more changes to pfsense script

srg/firewall/check-stig-pfsense.py

@@ -6,8 +6,8 @@ def V_3000():
     desc = ''' The network device must log all interface access control lists (ACL) deny statements. '''
     print 'Testing Rule V_3000'
     print 'Description:{}'.format(desc)
-    print '=== Not Implemented! ==='
-    pass
+    print "[+] Enabled by default"
+    print "https://doc.pfsense.org/index.php/Firewall_Logs#Disable_Default_Block_Logging"
 
 def V_3008():
     fixtext = ''' Establish the VPN as a tunneled VPN.
@@ -18,18 +18,18 @@ Ensure all host-to-host VPN are established between trusted known hosts.
 
  '''
     desc = ''' The IAO will ensure IPSec VPNs are established as tunnel type VPNs when transporting management traffic across an ip backbone network. '''
+
     print 'Testing Rule V_3008'
     print 'Description:{}'.format(desc)
-    print '=== Not Implemented! ==='
-    pass
+    print '[?] I am pretty sure management interface cannot be accessed outside of network so this should not apply'
 
 def V_3012():
     fixtext = ''' Configure the network devices so it will require a password to gain administrative access to the device. '''
     desc = ''' Network devices must be password protected. '''
     print 'Testing Rule V_3012'
     print 'Description:{}'.format(desc)
-    print '=== Not Implemented! ==='
-    pass
+    print '[+] Password are implemented by default in pfsense.'
+    print '    Perhaps check if password hash matches default'
 
 def V_3013():
     fixtext = ''' Configure all management interfaces to the network device to display the DoD-mandated warning banner verbiage at logon regardless of the means of connection or communication. The required banner verbiage that must be displayed verbatim is as follows:
@@ -51,24 +51,39 @@ If the system is incapable of displaying the required banner verbiage due to its
     desc = ''' Network devices must display the DoD-approved logon banner warning. '''
     print 'Testing Rule V_3013'
     print 'Description:{}'.format(desc)
-    print '=== Not Implemented! ==='
-    pass
+    banner = '''You are accessing a U.S. Government (USG) Information System
+    (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+        - The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC
+        monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
+        - At any time, the USG may inspect and seize data stored on this IS.
+        - Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
+        - This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
+        - Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential.
+        See User Agreement for details.'''
+    # truncate whitespace in banner to just single ' ' character
+    banner = " ".join(banner.split())
+
+    # check if /etc/motd equals banner variable
+
+    print '[+] MOTD banner enabled for root ssh on all systems'
+    print '    see https://git.cybbh.space/vta/saltstack/blob/master/states/auth/root-ssh.sls'
+    print '    cat /etc/motd'
 
 def V_3014():
     fixtext = ''' Configure the network devices to ensure the timeout for unattended administrative access connections is no longer than 10 minutes. '''
     desc = ''' The network devices must timeout management connections for administrative access after 10 minutes or less of inactivity. '''
     print 'Testing Rule V_3014'
     print 'Description:{}'.format(desc)
-    print '=== Not Implemented! ==='
-    pass
+    print '[?] maybe implemented'
+    print '    cat /etc/sshd_config | grep "ClientAliveInterval 10"'
+    print '    cat /etc/sshd_config | grep "ClientAliveCountMax 0"'
 
 def V_3020():
     fixtext = ''' Configure the device to include DNS servers or disable domain lookup. '''
     desc = ''' Network devices must have DNS servers defined if it is configured as a client resolver. '''
     print 'Testing Rule V_3020'
     print 'Description:{}'.format(desc)
-    print '=== Not Implemented! ==='
-    pass
+    print '[?] Maybe implemented. Is the firewall configured as a client resolver? '
 
 def V_3021():
     fixtext = ''' Configure the network devices to only allow SNMP access from only addresses belonging to the management network. '''
@@ -759,7 +774,7 @@ def main():
     parser.add_argument('--V_25891', action='store_true', help='''Network device logs must include source IP, destination IP, port, protocol used and action taken.''')
     parser.add_argument('--V_28784', action='store_true', help='''A service or feature that calls home to the vendor must be disabled.''')
     parser.add_argument('--V_30638', action='store_true', help='''The IAO must ensure firewalls deployed in an IPv6 enclave meet the requirements defined by DITO and NSA milestone objective 3 guidance.''')
-    parser.add_argument('--V_72881', action='store_true', help='''The firewall must not be listening for telnet service.''') 
+    parser.add_argument('--V_72881', action='store_true', help='''The firewall must not be listening for telnet service.''')
 
 
     parser.add_argument('-a', '--all', action='store_true', help='''run all of the checks''')