added inputs to allow indication of operational requirements document…

…ed with ISSO (#45)

Signed-off-by: kemley76 <kemley@mitre.org>

controls/SV-257792.rb

@@ -44,13 +44,21 @@
     !virtualization.system.eql?('docker')
   }
 
-  grub_stdout = command('grubby --info=ALL').stdout
-  setting = /vsyscall\s*=\s*none/
+  if input('vsyscall_required')
+    impact 0.0
+    describe 'N/A' do
+      skip "Profile inputs indicate that this parameter's setting is a documented operational requirement"
+    end
+  else
+
+    grub_stdout = command('grubby --info=ALL').stdout
+    setting = /vsyscall\s*=\s*none/
 
-  describe 'GRUB config' do
-    it 'should disable vsyscall' do
-      expect(parse_config(grub_stdout)['args']).to match(setting), 'Current GRUB configuration does not disable this setting'
-      expect(parse_config_file('/etc/default/grub')['GRUB_CMDLINE_LINUX']).to match(setting), 'Setting not configured to persist between kernel updates'
+    describe 'GRUB config' do
+      it 'should disable vsyscall' do
+        expect(parse_config(grub_stdout)['args']).to match(setting), 'Current GRUB configuration does not disable this setting'
+        expect(parse_config_file('/etc/default/grub')['GRUB_CMDLINE_LINUX']).to match(setting), 'Setting not configured to persist between kernel updates'
+      end
     end
   end
 end

controls/SV-257803.rb

@@ -42,26 +42,34 @@
     !virtualization.system.eql?('docker')
   }
 
-  parameter = 'kernel.core_pattern'
-  value = 1
-  regexp = /^\s*#{parameter}\s*=\s*#{value}\s*$/
+  if input('storing_core_dumps_required')
+    impact 0.0
+    describe 'N/A' do
+      skip "Profile inputs indicate that this parameter's setting is a documented operational requirement"
+    end
+  else
 
-  describe kernel_parameter(parameter) do
-    its('value') { should eq value }
-  end
+    parameter = 'kernel.core_pattern'
+    value = 1
+    regexp = /^\s*#{parameter}\s*=\s*#{value}\s*$/
+
+    describe kernel_parameter(parameter) do
+      its('value') { should eq value }
+    end
 
-  search_results = command("/usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F #{parameter}").stdout.strip.split("\n")
+    search_results = command("/usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F #{parameter}").stdout.strip.split("\n")
 
-  correct_result = search_results.any? { |line| line.match(regexp) }
-  incorrect_results = search_results.map(&:strip).reject { |line| line.match(regexp) }
+    correct_result = search_results.any? { |line| line.match(regexp) }
+    incorrect_results = search_results.map(&:strip).reject { |line| line.match(regexp) }
 
-  describe 'Kernel config files' do
-    it "should configure '#{parameter}'" do
-      expect(correct_result).to eq(true), 'No config file was found that correctly sets this action'
-    end
-    unless incorrect_results.nil?
-      it 'should not have incorrect or conflicting setting(s) in the config files' do
-        expect(incorrect_results).to be_empty, "Incorrect or conflicting setting(s) found:\n\t- #{incorrect_results.join("\n\t- ")}"
+    describe 'Kernel config files' do
+      it "should configure '#{parameter}'" do
+        expect(correct_result).to eq(true), 'No config file was found that correctly sets this action'
+      end
+      unless incorrect_results.nil?
+        it 'should not have incorrect or conflicting setting(s) in the config files' do
+          expect(incorrect_results).to be_empty, "Incorrect or conflicting setting(s) found:\n\t- #{incorrect_results.join("\n\t- ")}"
+        end
       end
     end
   end

controls/SV-257804.rb

@@ -28,8 +28,16 @@
     !virtualization.system.eql?('docker')
   }
 
-  describe kernel_module('atm') do
-    it { should be_disabled }
-    it { should be_blacklisted }
+  if input('atm_required')
+    impact 0.0
+    describe 'N/A' do
+      skip "Profile inputs indicate that this parameter's setting is a documented operational requirement"
+    end
+  else
+
+    describe kernel_module('atm') do
+      it { should be_disabled }
+      it { should be_blacklisted }
+    end
   end
 end

controls/SV-257805.rb

@@ -28,8 +28,16 @@
     !virtualization.system.eql?('docker')
   }
 
-  describe kernel_module('can') do
-    it { should be_disabled }
-    it { should be_blacklisted }
+  if input('can_required')
+    impact 0.0
+    describe 'N/A' do
+      skip "Profile inputs indicate that this parameter's setting is a documented operational requirement"
+    end
+  else
+
+    describe kernel_module('can') do
+      it { should be_disabled }
+      it { should be_blacklisted }
+    end
   end
 end

