirements are configured File "/etc/security/pwquality.conf" content should match /^ucredit = -1/

0.00099

passed

5.3 Configure PAM 5.3.1 Ensure password creation requirements are configured File "/etc/security/pwquality.conf" content should match /^ocredit = -1/

0.00097

passed

5.3 Configure PAM 5.3.1 Ensure password creation requirements are configured File "/etc/security/pwquality.conf" content should match /^lcredit = -1/

0.00098

passed

5.3 Configure PAM 5.3.2 Ensure lockout for failed password attempts is configured expect either pam_tally2 or pam_faillock to be installed

RSpec::Expectations::ExpectationNotMetError


expected: true
     got: false

(compared using ==)

Diff:[0m
[0m[34m@@ -1,2 +1,2 @@
[0m[31m-true
[0m[32m+false
[0m

Backtrace:

./spec/cis/5.Access_Authentication_Authorization_spec.rb:198:in `block (4 levels) in '

				installed = pam_tally2 or pam_faillock
--->				expect(installed).to eq true
			end
		
			if (os[:family] == 'redhat' or os[:family] == 'amazon')
				if (pam_faillock) 

0.00175

failed

5.3 Configure PAM 5.3.2 Ensure lockout for failed password attempts is configured contains the pam_tally2 library contains the config (?-mix:^auth\s+required\s+pam_tally2.so.*deny=\d+)

0.18768

passed

5.3 Configure PAM 5.3.2 Ensure lockout for failed password attempts is configured contains the pam_tally2 library contains the config (?-mix:^auth\s+required\s+pam_tally2.so.*unlock_time=)

0.19838

passed

5.3 Configure PAM 5.3.3 Ensure password reuse is limited contains the pam_pwhistory library

0.20312

passed

5.3 Configure PAM 5.3.4 Ensure password hashing algorithm is SHA-512 contains the sha512 flag

0.19952

passed

5.4.1 Set Shadow Password Suite Parameters 5.4.1.1 Ensure password expiration is 365 days or less

0.20510

passed

5.4.1 Set Shadow Password Suite Parameters 5.4.1.2 Ensure minimum days between password changes is 7 or more

0.20414

passed

5.4.1 Set Shadow Password Suite Parameters 5.4.1.3 Ensure password expiration warning days is 7 or more

0.20625

passed

5.4.1 Set Shadow Password Suite Parameters 5.4.1.4 Ensure inactive password lock is 30 days or less

0.20453

passed

5.4.1 Set Shadow Password Suite Parameters 5.4.1.5 Ensure all users last password change date is in the past

7.28140

passed

5.4.3 Ensure default group for the root account is GID 0 (Scored) User "root" should exist

0.22370

passed

5.4.3 Ensure default group for the root account is GID 0 (Scored) User "root" should have uid 0

0.21840

passed

5.4.3 Ensure default group for the root account is GID 0 (Scored) User "root" should belong to primary group "root"

0.25133

passed

5.4.4 Ensure default user umask is 027 or more restrictive should have at least one umask entry set

0.00060

passed

5.4.4 Ensure default user umask is 027 or more restrictive expects /etc/login.defs: to have umask 027

0.00030

passed

5.5 Ensure root login is restricted to system console cannot foresee physical consoles - not applicable to cloud

Skipped: No reason given

0.00002

pending

5.6 Ensure access to the su command is restricted File "/etc/pam.d/su" content should match /^auth\s+required\s+pam_wheel.so/

0.21411

passed