controls/SV-257806.rb

@@ -28,8 +28,16 @@
     !virtualization.system.eql?('docker')
   }
 
-  describe kernel_module('firewire_core') do
-    it { should be_disabled }
-    it { should be_blacklisted }
+  if input('firewire_required')
+    impact 0.0
+    describe 'N/A' do
+      skip "Profile inputs indicate that this parameter's setting is a documented operational requirement"
+    end
+  else
+
+    describe kernel_module('firewire_core') do
+      it { should be_disabled }
+      it { should be_blacklisted }
+    end
   end
 end

controls/SV-257807.rb

@@ -38,8 +38,17 @@
   only_if('This control is Not Applicable to containers', impact: 0.0) {
     !virtualization.system.eql?('docker')
   }
-  describe kernel_module('sctp') do
-    it { should be_disabled }
-    it { should be_blacklisted }
+
+  if input('sctp_required')
+    impact 0.0
+    describe 'N/A' do
+      skip "Profile inputs indicate that this parameter's setting is a documented operational requirement"
+    end
+  else
+
+    describe kernel_module('sctp') do
+      it { should be_disabled }
+      it { should be_blacklisted }
+    end
   end
 end

controls/SV-257808.rb

@@ -32,8 +32,16 @@
     !virtualization.system.eql?('docker')
   }
 
-  describe kernel_module('tipc') do
-    it { should be_disabled }
-    it { should be_blacklisted }
+  if input('tipc_required')
+    impact 0.0
+    describe 'N/A' do
+      skip "Profile inputs indicate that this parameter's setting is a documented operational requirement"
+    end
+  else
+
+    describe kernel_module('tipc') do
+      it { should be_disabled }
+      it { should be_blacklisted }
+    end
   end
 end

controls/SV-257812.rb

@@ -32,7 +32,15 @@
     !virtualization.system.eql?('docker')
   }
 
-  describe parse_config_file('/etc/systemd/coredump.conf') do
-    its('Coredump.ProcessSizeMax') { should cmp '0' }
+  if input('core_dumps_required')
+    impact 0.0
+    describe 'N/A' do
+      skip "Profile inputs indicate that this parameter's setting is a documented operational requirement"
+    end
+  else
+
+    describe parse_config_file('/etc/systemd/coredump.conf') do
+      its('Coredump.ProcessSizeMax') { should cmp '0' }
+    end
   end
 end

controls/SV-257813.rb

@@ -30,7 +30,15 @@
     !virtualization.system.eql?('docker')
   }
 
-  describe parse_config_file('/etc/systemd/coredump.conf') do
-    its('Coredump.Storage') { should cmp 'none' }
+  if input('storing_core_dumps_required')
+    impact 0.0
+    describe 'N/A' do
+      skip "Profile inputs indicate that this parameter's setting is a documented operational requirement"
+    end
+  else
+
+    describe parse_config_file('/etc/systemd/coredump.conf') do
+      its('Coredump.Storage') { should cmp 'none' }
+    end
   end
 end

controls/SV-257814.rb

@@ -32,27 +32,35 @@
     !virtualization.system.eql?('docker')
   }
 
-  setting = 'core'
-  expected_value = input('core_dump_expected_value')
+  if input('core_dumps_required')
+    impact 0.0
+    describe 'N/A' do
+      skip "Profile inputs indicate that this parameter's setting is a documented operational requirement"
+    end
+  else
+
+    setting = 'core'
+    expected_value = input('core_dump_expected_value')
 
-  limits_files = command('ls /etc/security/limits.d/*.conf').stdout.strip.split
-  limits_files.append('/etc/security/limits.conf')
+    limits_files = command('ls /etc/security/limits.d/*.conf').stdout.strip.split
+    limits_files.append('/etc/security/limits.conf')
 
-  # make sure that at least one limits.conf file has the correct setting
-  globally_set = limits_files.any? { |lf| !limits_conf(lf).read_params['*'].nil? && limits_conf(lf).read_params['*'].include?(['hard', setting.to_s, expected_value.to_s]) }
+    # make sure that at least one limits.conf file has the correct setting
+    globally_set = limits_files.any? { |lf| !limits_conf(lf).read_params['*'].nil? && limits_conf(lf).read_params['*'].include?(['hard', setting.to_s, expected_value.to_s]) }
 
-  # make sure that no limits.conf file has a value that contradicts the global set
-  failing_files = limits_files.select { |lf|
-    limits_conf(lf).read_params.values.flatten(1).any? { |l|
-      l[1].eql?(setting) && !l[2].to_i.eql?(expected_value)
+    # make sure that no limits.conf file has a value that contradicts the global set
+    failing_files = limits_files.select { |lf|
+      limits_conf(lf).read_params.values.flatten(1).any? { |l|
+        l[1].eql?(setting) && !l[2].to_i.eql?(expected_value)
+      }
     }
-  }
-  describe 'Limits files' do
-    it 'should disallow core dumps by default' do
-      expect(globally_set).to eq(true), "No correct global ('*') setting found"
-    end
-    it 'should not have any conflicting settings' do
-      expect(failing_files).to be_empty, "Files with incorrect '#{setting}' settings:\n\t- #{failing_files.join("\n\t- ")}"
+    describe 'Limits files' do
+      it 'should disallow core dumps by default' do
+        expect(globally_set).to eq(true), "No correct global ('*') setting found"
+      end
+      it 'should not have any conflicting settings' do
+        expect(failing_files).to be_empty, "Files with incorrect '#{setting}' settings:\n\t- #{failing_files.join("\n\t- ")}"
+      end
     end
   end
 end

controls/SV-257815.rb

@@ -36,14 +36,22 @@
     !virtualization.system.eql?('docker')
   }
 
-  s = systemd_service('systemd-coredump.socket')
-
-  describe.one do
-    describe s do
-      its('params.LoadState') { should eq 'masked' }
+  if input('core_dumps_required')
+    impact 0.0
+    describe 'N/A' do
+      skip "Profile inputs indicate that this parameter's setting is a documented operational requirement"
     end
-    describe s do
-      its('params.LoadState') { should eq 'not-found' }
+  else
+
+    s = systemd_service('systemd-coredump.socket')
+
+    describe.one do
+      describe s do
+        its('params.LoadState') { should eq 'masked' }
+      end
+      describe s do
+        its('params.LoadState') { should eq 'not-found' }
+      end
     end
   end
 end

controls/SV-257836.rb

@@ -27,7 +27,13 @@
   tag nist: ['CM-6 b']
   tag 'host', 'container'
 
-  describe package('quagga') do
-    it { should_not be_installed }
+  if input('quagga_required')
+    describe package('quagga') do
+      it { should be_installed }
+    end
+  else
+    describe package('quagga') do
+      it { should_not be_installed }
+    end
   end
 end

controls/SV-257880.rb

@@ -38,8 +38,17 @@
   only_if('This control is Not Applicable to containers', impact: 0.0) {
     !virtualization.system.eql?('docker')
   }
-  describe kernel_module('cramfs') do
-    it { should be_disabled }
-    it { should be_blacklisted }
+
+  if input('cramfs_required')
+    impact 0.0
+    describe 'N/A' do
+      skip "Profile inputs indicate that this parameter's setting is a documented operational requirement"
+    end
+  else
+
+    describe kernel_module('cramfs') do
+      it { should be_disabled }
+      it { should be_blacklisted }
+    end
   end
 end

controls/SV-257971.rb

@@ -45,26 +45,34 @@
     !virtualization.system.eql?('docker')
   }
 
-  parameter = 'net.ipv6.conf.all.accept_ra'
-  value = 0
-  regexp = /^\s*#{parameter}\s*=\s*#{value}\s*$/
+  if input('accept_ra_required')
+    impact 0.0
+    describe 'N/A' do
+      skip "Profile inputs indicate that this parameter's setting is a documented operational requirement"
+    end
+  else
 
-  describe kernel_parameter(parameter) do
-    its('value') { should eq value }
-  end
+    parameter = 'net.ipv6.conf.all.accept_ra'
+    value = 0
+    regexp = /^\s*#{parameter}\s*=\s*#{value}\s*$/
+
+    describe kernel_parameter(parameter) do
+      its('value') { should eq value }
+    end
 
-  search_results = command("/usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F #{parameter}").stdout.strip.split("\n")
+    search_results = command("/usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F #{parameter}").stdout.strip.split("\n")
 
-  correct_result = search_results.any? { |line| line.match(regexp) }
-  incorrect_results = search_results.map(&:strip).reject { |line| line.match(regexp) }
+    correct_result = search_results.any? { |line| line.match(regexp) }
+    incorrect_results = search_results.map(&:strip).reject { |line| line.match(regexp) }
 
-  describe 'Kernel config files' do
-    it "should configure '#{parameter}'" do
-      expect(correct_result).to eq(true), 'No config file was found that correctly sets this action'
-    end
-    unless incorrect_results.nil?
-      it 'should not have incorrect or conflicting setting(s) in the config files' do
-        expect(incorrect_results).to be_empty, "Incorrect or conflicting setting(s) found:\n\t- #{incorrect_results.join("\n\t- ")}"
+    describe 'Kernel config files' do
+      it "should configure '#{parameter}'" do
+        expect(correct_result).to eq(true), 'No config file was found that correctly sets this action'
+      end
+      unless incorrect_results.nil?
+        it 'should not have incorrect or conflicting setting(s) in the config files' do
+          expect(incorrect_results).to be_empty, "Incorrect or conflicting setting(s) found:\n\t- #{incorrect_results.join("\n\t- ")}"
+        end
       end
     end
   end