diff --git a/README.md b/README.md index cce5a7e..66292cf 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,36 @@ +Please create any issues on the [Hubble](https://github.com/hubblestack/hubble) +repo. + +Table of Contents +================= + + * [Hubble](#hubble) + * [Installation (GitFS)](#installation-gitfs) + * [Schedule](#schedule) + * [Contribute](#contribute) + * [Nova](#nova) + * [Introduction](#introduction) + * [Usage](#usage) + * [Nova Topfiles](#nova-topfiles) + * [Compensating Control Configuration](#compensating-control-configuration) + * [Configuration](#configuration) + * [Development](#development) + * [Anatomy of a Nova audit module](#anatomy-of-a-nova-audit-module) + * [Nebula](#nebula) + * [Introduction](#introduction-1) + * [Usage](#usage-1) + * [Configuration](#configuration-1) + * [Pulsar](#pulsar) + * [Introduction](#introduction-2) + * [Usage](#usage-2) + * [Configuration](#configuration-2) + * [Excluding Paths](#excluding-paths) + * [Troubleshooting](#troubleshooting) + * [Under The Hood](#under-the-hood) + * [Quasar](#quasar) + * [Introduction](#introduction-3) + * [Usage](#usage-3) + # Hubble Hubble is a modular, open-source security compliance framework built on top of @@ -23,7 +56,7 @@ fileserver_backend: - git gitfs_remotes: - https://github.com/hubblestack/hubble-salt.git: - - base: v2017.4.1 + - base: v2017.8.1 - root: '' ``` 
@@ -34,3 +67,461 @@ minions. See `pillar.example` for sample pillar data for configuring the pulsar beacon and the splunk/slack returners. + +## Schedule + +Here is a sample cron file you can drop into cron.d in order to run the jobs +at regular intervals and return the results to splunk: + +```bash +# Recommended cron jobs for minions +# +# This file is here for your consumption, but will not automatically be +# deployed by hubble. We recommend you deploy this file on the master at +# /etc/cron.d/hubblestack_cron +# +# If you're worried about master load for running these jobs (most teams won't +# have a problem with this, unless they are several thousand servers per +# master), then use the hubblestack_masterless instructions in this repo +# instead. + +MAILTO="" +SHELL=/bin/bash +*/15 * * * * root /usr/bin/salt '*' nebula.queries fifteen_min --return +splunk_nebula_return +@hourly root /usr/bin/salt '*' nebula.queries hour --return +splunk_nebula_return +@daily root /usr/bin/salt '*' nebula.queries day --return +splunk_nebula_return +@daily root /usr/bin/salt '*' cp.cache_file +salt://hubblestack_pulsar/hubblestack_pulsar_config.yaml +@daily root /usr/bin/salt '*' cp.cache_file +salt://hubblestack_pulsar/hubblestack_pulsar_win_config.yaml +@daily root /usr/bin/salt '*' hubble.top verbose=True show_profile=True +--return splunk_nova_return +@daily root /usr/bin/salt '*' saltutil.sync_all +``` + +## Contribute + +If you are interested in contributing or offering feedback to this project feel +free to submit an issue or a pull request. We're very open to community +contribution. + + +# Nova + +## Introduction + +Nova is designed to audit the compliance and security level of a system. It is +composed of multiple modules, which ingest YAML configuration profiles to run a +single or series of audits against a system. + +## Usage + +There are four primary functions in the hubble.py module: + +1. 
`hubble.sync` will sync the `hubblestack_nova_profiles/` and `hubblestack_nova/` directories to the minion(s). +2. `hubble.load` will load the synced audit modules and their yaml configuration files. +3. `hubble.audit` will audit the minion(s) using the YAML profile(s) you provide as comma-separated arguments +4. `hubble.top` will audit the minion(s) using the `top.nova` configuration. + +`hubble.audit` takes two optional arguments. The first is a comma-separated +list of paths. These paths can be files or directories within the +`hubblestack_nova_profiles` directory. The second argument allows for +toggling Nova configuration, such as verbosity, level of detail, etc. + +If `hubble.audit` is run without targeting any audit configs or directories, +it will instead run `hubble.top` with no arguments. + +`hubble.audit` will return a list of audits which were successful, and a list +of audits which failed. + +Here are some example calls: + +```bash +# Run the cve scanner and the CIS profile: +salt \* hubble.audit cve.scan-v2,cis.centos-7-level-1-scored-v1 + +# Run hubble.top with the default topfile (top.nova) +salt \* hubble.top + +# Run all yaml configs and tags under salt://hubblestack_nova_profiles/foo/ +# and salt://hubblestack_nova_profiles/bar, but only run audits with tags +# starting with "CIS" +salt \* hubble.audit foo,bar tags='CIS*' +``` + +## Nova Topfiles + +Nova topfiles look very similar to saltstack topfiles, except the top-level +key is always `nova`, as nova doesn't have environments. + +```yaml +nova: + '*': + - cve.scan-v2 + - network.ssh + - network.smtp + 'web*': + - cis.centos-7-level-1-scored-v1 + - cis.centos-7-level-2-scored-v1 + 'G@os_family:debian': + - network.ssh + - cis.debian-7-level-1-scored: 'CIS*' +``` + +Additionally, all nova topfile matches are compound matches, so you never +need to define a match type like you do in saltstack topfiles. 
+ +Each list item is a string representing the dot-separated location of a +yaml file which will be run with hubble.audit. You can also specify a +tag glob to use as a filter for just that yaml file, using a colon +after the yaml file (turning it into a dictionary). See the last two lines +in the yaml above for examples. + +Examples: + +```bash +salt '*' hubble.top +salt '*' hubble.top foo/bar/top.nova +salt '*' hubble.top foo/bar.nova verbose=True +``` + +## Compensating Control Configuration + +In some cases, your organization may want to skip certain audit checks for +certain hosts. This is supported via compensating control configuration. + +You can skip a check globally by adding a `control: ` key to the check +itself. This key should be added at the same level as `description` and +`trigger` pieces of a check. In this case, the check will never run, and will +output under the `Controlled` results key. + +Nova also supports separate control profiles, for more fine-grained control +using topfiles. You can use a separate YAML top-level key called `control`. +Generally, you'll put this top-level key inside of a separate YAML file and +only include it in the top-data for the hosts for which it is relevant. + +For these separate control configs, the audits will always run, whether they +are controlled or not. However, controlled audits which fail will be converted +from `Failure` to `Controlled` in a post-processing operation. + +The control config syntax is as follows: + +```yaml +control: + - CIS-2.1.4: This is the reason we control the check + - some_other_tag: + reason: This is the reason we control the check + - a_third_tag_with_no_reason +``` + +Note that providing a reason for the control is optional. Any of the three +formats shown in the yaml list above will work. + +Once you have your compensating control config, just target the yaml to the +hosts you want to control using your topfile. 
In this case, all the audits will +still run, but if any of the controlled checks fail, they will be removed from +`Failure` and added to `Controlled`, and will be treated as a Success for +the purposes of compliance percentage. + +## Configuration + +1. The directory/environment in which nova searches for audit modules are +configurable via pillar. The defaults are shown below: + +```yaml +hubblestack: + nova: + saltenv: base + module_dir: salt://hubblestack_nova + profile_dir: salt://hubblestack_nova_profiles +``` + +2. By default, `hubble.audit` will call `hubble.load` (which in turn calls +`hubble.sync`) in order to ensure that it is auditing with the most up-to-date +information. These operations are fairly fast, but if you want to avoid the +additional overhead, you can disable these behaviors via pillar (defaults are +shown, change to False to disable behaviors): + + +```yaml +hubblestack: + nova: + autosync: True + autoload: True +``` + +## Development + +If you're interested in contributing to this project this section outlines the +structure and requirements for Nova audit module development. + +### Anatomy of a Nova audit module + +```python +# -*- encoding: utf-8 -*- +''' +Loader and primary interface for nova modules + +:maintainer: HubbleStack +:maturity: 20160214 +:platform: Linux +:requires: SaltStack + +''' +from __future__ import absolute_import +import logging +``` + +All Nova plugins should include the above header, expanding the docstring to +include full documentation + +```python +import fnmatch +import salt.utils + +def __virtual__(): + if salt.utils.is_windows(): + return False, 'This audit module only runs on linux' + return True + + +def audit(data_list, tag, debug=False): + __tags__ = [] + for profile, data in data_list: + # This is where you process the dictionaries passed in by hubble.py, + # searching for data pertaining to this audit module. 
Modules which + # require no data should use yaml which is empty except for a + # top-level key, and should only do work if the top-level key is + # found in the data + + # We need to also inject the profile # in the data for each check so + # that it appears in verbose output + pass + + ret = {'Success': [], 'Failure': []} + for tag in __tags__: + if fnmatch.fnmatch(tag, tags): + # We should run this tag + # + ret['Success'].append(tag) + return ret +``` + +All Nova plugins require a `__virtual__()` function to determine module +compatibility, and an `audit()` function to perform the actual audit +functionality + +The `audit()` function must take three arguments, `data_list`, `tag`, and +`debug`. The `data_list` argument is a list of dictionaries passed in by +`hubble.py`. `hubble.py` gets this data from loading the specified yaml for the +audit run. Your audit module should only run if it finds its own data in this +list. The `tag` argument is a glob expression for which tags the audit function +should run. It is the job of the audit module to compare the `tag` glob with +all tags supported by this module and only run the audits which match. The +`debug` argument tells whether the module should log additional debugging +information at debug log level. + +The return value should be a dictionary, with optional keys "Success", +"Failure", and "Controlled". The values for these keys should be a list of +one-key dictionaries in the form of `{: }`, or a +list of one-key dictionaries in the form of `{: }` (in the +case of `verbose`). + + +# Nebula + +## Introduction + +Nebula is Hubble's Insight system, which ties into ``osquery``, allowing you to +query your infrastructure as if it were a database. This system can be used to +take scheduled snapshots of your systems. + +Note: Currently only supported on SaltStack 2015.8 and above. You can actually +sync the osquery execution module from a newer version of salt to 2015.5 +minions and it seems to work without issue. 
Officially, just upgrade to 2015.8. + +Nebula has a semi-hard dependency on the ``osqueryi`` binary. See install +requirements here https://osquery.io/downloads/ + +## Usage + +These queries have been designed to give detailed insight into system activity. + +`hubblestack_nebula/hubblestack_nebula_queries.yaml` + +```yaml +fifteen_min: + - query_name: running_procs + query: SELECT p.name AS process, p.pid AS process_id, p.cmdline, p.cwd, p.on_disk, p.resident_size AS mem_used, p.parent, g.groupname, u.username AS user, p.path, h.md5, h.sha1, h.sha256 FROM processes AS p LEFT JOIN users AS u ON p.uid=u.uid LEFT JOIN groups AS g ON p.gid=g.gid LEFT JOIN hash AS h ON p.path=h.path; + - query_name: established_outbound + query: SELECT t.iso_8601 AS _time, pos.family, h.*, ltrim(pos.local_address, ':f') AS src, pos.local_port AS src_port, pos.remote_port AS dest_port, ltrim(remote_address, ':f') AS dest, name, p.path AS file_path, cmdline, pos.protocol, lp.protocol FROM process_open_sockets AS pos JOIN processes AS p ON p.pid=pos.pid LEFT JOIN time AS t LEFT JOIN (SELECT * FROM listening_ports) AS lp ON lp.port=pos.local_port AND lp.protocol=pos.protocol LEFT JOIN hash AS h ON h.path=p.path WHERE NOT remote_address='' AND NOT remote_address='::' AND NOT remote_address='0.0.0.0' AND NOT remote_address='127.0.0.1' AND port is NULL; + - query_name: listening_procs + query: SELECT t.iso_8601 AS _time, h.md5 AS md5, p.pid, name, ltrim(address, ':f') AS address, port, p.path AS file_path, cmdline, root, parent FROM listening_ports AS lp LEFT JOIN processes AS p ON lp.pid=p.pid LEFT JOIN time AS t LEFT JOIN hash AS h ON h.path=p.path WHERE NOT address='127.0.0.1'; + - query_name: suid_binaries + query: SELECT sb.*, t.iso_8601 AS _time FROM suid_bin AS sb JOIN time AS t; +hour: + - query_name: crontab + query: SELECT c.*,t.iso_8601 AS _time FROM crontab AS c JOIN time AS t; +day: + - query_name: rpm_packages + query: SELECT rpm.name, rpm.version, rpm.release, rpm.source AS 
package_source, rpm.size, rpm.sha1, rpm.arch, t.iso_8601 FROM rpm_packages AS rpm JOIN time AS t; +``` + +## Configuration + +The only configuration required to use Nebula is to incorporate the Queries and +the Schedule into your minion config or pillar (pillar recommended). See the +Usage section above for more information. + +Nebula leverages the ``osquery_nebula`` execution module, which needs to be +synced to each minion. In addition, this also requires the ``osquery`` binary +to be installed. + +More information about osquery can be found at https://osquery.io. + +Note: ``osqueryd`` does not need to be running, as we handle the scheduled +queries via the cron jobs. + + +# Pulsar + +Note: After syncing a new version of a beacon to salt, the salt-minion +must be restarted to pick up the change. See +https://github.com/saltstack/salt/issues/35960 for more info + +## Introduction + +Pulsar is designed to monitor for file system events, acting as a real-time +File Integrity Monitoring (FIM) agent. Pulsar is composed of a custom Salt +beacon that watches for these events and hooks into the returner system for +alerting and reporting. + +In other words, you can recieve real-time alerts for unscheduled file system +modifications *anywhere* you want to recieve them. + +We've designed Pulsar to be lightweight and not dependent on a Salt Master. It +simply watches for events and directly sends them to one of the Pulsar +returner destinations (see Quasar for more on these). + +## Usage + +Once Pulsar is fully running there isn't anything you need to do to interact +with it. It simply runs quietly in the background and sends you alerts. + +## Configuration + +The default Pulsar configuration (found in ````) +is meant to act as a template. It works in tandem with the +```` file. Every environment will have +different needs and requirements, and we understand that, so we've designed +Pulsar to be flexible. 
+ +** pillar.example ** + +```yaml +beacons: + pulsar: + paths: + - /var/cache/salt/minion/files/base/hubblestack_pulsar/hubblestack_pulsar_config.yaml +schedule: + cache_pulsar: + function: cp.cache_file + seconds: 86400 + args: + - salt://hubblestack_pulsar/hubblestack_pulsar_config.yaml + return_job: False +``` + +** hubblestack_pulsar_config ** + +```yaml +/etc: { recurse: True, auto_add: True } +/bin: { recurse: True, auto_add: True } +/sbin: { recurse: True, auto_add: True } +/boot: { recurse: True, auto_add: True } +/usr/bin: { recurse: True, auto_add: True } +/usr/sbin: { recurse: True, auto_add: True } +/usr/local/bin: { recurse: True, auto_add: True } +/usr/local/sbin: { recurse: True, auto_add: True } +return: slack_pulsar +checksum: sha256 +stats: True +batch: False +``` + +In order to receive Pulsar notifications you'll need to install the custom +returners found in the Quasar_ repository. + +Example of using the Slack Pulsar returner to recieve FIM notifications: + +```yaml +slack_pulsar: + as_user: true + username: calculon + channel: hubble_pulsar + api_key: xoxo-xxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxx +``` + +Tip: If you need to create a Slack bot, see: https://my.slack.com/services/new/bot + +### Excluding Paths + +There may be certain paths that you want to exclude from this real-time +FIM tool. This can be done using the ``exclude:`` keyword beneath any +defined path. + +```yaml +/var: + recurse: True + auto_add: True + exclude: + - /var/log + - /var/spool + - /var/cache + - /var/lock +``` + + +## Troubleshooting + +If inotify is reporting that it can't create watches due to lack of disk space, +but you have plenty of disk space and inodes available, then you may have to +raise the max number of inotify watches. 
+ +To check the max number of inotify watches: + +```bash +cat /proc/sys/fs/inotify/max_user_watches +``` + +To set the max number of inotify watches: + +```bash +echo 20000 | sudo tee -a /proc/sys/fs/inotify/max_user_watches +``` + + +## Under The Hood + +Pulsar is written as a Salt beacon, which requires the ``salt-minion`` daemon +to be running. This then acts as an agent that watches for file system events +using Linux's ``inotify`` subsystem. + + +# Quasar + +## Introduction + +Quasar is Hubble's reporting system; a key component in visualizing your data. +Quasar gathers the data captured by Nova, Nebula and Pulsar and delivers it +directly to your logging or SIM/SEM system. Create dashboards, alerts and +correlations all using the SIM/SEM system you already have! + +Note: dashboards not included :) + +## Usage + +Each Quasar module has different requirements and settings. Please see your preferred module's documentation. diff --git a/_beacons/pulsar.py b/_beacons/pulsar.py index 9d9954d..6d34602 100644 --- a/_beacons/pulsar.py +++ b/_beacons/pulsar.py @@ -39,7 +39,7 @@ DEFAULT_MASK = None __virtualname__ = 'pulsar' -__version__ = 'v2017.4.1' +__version__ = 'v2017.8.1' CONFIG = None CONFIG_STALENESS = 0 @@ -255,10 +255,13 @@ def beacon(config): _append = False if _append: + config_path = config['paths'][0] + pulsar_config = config_path[config_path.rfind('/')+1:len(config_path)] sub = {'tag': event.path, 'path': event.pathname, 'change': event.maskname, - 'name': event.name} + 'name': event.name, + 'pulsar_config': pulsar_config} if config.get('checksum', False) and os.path.isfile(pathname): sum_type = config['checksum'] @@ -424,6 +427,7 @@ def _dict_update(dest, upd, recursive_update=True, merge_lists=False): dest[key] = upd[key] else: dest[key] = upd[key] + return dest else: try: diff --git a/_beacons/win_pulsar.py b/_beacons/win_pulsar.py index 73b11e4..942f13d 100644 --- a/_beacons/win_pulsar.py +++ b/_beacons/win_pulsar.py 
@@ -26,7 +26,7 @@ DEFAULT_TYPE = 'all' __virtualname__ = 'pulsar' -__version__ = 'v2017.4.1' +__version__ = 'v2017.8.1' CONFIG = None CONFIG_STALENESS = 0 @@ -205,6 +205,9 @@ def beacon(config): for r in ret: _append = True config_found = False + config_path = config['paths'][0] + pulsar_config = config_path[config_path.rfind('/')+1:len(config_path)] + r['pulsar_config'] = pulsar_config for path in config: if not r['Object Name'].startswith(path): continue @@ -450,9 +453,9 @@ def _remove_acl(path): def _pull_events(time_frame, checksum): events_list = [] - events_output = __salt__['cmd.run_stdout']('mode con:cols=1000 lines=1000; Get-EventLog -LogName Security ' - '-After ((Get-Date).AddSeconds(-{0})) -InstanceId 4663 | fl'.format( - time_frame), shell='powershell', python_shell=True) + events_output = __salt__['cmd.run_stdout']('mode con:cols=1000 lines=1000; Get-WinEvent -FilterHashTable @{{' + 'LogName = "security"; StartTime = [datetime]::Now.AddSeconds(-30);' + 'Id = 4663}} | fl'.format(time_frame), shell='powershell', python_shell=True) events = events_output.split('\r\n\r\n') for event in events: if event: @@ -463,12 +466,12 @@ def _pull_events(time_frame, checksum): item.replace('\t', '') k, v = item.split(':', 1) event_dict[k.strip()] = v.strip() - event_dict['Accesses'] = _get_access_translation(event_dict['Accesses']) + #event_dict['Accesses'] = _get_access_translation(event_dict['Accesses']) event_dict['Hash'] = _get_item_hash(event_dict['Object Name'], checksum) #needs hostname, checksum, filepath, time stamp, action taken # Generate the dictionary without a dictionary comp, for py2.6 tmpdict = {} - for k in ('EntryType', 'Accesses', 'TimeGenerated', 'Object Name', 'Hash'): + for k in ('Message', 'Accesses', 'TimeCreated', 'Object Name', 'Hash'): tmpdict[k] = event_dict[k] events_list.append(tmpdict) return events_list diff --git a/_modules/hubble.py b/_modules/hubble.py index 08d88a4..6fa34a2 100644 --- a/_modules/hubble.py +++ b/_modules/hubble.py 
@@ -32,10 +32,10 @@ import salt import salt.utils from salt.exceptions import CommandExecutionError -from salt.loader import LazyLoader +from nova_loader import NovaLazyLoader __nova__ = {} -__version__ = 'v2017.4.1' +__version__ = 'v2017.8.1' def audit(configs=None, @@ -45,7 +45,8 @@ def audit(configs=None, show_compliance=None, show_profile=None, called_from_top=None, - debug=None): + debug=None, + **kwargs): ''' Primary entry point for audit calls. @@ -94,6 +95,10 @@ def audit(configs=None, False. Configurable via `hubblestack:nova:debug` in minion config/pillar. + **kwargs + Any parameters & values that are not explicitly defined will be passed + directly through to the Nova module(s). + CLI Examples: .. code-block:: bash @@ -133,7 +138,19 @@ def audit(configs=None, configs = [os.path.join(os.path.sep, os.path.join(*(con.split('.yaml')[0]).split('.'))) for con in configs] - ret = _run_audit(configs, tags, debug=debug) + # Pass any module parameters through to the Nova module + nova_kwargs = {} + # Get values from config first (if any) and merge into nova_kwargs + nova_kwargs_config = __salt__['config.get']('hubblestack:nova:nova_kwargs', False) + if nova_kwargs_config is not False: + nova_kwargs.update(nova_kwargs_config) + # Now process arguments from CLI and merge into nova_kwargs_dict + if kwargs is not None: + nova_kwargs.update(kwargs) + + log.debug('nova_kwargs: ' + str(nova_kwargs)) + + ret = _run_audit(configs, tags, debug, **nova_kwargs) terse_results = {} verbose_results = {} @@ -218,9 +235,14 @@ def audit(configs=None, if not called_from_top and not results: results['Messages'] = 'No audits matched this host in the specified profiles.' + for error in ret.get('Errors', []): + if not results.has_key('Errors'): + results['Errors'] = [] + results['Errors'].append(error) + return results -def _run_audit(configs, tags, debug): +def _run_audit(configs, tags, debug, **kwargs): results = {} 
@@ -261,7 +283,7 @@ def _run_audit(configs, tags, debug): # We can revisit if this ever becomes a big bottleneck for key, func in __nova__._dict.iteritems(): try: - ret = func(data_list, tags, debug=debug) + ret = func(data_list, tags, **kwargs) except Exception as exc: log.error('Exception occurred in nova module:') log.error(traceback.format_exc()) @@ -564,7 +586,7 @@ def load(): log.debug('loading nova modules') global __nova__ - __nova__ = NovaLazyLoader() + __nova__ = NovaLazyLoader(_hubble_dir(), __opts__, __grains__, __pillar__, __salt__) ret = {'loaded': __nova__._dict.keys(), 'missing': __nova__.missing_modules, 
@@ -648,229 +670,3 @@ def _get_top_data(topfile): ret.extend(data) return ret - - -class NovaLazyLoader(LazyLoader): - ''' - Leverage the SaltStack LazyLoader so we don't have to reimplement - everything. Note that in general, we'll just call _load_all, so this - will not actually be a lazy loader, but leveraging the existing code is - worth it. - ''' - - def __init__(self): - super(NovaLazyLoader, self).__init__(_hubble_dir(), - opts=__opts__, - tag='nova') - self.__data__ = {} - self.__missing_data__ = {} - self._load_all() - - def refresh_file_mapping(self): - ''' - Override the default refresh_file_mapping to look for nova files - recursively, rather than only in a top-level directory - ''' - # map of suffix to description for imp - self.suffix_map = {} - suffix_order = [] # local list to determine precedence of extensions - suffix_order.append('.yaml') - for (suffix, mode, kind) in imp.get_suffixes(): - self.suffix_map[suffix] = (suffix, mode, kind) - suffix_order.append(suffix) - - # create mapping of filename (without suffix) to (path, suffix) - self.file_mapping = {} - - for mod_dir in self.module_dirs: - for dirname, dirs, files in os.walk(mod_dir): - if '.git' in dirs: - dirs.remove('.git') - for filename in files: - try: - if filename.startswith('_'): - # skip private modules - # log messages omitted for obviousness - continue - _, ext = os.path.splitext(filename) - fpath = os.path.join(dirname, filename) - f_withext = fpath.partition(mod_dir)[-1] - # Nova only supports .py and .yaml - if ext not in ['.py', '.yaml']: - continue - # Python only in the modules directory, yaml only - # in the profiles directory. This is hacky but was a - # quick fix. 
- nova_module_cache, nova_profile_cache = _hubble_dir() - nova_module_cache = os.path.join(nova_module_cache, '') - nova_profile_cache = os.path.join(nova_profile_cache, '') - if ext == '.py' and fpath.startswith(nova_profile_cache): - continue - if ext == '.yaml' and fpath.startswith(nova_module_cache): - continue - if f_withext in self.disabled: - #log.trace( - # 'Skipping {0}, it is disabled by configuration'.format( - # filename - # ) - #) - continue - - # if we don't have it, we want it - elif f_withext not in self.file_mapping: - self.file_mapping[f_withext] = (fpath, ext) - # if we do, we want it if we have a higher precidence ext - else: - curr_ext = self.file_mapping[f_withext][1] - #log.debug("****** curr_ext={0} ext={1} suffix_order={2}".format(curr_ext, ext, suffix_order)) - if curr_ext and suffix_order.index(ext) < suffix_order.index(curr_ext): - self.file_mapping[f_withext] = (fpath, ext) - except OSError: - continue - - def _load_module(self, name): - ''' - Override the module load code - ''' - mod = None - fpath, suffix = self.file_mapping[name] - self.loaded_files.add(name) - if suffix == '.yaml': - try: - with open(fpath) as fh_: - data = yaml.safe_load(fh_) - except Exception as exc: - self.__missing_data__[name] = str(exc) - return False - - self.__data__[name] = data - return True - try: - sys.path.append(os.path.dirname(fpath)) - desc = self.suffix_map[suffix] - # if it is a directory, we don't open a file - with salt.utils.fopen(fpath, desc[1]) as fn_: - mod = imp.load_module( - '{0}.{1}.{2}.{3}'.format( - self.loaded_base_name, - self.mod_type_check(fpath), - self.tag, - name - ), fn_, fpath, desc) - - except IOError: - raise - except ImportError as error: - log.debug( - 'Failed to import {0} {1}:\n'.format( - self.tag, name - ), - exc_info=True - ) - self.missing_modules[name] = str(error) - return False - except Exception as error: - log.error( - 'Failed to import {0} {1}, this is due most likely to a ' - 'syntax error:\n'.format( - 
self.tag, name - ), - exc_info=True - ) - self.missing_modules[name] = str(error) - return False - except SystemExit as error: - log.error( - 'Failed to import {0} {1} as the module called exit()\n'.format( - self.tag, name - ), - exc_info=True - ) - self.missing_modules[name] = str(error) - return False - finally: - sys.path.pop() - - mod.__grains__ = __grains__ - mod.__pillar__ = __pillar__ - mod.__opts__ = __opts__ - mod.__salt__ = __salt__ - - # pack whatever other globals we were asked to - for p_name, p_value in six.iteritems(self.pack): - setattr(mod, p_name, p_value) - - module_name = name - - # Call a module's initialization method if it exists - module_init = getattr(mod, '__init__', None) - if inspect.isfunction(module_init): - try: - module_init(self.opts) - except TypeError as e: - log.error(e) - except Exception: - err_string = '__init__ failed' - log.debug( - 'Error loading {0}.{1}: {2}'.format( - self.tag, - module_name, - err_string), - exc_info=True) - self.missing_modules[name] = err_string - return False - - # if virtual modules are enabled, we need to look for the - # __virtual__() function inside that module and run it. - if self.virtual_enable: - (virtual_ret, module_name, virtual_err) = self.process_virtual( - mod, - module_name, - ) - if virtual_err is not None: - log.debug('Error loading {0}.{1}: {2}'.format(self.tag, - module_name, - virtual_err, - )) - - # if process_virtual returned a non-True value then we are - # supposed to not process this module - if virtual_ret is not True: - # If a module has information about why it could not be loaded, record it - self.missing_modules[name] = virtual_err - return False - - # If this is a proxy minion then MOST modules cannot work. Therefore, require that - # any module that does work with salt-proxy-minion define __proxyenabled__ as a list - # containing the names of the proxy types that the module supports. 
- # - # Render modules and state modules are OK though - if 'proxy' in self.opts: - if self.tag in ['grains', 'proxy']: - if not hasattr(mod, '__proxyenabled__') or \ - (self.opts['proxy']['proxytype'] not in mod.__proxyenabled__ and - '*' not in mod.__proxyenabled__): - err_string = 'not a proxy_minion enabled module' - self.missing_modules[name] = err_string - return False - - if getattr(mod, '__load__', False) is not False: - log.info( - 'The functions from module {0!r} are being loaded from the ' - 'provided __load__ attribute'.format( - module_name - ) - ) - mod_dict = salt.utils.odict.OrderedDict() - # In nova we only care about the audit() function, and we want to - # store it with directory structure in the name. - for attr in getattr(mod, '__load__', dir(mod)): - if attr != 'audit': - continue - func = getattr(mod, attr) - # Save many references for lookups - self._dict[name] = func - mod_dict[name] = func - - self.loaded_modules[name] = mod_dict - return True diff --git a/_modules/nebula_osquery.py b/_modules/nebula_osquery.py index 999ba10..ed189e2 100644 --- a/_modules/nebula_osquery.py +++ b/_modules/nebula_osquery.py @@ -40,7 +40,7 @@ log = logging.getLogger(__name__) -__version__ = 'v2017.4.1' +__version__ = 'v2017.8.1' __virtualname__ = 'nebula' @@ -74,6 +74,7 @@ def queries(query_group, salt '*' nebula.queries hour verbose=True salt '*' nebula.queries hour pillar_key=sec_osqueries ''' + MAX_FILE_SIZE = 104857600 if query_file is None: if salt.utils.is_windows(): query_file = 'salt://hubblestack_nebula/hubblestack_nebula_win_queries.yaml' 
@@ -118,13 +119,14 @@ def queries(query_group, if salt.utils.is_windows(): win_version = __grains__['osfullname'] - if '2012' not in win_version and '2016' not in win_version: - log.error('osquery does not run on windows versions earlier than Server 2012 and Windows 8') + if '2008' not in win_version and '2012' not in win_version and '2016' not in win_version: + log.error('osquery does not run on windows versions earlier than Server 2008 and Windows 7') if query_group == 'day': ret = [] ret.append( {'fallback_osfinger': { - 'data': [{'osfinger': __grains__.get('osfinger', __grains__.get('osfullname'))}], + 'data': [{'osfinger': __grains__.get('osfinger', __grains__.get('osfullname')), + 'osrelease': __grains__.get('osrelease', __grains__.get('lsb_distrib_release'))}], 'result': True }} ) @@ -137,7 +139,7 @@ def queries(query_group, return ret else: return None - + orig_filename = query_file query_file = __salt__['cp.cache_file'](query_file) @@ -168,13 +170,13 @@ def queries(query_group, 'result': True, } - cmd = ['osqueryi', '--json', query_sql] + cmd = ['osqueryi', '--read_max', MAX_FILE_SIZE, '--json', query_sql] res = __salt__['cmd.run_all'](cmd) if res['retcode'] == 0: query_ret['data'] = json.loads(res['stdout']) else: - queury_ret['result'] = False - queury_ret['error'] = res['stderr'] + query_ret['result'] = False + query_ret['error'] = res['stderr'] if verbose: tmp = copy.deepcopy(query) 
@@ -186,9 +188,38 @@ def queries(query_group, if query_group == 'day' and report_version_with_day: ret.append(hubble_versions()) + for r in ret: + for query_name, query_ret in r.iteritems(): + for result in query_ret['data']: + for key, value in result.iteritems(): + if value.startswith('__JSONIFY__'): + result[key] = json.loads(value[len('__JSONIFY__'):]) + return ret +def fields(*args): + ''' + Use config.get to retrieve custom data based on the keys in the `*args` + list. + + Arguments: + + *args + List of keys to retrieve + ''' + ret = {} + for field in args: + ret['custom_{0}'.format(field)] = __salt__['config.get'](field) + # Return it as nebula data + if ret: + return [{'custom_fields': { + 'data': [ret], + 'result': True + }}] + return [] + + def version(): ''' Report version of this module diff --git a/_modules/nova_loader.py b/_modules/nova_loader.py new file mode 100644 index 0000000..b43559e --- /dev/null +++ b/_modules/nova_loader.py 
@@ -0,0 +1,2046 @@ +# -*- coding: utf-8 -*- +''' +The Salt loader is the core to Salt's plugin system, the loader scans +directories for python loadable code and organizes the code into the +plugin interfaces used by Salt. +''' + +# Import python libs +from __future__ import absolute_import +import os +import imp +import sys +import salt +import time +import yaml +import logging +import inspect +import tempfile +import functools +import collections +from collections import MutableMapping +from zipimport import zipimporter + +# Import salt libs +from salt.exceptions import LoaderError +from salt.template import check_render_pipe_str +from salt.utils.decorators import Depends +from salt.utils import is_proxy +import salt.utils.context +import salt.utils.lazy +import salt.utils.event +import salt.utils.odict +import salt.exceptions + +# Solve the Chicken and egg problem where grains need to run before any +# of the modules are loaded and are generally available for any usage. +import salt.modules.cmdmod + +# Import 3rd-party libs +import salt.ext.six as six +try: + import pkg_resources + HAS_PKG_RESOURCES = True +except ImportError: + HAS_PKG_RESOURCES = False + +__salt__ = { + 'cmd.run': salt.modules.cmdmod._run_quiet +} +log = logging.getLogger(__name__) + +SALT_BASE_PATH = os.path.abspath(os.path.dirname(salt.__file__)) +LOADED_BASE_NAME = 'salt.loaded' + +if six.PY3: + # pylint: disable=no-member,no-name-in-module,import-error + import importlib.machinery + SUFFIXES = [] + for suffix in importlib.machinery.EXTENSION_SUFFIXES: + SUFFIXES.append((suffix, 'rb', 3)) + for suffix in importlib.machinery.BYTECODE_SUFFIXES: + SUFFIXES.append((suffix, 'rb', 2)) + for suffix in importlib.machinery.SOURCE_SUFFIXES: + SUFFIXES.append((suffix, 'r', 1)) + # pylint: enable=no-member,no-name-in-module,import-error +else: + SUFFIXES = imp.get_suffixes() + +# Because on the cloud drivers we do `from salt.cloud.libcloudfuncs import *` +# which simplifies code readability, it adds 
some unsupported functions into +# the driver's module scope. +# We list un-supported functions here. These will be removed from the loaded. +LIBCLOUD_FUNCS_NOT_SUPPORTED = ( + 'parallels.avail_sizes', + 'parallels.avail_locations', + 'proxmox.avail_sizes', + 'saltify.destroy', + 'saltify.avail_sizes', + 'saltify.avail_images', + 'saltify.avail_locations', + 'rackspace.reboot', + 'openstack.list_locations', + 'rackspace.list_locations' +) + +# Will be set to pyximport module at runtime if cython is enabled in config. +pyximport = None + + +## BEGIN salt.utils.lazy +def verify_fun(lazy_obj, fun): + ''' + Check that the function passed really exists + ''' + if not fun: + raise salt.exceptions.SaltInvocationError( + 'Must specify a function to run!\n' + 'ex: manage.up' + ) + if fun not in lazy_obj: + # If the requested function isn't available, lets say why + raise salt.exceptions.CommandExecutionError(lazy_obj.missing_fun_string(fun)) + + +class LazyDict(collections.MutableMapping): + ''' + A base class of dict which will lazily load keys once they are needed + + TODO: negative caching? If you ask for 'foo' and it doesn't exist it will + look EVERY time unless someone calls load_all() + As of now this is left to the class which inherits from this base + ''' + def __init__(self): + self.clear() + + def __nonzero__(self): + # we are zero if dict is empty and loaded is true + return bool(self._dict or not self.loaded) + + def __bool__(self): + # we are zero if dict is empty and loaded is true + return self.__nonzero__() + + def clear(self): + ''' + Clear the dict + ''' + # create a dict to store loaded values in + self._dict = {} + + # have we already loded everything? 
+ self.loaded = False + + def _load(self, key): + ''' + Load a single item if you have it + ''' + raise NotImplementedError() + + def _load_all(self): + ''' + Load all of them + ''' + raise NotImplementedError() + + def _missing(self, key): + ''' + Whether or not the key is missing (meaning we know it's not there) + ''' + return False + + def missing_fun_string(self, function_name): + ''' + Return the error string for a missing function. + + Override this to return a more meaningfull error message if possible + ''' + return '\'{0}\' is not available.'.format(function_name) + + def __setitem__(self, key, val): + self._dict[key] = val + + def __delitem__(self, key): + del self._dict[key] + + def __getitem__(self, key): + ''' + Check if the key is ttld out, then do the get + ''' + if self._missing(key): + raise KeyError(key) + + if key not in self._dict and not self.loaded: + # load the item + if self._load(key): + log.debug('LazyLoaded %s', key) + return self._dict[key] + else: + log.debug('Could not LazyLoad %s: %s', key, self.missing_fun_string(key)) + raise KeyError(key) + else: + return self._dict[key] + + def __len__(self): + # if not loaded, + if not self.loaded: + self._load_all() + return len(self._dict) + + def __iter__(self): + if not self.loaded: + self._load_all() + return iter(self._dict) +## END salt.utils.lazy + + +def static_loader( + opts, + ext_type, + tag, + pack=None, + int_type=None, + ext_dirs=True, + ext_type_dirs=None, + base_path=None, + filter_name=None, + ): + funcs = LazyLoader( + _module_dirs( + opts, + ext_type, + tag, + int_type, + ext_dirs, + ext_type_dirs, + base_path, + ), + opts, + tag=tag, + pack=pack, + ) + ret = {} + funcs._load_all() + if filter_name: + funcs = FilterDictWrapper(funcs, filter_name) + for key in funcs: + ret[key] = funcs[key] + return ret + + +def _module_dirs( + opts, + ext_type, + tag=None, + int_type=None, + ext_dirs=True, + ext_type_dirs=None, + base_path=None, + ): + if tag is None: + tag = ext_type + 
sys_types = os.path.join(base_path or SALT_BASE_PATH, int_type or ext_type) + ext_types = os.path.join(opts['extension_modules'], ext_type) + + ext_type_types = [] + if ext_dirs: + if ext_type_dirs is None: + ext_type_dirs = '{0}_dirs'.format(tag) + if ext_type_dirs in opts: + ext_type_types.extend(opts[ext_type_dirs]) + if HAS_PKG_RESOURCES and ext_type_dirs: + for entry_point in pkg_resources.iter_entry_points('salt.loader', ext_type_dirs): + loaded_entry_point = entry_point.load() + for path in loaded_entry_point(): + ext_type_types.append(path) + + cli_module_dirs = [] + # The dirs can be any module dir, or a in-tree _{ext_type} dir + for _dir in opts.get('module_dirs', []): + # Prepend to the list to match cli argument ordering + maybe_dir = os.path.join(_dir, ext_type) + if os.path.isdir(maybe_dir): + cli_module_dirs.insert(0, maybe_dir) + continue + + maybe_dir = os.path.join(_dir, '_{0}'.format(ext_type)) + if os.path.isdir(maybe_dir): + cli_module_dirs.insert(0, maybe_dir) + + return cli_module_dirs + ext_type_types + [ext_types, sys_types] + + +def minion_mods( + opts, + context=None, + utils=None, + whitelist=None, + initial_load=False, + loaded_base_name=None, + notify=False, + static_modules=None, + proxy=None): + ''' + Load execution modules + + Returns a dictionary of execution modules appropriate for the current + system by evaluating the __virtual__() function in each module. + + :param dict opts: The Salt options dictionary + + :param dict context: A Salt context that should be made present inside + generated modules in __context__ + + :param dict utils: Utility functions which should be made available to + Salt modules in __utils__. See `utils_dir` in + salt.config for additional information about + configuration. + + :param list whitelist: A list of modules which should be whitelisted. + :param bool initial_load: Deprecated flag! Unused. + :param str loaded_base_name: A string marker for the loaded base name. 
+ :param bool notify: Flag indicating that an event should be fired upon + completion of module loading. + + .. code-block:: python + + import salt.config + import salt.loader + + __opts__ = salt.config.minion_config('/etc/salt/minion') + __grains__ = salt.loader.grains(__opts__) + __opts__['grains'] = __grains__ + __utils__ = salt.loader.utils(__opts__) + __salt__ = salt.loader.minion_mods(__opts__, utils=__utils__) + __salt__['test.ping']() + ''' + # TODO Publish documentation for module whitelisting + if not whitelist: + whitelist = opts.get('whitelist_modules', None) + ret = LazyLoader( + _module_dirs(opts, 'modules', 'module'), + opts, + tag='module', + pack={'__context__': context, '__utils__': utils, '__proxy__': proxy}, + whitelist=whitelist, + loaded_base_name=loaded_base_name, + static_modules=static_modules, + ) + + ret.pack['__salt__'] = ret + + # Load any provider overrides from the configuration file providers option + # Note: Providers can be pkg, service, user or group - not to be confused + # with cloud providers. + providers = opts.get('providers', False) + if providers and isinstance(providers, dict): + for mod in providers: + # sometimes providers opts is not to diverge modules but + # for other configuration + try: + funcs = raw_mod(opts, providers[mod], ret) + except TypeError: + break + else: + if funcs: + for func in funcs: + f_key = '{0}{1}'.format(mod, func[func.rindex('.'):]) + ret[f_key] = funcs[func] + + if notify: + evt = salt.utils.event.get_event('minion', opts=opts, listen=False) + evt.fire_event({'complete': True}, tag='/salt/minion/minion_mod_complete') + + return ret + + +def raw_mod(opts, name, functions, mod='modules'): + ''' + Returns a single module loaded raw and bypassing the __virtual__ function + + .. 
code-block:: python + + import salt.config + import salt.loader + + __opts__ = salt.config.minion_config('/etc/salt/minion') + testmod = salt.loader.raw_mod(__opts__, 'test', None) + testmod['test.ping']() + ''' + loader = LazyLoader( + _module_dirs(opts, mod, 'rawmodule'), + opts, + tag='rawmodule', + virtual_enable=False, + pack={'__salt__': functions}, + ) + # if we don't have the module, return an empty dict + if name not in loader.file_mapping: + return {} + + loader._load_module(name) # load a single module (the one passed in) + return dict(loader._dict) # return a copy of *just* the funcs for `name` + + +def engines(opts, functions, runners, proxy=None): + ''' + Return the master services plugins + ''' + pack = {'__salt__': functions, + '__runners__': runners, + '__proxy__': proxy} + return LazyLoader( + _module_dirs(opts, 'engines'), + opts, + tag='engines', + pack=pack, + ) + + +def proxy(opts, functions=None, returners=None, whitelist=None, utils=None): + ''' + Returns the proxy module for this salt-proxy-minion + ''' + ret = LazyLoader( + _module_dirs(opts, 'proxy'), + opts, + tag='proxy', + pack={'__salt__': functions, '__ret__': returners, '__utils__': utils}, + ) + + ret.pack['__proxy__'] = ret + + return ret + + +def returners(opts, functions, whitelist=None, context=None, proxy=None): + ''' + Returns the returner modules + ''' + return LazyLoader( + _module_dirs(opts, 'returners', 'returner'), + opts, + tag='returner', + whitelist=whitelist, + pack={'__salt__': functions, '__context__': context, '__proxy__': proxy or {}}, + ) + + +def utils(opts, whitelist=None, context=None, proxy=proxy): + ''' + Returns the utility modules + ''' + return LazyLoader( + _module_dirs(opts, 'utils', ext_type_dirs='utils_dirs'), + opts, + tag='utils', + whitelist=whitelist, + pack={'__context__': context, '__proxy__': proxy or {}}, + ) + + +def pillars(opts, functions, context=None): + ''' + Returns the pillars modules + ''' + ret = LazyLoader(_module_dirs(opts, 
'pillar'), + opts, + tag='pillar', + pack={'__salt__': functions, + '__context__': context, + '__utils__': utils(opts)}) + ret.pack['__ext_pillar__'] = ret + return FilterDictWrapper(ret, '.ext_pillar') + + +def tops(opts): + ''' + Returns the tops modules + ''' + if 'master_tops' not in opts: + return {} + whitelist = list(opts['master_tops'].keys()) + ret = LazyLoader( + _module_dirs(opts, 'tops', 'top'), + opts, + tag='top', + whitelist=whitelist, + ) + return FilterDictWrapper(ret, '.top') + + +def wheels(opts, whitelist=None): + ''' + Returns the wheels modules + ''' + return LazyLoader( + _module_dirs(opts, 'wheel'), + opts, + tag='wheel', + whitelist=whitelist, + ) + + +def outputters(opts): + ''' + Returns the outputters modules + + :param dict opts: The Salt options dictionary + :returns: LazyLoader instance, with only outputters present in the keyspace + ''' + ret = LazyLoader( + _module_dirs(opts, 'output', ext_type_dirs='outputter_dirs'), + opts, + tag='output', + ) + wrapped_ret = FilterDictWrapper(ret, '.output') + # TODO: this name seems terrible... 
__salt__ should always be execution mods + ret.pack['__salt__'] = wrapped_ret + return wrapped_ret + + +def serializers(opts): + ''' + Returns the serializers modules + :param dict opts: The Salt options dictionary + :returns: LazyLoader instance, with only serializers present in the keyspace + ''' + return LazyLoader( + _module_dirs(opts, 'serializers'), + opts, + tag='serializers', + ) + + +def auth(opts, whitelist=None): + ''' + Returns the auth modules + + :param dict opts: The Salt options dictionary + :returns: LazyLoader + ''' + return LazyLoader( + _module_dirs(opts, 'auth'), + opts, + tag='auth', + whitelist=whitelist, + pack={'__salt__': minion_mods(opts)}, + ) + + +def fileserver(opts, backends): + ''' + Returns the file server modules + ''' + return LazyLoader(_module_dirs(opts, 'fileserver'), + opts, + tag='fileserver', + whitelist=backends, + pack={'__utils__': utils(opts)}) + + +def roster(opts, whitelist=None): + ''' + Returns the roster modules + ''' + return LazyLoader( + _module_dirs(opts, 'roster'), + opts, + tag='roster', + whitelist=whitelist, + ) + + +def thorium(opts, functions, runners): + ''' + Load the thorium runtime modules + ''' + pack = {'__salt__': functions, '__runner__': runners, '__context__': {}} + ret = LazyLoader(_module_dirs(opts, 'thorium'), + opts, + tag='thorium', + pack=pack) + ret.pack['__thorium__'] = ret + return ret + + +def states(opts, functions, utils, serializers, whitelist=None, proxy=None): + ''' + Returns the state modules + + :param dict opts: The Salt options dictionary + :param dict functions: A dictionary of minion modules, with module names as + keys and funcs as values. + + .. 
code-block:: python + + import salt.config + import salt.loader + + __opts__ = salt.config.minion_config('/etc/salt/minion') + statemods = salt.loader.states(__opts__, None, None) + ''' + ret = LazyLoader( + _module_dirs(opts, 'states'), + opts, + tag='states', + pack={'__salt__': functions, '__proxy__': proxy or {}}, + whitelist=whitelist, + ) + ret.pack['__states__'] = ret + ret.pack['__utils__'] = utils + ret.pack['__serializers__'] = serializers + return ret + + +def beacons(opts, functions, context=None, proxy=None): + ''' + Load the beacon modules + + :param dict opts: The Salt options dictionary + :param dict functions: A dictionary of minion modules, with module names as + keys and funcs as values. + ''' + return LazyLoader( + _module_dirs(opts, 'beacons'), + opts, + tag='beacons', + virtual_funcs=['__validate__'], + pack={'__context__': context, '__salt__': functions, '__proxy__': proxy or {}}, + ) + + +def search(opts, returners, whitelist=None): + ''' + Returns the search modules + + :param dict opts: The Salt options dictionary + :param returners: Undocumented + :param whitelist: Undocumented + ''' + # TODO Document returners arg + # TODO Document whitelist arg + return LazyLoader( + _module_dirs(opts, 'search', 'search'), + opts, + tag='search', + whitelist=whitelist, + pack={'__ret__': returners}, + ) + + +def log_handlers(opts): + ''' + Returns the custom logging handler modules + + :param dict opts: The Salt options dictionary + ''' + ret = LazyLoader( + _module_dirs( + opts, + 'log_handlers', + int_type='handlers', + base_path=os.path.join(SALT_BASE_PATH, 'log'), + ), + opts, + tag='log_handlers', + ) + return FilterDictWrapper(ret, '.setup_handlers') + + +def ssh_wrapper(opts, functions=None, context=None): + ''' + Returns the custom logging handler modules + ''' + return LazyLoader( + _module_dirs( + opts, + 'wrapper', + base_path=os.path.join(SALT_BASE_PATH, os.path.join('client', 'ssh')), + ), + opts, + tag='wrapper', + pack={ + '__salt__': 
functions, + '__grains__': opts.get('grains', {}), + '__pillar__': opts.get('pillar', {}), + '__context__': context, + }, + ) + + +def render(opts, functions, states=None): + ''' + Returns the render modules + ''' + pack = {'__salt__': functions, + '__grains__': opts.get('grains', {})} + if states: + pack['__states__'] = states + ret = LazyLoader( + _module_dirs( + opts, + 'renderers', + 'render', + ext_type_dirs='render_dirs', + ), + opts, + tag='render', + pack=pack, + ) + rend = FilterDictWrapper(ret, '.render') + + if not check_render_pipe_str(opts['renderer'], rend, opts['renderer_blacklist'], opts['renderer_whitelist']): + err = ('The renderer {0} is unavailable, this error is often because ' + 'the needed software is unavailable'.format(opts['renderer'])) + log.critical(err) + raise LoaderError(err) + return rend + + +def grain_funcs(opts, proxy=None): + ''' + Returns the grain functions + + .. code-block:: python + + import salt.config + import salt.loader + + __opts__ = salt.config.minion_config('/etc/salt/minion') + grainfuncs = salt.loader.grain_funcs(__opts__) + ''' + return LazyLoader( + _module_dirs( + opts, + 'grains', + 'grain', + ext_type_dirs='grains_dirs', + ), + opts, + tag='grains', + ) + + +def grains(opts, force_refresh=False, proxy=None): + ''' + Return the functions for the dynamic grains and the values for the static + grains. + + Since grains are computed early in the startup process, grains functions + do not have __salt__ or __proxy__ available. At proxy-minion startup, + this function is called with the proxymodule LazyLoader object so grains + functions can communicate with their controlled device. + + .. code-block:: python + + import salt.config + import salt.loader + + __opts__ = salt.config.minion_config('/etc/salt/minion') + __grains__ = salt.loader.grains(__opts__) + print __grains__['id'] + ''' + # if we have no grains, lets try loading from disk (TODO: move to decorator?) 
+ cfn = os.path.join( + opts['cachedir'], + 'grains.cache.p' + ) + if not force_refresh: + if opts.get('grains_cache', False): + if os.path.isfile(cfn): + grains_cache_age = int(time.time() - os.path.getmtime(cfn)) + if opts.get('grains_cache_expiration', 300) >= grains_cache_age and not \ + opts.get('refresh_grains_cache', False) and not force_refresh: + log.debug('Retrieving grains from cache') + try: + serial = salt.payload.Serial(opts) + with salt.utils.fopen(cfn, 'rb') as fp_: + cached_grains = serial.load(fp_) + return cached_grains + except (IOError, OSError): + pass + else: + if force_refresh: + log.debug('Grains refresh requested. Refreshing grains.') + else: + log.debug('Grains cache last modified {0} seconds ago and ' + 'cache expiration is set to {1}. ' + 'Grains cache expired. Refreshing.'.format( + grains_cache_age, + opts.get('grains_cache_expiration', 300) + )) + else: + log.debug('Grains cache file does not exist.') + + if opts.get('skip_grains', False): + return {} + grains_deep_merge = opts.get('grains_deep_merge', False) is True + if 'conf_file' in opts: + pre_opts = {} + pre_opts.update(salt.config.load_config( + opts['conf_file'], 'SALT_MINION_CONFIG', + salt.config.DEFAULT_MINION_OPTS['conf_file'] + )) + default_include = pre_opts.get( + 'default_include', opts['default_include'] + ) + include = pre_opts.get('include', []) + pre_opts.update(salt.config.include_config( + default_include, opts['conf_file'], verbose=False + )) + pre_opts.update(salt.config.include_config( + include, opts['conf_file'], verbose=True + )) + if 'grains' in pre_opts: + opts['grains'] = pre_opts['grains'] + else: + opts['grains'] = {} + else: + opts['grains'] = {} + + grains_data = {} + funcs = grain_funcs(opts, proxy=proxy) + if force_refresh: # if we refresh, lets reload grain modules + funcs.clear() + # Run core grains + for key, fun in six.iteritems(funcs): + if not key.startswith('core.'): + continue + log.trace('Loading {0} grain'.format(key)) + ret = fun() + if 
not isinstance(ret, dict): + continue + if grains_deep_merge: + salt.utils.dictupdate.update(grains_data, ret) + else: + grains_data.update(ret) + + # Run the rest of the grains + for key, fun in six.iteritems(funcs): + if key.startswith('core.') or key == '_errors': + continue + try: + # Grains are loaded too early to take advantage of the injected + # __proxy__ variable. Pass an instance of that LazyLoader + # here instead to grains functions if the grains functions take + # one parameter. Then the grains can have access to the + # proxymodule for retrieving information from the connected + # device. + if fun.__code__.co_argcount == 1: + ret = fun(proxy) + else: + ret = fun() + except Exception: + if is_proxy(): + log.info('The following CRITICAL message may not be an error; the proxy may not be completely established yet.') + log.critical( + 'Failed to load grains defined in grain file {0} in ' + 'function {1}, error:\n'.format( + key, fun + ), + exc_info=True + ) + continue + if not isinstance(ret, dict): + continue + if grains_deep_merge: + salt.utils.dictupdate.update(grains_data, ret) + else: + grains_data.update(ret) + + if opts.get('proxy_merge_grains_in_module', False) and proxy: + try: + proxytype = proxy.opts['proxy']['proxytype'] + if proxytype+'.grains' in proxy: + if proxytype+'.initialized' in proxy and proxy[proxytype+'.initialized'](): + try: + proxytype = proxy.opts['proxy']['proxytype'] + ret = proxy[proxytype+'.grains']() + if grains_deep_merge: + salt.utils.dictupdate.update(grains_data, ret) + else: + grains_data.update(ret) + except Exception: + log.critical('Failed to run proxy\'s grains function!', + exc_info=True + ) + except KeyError: + pass + + grains_data.update(opts['grains']) + # Write cache if enabled + if opts.get('grains_cache', False): + cumask = os.umask(0o77) + try: + if salt.utils.is_windows(): + # Make sure cache file isn't read-only + __salt__['cmd.run']('attrib -R "{0}"'.format(cfn)) + with salt.utils.fopen(cfn, 'w+b') as 
fp_: + try: + serial = salt.payload.Serial(opts) + serial.dump(grains_data, fp_) + except TypeError: + # Can't serialize pydsl + pass + except (IOError, OSError): + msg = 'Unable to write to grains cache file {0}' + log.error(msg.format(cfn)) + os.umask(cumask) + + if grains_deep_merge: + salt.utils.dictupdate.update(grains_data, opts['grains']) + else: + grains_data.update(opts['grains']) + return grains_data + + +# TODO: get rid of? Does anyone use this? You should use raw() instead +def call(fun, **kwargs): + ''' + Directly call a function inside a loader directory + ''' + args = kwargs.get('args', []) + dirs = kwargs.get('dirs', []) + + funcs = LazyLoader( + [os.path.join(SALT_BASE_PATH, 'modules')] + dirs, + None, + tag='modules', + virtual_enable=False, + ) + return funcs[fun](*args) + + +def runner(opts, utils=None): + ''' + Directly call a function inside a loader directory + ''' + if utils is None: + utils = {} + ret = LazyLoader( + _module_dirs(opts, 'runners', 'runner', ext_type_dirs='runner_dirs'), + opts, + tag='runners', + pack={'__utils__': utils}, + ) + # TODO: change from __salt__ to something else, we overload __salt__ too much + ret.pack['__salt__'] = ret + return ret + + +def queues(opts): + ''' + Directly call a function inside a loader directory + ''' + return LazyLoader( + _module_dirs(opts, 'queues', 'queue', ext_type_dirs='queue_dirs'), + opts, + tag='queues', + ) + + +def sdb(opts, functions=None, whitelist=None): + ''' + Make a very small database call + ''' + return LazyLoader( + _module_dirs(opts, 'sdb'), + opts, + tag='sdb', + pack={'__sdb__': functions}, + whitelist=whitelist, + ) + + +def pkgdb(opts): + ''' + Return modules for SPM's package database + + .. versionadded:: 2015.8.0 + ''' + return LazyLoader( + _module_dirs( + opts, + 'pkgdb', + base_path=os.path.join(SALT_BASE_PATH, 'spm') + ), + opts, + tag='pkgdb' + ) + + +def pkgfiles(opts): + ''' + Return modules for SPM's file handling + + .. 
versionadded:: 2015.8.0 + ''' + return LazyLoader( + _module_dirs( + opts, + 'pkgfiles', + base_path=os.path.join(SALT_BASE_PATH, 'spm') + ), + opts, + tag='pkgfiles' + ) + + +def clouds(opts): + ''' + Return the cloud functions + ''' + # Let's bring __active_provider_name__, defaulting to None, to all cloud + # drivers. This will get temporarily updated/overridden with a context + # manager when needed. + functions = LazyLoader( + _module_dirs(opts, + 'clouds', + 'cloud', + base_path=os.path.join(SALT_BASE_PATH, 'cloud'), + int_type='clouds'), + opts, + tag='clouds', + pack={'__utils__': salt.loader.utils(opts), + '__active_provider_name__': None}, + ) + for funcname in LIBCLOUD_FUNCS_NOT_SUPPORTED: + log.trace( + '\'{0}\' has been marked as not supported. Removing from the list ' + 'of supported cloud functions'.format( + funcname + ) + ) + functions.pop(funcname, None) + return functions + + +def netapi(opts): + ''' + Return the network api functions + ''' + return LazyLoader( + _module_dirs(opts, 'netapi'), + opts, + tag='netapi', + ) + + +def executors(opts, functions=None, context=None, proxy=None): + ''' + Returns the executor modules + ''' + return LazyLoader( + _module_dirs(opts, 'executors', 'executor'), + opts, + tag='executor', + pack={'__salt__': functions, '__context__': context or {}, '__proxy__': proxy or {}}, + ) + + +def cache(opts, serial): + ''' + Returns the returner modules + ''' + return LazyLoader( + _module_dirs(opts, 'cache', 'cache'), + opts, + tag='cache', + pack={'__opts__': opts, '__context__': {'serial': serial}}, + ) + + +def _generate_module(name): + if name in sys.modules: + return + + code = "'''Salt loaded {0} parent module'''".format(name.split('.')[-1]) + module = imp.new_module(name) + exec(code, module.__dict__) + sys.modules[name] = module + + +def _mod_type(module_path): + if module_path.startswith(SALT_BASE_PATH): + return 'int' + return 'ext' + + +# TODO: move somewhere else? 
+class FilterDictWrapper(MutableMapping): + ''' + Create a dict which wraps another dict with a specific key suffix on get + + This is to replace "filter_load" + ''' + def __init__(self, d, suffix): + self._dict = d + self.suffix = suffix + + def __setitem__(self, key, val): + self._dict[key] = val + + def __delitem__(self, key): + del self._dict[key] + + def __getitem__(self, key): + return self._dict[key + self.suffix] + + def __len__(self): + return len(self._dict) + + def __iter__(self): + for key in self._dict: + if key.endswith(self.suffix): + yield key.replace(self.suffix, '') + + +class LazyLoader(LazyDict): + ''' + A pseduo-dictionary which has a set of keys which are the + name of the module and function, delimited by a dot. When + the value of the key is accessed, the function is then loaded + from disk and into memory. + + .. note:: + + Iterating over keys will cause all modules to be loaded. + + :param list module_dirs: A list of directories on disk to search for modules + :param opts dict: The salt options dictionary. + :param tag str': The tag for the type of module to load + :param func mod_type_check: A function which can be used to verify files + :param dict pack: A dictionary of function to be packed into modules as they are loaded + :param list whitelist: A list of modules to whitelist + :param bool virtual_enable: Whether or not to respect the __virtual__ function when loading modules. + :param str virtual_funcs: The name of additional functions in the module to call to verify its functionality. + If not true, the module will not load. + :returns: A LazyLoader object which functions as a dictionary. Keys are 'module.function' and values + are function references themselves which are loaded on-demand. 
+ # TODO: + - move modules_max_memory into here + - singletons (per tag) + ''' + + mod_dict_class = salt.utils.odict.OrderedDict + + def __init__(self, + module_dirs, + opts=None, + tag='module', + loaded_base_name=None, + mod_type_check=None, + pack=None, + whitelist=None, + virtual_enable=True, + static_modules=None, + proxy=None, + virtual_funcs=None, + ): # pylint: disable=W0231 + ''' + In pack, if any of the values are None they will be replaced with an + empty context-specific dict + ''' + + self.inject_globals = {} + self.pack = {} if pack is None else pack + if opts is None: + opts = {} + self.context_dict = salt.utils.context.ContextDict() + self.opts = self.__prep_mod_opts(opts) + + self.module_dirs = module_dirs + self.tag = tag + self.loaded_base_name = loaded_base_name or LOADED_BASE_NAME + self.mod_type_check = mod_type_check or _mod_type + + if '__context__' not in self.pack: + self.pack['__context__'] = None + + for k, v in six.iteritems(self.pack): + if v is None: # if the value of a pack is None, lets make an empty dict + self.context_dict.setdefault(k, {}) + self.pack[k] = salt.utils.context.NamespacedDictWrapper(self.context_dict, k) + + self.whitelist = whitelist + self.virtual_enable = virtual_enable + self.initial_load = True + + # names of modules that we don't have (errors, __virtual__, etc.) + self.missing_modules = {} # mapping of name -> error + self.loaded_modules = {} # mapping of module_name -> dict_of_functions + self.loaded_files = set() # TODO: just remove them from file_mapping? 
+ self.static_modules = static_modules if static_modules else [] + + if virtual_funcs is None: + virtual_funcs = [] + self.virtual_funcs = virtual_funcs + + self.disabled = set(self.opts.get('disable_{0}s'.format(self.tag), [])) + + self.refresh_file_mapping() + + super(LazyLoader, self).__init__() # late init the lazy loader + # create all of the import namespaces + _generate_module('{0}.int'.format(self.loaded_base_name)) + _generate_module('{0}.int.{1}'.format(self.loaded_base_name, tag)) + _generate_module('{0}.ext'.format(self.loaded_base_name)) + _generate_module('{0}.ext.{1}'.format(self.loaded_base_name, tag)) + + def __getitem__(self, item): + ''' + Override the __getitem__ in order to decorate the returned function if we need + to last-minute inject globals + ''' + func = super(LazyLoader, self).__getitem__(item) + if self.inject_globals: + return global_injector_decorator(self.inject_globals)(func) + else: + return func + + def __getattr__(self, mod_name): + ''' + Allow for "direct" attribute access-- this allows jinja templates to + access things like `salt.test.ping()` + ''' + # if we have an attribute named that, lets return it. + try: + return object.__getattr__(self, mod_name) # pylint: disable=no-member + except AttributeError: + pass + + # otherwise we assume its jinja template access + if mod_name not in self.loaded_modules and not self.loaded: + for name in self._iter_files(mod_name): + if name in self.loaded_files: + continue + # if we got what we wanted, we are done + if self._load_module(name) and mod_name in self.loaded_modules: + break + if mod_name in self.loaded_modules: + return self.loaded_modules[mod_name] + else: + raise AttributeError(mod_name) + + def missing_fun_string(self, function_name): + ''' + Return the error string for a missing function. 
+ + This can range from "not available' to "__virtual__" returned False + ''' + mod_name = function_name.split('.')[0] + if mod_name in self.loaded_modules: + return '\'{0}\' is not available.'.format(function_name) + else: + try: + reason = self.missing_modules[mod_name] + except KeyError: + return '\'{0}\' is not available.'.format(function_name) + else: + if reason is not None: + return '\'{0}\' __virtual__ returned False: {1}'.format(mod_name, reason) + else: + return '\'{0}\' __virtual__ returned False'.format(mod_name) + + def refresh_file_mapping(self): + ''' + refresh the mapping of the FS on disk + ''' + # map of suffix to description for imp + self.suffix_map = {} + suffix_order = [''] # local list to determine precedence of extensions + # Prefer packages (directories) over modules (single files)! + for (suffix, mode, kind) in SUFFIXES: + self.suffix_map[suffix] = (suffix, mode, kind) + suffix_order.append(suffix) + + if self.opts.get('cython_enable', True) is True: + try: + global pyximport + pyximport = __import__('pyximport') # pylint: disable=import-error + pyximport.install() + # add to suffix_map so file_mapping will pick it up + self.suffix_map['.pyx'] = tuple() + except ImportError: + log.info('Cython is enabled in the options but not present ' + 'in the system path. Skipping Cython modules.') + # Allow for zipimport of modules + if self.opts.get('enable_zip_modules', True) is True: + self.suffix_map['.zip'] = tuple() + # allow for module dirs + self.suffix_map[''] = ('', '', imp.PKG_DIRECTORY) + + # create mapping of filename (without suffix) to (path, suffix) + # The files are added in order of priority, so order *must* be retained. 
+ self.file_mapping = salt.utils.odict.OrderedDict() + + for mod_dir in self.module_dirs: + files = [] + try: + files = os.listdir(mod_dir) + except OSError: + continue # Next mod_dir + for filename in files: + try: + if filename.startswith('_'): + # skip private modules + # log messages omitted for obviousness + continue # Next filename + f_noext, ext = os.path.splitext(filename) + # make sure it is a suffix we support + if ext not in self.suffix_map: + continue # Next filename + if f_noext in self.disabled: + log.trace( + 'Skipping {0}, it is disabled by configuration'.format( + filename + ) + ) + continue # Next filename + fpath = os.path.join(mod_dir, filename) + # if its a directory, lets allow us to load that + if ext == '': + # is there something __init__? + subfiles = os.listdir(fpath) + for suffix in suffix_order: + if '' == suffix: + continue # Next suffix (__init__ must have a suffix) + init_file = '__init__{0}'.format(suffix) + if init_file in subfiles: + break + else: + continue # Next filename + + if f_noext in self.file_mapping: + curr_ext = self.file_mapping[f_noext][1] + #log.debug("****** curr_ext={0} ext={1} suffix_order={2}".format(curr_ext, ext, suffix_order)) + if '' in (curr_ext, ext) and curr_ext != ext: + log.error( + 'Module/package collision: \'%s\' and \'%s\'', + fpath, + self.file_mapping[f_noext][0] + ) + if not curr_ext or suffix_order.index(ext) >= suffix_order.index(curr_ext): + continue # Next filename + + # Made it this far - add it + self.file_mapping[f_noext] = (fpath, ext) + + except OSError: + continue + for smod in self.static_modules: + f_noext = smod.split('.')[-1] + self.file_mapping[f_noext] = (smod, '.o') + + def clear(self): + ''' + Clear the dict + ''' + super(LazyLoader, self).clear() # clear the lazy loader + self.loaded_files = set() + self.missing_modules = {} + self.loaded_modules = {} + # if we have been loaded before, lets clear the file mapping since + # we obviously want a re-do + if hasattr(self, 'opts'): + 
self.refresh_file_mapping() + self.initial_load = False + + def __prep_mod_opts(self, opts): + ''' + Strip out of the opts any logger instance + ''' + if '__grains__' not in self.pack: + self.context_dict['grains'] = opts.get('grains', {}) + self.pack['__grains__'] = salt.utils.context.NamespacedDictWrapper(self.context_dict, 'grains', override_name='grains') + + if '__pillar__' not in self.pack: + self.context_dict['pillar'] = opts.get('pillar', {}) + self.pack['__pillar__'] = salt.utils.context.NamespacedDictWrapper(self.context_dict, 'pillar', override_name='pillar') + + mod_opts = {} + for key, val in list(opts.items()): + if key == 'logger': + continue + mod_opts[key] = val + return mod_opts + + def _iter_files(self, mod_name): + ''' + Iterate over all file_mapping files in order of closeness to mod_name + ''' + # do we have an exact match? + if mod_name in self.file_mapping: + yield mod_name + + # do we have a partial match? + for k in self.file_mapping: + if mod_name in k: + yield k + + # anyone else? Bueller? 
+ for k in self.file_mapping: + if mod_name not in k: + yield k + + def _reload_submodules(self, mod): + submodules = ( + getattr(mod, sname) for sname in dir(mod) if + isinstance(getattr(mod, sname), mod.__class__) + ) + + # reload only custom "sub"modules + for submodule in submodules: + # it is a submodule if the name is in a namespace under mod + if submodule.__name__.startswith(mod.__name__ + '.'): + reload(submodule) + self._reload_submodules(submodule) + + def _load_module(self, name): + mod = None + fpath, suffix = self.file_mapping[name] + self.loaded_files.add(name) + fpath_dirname = os.path.dirname(fpath) + try: + sys.path.append(fpath_dirname) + if suffix == '.pyx': + mod = pyximport.load_module(name, fpath, tempfile.gettempdir()) + elif suffix == '.o': + top_mod = __import__(fpath, globals(), locals(), []) + comps = fpath.split('.') + if len(comps) < 2: + mod = top_mod + else: + mod = top_mod + for subname in comps[1:]: + mod = getattr(mod, subname) + elif suffix == '.zip': + mod = zipimporter(fpath).load_module(name) + else: + desc = self.suffix_map[suffix] + # if it is a directory, we don't open a file + try: + mod_namespace = '.'.join(( + self.loaded_base_name, + self.mod_type_check(fpath), + self.tag, + name)) + except TypeError: + mod_namespace = '{0}.{1}.{2}.{3}'.format( + self.loaded_base_name, + self.mod_type_check(fpath), + self.tag, + name) + if suffix == '': + mod = imp.load_module(mod_namespace, None, fpath, desc) + # reload all submodules if necessary + if not self.initial_load: + self._reload_submodules(mod) + else: + with salt.utils.fopen(fpath, desc[1]) as fn_: + mod = imp.load_module(mod_namespace, fn_, fpath, desc) + + except IOError: + raise + except ImportError as exc: + if 'magic number' in str(exc): + log.warning('Failed to import {0} {1}. Bad magic number. 
If migrating ' + 'from Python2 to Python3, remove all .pyc files and try again.'.format(self.tag, name)) + log.debug( + 'Failed to import {0} {1}:\n'.format( + self.tag, name + ), + exc_info=True + ) + return False + except Exception as error: + log.error( + 'Failed to import {0} {1}, this is due most likely to a ' + 'syntax error:\n'.format( + self.tag, name + ), + exc_info=True + ) + return False + except SystemExit: + log.error( + 'Failed to import {0} {1} as the module called exit()\n'.format( + self.tag, name + ), + exc_info=True + ) + return False + finally: + sys.path.remove(fpath_dirname) + + if hasattr(mod, '__opts__'): + mod.__opts__.update(self.opts) + else: + mod.__opts__ = self.opts + + # pack whatever other globals we were asked to + for p_name, p_value in six.iteritems(self.pack): + setattr(mod, p_name, p_value) + + module_name = mod.__name__.rsplit('.', 1)[-1] + + # Call a module's initialization method if it exists + module_init = getattr(mod, '__init__', None) + if inspect.isfunction(module_init): + try: + module_init(self.opts) + except TypeError as e: + log.error(e) + except Exception: + err_string = '__init__ failed' + log.debug( + 'Error loading %s.%s: %s', + self.tag, module_name, err_string, exc_info=True + ) + self.missing_modules[module_name] = err_string + self.missing_modules[name] = err_string + return False + + # if virtual modules are enabled, we need to look for the + # __virtual__() function inside that module and run it. 
+ if self.virtual_enable: + virtual_funcs_to_process = ['__virtual__'] + self.virtual_funcs + for virtual_func in virtual_funcs_to_process: + (virtual_ret, module_name, virtual_err) = self.process_virtual( + mod, + module_name, + ) + if virtual_err is not None: + log.trace( + 'Error loading %s.%s: %s', + self.tag, module_name, virtual_err + ) + + # if process_virtual returned a non-True value then we are + # supposed to not process this module + if virtual_ret is not True and module_name not in self.missing_modules: + # If a module has information about why it could not be loaded, record it + self.missing_modules[module_name] = virtual_err + self.missing_modules[name] = virtual_err + return False + + # If this is a proxy minion then MOST modules cannot work. Therefore, require that + # any module that does work with salt-proxy-minion define __proxyenabled__ as a list + # containing the names of the proxy types that the module supports. + # + # Render modules and state modules are OK though + if 'proxy' in self.opts: + if self.tag in ['grains', 'proxy']: + if not hasattr(mod, '__proxyenabled__') or \ + (self.opts['proxy']['proxytype'] not in mod.__proxyenabled__ and + '*' not in mod.__proxyenabled__): + err_string = 'not a proxy_minion enabled module' + self.missing_modules[module_name] = err_string + self.missing_modules[name] = err_string + return False + + if getattr(mod, '__load__', False) is not False: + log.info( + 'The functions from module \'{0}\' are being loaded from the ' + 'provided __load__ attribute'.format( + module_name + ) + ) + + # If we had another module by the same virtual name, we should put any + # new functions under the existing dictionary. 
+ if module_name in self.loaded_modules: + mod_dict = self.loaded_modules[module_name] + else: + mod_dict = self.mod_dict_class() + + for attr in getattr(mod, '__load__', dir(mod)): + if attr.startswith('_'): + # private functions are skipped + continue + func = getattr(mod, attr) + if not inspect.isfunction(func): + # Not a function!? Skip it!!! + continue + # Let's get the function name. + # If the module has the __func_alias__ attribute, it must be a + # dictionary mapping in the form of(key -> value): + # -> + # + # It default's of course to the found callable attribute name + # if no alias is defined. + funcname = getattr(mod, '__func_alias__', {}).get(attr, attr) + try: + full_funcname = '.'.join((module_name, funcname)) + except TypeError: + full_funcname = '{0}.{1}'.format(module_name, funcname) + # Save many references for lookups + # Careful not to overwrite existing (higher priority) functions + if full_funcname not in self._dict: + self._dict[full_funcname] = func + if funcname not in mod_dict: + setattr(mod_dict, funcname, func) + mod_dict[funcname] = func + self._apply_outputter(func, mod) + + # enforce depends + try: + Depends.enforce_dependencies(self._dict, self.tag) + except RuntimeError as exc: + log.info('Depends.enforce_dependencies() failed ' + 'for reasons: {0}'.format(exc)) + + self.loaded_modules[module_name] = mod_dict + return True + + def _load(self, key): + ''' + Load a single item if you have it + ''' + # if the key doesn't have a '.' then it isn't valid for this mod dict + if not isinstance(key, six.string_types) or '.' 
not in key: + raise KeyError + mod_name, _ = key.split('.', 1) + if mod_name in self.missing_modules: + return True + # if the modulename isn't in the whitelist, don't bother + if self.whitelist and mod_name not in self.whitelist: + raise KeyError + + def _inner_load(mod_name): + for name in self._iter_files(mod_name): + if name in self.loaded_files: + continue + # if we got what we wanted, we are done + if self._load_module(name) and key in self._dict: + return True + return False + + # try to load the module + ret = None + reloaded = False + # re-scan up to once, IOErrors or a failed load cause re-scans of the + # filesystem + while True: + try: + ret = _inner_load(mod_name) + if not reloaded and ret is not True: + self.refresh_file_mapping() + reloaded = True + continue + break + except IOError: + if not reloaded: + self.refresh_file_mapping() + reloaded = True + continue + + return ret + + def _load_all(self): + ''' + Load all of them + ''' + for name in self.file_mapping: + if name in self.loaded_files or name in self.missing_modules: + continue + self._load_module(name) + + self.loaded = True + + def _apply_outputter(self, func, mod): + ''' + Apply the __outputter__ variable to the functions + ''' + if hasattr(mod, '__outputter__'): + outp = mod.__outputter__ + if func.__name__ in outp: + func.__outputter__ = outp[func.__name__] + + def process_virtual(self, mod, module_name, virtual_func='__virtual__'): + ''' + Given a loaded module and its default name determine its virtual name + + This function returns a tuple. The first value will be either True or + False and will indicate if the module should be loaded or not (i.e. if + it threw and exception while processing its __virtual__ function). The + second value is the determined virtual name, which may be the same as + the value provided. 
+ + The default name can be calculated as follows:: + + module_name = mod.__name__.rsplit('.', 1)[-1] + ''' + + # The __virtual__ function will return either a True or False value. + # If it returns a True value it can also set a module level attribute + # named __virtualname__ with the name that the module should be + # referred to as. + # + # This allows us to have things like the pkg module working on all + # platforms under the name 'pkg'. It also allows for modules like + # augeas_cfg to be referred to as 'augeas', which would otherwise have + # namespace collisions. And finally it allows modules to return False + # if they are not intended to run on the given platform or are missing + # dependencies. + try: + error_reason = None + if hasattr(mod, '__virtual__') and inspect.isfunction(mod.__virtual__): + try: + start = time.time() + virtual = getattr(mod, virtual_func)() + if isinstance(virtual, tuple): + error_reason = virtual[1] + virtual = virtual[0] + if self.opts.get('virtual_timer', False): + end = time.time() - start + msg = 'Virtual function took {0} seconds for {1}'.format( + end, module_name) + log.warning(msg) + except Exception as exc: + error_reason = ('Exception raised when processing __virtual__ function' + ' for {0}. Module will not be loaded {1}'.format( + module_name, exc)) + log.error(error_reason, exc_info_on_loglevel=logging.DEBUG) + virtual = None + # Get the module's virtual name + virtualname = getattr(mod, '__virtualname__', virtual) + if not virtual: + # if __virtual__() evaluates to False then the module + # wasn't meant for this platform or it's not supposed to + # load for some other reason. + + # Some modules might accidentally return None and are + # improperly loaded + if virtual is None: + log.warning( + '{0}.__virtual__() is wrongly returning `None`. ' + 'It should either return `True`, `False` or a new ' + 'name. 
If you\'re the developer of the module ' + '\'{1}\', please fix this.'.format( + mod.__name__, + module_name + ) + ) + + return (False, module_name, error_reason) + + # At this point, __virtual__ did not return a + # boolean value, let's check for deprecated usage + # or module renames + if virtual is not True and module_name != virtual: + # The module is renaming itself. Updating the module name + # with the new name + log.trace('Loaded {0} as virtual {1}'.format( + module_name, virtual + )) + + if not hasattr(mod, '__virtualname__'): + salt.utils.warn_until( + 'Hydrogen', + 'The \'{0}\' module is renaming itself in its ' + '__virtual__() function ({1} => {2}). Please ' + 'set it\'s virtual name as the ' + '\'__virtualname__\' module attribute. ' + 'Example: "__virtualname__ = \'{2}\'"'.format( + mod.__name__, + module_name, + virtual + ) + ) + + if virtualname != virtual: + # The __virtualname__ attribute does not match what's + # being returned by the __virtual__() function. This + # should be considered an error. + log.error( + 'The module \'{0}\' is showing some bad usage. Its ' + '__virtualname__ attribute is set to \'{1}\' yet the ' + '__virtual__() function is returning \'{2}\'. These ' + 'values should match!'.format( + mod.__name__, + virtualname, + virtual + ) + ) + + module_name = virtualname + + # If the __virtual__ function returns True and __virtualname__ + # is set then use it + elif virtual is True and virtualname != module_name: + if virtualname is not True: + module_name = virtualname + + except KeyError: + # Key errors come out of the virtual function when passing + # in incomplete grains sets, these can be safely ignored + # and logged to debug, still, it includes the traceback to + # help debugging. + log.debug( + 'KeyError when loading {0}'.format(module_name), + exc_info=True + ) + + except Exception: + # If the module throws an exception during __virtual__() + # then log the information and continue to the next. 
+ log.error( + 'Failed to read the virtual function for ' + '{0}: {1}'.format( + self.tag, module_name + ), + exc_info=True + ) + return (False, module_name, error_reason) + + return (True, module_name, None) + + +def global_injector_decorator(inject_globals): + ''' + Decorator used by the LazyLoader to inject globals into a function at + execute time. + + globals + Dictionary with global variables to inject + ''' + def inner_decorator(f): + @functools.wraps(f) + def wrapper(*args, **kwargs): + with salt.utils.context.func_globals_inject(f, **inject_globals): + return f(*args, **kwargs) + return wrapper + return inner_decorator + + +class NovaLazyLoader(LazyLoader): + ''' + Leverage the SaltStack LazyLoader so we don't have to reimplement + everything. Note that in general, we'll just call _load_all, so this + will not actually be a lazy loader, but leveraging the existing code is + worth it. + ''' + + def __init__(self, hubble_dir, opts, grains, pillar, salt): + self.hubble_dir = hubble_dir + self.__grains__ = grains + self.__pillar__ = pillar + self.__salt__ = salt + self.__opts__ = opts + self.__data__ = {} + self.__missing_data__ = {} + super(NovaLazyLoader, self).__init__(hubble_dir, + opts=opts, + tag='nova') + self._load_all() + + def refresh_file_mapping(self): + ''' + Override the default refresh_file_mapping to look for nova files + recursively, rather than only in a top-level directory + ''' + # map of suffix to description for imp + self.suffix_map = {} + suffix_order = [] # local list to determine precedence of extensions + suffix_order.append('.yaml') + for (suffix, mode, kind) in imp.get_suffixes(): + self.suffix_map[suffix] = (suffix, mode, kind) + suffix_order.append(suffix) + + # create mapping of filename (without suffix) to (path, suffix) + self.file_mapping = {} + + for mod_dir in self.module_dirs: + for dirname, dirs, files in os.walk(mod_dir): + if '.git' in dirs: + dirs.remove('.git') + for filename in files: + try: + if 
filename.startswith('_'): + # skip private modules + # log messages omitted for obviousness + continue + _, ext = os.path.splitext(filename) + fpath = os.path.join(dirname, filename) + f_withext = fpath.partition(mod_dir)[-1] + # Nova only supports .py and .yaml + if ext not in ['.py', '.yaml']: + continue + # Python only in the modules directory, yaml only + # in the profiles directory. This is hacky but was a + # quick fix. + nova_module_cache, nova_profile_cache = self.hubble_dir + nova_module_cache = os.path.join(nova_module_cache, '') + nova_profile_cache = os.path.join(nova_profile_cache, '') + if ext == '.py' and fpath.startswith(nova_profile_cache): + continue + if ext == '.yaml' and fpath.startswith(nova_module_cache): + continue + if f_withext in self.disabled: + #log.trace( + # 'Skipping {0}, it is disabled by configuration'.format( + # filename + # ) + #) + continue + + # if we don't have it, we want it + elif f_withext not in self.file_mapping: + self.file_mapping[f_withext] = (fpath, ext) + # if we do, we want it if we have a higher precidence ext + else: + curr_ext = self.file_mapping[f_withext][1] + #log.debug("****** curr_ext={0} ext={1} suffix_order={2}".format(curr_ext, ext, suffix_order)) + if curr_ext and suffix_order.index(ext) < suffix_order.index(curr_ext): + self.file_mapping[f_withext] = (fpath, ext) + except OSError: + continue + + def _load_module(self, name): + ''' + Override the module load code + ''' + mod = None + fpath, suffix = self.file_mapping[name] + self.loaded_files.add(name) + if suffix == '.yaml': + try: + with open(fpath) as fh_: + data = yaml.safe_load(fh_) + except Exception as exc: + self.__missing_data__[name] = str(exc) + return False + + self.__data__[name] = data + return True + try: + sys.path.append(os.path.dirname(fpath)) + desc = self.suffix_map[suffix] + # if it is a directory, we don't open a file + with salt.utils.fopen(fpath, desc[1]) as fn_: + mod = imp.load_module( + '{0}.{1}.{2}.{3}'.format( + 
self.loaded_base_name, + self.mod_type_check(fpath), + self.tag, + name + ), fn_, fpath, desc) + + except IOError: + raise + except ImportError as error: + log.debug( + 'Failed to import {0} {1}:\n'.format( + self.tag, name + ), + exc_info=True + ) + self.missing_modules[name] = str(error) + return False + except Exception as error: + log.error( + 'Failed to import {0} {1}, this is due most likely to a ' + 'syntax error:\n'.format( + self.tag, name + ), + exc_info=True + ) + self.missing_modules[name] = str(error) + return False + except SystemExit as error: + log.error( + 'Failed to import {0} {1} as the module called exit()\n'.format( + self.tag, name + ), + exc_info=True + ) + self.missing_modules[name] = str(error) + return False + finally: + sys.path.pop() + + mod.__grains__ = self.__grains__ + mod.__pillar__ = self.__pillar__ + mod.__opts__ = self.__opts__ + mod.__salt__ = self.__salt__ + + # pack whatever other globals we were asked to + for p_name, p_value in six.iteritems(self.pack): + setattr(mod, p_name, p_value) + + module_name = name + + # Call a module's initialization method if it exists + module_init = getattr(mod, '__init__', None) + if inspect.isfunction(module_init): + try: + module_init(self.opts) + except TypeError as e: + log.error(e) + except Exception: + err_string = '__init__ failed' + log.debug( + 'Error loading {0}.{1}: {2}'.format( + self.tag, + module_name, + err_string), + exc_info=True) + self.missing_modules[name] = err_string + return False + + # if virtual modules are enabled, we need to look for the + # __virtual__() function inside that module and run it. 
+ if self.virtual_enable: + (virtual_ret, module_name, virtual_err) = self.process_virtual( + mod, + module_name, + ) + if virtual_err is not None: + log.debug('Error loading {0}.{1}: {2}'.format(self.tag, + module_name, + virtual_err, + )) + + # if process_virtual returned a non-True value then we are + # supposed to not process this module + if virtual_ret is not True: + # If a module has information about why it could not be loaded, record it + self.missing_modules[name] = virtual_err + return False + + # If this is a proxy minion then MOST modules cannot work. Therefore, require that + # any module that does work with salt-proxy-minion define __proxyenabled__ as a list + # containing the names of the proxy types that the module supports. + # + # Render modules and state modules are OK though + if 'proxy' in self.opts: + if self.tag in ['grains', 'proxy']: + if not hasattr(mod, '__proxyenabled__') or \ + (self.opts['proxy']['proxytype'] not in mod.__proxyenabled__ and + '*' not in mod.__proxyenabled__): + err_string = 'not a proxy_minion enabled module' + self.missing_modules[name] = err_string + return False + + if getattr(mod, '__load__', False) is not False: + log.info( + 'The functions from module {0!r} are being loaded from the ' + 'provided __load__ attribute'.format( + module_name + ) + ) + mod_dict = salt.utils.odict.OrderedDict() + # In nova we only care about the audit() function, and we want to + # store it with directory structure in the name. + for attr in getattr(mod, '__load__', dir(mod)): + if attr != 'audit': + continue + func = getattr(mod, attr) + # Save many references for lookups + self._dict[name] = func + mod_dict[name] = func + + self.loaded_modules[name] = mod_dict + return True diff --git a/_modules/win_pulsar.py b/_modules/win_pulsar.py index f567404..a038382 100644 --- a/_modules/win_pulsar.py +++ b/_modules/win_pulsar.py 
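Review bot: In `NovaLazyLoader._load_module`, the `finally: sys.path.pop()` only undoes the earlier `sys.path.append(os.path.dirname(fpath))` if nothing executed by `imp.load_module` touched `sys.path`; an audit module that appends its own directory at import time leaves the nova module directory on `sys.path` for the rest of the process and drops the wrong entry instead. The base `LazyLoader._load_module` in this same hunk does `sys.path.remove(fpath_dirname)`; use that form here. Separately, the `refresh_file_mapping` override unpacks `nova_module_cache, nova_profile_cache = self.hubble_dir` for every file visited by `os.walk`; hoist that above the loops and, since the signature is `__init__(self, hubble_dir, opts, grains, pillar, salt)`, document in the docstring that `hubble_dir` must be a two-element sequence of (module cache dir, profile cache dir), which the name does not suggest.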
@@ -28,7 +28,7 @@ CONFIG = None CONFIG_STALENESS = 0 -__version__ = 'v2017.4.1' +__version__ = 'v2017.8.1' def __virtual__(): @@ -37,7 +37,7 @@ def __virtual__(): return __virtualname__ -def process(configfile='salt://hubblestack_pulsar/hubblestack_pulsar_config.yaml', +def process(configfile='salt://hubblestack_pulsar/hubblestack_pulsar_win_config.yaml', verbose=False): ''' Watch the configured files @@ -196,6 +196,9 @@ def process(configfile='salt://hubblestack_pulsar/hubblestack_pulsar_config.yaml for r in ret: _append = True config_found = False + config_path = config['paths'][0] + pulsar_config = config_path[config_path.rfind('/')+1:len(config_path)] + r['pulsar_config'] = pulsar_config for path in config: if not r['Object Name'].startswith(path): continue @@ -397,9 +400,9 @@ def _remove_acl(path): def _pull_events(time_frame, checksum): events_list = [] - events_output = __salt__['cmd.run_stdout']('mode con:cols=1000 lines=1000; Get-EventLog -LogName Security ' - '-After ((Get-Date).AddSeconds(-{0})) -InstanceId 4663 | fl'.format( - time_frame), shell='powershell', python_shell=True) + events_output = __salt__['cmd.run_stdout']('mode con:cols=1000 lines=1000; Get-WinEvent -FilterHashTable @{{' + 'LogName = "security"; StartTime = [datetime]::Now.AddSeconds(-30);' + 'Id = 4663}} | fl'.format(time_frame), shell='powershell', python_shell=True) events = events_output.split('\r\n\r\n') for event in events: if event: 
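Review bot: In the `process()` hunk at `@@ -196,6 +196,9 @@`, `config['paths'][0]` is evaluated inside the `for r in ret:` loop, so it is recomputed for every event and raises `KeyError` or `IndexError` for a config with no `paths` entry, which aborts the whole run rather than just the tagging; compute `pulsar_config` once before the loop and guard the lookup. The slice `config_path[config_path.rfind('/')+1:len(config_path)]` is just `config_path.rsplit('/', 1)[-1]` (these are `salt://` URLs, not Windows paths, so splitting on `/` is right), and the `:len(config_path)` bound is redundant.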
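Review bot: In the `_pull_events()` hunk at `@@ -397,9 +400,9 @@`, the new PowerShell command hard-codes `AddSeconds(-30)` and the trailing `.format(time_frame)` has no `{0}` placeholder left to fill (the only braces in the string are the escaped `@{{ ... }}`), so the `time_frame` argument is now silently ignored and every caller gets a fixed 30-second window regardless of what it asks for. Keep the parameter live, as the replaced `Get-EventLog` form did: `StartTime = [datetime]::Now.AddSeconds(-{0});`. While here, note that `python_shell=True` with a format-built command string is the pattern that makes any future user-controlled argument a shell injection; `time_frame` should at least be cast to `int` before it is interpolated.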
@@ -410,12 +413,12 @@ def _pull_events(time_frame, checksum): item.replace('\t', '') k, v = item.split(':', 1) event_dict[k.strip()] = v.strip() - event_dict['Accesses'] = _get_access_translation(event_dict['Accesses']) + #event_dict['Accesses'] = _get_access_translation(event_dict['Accesses']) event_dict['Hash'] = _get_item_hash(event_dict['Object Name'], checksum) #needs hostname, checksum, filepath, time stamp, action taken # Generate the dictionary without a dictionary comp, for py2.6 tmpdict = {} - for k in ('EntryType', 'Accesses', 'TimeGenerated', 'Object Name', 'Hash'): + for k in ('Message', 'Accesses', 'TimeCreated', 'Object Name', 'Hash'): tmpdict[k] = event_dict[k] events_list.append(tmpdict) return events_list diff --git a/_returners/aws_details.py b/_returners/aws_details.py deleted file mode 100644 index 9ad24d8..0000000 --- a/_returners/aws_details.py +++ /dev/null @@ -1,34 +0,0 @@ -''' -HubbleStack AWS Details - -:maintainer: HubbleStack -:platform: All -:requires: SaltStack -''' - -import requests - -def get_aws_details(): - # Gather amazon information if present - aws = {} - aws['aws_ami_id'] = None - aws['aws_instance_id'] = None - aws['aws_account_id'] = None - - try: - aws['aws_account_id'] = requests.get('http://169.254.169.254/latest/dynamic/instance-identity/document', - timeout=1).json().get('accountId', 'unknown') - # AWS account id is always an integer number - # So if it's an aws machine it must be a valid integer number - # Else it will throw an Exception - aws['aws_account_id'] = int(aws['aws_account_id']) - - aws['aws_ami_id'] = requests.get('http://169.254.169.254/latest/meta-data/ami-id', - timeout=1).text - aws['aws_instance_id'] = requests.get('http://169.254.169.254/latest/meta-data/instance-id', - timeout=1).text - except (requests.exceptions.RequestException, ValueError): - # Not on an AWS box - aws['aws_account_id'] = None - pass - return aws 
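Review bot: In the `_pull_events()` hunk at `@@ -410,12 +413,12 @@`, the `_get_access_translation` call is commented out rather than removed, with no explanation; either delete the line and the now-unused helper or keep the translation if it still applies to the `Accesses` text parsed out of the `Get-WinEvent` message body. As written, `Accesses` still has to be present in `event_dict` for the `tmpdict[k] = event_dict[k]` loop (as do `Message`, `TimeCreated` and `Object Name`), so if any of those is missing from a parsed event the loop raises `KeyError` and the whole batch is lost; use `event_dict.get(k)` or validate the parsed fields before building `tmpdict`, and add a comment saying which `fl` output lines each key is expected to come from.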
diff --git a/_returners/cloud_details.py b/_returners/cloud_details.py new file mode 100644 index 0000000..7213669 --- /dev/null +++ b/_returners/cloud_details.py @@ -0,0 +1,68 @@ +''' +HubbleStack Cloud Details + +:maintainer: HubbleStack +:platform: All +:requires: SaltStack +''' + +import requests + + +def get_cloud_details(): + # Gather all cloud details and return them, along with the fieldnames + + ret = [] + + aws = _get_aws_details() + azure = _get_azure_details() + + if aws: + ret.append(aws) + if azure: + ret.append(azure) + + return ret + + +def _get_aws_details(): + # Gather amazon information if present + aws = {} + aws['aws_ami_id'] = None + aws['aws_instance_id'] = None + aws['aws_account_id'] = None + + try: + aws['aws_account_id'] = requests.get('http://169.254.169.254/latest/dynamic/instance-identity/document', + timeout=1).json().get('accountId', 'unknown') + # AWS account id is always an integer number + # So if it's an aws machine it must be a valid integer number + # Else it will throw an Exception + aws['aws_account_id'] = int(aws['aws_account_id']) + + aws['aws_ami_id'] = requests.get('http://169.254.169.254/latest/meta-data/ami-id', + timeout=1).text + aws['aws_instance_id'] = requests.get('http://169.254.169.254/latest/meta-data/instance-id', + timeout=1).text + except (requests.exceptions.RequestException, ValueError): + # Not on an AWS box + aws = None + return aws + + +def _get_azure_details(): + # Gather azure information if present + azure = {} + azure['azure_vmId'] = None + + azureHeader = {'Metadata': 'true'} + + try: + r = requests.get('http://169.254.169.254/metadata/instance/compute/vmId?api-version=2017-03-01&format=text', + timeout=1, headers=azureHeader) + r.raise_for_status() + azure['azure_vmId'] = r.text + except (requests.exceptions.RequestException, ValueError): + # Not on an Azure box + azure = None + return azure 
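Review bot: In `get_cloud_details()`, each probe to `169.254.169.254` is sent with a one-second timeout on every call, and the new returners call this once per `returner()` invocation, so a host on neither cloud pays up to two seconds of connect timeouts per returned job, on every job, for a value that cannot change while the minion runs; cache the result at module level after the first call (and consider a config knob to skip the probe on known bare-metal fleets). `_get_azure_details` catches `ValueError`, which nothing in that block raises; the AWS block needs it for `.json()` and `int()`, the Azure block only needs `RequestException`. Also, because `cloud_details.py` lives in `_returners/` without a leading underscore, the Salt loader will try to load it as a returner module in its own right (the loader code earlier in this patch skips only files that `startswith('_')`); renaming it `_cloud_details.py` keeps it importable via the module directory on `sys.path` while keeping it out of the returner namespace.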
diff --git a/_returners/logstash_nebula_return.py b/_returners/logstash_nebula_return.py new file mode 100644 index 0000000..9df5ce1 --- /dev/null +++ b/_returners/logstash_nebula_return.py 
@@ -0,0 +1,158 @@ +# -*- encoding: utf-8 -*- +''' +HubbleStack Nebula-to-Logstash (http input) returner + +:maintainer: HubbleStack +:platform: All +:requires: HubbleStack + +Deliver HubbleStack Nebula query data into Logstash using the HTTP input +plugin. Required config/pillar settings: + +.. code-block:: yaml + + hubblestack: + returner: + logstash: + - port: 8080 + proxy: {} + timeout: 10 + user: username + indexer_ssl: True + sourcetype_nebula: hubble_osquery + indexer: http://logstash.http.input.tld + password: password + custom_fields: + - site + - product_group +''' + +import json +import time +import socket +import requests +from datetime import datetime +from cloud_details import get_cloud_details +from requests.auth import HTTPBasicAuth + + +def returner(ret): + ''' + ''' + opts_list = _get_options() + + clouds = get_cloud_details() + + for opts in opts_list: + proxy = opts['proxy'] + timeout = opts['timeout'] + custom_fields = opts['custom_fields'] + + indexer = opts['indexer'] + port = opts['port'] + password = opts['password'] + user = opts['user'] + + ## assign all the things + data = ret['return'] + minion_id = ret['id'] + jid = ret['jid'] + master = __grains__['master'] + fqdn = __grains__['fqdn'] + fqdn = fqdn if fqdn else minion_id + try: + fqdn_ip4 = __grains__['fqdn_ip4'][0] + except IndexError: + fqdn_ip4 = __grains__['ipv4'][0] + if fqdn_ip4.startswith('127.'): + for ip4_addr in __grains__['ipv4']: + if ip4_addr and not ip4_addr.startswith('127.'): + fqdn_ip4 = ip4_addr + break + + if not data: + return + else: + for query in data: + for query_name, query_results in query.iteritems(): + for query_result in query_results['data']: + event = {} + payload = {} + event.update(query_result) + event.update({'query': query_name}) + event.update({'job_id': jid}) + event.update({'master': master}) + event.update({'minion_id': minion_id}) + event.update({'dest_host': fqdn}) + event.update({'dest_ip': fqdn_ip4}) + + for cloud in clouds: + 
event.update(cloud) + + for custom_field in custom_fields: + custom_field_name = 'custom_' + custom_field + custom_field_value = __salt__['config.get'](custom_field, '') + if isinstance(custom_field_value, str): + event.update({custom_field_name: custom_field_value}) + elif isinstance(custom_field_value, list): + custom_field_value = ','.join(custom_field_value) + event.update({custom_field_name: custom_field_value}) + + payload.update({'host': fqdn}) + payload.update({'index': opts['index']}) + payload.update({'sourcetype': opts['sourcetype']}) + payload.update({'event': event}) + + # If the osquery query includes a field called 'time' it will be checked. + # If it's within the last year, it will be used as the eventtime. + event_time = query_result.get('time', '') + try: + if (datetime.fromtimestamp(time.time()) - datetime.fromtimestamp(float(event_time))).days > 365: + event_time = '' + except: + event_time = '' + finally: + rdy = json.dumps(payload) + requests.post('{}:{}/hubble/nebula'.format(indexer, port), rdy, auth=HTTPBasicAuth(user, password)) + return + + +def _get_options(): + if __salt__['config.get']('hubblestack:returner:logstash'): + logstash_opts = [] + returner_opts = __salt__['config.get']('hubblestack:returner:logstash') + if not isinstance(returner_opts, list): + returner_opts = [returner_opts] + for opt in returner_opts: + processed = {} + processed['password'] = opt.get('password') + processed['user'] = opt.get('user') + processed['indexer'] = opt.get('indexer') + processed['port'] = str(opt.get('port', '8080')) + processed['index'] = opt.get('index') + processed['custom_fields'] = opt.get('custom_fields', []) + processed['sourcetype'] = opt.get('sourcetype_nebula', 'hubble_osquery') + processed['indexer_ssl'] = opt.get('indexer_ssl', True) + processed['proxy'] = opt.get('proxy', {}) + processed['timeout'] = opt.get('timeout', 9.05) + logstash_opts.append(processed) + return logstash_opts + else: + try: + port = 
__salt__['config.get']('hubblestack:returner:logstash:port') + user = __salt__['config.get']('hubblestack:returner:logstash:user') + indexer = __salt__['config.get']('hubblestack:returner:logstash:indexer') + password = __salt__['config.get']('hubblestack:returner:logstash:password') + sourcetype = __salt__['config.get']('hubblestack:nebula:returner:logstash:sourcetype') + custom_fields = __salt__['config.get']('hubblestack:nebula:returner:logstash:custom_fields', []) + except: + return None + + logstash_opts = {'password': password, 'indexer': indexer, 'sourcetype': sourcetype, 'index': index, 'custom_fields': custom_fields} + + indexer_ssl = __salt__['config.get']('hubblestack:nebula:returner:logstash:indexer_ssl', True) + logstash_opts['http_input_server_ssl'] = indexer_ssl + logstash_opts['proxy'] = __salt__['config.get']('hubblestack:nebula:returner:logstash:proxy', {}) + logstash_opts['timeout'] = __salt__['config.get']('hubblestack:nebula:returner:logstash:timeout', 9.05) + + return [logstash_opts] diff --git a/_returners/logstash_nova_return.py b/_returners/logstash_nova_return.py new file mode 100644 index 0000000..3f0a2c5 --- /dev/null +++ b/_returners/logstash_nova_return.py 
@@ -0,0 +1,230 @@ +# -*- encoding: utf-8 -*- +''' +HubbleStack Nova-to-Logstash (http input) returner + +:maintainer: HubbleStack +:platform: All +:requires: HubbleStack + +Deliver HubbleStack Nova data into Logstash using the HTTP input +plugin. Required config/pillar settings: + +.. code-block:: yaml + + hubblestack: + returner: + logstash: + - port: 8080 + proxy: {} + timeout: 10 + user: username + indexer_ssl: True + sourcetype_nova: hubble_audit + indexer: http://logstash.http.input.tld + password: password + custom_fields: + - site + - product_group +''' + +import json +import time +import socket +import requests +from cloud_details import get_cloud_details +from requests.auth import HTTPBasicAuth + +def returner(ret): + ''' + ''' + opts_list = _get_options() + + clouds = get_cloud_details() + + for opts in opts_list: + proxy = opts['proxy'] + timeout = opts['timeout'] + custom_fields = opts['custom_fields'] + + indexer = opts['indexer'] + port = opts['port'] + password = opts['password'] + user = opts['user'] + + data = ret['return'] + minion_id = ret['id'] + jid = ret['jid'] + fqdn = __grains__['fqdn'] + # Sometimes fqdn is blank. 
If it is, replace it with minion_id + fqdn = fqdn if fqdn else minion_id + master = __grains__['master'] + try: + fqdn_ip4 = __grains__['fqdn_ip4'][0] + except IndexError: + fqdn_ip4 = __grains__['ipv4'][0] + if fqdn_ip4.startswith('127.'): + for ip4_addr in __grains__['ipv4']: + if ip4_addr and not ip4_addr.startswith('127.'): + fqdn_ip4 = ip4_addr + break + + if __grains__['master']: + master = __grains__['master'] + else: + master = socket.gethostname() # We *are* the master, so use our hostname + + if not isinstance(data, dict): + log.error('Data sent to splunk_nova_return was not formed as a ' + 'dict:\n{0}'.format(data)) + return + + for fai in data.get('Failure', []): + check_id = fai.keys()[0] + payload = {} + event = {} + event.update({'check_result': 'Failure'}) + event.update({'check_id': check_id}) + event.update({'job_id': jid}) + if not isinstance(fai[check_id], dict): + event.update({'description': fai[check_id]}) + elif 'description' in fai[check_id]: + for key, value in fai[check_id].iteritems(): + if key not in ['tag']: + event[key] = value + event.update({'master': master}) + event.update({'minion_id': minion_id}) + event.update({'dest_host': fqdn}) + event.update({'dest_ip': fqdn_ip4}) + + for cloud in clouds: + event.update(cloud) + + for custom_field in custom_fields: + custom_field_name = 'custom_' + custom_field + custom_field_value = __salt__['config.get'](custom_field, '') + if isinstance(custom_field_value, str): + event.update({custom_field_name: custom_field_value}) + elif isinstance(custom_field_value, list): + custom_field_value = ','.join(custom_field_value) + event.update({custom_field_name: custom_field_value}) + + payload.update({'host': fqdn}) + payload.update({'index': opts['index']}) + payload.update({'sourcetype': opts['sourcetype']}) + payload.update({'event': event}) + + rdy = json.dumps(payload) + requests.post('{}:{}/hubble/nova'.format(indexer, port), rdy, auth=HTTPBasicAuth(user, password)) + + + for suc in 
data.get('Success', []): + check_id = suc.keys()[0] + payload = {} + event = {} + event.update({'check_result': 'Success'}) + event.update({'check_id': check_id}) + event.update({'job_id': jid}) + if not isinstance(suc[check_id], dict): + event.update({'description': suc[check_id]}) + elif 'description' in suc[check_id]: + for key, value in suc[check_id].iteritems(): + if key not in ['tag']: + event[key] = value + event.update({'master': master}) + event.update({'minion_id': minion_id}) + event.update({'dest_host': fqdn}) + event.update({'dest_ip': fqdn_ip4}) + + for cloud in clouds: + event.update(cloud) + + for custom_field in custom_fields: + custom_field_name = 'custom_' + custom_field + custom_field_value = __salt__['config.get'](custom_field, '') + if isinstance(custom_field_value, str): + event.update({custom_field_name: custom_field_value}) + elif isinstance(custom_field_value, list): + custom_field_value = ','.join(custom_field_value) + event.update({custom_field_name: custom_field_value}) + + payload.update({'host': fqdn}) + payload.update({'index': opts['index']}) + payload.update({'sourcetype': opts['sourcetype']}) + payload.update({'event': event}) + + rdy = json.dumps(payload) + requests.post('{}:{}/hubble/nova'.format(indexer, port), rdy, auth=HTTPBasicAuth(user, password)) + + + if data.get('Compliance', None): + payload = {} + event = {} + event.update({'job_id': jid}) + event.update({'compliance_percentage': data['Compliance']}) + event.update({'master': master}) + event.update({'minion_id': minion_id}) + event.update({'dest_host': fqdn}) + event.update({'dest_ip': fqdn_ip4}) + + for cloud in clouds: + event.update(cloud) + + for custom_field in custom_fields: + custom_field_name = 'custom_' + custom_field + custom_field_value = __salt__['config.get'](custom_field, '') + if isinstance(custom_field_value, str): + event.update({custom_field_name: custom_field_value}) + elif isinstance(custom_field_value, list): + custom_field_value = 
','.join(custom_field_value) + event.update({custom_field_name: custom_field_value}) + + payload.update({'host': fqdn}) + payload.update({'index': opts['index']}) + payload.update({'sourcetype': opts['sourcetype']}) + payload.update({'event': event}) + + rdy = json.dumps(payload) + requests.post('{}:{}/hubble/nova'.format(indexer, port), rdy, auth=HTTPBasicAuth(user, password)) + + return + + +def _get_options(): + if __salt__['config.get']('hubblestack:returner:logstash'): + logstash_opts = [] + returner_opts = __salt__['config.get']('hubblestack:returner:logstash') + if not isinstance(returner_opts, list): + returner_opts = [returner_opts] + for opt in returner_opts: + processed = {} + processed['password'] = opt.get('password') + processed['user'] = opt.get('user') + processed['indexer'] = opt.get('indexer') + processed['port'] = str(opt.get('port', '8080')) + processed['index'] = opt.get('index') + processed['custom_fields'] = opt.get('custom_fields', []) + processed['sourcetype'] = opt.get('sourcetype_nova', 'hubble_audit') + processed['http_input_server_ssl'] = opt.get('indexer_ssl', True) + processed['proxy'] = opt.get('proxy', {}) + processed['timeout'] = opt.get('timeout', 9.05) + logstash_opts.append(processed) + return logstash_opts + else: + try: + port = __salt__['config.get']('hubblestack:returner:logstash:port') + user = __salt__['config.get']('hubblestack:returner:logstash:user') + indexer = __salt__['config.get']('hubblestack:returner:logstash:indexer') + password = __salt__['config.get']('hubblestack:returner:logstash:password') + sourcetype = __salt__['config.get']('hubblestack:returner:logstash:sourcetype') + custom_fields = __salt__['config.get']('hubblestack:returner:logstash:custom_fields', []) + except: + return None + + logstash_opts = {'password': password, 'indexer': indexer, 'sourcetype': sourcetype, 'index': index, 'custom_fields': custom_fields} + + indexer_ssl = __salt__['config.get']('hubblestack:nova:returner:logstash:indexer_ssl', 
True) + logstash_opts['http_input_server_ssl'] = indexer_ssl + logstash_opts['proxy'] = __salt__['config.get']('hubblestack:nova:returner:logstash:proxy', {}) + logstash_opts['timeout'] = __salt__['config.get']('hubblestack:nova:returner:logstash:timeout', 9.05) + + return [logstash_opts] diff --git a/_returners/logstash_pulsar_return.py b/_returners/logstash_pulsar_return.py new file mode 100644 index 0000000..d3b564d --- /dev/null +++ b/_returners/logstash_pulsar_return.py 
@@ -0,0 +1,234 @@ +# -*- encoding: utf-8 -*- +''' +HubbleStack Pulsar-to-Logstash (http input) returner + +:maintainer: HubbleStack +:platform: All +:requires: HubbleStack + +Deliver HubbleStack Pulsar event data into Logstash using the HTTP input +plugin. Required config/pillar settings: + +.. code-block:: yaml + + hubblestack: + returner: + logstash: + - port: 8080 + proxy: {} + timeout: 10 + user: username + indexer_ssl: True + sourcetype_pulsar: hubble_fim + indexer: http://logstash.http.input.tld + password: password + custom_fields: + - site + - product_group +''' + +import os +import time +import json +import requests +from collections import defaultdict +from cloud_details import get_cloud_details +from requests.auth import HTTPBasicAuth + + +def _dedupList(l): + deduped = [] + for i, x in enumerate(l): + if x not in l[i + 1:]: + deduped.append(x) + return deduped + + +def returner(ret): + ''' + ''' + if isinstance(ret, dict) and not ret.get('return'): + return + + opts_list = _get_options() + + clouds = get_cloud_details() + + for opts in opts_list: + proxy = opts['proxy'] + timeout = opts['timeout'] + custom_fields = opts['custom_fields'] + + indexer = opts['indexer'] + port = opts['port'] + password = opts['password'] + user = opts['user'] + + data = _dedupList(ret['return']) + minion_id = __opts__['id'] + fqdn = __grains__['fqdn'] + fqdn = fqdn if fqdn else minion_id + master = __grains__['master'] + try: + fqdn_ip4 = __grains__['fqdn_ip4'][0] + except IndexError: + fqdn_ip4 = __grains__['ipv4'][0] + if fqdn_ip4.startswith('127.'): + for ip4_addr in __grains__['ipv4']: + if ip4_addr and not ip4_addr.startswith('127.'): + fqdn_ip4 = ip4_addr + break + + alerts = [] + for item in data: + events = item + if not isinstance(events, list): + events = [events] + alerts.extend(events) + + for alert in alerts: + event = {} + payload = {} + if('change' in alert): # Linux, normal pulsar + # The second half of the change will be '|IN_ISDIR' for directories + change 
= alert['change'].split('|')[0] + # Skip the IN_IGNORED events + if change == 'IN_IGNORED': + continue + if len(alert['change'].split('|')) == 2: + object_type = 'directory' + else: + object_type = 'file' + + actions = defaultdict(lambda: 'unknown') + actions['IN_ACCESS'] = 'read' + actions['IN_ATTRIB'] = 'acl_modified' + actions['IN_CLOSE_NOWRITE'] = 'read' + actions['IN_CLOSE_WRITE'] = 'read' + actions['IN_CREATE'] = 'created' + actions['IN_DELETE'] = 'deleted' + actions['IN_DELETE_SELF'] = 'deleted' + actions['IN_MODIFY'] = 'modified' + actions['IN_MOVE_SELF'] = 'modified' + actions['IN_MOVED_FROM'] = 'modified' + actions['IN_MOVED_TO'] = 'modified' + actions['IN_OPEN'] = 'read' + actions['IN_MOVE'] = 'modified' + actions['IN_CLOSE'] = 'read' + + event['action'] = actions[change] + event['change_type'] = 'filesystem' + event['object_category'] = object_type + event['object_path'] = alert['path'] + event['file_name'] = alert['name'] + event['file_path'] = alert['tag'] + + if alert['stats']: # Gather more data if the change wasn't a delete + stats = alert['stats'] + event['object_id'] = stats['inode'] + event['file_acl'] = stats['mode'] + event['file_create_time'] = stats['ctime'] + event['file_modify_time'] = stats['mtime'] + event['file_size'] = stats['size'] / 1024.0 # Convert bytes to kilobytes + event['user'] = stats['user'] + event['group'] = stats['group'] + if object_type == 'file': + event['file_hash'] = alert['checksum'] + event['file_hash_type'] = alert['checksum_type'] + + else: # Windows, win_pulsar + change = alert['Accesses'] + if alert['Hash'] == 'Item is a directory': + object_type = 'directory' + else: + object_type = 'file' + + actions = defaultdict(lambda: 'unknown') + actions['Delete'] = 'deleted' + actions['Read Control'] = 'read' + actions['Write DAC'] = 'acl_modified' + actions['Write Owner'] = 'modified' + actions['Synchronize'] = 'modified' + actions['Access Sys Sec'] = 'read' + actions['Read Data'] = 'read' + actions['Write Data'] = 
'modified' + actions['Append Data'] = 'modified' + actions['Read EA'] = 'read' + actions['Write EA'] = 'modified' + actions['Execute/Traverse'] = 'read' + actions['Read Attributes'] = 'read' + actions['Write Attributes'] = 'acl_modified' + actions['Query Key Value'] = 'read' + actions['Set Key Value'] = 'modified' + actions['Create Sub Key'] = 'created' + actions['Enumerate Sub-Keys'] = 'read' + actions['Notify About Changes to Keys'] = 'read' + actions['Create Link'] = 'created' + actions['Print'] = 'read' + + event['action'] = actions[change] + event['change_type'] = 'filesystem' + event['object_category'] = object_type + event['object_path'] = alert['Object Name'] + event['file_name'] = os.path.basename(alert['Object Name']) + event['file_path'] = os.path.dirname(alert['Object Name']) + # TODO: Should we be reporting 'EntryType' or 'TimeGenerated? + # EntryType reports whether attempt to change was successful. + + event.update({'master': master}) + event.update({'minion_id': minion_id}) + event.update({'dest_host': fqdn}) + event.update({'dest_ip': fqdn_ip4}) + + for cloud in clouds: + event.update(cloud) + + payload.update({'host': fqdn}) + payload.update({'index': opts['index']}) + payload.update({'sourcetype': opts['sourcetype']}) + payload.update({'event': event}) + + rdy = json.dumps(payload) + requests.post('{}:{}/hubble/pulsar'.format(indexer, port), rdy, auth=HTTPBasicAuth(user, password)) + return + + +def _get_options(): + if __salt__['config.get']('hubblestack:returner:logstash'): + logstash_opts = [] + returner_opts = __salt__['config.get']('hubblestack:returner:logstash') + if not isinstance(returner_opts, list): + returner_opts = [returner_opts] + for opt in returner_opts: + processed = {} + processed['password'] = opt.get('password') + processed['user'] = opt.get('user') + processed['indexer'] = opt.get('indexer') + processed['port'] = str(opt.get('port', '8080')) + processed['index'] = opt.get('index') + processed['custom_fields'] = 
opt.get('custom_fields', []) + processed['sourcetype'] = opt.get('sourcetype_pulsar', 'hubble_fim') + processed['indexer_ssl'] = opt.get('indexer_ssl', True) + processed['proxy'] = opt.get('proxy', {}) + processed['timeout'] = opt.get('timeout', 9.05) + logstash_opts.append(processed) + return logstash_opts + else: + try: + port = __salt__['config.get']('hubblestack:returner:logstash:port') + user = __salt__['config.get']('hubblestack:returner:logstash:user') + indexer = __salt__['config.get']('hubblestack:returner:logstash:indexer') + password = __salt__['config.get']('hubblestack:returner:logstash:password') + sourcetype = __salt__['config.get']('hubblestack:pulsar:returner:logstash:sourcetype') + custom_fields = __salt__['config.get']('hubblestack:pulsar:returner:logstash:custom_fields', []) + except: + return None + + logstash_opts = {'password': password, 'indexer': indexer, 'sourcetype': sourcetype, 'index': index, 'custom_fields': custom_fields} + + indexer_ssl = __salt__['config.get']('hubblestack:pulsar:returner:logstash:indexer_ssl', True) + logstash_opts['http_input_server_ssl'] = indexer_ssl + logstash_opts['proxy'] = __salt__['config.get']('hubblestack:pulsar:returner:logstash:proxy', {}) + logstash_opts['timeout'] = __salt__['config.get']('hubblestack:pulsar:returner:logstash:timeout', 9.05) + + return [logstash_opts] diff --git a/_returners/slack_pulsar_returner.py b/_returners/slack_pulsar_returner.py index 8647366..8b508ea 100644 --- a/_returners/slack_pulsar_returner.py +++ b/_returners/slack_pulsar_returner.py @@ -69,7 +69,7 @@ # Import Salt Libs import salt.returners -__version__ = 'v2017.4.1' +__version__ = 'v2017.8.1' log = logging.getLogger(__name__) diff --git a/_returners/splunk_nebula_return.py b/_returners/splunk_nebula_return.py index 1876b9a..e3d6f9b 100644 --- a/_returners/splunk_nebula_return.py +++ b/_returners/splunk_nebula_return.py 
@@ -39,8 +39,8 @@ - product_group ''' import socket -# Import AWS details -from aws_details import get_aws_details +# Import cloud details +from cloud_details import get_cloud_details # Imports for http event forwarder import requests @@ -50,7 +50,7 @@ import logging -__version__ = 'v2017.4.1' +__version__ = 'v2017.8.1' _max_content_bytes = 100000 http_event_collector_SSL_verify = False @@ -64,20 +64,29 @@ def returner(ret): opts_list = _get_options() - # Get aws details - aws = get_aws_details() + # Get cloud details + clouds = get_cloud_details() for opts in opts_list: logging.info('Options: %s' % json.dumps(opts)) http_event_collector_key = opts['token'] http_event_collector_host = opts['indexer'] + http_event_collector_port = opts['port'] hec_ssl = opts['http_event_server_ssl'] proxy = opts['proxy'] timeout = opts['timeout'] custom_fields = opts['custom_fields'] + # Set up the fields to be extracted at index time. The field values must be strings. + # Note that these fields will also still be available in the event data + index_extracted_fields = ['aws_instance_id', 'aws_account_id', 'azure_vmId'] + try: + index_extracted_fields.extend(opts['index_extracted_fields']) + except TypeError: + pass + # Set up the collector - hec = http_event_collector(http_event_collector_key, http_event_collector_host, http_event_server_ssl=hec_ssl, proxy=proxy, timeout=timeout) + hec = http_event_collector(http_event_collector_key, http_event_collector_host, http_event_port=http_event_collector_port, http_event_server_ssl=hec_ssl, proxy=proxy, timeout=timeout) # st = 'salt:hubble:nova' data = ret['return'] @@ -91,6 +100,11 @@ def returner(ret): fqdn_ip4 = __grains__['fqdn_ip4'][0] except IndexError: fqdn_ip4 = __grains__['ipv4'][0] + if fqdn_ip4.startswith('127.'): + for ip4_addr in __grains__['ipv4']: + if ip4_addr and not ip4_addr.startswith('127.'): + fqdn_ip4 = ip4_addr + break if not data: return 
@@ -108,10 +122,8 @@ def returner(ret): event.update({'dest_host': fqdn}) event.update({'dest_ip': fqdn_ip4}) - if aws['aws_account_id'] is not None: - event.update({'aws_ami_id': aws['aws_ami_id']}) - event.update({'aws_instance_id': aws['aws_instance_id']}) - event.update({'aws_account_id': aws['aws_account_id']}) + for cloud in clouds: + event.update(cloud) for custom_field in custom_fields: custom_field_name = 'custom_' + custom_field @@ -124,9 +136,20 @@ def returner(ret): payload.update({'host': fqdn}) payload.update({'index': opts['index']}) - payload.update({'sourcetype': opts['sourcetype']}) + if opts['add_query_to_sourcetype']: + payload.update({'sourcetype': "%s_%s" % (opts['sourcetype'], query_name)}) + else: + payload.update({'sourcetype': opts['sourcetype']}) payload.update({'event': event}) + # Potentially add metadata fields: + fields = {} + for item in index_extracted_fields: + if item in payload['event'] and not isinstance(payload['event'], (list, dict, tuple)): + fields[item] = str(payload['event'][item]) + if fields: + payload.update({'fields': fields}) + # If the osquery query includes a field called 'time' it will be checked. # If it's within the last year, it will be used as the eventtime. event_time = query_result.get('time', '') @@ -152,12 +175,15 @@ def _get_options(): processed = {} processed['token'] = opt.get('token') processed['indexer'] = opt.get('indexer') + processed['port'] = str(opt.get('port', '8088')) processed['index'] = opt.get('index') processed['custom_fields'] = opt.get('custom_fields', []) processed['sourcetype'] = opt.get('sourcetype_nebula', 'hubble_osquery') + processed['add_query_to_sourcetype'] = opt.get('add_query_to_sourcetype', True) processed['http_event_server_ssl'] = opt.get('hec_ssl', True) processed['proxy'] = opt.get('proxy', {}) processed['timeout'] = opt.get('timeout', 9.05) + processed['index_extracted_fields'] = opt.get('index_extracted_fields', []) splunk_opts.append(processed) return splunk_opts else: 
@@ -175,6 +201,7 @@ def _get_options(): splunk_opts['http_event_server_ssl'] = hec_ssl splunk_opts['proxy'] = __salt__['config.get']('hubblestack:nebula:returner:splunk:proxy', {}) splunk_opts['timeout'] = __salt__['config.get']('hubblestack:nebula:returner:splunk:timeout', 9.05) + splunk_opts['index_extracted_fields'] = __salt__['config.get']('hubblestack:nebula:returner:splunk:index_extracted_fields', []) return [splunk_opts] diff --git a/_returners/splunk_nova_return.py b/_returners/splunk_nova_return.py index 3104787..92f7a6d 100644 --- a/_returners/splunk_nova_return.py +++ b/_returners/splunk_nova_return.py @@ -39,8 +39,8 @@ - product_group ''' import socket -# Import AWS details -from aws_details import get_aws_details +# Import cloud details +from cloud_details import get_cloud_details # Imports for http event forwarder import requests @@ -49,7 +49,7 @@ import logging -__version__ = 'v2017.4.1' +__version__ = 'v2017.8.1' _max_content_bytes = 100000 http_event_collector_SSL_verify = False 
@@ -63,21 +63,29 @@ def returner(ret): opts_list = _get_options() - # Get aws details - aws = get_aws_details() + # Get cloud details + clouds = get_cloud_details() for opts in opts_list: - logging.info('Options: %s' % json.dumps(opts)) + log.info('Options: %s' % json.dumps(opts)) http_event_collector_key = opts['token'] http_event_collector_host = opts['indexer'] + http_event_collector_port = opts['port'] hec_ssl = opts['http_event_server_ssl'] proxy = opts['proxy'] timeout = opts['timeout'] custom_fields = opts['custom_fields'] + # Set up the fields to be extracted at index time. The field values must be strings. + # Note that these fields will also still be available in the event data + index_extracted_fields = ['aws_instance_id', 'aws_account_id', 'azure_vmId'] + try: + index_extracted_fields.extend(opts['index_extracted_fields']) + except TypeError: + pass # Set up the collector - hec = http_event_collector(http_event_collector_key, http_event_collector_host, http_event_server_ssl=hec_ssl, proxy=proxy, timeout=timeout) + hec = http_event_collector(http_event_collector_key, http_event_collector_host, http_event_port=http_event_collector_port, http_event_server_ssl=hec_ssl, proxy=proxy, timeout=timeout) # st = 'salt:hubble:nova' data = ret['return'] minion_id = ret['id'] @@ -90,12 +98,22 @@ def returner(ret): fqdn_ip4 = __grains__['fqdn_ip4'][0] except IndexError: fqdn_ip4 = __grains__['ipv4'][0] + if fqdn_ip4.startswith('127.'): + for ip4_addr in __grains__['ipv4']: + if ip4_addr and not ip4_addr.startswith('127.'): + fqdn_ip4 = ip4_addr + break if __grains__['master']: master = __grains__['master'] else: master = socket.gethostname() # We *are* the master, so use our hostname + if not isinstance(data, dict): + log.error('Data sent to splunk_nova_return was not formed as a ' + 'dict:\n{0}'.format(data)) + return + for fai in data.get('Failure', []): check_id = fai.keys()[0] payload = {} 
@@ -114,10 +132,8 @@ def returner(ret): event.update({'dest_host': fqdn}) event.update({'dest_ip': fqdn_ip4}) - if aws['aws_account_id'] is not None: - event.update({'aws_ami_id': aws['aws_ami_id']}) - event.update({'aws_instance_id': aws['aws_instance_id']}) - event.update({'aws_account_id': aws['aws_account_id']}) + for cloud in clouds: + event.update(cloud) for custom_field in custom_fields: custom_field_name = 'custom_' + custom_field @@ -132,6 +148,15 @@ def returner(ret): payload.update({'index': opts['index']}) payload.update({'sourcetype': opts['sourcetype']}) payload.update({'event': event}) + + # Potentially add metadata fields: + fields = {} + for item in index_extracted_fields: + if item in payload['event'] and not isinstance(payload['event'], (list, dict, tuple)): + fields[item] = str(payload['event'][item]) + if fields: + payload.update({'fields': fields}) + hec.batchEvent(payload) for suc in data.get('Success', []): @@ -152,10 +177,8 @@ def returner(ret): event.update({'dest_host': fqdn}) event.update({'dest_ip': fqdn_ip4}) - if aws['aws_account_id'] is not None: - event.update({'aws_ami_id': aws['aws_ami_id']}) - event.update({'aws_instance_id': aws['aws_instance_id']}) - event.update({'aws_account_id': aws['aws_account_id']}) + for cloud in clouds: + event.update(cloud) for custom_field in custom_fields: custom_field_name = 'custom_' + custom_field @@ -170,6 +193,15 @@ def returner(ret): payload.update({'sourcetype': opts['sourcetype']}) payload.update({'index': opts['index']}) payload.update({'event': event}) + + # Potentially add metadata fields: + fields = {} + for item in index_extracted_fields: + if item in payload['event'] and not isinstance(payload['event'], (list, dict, tuple)): + fields[item] = str(payload['event'][item]) + if fields: + payload.update({'fields': fields}) + hec.batchEvent(payload) if data.get('Compliance', None): 
@@ -182,10 +214,8 @@ def returner(ret): event.update({'dest_host': fqdn}) event.update({'dest_ip': fqdn_ip4}) - if aws['aws_account_id'] is not None: - event.update({'aws_ami_id': aws['aws_ami_id']}) - event.update({'aws_instance_id': aws['aws_instance_id']}) - event.update({'aws_account_id': aws['aws_account_id']}) + for cloud in clouds: + event.update(cloud) for custom_field in custom_fields: custom_field_name = 'custom_' + custom_field @@ -200,6 +230,15 @@ def returner(ret): payload.update({'sourcetype': opts['sourcetype']}) payload.update({'index': opts['index']}) payload.update({'event': event}) + + # Potentially add metadata fields: + fields = {} + for item in index_extracted_fields: + if item in payload['event'] and not isinstance(payload['event'], (list, dict, tuple)): + fields[item] = str(payload['event'][item]) + if fields: + payload.update({'fields': fields}) + hec.batchEvent(payload) hec.flushBatch() @@ -220,7 +259,7 @@ def event_return(event): elif(e['data']['fun'] != 'hubble.audit'): continue # not a call to hubble.audit, so not relevant else: - logging.debug('Logging event: %s' % str(e)) + log.debug('Logging event: %s' % str(e)) returner(e['data']) # Call the standard returner return @@ -235,12 +274,14 @@ def _get_options(): processed = {} processed['token'] = opt.get('token') processed['indexer'] = opt.get('indexer') + processed['port'] = str(opt.get('port', '8088')) processed['index'] = opt.get('index') processed['custom_fields'] = opt.get('custom_fields', []) processed['sourcetype'] = opt.get('sourcetype_nova', 'hubble_audit') processed['http_event_server_ssl'] = opt.get('hec_ssl', True) processed['proxy'] = opt.get('proxy', {}) processed['timeout'] = opt.get('timeout', 9.05) + processed['index_extracted_fields'] = opt.get('index_extracted_fields', []) splunk_opts.append(processed) return splunk_opts else: 
@@ -249,7 +290,7 @@ def _get_options(): indexer = __salt__['config.get']('hubblestack:nova:returner:splunk:indexer') sourcetype = __salt__['config.get']('hubblestack:nova:returner:splunk:sourcetype') index = __salt__['config.get']('hubblestack:nova:returner:splunk:index') - custom_fields = __salt__['config.get']('hubblestack:nebula:returner:splunk:custom_fields', []) + custom_fields = __salt__['config.get']('hubblestack:nova:returner:splunk:custom_fields', []) except: return None splunk_opts = {'token': token, 'indexer': indexer, 'sourcetype': sourcetype, 'index': index, 'custom_fields': custom_fields} @@ -258,6 +299,7 @@ def _get_options(): splunk_opts['http_event_server_ssl'] = hec_ssl splunk_opts['proxy'] = __salt__['config.get']('hubblestack:nova:returner:splunk:proxy', {}) splunk_opts['timeout'] = __salt__['config.get']('hubblestack:nova:returner:splunk:timeout', 9.05) + splunk_opts['index_extracted_fields'] = __salt__['config.get']('hubblestack:nova:returner:splunk:index_extracted_fields', []) return [splunk_opts] @@ -280,7 +322,7 @@ def send_splunk(event, index_override=None, sourcetype_override=None): # Add the event payload.update({'event': event}) - logging.info('Payload: %s' % json.dumps(payload)) + log.info('Payload: %s' % json.dumps(payload)) # fire it off hec.batchEvent(payload) @@ -353,8 +395,8 @@ def sendEvent(self, payload, eventtime=''): # Print debug info if flag set if http_event_collector_debug: - logger.debug(r.text) - logger.debug(data) + log.debug(r.text) + log.debug(data) def batchEvent(self, payload, eventtime=''): # Method to store the event in a batch to flush later diff --git a/_returners/splunk_pulsar_return.py b/_returners/splunk_pulsar_return.py index 7f4ff3c..954f178 100644 --- a/_returners/splunk_pulsar_return.py +++ b/_returners/splunk_pulsar_return.py 
@@ -38,10 +38,9 @@ - site - product_group ''' - import socket -# Import AWS details -from aws_details import get_aws_details +# Import cloud details +from cloud_details import get_cloud_details # Imports for http event forwarder import requests @@ -52,7 +51,7 @@ import logging -__version__ = 'v2017.4.1' +__version__ = 'v2017.8.1' _max_content_bytes = 100000 http_event_collector_SSL_verify = False @@ -69,20 +68,29 @@ def returner(ret): return opts_list = _get_options() - # Get aws details - aws = get_aws_details() + # Get cloud details + clouds = get_cloud_details() for opts in opts_list: logging.info('Options: %s' % json.dumps(opts)) http_event_collector_key = opts['token'] http_event_collector_host = opts['indexer'] + http_event_collector_port = opts['port'] hec_ssl = opts['http_event_server_ssl'] proxy = opts['proxy'] timeout = opts['timeout'] custom_fields = opts['custom_fields'] + # Set up the fields to be extracted at index time. The field values must be strings. + # Note that these fields will also still be available in the event data + index_extracted_fields = ['aws_instance_id', 'aws_account_id', 'azure_vmId'] + try: + index_extracted_fields.extend(opts['index_extracted_fields']) + except TypeError: + pass + # Set up the collector - hec = http_event_collector(http_event_collector_key, http_event_collector_host, http_event_server_ssl=hec_ssl, proxy=proxy, timeout=timeout) + hec = http_event_collector(http_event_collector_key, http_event_collector_host, http_event_port=http_event_collector_port, http_event_server_ssl=hec_ssl, proxy=proxy, timeout=timeout) # Check whether or not data is batched: if isinstance(ret, dict): # Batching is disabled data = [ret] 
@@ -99,6 +107,11 @@ def returner(ret): fqdn_ip4 = __grains__['fqdn_ip4'][0] except IndexError: fqdn_ip4 = __grains__['ipv4'][0] + if fqdn_ip4.startswith('127.'): + for ip4_addr in __grains__['ipv4']: + if ip4_addr and not ip4_addr.startswith('127.'): + fqdn_ip4 = ip4_addr + break alerts = [] for item in data: @@ -143,6 +156,7 @@ def returner(ret): event['object_path'] = alert['path'] event['file_name'] = alert['name'] event['file_path'] = alert['tag'] + event['pulsar_config'] = alert['pulsar_config'] if alert['stats']: # Gather more data if the change wasn't a delete stats = alert['stats'] @@ -193,6 +207,7 @@ def returner(ret): event['object_path'] = alert['Object Name'] event['file_name'] = os.path.basename(alert['Object Name']) event['file_path'] = os.path.dirname(alert['Object Name']) + event['file_path'] = alert['pulsar_config'] # TODO: Should we be reporting 'EntryType' or 'TimeGenerated? # EntryType reports whether attempt to change was successful. @@ -201,10 +216,8 @@ def returner(ret): event.update({'dest_host': fqdn}) event.update({'dest_ip': fqdn_ip4}) - if aws['aws_account_id'] is not None: - event.update({'aws_ami_id': aws['aws_ami_id']}) - event.update({'aws_instance_id': aws['aws_instance_id']}) - event.update({'aws_account_id': aws['aws_account_id']}) + for cloud in clouds: + event.update(cloud) for custom_field in custom_fields: custom_field_name = 'custom_' + custom_field @@ -219,6 +232,15 @@ def returner(ret): payload.update({'index': opts['index']}) payload.update({'sourcetype': opts['sourcetype']}) payload.update({'event': event}) + + # Potentially add metadata fields: + fields = {} + for item in index_extracted_fields: + if item in payload['event'] and not isinstance(payload['event'], (list, dict, tuple)): + fields[item] = str(payload['event'][item]) + if fields: + payload.update({'fields': fields}) + hec.batchEvent(payload) hec.flushBatch() 
@@ -243,12 +265,14 @@ def _get_options(): processed = {} processed['token'] = opt.get('token') processed['indexer'] = opt.get('indexer') + processed['port'] = str(opt.get('port', '8088')) processed['index'] = opt.get('index') processed['custom_fields'] = opt.get('custom_fields', []) processed['sourcetype'] = opt.get('sourcetype_pulsar', 'hubble_fim') processed['http_event_server_ssl'] = opt.get('hec_ssl', True) processed['proxy'] = opt.get('proxy', {}) processed['timeout'] = opt.get('timeout', 9.05) + processed['index_extracted_fields'] = opt.get('index_extracted_fields', []) splunk_opts.append(processed) return splunk_opts else: @@ -257,7 +281,7 @@ def _get_options(): indexer = __salt__['config.get']('hubblestack:pulsar:returner:splunk:indexer') sourcetype = __salt__['config.get']('hubblestack:pulsar:returner:splunk:sourcetype') index = __salt__['config.get']('hubblestack:pulsar:returner:splunk:index') - custom_fields = __salt__['config.get']('hubblestack:nebula:returner:splunk:custom_fields', []) + custom_fields = __salt__['config.get']('hubblestack:pulsar:returner:splunk:custom_fields', []) except: return None splunk_opts = {'token': token, 'indexer': indexer, 'sourcetype': sourcetype, 'index': index, 'custom_fields': custom_fields} @@ -266,6 +290,7 @@ def _get_options(): splunk_opts['http_event_server_ssl'] = hec_ssl splunk_opts['proxy'] = __salt__['config.get']('hubblestack:pulsar:returner:splunk:proxy', {}) splunk_opts['timeout'] = __salt__['config.get']('hubblestack:pulsar:returner:splunk:timeout', 9.05) + splunk_opts['index_extracted_fields'] = __salt__['config.get']('hubblestack:pulsar:returner:splunk:index_extracted_fields', []) return [splunk_opts] diff --git a/hubblestack_nebula/hubblestack_nebula_queries.yaml b/hubblestack_nebula/hubblestack_nebula_queries.yaml index cd08da3..49b85c8 100644 --- a/hubblestack_nebula/hubblestack_nebula_queries.yaml +++ b/hubblestack_nebula/hubblestack_nebula_queries.yaml 
@@ -1,27 +1,41 @@ fifteen_min: - query_name: running_procs - query: SELECT p.name AS process, p.pid AS process_id, p.cmdline, p.cwd, p.on_disk, p.resident_size AS mem_used, p.parent, g.groupname, u.username AS user, eu.username AS effective_username, eg.groupname AS effective_groupname, p.path, h.md5, h.sha1, h.sha256 FROM processes AS p LEFT JOIN users AS u ON p.uid=u.uid LEFT JOIN users AS eu ON p.euid=eu.uid LEFT JOIN groups AS g ON p.gid=g.gid LEFT JOIN groups AS eg ON p.gid=eg.gid LEFT JOIN hash AS h ON p.path=h.path WHERE parent IS NOT 2 AND (process NOTNULL OR parent NOTNULL); + query: SELECT t.unix_time AS query_time, p.name AS process, p.pid AS process_id, p.cmdline, p.cwd, p.on_disk, p.resident_size AS mem_used, p.start_time, p.parent, g.groupname AS 'group', g.gid AS group_id, u.username AS user, u.uid AS user_id, eu.username AS effective_username, eg.groupname AS effective_groupname, p.path, h.md5, h.sha1, h.sha256, '__JSONIFY__'||(SELECT json_group_array(json_object('fd',pof.fd, 'path',pof.path) ) FROM process_open_files AS pof WHERE pof.pid=p.pid GROUP BY pof.pid ) AS open_files, '__JSONIFY__'||(SELECT json_group_array(json_object('variable_name',pe.key, 'value',pe.value)) FROM process_envs AS pe WHERE pe.pid=p.pid GROUP BY pe.pid) AS environment FROM processes AS p LEFT JOIN users AS u ON p.uid=u.uid LEFT JOIN users AS eu ON p.euid=eu.uid LEFT JOIN groups AS g ON p.gid=g.gid LEFT JOIN groups AS eg ON p.gid=eg.gid LEFT JOIN hash AS h ON p.path=h.path LEFT JOIN time AS t WHERE parent IS NOT 2 AND (process NOTNULL OR parent NOTNULL); - query_name: established_outbound - query: SELECT t.iso_8601 AS _time, pos.family, h.*, ltrim(pos.local_address, ':f') AS src_connection_ip, pos.local_port AS src_connection_port, pos.remote_port AS dest_connection_port, ltrim(remote_address, ':f') AS dest_connection_ip, name, p.path AS file_path, cmdline, pos.protocol FROM process_open_sockets AS pos JOIN processes AS p ON p.pid=pos.pid LEFT JOIN time AS t LEFT JOIN 
(SELECT * FROM listening_ports) AS lp ON lp.port=pos.local_port AND lp.protocol=pos.protocol LEFT JOIN hash AS h ON h.path=p.path WHERE NOT remote_address='' AND NOT remote_address='::' AND NOT remote_address='0.0.0.0' AND NOT remote_address='127.0.0.1' AND port is NULL; + query: SELECT t.unix_time AS query_time, pos.family, h.md5, h.sha1, h.sha256, h.directory, ltrim(pos.local_address, ':f') AS src_connection_ip, pos.local_port AS src_connection_port, pos.remote_port AS dest_connection_port, ltrim(remote_address, ':f') AS dest_connection_ip, name, p.path AS file_path, cmdline, pos.protocol FROM process_open_sockets AS pos JOIN processes AS p ON p.pid=pos.pid LEFT JOIN time AS t LEFT JOIN (SELECT * FROM listening_ports) AS lp ON lp.port=pos.local_port AND lp.protocol=pos.protocol LEFT JOIN hash AS h ON h.path=p.path WHERE NOT remote_address='' AND NOT remote_address='::' AND NOT remote_address='0.0.0.0' AND NOT remote_address='127.0.0.1' AND port is NULL; - query_name: listening_procs - query: SELECT t.iso_8601 AS _time, h.md5 AS md5, p.pid AS process_id, name AS process, ltrim(address, ':f') AS address, port AS dest_port, p.path AS file_path, cmdline, p.on_disk, root, parent, CASE lp.protocol WHEN 6 THEN 'tcp' WHEN 17 THEN 'udp' ELSE lp.protocol END as transport FROM listening_ports AS lp LEFT JOIN processes AS p ON lp.pid=p.pid LEFT JOIN time AS t LEFT JOIN hash AS h ON h.path=p.path; + query: SELECT t.unix_time AS query_time, h.md5 AS md5, p.pid AS process_id, name AS process, ltrim(address, ':f') AS address, port AS dest_port, p.path AS file_path, cmdline, p.on_disk, root, parent, CASE lp.protocol WHEN 6 THEN 'tcp' WHEN 17 THEN 'udp' ELSE lp.protocol END as transport FROM listening_ports AS lp LEFT JOIN processes AS p ON lp.pid=p.pid LEFT JOIN time AS t LEFT JOIN hash AS h ON h.path=p.path; - query_name: shell_history - query: SELECT uid, gid, username, groupname, command, time, history_file FROM users JOIN groups USING (gid) JOIN shell_history USING (uid) 
WHERE time > strftime('%s', 'now', '-15 minutes'); + query: SELECT t.unix_time AS query_time, uid, gid, username AS user, groupname AS 'group', command, time, history_file FROM users JOIN groups USING (gid) JOIN shell_history USING (uid) LEFT JOIN time as t WHERE time > strftime('%s', 'now', '-16 minutes'); hour: - query_name: crontab - query: SELECT c.*,t.iso_8601 AS _time FROM crontab AS c JOIN time AS t; + query: SELECT t.unix_time AS query_time, c.event, c.minute, c.hour, c.day_of_month, c.month, c.day_of_week, c.command, c.path AS cron_file FROM crontab AS c JOIN time AS t; + - query_name: login_history + query: SELECT t.unix_time AS query_time, l.username AS user, l.tty, l.pid, l.type AS utmp_type, CASE l.type WHEN 1 THEN 'RUN_LVL' WHEN 2 THEN 'BOOT_TIME' WHEN 3 THEN 'NEW_TIME' WHEN 4 THEN 'OLD_TIME' WHEN 5 THEN 'INIT_PROCESS' WHEN 6 THEN 'LOGIN_PROCESS' WHEN 7 THEN 'USER_PROCESS' WHEN 8 THEN 'DEAD_PROCESS' ELSE l.type END AS utmp_type_name, l.host AS src, l.time FROM last AS l LEFT JOIN time AS t WHERE l.time > strftime('%s','now') - 3600; day: - query_name: rpm_packages - query: SELECT rpm.name, rpm.version, rpm.release, rpm.source AS package_source, rpm.size, rpm.sha1, rpm.arch, t.iso_8601 FROM rpm_packages AS rpm JOIN time AS t; + query: SELECT t.unix_time AS query_time, rpm.name, rpm.version, rpm.release, rpm.source AS package_source, rpm.size, rpm.sha1, rpm.arch FROM rpm_packages AS rpm JOIN time AS t; - query_name: deb_packages - query: SELECT deb.name, deb.version, deb.revision, deb.source AS package_source, deb.size, deb.arch, t.iso_8601 FROM deb_packages AS deb JOIN time AS t; + query: SELECT t.unix_time AS query_time, deb.name, deb.version, deb.revision, deb.source AS package_source, deb.size, deb.arch FROM deb_packages AS deb JOIN time AS t; - query_name: os_info - query: select * from os_version; + query: SELECT t.unix_time AS query_time, os.* FROM os_version AS os LEFT JOIN time AS t; - query_name: interface_addresses - query: SELECT interface, 
address FROM interface_addresses WHERE NOT interface='lo'; + query: SELECT t.unix_time AS query_time, ia.interface, ia.address, id.mac FROM interface_addresses AS ia JOIN interface_details AS id ON ia.interface=id.interface LEFT JOIN time AS t WHERE NOT ia.interface='lo'; - query_name: uptime - query: SELECT total_seconds AS uptime FROM uptime; + query: SELECT t.unix_time AS query_time, total_seconds AS uptime FROM uptime LEFT JOIN time as t; - query_name: suid_binaries - query: SELECT sb.*, t.iso_8601 AS _time, h.sha1, h.sha256 FROM suid_bin AS sb JOIN time AS t LEFT JOIN hash AS h ON sb.path=h.path; + query: SELECT t.unix_time AS query_time, sb.username AS user, sb.groupname AS 'group', sb.permissions, sb.path, f.uid, f.gid, f.mode AS file_acl, h.md5, h.sha1, h.sha256 FROM suid_bin AS sb JOIN time AS t LEFT JOIN hash AS h ON sb.path=h.path LEFT JOIN file AS f on sb.path=f.path; - query_name: ssh_key_files - query: SELECT u.username AS user, usk.uid, g.groupname AS groupname, f.gid, usk.path AS file_path, usk.encrypted, f.mode AS file_acl, f.device, f.size AS file_size, f.atime AS file_access_time, f.mtime AS file_modify_time, f.ctime AS file_change_time, h.md5, h.sha1, h.sha256 FROM user_ssh_keys AS usk LEFT JOIN hash AS h ON h.path=usk.path LEFT JOIN file AS f ON f.path=usk.path LEFT JOIN users AS u ON u.uid=usk.uid LEFT JOIN groups AS g ON g.gid=f.gid ; + query: SELECT t.unix_time AS query_time, u.username AS user, usk.uid, g.groupname AS 'group', f.gid, usk.path AS file_path, usk.encrypted, f.mode AS file_acl, f.size AS file_size, f.atime AS file_access_time, f.mtime AS file_modify_time, f.ctime AS file_change_time, h.md5, h.sha1, h.sha256 FROM users AS u JOIN user_ssh_keys AS usk ON u.uid=usk.uid LEFT JOIN hash AS h ON h.path=usk.path LEFT JOIN file AS f ON f.path=usk.path LEFT JOIN groups AS g ON g.gid=f.gid LEFT JOIN time AS t; + - query_name: ssh_public_keys + query: SELECT t.unix_time AS query_time, u.username AS user, ak.uid, ak.key AS ssh_public_key, 
ak.key_file AS object_path, g.gid, g.groupname AS 'group', f.mode AS file_acl, f.size AS file_size, f.atime AS file_access_time, f.mtime AS file_modify_time, f.ctime AS file_change_time, f.uid AS file_uid, f.gid AS file_gid, h.md5, h.sha1, h.sha256 FROM users AS u JOIN authorized_keys AS ak ON u.uid=ak.uid LEFT JOIN groups AS g ON u.gid=g.gid LEFT JOIN file AS f ON ak.key_file=f.path LEFT JOIN hash AS h ON ak.key_file=h.path LEFT JOIN time AS t; + - query_name: mounts + query: SELECT t.unix_time AS query_time, m.* FROM mounts AS m LEFT JOIN time AS t; + - query_name: iptables_rules + query: SELECT t.unix_time AS query_time, ipt.* FROM iptables as ipt LEFT JOIN time AS t; + - query_name: sysctl + query: SELECT t.unix_time AS query_time, sc.* FROM system_controls AS sc LEFT JOIN time AS t; + - query_name: kernel_info + query: SELECT t.unix_time AS query_time, ki.version, ki.arguments AS boot_arguments, ki.device AS boot_device, CASE WHEN ki.path<>'' THEN ki.path ELSE 'NOT_AVAILABLE' END AS boot_image, CASE WHEN ki.path<>'' THEN '/boot/'||ltrim(ki.path,'/boot/') ELSE '/boot/vmlinuz-'||ki.version END AS file_path, h.md5, h.sha1, h.sha256, f.filename AS file_name, f.inode, f.uid, u.username AS user, f.gid, g.groupname AS 'group', f.mode AS file_acl, f.size AS file_size, f.atime AS file_access_time, f.mtime AS file_modify_time, f.ctime AS file_change_time, f.hard_links, f.type AS file_type FROM kernel_info AS ki LEFT JOIN hash AS h ON h.path=file_path LEFT JOIN file AS f on f.path=file_path LEFT JOIN users AS u ON u.uid=f.uid LEFT JOIN groups AS g ON g.gid=f.gid LEFT JOIN time AS t; + - query_name: local_user_accounts + query: SELECT t.unix_time AS query_time, u.uid, u.username AS user, u.description AS name, u.gid, g.groupname AS 'group', ( SELECT group_concat(gs.groupname) FROM user_groups AS ugs LEFT JOIN groups AS gs ON gs.gid=ugs.gid WHERE u.uid=ugs.uid GROUP BY ugs.uid ) AS all_groups, ( SELECT group_concat(gs.gid) FROM user_groups AS ugs LEFT JOIN groups AS gs ON 
gs.gid=ugs.gid WHERE u.uid=ugs.uid GROUP BY ugs.uid ) AS all_gids, u.shell AS shell_path, sf.mode AS shell_acl, sf.inode AS shell_inode, sf.uid AS shell_uid, sf.gid AS shell_gid, sf.device AS shell_device, sf.size AS shell_size, sf.atime AS shell_access_time, sf.mtime AS shell_modify_time, sf.ctime AS shell_change_time, sf.hard_links AS shell_hard_links, sh.md5 AS shell_md5, sh.sha1 AS shell_sha1, sh.sha256 AS shell_sha256, u.directory AS home_path, hf.mode AS home_acl, hf.inode AS home_inode, hf.uid AS home_uid, hf.gid AS home_gid, hf.device AS home_device, hf.atime AS home_access_time, hf.mtime AS home_modify_time, hf.ctime AS home_change_time, hf.hard_links AS home_hard_links FROM users AS u LEFT JOIN groups AS g ON u.gid=g.gid LEFT JOIN file AS sf ON sf.path=u.shell LEFT JOIN file AS hf ON hf.path=u.directory LEFT JOIN hash AS sh ON sh.path=u.shell LEFT JOIN time AS t; diff --git a/hubblestack_nebula/hubblestack_nebula_win_queries.yaml b/hubblestack_nebula/hubblestack_nebula_win_queries.yaml index 9386e22..24665b1 100644 --- a/hubblestack_nebula/hubblestack_nebula_win_queries.yaml +++ b/hubblestack_nebula/hubblestack_nebula_win_queries.yaml 
@@ -1,11 +1,19 @@ fifteen_min: - - query_name: running_procs - query: SELECT name AS process, pid AS process_id, cmdline, on_disk, resident_size AS mem_used, parent, path FROM processes + - query_name: win_running_procs + query: SELECT t.unix_time AS query_time, p.name AS process, p.pid AS process_id, p.cmdline, p.cwd, p.on_disk, p.resident_size AS mem_used, p.parent, p.path, h.md5, h.sha1, h.sha256 FROM processes AS p LEFT JOIN time AS t LEFT JOIN hash AS h ON p.path=h.path; + - query_name: win_established_outbound + query: SELECT t.unix_time AS query_time, pos.family, h.md5, h.sha1, h.sha256, h.directory, ltrim(pos.local_address, ':f') AS src_connection_ip, pos.local_port AS src_connection_port, pos.remote_port AS dest_connection_port, ltrim(remote_address, ':f') AS dest_connection_ip, name, p.path AS file_path, cmdline, CASE pos.protocol WHEN 6 THEN 'tcp' WHEN 17 THEN 'udp' ELSE pos.protocol END as transport FROM process_open_sockets AS pos JOIN processes AS p ON p.pid=pos.pid LEFT JOIN time AS t LEFT JOIN (SELECT * FROM listening_ports) AS lp ON lp.port=pos.local_port AND lp.protocol=pos.protocol LEFT JOIN hash AS h ON h.path=p.path WHERE NOT remote_address='' AND NOT remote_address='::' AND NOT remote_address='0.0.0.0' AND NOT remote_address='127.0.0.1' AND port IS NULL; + - query_name: win_listening_procs + query: SELECT t.unix_time AS query_time, h.md5 AS md5, p.pid AS process_id, name AS process, ltrim(address, ':f') AS address, port AS dest_port, p.path AS file_path, cmdline, p.on_disk, root, parent, CASE lp.protocol WHEN 6 THEN 'tcp' WHEN 17 THEN 'udp' ELSE lp.protocol END as transport FROM listening_ports AS lp LEFT JOIN processes AS p ON lp.pid=p.pid LEFT JOIN time AS t LEFT JOIN hash AS h ON h.path=p.path; hour: - - query_name: stuff_with_things - query: SELECT * FROM processes + - query_name: win_drivers + query: SELECT t.unix_time AS query_time, d.*, h.md5, h.sha1, h.sha256 FROM drivers AS d LEFT JOIN time AS t LEFT JOIN hash AS h ON h.path = 
replace(d.path,'\SystemRoot','C:\Windows'); day: - - query_name: os_info - query: SELECT * FROM system_info - - query_name: interface_addresses - query: SELECT * FROM interface_addresses + - query_name: win_os_info + query: SELECT t.unix_time AS query_time, os.* FROM os_version AS os LEFT JOIN time AS t; + - query_name: win_interface_addresses + query: SELECT t.unix_time AS query_time, ia.interface, ia.address, id.mac FROM interface_addresses AS ia JOIN interface_details AS id ON ia.interface=id.interface LEFT JOIN time AS t WHERE NOT ia.interface='lo'; + - query_name: win_uptime + query: SELECT t.unix_time AS query_time, total_seconds AS uptime FROM uptime LEFT JOIN time AS t; + - query_name: win_programs + query: SELECT t.unix_time AS query_time, p.* FROM programs AS p LEFT JOIN time AS t; diff --git a/hubblestack_nova/command.py b/hubblestack_nova/command.py index 70fd6b8..7fbb766 100644 --- a/hubblestack_nova/command.py +++ b/hubblestack_nova/command.py @@ -82,15 +82,17 @@ def __virtual__(): - if salt.utils.is_windows(): - return False, 'This audit module only runs on linux' return True -def audit(data_list, tags, debug=False): +def audit(data_list, tags, **kwargs): ''' Run the command audits contained in the data_list ''' + # Consume any module_params from kwargs (Setting False as a fallback) + debug = kwargs.get('nova_debug',False) + cmd_raw = kwargs.get('cmd_raw',False) + __data__ = {} for profile, data in data_list: _merge_yaml(__data__, data, profile) @@ -106,7 +108,7 @@ def audit(data_list, tags, debug=False): if __tags__ and not __salt__['config.get']('hubblestack:nova:enable_command_module', False): - ret['Error'] = ['command module has not been explicitly enabled in ' + ret['Errors'] = ['command module has not been explicitly enabled in ' 'config. Please set hubblestack:nova:enable_command_module ' 'to True in pillar or minion config to allow this module.'] return ret 
@@ -132,6 +134,8 @@ def audit(data_list, tags, debug=False): found = False if cmd_ret: + if cmd_raw: + tag_data['raw'] = cmd_ret found = True if 'match_output' in command_args: diff --git a/hubblestack_nova/cve_scan.py b/hubblestack_nova/cve_scan.py index cf5bc91..1814c6b 100644 --- a/hubblestack_nova/cve_scan.py +++ b/hubblestack_nova/cve_scan.py @@ -21,7 +21,7 @@ def __virtual__(): return False, 'This module requires Linux and the oscap binary' -def audit(data_list, tags, debug=False): +def audit(data_list, tags, debug=False, **kwargs): ''' Run the network.netstat command ''' diff --git a/hubblestack_nova/cve_scan_v2.py b/hubblestack_nova/cve_scan_v2.py index 76d74a8..a7e172f 100644 --- a/hubblestack_nova/cve_scan_v2.py +++ b/hubblestack_nova/cve_scan_v2.py @@ -92,7 +92,7 @@ def __virtual__(): return not salt.utils.is_windows() -def audit(data_list, tags, debug=False): +def audit(data_list, tags, debug=False, **kwargs): ''' Main audit function. See module docstring for more information on usage. ''' diff --git a/hubblestack_nova/firewall.py b/hubblestack_nova/firewall.py index 618b707..a4563b6 100644 --- a/hubblestack_nova/firewall.py +++ b/hubblestack_nova/firewall.py @@ -99,7 +99,7 @@ def __virtual__(): return True -def audit(data_list, tags, debug=False): +def audit(data_list, tags, debug=False, **kwargs): __data__ = {} for profile, data in data_list: _merge_yaml(__data__, data, profile) diff --git a/hubblestack_nova/grep.py b/hubblestack_nova/grep.py index 243a1a0..f757cf6 100644 --- a/hubblestack_nova/grep.py +++ b/hubblestack_nova/grep.py @@ -73,7 +73,7 @@ def __virtual__(): return True -def audit(data_list, tags, debug=False): +def audit(data_list, tags, debug=False, **kwargs): ''' Run the grep audits contained in the YAML files processed by __virtual__ ''' diff --git a/hubblestack_nova/misc.py b/hubblestack_nova/misc.py index 50829b5..09341a9 100644 --- a/hubblestack_nova/misc.py +++ b/hubblestack_nova/misc.py 
@@ -59,7 +59,7 @@ def __virtual__(): return True -def audit(data_list, tags, debug=False): +def audit(data_list, tags, debug=False, **kwargs): ''' Run the misc audits contained in the data_list ''' @@ -87,9 +87,9 @@ def audit(data_list, tags, debug=False): function = FUNCTION_MAP.get(tag_data['function']) if not function: - if 'Error' not in ret: - ret['Error'] = [] - ret['Error'].append({tag: 'No function {0} found' + if 'Errors' not in ret: + ret['Errors'] = [] + ret['Errors'].append({tag: 'No function {0} found' .format(tag_data['function'])}) args = tag_data.get('args', []) kwargs = tag_data.get('kwargs', {}) 
@@ -167,6 +167,96 @@ def _get_tags(data): # Begin function definitions ############################ +def _execute_shell_command(cmd): + ''' + This function will execute passed command in /bin/shell + ''' + return __salt__['cmd.run'](cmd, python_shell=True, shell='/bin/bash') + +def check_all_ports_firewall_rules(reason=''): + ''' + Ensure firewall rule for all open ports + ''' + end_open_ports = _execute_shell_command('netstat -ln | grep "Active UNIX domain sockets (only servers)" -n | cut -d ":" -f1') + start_open_ports = _execute_shell_command('netstat -ln | grep "Active Internet connections (only servers)" -n | cut -d ":" -f1') + open_ports = _execute_shell_command('netstat -ln | awk \'FNR > ' + start_open_ports + ' && FNR < ' + end_open_ports + ' && $6 == "LISTEN" {print $4}\' | sed -e "s/.*://"') + firewall_ports = _execute_shell_command('iptables -L INPUT -v -n | awk \'FNR > 2 {print $11}\' | sed -e "s/.*://"') + if set(open_ports).issubset(set(firewall_ports)): + return True + return False + +def check_password_fields_not_empty(reason=''): + ''' + Ensure password fields are not empty + ''' + result = _execute_shell_command('cat /etc/shadow | awk -F: \'($2 == "" ) { print $1 " does not have a password "}\'') + if result == '': + return True + return result + +def ungrouped_files_or_dir(reason=''): + ''' + Ensure no ungrouped files or directories exist + ''' + result = _execute_shell_command('df --local -P | awk {\'if (NR!=1) print $6\'} | xargs -I \'{}\' find \'{}\' -xdev -nogroup') + if result == '': + return True + return result + +def unowned_files_or_dir(reason=''): + ''' + Ensure no unowned files or directories exist + ''' + result = _execute_shell_command('df --local -P | awk {\'if (NR!=1) print $6\'} | xargs -I \'{}\' find \'{}\' -xdev -nouser') + if result == '': + return True + return result + +def world_writable_file(reason=''): + ''' + Ensure no world writable files exist + ''' + result = _execute_shell_command('df --local -P | awk {\'if (NR!=1) 
print $6\'} | xargs -I \'{}\' find \'{}\' -xdev -type f -perm -0002') + if result == '': + return True + return result + +def system_account_non_login(reason=''): + ''' + Ensure system accounts are non-login + ''' + result = _execute_shell_command('egrep -v "^\+" /etc/passwd | awk -F: \'($1!="root" && $1!="sync" && $1!="shutdown" && $1!="halt" && $3<500 && $7!="/sbin/nologin" && $7!="/bin/false") {print}\'') + if result == '': + return True + return result + +def sticky_bit_on_world_writable_dirs(reason=''): + ''' + Ensure sticky bit is set on all world-writable directories + ''' + result = _execute_shell_command('df --local -P | awk {\'if (NR!=1) print $6\'} | xargs -I \'{}\' find \'{}\' -xdev -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null') + if result == '': + return True + return result + +def default_group_for_root(reason=''): + ''' + Ensure default group for the root account is GID 0 + ''' + result = _execute_shell_command('grep "^root:" /etc/passwd | cut -f4 -d:') + result = result.strip() + if result == '0': + return True + return False + +def root_is_only_uid_0_account(reason=''): + ''' + Ensure root is the only UID 0 account + ''' + result = _execute_shell_command('cat /etc/passwd | awk -F: \'($3 == 0) { print $1 }\'') + if result.strip() == 'root': + return True + return result def test_success(): ''' 
@@ -190,6 +280,15 @@ def test_failure_reason(reason): FUNCTION_MAP = { + 'check_all_ports_firewall_rules': check_all_ports_firewall_rules, + 'check_password_fields_not_empty': check_password_fields_not_empty, + 'ungrouped_files_or_dir': ungrouped_files_or_dir, + 'unowned_files_or_dir': unowned_files_or_dir, + 'world_writable_file': world_writable_file, + 'system_account_non_login': system_account_non_login, + 'sticky_bit_on_world_writable_dirs': sticky_bit_on_world_writable_dirs, + 'default_group_for_root': default_group_for_root, + 'root_is_only_uid_0_account': root_is_only_uid_0_account, 'test_success': test_success, 'test_failure': test_failure, 'test_failure_reason': test_failure_reason, diff --git a/hubblestack_nova/netstat.py b/hubblestack_nova/netstat.py index 88ad883..1971767 100644 --- a/hubblestack_nova/netstat.py +++ b/hubblestack_nova/netstat.py @@ -36,7 +36,7 @@ def __virtual__(): return False, 'No network.netstat function found' -def audit(data_list, tags, debug=True): +def audit(data_list, tags, debug=True, **kwargs): ''' Run the network.netstat command ''' diff --git a/hubblestack_nova/openssl.py b/hubblestack_nova/openssl.py index 953951a..03cee7e 100644 --- a/hubblestack_nova/openssl.py +++ b/hubblestack_nova/openssl.py @@ -99,7 +99,7 @@ def __virtual__(): return True -def audit(data_list, tags, debug=True): +def audit(data_list, tags, debug=True, **kwargs): __data__ = {} for profile, data in data_list: _merge_yaml(__data__, data, profile) diff --git a/hubblestack_nova/pkg.py b/hubblestack_nova/pkg.py index c6cf198..5247e49 100644 --- a/hubblestack_nova/pkg.py +++ b/hubblestack_nova/pkg.py @@ -79,7 +79,7 @@ def __virtual__(): return True -def audit(data_list, tags, debug=False): +def audit(data_list, tags, debug=False, **kwargs): ''' Run the pkg audits contained in the YAML files processed by __virtual__ ''' diff --git a/hubblestack_nova/pkgng_audit.py b/hubblestack_nova/pkgng_audit.py index ebc212a..5477956 100644 
--- a/hubblestack_nova/pkgng_audit.py +++ b/hubblestack_nova/pkgng_audit.py @@ -20,7 +20,7 @@ def __virtual__(): return True -def audit(data_list, tags, debug=False): +def audit(data_list, tags, debug=False, **kwargs): ''' Run the pkg.audit command ''' diff --git a/hubblestack_nova/service.py b/hubblestack_nova/service.py index aaa20f5..9418e3c 100644 --- a/hubblestack_nova/service.py +++ b/hubblestack_nova/service.py @@ -72,7 +72,7 @@ def __virtual__(): return True -def audit(data_list, tags, debug=False): +def audit(data_list, tags, debug=False, **kwargs): ''' Run the service audits contained in the YAML files processed by __virtual__ ''' diff --git a/hubblestack_nova/stat.py b/hubblestack_nova/stat_nova.py similarity index 98% rename from hubblestack_nova/stat.py rename to hubblestack_nova/stat_nova.py index 74e6e58..995d792 100644 --- a/hubblestack_nova/stat.py +++ b/hubblestack_nova/stat_nova.py @@ -50,6 +50,7 @@ log = logging.getLogger(__name__) +__virtualname__ = 'stat' def __virtual__(): if salt.utils.is_windows(): @@ -57,7 +58,7 @@ def __virtual__(): return True -def audit(data_list, tags, debug=False): +def audit(data_list, tags, debug=False, **kwargs): ''' Run the stat audits contained in the YAML files processed by __virtual__ ''' diff --git a/hubblestack_nova/sysctl.py b/hubblestack_nova/sysctl.py index 611975a..03b35bf 100644 --- a/hubblestack_nova/sysctl.py +++ b/hubblestack_nova/sysctl.py @@ -49,7 +49,7 @@ def __virtual__(): return True -def audit(data_list, tags, debug=False): +def audit(data_list, tags, debug=False, **kwargs): ''' Run the sysctl audits contained in the YAML files processed by __virtual__ ''' @@ -68,8 +68,8 @@ def audit(data_list, tags, debug=False): for tag in __tags__: if fnmatch.fnmatch(tag, tags): - passed = True for tag_data in __tags__[tag]: + passed = True if 'control' in tag_data: ret['Controlled'].append(tag_data) continue 
@@ -83,10 +83,10 @@ def audit(data_list, tags, debug=False): passed = False if str(salt_ret) != str(match_output): passed = False - if passed: - ret['Success'].append(tag_data) - else: - ret['Failure'].append(tag_data) + if passed: + ret['Success'].append(tag_data) + else: + ret['Failure'].append(tag_data) return ret diff --git a/hubblestack_nova/vulners_scanner.py b/hubblestack_nova/vulners_scanner.py new file mode 100644 index 0000000..82ac977 --- /dev/null +++ b/hubblestack_nova/vulners_scanner.py 
@@ -0,0 +1,145 @@ +''' +HubbleStack Nova plugin for auditing installed packages. + +The module gets the list of installed packages of the system and queries +the Vulners.com Linux Vulnerability Audit API. + +The API is described at the link below: + https://blog.vulners.com/linux-vulnerability-audit-in-vulners/ + +:maintainer: HubbleStack / avb76 +:maturity: 3/26/2017 (TODO: change the format when the release date is established) +:platform: Linux +:requires: SaltStack + +This audit module requires a YAML file inside the hubblestack_nova_profiles directory. +The file should have the following format: + +vulners_scanner: + +It does not matter what `` is, as long as the top key of the file is named `vulners_scanner`. +This allows the module to run under a certain profile, as all of the other Nova modules do. +''' + +from __future__ import absolute_import +import logging + +import sys +import requests + + +log = logging.getLogger(__name__) + + +def __virtual__(): + return not sys.platform.startswith('win') + + +def audit(data_list, tags, debug=False, **kwargs): + os_name = __grains__.get('os').lower() + os_version = __grains__.get('osmajorrelease') + + if debug: + log.debug("os_version: {0}, os_name{1}".format(os_version, os_name)) + + ret = {'Success': [], 'Failure': [], 'Controlled': []} + + for profile, data in data_list: + if 'vulners_scanner' in data: + + local_packages = _get_local_packages() + vulners_data = _vulners_query(local_packages, os=os_name, version=os_version) + if vulners_data['result'] == 'ERROR': + log.error(vulners_data['data']['error']) + vulners_data = _process_vulners(_vulners_query(local_packages, os = os_name, version = os_version)) + + total_packages = len(local_packages) + secure_packages = total_packages - len(vulners_data) + + ret['Success'] = [{'tag': 'Secure packages', + 'description': '{0} out of {1}'.format(secure_packages, total_packages)}] + ret['Failure'] = vulners_data + + return ret + + +def _get_local_packages(): + ''' + Get the 
packages installed on the system. + + :return: A nice list of packages. + ''' + + local_packages = __salt__['pkg.list_pkgs']() + return ['{0}-{1}'.format(pkg, local_packages[pkg]) for pkg in local_packages] + + +def _vulners_query(packages=None, os=None, version=None, url='https://vulners.com/api/v3/audit/audit/'): + ''' + Query the Vulners.com Linux Vulnerability Audit API for the provided packages. + + :param packages: The list on packages to check + :param os: The name of the operating system + :param version: The version of the operating system + :param url: The URL of the auditing API; the default value is the Vulners.com audit API + Check the following link for more details: + https://blog.vulners.com/linux-vulnerability-audit-in-vulners/ + :return: A dictionary containing the JSON data returned by the HTTP request. + ''' + + # error dict matching the error dict returned by the requests library + error = { + 'result': 'ERROR', + 'data': {'error': None} + } + + if not packages: + error['data']['error'] = 'Missing the list of packages.' + return error + if not os and not version: + error['data']['error'] = 'Missing the operating system name and version.' + return error + if not os: + error['data']['error'] = 'Missing the operating system name.' + return error + if not version: + error['data']['error'] = 'Missing the operating system version.' + return error + + + headers = { + 'Accept': 'application/json', + 'Content-Type': 'application/json' + } + + data = { + "os": os, + "package": packages, + "version": version + } + + try: + response = requests.post(url=url, headers=headers, json=data) + return response.json() + except requests.Timeout: + error['data']['error'] = 'Request to {0} timed out'.format(url) + return error + + +def _process_vulners(vulners): + ''' + Process the data returned by the API into the format accepted by `hubble.py`. 
+ + :param vulners: The JSON data returned by the API + :return: A list of dictionaries as hubble.py swallows + ''' + + packages = vulners.get('data', {}).get('packages') + if not packages: + return [] + + return [{'tag': pkg, + 'vulnerabilities': packages[pkg], + 'description': ', '.join(packages[pkg].keys())} + for pkg in packages] + diff --git a/hubblestack_nova/win_auditpol.py b/hubblestack_nova/win_auditpol.py index 976fb16..3953f3c 100644 --- a/hubblestack_nova/win_auditpol.py +++ b/hubblestack_nova/win_auditpol.py @@ -25,7 +25,7 @@ def __virtual__(): return True -def audit(data_list, tags, debug=False): +def audit(data_list, tags, debug=False, **kwargs): ''' Runs auditpol on the local machine and audits the return data with the CIS yaml processed by __virtual__ @@ -63,6 +63,7 @@ def audit(data_list, tags, debug=False): if 'whitelist' in audit_type: if name in __auditdata__: audit_value = __auditdata__[name].lower() + tag_data['found_value'] = audit_value secret = _translate_value_type(audit_value, tag_data['value_type'], match_output) if secret: ret['Success'].append(tag_data) diff --git a/hubblestack_nova/win_firewall.py b/hubblestack_nova/win_firewall.py index dac1e48..2ac80b3 100644 --- a/hubblestack_nova/win_firewall.py +++ b/hubblestack_nova/win_firewall.py @@ -25,7 +25,7 @@ def __virtual__(): return True -def audit(data_list, tags, debug=False): +def audit(data_list, tags, debug=False, **kwargs): ''' Runs auditpol on the local machine and audits the return data with the CIS yaml processed by __virtual__ @@ -64,6 +64,7 @@ def audit(data_list, tags, debug=False): if name in __firewalldata__[tag_data['value_type'].title()]: audit_value = __firewalldata__[tag_data['value_type'].title()] audit_value = audit_value[name].lower() + tag_data['found_value'] = audit_value secret = _translate_value_type(audit_value, tag_data['value_type'], match_output) if secret: ret['Success'].append(tag_data) 
@@ -165,9 +166,9 @@ def _export_firewall(): def _import_firewall(): dict_return = {} - temp_vals = {} export = _export_firewall() for line in export: + temp_vals = {} vals = line.split('\n') for val in vals: if val: diff --git a/hubblestack_nova/win_gp.py b/hubblestack_nova/win_gp.py index c011310..29e5408 100644 --- a/hubblestack_nova/win_gp.py +++ b/hubblestack_nova/win_gp.py @@ -25,7 +25,7 @@ def __virtual__(): return True -def audit(data_list, tags, debug=False): +def audit(data_list, tags, debug=False, **kwargs): ''' Runs auditpol on the local machine and audits the return data with the CIS yaml processed by __virtual__ @@ -63,6 +63,7 @@ def audit(data_list, tags, debug=False): if 'whitelist' in audit_type: if name in __gpdata__: audit_value = True + tag_data['found_value'] = audit_value secret = _translate_value_type(audit_value, tag_data['value_type'], match_output) if secret: ret['Success'].append(tag_data) diff --git a/hubblestack_nova/win_pkg.py b/hubblestack_nova/win_pkg.py index fe06efb..dd540f8 100644 --- a/hubblestack_nova/win_pkg.py +++ b/hubblestack_nova/win_pkg.py @@ -25,7 +25,7 @@ def __virtual__(): return True -def audit(data_list, tags, debug=False): +def audit(data_list, tags, debug=False, **kwargs): ''' Runs auditpol on the local machine and audits the return data with the CIS yaml processed by __virtual__ @@ -67,6 +67,7 @@ def audit(data_list, tags, debug=False): if 'whitelist' in audit_type: if name in __pkgdata__: audit_value = __pkgdata__['name'] + tag_data['found_value'] = audit_value secret = _translate_value_type(audit_value, tag_data['value_type'], match_output) if secret: ret['Success'].append(tag_data) diff --git a/hubblestack_nova/win_reg.py b/hubblestack_nova/win_reg.py index 0a0bcdc..5ae5d00 100644 --- a/hubblestack_nova/win_reg.py +++ b/hubblestack_nova/win_reg.py 
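Review bot: in the win_pkg.py hunk, the new `tag_data['found_value'] = audit_value` records whatever `audit_value = __pkgdata__['name']` holds, and that line looks up the literal string 'name' rather than the `name` variable tested on the preceding `if name in __pkgdata__:` line. Unless `__pkgdata__` really has a key called 'name' this raises KeyError for every whitelisted package, and if it does, `found_value` reports the wrong package's data; it should read `audit_value = __pkgdata__[name]`. The win_firewall.py, win_gp.py and win_pkg.py hunks also still carry the copy-pasted docstring "Runs auditpol on the local machine"; win_reg.py fixes its own in this patch, so the others should follow. The `temp_vals = {}` move into the `for line in export:` loop of `_import_firewall` is a correct fix: with one dict shared across iterations, keys parsed from one firewall profile leaked into every later one.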
@@ -24,9 +24,9 @@ def __virtual__(): return True -def audit(data_list, tags, debug=False): +def audit(data_list, tags, debug=False, **kwargs): ''' - Runs auditpol on the local machine and audits the return data + Runs salt reg query on the local machine and audits the return data with the CIS yaml processed by __virtual__ ''' __data__ = {} @@ -48,7 +48,10 @@ def audit(data_list, tags, debug=False): continue name = tag_data['name'] audit_type = tag_data['type'] - match_output = tag_data['match_output'].lower() + try: + match_output = int(tag_data['match_output']) + except ValueError: + match_output = tag_data['match_output'].lower() reg_dict = _reg_path_splitter(name) # Blacklisted audit (do not include) 
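Review bot: the new `try: match_output = int(tag_data['match_output']) except ValueError:` only guards against non-numeric strings; if a profile author leaves the value unquoted and YAML yields a bool (`yes`/`no`), `None`, or a list, `int()` raises TypeError, which is not caught and aborts the whole audit, and the `.lower()` fallback fails on the same inputs. Catch `(ValueError, TypeError)` and only call `.lower()` on string values (`six.string_types`). The docstring fix to "Runs salt reg query" is right; the same correction belongs in the sibling Windows modules touched by this patch.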
@@ -62,30 +65,33 @@ def audit(data_list, tags, debug=False): # Whitelisted audit (must include) if 'whitelist' in audit_type: current = _find_option_value_in_reg(reg_dict['hive'], reg_dict['key'], reg_dict['value']) - if isinstance(current, list): - if False in current: + if isinstance(current, dict): + tag_data['value_found'] = current + if False in current.values(): ret['Failure'].append(tag_data) else: - for key in current: - secret = _translate_value_type(key, tag_data['value_type'], match_output) - if not secret: - break + answer_list = [] + for item in current: + answer_list.append(_translate_value_type(current[item], tag_data['value_type'], match_output)) + + if False in answer_list: + ret['Failure'].append(tag_data) + else: + ret['Success'].append(tag_data) + else: + if current is not False: + secret = _translate_value_type(current, tag_data['value_type'], match_output) if secret: + tag_data['value_found'] = current ret['Success'].append(tag_data) else: + tag_data['value_found'] = current ret['Failure'].append(tag_data) - if current: - secret = _translate_value_type(current, tag_data['value_type'], match_output) - if secret: - ret['Success'].append(tag_data) + else: - tag_data['value_found'] = current + tag_data['value_found'] = None ret['Failure'].append(tag_data) - else: - tag_data['value_found'] = None - ret['Failure'].append(tag_data) - return ret @@ -164,7 +170,11 @@ def _get_tags(data): def _reg_path_splitter(reg_path): dict_return = {} dict_return['hive'], temp = reg_path.split('\\', 1) - dict_return['key'], dict_return['value'] = temp.rsplit('\\', 1) + if '\\\\*\\' in temp: + dict_return['key'], dict_return['value'] = temp.rsplit('\\\\', 1) + dict_return['value'] = '\\\\{}'.format(dict_return['value']) + else: + dict_return['key'], dict_return['value'] = temp.rsplit('\\', 1) return dict_return 
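Review bot: in the `_reg_path_splitter` change, the `'\\\\*\\' in temp` branch does `temp.rsplit('\\\\', 1)`, which only yields the intended key/value pair when the `\\*` wildcard is the component immediately before the value name; a path with the wildcard earlier (for example `HIVE\Key\\*\Sub\Value`) would leave `\Sub\Value` in the value half. Either state that constraint in the profile format or locate the wildcard and then split on the last single backslash after it. In the whitelist hunk above it, the dict branch stores the whole per-SID dict under `tag_data['value_found']` while the scalar branch stores the raw value, so consumers of the return data get two shapes under one key; worth either documenting or normalising (e.g. always a dict).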
@@ -177,47 +187,59 @@ def _find_option_value_in_reg(reg_hive, reg_key, reg_value): ''' if reg_hive.lower() in ('hku', 'hkey_users'): key_list = [] - ret_list = [] + ret_dict = {} sid_return = __salt__['cmd.run']('reg query hku').split('\n') for line in sid_return: if '\\' in line: key_list.append(line.split('\\')[1].strip()) for sid in key_list: - reg_key.replace('', sid) + if len(sid) <= 15 or '_Classes' in sid: + continue + reg_key = reg_key.replace('', sid) reg_result = __salt__['reg.read_value'](reg_hive, reg_key, reg_value) if reg_result['success']: - ret_list.append(reg_result['vdata']) + if reg_result['vdata'] == '(value not set)': + ret_dict[sid] = False + else: + ret_dict[sid] = reg_result['vdata'] else: - ret_list.append(False) - if False in ret_list: - return False - else: - return ret_list - + ret_dict[sid] = False + return ret_dict else: reg_result = __salt__['reg.read_value'](reg_hive, reg_key, reg_value) if reg_result['success']: - return reg_result['vdata'] + if reg_result['vdata'] == '(value not set)': + return False + else: + return reg_result['vdata'] else: return False - -def _translate_evaluator(output): - '''Helper function to return valid output you would find in the registry''' - if 'enabled' in output: - return '1' - if 'disabled' in output: - return '0' - - def _translate_value_type(current, value, evaluator): - evaluator = _translate_evaluator(evaluator) - if 'all' in value: + try: + current = int(current) + except ValueError: + log.debug('registry value is a string') + current = current.lower() + if 'equal' in value: if current == evaluator: return True else: return False if 'domain' in value: pass + if 'more' in value: + if current >= evaluator: + return True + else: + return False + if 'less' in value: + if current <= evaluator and current != 0: + return True + else: + return False + if 'user' in value: + log.debug("HKEY_Users is still a work in progress") + return True 
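Review bot: `reg_key = reg_key.replace('', sid)` in `_find_option_value_in_reg` has two problems: as the hunk shows it, the search string is empty, and `str.replace('', sid)` inserts the SID between every character of the key (if a placeholder token such as `<SID>` was meant, confirm it survived into the source), and the result is assigned back to `reg_key`, so the second and later SIDs in `key_list` substitute into a key that already contains the first SID. Use a fresh local per iteration, e.g. `sid_key = reg_key.replace(PLACEHOLDER, sid)`, and pass that to `reg.read_value`. In `_translate_value_type`, `if 'user' in value: ... return True` makes any `user` value_type pass unconditionally, which turns a compliance check into a guaranteed Success; until HKEY_USERS handling is finished it should return False or be skipped with a visible warning. Removing `_translate_evaluator` is also a behaviour change: profiles that wrote `match_output: Enabled`/`Disabled` used to be compared as '1'/'0', and with the new code `current` is coerced to int while `evaluator` stays the lower-cased word, so the `'equal'` branch can never be true for them; either keep the translation or update the shipped profiles in the same patch. Finally, `int(current)` catches only ValueError (a REG_MULTI_SZ list or None raises TypeError), and the `'more'`/`'less'` comparisons between an int `current` and a string `evaluator` are meaningless (and raise on Python 3).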
diff --git a/hubblestack_nova/win_secedit.py b/hubblestack_nova/win_secedit.py index bcb4b70..70bd1f5 100644 --- a/hubblestack_nova/win_secedit.py +++ b/hubblestack_nova/win_secedit.py @@ -30,7 +30,7 @@ def __virtual__(): return True -def audit(data_list, tags, debug=False): +def audit(data_list, tags, debug=False, **kwargs): ''' Runs secedit on the local machine and audits the return data with the CIS yaml processed by __virtual__ @@ -67,7 +67,7 @@ def audit(data_list, tags, debug=False): ret['Failure'].append(tag_data) else: if name in __secdata__: - secret = _translate_value_type(sec_value, tag_data['value_type'], match_output) + secret = _translate_value_type(__secdata__[name], tag_data['value_type'], tag_data['match_output']) if secret: ret['Failure'].append(tag_data) else: @@ -77,10 +77,14 @@ def audit(data_list, tags, debug=False): if audit_type == 'whitelist': if name in __secdata__: sec_value = __secdata__[name] - if 'machine\\' in output: + tag_data['found_value'] = sec_value + if 'MACHINE\\' in name: match_output = _reg_value_translator(tag_data['match_output']) else: match_output = tag_data['match_output'] + if ',' in sec_value and '\\' in sec_value: + sec_value = sec_value.split(',') + match_output = match_output.split(',') if 'account' in tag_data['value_type']: secret = _translate_value_type(sec_value, tag_data['value_type'], match_output, __sidaccounts__) else: @@ -90,6 +94,7 @@ def audit(data_list, tags, debug=False): else: ret['Failure'].append(tag_data) else: + log.error('name {} was not in __secdata__'.format(name)) ret['Failure'].append(tag_data) return ret 
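Review bot: in the blacklist hunk (`secret = _translate_value_type(__secdata__[name], tag_data['value_type'], tag_data['match_output'])`), `match_output` is passed raw, whereas the whitelist hunk just below translates it with `_reg_value_translator` whenever `'MACHINE\\' in name` and splits comma-separated account lists; a blacklisted `MACHINE\` setting written as `Enabled` in the profile is therefore compared against the raw word instead of `4,1` and never matches. Factor the translate/split step into a helper used by both branches.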
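Review bot: in the whitelist hunk, `if ',' in sec_value and '\\' in sec_value: sec_value = sec_value.split(','); match_output = match_output.split(',')` keys the split on the shape of the exported value rather than on what the check means; for a `MACHINE\` value whose data contains both a comma and a backslash, `match_output` has just been rewritten by `_reg_value_translator` into the `type,value` form, and splitting that on commas separates the type prefix from the value so the element-wise comparison cannot match. Guard the split on the `'account'` value_type (the one case that needs SID lists) instead. Also, `log.error('name {} was not in __secdata__'.format(name))` fires for every setting absent from the export, which is the normal state of an unconfigured policy and is already recorded as a Failure; `log.debug` or `log.warning` is the better level. The change from the undefined `output` to `'MACHINE\\' in name` is a correct fix of a NameError.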
@@ -205,7 +210,7 @@ def _get_account_sid(): '''This helper function will get all the users and groups on the computer and return a dictionary''' win32 = __salt__['cmd.run']('Get-WmiObject win32_useraccount -Filter "localaccount=\'True\'"' - ' | Format-List -Property Name, SID', shell='powershell', + ' | Format-List -Property Name, SID', shell='powershell', python_shell=True) win32 += '\n' win32 += __salt__['cmd.run']('Get-WmiObject win32_group -Filter "localaccount=\'True\'" | ' @@ -256,7 +261,7 @@ def _translate_value_type(current, value, evaluator, __sidaccounts__=False): current = current.replace('"', '') if '"' in evaluator: evaluator = evaluator.replace('"', '') - if int(current) > int(evaluator): + if int(current) >= int(evaluator): return True else: return False @@ -269,7 +274,7 @@ def _translate_value_type(current, value, evaluator, __sidaccounts__=False): current = current.replace('"', '') if '"' in evaluator: evaluator = evaluator.replace('"', '') - if int(current) < int(evaluator): + if int(current) <= int(evaluator): if current != '0': return True else: @@ -277,9 +282,20 @@ def _translate_value_type(current, value, evaluator, __sidaccounts__=False): else: return False elif 'equal' in value: - if ',' not in evaluator: + if ',' not in evaluator and type(evaluator) != list: evaluator = _evaluator_translator(evaluator) - + if type(current) == list: + ret_final = [] + for item in current: + item = item.lower() + if item in evaluator: + ret_final.append(True) + else: + ret_final.append(False) + if False in ret_final: + return False + else: + return True if current.lower() == evaluator: return True else: 
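Review bot: in the `'equal'` hunk, the guard `if ',' not in evaluator and type(evaluator) != list` leaves a comma-containing string evaluator untranslated, and the new list branch then tests `if item in evaluator` against it; on a string that is substring containment, so `item = '1'` is "in" `'4,1'` and `'4,11'` alike, and an account item such as `s-1-5-32-544` matches any evaluator that merely contains it. Split a string evaluator on commas into a list before the membership test (or require `isinstance(evaluator, list)` there) so the comparison is element-wise. The `>=`/`<=` changes in the two hunks above match the "7 or more" / "90 days or less" wording of the CIS items and are correct; `type(x) == list` is better written `isinstance(x, list)` throughout.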
@@ -322,7 +338,9 @@ def _translate_value_type(current, value, evaluator, __sidaccounts__=False): def _evaluator_translator(input_string): '''This helper function takes words from the CIS yaml and replaces them with what you actually find in the secedit dump''' - input_string = input_string.replace(' ','').lower() + if type(input_string) == str: + input_string = input_string.replace(' ','').lower() + if 'enabled' in input_string: return '1' elif 'disabled' in input_string: @@ -333,6 +351,8 @@ def _evaluator_translator(input_string): return '2' elif input_string == 'success,failure' or input_string == 'failure,success': return '3' + elif input_string in ['0','1','2','3']: + return input_string else: log.debug('error translating evaluator from enabled/disabled or success/failure.' ' Could have received incorrect string') @@ -363,7 +383,7 @@ def _account_audit(current, __sidaccounts__): def _reg_value_translator(input_string): - input_string.lower() + input_string = input_string.lower() if input_string == 'enabled': return '4,1' elif input_string == 'disabled': @@ -384,13 +404,13 @@ def _reg_value_translator(input_string): return '4,5' elif input_string == 'negotiate signing': return '4,1' - elif input_string == 'Require ntlmv2 session security, require 128-bit encryption': + elif input_string == 'require ntlmv2 session security, require 128-bit encryption': return '4,537395200' elif input_string == 'prompt for consent on the secure desktop': return '4,2' elif input_string == 'automatically deny elevation requests': return '4,0' - elif input_string == 'Defined (blank)': + elif input_string == 'defined (blank)': return '7,' else: return input_string diff --git a/hubblestack_nova_profiles/cis/amazon-201409-level-1-scored-v1-0-0.yaml b/hubblestack_nova_profiles/cis/amazon-201409-level-1-scored-v1-0-0.yaml index ff99397..5e26030 100644 --- a/hubblestack_nova_profiles/cis/amazon-201409-level-1-scored-v1-0-0.yaml 
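Review bot: `if type(input_string) == str:` in `_evaluator_translator` skips the whitespace strip and lower-casing for `unicode` values, which PyYAML hands back on Python 2 (the interpreter Salt ran on when this was written) for any non-ASCII or `!!python/unicode` string, so those fall through to the `'enabled' in input_string` tests un-normalised; use `isinstance(input_string, six.string_types)` so both types are treated the same. `input_string = input_string.lower()` in `_reg_value_translator` and the two lower-cased comparison literals are correct fixes: the previous `input_string.lower()` discarded its result, and the capitalised literals could never match a lower-cased input.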
+++ b/hubblestack_nova_profiles/cis/amazon-201409-level-1-scored-v1-0-0.yaml @@ -1,4 +1,4 @@ -# NOTE: This CIS Profile only includes Level 1 Scored Items for Amazon Linux AMI-2014. +# NOTE: This CIS Profile only includes Level 1 Scored Items for Amazon Linux AMI-2014 09. # NOTE: Within this file, there are a few sections that should be tailored to your # organization's specific policy. Search for '# NOTE: ' comments through the file. @@ -691,7 +691,8 @@ grep: - '/etc/ssh/sshd_config': tag: 'CIS-6.2.11' pattern: "Ciphers" - match_output: "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" + match_output: "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$" + match_output_regex: True description: 'Use Only Approved Cipher in Counter Mode (Scored)' sshd_idle_timeout: diff --git a/hubblestack_nova_profiles/cis/amazon-level-1-scored-v1-0-0.yaml b/hubblestack_nova_profiles/cis/amazon-level-1-scored-v1-0-0.yaml index f674a67..49ad425 100644 --- a/hubblestack_nova_profiles/cis/amazon-level-1-scored-v1-0-0.yaml +++ b/hubblestack_nova_profiles/cis/amazon-level-1-scored-v1-0-0.yaml @@ -691,7 +691,8 @@ grep: - '/etc/ssh/sshd_config': tag: 'CIS-6.2.11' pattern: "Ciphers" - match_output: "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" + match_output: "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$" + match_output_regex: True description: 'Use Only Approved Cipher in Counter Mode (Scored)' sshd_idle_timeout: 
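Review bot: the six-way alternation in the new `match_output` rejects configurations that are compliant with "Use Only Approved Cipher in Counter Mode", e.g. `Ciphers aes256-ctr,aes128-ctr` or `Ciphers aes256-ctr`, because it only accepts the full three-cipher list in every order. A regex over the approved set, `^Ciphers (aes256-ctr|aes192-ctr|aes128-ctr)(,(aes256-ctr|aes192-ctr|aes128-ctr))*$`, accepts exactly the lines made up of approved ciphers and is easier to audit than the expanded permutations. Also `pattern: "Ciphers"` is unanchored, so a commented `#Ciphers ...` line is also a grep hit; the new profile in the next file uses `pattern: ^Ciphers`, and these two should too. The same comment applies to the identical hunk in amazon-201409-level-1-scored-v1-0-0.yaml above.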
diff --git a/hubblestack_nova_profiles/cis/amazon-level-1-scored-v2-0-0.yaml b/hubblestack_nova_profiles/cis/amazon-level-1-scored-v2-0-0.yaml new file mode 100644 index 0000000..fb449e3 --- /dev/null +++ b/hubblestack_nova_profiles/cis/amazon-level-1-scored-v2-0-0.yaml 
@@ -0,0 +1,1253 @@ +# NOTE: This CIS Profile only includes Level 1 Scored Items for Amazon Linux* +# NOTE: Within this file, there are a few sections that should be tailored to your +# organization's specific policy. Search for '# NOTE: ' comments through the file. + +# TODO: Checks that aren't implemented yet: +# 3.6.5 +# 4.2.4 +# 6.2.6-19 + + + +grep: + blacklist: + message_of_the_day: + data: + 'Amazon Linux*': + - /etc/motd: + pattern: '"(\\\v|\\\r|\\\m|\\\s)"' + grep_args: + - '-E' + tag: CIS-1.7.1.1 + description: Ensure message of the day is configured properly + legacy_passwd_entries_group: + data: + 'Amazon Linux*': + - /etc/group: + pattern: '^+:' + tag: CIS-6.2.4 + description: Ensure no legacy "+" entries exist in /etc/group + legacy_passwd_entries_passwd: + data: + 'Amazon Linux*': + - /etc/passwd: + pattern: '^+:' + tag: CIS-6.2.2 + description: Ensure no legacy "+" entries exist in /etc/passwd + legacy_passwd_entries_shadow: + data: + 'Amazon Linux*': + - /etc/shadow: + pattern: '^+:' + tag: CIS-6.2.3 + description: Ensure no legacy "+" entries exist in /etc/shadow + whitelist: + activate_gpg_check: + data: + 'Amazon Linux*': + - /etc/yum.conf: + match_output: gpgcheck=1 + pattern: gpgcheck + tag: CIS-1.2.3 + description: Ensure gpgcheck is globally activated + aide_filesystem_scans: + data: + 'Amazon Linux*': + - /etc/cron.d: + pattern: aide + grep_args: + - '-r' + tag: CIS-1.3.2 + description: Ensure filesystem integrity is regularly checked + single_user_mode_check: + data: + 'Amazon Linux*': + - /etc/sysconfig/init: + match_output: SINGLE=/sbin/sulogin + pattern: ^SINGLE + tag: CIS-1.4.2 + description: Ensure authentication required for single user mode + interactive_boot_check: + data: + 'Amazon Linux*': + - /etc/sysconfig/init: + match_output: PROMPT=no + pattern: "^PROMPT=" + tag: CIS-1.4.3 + description: Ensure interactive boot is not enabled + configure_ntp: + data: + 'Amazon Linux*': + - /etc/ntp.conf: + pattern: ^restrict + match_output: 
default + tag: CIS-2.2.1.2 + - /etc/ntp.conf: + pattern: restrict -6 default + tag: CIS-2.2.1.2 + - /etc/ntp.conf: + tag: CIS-2.2.1.2 + pattern: '^server' + - /etc/sysconfig/ntpd: + tag: CIS-2.2.1.2 + pattern: '^OPTIONS' + match_output: '-u ntp:ntp' + description: Ensure ntp is configured + configure_chrony: + data: + 'Amazon Linux*': + - /etc/chrony.conf: + tag: CIS-2.2.1.3 + pattern: '^server' + match_output: 'server *' + match_output_regex: True + - /etc/sysconfig/chronyd: + tag: CIS-2.2.1.3 + pattern: ^OPTIONS + match_output: 'OPTIONS="-u chrony"' + description: Ensure chrony is configured + local_mail: + data: + 'Amazon Linux*': + - /etc/postfix/main.cf: + pattern: ^inet_interfaces + match_output: localhost + tag: CIS-2.2.15 + description: Ensure mail transfer agent is configured for local-only mode + default_umask: + data: + 'Amazon Linux*': + - /etc/bashrc: + pattern: umask + match_pattern: '027' + tag: CIS-5.4.4 + - /etc/profile: + pattern: umask + match_pattern: '027' + tag: CIS-5.4.4 + description: Ensure default user umask is 027 or more restrictive + disable_mount_cramfs: + data: + 'Amazon Linux*': + - /etc/modprobe.d: + match_output: /bin/true + pattern: cramfs + grep_args: + - '-r' + tag: CIS-1.1.1.1 + description: Ensure mounting of cramfs filesystems is disabled + disable_mount_freevxfs: + data: + 'Amazon Linux*': + - /etc/modprobe.d: + match_output: /bin/true + pattern: freevxfs + grep_args: + - '-r' + tag: CIS-1.1.1.2 + description: Ensure mounting of freevxfs filesystems is disabled + disable_mount_jffs2: + data: + 'Amazon Linux*': + - /etc/modprobe.d: + match_output: /bin/true + pattern: jffs2 + grep_args: + - '-r' + tag: CIS-1.1.1.3 + description: Ensure mounting of jffs2 filesystems is disabled + disable_mount_hfs: + data: + 'Amazon Linux*': + - /etc/modprobe.d: + match_output: /bin/true + pattern: hfs + grep_args: + - '-r' + tag: CIS-1.1.1.4 + description: Ensure mounting of hfs filesystems is disabled + disable_mount_hfsplus: + data: + 
'Amazon Linux*': + - /etc/modprobe.d: + match_output: /bin/true + pattern: hfsplus + grep_args: + - '-r' + tag: CIS-1.1.1.5 + description: Ensure mounting of hfsplus filesystems is disabled + disable_mount_squashfs: + data: + 'Amazon Linux*': + - /etc/modprobe.d: + match_output: /bin/true + pattern: squashfs + grep_args: + - '-r' + tag: CIS-1.1.1.6 + description: Ensure mounting of squashfs filesystems is disabled + disable_mount_udf: + data: + 'Amazon Linux*': + - /etc/modprobe.d: + match_output: /bin/true + pattern: udf + grep_args: + - '-r' + tag: CIS-1.1.1.7 + description: Ensure mounting of udf filesystems is disabled + disable_mount_fat: + data: + 'Amazon Linux*': + - /etc/modprobe.d: + match_output: /bin/true + pattern: vfat + grep_args: + - '-r' + tag: CIS-1.1.1.8 + description: Ensure mounting of FAT filesystems is disabled + fstab_var_tmp_partition_nodev: + data: + 'Amazon Linux*': + - /etc/fstab: + match_output: nodev + pattern: /var/tmp + tag: CIS-1.1.8 + description: Ensure nodev option set on /var/tmp partition + fstab_var_tmp_partition_nosuid: + data: + 'Amazon Linux*': + - /etc/fstab: + match_output: nosuid + pattern: /var/tmp + tag: CIS-1.1.9 + description: Ensure nosuid option set on /var/tmp partition + fstab_var_tmp_partition_noexec: + data: + 'Amazon Linux*': + - /etc/fstab: + match_output: noexec + pattern: /var/tmp + tag: CIS-1.1.10 + description: Ensure noexec option set on /var/tmp partition + fstab_dev_shm_partition_nodev: + data: + 'Amazon Linux*': + - /etc/fstab: + match_output: nodev + pattern: /dev/shm + tag: CIS-1.1.15 + description: Ensure nodev option set on /dev/shm partition + fstab_dev_shm_partition_noexec: + data: + 'Amazon Linux*': + - /etc/fstab: + match_output: noexec + pattern: /dev/shm + tag: CIS-1.1.17 + description: Ensure noexec option set on /dev/shm partition + fstab_dev_shm_partition_nosuid: + data: + 'Amazon Linux*': + - /etc/fstab: + match_output: nosuid + pattern: /dev/shm + tag: CIS-1.1.16 + description: Ensure 
nosuid option set on /dev/shm partition + fstab_home_partition_nodev: + data: + 'Amazon Linux*': + - /etc/fstab: + match_output: nodev + pattern: /home + tag: CIS-1.1.14 + description: Ensure nodev option set on /home partition + fstab_tmp_partition_nodev: + data: + 'Amazon Linux*': + - /etc/fstab: + match_output: nodev + pattern: /tmp + tag: CIS-1.1.3 + description: Ensure nodev option set on /tmp partition + fstab_tmp_partition_noexec: + data: + 'Amazon Linux*': + - /etc/fstab: + match_output: noexec + pattern: /tmp + tag: CIS-1.1.5 + description: Ensure noexec option set on /tmp partition + fstab_tmp_partition_nosuid: + data: + 'Amazon Linux*': + - /etc/fstab: + match_output: nosuid + pattern: /tmp + tag: CIS-1.1.4 + description: Ensure nosuid option set on /tmp partition + hosts_allow: + data: + 'Amazon Linux*': + - /etc/hosts.allow: + pattern: ALL + tag: CIS-3.4.2 + description: Ensure /etc/hosts.allow is configured + hosts_deny: + data: + 'Amazon Linux*': + - /etc/hosts.deny: + pattern: ALL + tag: CIS-3.4.3 + description: Ensure /etc/hosts.deny is configured + firewall_default_deny: + data: + 'Amazon Linux*': + - /etc/sysconfig/iptables: + pattern: :INPUT + match_output: DROP + tag: CIS-3.6.2 + - /etc/sysconfig/iptables: + pattern: :FORWARD + match_pattern: DROP + tag: CIS-3.6.2 + - /etc/sysconfig/iptables: + pattern: :OUTPUT + match_output: DROP + tag: CIS-3.6.2 + description: Ensure default deny firewall policy + firewall_accept_lo: + data: + 'Amazon Linux*': + - /etc/sysconfig/iptables: + pattern: '"\-A INPUT \-i lo \-j"' + match_output: ACCEPT + tag: CIS-3.6.3 + - /etc/sysconfig/iptables: + pattern: '"\-A OUTPUT \-o lo \-j"' + match_output: ACCEPT + tag: CIS-3.6.3 + - /etc/sysconfig/iptables: + pattern: '"\-A INPUT \-s 127.0.0.0/8 \-j"' + match_output: DROP + tag: CIS-3.6.3 + description: Ensure loopback traffic is configured + rsyslog_file_perms: + data: + 'Amazon Linux*': + - /etc/rsyslog.conf: + pattern: '^\$FileCreateMode' + match_output: '0640' + 
tag: CIS-4.2.1.3 + description: Ensure rsyslog default file permissions configured + rsyslog_remote_logging: + data: + 'Amazon Linux*': + - /etc/rsyslog.conf: + pattern: ^*.*[^I][^I]*@ + tag: CIS-4.2.1.4 + description: Ensure rsyslog is configured to send logs to a remote log host + syslog-ng_file_perms: + data: + 'Amazon Linux*': + - /etc/syslog-ng/syslog-ng.conf: + pattern: ^options + match_output: 'perm(0640)' + tag: CIS-4.2.2.3 + description: Ensure syslog-ng default file permissions configured + limit_password_reuse: + data: + 'Amazon Linux*': + - /etc/pam.d/system-auth: + pattern: '"^password\s+sufficient\s+pam_unix\.so.*"' + match_output: remember=5 + grep_args: + - '-E' + tag: CIS-5.3.3 + description: Ensure password reuse is limited + password_hash: + data: + 'Amazon Linux*': + - /etc/pam.d/password-auth: + pattern: '"^password\s+\w+\s+pam_unix\.so"' + match_output: sha512 + grep_args: + - '-E' + tag: CIS-5.3.4 + description: Ensure password hashing algorithm is SHA-512 + limit_su_command_access: + data: + 'Amazon Linux*': + - /etc/pam.d/su: + match_output: use_uid + pattern: pam_wheel.so + tag: CIS-5.5 + - /etc/group: + pattern: wheel + tag: CIS-5.5 + description: Ensure access to the su command is restricted + pam_pwquality_try_first_pass: + data: + 'Amazon Linux*': + - /etc/pam.d/system-auth: + match_output: try_first_pass + pattern: pam_pwquality.so + tag: CIS-5.3.1 + - /etc/pam.d/system-auth: + match_output: retry=3 + pattern: pam_pwquality.so + tag: CIS-5.3.1 + - /etc/security/pwquality.conf: + pattern: minlen + match_output: '14' + tag: CIS-5.3.1 + - /etc/security/pwquality.conf: + pattern: dcredit + match_output: '-1' + tag: CIS-5.3.1 + - /etc/security/pwquality.conf: + pattern: ucredit + match_output: '-1' + tag: CIS-5.3.1 + - /etc/security/pwquality.conf: + pattern: ocredit + match_output: '-1' + tag: CIS-5.3.1 + - /etc/security/pwquality.conf: + pattern: lcredit + match_output: '-1' + tag: CIS-5.3.1 + description: Ensure password creation 
requirements are configured + passwd_change_min_days: + data: + 'Amazon Linux*': + - /etc/login.defs: + match_output: '7' + pattern: PASS_MIN_DAYS + tag: CIS-5.4.1.2 + description: Ensure minimum days between password changes is 7 or more + passwd_expiration_days: + data: + 'Amazon Linux*': + - /etc/login.defs: + match_output: '90' + pattern: PASS_MAX_DAYS + tag: CIS-5.4.1.1 + description: Ensure password expiration is 90 days or less + passwd_expiry_warning: + data: + 'Amazon Linux*': + - /etc/login.defs: + match_output: '7' + pattern: PASS_WARN_AGE + tag: CIS-5.4.1.3 + description: Ensure password expiration warning days is 7 or more + passwd_inactive: + data: + 'Amazon Linux*': + - /etc/default/useradd: + pattern: INACTIVE=30 + tag: CIS-5.4.1.4 + description: Ensure inactive password lock is 30 days or less + restrict_core_dumps: + data: + 'Amazon Linux*': + - /etc/security/limits.conf: + match_output: '0' + pattern: '"* hard core"' + tag: CIS-1.5.1 + description: Ensure core dumps are restricted + sshd_approved_cipher: + data: + 'Amazon Linux*': + - /etc/ssh/sshd_config: + match_output: '^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$' + match_output_regex: True + pattern: ^Ciphers + tag: CIS-5.2.11 + description: Ensure only approved ciphers are used + sshd_approved_macs: + data: + 'Amazon Linux*': + - /etc/ssh/sshd_config: + match_output: 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' + pattern: ^MACs + tag: CIS-5.2.12 + description: Ensure only approved MAC algorithms are used + sshd_banner: + data: + 'Amazon Linux*': + - /etc/ssh/sshd_config: + match_output: "/etc/issue.net" + pattern: ^Banner + tag: CIS-5.2.16 + description: Ensure SSH warning banner is 
configured + sshd_disable_root_login: + data: + 'Amazon Linux*': + - /etc/ssh/sshd_config: + match_output: PermitRootLogin no + pattern: ^PermitRootLogin + tag: CIS-5.2.8 + description: Ensure SSH root login is disabled + sshd_hostbased_auth: + data: + 'Amazon Linux*': + - /etc/ssh/sshd_config: + match_output: HostbasedAuthentication no + pattern: ^HostbasedAuthentication + tag: CIS-5.2.7 + description: Ensure SSH HostbasedAuthentication is disabled + sshd_idle_timeout: + data: + 'Amazon Linux*': + - /etc/ssh/sshd_config: + match_output: ClientAliveInterval 300 + pattern: ^ClientAliveInterval + tag: CIS-5.2.13 + - /etc/ssh/sshd_config: + match_output: ClientAliveCountMax 0 + pattern: ^ClientAliveCountMax + tag: CIS-5.2.13 + description: Ensure SSH Idle Timeout Interval is configured + sshd_gracetime: + data: + 'Amazon Linux*': + - /etc/ssh/sshd_config: + pattern: ^LoginGraceTime + match_output: '60' + tag: CIS-5.2.14 + description: Ensure SSH LoginGraceTime is set to one minute or less + sshd_ignore_rhosts: + data: + 'Amazon Linux*': + - /etc/ssh/sshd_config: + match_output: IgnoreRhosts yes + pattern: ^IgnoreRhosts + tag: CIS-5.2.6 + description: Ensure SSH IgnoreRhosts is enabled + sshd_limit_access: + data: + 'Amazon Linux*': + - /etc/ssh/sshd_config: + pattern: ^AllowUsers + match_output: 'AllowUsers *' + match_output_regex: True + tag: CIS-5.2.15 + - /etc/ssh/sshd_config: + pattern: ^AllowGroups + match_output: 'AllowGroups *' + match_output_regex: True + tag: CIS-5.2.15 + - /etc/ssh/sshd_config: + pattern: ^DenyUsers + match_output: 'DenyUsers *' + match_output_regex: True + tag: CIS-5.2.15 + - /etc/ssh/sshd_config: + pattern: ^DenyGroups + match_output: 'DenyGroups *' + match_output_regex: True + tag: CIS-5.2.15 + description: Ensure SSH access is limited + sshd_loglevel_info: + data: + 'Amazon Linux*': + - /etc/ssh/sshd_config: + match_output: LogLevel INFO + pattern: ^LogLevel + tag: CIS-5.2.3 + description: Ensure SSH LogLevel is set to INFO + 
sshd_max_auth_retries: + data: + 'Amazon Linux*': + - /etc/ssh/sshd_config: + match_output: MaxAuthTries 4 + pattern: ^MaxAuthTries + tag: CIS-5.2.5 + description: Ensure SSH MaxAuthTries is set to 4 or less + sshd_permit_empty_passwords: + data: + 'Amazon Linux*': + - /etc/ssh/sshd_config: + match_output: PermitEmptyPasswords no + pattern: ^PermitEmptyPasswords + tag: CIS-5.2.9 + description: Ensure SSH PermitEmptyPasswords is disabled + sshd_permit_user_environment: + data: + 'Amazon Linux*': + - /etc/ssh/sshd_config: + match_output: PermitUserEnvironment no + pattern: ^PermitUserEnvironment + tag: CIS-5.2.10 + description: Ensure SSH PermitUserEnvironment is disabled + sshd_protocol_2: + data: + 'Amazon Linux*': + - /etc/ssh/sshd_config: + match_output: Protocol 2 + pattern: ^Protocol + tag: CIS-5.2.2 + description: Ensure SSH Protocol is set to 2 + sshd_x11_forwarding: + data: + 'Amazon Linux*': + - /etc/ssh/sshd_config: + match_output: X11Forwarding no + pattern: ^X11Forwarding + tag: CIS-5.2.4 + description: Ensure SSH X11 forwarding is disabled + lockout_account: + data: + 'Amazon Linux*': + - /etc/pam.d/system-auth: + pattern: '"^auth\s+required\s+pam_faillock\.so.*"' + match_output: deny=5 + grep_args: + - '-E' + tag: CIS-5.3.2 + - /etc/pam.d/password-auth: + pattern: '"^auth\s+required\s+pam_faillock\.so.*"' + match_output: deny=5 + grep_args: + - '-E' + tag: CIS-5.3.2 + description: Ensure lockout for failed password attempts is configured +pkg: + blacklist: + avahi-daemon: + data: + 'Amazon Linux*': + - avahi-daemon: CIS-2.2.3 + description: Ensure Avahi Server is not enabled + cups: + data: + 'Amazon Linux*': + - cups: CIS-2.2.4 + description: Ensure CUPS is not enabled + dhcp: + data: + 'Amazon Linux*': + - dhcp: CIS-2.2.5 + description: Ensure DHCP Server is not enabled + slapd: + data: + 'Amazon Linux*': + - openldap-servers: CIS-2.2.6 + description: Ensure LDAP server is not enabled + ftp: + data: + 'Amazon Linux*': + - perl-ftpd: CIS-2.2.9 + - 
proftpd: CIS-2.2.9 + - pure-ftpd: CIS-2.2.9 + - vsftpd: CIS-2.2.9 + description: Ensure FTP Server is not enabled + nis-client: + data: + 'Amazon Linux*': + - ypbind: CIS-2.3.1 + description: Ensure NIS Client is not installed + nis-server: + data: + 'Amazon Linux*': + - ypserv: CIS-2.2.16 + description: Ensure NIS Server is not enabled + rsh-client: + data: + 'Amazon Linux*': + - rsh: CIS-2.3.2 + description: Ensure rsh client is not installed + rsh-server: + data: + 'Amazon Linux*': + - rsh-server: CIS-2.1.6 + description: Ensure rsh server is not enabled + talk-client: + data: + 'Amazon Linux*': + - talk: CIS-2.3.3 + description: Ensure talk client is not installed + talk-server: + data: + 'Amazon Linux*': + - talk-server: CIS-2.1.7 + description: Ensure talk server is not enabled + telnet-client: + data: + 'Amazon Linux*': + - telnet: CIS-2.3.4 + description: Ensure telnet client is not installed + telnet-server: + data: + 'Amazon Linux*': + - telnet-server: CIS-2.1.8 + description: Ensure telnet server is not enabled + tftp-server: + data: + 'Amazon Linux*': + - tftp-server: CIS-2.1.9 + description: Ensure tftp server is not enabled + xinetd: + data: + 'Amazon Linux*': + - xinetd: CIS-2.1.11 + description: Ensure xinetd is not enabled + xorg-x11-server-common: + data: + 'Amazon Linux*': + - xorg-x11-server-common: CIS-2.2.2 + description: Ensure X Window System is not installed + prelink: + data: + 'Amazon Linux*': + - prelink: CIS-1.5.4 + description: Ensure prelink is disabled + ldap_clients: + data: + 'Amazon Linux*': + - openldap-clients: CIS-2.3.5 + description: Ensure LDAP client is not installed + whitelist: + aide: + data: + 'Amazon Linux*': + - aide: CIS-1.3.1 + description: Ensure AIDE is installed + firewalld: + data: {} + description: Enable firewalld + tcp_wrappers: + data: + 'Amazon Linux*': + - tcp_wrappers: CIS-3.4.1 + description: Ensure TCP Wrappers is installed + iptables: + data: + 'Amazon Linux*': + - iptables: CIS-3.6.1 + description: 
Ensure iptables is installed + syslog: + data: + 'Amazon Linux*': + - rsyslog: CIS-4.2.3 + description: Ensure rsyslog or syslog-ng is installed + syslog-ng: + data: + 'Amazon Linux*': + - syslog-ng: CIS-4.2.3 + description: Ensure rsyslog or syslog-ng is installed +service: + blacklist: + autofs: + data: + 'Amazon Linux*': + - autofs: CIS-1.1.19 + description: Disable Automounting + rsync: + data: + 'Amazon Linux*': + - rsyncd: CIS-2.1.10 + description: Ensure rsync service is not enabled + nfs: + data: + 'Amazon Linux*': + - nfs: CIS-2.2.7 + description: Ensure NFS and RPC are not enabled + rpc: + data: + 'Amazon Linux*': + - rpcbind: CIS-2.2.7 + description: Ensure NFS and RPC are not enabled + named: + data: + 'Amazon Linux*': + - named: CIS-2.2.8 + description: Ensure DNS Server is not enabled + httpd: + data: + 'Amazon Linux*': + - httpd: CIS-2.2.10 + description: Ensure HTTP server is not enabled + pop3_imap: + data: + 'Amazon Linux*': + - dovecot: CIS-2.2.11 + description: Ensure IMAP and POP3 server is not enabled + samba: + data: + 'Amazon Linux*': + - smb: CIS-2.2.12 + description: Ensure Samba is not enabled + http_proxy: + data: + 'Amazon Linux*': + - squid: CIS-2.2.13 + description: Ensure HTTP Proxy Server is not enabled + snmp: + data: + 'Amazon Linux*': + - snmpd: CIS-2.2.14 + description: Ensure SNMP Server is not enabled + chargen_disabled: + data: + 'Amazon Linux*': + - chargen-dgram: CIS-2.1.1 + - chargen-stream: CIS-2.1.1 + description: Ensure chargen services are not enabled + daytime_disabled: + data: + 'Amazon Linux*': + - daytime-dgram: CIS-2.1.2 + - daytime-stream: CIS-2.1.2 + description: Ensure daytime services are not enabled + discard_disabled: + data: + 'Amazon Linux*': + - discard-dgram: CIS-2.1.3 + - discard-stream: CIS-2.1.3 + description: Ensure discard services are not enabled + echo_disabled: + data: + 'Amazon Linux*': + - echo-dgram: CIS-2.1.4 + - echo-stream: CIS-2.1.4 + description: Ensure echo services are not enabled + 
time_disabled: + data: + 'Amazon Linux*': + - time-dgram: CIS-2.1.5 + - time-stream: CIS-2.1.5 + description: Ensure time services are not enabled + whitelist: + crond_running: + data: + 'Amazon Linux*': + - crond: CIS-5.1.1 + description: Ensure cron daemon is enabled + rsyslogd_running: + data: + 'Amazon Linux*': + - rsyslog: CIS-4.2.1.1 + description: Ensure rsyslog Service is enabled + syslog-ng_running: + data: + 'Amazon Linux*': + - syslog-ng: CIS-4.2.2.1 + description: Ensure syslog-ng service is enabled +stat: + at_cron_allow: + data: + 'Amazon Linux*': + - /etc/cron.deny: + gid: null + group: null + mode: null + tag: CIS-5.1.8 + uid: null + user: null + - /etc/at.deny: + gid: null + group: null + mode: null + tag: CIS-5.1.8 + uid: null + user: null + - /etc/cron.allow: + gid: 0 + group: root + mode: 600 + tag: CIS-5.1.8 + uid: 0 + user: root + - /etc/at.allow: + gid: 0 + group: root + mode: 600 + tag: CIS-5.1.8 + uid: 0 + user: root + description: Ensure at/cron is restricted to authorized users + cron_d: + data: + 'Amazon Linux*': + - /etc/cron.d: + gid: 0 + group: root + mode: 700 + tag: CIS-5.1.7 + uid: 0 + user: root + description: Ensure permissions on /etc/cron.d are configured + cron_daily: + data: + 'Amazon Linux*': + - /etc/cron.daily: + gid: 0 + group: root + mode: 700 + tag: CIS-5.1.4 + uid: 0 + user: root + description: Ensure permissions on /etc/cron.daily are configured + cron_hourly: + data: + 'Amazon Linux*': + - /etc/cron.hourly: + gid: 0 + group: root + mode: 700 + tag: CIS-5.1.3 + uid: 0 + user: root + description: Ensure permissions on /etc/cron.hourly are configured + cron_monthly: + data: + 'Amazon Linux*': + - /etc/cron.monthly: + gid: 0 + group: root + mode: 700 + tag: CIS-5.1.6 + uid: 0 + user: root + description: Ensure permissions on /etc/cron.monthly are configured + cron_weekly: + data: + 'Amazon Linux*': + - /etc/cron.weekly: + gid: 0 + group: root + mode: 700 + tag: CIS-5.1.5 + uid: 0 + user: root + description: Ensure 
permissions on /etc/cron.weekly are configured + crontab: + data: + 'Amazon Linux*': + - /etc/crontab: + gid: 0 + group: root + mode: 600 + tag: CIS-5.1.2 + uid: 0 + user: root + description: Ensure permissions on /etc/crontab are configured + passwd_own_perm: + data: + 'Amazon Linux*': + - /etc/passwd: + gid: 0 + group: root + mode: 644 + tag: CIS-6.1.2 + uid: 0 + user: root + description: Ensure permissions on /etc/passwd are configured + shadow_own_perm: + data: + 'Amazon Linux*': + - /etc/shadow: + gid: 0 + group: root + mode: 000 + tag: CIS-6.1.3 + uid: 0 + user: root + description: Ensure permissions on /etc/shadow are configured + group_own_perm: + data: + 'Amazon Linux*': + - /etc/group: + gid: 0 + group: root + mode: 644 + tag: CIS-6.1.4 + uid: 0 + user: root + description: Ensure permissions on /etc/group are configured + gshadow_own_perm: + data: + 'Amazon Linux*': + - /etc/gshadow: + gid: 0 + group: root + mode: 0 + tag: CIS-6.1.5 + uid: 0 + user: root + description: Ensure permissions on /etc/gshadow are configured + passwd-_own_perm: + data: + 'Amazon Linux*': + - /etc/passwd-: + gid: 0 + group: root + mode: 600 + tag: CIS-6.1.6 + uid: 0 + user: root + description: Ensure permissions on /etc/passwd- are configured + shadow-_own_perm: + data: + 'Amazon Linux*': + - /etc/shadow-: + gid: 0 + group: root + mode: 600 + tag: CIS-6.1.7 + uid: 0 + user: root + description: Ensure permissions on /etc/shadow- are configured + group-_own_perm: + data: + 'Amazon Linux*': + - /etc/group-: + gid: 0 + group: root + mode: 600 + tag: CIS-6.1.8 + uid: 0 + user: root + description: Ensure permissions on /etc/group- are configured + gshadow-_own_perm: + data: + 'Amazon Linux*': + - /etc/gshadow-: + gid: 0 + group: root + mode: 600 + tag: CIS-6.1.9 + uid: 0 + user: root + description: Ensure permissions on /etc/gshadow- are configured + grub_conf_own_perm: + data: + 'Amazon Linux*': + - /etc/grub.conf: + gid: 0 + group: root + mode: 600 + tag: CIS-1.4.1 + uid: 0 + user: 
root + description: Ensure permissions on bootloader config are configured + hosts_allow: + data: + 'Amazon Linux*': + - /etc/hosts.allow: + gid: 0 + group: root + mode: 644 + tag: CIS-3.4.4 + uid: 0 + user: root + description: Ensure permissions on /etc/hosts.allow are configured + hosts_deny: + data: + 'Amazon Linux*': + - /etc/hosts.deny: + gid: 0 + group: root + mode: 644 + tag: CIS-3.4.5 + uid: 0 + user: root + description: Ensure permissions on /etc/hosts.deny are configured + sshd_config: + data: + 'Amazon Linux*': + - /etc/ssh/sshd_config: + gid: 0 + group: root + mode: 600 + tag: CIS-5.2.1 + uid: 0 + user: root + description: Ensure permissions on /etc/ssh/sshd_config are configured + warning_banner_issue: + data: + 'Amazon Linux*': + - /etc/issue: + gid: 0 + group: root + mode: 644 + tag: CIS-1.7.1.5 + uid: 0 + user: root + description: Ensure permissions on /etc/issue are configured +sysctl: + bad_error_message_protection: + data: + 'Amazon Linux*': + - net.ipv4.icmp_ignore_bogus_error_responses: + match_output: '1' + tag: CIS-3.2.6 + description: Ensure bogus ICMP responses are ignored + icmp_redirect_acceptance: + data: + 'Amazon Linux*': + - net.ipv4.conf.all.accept_redirects: + match_output: '0' + tag: CIS-3.2.2 + - net.ipv4.conf.default.accept_redirects: + match_output: '0' + tag: CIS-3.2.2 + description: Ensure ICMP redirects are not accepted + ignore_broadcast_requests: + data: + 'Amazon Linux*': + - net.ipv4.icmp_echo_ignore_broadcasts: + match_output: '1' + tag: CIS-3.2.5 + description: Ensure broadcast ICMP requests are ignored + ip_forwarding: + data: + 'Amazon Linux*': + - net.ipv4.ip_forward: + match_output: '0' + tag: CIS-3.1.1 + description: Ensure IP forwarding is disabled + log_suspicious_packets: + data: + 'Amazon Linux*': + - net.ipv4.conf.all.log_martians: + match_output: '1' + tag: CIS-3.2.4 + - net.ipv4.conf.default.log_martians: + match_output: '1' + tag: CIS-3.2.4 + description: Ensure suspicious packets are logged + 
reverse_path_filtering: + data: + 'Amazon Linux*': + - net.ipv4.conf.all.rp_filter: + match_output: '1' + tag: CIS-3.2.7 + - net.ipv4.conf.default.rp_filter: + match_output: '1' + tag: CIS-3.2.7 + description: Ensure Reverse Path Filtering is enabled + ipv6_adverts: + data: + 'Amazon Linux*': + - net.ipv6.conf.all.accept_ra: + match_output: '0' + tag: CIS-3.3.1 + - net.ipv6.conf.default.accept_ra: + match_output: '0' + tag: CIS-3.3.1 + description: Ensure IPv6 router advertisements are not accepted + ipv6_redir: + data: + 'Amazon Linux*': + - net.ipv6.conf.all.accept_redirects: + match_output: '0' + tag: CIS-3.3.2 + - net.ipv6.conf.default.accept_redirects: + match_output: '0' + tag: CIS-3.3.2 + description: Ensure IPv6 redirects are not accepted + randomize_va_space: + data: + 'Amazon Linux*': + - kernel.randomize_va_space: + match_output: '2' + tag: CIS-1.5.3 + description: Ensure address space layout randomization (ASLR) is enabled + restrict_suid_core_dumps: + data: + 'Amazon Linux*': + - fs.suid_dumpable: + match_output: '0' + tag: CIS-1.5.1 + description: Ensure core dumps are restricted + secure_icmp_redirect_acceptance: + data: + 'Amazon Linux*': + - net.ipv4.conf.all.secure_redirects: + match_output: '0' + tag: CIS-3.2.3 + - net.ipv4.conf.default.secure_redirects: + match_output: '0' + tag: CIS-3.2.3 + description: Ensure secure ICMP redirects are not accepted + send_packet_redirect: + data: + 'Amazon Linux*': + - net.ipv4.conf.all.send_redirects: + match_output: '0' + tag: CIS-3.1.2 + - net.ipv4.conf.default.send_redirects: + match_output: '0' + tag: CIS-3.1.2 + description: Ensure packet redirect sending is disabled + source_routed_packet_acceptance: + data: + 'Amazon Linux*': + - net.ipv4.conf.all.accept_source_route: + match_output: '0' + tag: CIS-3.2.1 + - net.ipv4.conf.default.accept_source_route: + match_output: '0' + tag: CIS-3.2.1 + description: Ensure source routed packets are not accepted + tcp_syn_cookies: + data: + 'Amazon Linux*': + - 
net.ipv4.tcp_syncookies: + match_output: '1' + tag: CIS-3.2.8 + description: Ensure TCP SYN Cookies is enabled + +misc: + ensure_password_fields_non_empty: + data: + 'Amazon*Linux*2016*': + tag: CIS-6.2.1 + function: check_password_fields_not_empty + description: Ensure password fields are not empty + no_ungrouped_file_or_directories: + data: + 'Amazon*Linux*2016*': + tag: CIS-6.1.12 + function: ungrouped_files_or_dir + description: Ensure no ungrouped files or directories exist + no_unowned_file_or_directories: + data: + 'Amazon*Linux*2016*': + tag: CIS-6.1.11 + function: unowned_files_or_dir + description: Ensure no unowned files or directories exist + default_group_for_root_account: + data: + 'Amazon*Linux*2016*': + tag: CIS-5.4.3 + function: default_group_for_root + description: Ensure default group for the root account is GID 0 + no_world_writable_file: + data: + 'Amazon*Linux*2016*': + tag: CIS-6.1.10 + function: world_writable_file + description: Ensure no world writable files exist + system_account_non_login: + data: + 'Amazon*Linux*2016*': + tag: CIS-5.4.2 + function: system_account_non_login + description: Ensure system accounts are non-login + sticky_bit_on_world_writable_directories: + data: + 'Amazon*Linux*2016*': + tag: CIS-1.1.18 + function: sticky_bit_on_world_writable_dirs + description: Ensure sticky bit is set on all world-writable directories + root_is_only_uid_0_account: + data: + 'Amazon*Linux*2016*': + tag: CIS-6.2.5 + function: root_is_only_uid_0_account + description: Ensure root is the only UID 0 account diff --git a/hubblestack_nova_profiles/cis/centos-6-level-1-scored-v1-0-0.yaml b/hubblestack_nova_profiles/cis/centos-6-level-1-scored-v1-0-0.yaml new file mode 100644 index 0000000..9cb888f --- /dev/null +++ b/hubblestack_nova_profiles/cis/centos-6-level-1-scored-v1-0-0.yaml 
@@ -0,0 +1,853 @@ +# NOTE: This CIS Profile only includes Level 1 Scored Items for CentOS 6. +# NOTE: Within this file, there are a few sections that should be tailored to your +# organization's specific policy. Search for '# NOTE: ' comments through the file. + +# TODO: Checks that aren't implemented yet: +# 1.1.17 +# 1.2.1 +# 1.5.4 +# 1.5.5 +# 2.1.12-18 +# 3.2 +# 3.3 +# 3.16 +# 4.1.2 +# 4.1.4 +# 5.7 +# 6.1.2 +# 6.1.10 +# 6.3.1 +# 6.3.2 +# 7.2 +# 7.3 +# 7.5 +# 8.2 +# 9.1.11 +# 9.1.12 +# 9.2.1 +# 9.2.5-19 + + +pkg: + blacklist: + + telnet-client: + data: + 'CentOS-6': + - 'telnet': 'CIS-2.1.2' + description: 'Remove telnet Clients' + + telnet-server: + data: + 'CentOS-6': + - 'telnet-server': 'CIS-2.1.1' + description: 'Remove telnet-server' + + rsh-client: + data: + 'CentOS-6': + - 'rsh': 'CIS-2.1.4' + description: 'Remove rsh' + + rsh-server: + data: + 'CentOS-6': + - 'rsh-server': 'CIS-2.1.3' + description: 'Remove rsh-server' + + nis-client: + data: + 'CentOS-6': + - 'ypbind': 'CIS-2.1.5' + description: 'Remove NIS Client' + + nis-server: + data: + 'CentOS-6': + - 'ypserv': 'CIS-2.1.6' + description: 'Remove NIS Server' + + tftp-client: + data: + 'CentOS-6': + - 'tftp': 'CIS-2.1.7' + description: 'Remove tftp' + + tftp-server: + data: + 'CentOS-6': + - 'tftp-server': 'CIS-2.1.8' + description: 'Remove tftp-server' + + talk-client: + data: + 'CentOS-6': + - 'talk': 'CIS-2.1.9' + description: 'Remove talk' + + talk-server: + data: + 'CentOS-6': + - 'talk-server': 'CIS-2.1.10' + description: 'Remove talk-server' + + dhcp: + data: + 'CentOS-6': + - 'dhcp': 'CIS-3.5' + description: 'Remove DHCP Server' + + whitelist: + + rsyslog: + data: + 'CentOS-6': + - 'rsyslog': 'CIS-4.1.1' + description: 'Install the rsyslog package' + + anacron: + data: + 'CentOS-6': + - 'cronie-anacron': 'CIS-6.1.1' + description: 'Enable anacron Daemon' + + + +stat: + grub_conf_own: + data: + 'CentOS-6': + - '/etc/grub.conf': + tag: 'CIS-1.5.1' + user: 'root' + uid: 0 + group: 'root' + gid: 
0 + description: 'Set User/Group Owner on /etc/grub.conf' + + grub_conf_perm: + data: + 'CentOS-6': + - '/etc/grub.conf': + tag: 'CIS-1.5.2' + mode: 600 + description: 'Set Permissions on /etc/grub.conf' + + hosts_allow: + data: + 'CentOS-6': + - '/etc/hosts.allow': + tag: 'CIS-5.5.3' + mode: 644 + description: 'Verify Permissions on /etc/hosts.allow' + + hosts_deny: + data: + 'CentOS-6': + - '/etc/hosts.deny': + tag: 'CIS-5.5.5' + mode: 644 + description: 'Verify Permissions on /etc/hosts.deny' + + anacrontab: + data: + 'CentOS-6': + - '/etc/anacrontab': + tag: 'CIS-6.1.3' + mode: 600 + user: 'root' + uid: 0 + group: 'root' + gid: 0 + description: 'Set User/Group Owner and Permission on /etc/anacrontab' + + crontab: + data: + 'CentOS-6': + - '/etc/crontab': + tag: 'CIS-6.1.4' + mode: 600 + user: 'root' + uid: 0 + group: 'root' + gid: 0 + description: 'Set User/Group Owner and Permission on /etc/crontab' + + cron_hourly: + data: + 'CentOS-6': + - '/etc/cron.hourly': + tag: 'CIS-6.1.5' + mode: 700 + user: 'root' + uid: 0 + group: 'root' + gid: 0 + description: 'Set User/Group Owner and Permission on /etc/cron.hourly' + + cron_daily: + data: + 'CentOS-6': + - '/etc/cron.daily': + tag: 'CIS-6.1.6' + mode: 700 + user: 'root' + uid: 0 + group: 'root' + gid: 0 + description: 'Set User/Group Owner and Permission on /etc/cron.daily' + + cron_weekly: + data: + 'CentOS-6': + - '/etc/cron.weekly': + tag: 'CIS-6.1.7' + mode: 700 + user: 'root' + uid: 0 + group: 'root' + gid: 0 + description: 'Set User/Group Owner and Permission on /etc/cron.weekly' + + cron_monthly: + data: + 'CentOS-6': + - '/etc/cron.monthly': + tag: 'CIS-6.1.8' + mode: 700 + user: 'root' + uid: 0 + group: 'root' + gid: 0 + description: 'Set User/Group Owner and Permission on /etc/cron.monthly' + + cron_d: + data: + 'CentOS-6': + - '/etc/cron.d': + tag: 'CIS-6.1.9' + mode: 700 + user: 'root' + uid: 0 + group: 'root' + gid: 0 + description: 'Set User/Group Owner and Permission on /etc/cron.d' + + 
at_cron_allow: + data: + 'CentOS-6': + - '/etc/cron.deny': + tag: 'CIS-6.1.11' + mode: null + user: null + uid: null + group: null + gid: null + - '/etc/at.deny': + tag: 'CIS-6.1.11' + mode: null + user: null + uid: null + group: null + gid: null + - '/etc/cron.allow': + tag: 'CIS-6.1.11' + mode: 600 + user: 'root' + uid: 0 + group: 'root' + gid: 0 + - '/etc/at.allow': + tag: 'CIS-6.1.11' + mode: 600 + user: 'root' + uid: 0 + group: 'root' + gid: 0 + description: 'Restrict at/cron to Authorized Users' + + sshd_config: + data: + 'CentOS-6': + - '/etc/ssh/sshd_config': + tag: 'CIS-6.2.3' + mode: 600 + user: 'root' + uid: 0 + group: 'root' + gid: 0 + description: 'Set Permissions on /etc/ssh/sshd_config' + + warning_banner: + data: + 'CentOS-6': + - '/etc/motd': + tag: 'CIS-8.1' + mode: 644 + user: 'root' + uid: 0 + group: 'root' + gid: 0 + - '/etc/issue': + tag: 'CIS-8.1' + mode: 644 + user: 'root' + uid: 0 + group: 'root' + gid: 0 + - '/etc/issue.net': + tag: 'CIS-8.1' + mode: 644 + user: 'root' + uid: 0 + group: 'root' + gid: 0 + description: 'Set Warning Banner for Standard Login Services' + + passwd_perm: + data: + 'CentOS-6': + - '/etc/passwd': + tag: 'CIS-9.1.2' + mode: 644 + description: 'Verify Permissions on /etc/passwd' + + passwd_own: + data: + 'CentOS-6': + - '/etc/passwd': + tag: 'CIS-9.1.6' + user: 'root' + uid: 0 + group: 'root' + uid: 0 + description: 'Verify User/Group Ownership on /etc/passwd' + + shadow_perm: + data: + 'CentOS-6': + - '/etc/shadow': + tag: 'CIS-9.1.3' + mode: 0 + description: 'Verify Permissions on /etc/shadow' + + shadow_own: + data: + 'CentOS-6': + - '/etc/shadow': + tag: 'CIS-9.1.7' + user: 'root' + uid: 0 + group: 'root' + gid: 0 + description: 'Verify User/Group Ownership on /etc/shadow' + + gshadow_perm: + data: + 'CentOS-6': + - '/etc/gshadow': + tag: 'CIS-9.1.4' + mode: 0 + description: 'Verify Permissions on /etc/gshadow' + + gshadow_own: + data: + 'CentOS-6': + - '/etc/gshadow': + tag: 'CIS-9.1.8' + user: 'root' + uid: 0 
+ group: 'root' + gid: 0 + description: 'Verify User/Group Ownership on /etc/gshadow' + + group_perm: + data: + 'CentOS-6': + - '/etc/group': + tag: 'CIS-9.1.5' + mode: 644 + description: 'Verify Permissions on /etc/group' + + group_own: + data: + 'CentOS-6': + - '/etc/group': + tag: 'CIS-9.1.9' + user: 'root' + uid: 0 + group: 'root' + gid: 0 + description: 'Verify User/Group Ownership on /etc/group' + + + +sysctl: + bad_error_message_protection: + data: + CentOS-6: + - net.ipv4.icmp_ignore_bogus_error_responses: + match_output: '1' + tag: CIS-5.2.6 + description: Enable Bad Error Message Protection + exec_shield: + data: + CentOS-6: + - kernel.exec-shield: + match_output: '1' + tag: CIS-1.6.2 + description: Configure ExecShield + icmp_redirect_acceptance: + data: + CentOS-6: + - net.ipv4.conf.all.accept_redirects: + match_output: '0' + tag: CIS-5.2.2 + - net.ipv4.conf.default.accept_redirects: + match_output: '0' + tag: CIS-5.2.2 + description: Disable ICMP Redirect Acceptance + ignore_broadcast_requests: + data: + CentOS-6: + - net.ipv4.icmp_echo_ignore_broadcasts: + match_output: '1' + tag: CIS-5.2.5 + description: Enable Ignore Broadcast Requests + ip_forwarding: + data: + CentOS-6: + - net.ipv4.ip_forward: + match_output: '0' + tag: CIS-5.1.1 + description: Disable IP Forwarding + log_suspicious_packets: + data: + CentOS-6: + - net.ipv4.conf.all.log_martians: + match_output: '1' + tag: CIS-5.2.4 + - net.ipv4.conf.default.log_martians: + match_output: '1' + tag: CIS-5.2.4 + description: Log Suspicious Packets + randomize_va_space: + data: + CentOS-6: + - kernel.randomize_va_space: + match_output: '2' + tag: CIS-1.6.3 + description: Enable Randomized Virtual Memory Region Placement + send_packet_redirect: + data: + CentOS-6: + - net.ipv4.conf.all.send_redirects: + match_output: '0' + tag: CIS-5.1.2 + - net.ipv4.conf.default.send_redirects: + match_output: '0' + tag: CIS-5.1.2 + description: Disable Send Packet Redirects + source_routed_packet_acceptance: + 
data: + CentOS-6: + - net.ipv4.conf.all.accept_source_route: + match_output: '0' + tag: CIS-5.2.1 + - net.ipv4.conf.default.accept_source_route: + match_output: '0' + tag: CIS-5.2.1 + description: Disable Source Routed Packet Acceptance + tcp_syn_cookies: + data: + CentOS-6: + - net.ipv4.tcp_syncookies: + match_output: '1' + tag: CIS-5.2.8 + description: Enable TCP SYN Cookies + + +grep: + whitelist: + + fstab_tmp_partition: + data: + CentOS-6: + - '/etc/fstab': + tag: 'CIS-1.1.1' + pattern: '/tmp' + description: 'Create Separate Partition for /tmp' + + fstab_tmp_partition_nodev: + data: + CentOS-6: + - '/etc/fstab': + tag: 'CIS-1.1.2' + pattern: '/tmp' + match_output: 'nodev' + description: 'Set nodev option for /tmp Partition' + + fstab_tmp_partition_nosuid: + data: + CentOS-6: + - '/etc/fstab': + tag: 'CIS-1.1.3' + pattern: '/tmp' + match_output: 'nosuid' + description: 'Set nosuid option for /tmp Partition' + + fstab_tmp_partition_noexec: + data: + CentOS-6: + - '/etc/fstab': + tag: 'CIS-1.1.4' + pattern: '/tmp' + match_output: 'noexec' + description: 'Set noexec option for /tmp Partition' + + fstab_var_partition: + data: + CentOS-6: + - '/etc/fstab': + tag: 'CIS-1.1.5' + pattern: '/var' + description: 'Create Separate Partition for /var' + + fstab_var_tmp_bind_mount: + data: + CentOS-6: + - '/etc/fstab': + tag: 'CIS-1.1.6' + pattern: '/tmp' + match_output: '/var/tmp' + description: 'Bind Mount the /var/tmp directory to /tmp' + + fstab_var_log_partition: + data: + CentOS-6: + - '/etc/fstab': + tag: 'CIS-1.1.7' + pattern: '/var/log' + description: 'Create Separate Partition for /var/log' + + fstab_var_log_audit_partition: + data: + CentOS-6: + - '/etc/fstab': + tag: 'CIS-1.1.8' + pattern: '/var/log/audit' + description: 'Create Separate Partition for /var/log/audit' + + fstab_home_partition: + data: + CentOS-6: + - '/etc/fstab': + tag: 'CIS-1.1.9' + pattern: '/home' + description: 'Create Separate Partition for /home' + + fstab_home_partition_nodev: + data: + 
CentOS-6: + - '/etc/fstab': + tag: 'CIS-1.1.10' + pattern: '/home' + match_output: 'nodev' + description: 'Add nodev Option to /home' + + fstab_dev_shm_partition_nodev: + data: + CentOS-6: + - '/etc/fstab': + tag: 'CIS-1.1.14' + pattern: '/dev/shm' + match_output: 'nodev' + description: 'Add nodev Option to /dev/shm Partition' + + fstab_dev_shm_partition_nosuid: + data: + CentOS-6: + - '/etc/fstab': + tag: 'CIS-1.1.15' + pattern: '/dev/shm' + match_output: 'nosuid' + description: 'Add nosuid Option to /dev/shm Partition' + + fstab_dev_shm_partition_noexec: + data: + CentOS-6: + - '/etc/fstab': + tag: 'CIS-1.1.16' + pattern: '/dev/shm' + match_output: 'noexec' + description: 'Add noexec Option to /dev/shm Partition' + + activate_gpg_check: + data: + CentOS-6: + - '/etc/yum.conf': + tag: 'CIS-1.2.2' + pattern: 'gpgcheck' + match_output: 'gpgcheck=1' + description: 'Verify that gpgcheck is Globally Activated' + + boot_loader_passwd: + data: + 'CentOS-6': + - '/etc/grub.conf': + tag: 'CIS-1.5.3' + pattern: '^password' + description: 'Set Boot Loader Password' + + restrict_core_dumps: + data: + 'CentOS-6': + - '/etc/security/limits.conf': + tag: 'CIS-1.6.1' + pattern: 'hard core' + description: 'Restrict Core Dumps' + + set_daemon_umask: + data: + 'CentOS-6': + - '/etc/sysconfig/init': + tag: 'CIS-3.1' + pattern: 'umask' + match_output: 'umask 027' + description: 'Set Daemon umask' + + configure_ntp: + data: + 'CentOS-6': + - '/etc/ntp.conf': + tag: 'CIS-3.6' + pattern: 'restrict default' + - '/etc/ntp.conf': + tag: 'CIS-3.6' + pattern: 'restrict -6 default' + - '/etc/ntp.conf': + tag: 'CIS-3.6' + pattern: '^server' + - '/etc/sysconfig/ntpd': + tag: 'CIS-3.6' + pattern: 'ntp:ntp' + description: 'Configure Network Time Protocol (NTP)' + + rsyslog_remote_logging: + data: + 'CentOS-6': + - '/etc/rsyslog.conf': + tag: 'CIS-4.1.5' + pattern: "^*.*[^I][^I]*@" + description: 'Configure rsyslog to Send Logs to a Remote Log Host' + + sshd_protocol_2: + data: + 'CentOS-6': + - 
'/etc/ssh/sshd_config': + tag: 'CIS-6.2.1' + pattern: "^Protocol" + match_output: 'Protocol 2' + description: 'Set SSH Protocol to 2' + + sshd_loglevel_info: + data: + 'CentOS-6': + - '/etc/ssh/sshd_config': + tag: 'CIS-6.2.2' + pattern: "^LogLevel" + match_output: 'LogLevel INFO' + description: 'Set LogLevel to INFO' + + sshd_x11_forwarding: + data: + 'CentOS-6': + - '/etc/ssh/sshd_config': + tag: 'CIS-6.2.4' + pattern: "^X11Forwarding" + match_output: 'X11Forwarding no' + description: 'Disable SSH X11 Forwarding' + + # NOTE: Need to update this entry to reflect your organization's password policy + sshd_max_auth_retries: + data: + 'CentOS-6': + - '/etc/ssh/sshd_config': + tag: 'CIS-6.2.5' + pattern: "^MaxAuthTries" + match_output: "MaxAuthTries 4" + description: 'Set SSH MaxAuthTries to 4 or Less' + + sshd_ignore_rhosts: + data: + 'CentOS-6': + - '/etc/ssh/sshd_config': + tag: 'CIS-6.2.6' + pattern: "^IgnoreRhosts" + match_output: "IgnoreRhosts yes" + description: 'Set SSH IgnoreRhosts to Yes' + + sshd_hostbased_auth: + data: + 'CentOS-6': + - '/etc/ssh/sshd_config': + tag: 'CIS-6.2.7' + pattern: "^HostbasedAuthentication" + match_output: "HostbasedAuthentication no" + description: 'Set SSH HostbasedAuthentication to No' + + sshd_disable_root_login: + data: + 'CentOS-6': + - '/etc/ssh/sshd_config': + tag: 'CIS-6.2.8' + pattern: "^PermitRootLogin" + match_output: "PermitRootLogin no" + description: 'Disable SSH Root Login' + + sshd_permit_empty_passwords: + data: + 'CentOS-6': + - '/etc/ssh/sshd_config': + tag: 'CIS-6.2.9' + pattern: "^PermitEmptyPasswords" + match_output: "PermitEmptyPasswords no" + description: 'Set SSH PermitEmptyPasswords to No' + + sshd_permit_user_environment: + data: + 'CentOS-6': + - '/etc/ssh/sshd_config': + tag: 'CIS-6.2.10' + pattern: "^PermitUserEnvironment" + match_output: "PermitUserEnvironment no" + description: 'Do Not Allow Users to Set Environment Options' + + sshd_approved_cipher: + data: + 'CentOS-6': + - 
'/etc/ssh/sshd_config': + tag: 'CIS-6.2.11' + pattern: "Ciphers" + match_output: "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$" + match_output_regex: True + description: 'Use Only Approved Cipher in Counter Mode' + + sshd_idle_timeout: + data: + 'CentOS-6': + - '/etc/ssh/sshd_config': + tag: 'CIS-6.2.12' + pattern: "^ClientAliveInterval" + match_output: "ClientAliveInterval 300" + - '/etc/ssh/sshd_config': + tag: 'CIS-6.2.12' + pattern: "^ClientAliveCountMax" + match_output: "ClientAliveCountMax 0" + description: 'Set Idle Timeout Interval for User Login' + + sshd_limit_access: + data: + 'CentOS-6': + - '/etc/ssh/sshd_config': + tag: 'CIS-6.2.13' + pattern: '(^AllowUsers)|(^AllowGroups)|(^DenyUsers)|(^DenyGroups)' + grep_args: + - '-E' + description: 'Limit Access via SSH' + + sshd_banner: + data: + 'CentOS-6': + - '/etc/ssh/sshd_config': + tag: 'CIS-6.2.14' + pattern: "^Banner" + description: 'Set SSH Banner' + + # NOTE: Need to update this entry to reflect your organization's password policy + limit_password_reuse: + data: + 'CentOS-6': + - '/etc/pam.d/system-auth': + tag: 'CIS-6.3.4' + pattern: "pam_unix.so" + match_output: "remember=5" # number of passwords to remember + description: 'Limit Password Reuse' + + limit_su_command_access: + data: + 'CentOS-6': + - '/etc/pam.d/su': + tag: 'CIS-6.5' + pattern: "pam_wheel.so" + match_output: "use_uid" + - '/etc/group': + tag: 'CIS-6.5' + pattern: "wheel" + description: 'Restrict Access to the su Command' + + # NOTE: Need to update this entry to reflect your organization's password policy + passwd_expiration_days: + data: + 'CentOS-6': + - '/etc/login.defs': + tag: 'CIS-7.1.1' + pattern: "PASS_MAX_DAYS" + match_output: "90" + description: 'Set Password Expiration Days' + + # NOTE: Need to update this entry to 
reflect your organization's password policy + passwd_change_min_days: + data: + 'CentOS-6': + - '/etc/login.defs': + tag: 'CIS-7.1.2' + pattern: "PASS_MIN_DAYS" + match_output: "7" + description: 'Set Password Change Minimum Number of Days' + + # NOTE: Need to update this entry to reflect your organization's password policy + passwd_expiry_warning: + data: + 'CentOS-6': + - '/etc/login.defs': + tag: 'CIS-7.1.3' + pattern: "PASS_WARN_AGE" + match_output: "7" + description: 'Set Password Expiring Warning Days' + + default_umask: + data: + 'CentOS-6': + - '/etc/bashrc': + tag: 'CIS-7.4' + pattern: "^umask 077" + - '/etc/profile': + tag: 'CIS-7.4' + pattern: "^umask 077" + description: 'Set Default umask for Users' + + blacklist: + legacy_passwd_entries_passwd: + data: + 'CentOS-6': + - '/etc/passwd': + tag: 'CIS-9.2.2' + pattern: "^+:" + description: 'Verify No Legacy "+" Entries Exist in /etc/passwd File' + + legacy_passwd_entries_shadow: + data: + 'CentOS-6': + - '/etc/shadow': + tag: 'CIS-9.2.3' + pattern: "^+:" + description: 'Verify No Legacy "+" Entries Exist in /etc/shadow File' + + legacy_passwd_entries_group: + data: + 'CentOS-6': + - '/etc/group': + tag: 'CIS-9.2.4' + pattern: "^+:" + description: 'Verify No Legacy "+" Entries Exist in /etc/group File' diff --git a/hubblestack_nova_profiles/cis/centos-6-level-1-scored-v2-0-1.yaml b/hubblestack_nova_profiles/cis/centos-6-level-1-scored-v2-0-1.yaml index 3434304..09f1beb 100644 --- a/hubblestack_nova_profiles/cis/centos-6-level-1-scored-v2-0-1.yaml +++ b/hubblestack_nova_profiles/cis/centos-6-level-1-scored-v2-0-1.yaml 
@@ -1,7 +1,38 @@ -# NOTE: This CIS Profile only includes Level 1 Scored Items for CentOS6. +# NOTE: This CIS Profile only includes Level 1 Scored Items for CentOS 6. # NOTE: Within this file, there are a few sections that should be tailored to your # organization's specific policy. Search for '# NOTE: ' comments through the file. +# TODO: Checks that aren't implemented yet: +# 1.1.21 +# 1.1.22 +# 1.3.1 +# 1.3.2 +# 1.4.3 +# 1.4.4 +# 1.5.4 +# 1.7.2 +# 1.7.1.1 +# 2.1.1-5 +# 2.1.10 +# 2.2.2-4 +# 2.2.6-15 +# 2.2.1.3 +# 2.3.5 +# 3.4.1-3 +# 3.6.1-3 +# 3.6.5 +# 4.2.2.1 +# 4.2.2.3 +# 4.2.4 +# 5.3.1 +# 5.3.2 +# 5.3.4 +# 5.4.1.4 +# 5.4.2 +# 5.4.3 +# 6.1.10-12 +# 6.2.1 +# 6.2.5-19 pkg: @@ -40,11 +71,6 @@ pkg: - 'ypserv': CIS-2.2.16 description: Ensure NIS Server is not enabled - tftp-client: - data: - 'CentOS-6': - - 'tftp': CIS-2.1.7 - description: Remove tftp (Scored) tftp-server: data: 'CentOS-6': @@ -82,24 +108,8 @@ pkg: - 'rsyslog': CIS-4.2.3 description: Ensure rsyslog or syslog-ng is installed - anacron: - data: - 'CentOS-6': - - 'cronie-anacron': CIS-6.1.1 - description: Enable anacron Daemon stat: - grub_conf_own: - data: - 'CentOS-6': - - '/etc/grub.conf': - tag: CIS-1.5.1 - user: 'root' - uid: 0 - group: 'root' - gid: 0 - description: Grub must be owned by root - grub_conf_perm: data: 'CentOS-6': @@ -124,18 +134,6 @@ stat: mode: 644 description: Ensure permissions on /etc/hosts.deny are configured - anacrontab: - data: - 'CentOS-6': - - '/etc/anacrontab': - tag: CIS-6.1.3 - mode: 600 - user: 'root' - uid: 0 - group: 'root' - gid: 0 - description: /etc/anacrontab file be owned by root and must have permissions 600 - crontab: data: 'CentOS-6': 
@@ -208,18 +206,6 @@ stat: gid: 0 description: Ensure permissions on /etc/cron.d are configured - at_allow: - data: - 'CentOS-6': - - '/etc/at.allow': - tag: CIS-6.1.10 - mode: 600 - user: 'root' - uid: 0 - group: 'root' - gid: 0 - description: /etc/at.allow must be owned by root and have persmissions 600 - at_cron_allow: data: 'CentOS-6': @@ -244,7 +230,7 @@ stat: uid: 0 group: 'root' gid: 0 - - '/etc/at/allow': + - '/etc/at.allow': tag: CIS-5.1.8 mode: 600 user: 'root' @@ -277,30 +263,6 @@ stat: gid: 0 description: Ensure permissions on /etc/issue are configured - warning_banner-issue.net: - data: - 'CentOS-6': - - '/etc/issue.net': - tag: CIS-8.1 - mode: 644 - user: 'root' - uid: 0 - group: 'root' - gid: 0 - description: Ensure permissions on /etc/issue.net are configured - - warning_banner-motd: - data: - 'CentOS-6': - - '/etc/motd': - tag: CIS-8.1 - mode: 644 - user: 'root' - uid: 0 - group: 'root' - gid: 0 - description: Ensure permissions on /etc/motd are configured - passwd_perm: data: 'CentOS-6': @@ -387,13 +349,6 @@ sysctl: match_output: '1' tag: CIS-3.2.6 description: Ensure bogus ICMP responses are ignored - exec_shield: - data: - 'CentOS-6': - - kernel.exec-shield: - match_output: '1' - tag: CIS-1.6.2 - description: Configure ExecShield (Scored) icmp_redirect_acceptance: data: 'CentOS-6': 
@@ -404,6 +359,26 @@ sysctl: match_output: '0' tag: CIS-3.2.2 description: Ensure ICMP redirects are not accepted + ipv6_redirect_acceptance: + data: + 'CentOS-6': + - net.ipv6.conf.all.accept_redirects: + match_output: '0' + tag: CIS-3.3.2 + - net.ipv6.conf.default.accept_redirects: + match_output: '0' + tag: CIS-3.3.2 + description: Ensure IPv6 redirects are not accepted + icmp_secure_redirect_acceptance: + data: + 'CentOS-6': + - net.ipv4.conf.all.secure_redirects: + match_output: '0' + tag: CIS-3.2.3 + - net.ipv4.conf.default.secure_redirects: + match_output: '0' + tag: CIS-3.2.3 + description: Ensure secure ICMP redirects are not accepted ignore_broadcast_requests: data: 'CentOS-6': @@ -455,6 +430,26 @@ sysctl: match_output: '0' tag: CIS-3.2.1 description: Ensure source routed packets are not accepted + ipv6_router_advertisements: + data: + 'CentOS-6': + - net.ipv6.conf.all.accept_ra: + match_output: '0' + tag: CIS-3.3.1 + - net.ipv6.conf.default.accept_ra: + match_output: '0' + tag: CIS-3.3.1 + description: Ensure IPv6 router advertisements are not accepted + reverse_path_filtering: + data: + 'CentOS-6': + - net.ipv4.conf.all.rp_filter: + match_output: '1' + tag: CIS-3.2.7 + - net.ipv4.conf.default.rp_filter: + match_output: '1' + tag: CIS-3.2.7 + description: Ensure Reverse Path Filtering is enabled tcp_syn_cookies: data: 'CentOS-6': 
@@ -466,23 +461,112 @@ sysctl: grep: whitelist: - - fstab_tmp_partition: + disable_mount_cramfs: + data: + 'CentOS-6': + - /etc/modprobe.d: + match_output: /bin/true + pattern: cramfs + grep_args: + - '-r' + tag: CIS-1.1.1.1 + description: Ensure mounting of cramfs filesystems is disabled + disable_mount_freevxfs: + data: + 'CentOS-6': + - /etc/modprobe.d: + match_output: /bin/true + pattern: freevxfs + grep_args: + - '-r' + tag: CIS-1.1.1.2 + description: Ensure mounting of freevxfs filesystems is disabled + disable_mount_jffs2: + data: + 'CentOS-6': + - /etc/modprobe.d: + match_output: /bin/true + pattern: jffs2 + grep_args: + - '-r' + tag: CIS-1.1.1.3 + description: Ensure mounting of jffs2 filesystems is disabled + disable_mount_hfs: + data: + 'CentOS-6': + - /etc/modprobe.d: + match_output: /bin/true + pattern: hfs + grep_args: + - '-r' + tag: CIS-1.1.1.4 + description: Ensure mounting of hfs filesystems is disabled + disable_mount_hfsplus: + data: + 'CentOS-6': + - /etc/modprobe.d: + match_output: /bin/true + pattern: hfsplus + grep_args: + - '-r' + tag: CIS-1.1.1.5 + description: Ensure mounting of hfsplus filesystems is disabled + disable_mount_squashfs: + data: + 'CentOS-6': + - /etc/modprobe.d: + match_output: /bin/true + pattern: squashfs + grep_args: + - '-r' + tag: CIS-1.1.1.6 + description: Ensure mounting of squashfs filesystems is disabled + disable_mount_udf: + data: + 'CentOS-6': + - /etc/modprobe.d: + match_output: /bin/true + pattern: udf + grep_args: + - '-r' + tag: CIS-1.1.1.7 + description: Ensure mounting of udf filesystems is disabled + disable_mount_fat: + data: + 'CentOS-6': + - /etc/modprobe.d: + match_output: /bin/true + pattern: vfat + grep_args: + - '-r' + tag: CIS-1.1.1.8 + description: Ensure mounting of FAT filesystems is disabled + fstab_tmp_partition_nodev: data: 'CentOS-6': - '/etc/fstab': - tag: CIS-1.1.1 + tag: CIS-1.1.3 pattern: '/tmp' - description: Create Separate Partition for /tmp (Scored) + match_output: 'nodev' + 
description: Ensure nodev option set on /tmp partition - fstab_tmp_partition_nodev: + fstab_var_tmp_partition_nodev: data: 'CentOS-6': - '/etc/fstab': - tag: CIS-1.1.3 - pattern: '/tmp' + tag: CIS-1.1.8 + pattern: '/var/tmp' match_output: 'nodev' - description: Ensure nodev option set on /tmp partition + description: Ensure nodev option set on /var/tmp partition + + fstab_var_tmp_partition_nosuid: + data: + 'CentOS-6': + - '/etc/fstab': + tag: CIS-1.1.9 + pattern: '/var/tmp' + match_output: 'nosuid' + description: Ensure nosuid option set on /var/tmp partition fstab_tmp_partition_nosuid: data: @@ -502,47 +586,6 @@ grep: match_output: 'noexec' description: Ensure noexec option set on /tmp partition - fstab_var_partition: - data: - 'CentOS-6': - - '/etc/fstab': - tag: CIS-1.1.5 - pattern: '/var' - description: Create Separate Partition for /var (Scored) - - fstab_var_tmp_bind_mount: - data: - 'CentOS-6': - - '/etc/fstab': - tag: CIS-1.1.6 - pattern: '/tmp' - match_output: '/var/tmp' - description: Bind Mount the /var/tmp directory to /tmp (Scored) - - fstab_var_log_partition: - data: - 'CentOS-6': - - '/etc/fstab': - tag: CIS-1.1.7 - pattern: '/var/log' - description: Create Separate Partition for /var/log (Scored) - - fstab_var_log_audit_partition: - data: - 'CentOS-6': - - '/etc/fstab': - tag: CIS-1.1.8 - pattern: '/var/log/audit' - description: Create Separate Partition for /var/log/audit (Scored) - - fstab_home_partition: - data: - 'CentOS-6': - - '/etc/fstab': - tag: CIS-1.1.9 - pattern: '/home' - description: Create Separate Partition for /home (Scored) - fstab_home_partition_nodev: data: 'CentOS-6': @@ -579,6 +622,15 @@ grep: match_output: 'noexec' description: Ensure noexec option set on /dev/shm partition + fstab_var_tmp_partition_noexec: + data: + 'CentOS-6': + - '/etc/fstab': + tag: CIS-1.1.10 + pattern: '/var/tmp' + match_output: 'noexec' + description: Ensure noexec option set on /var/tmp partition + activate_gpg_check: data: 'CentOS-6': 
@@ -604,15 +656,6 @@ grep: pattern: 'hard core' description: Ensure core dumps are restricted - set_daemon_umask: - data: - 'CentOS-6': - - '/etc/sysconfig/init': - tag: CIS-5.4.4 - pattern: 'umask' - match_output: 'umask 027' - description: Ensure default user umask is 027 or more restrictive - configure_ntp: data: 'CentOS-6': @@ -630,13 +673,22 @@ grep: pattern: 'ntp:ntp' description: Ensure ntp is configured + rsyslog_default_file_permissions: + data: + 'CentOS-6': + - '/etc/rsyslog.conf': + tag: CIS-4.2.1.3 + pattern: "^\\$FileCreateMode" + match_output: '$FileCreateMode 0640' + description: Ensure rsyslog default file permissions configured + rsyslog_remote_logging: data: 'CentOS-6': - '/etc/rsyslog.conf': - tag: CIS-5.1.5 + tag: CIS-4.2.1.4 pattern: "^*.*[^I][^I]*@" - description: Configure rsyslog to Send Logs to a Remote Log Host (Scored) + description: Ensure rsyslog is configured to send logs to a remote log host sshd_protocol_2: data: @@ -725,7 +777,8 @@ grep: - '/etc/ssh/sshd_config': tag: CIS-5.2.11 pattern: "Ciphers" - match_output: "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" + match_output: "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$" + match_output_regex: True description: Ensure only approved ciphers are used sshd_approved_mac: @@ -763,11 +816,11 @@ grep: data: 'CentOS-6': - '/etc/ssh/sshd_config': - tag: CIS-5.2.1 + tag: CIS-5.2.15 pattern: '(^AllowUsers)|(^AllowGroups)|(^DenyUsers)|(^DenyGroups)' grep_args: - '-E' - description: Ensure permissions on /etc/ssh/sshd_config are configured + description: Ensure SSH access is limited sshd_banner: data: 
@@ -830,12 +883,12 @@ grep: data: 'CentOS-6': - '/etc/bashrc': - tag: CIS-7.4 + tag: CIS-5.4.4 pattern: "^umask 077" - '/etc/profile': - tag: CIS-7.4 + tag: CIS-5.4.4 pattern: "^umask 077" - description: Set Default umask for Users (Scored) + description: Ensure default user umask is 027 or more restrictive blacklist: legacy_passwd_entries_passwd: @@ -862,3 +915,15 @@ grep: pattern: "^+:" description: Ensure no legacy "+" entries exist in /etc/group +service: + whitelist: + rsyslogd_running: + data: + 'CentOS-6': + - rsyslog: CIS-4.2.1.1 + description: Ensure rsyslog Service is enabled + crond_running: + data: + 'CentOS-6': + - crond: CIS-5.1.1 + description: Ensure cron daemon is enabled \ No newline at end of file diff --git a/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v1-0-0.yaml b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v1-0-0.yaml new file mode 100644 index 0000000..e9a299b --- /dev/null +++ b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v1-0-0.yaml 
@@ -0,0 +1,795 @@ +# NOTE: This CIS Profile only includes Level 1 Scored Items for CentOS7. +# NOTE: Within this file, there are a few sections that should be tailored to your +# organization's specific policy. Search for '# NOTE: ' comments through the file. + +# TODO: Checks that aren't implemented yet: +# 1.1.17 +# 1.2.1 +# 2.1.12-18 +# 3.16 +# 5.1.4 +# 6.1.10 +# 6.3.1 +# 6.3.2 +# 7.2 +# 7.3 +# 7.5 +# 8.2 +# 9.1.11 +# 9.1.12 +# 9.2.1 +# 9.2.5-20 + + +grep: + blacklist: + legacy_passwd_entries_group: + data: + CentOS Linux-7: + - /etc/group: + pattern: '^+:' + tag: CIS-9.2.4 + description: Verify No Legacy "+" Entries Exist in /etc/group File + legacy_passwd_entries_passwd: + data: + CentOS Linux-7: + - /etc/passwd: + pattern: '^+:' + tag: CIS-9.2.2 + description: Verify No Legacy "+" Entries Exist in /etc/passwd File + legacy_passwd_entries_shadow: + data: + CentOS Linux-7: + - /etc/shadow: + pattern: '^+:' + tag: CIS-9.2.3 + description: Verify No Legacy "+" Entries Exist in /etc/shadow File + whitelist: + activate_gpg_check: + data: + CentOS Linux-7: + - /etc/yum.conf: + match_output: gpgcheck=1 + pattern: gpgcheck + tag: CIS-1.2.2 + description: Verify that gpgcheck is Globally Activated + boot_loader_passwd: + data: + CentOS Linux-7: + - /boot/grub2/grub.cfg: + pattern: ^password + tag: CIS-1.5.3 + description: Set Boot Loader Password + configure_ntp: + data: + CentOS Linux-7: + - /etc/ntp.conf: + pattern: restrict default + tag: CIS-3.6 + - /etc/ntp.conf: + pattern: restrict -6 default + tag: CIS-3.6 + - '/etc/ntp.conf': + tag: 'CIS-3.6' + pattern: '^server' + - '/etc/sysconfig/ntpd': + tag: 'CIS-3.6' + pattern: 'ntp:ntp' + description: Configure Network Time Protocol (NTP) + default_umask: + data: + CentOS Linux-7: + - /etc/bashrc: + pattern: ^umask 077 + tag: CIS-7.4 + - /etc/profile.d/*: + pattern: ^umask 077 + tag: CIS-7.4 + description: Set Default umask for Users + fstab_dev_shm_partition_nodev: + data: + CentOS Linux-7: + - /etc/fstab: + 
match_output: nodev + pattern: /dev/shm + tag: CIS-1.1.14 + description: Add nodev Option to /dev/shm Partition + fstab_dev_shm_partition_noexec: + data: + CentOS Linux-7: + - /etc/fstab: + match_output: noexec + pattern: /dev/shm + tag: CIS-1.1.16 + description: Add noexec Option to /dev/shm Partition + fstab_dev_shm_partition_nosuid: + data: + CentOS Linux-7: + - /etc/fstab: + match_output: nosuid + pattern: /dev/shm + tag: CIS-1.1.15 + description: Add nosuid Option to /dev/shm Partition + fstab_home_partition: + data: + CentOS Linux-7: + - /etc/fstab: + pattern: /home + tag: CIS-1.1.9 + description: Create Separate Partition for /home + fstab_home_partition_nodev: + data: + CentOS Linux-7: + - /etc/fstab: + match_output: nodev + pattern: /home + tag: CIS-1.1.10 + description: Add nodev Option to /home + fstab_tmp_partition: + data: + CentOS Linux-7: + - /etc/fstab: + pattern: /tmp + tag: CIS-1.1.1 + description: Create Separate Partition for /tmp + fstab_tmp_partition_nodev: + data: + CentOS Linux-7: + - /etc/fstab: + match_output: nodev + pattern: /tmp + tag: CIS-1.1.2 + description: Set nodev option for /tmp Partition + fstab_tmp_partition_noexec: + data: + CentOS Linux-7: + - /etc/fstab: + match_output: noexec + pattern: /tmp + tag: CIS-1.1.4 + description: Set noexec option for /tmp Partition + fstab_tmp_partition_nosuid: + data: + CentOS Linux-7: + - /etc/fstab: + match_output: nosuid + pattern: /tmp + tag: CIS-1.1.3 + description: Set nosuid option for /tmp Partition + fstab_var_log_audit_partition: + data: + CentOS Linux-7: + - /etc/fstab: + pattern: /var/log/audit + tag: CIS-1.1.8 + description: Create Separate Partition for /var/log/audit + fstab_var_log_partition: + data: + CentOS Linux-7: + - /etc/fstab: + pattern: /var/log + tag: CIS-1.1.7 + description: Create Separate Partition for /var/log + fstab_var_partition: + data: + CentOS Linux-7: + - /etc/fstab: + pattern: /var + tag: CIS-1.1.5 + description: Create Separate Partition for /var + 
fstab_var_tmp_bind_mount: + data: + CentOS Linux-7: + - /etc/fstab: + match_output: /var/tmp + pattern: /tmp + tag: CIS-1.1.6 + description: Bind Mount the /var/tmp directory to /tmp + limit_password_reuse: + data: + CentOS Linux-7: + - /etc/pam.d/system-auth: + match_output: remember=5 + pattern: pam_unix.so + tag: CIS-6.3.4 + description: Limit Password Reuse + limit_su_command_access: + data: + CentOS Linux-7: + - /etc/pam.d/su: + match_output: use_uid + pattern: pam_wheel.so + tag: CIS-6.5 + - /etc/group: + pattern: wheel + tag: CIS-6.5 + description: Restrict Access to the su Command + pam_cracklib_try_first_pass: + data: {} + description: PAM cracklib policy + passwd_change_min_days: + data: + CentOS Linux-7: + - /etc/login.defs: + match_output: '7' + pattern: PASS_MIN_DAYS + tag: CIS-7.1.2 + description: Set Password Change Minimum Number of Days + passwd_expiration_days: + data: + CentOS Linux-7: + - /etc/login.defs: + match_output: '90' + pattern: PASS_MAX_DAYS + tag: CIS-7.1.1 + description: Set Password Expiration Days + passwd_expiry_warning: + data: + CentOS Linux-7: + - /etc/login.defs: + match_output: '7' + pattern: PASS_WARN_AGE + tag: CIS-7.1.3 + description: Set Password Expiring Warning Days + restrict_core_dumps: + data: + CentOS Linux-7: + - /etc/security/limits.conf: + pattern: hard core + tag: CIS-1.6.1 + description: Restrict Core Dumps + rsyslog_remote_logging: + data: + CentOS Linux-7: + - /etc/rsyslog.conf: + pattern: ^*.*[^I][^I]*@ + tag: CIS-5.1.5 + description: Configure rsyslog to Send Logs to a Remote Log Host + set_daemon_umask: + data: + CentOS Linux-7: + - /etc/sysconfig/init: + match_output: umask 027 + pattern: umask + tag: CIS-3.1 + description: Set Daemon umask + sshd_approved_cipher: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + match_output: '^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers 
aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$' + match_output_regex: True + pattern: Ciphers + tag: CIS-6.2.11 + description: Use Only Approved Cipher in Counter Mode + sshd_banner: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + pattern: ^Banner + tag: CIS-6.2.14 + description: Set SSH Banner + sshd_disable_root_login: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + match_output: PermitRootLogin no + pattern: ^PermitRootLogin + tag: CIS-6.2.8 + description: Disable SSH Root Login + sshd_hostbased_auth: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + match_output: HostbasedAuthentication no + pattern: ^HostbasedAuthentication + tag: CIS-6.2.7 + description: Set SSH HostbasedAuthentication to No + sshd_idle_timeout: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + match_output: ClientAliveInterval 300 + pattern: ^ClientAliveInterval + tag: CIS-6.2.12 + - /etc/ssh/sshd_config: + match_output: ClientAliveCountMax 0 + pattern: ^ClientAliveCountMax + tag: CIS-6.2.12 + description: Set Idle Timeout Interval for User Login + sshd_ignore_rhosts: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + match_output: IgnoreRhosts yes + pattern: ^IgnoreRhosts + tag: CIS-6.2.6 + description: Set SSH IgnoreRhosts to Yes + sshd_limit_access: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + pattern: ^AllowUsers + tag: CIS-6.2.13 + - /etc/ssh/sshd_config: + pattern: ^AllowGroups + tag: CIS-6.2.13 + - /etc/ssh/sshd_config: + pattern: ^DenyUsers + tag: CIS-6.2.13 + - /etc/ssh/sshd_config: + pattern: ^DenyGroups + tag: CIS-6.2.13 + description: Limit Access via SSH + sshd_loglevel_info: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + match_output: LogLevel INFO + pattern: ^LogLevel + tag: CIS-6.2.2 + description: Set LogLevel to INFO + sshd_max_auth_retries: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + match_output: MaxAuthTries 4 + pattern: ^MaxAuthTries + tag: CIS-6.2.5 
+ description: Set SSH MaxAuthTries to 4 or Less + sshd_permit_empty_passwords: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + match_output: PermitEmptyPasswords no + pattern: ^PermitEmptyPasswords + tag: CIS-6.2.9 + description: Set SSH PermitEmptyPasswords to No + sshd_permit_user_environment: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + match_output: PermitUserEnvironment no + pattern: ^PermitUserEnvironment + tag: CIS-6.2.10 + description: Do Not Allow Users to Set Environment Options + sshd_protocol_2: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + match_output: Protocol 2 + pattern: ^Protocol + tag: CIS-6.2.1 + description: Set SSH Protocol to 2 + sshd_x11_forwarding: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + match_output: X11Forwarding no + pattern: ^X11Forwarding + tag: CIS-6.2.4 + description: Disable SSH X11 Forwarding +pkg: + blacklist: + avahi-daemon: + data: + CentOS Linux-7: + - avahi-daemon: CIS-3.3 + description: Disable Avahi Server + dhcp: + data: + CentOS Linux-7: + - dhcp: CIS-3.5 + description: Remove DHCP Server + nis-client: + data: + CentOS Linux-7: + - ypbind: CIS-2.1.5 + description: Remove NIS Client + nis-server: + data: + CentOS Linux-7: + - ypserv: CIS-2.1.6 + description: Remove NIS Server + rsh-client: + data: + CentOS Linux-7: + - rsh: CIS-2.1.4 + description: Remove rsh + rsh-server: + data: + CentOS Linux-7: + - rsh-server: CIS-2.1.3 + description: Remove rsh-server + talk-client: + data: + CentOS Linux-7: + - talk: CIS-2.1.9 + description: Remove talk + talk-server: + data: + CentOS Linux-7: + - talk-server: CIS-2.1.10 + description: Remove talk-server + telnet-client: + data: + CentOS Linux-7: + - telnet: CIS-2.1.2 + description: Remove telnet Clients + telnet-server: + data: + CentOS Linux-7: + - telnet-server: CIS-2.1.1 + description: Remove telnet-server + tftp-client: + data: + CentOS Linux-7: + - tftp: CIS-2.1.7 + description: Remove tftp + tftp-server: + data: + CentOS Linux-7: + - 
tftp-server: CIS-2.1.8 + description: Remove tftp-server + xorg-x11-server-common: + data: + CentOS Linux-7: + - xorg-x11-server-common: CIS-3.2 + description: Remove the X Window System + whitelist: + anacron: + data: + CentOS Linux-7: + - cronie-anacron: CIS-6.1.1 + description: Enable anacron Daemon + firewalld: + data: + CentOS Linux-7: + - firewalld: CIS-4.7 + description: Enable firewalld + iptables: + data: {} + description: Install IPtables + rsyslog: + data: + CentOS Linux-7: + - rsyslog: CIS-5.1.1 + description: Install the rsyslog package +stat: + anacrontab: + data: + CentOS Linux-7: + - /etc/anacrontab: + gid: 0 + group: root + mode: 600 + tag: CIS-6.1.3 + uid: 0 + user: root + description: Set User/Group Owner and Permission on /etc/anacrontab + at_cron_allow: + data: + CentOS Linux-7: + - /etc/cron.deny: + gid: null + group: null + mode: null + tag: CIS-6.1.11 + uid: null + user: null + - /etc/at.deny: + gid: null + group: null + mode: null + tag: CIS-6.1.11 + uid: null + user: null + - /etc/cron.allow: + gid: 0 + group: root + mode: 600 + tag: CIS-6.1.11 + uid: 0 + user: root + - /etc/at.allow: + gid: 0 + group: root + mode: 600 + tag: CIS-6.1.11 + uid: 0 + user: root + description: Restrict at/cron to Authorized Users + cron_d: + data: + CentOS Linux-7: + - /etc/cron.d: + gid: 0 + group: root + mode: 700 + tag: CIS-6.1.9 + uid: 0 + user: root + description: Set User/Group Owner and Permission on /etc/cron.d + cron_daily: + data: + CentOS Linux-7: + - /etc/cron.daily: + gid: 0 + group: root + mode: 700 + tag: CIS-6.1.6 + uid: 0 + user: root + description: Set User/Group Owner and Permission on /etc/cron.daily + cron_hourly: + data: + CentOS Linux-7: + - /etc/cron.hourly: + gid: 0 + group: root + mode: 700 + tag: CIS-6.1.5 + uid: 0 + user: root + description: Set User/Group Owner and Permission on /etc/cron.hourly + cron_monthly: + data: + CentOS Linux-7: + - /etc/cron.monthly: + gid: 0 + group: root + mode: 700 + tag: CIS-6.1.8 + uid: 0 + user: root 
+ description: Set User/Group Owner and Permission on /etc/cron.monthly + cron_weekly: + data: + CentOS Linux-7: + - /etc/cron.weekly: + gid: 0 + group: root + mode: 700 + tag: CIS-6.1.7 + uid: 0 + user: root + description: Set User/Group Owner and Permission on /etc/cron.weekly + crontab: + data: + CentOS Linux-7: + - /etc/crontab: + gid: 0 + group: root + mode: 600 + tag: CIS-6.1.4 + uid: 0 + user: root + description: Set User/Group Owner and Permission on /etc/crontab + group_own: + data: + CentOS Linux-7: + - /etc/group: + gid: 0 + group: root + tag: CIS-9.1.9 + uid: 0 + user: root + description: Verify User/Group Ownership on /etc/group + group_perm: + data: + CentOS Linux-7: + - /etc/group: + mode: 644 + tag: CIS-9.1.5 + description: Verify Permissions on /etc/group + grub_conf_own: + data: + CentOS Linux-7: + - /boot/grub2/grub.cfg: + gid: 0 + group: root + tag: CIS-1.5.1 + uid: 0 + user: root + description: Set User/Group Owner on /boot/grub2/grub.cfg + grub_conf_perm: + data: + CentOS Linux-7: + - /boot/grub2/grub.cfg: + mode: 600 + tag: CIS-1.5.2 + description: Set Permissions on /boot/grub2/grub.cfg + gshadow_own: + data: + CentOS Linux-7: + - /etc/gshadow: + gid: 0 + group: root + tag: CIS-9.1.8 + uid: 0 + user: root + description: Verify User/Group Ownership on /etc/gshadow + gshadow_perm: + data: + CentOS Linux-7: + - /etc/gshadow: + mode: 0 + tag: CIS-9.1.4 + description: Verify Permissions on /etc/gshadow + hosts_allow: + data: + CentOS Linux-7: + - /etc/hosts.allow: + mode: 644 + tag: CIS-4.5.3 + description: Verify Permissions on /etc/hosts.allow + hosts_deny: + data: + CentOS Linux-7: + - /etc/hosts.deny: + mode: 644 + tag: CIS-4.5.5 + description: Verify Permissions on /etc/hosts.deny + passwd_own: + data: + CentOS Linux-7: + - /etc/passwd: + group: root + tag: CIS-9.1.6 + uid: 0 + user: root + description: Verify User/Group Ownership on /etc/passwd + passwd_perm: + data: + CentOS Linux-7: + - /etc/passwd: + mode: 644 + tag: CIS-9.1.2 + 
description: Verify Permissions on /etc/passwd + shadow_perm: + data: + CentOS Linux-7: + - /etc/shadow: + mode: 0 + tag: CIS-9.1.3 + description: Verify Permissions on /etc/shadow + shadow_own: + data: + CentOS Linux-7: + - /etc/shadow: + gid: 0 + group: root + tag: CIS-9.1.7 + uid: 0 + user: root + description: Verify User/Group Ownership on /etc/shadow + sshd_config: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + gid: 0 + group: root + mode: 600 + tag: CIS-6.2.3 + uid: 0 + user: root + description: Set Permissions on /etc/ssh/sshd_config + warning_banner: + data: + CentOS Linux-7: + - /etc/motd: + gid: 0 + group: root + mode: 644 + tag: CIS-8.1 + uid: 0 + user: root + - /etc/issue: + gid: 0 + group: root + mode: 644 + tag: CIS-8.1 + uid: 0 + user: root + - /etc/issue.net: + gid: 0 + group: root + mode: 644 + tag: CIS-8.1 + uid: 0 + user: root + description: Set Warning Banner for Standard Login Services +sysctl: + bad_error_message_protection: + data: + CentOS Linux-7: + - net.ipv4.icmp_ignore_bogus_error_responses: + match_output: '1' + tag: CIS-4.2.6 + description: Enable Bad Error Message Protection + exec_shield: + data: {} + description: Configure ExecShield + icmp_redirect_acceptance: + data: + CentOS Linux-7: + - net.ipv4.conf.all.accept_redirects: + match_output: '0' + tag: CIS-4.2.2 + - net.ipv4.conf.default.accept_redirects: + match_output: '0' + tag: CIS-4.2.2 + description: Disable ICMP Redirect Acceptance + ignore_broadcast_requests: + data: + CentOS Linux-7: + - net.ipv4.icmp_echo_ignore_broadcasts: + match_output: '1' + tag: CIS-4.2.5 + description: Enable Ignore Broadcast Requests + ip_forwarding: + data: + CentOS Linux-7: + - net.ipv4.ip_forward: + match_output: '0' + tag: CIS-4.1.1 + description: Disable IP Forwarding + log_suspicious_packets: + data: + CentOS Linux-7: + - net.ipv4.conf.all.log_martians: + match_output: '1' + tag: CIS-4.2.4 + - net.ipv4.conf.default.log_martians: + match_output: '1' + tag: CIS-4.2.4 + description: Log 
Suspicious Packets + randomize_va_space: + data: + CentOS Linux-7: + - kernel.randomize_va_space: + match_output: '2' + tag: CIS-1.6.2 + description: Enable Randomized Virtual Memory Region Placement + restrict_suid_core_dumps: + data: {} + description: Restrict SUID Core Dumps + send_packet_redirect: + data: + CentOS Linux-7: + - net.ipv4.conf.all.send_redirects: + match_output: '0' + tag: CIS-4.1.2 + - net.ipv4.conf.default.send_redirects: + match_output: '0' + tag: CIS-4.1.2 + description: Disable Send Packet Redirects + source_routed_packet_acceptance: + data: + CentOS Linux-7: + - net.ipv4.conf.all.accept_source_route: + match_output: '0' + tag: CIS-4.2.1 + - net.ipv4.conf.default.accept_source_route: + match_output: '0' + tag: CIS-4.2.1 + description: Disable Source Routed Packet Acceptance + tcp_syn_cookies: + data: + CentOS Linux-7: + - net.ipv4.tcp_syncookies: + match_output: '1' + tag: CIS-4.2.8 + description: Enable TCP SYN Cookies +service: + whitelist: + rsyslogd_running: + data: + CentOS Linux-7: + - rsyslog: CIS-5.1.2 + description: Activate the rsyslog Service + crond_running: + data: + CentOS Linux-7: + - crond: CIS-6.1.2 + description: Enable crond Daemon diff --git a/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-0-0.yaml b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-0-0.yaml new file mode 100644 index 0000000..b797ed3 --- /dev/null +++ b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-0-0.yaml 
@@ -0,0 +1,1209 @@ +# NOTE: This CIS Profile only includes Level 1 Scored Items for CentOS 7 +# NOTE: Within this file, there are a few sections that should be tailored to your +# organization's specific policy. Search for '# NOTE: ' comments through the file. + +# TODO: Checks that aren't implemented yet: +# 1.1.21 +# 1.7.2 +# 3.6.5 +# 4.2.4 +# 5.4.2 +# 5.4.3 +# 6.1.10-12 +# 6.2.1 +# 6.2.5-19 + + + +grep: + blacklist: + message_of_the_day: + data: + CentOS Linux-7: + - /etc/motd: + pattern: '(\\v|\\r|\\m|\\s)' + tag: CIS-1.7.1.1 + description: Ensure message of the day is configured properly + legacy_passwd_entries_group: + data: + CentOS Linux-7: + - /etc/group: + pattern: '^+:' + tag: CIS-6.2.4 + description: Ensure no legacy "+" entries exist in /etc/group + legacy_passwd_entries_passwd: + data: + CentOS Linux-7: + - /etc/passwd: + pattern: '^+:' + tag: CIS-6.2.2 + description: Ensure no legacy "+" entries exist in /etc/passwd + legacy_passwd_entries_shadow: + data: + CentOS Linux-7: + - /etc/shadow: + pattern: '^+:' + tag: CIS-6.2.3 + description: Ensure no legacy "+" entries exist in /etc/shadow + whitelist: + activate_gpg_check: + data: + CentOS Linux-7: + - /etc/yum.conf: + match_output: gpgcheck=1 + pattern: gpgcheck + tag: CIS-1.2.3 + description: Ensure gpgcheck is globally activated + aide_filesystem_scans: + data: + CentOS Linux-7: + - /etc/cron.d: + pattern: aide + grep_args: + - '-r' + tag: CIS-1.3.2 + description: Ensure filesystem integrity is regularly checked + boot_loader_passwd: + data: + CentOS Linux-7: + - /etc/grub.conf: + pattern: password + tag: CIS-1.4.2 + description: Ensure bootloader password is set + chargen_disabled: + data: + CentOS Linux-7: + - /etc/xinetd.d/chargen-dgram: + pattern: disable + match_output: 'yes' + tag: CIS-2.1.1 + - /etc/xinetd.d/chargen-stream: + pattern: disable + match_output: 'yes' + tag: CIS-2.1.1 + description: Ensure chargen services are not enabled + daytime_disabled: + data: + CentOS Linux-7: + - 
/etc/xinetd.d/daytime-dgram: + pattern: disable + match_output: 'yes' + tag: CIS-2.1.2 + - /etc/xinetd.d/daytime-stream: + pattern: disable + match_output: 'yes' + tag: CIS-2.1.2 + description: Ensure daytime services are not enabled + discard_disabled: + data: + CentOS Linux-7: + - /etc/xinetd.d/discard-dgram: + pattern: disable + match_output: 'yes' + tag: CIS-2.1.3 + - /etc/xinetd.d/discard-stream: + pattern: disable + match_output: 'yes' + tag: CIS-2.1.3 + description: Ensure discard services are not enabled + echo_disabled: + data: + CentOS Linux-7: + - /etc/xinetd.d/echo-dgram: + pattern: disable + match_output: 'yes' + tag: CIS-2.1.4 + - /etc/xinetd.d/echo-stream: + pattern: disable + match_output: 'yes' + tag: CIS-2.1.4 + description: Ensure echo services are not enabled + time_disabled: + data: + CentOS Linux-7: + - /etc/xinetd.d/time-dgram: + pattern: disable + match_output: 'yes' + tag: CIS-2.1.5 + - /etc/xinetd.d/time-stream: + pattern: disable + match_output: 'yes' + tag: CIS-2.1.5 + description: Ensure time services are not enabled + configure_ntp: + data: + CentOS Linux-7: + - /etc/ntp.conf: + pattern: ^restrict + match_output: default + tag: CIS-2.2.1.2 + - /etc/ntp.conf: + pattern: restrict -6 default + tag: CIS-2.2.1.2 + - /etc/ntp.conf: + tag: CIS-2.2.1.2 + pattern: '^server' + - /etc/sysconfig/ntpd: + tag: CIS-2.2.1.2 + pattern: 'ntp:ntp' + description: Ensure ntp is configured + configure_chrony: + data: + CentOS Linux-7: + - /etc/chrony.conf: + tag: CIS-2.2.1.3 + pattern: '^server' + - /etc/sysconfig/chronyd: + tag: CIS-2.2.1.3 + pattern: 'chrony' + description: Ensure chrony is configured + local_mail: + data: + CentOS Linux-7: + - /etc/postfix/main.cf: + pattern: ^inet_interfaces + match_output: localhost + tag: CIS-2.2.15 + description: Ensure mail transfer agent is configured for local-only mode + default_umask: + data: + CentOS Linux-7: + - /etc/bashrc: + pattern: umask + match_pattern: '027' + tag: CIS-5.4.4 + - /etc/profile.d: + 
pattern: umask + match_pattern: '027' + grep_args: + - '-r' + tag: CIS-5.4.4 + description: Ensure default user umask is 027 or more restrictive + disable_mount_cramfs: + data: + CentOS Linux-7: + - /etc/modprobe.d: + match_output: /bin/true + pattern: cramfs + grep_args: + - '-r' + tag: CIS-1.1.1.1 + description: Ensure mounting of cramfs filesystems is disabled + disable_mount_freevxfs: + data: + CentOS Linux-7: + - /etc/modprobe.d: + match_output: /bin/true + pattern: freevxfs + grep_args: + - '-r' + tag: CIS-1.1.1.2 + description: Ensure mounting of freevxfs filesystems is disabled + disable_mount_jffs2: + data: + CentOS Linux-7: + - /etc/modprobe.d: + match_output: /bin/true + pattern: jffs2 + grep_args: + - '-r' + tag: CIS-1.1.1.3 + description: Ensure mounting of jffs2 filesystems is disabled + disable_mount_hfs: + data: + CentOS Linux-7: + - /etc/modprobe.d: + match_output: /bin/true + pattern: hfs + grep_args: + - '-r' + tag: CIS-1.1.1.4 + description: Ensure mounting of hfs filesystems is disabled + disable_mount_hfsplus: + data: + CentOS Linux-7: + - /etc/modprobe.d: + match_output: /bin/true + pattern: hfsplus + grep_args: + - '-r' + tag: CIS-1.1.1.5 + description: Ensure mounting of hfsplus filesystems is disabled + disable_mount_squashfs: + data: + CentOS Linux-7: + - /etc/modprobe.d: + match_output: /bin/true + pattern: squashfs + grep_args: + - '-r' + tag: CIS-1.1.1.6 + description: Ensure mounting of squashfs filesystems is disabled + disable_mount_udf: + data: + CentOS Linux-7: + - /etc/modprobe.d: + match_output: /bin/true + pattern: udf + grep_args: + - '-r' + tag: CIS-1.1.1.7 + description: Ensure mounting of udf filesystems is disabled + disable_mount_fat: + data: + CentOS Linux-7: + - /etc/modprobe.d: + match_output: /bin/true + pattern: vfat + grep_args: + - '-r' + tag: CIS-1.1.1.8 + description: Ensure mounting of FAT filesystems is disabled + fstab_var_tmp_partition_nodev: + data: + CentOS Linux-7: + - /etc/fstab: + match_output: nodev + 
pattern: /var/tmp + tag: CIS-1.1.8 + description: Ensure nodev option set on /var/tmp partition + fstab_var_tmp_partition_nosuid: + data: + CentOS Linux-7: + - /etc/fstab: + match_output: nosuid + pattern: /var/tmp + tag: CIS-1.1.9 + description: Ensure nosuid option set on /var/tmp partition + fstab_var_tmp_partition_noexec: + data: + CentOS Linux-7: + - /etc/fstab: + match_output: noexec + pattern: /var/tmp + tag: CIS-1.1.10 + description: Ensure noexec option set on /var/tmp partition + fstab_dev_shm_partition_nodev: + data: + CentOS Linux-7: + - /etc/fstab: + match_output: nodev + pattern: /dev/shm + tag: CIS-1.1.15 + description: Ensure nodev option set on /dev/shm partition + fstab_dev_shm_partition_noexec: + data: + CentOS Linux-7: + - /etc/fstab: + match_output: noexec + pattern: /dev/shm + tag: CIS-1.1.17 + description: Ensure noexec option set on /dev/shm partition + fstab_dev_shm_partition_nosuid: + data: + CentOS Linux-7: + - /etc/fstab: + match_output: nosuid + pattern: /dev/shm + tag: CIS-1.1.16 + description: Ensure nosuid option set on /dev/shm partition + fstab_home_partition_nodev: + data: + CentOS Linux-7: + - /etc/fstab: + match_output: nodev + pattern: /home + tag: CIS-1.1.14 + description: Ensure nodev option set on /home partition + fstab_tmp_partition_nodev: + data: + CentOS Linux-7: + - /etc/fstab: + match_output: nodev + pattern: /tmp + tag: CIS-1.1.3 + description: Ensure nodev option set on /tmp partition + fstab_tmp_partition_noexec: + data: + CentOS Linux-7: + - /etc/fstab: + match_output: noexec + pattern: /tmp + tag: CIS-1.1.5 + description: Ensure noexec option set on /tmp partition + fstab_tmp_partition_nosuid: + data: + CentOS Linux-7: + - /etc/fstab: + match_output: nosuid + pattern: /tmp + tag: CIS-1.1.4 + description: Ensure nosuid option set on /tmp partition + hosts_allow: + data: + CentOS Linux-7: + - /etc/hosts.allow: + pattern: ALL + tag: CIS-3.4.2 + description: Ensure /etc/hosts.allow is configured + hosts_deny: + data: 
+ CentOS Linux-7: + - /etc/hosts.deny: + pattern: ALL + tag: CIS-3.4.3 + description: Ensure /etc/hosts.deny is configured + firewall_default_deny: + data: + CentOS Linux-7: + - /etc/sysconfig/iptables: + pattern: :INPUT + match_output: DROP + tag: CIS-3.6.2 + - /etc/sysconfig/iptables: + pattern: :FORWARD + match_pattern: DROP + tag: CIS-3.6.2 + - /etc/sysconfig/iptables: + pattern: :OUTPUT + match_output: DROP + tag: CIS-3.6.2 + description: Ensure default deny firewall policy + firewall_accept_lo: + data: + CentOS Linux-7: + - /etc/sysconfig/iptables: + pattern: lo + match_output: ACCEPT + tag: CIS-3.6.3 + description: Ensure loopback traffic is configured + rsyslog_file_perms: + data: + CentOS Linux-7: + - /etc/rsyslog.conf: + pattern: '^\$FileCreateMode' + match_output: '0640' + tag: CIS-4.2.1.3 + description: Ensure rsyslog default file permissions configured + rsyslog_remote_logging: + data: + CentOS Linux-7: + - /etc/rsyslog.conf: + pattern: ^*.*[^I][^I]*@ + tag: CIS-4.2.1.4 + description: Ensure rsyslog is configured to send logs to a remote log host + syslog-ng_file_perms: + data: + CentOS Linux-7: + - /etc/syslog-ng/syslog-ng.conf: + pattern: ^options + match_output: 'perm(0640)' + tag: CIS-4.2.2.3 + description: Ensure syslog-ng default file permissions configured + limit_password_reuse: + data: + CentOS Linux-7: + - /etc/pam.d/system-auth: + pattern: '"^password\s+sufficient\s+pam_unix\.so.*"' + match_output: remember=5 + grep_args: + - '-E' + tag: CIS-5.3.3 + description: Ensure password reuse is limited + password_hash: + data: + CentOS Linux-7: + - /etc/pam.d/password-auth: + pattern: '"^password\s+\w+\s+pam_unix\.so"' + match_output: sha512 + grep_args: + - '-E' + tag: CIS-5.3.4 + description: Ensure password hashing algorithm is SHA-512 + limit_su_command_access: + data: + CentOS Linux-7: + - /etc/pam.d/su: + match_output: use_uid + pattern: pam_wheel.so + tag: CIS-5.6 + - /etc/group: + pattern: wheel + tag: CIS-5.6 + description: Ensure access to 
the su command is restricted + pam_pwquality_try_first_pass: + data: + CentOS Linux-7: + - /etc/pam.d/system-auth: + match_output: try_first_pass + pattern: pam_pwquality.so + tag: CIS-5.3.1 + - /etc/pam.d/system-auth: + match_output: retry=3 + pattern: pam_pwquality.so + tag: CIS-5.3.1 + - /etc/security/pwquality.conf: + pattern: minlen + match_output: '14' + tag: CIS-5.3.1 + - /etc/security/pwquality.conf: + pattern: dcredit + match_output: '-1' + tag: CIS-5.3.1 + - /etc/security/pwquality.conf: + pattern: ucredit + match_output: '-1' + tag: CIS-5.3.1 + - /etc/security/pwquality.conf: + pattern: ocredit + match_output: '-1' + tag: CIS-5.3.1 + - /etc/security/pwquality.conf: + pattern: lcredit + match_output: '-1' + tag: CIS-5.3.1 + description: Ensure password creation requirements are configured + passwd_change_min_days: + data: + CentOS Linux-7: + - /etc/login.defs: + match_output: '7' + pattern: PASS_MIN_DAYS + tag: CIS-5.4.1.2 + description: Ensure minimum days between password changes is 7 or more + passwd_expiration_days: + data: + CentOS Linux-7: + - /etc/login.defs: + match_output: '90' + pattern: PASS_MAX_DAYS + tag: CIS-5.4.1.1 + description: Ensure password expiration is 90 days or less + passwd_expiry_warning: + data: + CentOS Linux-7: + - /etc/login.defs: + match_output: '7' + pattern: PASS_WARN_AGE + tag: CIS-5.4.1.3 + description: Ensure password expiration warning days is 7 or more + passwd_inactive: + data: + CentOS Linux-7: + - /etc/default/useradd: + pattern: INACTIVE=30 + tag: CIS-5.4.1.4 + description: Ensure inactive password lock is 30 days or less + restrict_core_dumps: + data: + CentOS Linux-7: + - /etc/security/limits.conf: + match_output: '0' + pattern: hard core + tag: CIS-1.5.1 + description: Ensure core dumps are restricted + sshd_approved_cipher: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + match_output: '^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers 
aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$' + match_output_regex: True + pattern: Ciphers + tag: CIS-5.2.11 + description: Ensure only approved ciphers are used + sshd_approved_macs: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + match_output: 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' + pattern: MACs + tag: CIS-5.2.12 + description: Ensure only approved MAC algorithms are used + sshd_banner: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + pattern: ^Banner + tag: CIS-5.2.16 + description: Ensure SSH warning banner is configured + sshd_disable_root_login: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + match_output: PermitRootLogin no + pattern: ^PermitRootLogin + tag: CIS-5.2.8 + description: Ensure SSH root login is disabled + sshd_hostbased_auth: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + match_output: HostbasedAuthentication no + pattern: ^HostbasedAuthentication + tag: CIS-5.2.7 + description: Ensure SSH HostbasedAuthentication is disabled + sshd_idle_timeout: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + match_output: ClientAliveInterval 300 + pattern: ^ClientAliveInterval + tag: CIS-5.2.13 + - /etc/ssh/sshd_config: + match_output: ClientAliveCountMax 0 + pattern: ^ClientAliveCountMax + tag: CIS-5.2.13 + description: Ensure SSH Idle Timeout Interval is configured + sshd_gracetime: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + pattern: ^LoginGraceTime + match_output: '60' + tag: CIS-5.2.14 + description: Ensure SSH LoginGraceTime is set to one minute or less + sshd_ignore_rhosts: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + match_output: IgnoreRhosts yes + pattern: ^IgnoreRhosts + tag: CIS-5.2.6 + description: Ensure SSH IgnoreRhosts is enabled + sshd_limit_access: + data: + CentOS Linux-7: + 
- /etc/ssh/sshd_config: + pattern: ^AllowUsers + tag: CIS-5.2.15 + - /etc/ssh/sshd_config: + pattern: ^AllowGroups + tag: CIS-5.2.15 + - /etc/ssh/sshd_config: + pattern: ^DenyUsers + tag: CIS-5.2.15 + - /etc/ssh/sshd_config: + pattern: ^DenyGroups + tag: CIS-5.2.15 + description: Ensure SSH access is limited + sshd_loglevel_info: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + match_output: LogLevel INFO + pattern: ^LogLevel + tag: CIS-5.2.3 + description: Ensure SSH LogLevel is set to INFO + sshd_max_auth_retries: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + match_output: MaxAuthTries 4 + pattern: ^MaxAuthTries + tag: CIS-5.2.5 + description: Ensure SSH MaxAuthTries is set to 4 or less + sshd_permit_empty_passwords: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + match_output: PermitEmptyPasswords no + pattern: ^PermitEmptyPasswords + tag: CIS-5.2.9 + description: Ensure SSH PermitEmptyPasswords is disabled + sshd_permit_user_environment: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + match_output: PermitUserEnvironment no + pattern: ^PermitUserEnvironment + tag: CIS-5.2.10 + description: Ensure SSH PermitUserEnvironment is disabled + sshd_protocol_2: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + match_output: Protocol 2 + pattern: ^Protocol + tag: CIS-5.2.2 + description: Ensure SSH Protocol is set to 2 + sshd_x11_forwarding: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + match_output: X11Forwarding no + pattern: ^X11Forwarding + tag: CIS-5.2.4 + description: Ensure SSH X11 forwarding is disabled + lockout_account: + data: + CentOS Linux-7: + - /etc/pam.d/system-auth: + pattern: '"^auth\s+required\s+pam_faillock\.so.*"' + match_output: deny=5 + grep_args: + - '-E' + tag: CIS-5.3.2 + - /etc/pam.d/password-auth: + pattern: '"^auth\s+required\s+pam_faillock\.so.*"' + match_output: deny=5 + grep_args: + - '-E' + tag: CIS-5.3.2 + description: Ensure lockout for failed password attempts is configured +pkg: + blacklist: + 
avahi-daemon: + data: + CentOS Linux-7: + - avahi-daemon: CIS-2.2.3 + description: Ensure Avahi Server is not enabled + cups: + data: + CentOS Linux-7: + - cups: CIS-2.2.4 + description: Ensure CUPS is not enabled + dhcp: + data: + CentOS Linux-7: + - dhcp: CIS-2.2.5 + description: Ensure DHCP Server is not enabled + slapd: + data: + CentOS Linux-7: + - openldap-servers: CIS-2.2.6 + description: Ensure LDAP server is not enabled + ftp: + data: + CentOS Linux-7: + - perl-ftpd: CIS-2.2.9 + - proftpd: CIS-2.2.9 + - pure-ftpd: CIS-2.2.9 + - vsftpd: CIS-2.2.9 + description: Ensure FTP Server is not enabled + nis-client: + data: + CentOS Linux-7: + - ypbind: CIS-2.3.1 + description: Ensure NIS Client is not installed + nis-server: + data: + CentOS Linux-7: + - ypserv: CIS-2.2.16 + description: Ensure NIS Server is not enabled + rsh-client: + data: + CentOS Linux-7: + - rsh: CIS-2.3.2 + description: Ensure rsh client is not installed + rsh-server: + data: + CentOS Linux-7: + - rsh-server: CIS-2.1.6 + description: Ensure rsh server is not enabled + talk-client: + data: + CentOS Linux-7: + - talk: CIS-2.3.3 + description: Ensure talk client is not installed + talk-server: + data: + CentOS Linux-7: + - talk-server: CIS-2.1.7 + description: Ensure talk server is not enabled + telnet-client: + data: + CentOS Linux-7: + - telnet: CIS-2.3.4 + description: Ensure telnet client is not installed + telnet-server: + data: + CentOS Linux-7: + - telnet-server: CIS-2.1.8 + description: Ensure telnet server is not enabled + tftp-server: + data: + CentOS Linux-7: + - tftp-server: CIS-2.1.9 + description: Ensure tftp server is not enabled + xinetd: + data: + CentOS Linux-7: + - xinetd: CIS-2.1.11 + description: Ensure xinetd is not enabled + xorg-x11-server-common: + data: + CentOS Linux-7: + - xorg-x11-server-common: CIS-2.2.2 + description: Ensure X Window System is not installed + prelink: + data: + CentOS Linux-7: + - prelink: CIS-1.5.4 + description: Ensure prelink is disabled + 
ldap_clients: + data: + CentOS Linux-7: + - openldap-clients: CIS-2.3.5 + description: Ensure LDAP client is not installed + whitelist: + aide: + data: + CentOS Linux-7: + - aide: CIS-1.3.1 + description: Ensure AIDE is installed + firewalld: + data: {} + description: Enable firewalld + tcp_wrappers: + data: + CentOS Linux-7: + - tcp_wrappers: CIS-3.4.1 + description: Ensure TCP Wrappers is installed + iptables: + data: + CentOS Linux-7: + - iptables: CIS-3.6.1 + description: Ensure iptables is installed + syslog: + data: + CentOS Linux-7: + - rsyslog: CIS-4.2.3 + description: Ensure rsyslog or syslog-ng is installed + syslog-ng: + data: + CentOS Linux-7: + - syslog-ng: CIS-4.2.3 + description: Ensure rsyslog or syslog-ng is installed +service: + blacklist: + autofs: + data: + CentOS Linux-7: + - autofs: CIS-1.1.22 + description: Disable Automounting + rsync: + data: + CentOS Linux-7: + - rsyncd: CIS-2.1.10 + description: Ensure rsync service is not enabled + nfs: + data: + CentOS Linux-7: + - nfs: CIS-2.2.7 + description: Ensure NFS and RPC are not enabled + rpc: + data: + CentOS Linux-7: + - rpcbind: CIS-2.2.7 + description: Ensure NFS and RPC are not enabled + named: + data: + CentOS Linux-7: + - named: CIS-2.2.8 + description: Ensure DNS Server is not enabled + httpd: + data: + CentOS Linux-7: + - httpd: CIS-2.2.10 + description: Ensure HTTP server is not enabled + pop3_imap: + data: + CentOS Linux-7: + - dovecot: CIS-2.2.11 + description: Ensure IMAP and POP3 server is not enabled + samba: + data: + CentOS Linux-7: + - smb: CIS-2.2.12 + description: Ensure Samba is not enabled + http_proxy: + data: + CentOS Linux-7: + - squid: CIS-2.2.13 + description: Ensure HTTP Proxy Server is not enabled + snmp: + data: + CentOS Linux-7: + - snmpd: CIS-2.2.14 + description: Ensure SNMP Server is not enabled + whitelist: + crond_running: + data: + CentOS Linux-7: + - crond: CIS-5.1.1 + description: Ensure cron daemon is enabled + rsyslogd_running: + data: + CentOS Linux-7: 
+ - rsyslog: CIS-4.2.1.1 + description: Ensure rsyslog Service is enabled + syslog-ng_running: + data: + CentOS Linux-7: + - syslog-ng: CIS-4.2.2.1 + description: Ensure syslog-ng service is enabled +stat: + at_cron_allow: + data: + CentOS Linux-7: + - /etc/cron.deny: + gid: null + group: null + mode: null + tag: CIS-5.1.8 + uid: null + user: null + - /etc/at.deny: + gid: null + group: null + mode: null + tag: CIS-5.1.8 + uid: null + user: null + - /etc/cron.allow: + gid: 0 + group: root + mode: 600 + tag: CIS-5.1.8 + uid: 0 + user: root + - /etc/at.allow: + gid: 0 + group: root + mode: 600 + tag: CIS-5.1.8 + uid: 0 + user: root + description: Ensure at/cron is restricted to authorized users + cron_d: + data: + CentOS Linux-7: + - /etc/cron.d: + gid: 0 + group: root + mode: 700 + tag: CIS-5.1.7 + uid: 0 + user: root + description: Ensure permissions on /etc/cron.d are configured + cron_daily: + data: + CentOS Linux-7: + - /etc/cron.daily: + gid: 0 + group: root + mode: 700 + tag: CIS-5.1.4 + uid: 0 + user: root + description: Ensure permissions on /etc/cron.daily are configured + cron_hourly: + data: + CentOS Linux-7: + - /etc/cron.hourly: + gid: 0 + group: root + mode: 700 + tag: CIS-5.1.3 + uid: 0 + user: root + description: Ensure permissions on /etc/cron.hourly are configured + cron_monthly: + data: + CentOS Linux-7: + - /etc/cron.monthly: + gid: 0 + group: root + mode: 700 + tag: CIS-5.1.6 + uid: 0 + user: root + description: Ensure permissions on /etc/cron.monthly are configured + cron_weekly: + data: + CentOS Linux-7: + - /etc/cron.weekly: + gid: 0 + group: root + mode: 700 + tag: CIS-5.1.5 + uid: 0 + user: root + description: Ensure permissions on /etc/cron.weekly are configured + crontab: + data: + CentOS Linux-7: + - /etc/crontab: + gid: 0 + group: root + mode: 600 + tag: CIS-5.1.2 + uid: 0 + user: root + description: Ensure permissions on /etc/crontab are configured + passwd_own_perm: + data: + CentOS Linux-7: + - /etc/passwd: + gid: 0 + group: root + 
mode: 644 + tag: CIS-6.1.2 + uid: 0 + user: root + description: Ensure permissions on /etc/passwd are configured + shadow_own_perm: + data: + CentOS Linux-7: + - /etc/shadow: + gid: 0 + group: root + mode: 000 + tag: CIS-6.1.3 + uid: 0 + user: root + description: Ensure permissions on /etc/shadow are configured + group_own_perm: + data: + CentOS Linux-7: + - /etc/group: + gid: 0 + group: root + mode: 644 + tag: CIS-6.1.4 + uid: 0 + user: root + description: Ensure permissions on /etc/group are configured + gshadow_own_perm: + data: + CentOS Linux-7: + - /etc/gshadow: + gid: 0 + group: root + mode: 0 + tag: CIS-6.1.5 + uid: 0 + user: root + description: Ensure permissions on /etc/gshadow are configured + passwd-_own_perm: + data: + CentOS Linux-7: + - /etc/passwd-: + gid: 0 + group: root + mode: 644 + tag: CIS-6.1.6 + uid: 0 + user: root + description: Ensure permissions on /etc/passwd- are configured + shadow-_own_perm: + data: + CentOS Linux-7: + - /etc/shadow-: + gid: 0 + group: root + mode: 000 + tag: CIS-6.1.7 + uid: 0 + user: root + description: Ensure permissions on /etc/shadow- are configured + group-_own_perm: + data: + CentOS Linux-7: + - /etc/group-: + gid: 0 + group: root + mode: 644 + tag: CIS-6.1.8 + uid: 0 + user: root + description: Ensure permissions on /etc/group- are configured + gshadow-_own_perm: + data: + CentOS Linux-7: + - /etc/gshadow-: + gid: 0 + group: root + mode: 0 + tag: CIS-6.1.9 + uid: 0 + user: root + description: Ensure permissions on /etc/gshadow- are configured + grub_conf_own_perm: + data: + CentOS Linux-7: + - /etc/grub.conf: + gid: 0 + group: root + mode: 600 + tag: CIS-1.4.1 + uid: 0 + user: root + description: Ensure permissions on bootloader config are configured + hosts_allow: + data: + CentOS Linux-7: + - /etc/hosts.allow: + gid: 0 + group: root + mode: 644 + tag: CIS-3.4.4 + uid: 0 + user: root + description: Ensure permissions on /etc/hosts.allow are configured + hosts_deny: + data: + CentOS Linux-7: + - /etc/hosts.deny: 
+ gid: 0 + group: root + mode: 644 + tag: CIS-3.4.5 + uid: 0 + user: root + description: Ensure permissions on /etc/hosts.deny are 644 + sshd_config: + data: + CentOS Linux-7: + - /etc/ssh/sshd_config: + gid: 0 + group: root + mode: 600 + tag: CIS-5.2.1 + uid: 0 + user: root + description: Ensure permissions on /etc/ssh/sshd_config are configured + warning_banner_issue: + data: + CentOS Linux-7: + - /etc/issue: + gid: 0 + group: root + mode: 644 + tag: CIS-1.7.1.5 + uid: 0 + user: root + description: Ensure permissions on /etc/issue are configured +sysctl: + bad_error_message_protection: + data: + CentOS Linux-7: + - net.ipv4.icmp_ignore_bogus_error_responses: + match_output: '1' + tag: CIS-3.2.6 + description: Ensure bogus ICMP responses are ignored + icmp_redirect_acceptance: + data: + CentOS Linux-7: + - net.ipv4.conf.all.accept_redirects: + match_output: '0' + tag: CIS-3.2.2 + - net.ipv4.conf.default.accept_redirects: + match_output: '0' + tag: CIS-3.2.2 + description: Ensure ICMP redirects are not accepted + ignore_broadcast_requests: + data: + CentOS Linux-7: + - net.ipv4.icmp_echo_ignore_broadcasts: + match_output: '1' + tag: CIS-3.2.5 + description: Ensure broadcast ICMP requests are ignored + ip_forwarding: + data: + CentOS Linux-7: + - net.ipv4.ip_forward: + match_output: '0' + tag: CIS-3.1.1 + description: Ensure IP forwarding is disabled + log_suspicious_packets: + data: + CentOS Linux-7: + - net.ipv4.conf.all.log_martians: + match_output: '1' + tag: CIS-3.2.4 + - net.ipv4.conf.default.log_martians: + match_output: '1' + tag: CIS-3.2.4 + description: Ensure suspicious packets are logged + reverse_path_filtering: + data: + CentOS Linux-7: + - net.ipv4.conf.all.rp_filter: + match_output: '1' + tag: CIS-3.2.7 + - net.ipv4.conf.default.rp_filter: + match_output: '1' + tag: CIS-3.2.7 + description: Ensure Reverse Path Filtering is enabled + ipv6_adverts: + data: + CentOS Linux-7: + - net.ipv6.conf.all.accept_ra: + match_output: '0' + tag: CIS-3.3.1 + - 
net.ipv6.conf.default.accept_ra: + match_output: '0' + tag: CIS-3.3.1 + description: Ensure IPv6 router advertisements are not accepted + ipv6_redir: + data: + CentOS Linux-7: + - net.ipv6.conf.all.accept_redirects: + match_output: '0' + tag: CIS-3.3.2 + - net.ipv6.conf.default.accept_redirects: + match_output: '0' + tag: CIS-3.3.2 + description: Ensure IPv6 redirects are not accepted + randomize_va_space: + data: + CentOS Linux-7: + - kernel.randomize_va_space: + match_output: '2' + tag: CIS-1.5.3 + description: Ensure address space layout randomization (ASLR) is enabled + restrict_suid_core_dumps: + data: + CentOS Linux-7: + - fs.suid_dumpable: + match_output: '0' + tag: CIS-1.5.1 + description: Ensure core dumps are restricted + secure_icmp_redirect_acceptance: + data: + CentOS Linux-7: + - net.ipv4.conf.all.secure_redirects: + match_output: '0' + tag: CIS-3.2.3 + - net.ipv4.conf.default.secure_redirects: + match_output: '0' + tag: CIS-3.2.3 + description: Ensure secure ICMP redirects are not accepted + send_packet_redirect: + data: + CentOS Linux-7: + - net.ipv4.conf.all.send_redirects: + match_output: '0' + tag: CIS-3.1.2 + - net.ipv4.conf.default.send_redirects: + match_output: '0' + tag: CIS-3.1.2 + description: Ensure packet redirect sending is disabled + source_routed_packet_acceptance: + data: + CentOS Linux-7: + - net.ipv4.conf.all.accept_source_route: + match_output: '0' + tag: CIS-3.2.1 + - net.ipv4.conf.default.accept_source_route: + match_output: '0' + tag: CIS-3.2.1 + description: Ensure source routed packets are not accepted + tcp_syn_cookies: + data: + CentOS Linux-7: + - net.ipv4.tcp_syncookies: + match_output: '1' + tag: CIS-3.2.8 + description: Ensure TCP SYN Cookies is enabled diff --git a/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-1-0.yaml b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-1-0.yaml index 104a919..f71f8f8 100644 --- a/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-1-0.yaml 
+++ b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-1-0.yaml @@ -1,3 +1,21 @@ +# NOTE: This CIS Profile only includes Level 1 Scored Items for CentOS 7 +# NOTE: Within this file, there are a few sections that should be tailored to your +# organization's specific policy. Search for '# NOTE: ' comments through the file. + +# TODO: Checks that aren't implemented yet: +# 1.1.21 +# 1.7.1.1 +# 1.7.2 +# 3.6.5 +# 4.2.4 +# 5.4.2 +# 5.4.3 +# 6.1.10-12 +# 6.2.1 +# 6.2.5-19 + + + grep: blacklist: legacy_passwd_entries_group: 
@@ -48,62 +66,62 @@ grep: description: Ensure bootloader password is set chargen_disabled: data: - Red Hat Enterprise Server-7: + CentOS Linux-7: - /etc/xinetd.d/chargen-dgram: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.1 - /etc/xinetd.d/chargen-stream: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.1 description: Ensure chargen services are not enabled daytime_disabled: data: - Red Hat Enterprise Server-7: + CentOS Linux-7: - /etc/xinetd.d/daytime-dgram: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.2 - /etc/xinetd.d/daytime-stream: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.2 description: Ensure daytime services are not enabled discard_disabled: data: - Red Hat Enterprise Server-7: + CentOS Linux-7: - /etc/xinetd.d/discard-dgram: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.3 - /etc/xinetd.d/discard-stream: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.3 description: Ensure discard services are not enabled echo_disabled: data: - Red Hat Enterprise Server-7: + CentOS Linux-7: - /etc/xinetd.d/echo-dgram: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.4 - /etc/xinetd.d/echo-stream: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.4 description: Ensure echo services are not enabled time_disabled: data: - Red Hat Enterprise Server-7: + CentOS Linux-7: - /etc/xinetd.d/time-dgram: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.5 - /etc/xinetd.d/time-stream: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.5 description: Ensure time services are not enabled configure_ntp: 
@@ -235,6 +253,30 @@ grep: - '-r' tag: CIS-1.1.1.8 description: Ensure mounting of FAT filesystems is disabled + fstab_var_tmp_partition_nodev: + data: + CentOS Linux-7: + - /etc/fstab: + match_output: nodev + pattern: /var/tmp + tag: CIS-1.1.8 + description: Ensure nodev option set on /var/tmp partition + fstab_var_tmp_partition_nosuid: + data: + CentOS Linux-7: + - /etc/fstab: + match_output: nosuid + pattern: /var/tmp + tag: CIS-1.1.9 + description: Ensure nosuid option set on /var/tmp partition + fstab_var_tmp_partition_noexec: + data: + CentOS Linux-7: + - /etc/fstab: + match_output: noexec + pattern: /var/tmp + tag: CIS-1.1.10 + description: Ensure noexec option set on /var/tmp partition fstab_dev_shm_partition_nodev: data: CentOS Linux-7: @@ -465,7 +507,8 @@ grep: data: CentOS Linux-7: - /etc/ssh/sshd_config: - match_output: 'aes256-ctr,aes192-ctr,aes128-ctr' + match_output: '^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$' + match_output_regex: True pattern: Ciphers tag: CIS-5.2.11 description: Ensure only approved ciphers are used @@ -619,7 +662,7 @@ pkg: description: Ensure DHCP Server is not enabled slapd: data: - Red Hat Entetrprise Linux Server-7: + CentOS Linux-7: - openldap-servers: CIS-2.2.6 description: Ensure LDAP server is not enabled ftp: @@ -650,6 +693,11 @@ pkg: CentOS Linux-7: - rsh: CIS-2.3.2 description: Ensure rsh client is not installed + tftp-server2: + data: + CentOS Linux-7: + - tftp-server: CIS-2.1.6 + description: Ensure tftp server is not enabled talk-client: data: CentOS Linux-7: @@ -706,9 +754,6 @@ pkg: CentOS Linux-7: - aide: CIS-1.3.1 description: Ensure AIDE is installed - firewalld: - data: {} - description: Enable firewalld (Scored) tcp_wrappers: data: CentOS Linux-7: 
@@ -717,7 +762,7 @@ pkg: iptables: data: CentOS Linux-7: - - iptables: CIS-3.6.1_installed + - iptables: CIS-3.6.1 description: Ensure iptables is installed syslog: data: @@ -763,7 +808,7 @@ service: description: Ensure HTTP server is not enabled pop3_imap: data: - Red Hat Enterprise LInux Server-7: + CentOS Linux-7: - dovecot: CIS-2.2.11 description: Ensure IMAP and POP3 server is not enabled samba: @@ -782,31 +827,21 @@ service: - snmpd: CIS-2.2.14 description: Ensure SNMP Server is not enabled whitelist: - auditd_running: - data: - CentOS Linux-7: - - auditd: CIS-4.1.1.1_running - description: auditd should be running - crond_running: - data: - CentOS Linux-7: - - crond: CIS-5.1.1_running - description: Ensure cron daemon is enabled - iptables_running: - data: - CentOS Linux-7: - - iptables: CIS-3.6.1_running - description: Ensure iptables is installed rsyslogd_running: data: CentOS Linux-7: - - rsyslog: CIS-4.2.1.1_running + - rsyslog: CIS-4.2.1.1 description: Ensure rsyslog Service is enabled syslog-ng_running: data: CentOS Linux-7: - - syslog-ng: CIS-4.2.2.1_running + - syslog-ng: CIS-4.2.2.1 description: Ensure syslog-ng service is enabled + crond_running: + data: + CentOS Linux-7: + - crond: CIS-5.1.1 + description: Ensure cron daemon is enabled stat: at_cron_allow: data: @@ -1034,17 +1069,6 @@ stat: uid: 0 user: root description: Ensure permissions on /etc/ssh/sshd_config are configured - warning_banner_motd: - data: - CentOS Linux-7: - - /etc/motd: - gid: 0 - group: root - mode: 644 - tag: CIS-1.7.1.4 - uid: 0 - user: root - description: Ensure permissions on /etc/motd are configured warning_banner_issue: data: CentOS Linux-7: 
@@ -1056,17 +1080,6 @@ stat: uid: 0 user: root description: Ensure permissions on /etc/issue are configured - warning_banner_issue.net: - data: - CentOS Linux-7: - - /etc/issue.net: - gid: 0 - group: root - mode: 644 - tag: CIS-1.7.1.6 - uid: 0 - user: root - description: Ensure permissions on /etc/issue.net are configured sysctl: bad_error_message_protection: data: diff --git a/hubblestack_nova_profiles/cis/coreos-level-1.yaml b/hubblestack_nova_profiles/cis/coreos-level-1.yaml index 2754a1f..fa6e836 100644 --- a/hubblestack_nova_profiles/cis/coreos-level-1.yaml +++ b/hubblestack_nova_profiles/cis/coreos-level-1.yaml @@ -2,21 +2,21 @@ grep: blacklist: legacy_passwd_entries_group: data: - *CoreOS*: + '*CoreOS*': - /etc/group: pattern: '^+:' tag: CIS-6.2.4 description: Ensure no legacy "+" entries exist in /etc/group legacy_passwd_entries_passwd: data: - *CoreOS*: + '*CoreOS*': - /etc/passwd: pattern: '^+:' tag: CIS-6.2.2 description: Ensure no legacy "+" entries exist in /etc/passwd legacy_passwd_entries_shadow: data: - *CoreOS*: + '*CoreOS*': - /etc/shadow: pattern: '^+:' tag: CIS-6.2.3 @@ -24,7 +24,7 @@ grep: whitelist: activate_gpg_check: data: - *CoreOS*: + '*CoreOS*': - /etc/yum.conf: match_output: gpgcheck=1 pattern: gpgcheck @@ -32,7 +32,7 @@ grep: description: Ensure gpgcheck is globally activated aide_filesystem_scans: data: - *CoreOS*: + '*CoreOS*': - /etc/cron.d: pattern: aide grep_args: @@ -41,7 +41,7 @@ grep: description: Ensure filesystem integrity is regularly checked boot_loader_passwd: data: - *CoreOS*: + '*CoreOS*': - /etc/grub.conf: pattern: password tag: CIS-1.4.2 @@ -51,11 +51,11 @@ grep: Red Hat Enterprise Server-7: - /etc/xinetd.d/chargen-dgram: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.1 - /etc/xinetd.d/chargen-stream: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.1 description: Ensure chargen services are not enabled daytime_disabled: 
@@ -63,11 +63,11 @@ grep: Red Hat Enterprise Server-7: - /etc/xinetd.d/daytime-dgram: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.2 - /etc/xinetd.d/daytime-stream: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.2 description: Ensure daytime services are not enabled discard_disabled: @@ -75,11 +75,11 @@ grep: Red Hat Enterprise Server-7: - /etc/xinetd.d/discard-dgram: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.3 - /etc/xinetd.d/discard-stream: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.3 description: Ensure discard services are not enabled echo_disabled: @@ -87,11 +87,11 @@ grep: Red Hat Enterprise Server-7: - /etc/xinetd.d/echo-dgram: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.4 - /etc/xinetd.d/echo-stream: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.4 description: Ensure echo services are not enabled time_disabled: @@ -99,16 +99,16 @@ grep: Red Hat Enterprise Server-7: - /etc/xinetd.d/time-dgram: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.5 - /etc/xinetd.d/time-stream: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.5 description: Ensure time services are not enabled configure_ntp: data: - *CoreOS*: + '*CoreOS*': - /etc/ntp.conf: pattern: ^restrict match_output: default @@ -125,7 +125,7 @@ grep: description: Ensure ntp is configured configure_chrony: data: - *CoreOS*: + '*CoreOS*': - /etc/chrony.conf: tag: CIS-2.2.1.3 pattern: '^server' @@ -135,7 +135,7 @@ grep: description: Ensure chrony is configured local_mail: data: - *CoreOS*: + '*CoreOS*': - /etc/postfix/main.cf: pattern: ^inet_interfaces match_output: localhost @@ -143,7 +143,7 @@ grep: description: Ensure mail transfer agent is configured for local-only mode default_umask: data: - *CoreOS*: + '*CoreOS*': - /etc/bashrc: pattern: umask match_pattern: '027' 
@@ -157,7 +157,7 @@ grep: description: Ensure default user umask is 027 or more restrictive disable_mount_cramfs: data: - *CoreOS*: + '*CoreOS*': - /etc/modprobe.d: match_output: /bin/true pattern: cramfs @@ -167,7 +167,7 @@ grep: description: Ensure mounting of cramfs filesystems is disabled disable_mount_freevxfs: data: - *CoreOS*: + '*CoreOS*': - /etc/modprobe.d: match_output: /bin/true pattern: freevxfs @@ -177,7 +177,7 @@ grep: description: Ensure mounting of freevxfs filesystems is disabled disable_mount_jffs2: data: - *CoreOS*: + '*CoreOS*': - /etc/modprobe.d: match_output: /bin/true pattern: jffs2 @@ -187,7 +187,7 @@ grep: description: Ensure mounting of jffs2 filesystems is disabled disable_mount_hfs: data: - *CoreOS*: + '*CoreOS*': - /etc/modprobe.d: match_output: /bin/true pattern: hfs @@ -197,7 +197,7 @@ grep: description: Ensure mounting of hfs filesystems is disabled disable_mount_hfsplus: data: - *CoreOS*: + '*CoreOS*': - /etc/modprobe.d: match_output: /bin/true pattern: hfsplus @@ -207,7 +207,7 @@ grep: description: Ensure mounting of hfsplus filesystems is disabled disable_mount_squashfs: data: - *CoreOS*: + '*CoreOS*': - /etc/modprobe.d: match_output: /bin/true pattern: squashfs @@ -217,7 +217,7 @@ grep: description: Ensure mounting of squashfs filesystems is disabled disable_mount_udf: data: - *CoreOS*: + '*CoreOS*': - /etc/modprobe.d: match_output: /bin/true pattern: udf @@ -227,7 +227,7 @@ grep: description: Ensure mounting of udf filesystems is disabled disable_mount_fat: data: - *CoreOS*: + '*CoreOS*': - /etc/modprobe.d: match_output: /bin/true pattern: vfat @@ -237,7 +237,7 @@ grep: description: Ensure mounting of FAT filesystems is disabled fstab_dev_shm_partition_nodev: data: - *CoreOS*: + '*CoreOS*': - /etc/fstab: match_output: nodev pattern: /dev/shm 
@@ -245,7 +245,7 @@ grep: description: Ensure nodev option set on /dev/shm partition fstab_dev_shm_partition_noexec: data: - *CoreOS*: + '*CoreOS*': - /etc/fstab: match_output: noexec pattern: /dev/shm @@ -253,7 +253,7 @@ grep: description: Ensure noexec option set on /dev/shm partition fstab_dev_shm_partition_nosuid: data: - *CoreOS*: + '*CoreOS*': - /etc/fstab: match_output: nosuid pattern: /dev/shm @@ -261,7 +261,7 @@ grep: description: Ensure nosuid option set on /dev/shm partition fstab_home_partition_nodev: data: - *CoreOS*: + '*CoreOS*': - /etc/fstab: match_output: nodev pattern: /home @@ -269,7 +269,7 @@ grep: description: Ensure nodev option set on /home partition fstab_tmp_partition_nodev: data: - *CoreOS*: + '*CoreOS*': - /etc/fstab: match_output: nodev pattern: /tmp @@ -277,7 +277,7 @@ grep: description: Ensure nodev option set on /tmp partition fstab_tmp_partition_noexec: data: - *CoreOS*: + '*CoreOS*': - /etc/fstab: match_output: noexec pattern: /tmp @@ -285,7 +285,7 @@ grep: description: Ensure noexec option set on /tmp partition fstab_tmp_partition_nosuid: data: - *CoreOS*: + '*CoreOS*': - /etc/fstab: match_output: nosuid pattern: /tmp @@ -293,21 +293,21 @@ grep: description: Ensure nosuid option set on /tmp partition hosts_allow: data: - *CoreOS*: + '*CoreOS*': - /etc/hosts.allow: pattern: ALL tag: CIS-3.4.2 description: Ensure /etc/hosts.allow is configured hosts_deny: data: - *CoreOS*: + '*CoreOS*': - /etc/hosts.deny: pattern: ALL tag: CIS-3.4.3 description: Ensure /etc/hosts.deny is configured firewall_default_deny: data: - *CoreOS*: + '*CoreOS*': - /etc/sysconfig/iptables: pattern: :INPUT match_output: DROP @@ -323,7 +323,7 @@ grep: description: Ensure default deny firewall policy firewall_accept_lo: data: - *CoreOS*: + '*CoreOS*': - /etc/sysconfig/iptables: pattern: lo match_output: ACCEPT 
@@ -331,7 +331,7 @@ grep: description: Ensure loopback traffic is configured rsyslog_file_perms: data: - *CoreOS*: + '*CoreOS*': - /etc/rsyslog.conf: pattern: '^\$FileCreateMode' match_output: '0640' @@ -339,14 +339,14 @@ grep: description: Ensure rsyslog default file permissions configured rsyslog_remote_logging: data: - *CoreOS*: + '*CoreOS*': - /etc/rsyslog.conf: pattern: ^*.*[^I][^I]*@ tag: CIS-4.2.1.4 description: Ensure rsyslog is configured to send logs to a remote log host syslog-ng_file_perms: data: - *CoreOS*: + '*CoreOS*': - /etc/syslog-ng/syslog-ng.conf: pattern: ^options match_output: 'perm(0640)' @@ -354,7 +354,7 @@ grep: description: Ensure syslog-ng default file permissions configured limit_password_reuse: data: - *CoreOS*: + '*CoreOS*': - /etc/pam.d/system-auth: pattern: '"^password\s+sufficient\s+pam_unix\.so.*"' match_output: remember=5 @@ -364,7 +364,7 @@ grep: description: Ensure password reuse is limited password_hash: data: - *CoreOS*: + '*CoreOS*': - /etc/pam.d/password-auth: pattern: '"^password\s+\w+\s+pam_unix\.so"' match_output: sha512 @@ -374,7 +374,7 @@ grep: description: Ensure password hashing algorithm is SHA-512 limit_su_command_access: data: - *CoreOS*: + '*CoreOS*': - /etc/pam.d/su: match_output: use_uid pattern: pam_wheel.so @@ -385,7 +385,7 @@ grep: description: Ensure access to the su command is restricted pam_pwquality_try_first_pass: data: - *CoreOS*: + '*CoreOS*': - /etc/pam.d/system-auth: match_output: try_first_pass pattern: pam_pwquality.so @@ -417,7 +417,7 @@ grep: description: Ensure password creation requirements are configured passwd_change_min_days: data: - *CoreOS*: + '*CoreOS*': - /etc/login.defs: match_output: '7' pattern: PASS_MIN_DAYS @@ -425,7 +425,7 @@ grep: description: Ensure minimum days between password changes is 7 or more passwd_expiration_days: data: - *CoreOS*: + '*CoreOS*': - /etc/login.defs: match_output: '90' pattern: PASS_MAX_DAYS 
@@ -433,7 +433,7 @@ grep: description: Ensure password expiration is 90 days or less passwd_expiry_warning: data: - *CoreOS*: + '*CoreOS*': - /etc/login.defs: match_output: '7' pattern: PASS_WARN_AGE @@ -441,14 +441,14 @@ grep: description: Ensure password expiration warning days is 7 or more passwd_inactive: data: - *CoreOS*: + '*CoreOS*': - /etc/default/useradd: pattern: INACTIVE=30 tag: CIS-5.4.1.4 description: Ensure inactive password lock is 30 days or less restrict_core_dumps: data: - *CoreOS*: + '*CoreOS*': - /etc/security/limits.conf: match_output: '0' pattern: hard core @@ -456,29 +456,30 @@ grep: description: Ensure core dumps are restricted rsyslog_remote_logging: data: - *CoreOS*: + '*CoreOS*': - /etc/rsyslog.conf: pattern: ^*.*[^I][^I]*@ tag: CIS-4.2.1.4 description: Ensure rsyslog is configured to send logs to a remote log host sshd_approved_cipher: data: - *CoreOS*: + '*CoreOS*': - /etc/ssh/sshd_config: - match_output: 'aes256-ctr,aes192-ctr,aes128-ctr' + match_output: '^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$' + match_output_regex: True pattern: Ciphers tag: CIS-5.2.11 description: Ensure only approved ciphers are used sshd_banner: data: - *CoreOS*: + '*CoreOS*': - /etc/ssh/sshd_config: pattern: ^Banner tag: CIS-5.2.16 description: Ensure SSH warning banner is configured sshd_disable_root_login: data: - *CoreOS*: + '*CoreOS*': - /etc/ssh/sshd_config: match_output: PermitRootLogin no pattern: ^PermitRootLogin @@ -486,7 +487,7 @@ grep: description: Ensure SSH root login is disabled sshd_hostbased_auth: data: - *CoreOS*: + '*CoreOS*': - /etc/ssh/sshd_config: match_output: HostbasedAuthentication no pattern: ^HostbasedAuthentication 
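Review bot: in the `sshd_approved_cipher` hunk, `pattern: Ciphers` stays unanchored while every neighbouring sshd check uses a `^`-anchored pattern, so a commented-out `#Ciphers ...` line is still selected by the grep step; use `pattern: ^Ciphers` for consistency. The six-way enumeration in `match_output` also fails on any extra whitespace and will not scale if a fourth approved cipher is ever added; a single order-independent regex such as `^Ciphers\s+(?=.*aes256-ctr)(?=.*aes192-ctr)(?=.*aes128-ctr)(aes(128|192|256)-ctr,?){3}\s*$` expresses the same policy in one line.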
@@ -494,7 +495,7 @@ grep: description: Ensure SSH HostbasedAuthentication is disabled sshd_idle_timeout: data: - *CoreOS*: + '*CoreOS*': - /etc/ssh/sshd_config: match_output: ClientAliveInterval 300 pattern: ^ClientAliveInterval @@ -506,7 +507,7 @@ grep: description: Ensure SSH Idle Timeout Interval is configured sshd_gracetime: data: - *CoreOS*: + '*CoreOS*': - /etc/ssh/sshd_config: pattern: ^LoginGraceTime match_output: '60' @@ -514,7 +515,7 @@ grep: description: Ensure SSH LoginGraceTime is set to one minute or less sshd_ignore_rhosts: data: - *CoreOS*: + '*CoreOS*': - /etc/ssh/sshd_config: match_output: IgnoreRhosts yes pattern: ^IgnoreRhosts @@ -522,7 +523,7 @@ grep: description: Ensure SSH IgnoreRhosts is enabled sshd_limit_access: data: - *CoreOS*: + '*CoreOS*': - /etc/ssh/sshd_config: pattern: ^AllowUsers tag: CIS-5.2.15 @@ -538,7 +539,7 @@ grep: description: Ensure SSH access is limited sshd_loglevel_info: data: - *CoreOS*: + '*CoreOS*': - /etc/ssh/sshd_config: match_output: LogLevel INFO pattern: ^LogLevel @@ -546,7 +547,7 @@ grep: description: Ensure SSH LogLevel is set to INFO sshd_max_auth_retries: data: - *CoreOS*: + '*CoreOS*': - /etc/ssh/sshd_config: match_output: MaxAuthTries 4 pattern: ^MaxAuthTries @@ -554,7 +555,7 @@ grep: description: Ensure SSH MaxAuthTries is set to 4 or less sshd_permit_empty_passwords: data: - *CoreOS*: + '*CoreOS*': - /etc/ssh/sshd_config: match_output: PermitEmptyPasswords no pattern: ^PermitEmptyPasswords @@ -562,7 +563,7 @@ grep: description: Ensure SSH PermitEmptyPasswords is disabled sshd_permit_user_environment: data: - *CoreOS*: + '*CoreOS*': - /etc/ssh/sshd_config: match_output: PermitUserEnvironment no pattern: ^PermitUserEnvironment @@ -570,7 +571,7 @@ grep: description: Ensure SSH PermitUserEnvironment is disabled sshd_protocol_2: data: - *CoreOS*: + '*CoreOS*': - /etc/ssh/sshd_config: match_output: Protocol 2 pattern: ^Protocol 
@@ -578,7 +579,7 @@ grep: description: Ensure SSH Protocol is set to 2 sshd_x11_forwarding: data: - *CoreOS*: + '*CoreOS*': - /etc/ssh/sshd_config: match_output: X11Forwarding no pattern: ^X11Forwarding @@ -586,7 +587,7 @@ grep: description: Ensure SSH X11 forwarding is disabled lockout_account: data: - *CoreOS*: + '*CoreOS*': - /etc/pam.d/system-auth: pattern: '"^auth\s+required\s+pam_faillock\.so.*"' match_output: deny=5 @@ -604,32 +605,32 @@ service: blacklist: autofs: data: - *CoreOS*: + '*CoreOS*': - autofs: CIS-1.1.22 description: Disable Automounting rsync: data: - *CoreOS*: + '*CoreOS*': - rsyncd: CIS-2.2.20 description: Ensure rsync service is not enabled nfs: data: - *CoreOS*: + '*CoreOS*': - nfs: CIS-2.2.7 description: Ensure NFS and RPC are not enabled rpc: data: - *CoreOS*: + '*CoreOS*': - rpcbind: CIS-2.2.7 description: Ensure NFS and RPC are not enabled named: data: - *CoreOS*: + '*CoreOS*': - named: CIS-2.2.8 description: Ensure DNS Server is not enabled httpd: data: - *CoreOS*: + '*CoreOS*': - httpd: CIS-2.2.10 description: Ensure HTTP server is not enabled pop3_imap: 
@@ -639,60 +640,57 @@ service: description: Ensure IMAP and POP3 server is not enabled samba: data: - *CoreOS*: + '*CoreOS*': - smb: CIS-2.2.12 description: Ensure Samba is not enabled http_proxy: data: - *CoreOS*: + '*CoreOS*': - squid: CIS-2.2.13 description: Ensure HTTP Proxy Server is not enabled snmp: data: - *CoreOS*: + '*CoreOS*': - snmpd: CIS-2.2.14 description: Ensure SNMP Server is not enabled whitelist: auditd_running: data: - *CoreOS*: - - auditd: CIS-4.1.1.1_running + '*CoreOS*': + - auditd: CIS-4.1.1.1 description: auditd should be running crond_running: data: - *CoreOS*: - - crond: CIS-5.1.1_running + '*CoreOS*': + - crond: CIS-5.1.1 description: Ensure cron daemon is enabled iptables_running: data: - *CoreOS*: - - iptables: CIS-3.6.1_running + '*CoreOS*': + - iptables: CIS-3.6.1 description: Ensure iptables is installed rsyslogd_running: data: - *CoreOS*: - - rsyslog: CIS-4.2.1.1_running + '*CoreOS*': + - rsyslog: CIS-4.2.1.1 description: Ensure rsyslog Service is enabled syslog-ng_running: data: - *CoreOS*: - - syslog-ng: CIS-4.2.2.1_running + '*CoreOS*': + - syslog-ng: CIS-4.2.2.1 description: Ensure syslog-ng service is enabled + sshd_approved_macs: + data: + '*CoreOS*': + - /etc/ssh/sshd_config: + match_output: 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com' + pattern: ^MACs + tag: CIS-5.2.12 + description: Ensure only approved MAC algorithms are used stat: - at_allow: - data: - *CoreOS*: - - /etc/at.allow: - gid: 0 - group: root - mode: 600 - tag: CIS-5.1.8 - uid: 0 - user: root - description: /etc/at.allow must be owned by root and have persmissions 600 (Scored) at_cron_allow: data: - *CoreOS*: + '*CoreOS*': - /etc/cron.deny: gid: 0 group: root @@ -724,7 +722,7 @@ stat: description: Ensure at/cron is restricted to authorized users cron_d: data: - *CoreOS*: + '*CoreOS*': - /etc/cron.d: gid: 0 group: root 
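Review bot: `sshd_approved_macs` is inserted under `service: whitelist:` (it follows `syslog-ng_running` and precedes `stat:`), but it is a grep-style check carrying a file path, `pattern` and `match_output`; the service module will treat `/etc/ssh/sshd_config` as a service name and the check can never pass. Move it to `grep: whitelist:` next to `sshd_approved_cipher`. Unlike the cipher check its `match_output` is a plain string of six MACs in one fixed order, so the same approved set in any other order fails; and the `at_allow` stat check (CIS-5.1.8) is dropped here with no replacement and no note in the commit.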
@@ -735,7 +733,7 @@ stat: description: Ensure permissions on /etc/cron.d are configured cron_daily: data: - *CoreOS*: + '*CoreOS*': - /etc/cron.daily: gid: 0 group: root @@ -746,7 +744,7 @@ stat: description: Ensure permissions on /etc/cron.daily are configured cron_hourly: data: - *CoreOS*: + '*CoreOS*': - /etc/cron.hourly: gid: 0 group: root @@ -757,7 +755,7 @@ stat: description: Ensure permissions on /etc/cron.hourly are configured cron_monthly: data: - *CoreOS*: + '*CoreOS*': - /etc/cron.monthly: gid: 0 group: root @@ -768,7 +766,7 @@ stat: description: Ensure permissions on /etc/cron.monthly are configured cron_weekly: data: - *CoreOS*: + '*CoreOS*': - /etc/cron.weekly: gid: 0 group: root @@ -779,7 +777,7 @@ stat: description: Ensure permissions on /etc/cron.weekly are configured crontab: data: - *CoreOS*: + '*CoreOS*': - /etc/crontab: gid: 0 group: root @@ -790,7 +788,7 @@ stat: description: Ensure permissions on /etc/crontab are configured passwd_own_perm: data: - *CoreOS*: + '*CoreOS*': - /etc/passwd: group: root tag: CIS-6.1.2 @@ -799,7 +797,7 @@ stat: description: Ensure permissions on /etc/passwd are configured shadow_own_perm: data: - *CoreOS*: + '*CoreOS*': - /etc/shadow: gid: 0 group: root @@ -810,7 +808,7 @@ stat: description: Ensure permissions on /etc/shadow are configured group_own_perm: data: - *CoreOS*: + '*CoreOS*': - /etc/group: gid: 0 group: root @@ -821,7 +819,7 @@ stat: description: Ensure permissions on /etc/group are configured gshadow_own_perm: data: - *CoreOS*: + '*CoreOS*': - /etc/gshadow: gid: 0 group: root @@ -832,7 +830,7 @@ stat: description: Ensure permissions on /etc/gshadow are configured passwd-_own_perm: data: - *CoreOS*: + '*CoreOS*': - /etc/passwd-: group: root tag: CIS-6.1.6 @@ -841,7 +839,7 @@ stat: description: Ensure permissions on /etc/passwd- are configured shadow-_own_perm: data: - *CoreOS*: + '*CoreOS*': - /etc/shadow-: gid: 0 group: root 
@@ -852,7 +850,7 @@ stat: description: Ensure permissions on /etc/shadow- are configured group-_own_perm: data: - *CoreOS*: + '*CoreOS*': - /etc/group-: gid: 0 group: root @@ -863,7 +861,7 @@ stat: description: Ensure permissions on /etc/group- are configured gshadow-_own_perm: data: - *CoreOS*: + '*CoreOS*': - /etc/gshadow-: gid: 0 group: root @@ -874,7 +872,7 @@ stat: description: Ensure permissions on /etc/gshadow- are configured grub_conf_own_perm: data: - *CoreOS*: + '*CoreOS*': - /etc/grub.conf: gid: 0 group: root @@ -885,7 +883,7 @@ stat: description: Ensure permissions on bootloader config are configured hosts_allow: data: - *CoreOS*: + '*CoreOS*': - /etc/hosts.allow: gid: 0 group: root @@ -896,7 +894,7 @@ stat: description: Ensure permissions on /etc/hosts.allow are configured hosts_deny: data: - *CoreOS*: + '*CoreOS*': - /etc/hosts.deny: gid: 0 group: root @@ -907,7 +905,7 @@ stat: description: Ensure permissions on /etc/hosts.deny are 644 sshd_config: data: - *CoreOS*: + '*CoreOS*': - /etc/ssh/sshd_config: gid: 0 group: root @@ -918,7 +916,7 @@ stat: description: Ensure permissions on /etc/ssh/sshd_config are configured warning_banner_motd: data: - *CoreOS*: + '*CoreOS*': - /etc/motd: gid: 0 group: root @@ -929,7 +927,7 @@ stat: description: Ensure permissions on /etc/motd are configured warning_banner_issue: data: - *CoreOS*: + '*CoreOS*': - /etc/issue: gid: 0 group: root @@ -940,7 +938,7 @@ stat: description: Ensure permissions on /etc/issue are configured warning_banner_issue.net: data: - *CoreOS*: + '*CoreOS*': - /etc/issue.net: gid: 0 group: root @@ -952,14 +950,14 @@ stat: sysctl: bad_error_message_protection: data: - *CoreOS*: + '*CoreOS*': - net.ipv4.icmp_ignore_bogus_error_responses: match_output: '1' tag: CIS-3.2.6 description: Ensure bogus ICMP responses are ignored icmp_redirect_acceptance: data: - *CoreOS*: + '*CoreOS*': - net.ipv4.conf.all.accept_redirects: match_output: '0' tag: CIS-3.2.2 
@@ -969,21 +967,21 @@ sysctl: description: Ensure ICMP redirects are not accepted ignore_broadcast_requests: data: - *CoreOS*: + '*CoreOS*': - net.ipv4.icmp_echo_ignore_broadcasts: match_output: '1' tag: CIS-3.2.5 description: Ensure broadcast ICMP requests are ignored ip_forwarding: data: - *CoreOS*: + '*CoreOS*': - net.ipv4.ip_forward: match_output: '0' tag: CIS-3.1.1 description: Ensure IP forwarding is disabled log_suspicious_packets: data: - *CoreOS*: + '*CoreOS*': - net.ipv4.conf.all.log_martians: match_output: '1' tag: CIS-3.2.4 @@ -993,7 +991,7 @@ sysctl: description: Ensure suspicious packets are logged ipv6_adverts: data: - *CoreOS*: + '*CoreOS*': - net.ipv6.conf.all.accept_ra: match_output: '0' tag: CIS-3.3.1 @@ -1003,7 +1001,7 @@ sysctl: description: Ensure IPv6 router advertisements are not accepted ipv6_redir: data: - *CoreOS*: + '*CoreOS*': - net.ipv6.conf.all.accept_redirects: match_output: '0' tag: CIS-3.3.2 @@ -1013,21 +1011,21 @@ sysctl: description: Ensure IPv6 redirects are not accepted randomize_va_space: data: - *CoreOS*: + '*CoreOS*': - kernel.randomize_va_space: match_output: '2' tag: CIS-1.5.3 description: Ensure address space layout randomization (ASLR) is enabled restrict_suid_core_dumps: data: - *CoreOS*: + '*CoreOS*': - fs.suid_dumpable: match_output: '0' tag: CIS-1.5.1 description: Ensure core dumps are restricted secure_icmp_redirect_acceptance: data: - *CoreOS*: + '*CoreOS*': - net.ipv4.conf.all.secure_redirects: match_output: '0' tag: CIS-3.2.3 @@ -1037,7 +1035,7 @@ sysctl: description: Ensure secure ICMP redirects are not accepted send_packet_redirect: data: - *CoreOS*: + '*CoreOS*': - net.ipv4.conf.all.send_redirects: match_output: '0' tag: CIS-3.1.2 @@ -1047,7 +1045,7 @@ sysctl: description: Ensure packet redirect sending is disabled source_routed_packet_acceptance: data: - *CoreOS*: + '*CoreOS*': - net.ipv4.conf.all.accept_source_route: match_output: '0' tag: CIS-3.2.1 
@@ -1057,8 +1055,26 @@ sysctl: description: Ensure source routed packets are not accepted tcp_syn_cookies: data: - *CoreOS*: + '*CoreOS*': - net.ipv4.tcp_syncookies: match_output: '1' tag: CIS-3.2.8 description: Ensure TCP SYN Cookies is enabled + reverse_path_filtering: + data: + '*CoreOS*': + - net.ipv4.conf.all.rp_filter: + match_output: '1' + tag: CIS-3.2.7 + - net.ipv4.conf.default.rp_filter: + match_output: '1' + tag: CIS-3.2.7 + description: Ensure Reverse Path Filtering is enabled + +misc: + check_all_ports_firewall_rules: + data: + '*CoreOS*': + tag: CIS-3.6.5 + function: check_all_ports_firewall_rules + description: Ensure firewall rules exist for all open ports diff --git a/hubblestack_nova_profiles/cis/debian-7.yaml b/hubblestack_nova_profiles/cis/debian-7.yaml new file mode 100644 index 0000000..1e199d7 --- /dev/null +++ b/hubblestack_nova_profiles/cis/debian-7.yaml 
@@ -0,0 +1,719 @@ +# This profile is temporary, and is a copy-paste from the +# debian-8-level-1-scored-v1-0-0.yaml. Eventually it should be replaced +# with a Debian-7 official one. + +grep: + whitelist: + + local_only_mta: + data: + Debian*7: + - '/etc/exim4/update-exim4.conf': + tag: 'CIS-6.15' + pattern: "^dc_local_interfaces = '127.0.0.1'" + description: Configure Mail Transfer Agent for Local-Only Mode + + fstab_tmp_partition: + data: + Debian*7: + - '/etc/fstab': + tag: 'CIS-2.1' + pattern: '/tmp' + description: Create Separate Partition for /tmp + + fstab_tmp_partition_nodev: + data: + Debian*7: + - '/etc/fstab': + tag: 'CIS-2.2' + pattern: '/tmp' + match_output: 'nodev' + description: Set nodev option for /tmp Partition + + fstab_tmp_partition_nosuid: + data: + Debian*7: + - '/etc/fstab': + tag: 'CIS-2.3' + pattern: '/tmp' + match_output: 'nosuid' + description: Set nosuid option for /tmp Partition + + fstab_tmp_partition_noexec: + data: + Debian*7: + - '/etc/fstab': + tag: 'CIS-2.4' + pattern: '/tmp' + match_output: 'nosuid' + description: Set noexec option for /tmp Partition + + fstab_var_partition: + data: + Debian*7: + - '/etc/fstab': + tag: 'CIS-2.5' + pattern: '/var' + description: Create Separate Partition for /var + + fstab_var_tmp_bind_mount: + data: + Debian*7: + - '/etc/fstab': + tag: 'CIS-2.6' + pattern: '/var' + match_output: '/var/tmp' + description: Bind Mount the /var/tmp directory to /tmp + + fstab_var_log_partition: + data: + Debian*7: + - '/etc/fstab': + tag: 'CIS-2.7' + pattern: '/var/log' + description: Create Separate Partition for /var/log + + fstab_var_log_audit_partition: + data: + Debian*7: + - '/etc/fstab': + tag: 'CIS-2.8' + pattern: '/var/log/audit' + description: Create Separate Partition for /var/log/audit + + fstab_home_partition: + data: + Debian*7: + - '/etc/fstab': + tag: 'CIS-2.9' + pattern: '/home' + description: Create Separate Partition for /home + + fstab_home_partition_nodev: + data: + Debian*7: + - '/etc/fstab': + 
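Review bot: `fstab_tmp_partition_noexec` (CIS-2.4) has `match_output: 'nosuid'` while its description says noexec, so it duplicates CIS-2.3 and passes on a `/tmp` line that lacks `noexec`. It should be `match_output: 'noexec'`, as the `/dev/shm` counterpart (CIS-2.16) later in this file has. Since the header says this file is a copy of debian-8-level-1-scored-v1-0-0.yaml, the same key there needs checking.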
tag: 'CIS-2.10' + pattern: '/home' + match_output: 'nodev' + description: Add nodev Option to /home + + fstab_dev_shm_partition_nodev: + data: + Debian*7: + - '/etc/fstab': + tag: 'CIS-2.14' + pattern: '/dev/shm' + match_output: 'nodev' + description: Add nodev Option to /run/shm Partition + + fstab_dev_shm_partition_nosuid: + data: + Debian*7: + - '/etc/fstab': + tag: 'CIS-2.15' + pattern: '/dev/shm' + match_output: 'nosuid' + description: Add nosuid Option to /run/shm Partition + + fstab_dev_shm_partition_noexec: + data: + Debian*7: + - '/etc/fstab': + tag: 'CIS-2.16' + pattern: '/dev/shm' + match_output: 'noexec' + description: Add noexec Option to /run/shm Partition + + configure_ntp: + data: + Debian*7: + - '/etc/ntp.conf': + tag: 'CIS-6.5' + pattern: 'restrict default' + description: Configure Network Time Protocol (NTP) + + rsyslog_remote_logging: + data: + Debian*7: + - '/etc/rsyslog.conf': + tag: 'CIS-8.2.5' + pattern: "^*.*[^I][^I]*@" + description: Configure rsyslog to Send Logs to a Remote Log Host + + passwd_limit_reuse: + data: + Debian*7: + - '/etc/pam.d/common-password': + tag: 'CIS-9.2.3' + pattern: "remember" + match_output: "5" + description: Limit Password Reuse + + sshd_protocol_2: + data: + Debian*7: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.1' + pattern: "^Protocol" + match_output: 'Protocol 2' + description: Set SSH Protocol to 2 + + sshd_loglevel_info: + data: + Debian*7: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.2' + pattern: "^LogLevel" + match_output: 'LogLevel INFO' + description: Set LogLevel to INFO + + sshd_x11_forwarding: + data: + Debian*7: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.4' + pattern: "^X11Forwarding" + match_output: 'X11Forwarding no' + description: Disable SSH X11 Forwarding + + sshd_max_auth_retries: + data: + Debian*7: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.5' + pattern: "^MaxAuthTries" + match_output: "MaxAuthTries 4" + description: Set SSH MaxAuthTries to 4 or Less + + sshd_ignore_rhosts: + data: + 
Debian*7: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.6' + pattern: "^IgnoreRhosts" + match_output: "IgnoreRhosts yes" + description: Set SSH IgnoreRhosts to Yes + + sshd_hostbased_auth: + data: + Debian*7: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.7' + pattern: "^HostbasedAuthentication" + match_output: "HostbasedAuthentication no" + description: Set SSH HostbasedAuthentication to No + + sshd_disable_root_login: + data: + Debian*7: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.8' + pattern: "^PermitRootLogin" + match_output: "PermitRootLogin no" + description: Disable SSH Root Login + + sshd_permit_empty_passwords: + data: + Debian*7: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.9' + pattern: "^PermitEmptyPasswords" + match_output: "PermitEmptyPasswords no" + description: Set SSH PermitEmptyPasswords to No + + sshd_permit_user_environment: + data: + Debian*7: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.10' + pattern: "^PermitUserEnvironment" + match_output: "PermitUserEnvironment no" + description: Do Not Allow Users to Set Environment Options + + sshd_approved_cipher: + data: + Debian*7: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.11' + pattern: "Ciphers" + match_output: "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$" + match_output_regex: True + description: Use Only Approved Cipher in Counter Mode + + sshd_idle_timeout: + data: + Debian*7: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.12' + pattern: "^ClientAliveInterval" + match_output: "ClientAliveInterval 300" + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.12' + pattern: "^ClientAliveCountMax" + match_output: "ClientAliveCountMax 0" + description: Set Idle Timeout Interval for User Login + + sshd_limit_access: + data: + Debian*7: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.13' + pattern: "^AllowUsers" + - 
'/etc/ssh/sshd_config': + tag: 'CIS-9.3.13' + pattern: "^AllowGroups" + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.13' + pattern: "^DenyUsers" + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.13' + pattern: "^DenyGroups" + description: Limit Access via SSH + + sshd_banner: + data: + Debian*7: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.14' + pattern: "^Banner" + description: Set SSH Banner + + restrict_access_su: + data: + Debian*7: + - '/etc/pam.d/su': + tag: 'CIS-9.5' + pattern: "pam_wheel.so" + description: Restrict Access to the su Command + + passwd_expiration_days: + data: + Debian*7: + - '/etc/login.defs': + tag: 'CIS-10.1.1' + pattern: "PASS_MAX_DAYS" + match_output: "90" + description: Set Password Expiration Days + + passwd_change_min_days: + data: + Debian*7: + - '/etc/login.defs': + tag: 'CIS-10.1.2' + pattern: "PASS_MIN_DAYS" + match_output: "7" + description: Set Password Change Minimum Number of Days + + passwd_expiry_warning: + data: + Debian*7: + - '/etc/login.defs': + tag: 'CIS-10.1.3' + pattern: "PASS_WARN_AGE" + match_output: "7" + description: Set Password Expiring Warning Days + + default_umask: + data: + Debian*7: + - '/etc/bash.bashrc': + tag: 'CIS-10.4' + pattern: "^umask 077" + - '/etc/profile.d/*': + tag: 'CIS-10.4' + pattern: "^umask 077" + description: Set Default umask for Users + +stat: + grub_conf_own: + data: + Debian*7: + - '/boot/grub/grub.cfg': + tag: 'CIS-3.1' + user: 'root' + group: 'root' + description: Set User/Group Owner on bootloader config + + grub_conf_perm: + data: + Debian*7: + - '/boot/grub/grub.cfg': + tag: 'CIS-3.2' + mode: 600 + description: Set Permissions on bootloader config + + boot_loader_passwd: + data: + Debian*7: + - '/boot/grub/grub.cfg': + tag: 'CIS-3.3' + pattern: "^password" + description: Set Boot Loader Password + + restrict_core_dumps: + data: + Debian*7: + - '/etc/security/limits.conf': + tag: 'CIS-4.1' + pattern: 'hard core' + description: Restrict Core Dumps + + cron_hourly: + data: + Debian*7: + - 
'/etc/cron.hourly': + tag: 'CIS-9.1.3' + mode: 700 + user: 'root' + group: 'root' + description: Set User/Group Owner and Permission on /etc/cron.hourly + + cron_daily: + data: + Debian*7: + - '/etc/cron.daily': + tag: 'CIS-9.1.4' + mode: 700 + user: 'root' + group: 'root' + description: Set User/Group Owner and Permission on /etc/cron.daily + + cron_weekly: + data: + Debian*7: + - '/etc/cron.weekly': + tag: 'CIS-9.1.5' + mode: 700 + user: 'root' + group: 'root' + description: Set User/Group Owner and Permission on /etc/cron.weekly + + cron_monthly: + data: + Debian*7: + - '/etc/cron.monthly': + tag: 'CIS-9.1.6' + mode: 700 + user: 'root' + group: 'root' + description: Set User/Group Owner and Permission on /etc/cron.monthly + + cron_d: + data: + Debian*7: + - '/etc/cron.d': + tag: 'CIS-9.1.7' + mode: 700 + user: 'root' + group: 'root' + description: Set User/Group Owner and Permission on /etc/cron.d + + sshd_config: + data: + Debian*7: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.3' + mode: 600 + user: 'root' + group: 'root' + description: Set Permissions on /etc/ssh/sshd_config + + passwd_perm: + data: + Debian*7: + - '/etc/passwd': + tag: 'CIS-12.1' + mode: 644 + description: Verify Permissions on /etc/passwd + + passwd_own: + data: + Debian*7: + - '/etc/passwd': + tag: 'CIS-12.4' + user: 'root' + group: 'root' + description: Verify User/Group Ownership on /etc/passwd + + shadow_perm: + data: + Debian*7: + - '/etc/shadow': + tag: 'CIS-12.2' + mode: 640 + description: Verify Permissions on /etc/shadow + + shadow_own: + data: + Debian*7: + - '/etc/shadow': + tag: 'CIS-12.5' + user: 'root' + group: 'root' + description: Verify User/Group Ownership on /etc/shadow + + group_perm: + data: + Debian*7: + - '/etc/group': + tag: 'CIS-12.3' + mode: 644 + - '/etc/group': + tag: 'CIS-12.3' + user: 'root' + group: 'root' + description: Verify Permissions on /etc/group + + single_user_auth: + data: + Debian*7: + - '/etc/shadow': + tag: 'CIS-3.4' + pattern: "^root:[*\\!]:" + 
description: Require Authentication for Single-User Mode + + hosts_allow: + data: + Debian*7: + - '/etc/hosts.allow': + tag: 'CIS-7.4.3' + mode: 644 + description: Verify Permissions on /etc/hosts.allow + + hosts_deny: + data: + Debian*7: + - '/etc/hosts.deny': + tag: 'CIS-7.4.5' + mode: 644 + description: Verify Permissions on /etc/hosts.deny + + legacy_passwd_entries: + data: + Debian*7: + - '/etc/passwd': + tag: 'CIS-13.2' + pattern: "^+:" + description: Verify No Legacy "+" Entries Exist in /etc/passwd File + + legacy_shadow_entries: + data: + Debian*7: + - '/etc/shadow': + tag: 'CIS-13.3' + pattern: "^+:" + description: Verify No Legacy "+" Entries Exist in /etc/shadow File + + legacy_group_entries: + data: + Debian*7: + - '/etc/group': + tag: 'CIS-13.4' + pattern: "^+:" + description: Verify No Legacy "+" Entries Exist in /etc/group File + +sysctl: + randomize_va_space: + data: + Debian*7: + - 'kernel.randomize_va_space': + tag: 'CIS-4.3' + match_output: '2' + description: Enable Randomized Virtual Memory Region Placement + + ip_forwarding: + data: + Debian*7: + - 'net.ipv4.ip_forward': + tag: 'CIS-7.1.1' + match_output: '0' + description: Disable IP Forwarding + + send_packet_redirect: + data: + Debian*7: + - 'net.ipv4.conf.all.send_redirects': + tag: 'CIS-7.1.2' + match_output: '0' + - 'net.ipv4.conf.default.send_redirects': + tag: 'CIS-7.1.2' + match_output: '0' + description: Disable Send Packet Redirects + + source_routed_packet_acceptance: + data: + Debian*7: + - 'net.ipv4.conf.all.accept_source_route': + tag: 'CIS-7.2.1' + match_output: '0' + - 'net.ipv4.conf.default.accept_source_route': + tag: 'CIS-7.2.1' + match_output: '0' + description: Disable Source Routed Packet Acceptance + + icmp_redirect_acceptance: + data: + Debian*7: + - 'net.ipv4.conf.all.accept_redirects': + tag: 'CIS-7.2.2' + match_output: '0' + - 'net.ipv4.conf.default.accept_redirects': + tag: 'CIS-7.2.2' + match_output: '0' + description: Disable ICMP Redirect Acceptance + + 
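Review bot: several entries in the `stat:` block are not stat checks: `boot_loader_passwd`, `restrict_core_dumps`, `single_user_auth` and the three `legacy_*_entries` carry a `pattern:` and no `mode`, `user` or `group`, so the stat module has nothing to compare and they will never report a failure. They belong under `grep:`, and the direction matters: `^password` in grub.cfg and `hard core` in limits.conf are pass-when-found (whitelist), while `^+:` in passwd/shadow/group and `^root:[*\!]:` in shadow are fail-when-found and need `grep: blacklist:`.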
icmp_redirect_acceptance: + data: + Debian*7: + - 'net.ipv4.conf.all.secure_redirects': + tag: 'CIS-7.2.3' + match_output: '0' + - 'net.ipv4.conf.default.secure_redirects': + tag: 'CIS-7.2.3' + match_output: '0' + description: Disable Secure ICMP Redirect Acceptance + + log_suspicious_packets: + data: + Debian*7: + - 'net.ipv4.conf.all.log_martian': + tag: 'CIS-7.2.4' + match_output: '1' + - 'net.ipv4.conf.default.log_martians': + tag: 'CIS-7.2.4' + match_output: '1' + description: Log Suspicious Packets + + ignore_broadcast_requests: + data: + Debian*7: + - 'net.ipv4.icmp_echo_ignore_broadcasts': + tag: 'CIS-7.2.5' + match_output: '1' + description: Enable Ignore Broadcast Requests + + bad_error_message_protection: + data: + Debian*7: + - 'net.ipv4.icmp_ignore_bogus_error_responses': + tag: 'CIS-7.2.6' + match_output: '1' + description: Enable Bad Error Message Protection + + source_route_validation: + data: + Debian*7: + - 'net.ipv4.conf.all.rp_filter': + tag: 'CIS-7.2.7' + match_output: '1' + - 'net.ipv4.conf.default.rp_filter': + tag: 'CIS-7.2.7' + match_output: '1' + description: Enable RFC-recommended Source Route Validation + + tcp_syn_cookies: + data: + Debian*7: + - 'net.ipv4.tcp_syncookies': + tag: 'CIS-7.2.8' + match_output: '1' + description: Enable TCP SYN Cookies + +pkg: + blacklist: + + prelink: + data: + Debian*7: + - 'prelink': 'CIS-4.4' + description: Disable Prelink + + nis: + data: + Debian*7: + - 'nis': 'CIS-5.1.1' + description: Ensure NIS is not installed + + rsh-clients: + data: + Debian*7: + - 'rsh-client': CIS-5.1.3 + - 'rsh-redone-client': CIS-5.1.3 + description: Ensure rsh client is not installed + rsh-server: + data: + Debian*7: + - 'rsh-server': CIS-5.1.2 + description: Ensure rsh server is not enabled + + talk: + data: + Debian*7: + - 'talk': 'CIS-5.1.5' + description: Ensure talk client is not installed + + telnet: + data: + Debian*7: + - 'telnet': 'CIS-5.1.6' + - 'telnet-server': 'CIS-5.1.6' + description: Ensure telnet server is 
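Review bot: `icmp_redirect_acceptance` appears twice in the `sysctl:` block, once for `accept_redirects` (CIS-7.2.2) and once for `secure_redirects` (CIS-7.2.3); the YAML loader keeps the last duplicate key silently, so the CIS-7.2.2 check disappears from the profile. Rename the second to `secure_icmp_redirect_acceptance` as the CoreOS profile does. In `log_suspicious_packets`, `net.ipv4.conf.all.log_martian` is missing the trailing `s` (the `default` entry spells it correctly), so that sysctl lookup will fail rather than evaluate.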
not enabled + + tftp: + data: + Debian*7: + - 'tftp': 'CIS-5.1.7' + - 'atftp': 'CIS-5.1.7' + description: Ensure tftp-server is not enabled + + xinetd: + data: + Debian*7: + - 'xinetd': 'CIS-5.1.8' + description: Ensure xinetd is not enabled + + xorg-server: + data: + Debian*7: + - 'xserver-xorg-core': 'CIS-6.1' + description: Ensure the X Window system is not installed + + avahi-daemon: + data: + Debian*7: + - 'avahi-daemon': 'CIS-6.2' + description: Ensure Avahi Server is not enabled + + dhcp: + data: + Debian*7: + - 'isc-dhcp-server': 'CIS-6.4' + description: Ensure DHCP Server is not enabled + + whitelist: + + tcp_wrappers: + data: + Debian*7: + - 'tcpd': 'CIS-7.4.1' + description: Install TCP Wrappers + + iptables: + data: + Debian*7: + - 'iptables': 'CIS-7.7' + - 'iptables-persistent': 'CIS-7.7' + description: Ensure Firewall is active + + rsyslog: + data: + Debian*7: + - 'rsyslog': 'CIS-8.2.1' + description: Install the rsyslog package + + cracklib: + data: + Debian*7: + - 'libpam-cracklib': 'CIS-9.2.1' + description: Set Password Creation Requirement Parameters Using pam_cracklib diff --git a/hubblestack_nova_profiles/cis/debian-8-level-1-scored-v1-0-0.yaml b/hubblestack_nova_profiles/cis/debian-8-level-1-scored-v1-0-0.yaml index 5f1dd22..8c0683b 100644 --- a/hubblestack_nova_profiles/cis/debian-8-level-1-scored-v1-0-0.yaml +++ b/hubblestack_nova_profiles/cis/debian-8-level-1-scored-v1-0-0.yaml 
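Review bot: in `pkg: blacklist:`, the `telnet` entry lists `telnet` (the client) and `telnet-server` under a description about the telnet server; `telnet-server` is the Red Hat package name and does not exist on Debian, where the server is `telnetd`, so the check cannot catch an installed telnet daemon. The `tftp` entry has the same problem: `tftp` and `atftp` are clients, while the daemons are `tftpd`, `tftpd-hpa` and `atftpd`. Blacklist the server packages (or both) so the descriptions match what is enforced.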
@@ -1,9 +1,34 @@ +# NOTE: This CIS Profile only includes Level 1 Scored Items for Debian 8 +# NOTE: Within this file, there are a few sections that should be tailored to your +# organization's specific policy. Search for '# NOTE: ' comments through the file. + +# TODO: Checks that aren't implemented yet: +# 2.17 +# 2.25 +# 3.3 +# 5.1.4 +# 5.2-6 +# 6.16 +# 8.2.2 +# 8.2.4 +# 9.1.1 +# 9.1.8 +# 10.2 +# 10.3 +# 10.5 +# 11.1 +# 11.2 +# 12.8 +# 12.9 +# 13.1 +# 13.5-20 + grep: whitelist: local_only_mta: data: - Debian-8: + Debian*8: - '/etc/exim4/update-exim4.conf': tag: 'CIS-6.15' pattern: "^dc_local_interfaces = '127.0.0.1'" @@ -11,7 +36,7 @@ grep: fstab_tmp_partition: data: - Debian-8: + Debian*8: - '/etc/fstab': tag: 'CIS-2.1' pattern: '/tmp' @@ -19,7 +44,7 @@ grep: fstab_tmp_partition_nodev: data: - Debian-8: + Debian*8: - '/etc/fstab': tag: 'CIS-2.2' pattern: '/tmp' @@ -28,7 +53,7 @@ grep: fstab_tmp_partition_nosuid: data: - Debian-8: + Debian*8: - '/etc/fstab': tag: 'CIS-2.3' pattern: '/tmp' @@ -37,7 +62,7 @@ grep: fstab_tmp_partition_noexec: data: - Debian-8: + Debian*8: - '/etc/fstab': tag: 'CIS-2.4' pattern: '/tmp' @@ -46,7 +71,7 @@ grep: fstab_var_partition: data: - Debian-8: + Debian*8: - '/etc/fstab': tag: 'CIS-2.5' pattern: '/var' @@ -54,7 +79,7 @@ grep: fstab_var_tmp_bind_mount: data: - Debian-8: + Debian*8: - '/etc/fstab': tag: 'CIS-2.6' pattern: '/var' @@ -63,7 +88,7 @@ grep: fstab_var_log_partition: data: - Debian-8: + Debian*8: - '/etc/fstab': tag: 'CIS-2.7' pattern: '/var/log' @@ -71,7 +96,7 @@ grep: fstab_var_log_audit_partition: data: - Debian-8: + Debian*8: - '/etc/fstab': tag: 'CIS-2.8' pattern: '/var/log/audit' @@ -79,7 +104,7 @@ grep: fstab_home_partition: data: - Debian-8: + Debian*8: - '/etc/fstab': tag: 'CIS-2.9' pattern: '/home' @@ -87,7 +112,7 @@ grep: fstab_home_partition_nodev: data: - Debian-8: + Debian*8: - '/etc/fstab': tag: 'CIS-2.10' pattern: '/home' 
@@ -96,7 +121,7 @@ grep: fstab_dev_shm_partition_nodev: data: - Debian-8: + Debian*8: - '/etc/fstab': tag: 'CIS-2.14' pattern: '/dev/shm' @@ -105,7 +130,7 @@ grep: fstab_dev_shm_partition_nosuid: data: - Debian-8: + Debian*8: - '/etc/fstab': tag: 'CIS-2.15' pattern: '/dev/shm' @@ -114,7 +139,7 @@ grep: fstab_dev_shm_partition_noexec: data: - Debian-8: + Debian*8: - '/etc/fstab': tag: 'CIS-2.16' pattern: '/dev/shm' @@ -123,24 +148,15 @@ grep: configure_ntp: data: - Debian-8: + Debian*8: - '/etc/ntp.conf': tag: 'CIS-6.5' pattern: 'restrict default' description: Configure Network Time Protocol (NTP) - keep_all_auditing_information: - data: - Debian-8: - - '/etc/audit/auditd.conf': - tag: 'CIS-8.1.1.3' - pattern: 'max_log_file_action' - match_output: 'keep_logs' - description: Keep All Auditing Information (Scored) - rsyslog_remote_logging: data: - Debian-8: + Debian*8: - '/etc/rsyslog.conf': tag: 'CIS-8.2.5' pattern: "^*.*[^I][^I]*@" @@ -148,7 +164,7 @@ grep: passwd_limit_reuse: data: - Debian-8: + Debian*8: - '/etc/pam.d/common-password': tag: 'CIS-9.2.3' pattern: "remember" @@ -157,7 +173,7 @@ grep: sshd_protocol_2: data: - Debian-8: + Debian*8: - '/etc/ssh/sshd_config': tag: 'CIS-9.3.1' pattern: "^Protocol" @@ -166,7 +182,7 @@ grep: sshd_loglevel_info: data: - Debian-8: + Debian*8: - '/etc/ssh/sshd_config': tag: 'CIS-9.3.2' pattern: "^LogLevel" @@ -175,7 +191,7 @@ grep: sshd_x11_forwarding: data: - Debian-8: + Debian*8: - '/etc/ssh/sshd_config': tag: 'CIS-9.3.4' pattern: "^X11Forwarding" @@ -184,7 +200,7 @@ grep: sshd_max_auth_retries: data: - Debian-8: + Debian*8: - '/etc/ssh/sshd_config': tag: 'CIS-9.3.5' pattern: "^MaxAuthTries" @@ -193,7 +209,7 @@ grep: sshd_ignore_rhosts: data: - Debian-8: + Debian*8: - '/etc/ssh/sshd_config': tag: 'CIS-9.3.6' pattern: "^IgnoreRhosts" @@ -202,7 +218,7 @@ grep: sshd_hostbased_auth: data: - Debian-8: + Debian*8: - '/etc/ssh/sshd_config': tag: 'CIS-9.3.7' pattern: "^HostbasedAuthentication" 
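Review bot: `keep_all_auditing_information` (CIS-8.1.1.3) is removed without a replacement, and 8.1.1.3 is not added to the new `# TODO` list of unimplemented checks in the file header, so the header now overstates coverage. Either keep the check or add the item to the TODO list, and state the reason for the removal in the commit message.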
@@ -211,7 +227,7 @@ grep: sshd_disable_root_login: data: - Debian-8: + Debian*8: - '/etc/ssh/sshd_config': tag: 'CIS-9.3.8' pattern: "^PermitRootLogin" @@ -220,7 +236,7 @@ grep: sshd_permit_empty_passwords: data: - Debian-8: + Debian*8: - '/etc/ssh/sshd_config': tag: 'CIS-9.3.9' pattern: "^PermitEmptyPasswords" @@ -229,7 +245,7 @@ grep: sshd_permit_user_environment: data: - Debian-8: + Debian*8: - '/etc/ssh/sshd_config': tag: 'CIS-9.3.10' pattern: "^PermitUserEnvironment" @@ -238,16 +254,17 @@ grep: sshd_approved_cipher: data: - Debian-8: + Debian*8: - '/etc/ssh/sshd_config': tag: 'CIS-9.3.11' pattern: "Ciphers" - match_output: "Ciphers aes128-ctr,aes192-ctr,aes256-ctr" + match_output: "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$" + match_output_regex: True description: Use Only Approved Cipher in Counter Mode sshd_idle_timeout: data: - Debian-8: + Debian*8: - '/etc/ssh/sshd_config': tag: 'CIS-9.3.12' pattern: "^ClientAliveInterval" @@ -260,7 +277,7 @@ grep: sshd_limit_access: data: - Debian-8: + Debian*8: - '/etc/ssh/sshd_config': tag: 'CIS-9.3.13' pattern: "^AllowUsers" @@ -277,7 +294,7 @@ grep: sshd_banner: data: - Debian-8: + Debian*8: - '/etc/ssh/sshd_config': tag: 'CIS-9.3.14' pattern: "^Banner" @@ -285,7 +302,7 @@ grep: restrict_access_su: data: - Debian-8: + Debian*8: - '/etc/pam.d/su': tag: 'CIS-9.5' pattern: "pam_wheel.so" @@ -293,7 +310,7 @@ grep: passwd_expiration_days: data: - Debian-8: + Debian*8: - '/etc/login.defs': tag: 'CIS-10.1.1' pattern: "PASS_MAX_DAYS" @@ -302,7 +319,7 @@ grep: passwd_change_min_days: data: - Debian-8: + Debian*8: - '/etc/login.defs': tag: 'CIS-10.1.2' pattern: "PASS_MIN_DAYS" @@ -311,7 +328,7 @@ grep: passwd_expiry_warning: data: - Debian-8: + Debian*8: - '/etc/login.defs': tag: 'CIS-10.1.3' pattern: "PASS_WARN_AGE" 
@@ -320,7 +337,7 @@ grep: default_umask: data: - Debian-8: + Debian*8: - '/etc/bash.bashrc': tag: 'CIS-10.4' pattern: "^umask 077" @@ -329,10 +346,41 @@ grep: pattern: "^umask 077" description: Set Default umask for Users + blacklist: + single_user_auth: + data: + Debian*8: + - '/etc/shadow': + tag: 'CIS-3.4' + pattern: "^root:[*\\!]:" + description: Require Authentication for Single-User Mode + + legacy_passwd_entries_group: + data: + Debian*8: + - /etc/group: + pattern: '^+:' + tag: CIS-13.4 + description: Verify No Legacy "+" Entries Exist in /etc/group File + legacy_passwd_entries_passwd: + data: + Debian*8: + - /etc/passwd: + pattern: '^+:' + tag: CIS-13.2 + description: Verify No Legacy "+" Entries Exist in /etc/passwd File + legacy_passwd_entries_shadow: + data: + Debian*8: + - /etc/shadow: + pattern: '^+:' + tag: CIS-13.3 + description: Verify No Legacy "+" Entries Exist in /etc/shadow File + stat: grub_conf_own: data: - Debian-8: + Debian*8: - '/boot/grub/grub.cfg': tag: 'CIS-3.1' user: 'root' @@ -341,7 +389,7 @@ stat: grub_conf_perm: data: - Debian-8: + Debian*8: - '/boot/grub/grub.cfg': tag: 'CIS-3.2' mode: 600 @@ -349,7 +397,7 @@ stat: boot_loader_passwd: data: - Debian-8: + Debian*8: - '/boot/grub/grub.cfg': tag: 'CIS-3.3' pattern: "^password" @@ -357,15 +405,25 @@ stat: restrict_core_dumps: data: - Debian-8: + Debian*8: - '/etc/security/limits.conf': tag: 'CIS-4.1' pattern: 'hard core' description: Restrict Core Dumps + crontab_own_perms: + data: + Debian*8: + - '/etc/crontab': + tag: 'CIS-9.1.2' + mode: 600 + user: 'root' + group: 'root' + description: Set User/Group Owner and Permission on /etc/crontab + cron_hourly: data: - Debian-8: + Debian*8: - '/etc/cron.hourly': tag: 'CIS-9.1.3' mode: 700 @@ -375,7 +433,7 @@ stat: cron_daily: data: - Debian-8: + Debian*8: - '/etc/cron.daily': tag: 'CIS-9.1.4' mode: 700 @@ -385,7 +443,7 @@ stat: cron_weekly: data: - Debian-8: + Debian*8: - '/etc/cron.weekly': tag: 'CIS-9.1.5' mode: 700 
@@ -395,7 +453,7 @@ stat: cron_monthly: data: - Debian-8: + Debian*8: - '/etc/cron.monthly': tag: 'CIS-9.1.6' mode: 700 @@ -405,7 +463,7 @@ stat: cron_d: data: - Debian-8: + Debian*8: - '/etc/cron.d': tag: 'CIS-9.1.7' mode: 700 @@ -415,7 +473,7 @@ stat: sshd_config: data: - Debian-8: + Debian*8: - '/etc/ssh/sshd_config': tag: 'CIS-9.3.3' mode: 600 
@@ -425,68 +483,75 @@ stat: passwd_perm: data: - Debian-8: + Debian*8: - '/etc/passwd': tag: 'CIS-12.1' mode: 644 + description: Verify Permissions on /etc/passwd + + passwd_own: + data: + Debian*8: - '/etc/passwd': tag: 'CIS-12.4' user: 'root' group: 'root' - description: Verify Permissions on /etc/passwd + description: Verify User/Group Ownership on /etc/passwd shadow_perm: data: - Debian-8: + Debian*8: - '/etc/shadow': tag: 'CIS-12.2' mode: 640 + description: Verify Permissions on /etc/shadow + + shadow_own: + data: + Debian*8: - '/etc/shadow': tag: 'CIS-12.5' user: 'root' group: 'root' - description: Verify Permissions on /etc/shadow + description: Verify User/Group Ownership on /etc/shadow group_perm: data: - Debian-8: - - '/etc/group': - tag: 'CIS-12.3' - mode: 644 + Debian*8: - '/etc/group': tag: 'CIS-12.3' user: 'root' group: 'root' description: Verify Permissions on /etc/group - blacklist: - single_user_auth: - data: - Debian-8: - - '/etc/shadow': - tag: 'CIS-3.4' - pattern: "^root:[*\\!]:" - description: Require Authentication for Single-User Mode + group_own: + data: + Debian*8: + - '/etc/group': + tag: 'CIS-12.6' + user: 'root' + group: 'root' + description: Verify User/Group Ownership on /etc/group hosts_allow: data: - Debian-8: + Debian*8: - '/etc/hosts.allow': tag: 'CIS-7.4.3' mode: 644 - description: Verify Permissions on /etc/hosts.allow + description: Verify Permissions on /etc/hosts.allow hosts_deny: data: - Debian-8: + Debian*8: - '/etc/hosts.deny': tag: 'CIS-7.4.5' mode: 644 - description: Verify Permissions on /etc/hosts.deny + description: Verify Permissions on /etc/hosts.deny legacy_passwd_entries: data: - Debian-8: + Debian*8: - '/etc/passwd': tag: 'CIS-13.2' pattern: "^+:" @@ -494,7 +559,7 @@ stat: legacy_shadow_entries: data: - Debian-8: + Debian*8: - '/etc/shadow': tag: 'CIS-13.3' pattern: "^+:" 
@@ -502,16 +567,24 @@ stat: legacy_group_entries: data: - Debian-8: + Debian*8: - '/etc/group': tag: 'CIS-13.4' pattern: "^+:" description: Verify No Legacy "+" Entries Exist in /etc/group File sysctl: + restrict_suid_core_dumps: + data: + Debian*8: + - fs.suid_dumpable: + match_output: '0' + tag: CIS-4.1 + description: Restrict Core Dumps + randomize_va_space: data: - Debian-8: + Debian*8: - 'kernel.randomize_va_space': tag: 'CIS-4.3' match_output: '2' @@ -519,7 +592,7 @@ sysctl: ip_forwarding: data: - Debian-8: + Debian*8: - 'net.ipv4.ip_forward': tag: 'CIS-7.1.1' match_output: '0' @@ -527,7 +600,7 @@ sysctl: send_packet_redirect: data: - Debian-8: + Debian*8: - 'net.ipv4.conf.all.send_redirects': tag: 'CIS-7.1.2' match_output: '0' @@ -538,7 +611,7 @@ sysctl: source_routed_packet_acceptance: data: - Debian-8: + Debian*8: - 'net.ipv4.conf.all.accept_source_route': tag: 'CIS-7.2.1' match_output: '0' @@ -549,7 +622,7 @@ sysctl: icmp_redirect_acceptance: data: - Debian-8: + Debian*8: - 'net.ipv4.conf.all.accept_redirects': tag: 'CIS-7.2.2' match_output: '0' @@ -558,9 +631,9 @@ sysctl: match_output: '0' description: Disable ICMP Redirect Acceptance - icmp_redirect_acceptance: + secure_icmp_redirect_acceptance: data: - Debian-8: + Debian*8: - 'net.ipv4.conf.all.secure_redirects': tag: 'CIS-7.2.3' match_output: '0' @@ -571,7 +644,7 @@ sysctl: log_suspicious_packets: data: - Debian-8: + Debian*8: - 'net.ipv4.conf.all.log_martian': tag: 'CIS-7.2.4' match_output: '1' @@ -582,7 +655,7 @@ sysctl: ignore_broadcast_requests: data: - Debian-8: + Debian*8: - 'net.ipv4.icmp_echo_ignore_broadcasts': tag: 'CIS-7.2.5' match_output: '1' @@ -590,7 +663,7 @@ sysctl: bad_error_message_protection: data: - Debian-8: + Debian*8: - 'net.ipv4.icmp_ignore_bogus_error_responses': tag: 'CIS-7.2.6' match_output: '1' @@ -598,7 +671,7 @@ sysctl: source_route_validation: data: - Debian-8: + Debian*8: - 'net.ipv4.conf.all.rp_filter': tag: 'CIS-7.2.7' match_output: '1' 
@@ -609,7 +682,7 @@ sysctl: tcp_syn_cookies: data: - Debian-8: + Debian*8: - 'net.ipv4.tcp_syncookies': tag: 'CIS-7.2.8' match_output: '1' 
@@ -620,127 +693,95 @@ pkg: prelink: data: - Debian-8: + Debian*8: - 'prelink': 'CIS-4.4' description: Disable Prelink nis: data: - Debian-8: + Debian*8: - 'nis': 'CIS-5.1.1' description: Ensure NIS is not installed rsh-clients: data: - Debian-8: + Debian*8: - 'rsh-client': CIS-5.1.3 - 'rsh-redone-client': CIS-5.1.3 description: Ensure rsh client is not installed rsh-server: data: - Debian-8: + Debian*8: - 'rsh-server': CIS-5.1.2 description: Ensure rsh server is not enabled talk: data: - Debian-8: + Debian*8: - 'talk': 'CIS-5.1.5' description: Ensure talk client is not installed telnet: data: - Debian-8: + Debian*8: - 'telnet': 'CIS-5.1.6' - 'telnet-server': 'CIS-5.1.6' description: Ensure telnet server is not enabled tftp: data: - Debian-8: + Debian*8: - 'tftp': 'CIS-5.1.7' - 'atftp': 'CIS-5.1.7' description: Ensure tftp-server is not enabled xinetd: data: - Debian-8: + Debian*8: - 'xinetd': 'CIS-5.1.8' description: Ensure xinetd is not enabled xorg-server: data: - Debian-8: + Debian*8: - 'xserver-xorg-core': 'CIS-6.1' description: Ensure the X Window system is not installed avahi-daemon: data: - Debian-8: + Debian*8: - 'avahi-daemon': 'CIS-6.2' description: Ensure Avahi Server is not enabled dhcp: data: - Debian-8: + Debian*8: - 'isc-dhcp-server': 'CIS-6.4' description: Ensure DHCP Server is not enabled - slapd: - data: - Debian-8: - - 'slapd': 'CIS-6.6' - description: Ensure LDAP is not enabled - whitelist: - apparmor: - data: - Debian-8: - - 'apparmor': 'CIS-4.5' - - 'apparmor-utils': 'CIS-4.5' - - 'apparmor-profiles': 'CIS-4.5' - description: Activate AppArmor (Scored) Lvl2 - tcp_wrappers: data: - Debian-8: + Debian*8: - 'tcpd': 'CIS-7.4.1' description: Install TCP Wrappers iptables: data: - Debian-8: + Debian*8: - 'iptables': 'CIS-7.7' - 'iptables-persistent': 'CIS-7.7' description: Ensure Firewall is active - auditd: - data: - Debian-8: - - 'auditd': 'CIS-8.1.2' - description: 'Install and Enable auditd Service (Scored)' - rsyslog: data: - Debian-8: + 
Debian*8: - 'rsyslog': 'CIS-8.2.1' description: Install the rsyslog package - aide: - data: - Debian-8: - - 'aide': 'CIS-8.3.1' - description: Install AIDE (Scored) Lvl2 - cracklib: data: - Debian-8: + Debian*8: - 'libpam-cracklib': 'CIS-9.2.1' description: Set Password Creation Requirement Parameters Using pam_cracklib - - openssh_server: - data: - Debian-8: - - 'openssh-server': 'CIS-9.3' - description: Configure SSH diff --git a/hubblestack_nova_profiles/cis/debian-9.yaml b/hubblestack_nova_profiles/cis/debian-9.yaml new file mode 100644 index 0000000..5f9b180 --- /dev/null +++ b/hubblestack_nova_profiles/cis/debian-9.yaml 
@@ -0,0 +1,751 @@ +# This profile is temporary, and is a copy-paste from the +# debian-8-level-1-scored-v1-0-0.yaml. Eventually it should be replaced +# with a Debian-9 official one. + +grep: + whitelist: + + local_only_mta: + data: + Debian*9: + - '/etc/exim4/update-exim4.conf': + tag: 'CIS-6.15' + pattern: "^dc_local_interfaces = '127.0.0.1'" + description: Configure Mail Transfer Agent for Local-Only Mode + + fstab_tmp_partition: + data: + Debian*9: + - '/etc/fstab': + tag: 'CIS-2.1' + pattern: '/tmp' + description: Create Separate Partition for /tmp + + fstab_tmp_partition_nodev: + data: + Debian*9: + - '/etc/fstab': + tag: 'CIS-2.2' + pattern: '/tmp' + match_output: 'nodev' + description: Set nodev option for /tmp Partition + + fstab_tmp_partition_nosuid: + data: + Debian*9: + - '/etc/fstab': + tag: 'CIS-2.3' + pattern: '/tmp' + match_output: 'nosuid' + description: Set nosuid option for /tmp Partition + + fstab_tmp_partition_noexec: + data: + Debian*9: + - '/etc/fstab': + tag: 'CIS-2.4' + pattern: '/tmp' + match_output: 'nosuid' + description: Set noexec option for /tmp Partition + + fstab_var_partition: + data: + Debian*9: + - '/etc/fstab': + tag: 'CIS-2.5' + pattern: '/var' + description: Create Separate Partition for /var + + fstab_var_tmp_bind_mount: + data: + Debian*9: + - '/etc/fstab': + tag: 'CIS-2.6' + pattern: '/var' + match_output: '/var/tmp' + description: Bind Mount the /var/tmp directory to /tmp + + fstab_var_log_partition: + data: + Debian*9: + - '/etc/fstab': + tag: 'CIS-2.7' + pattern: '/var/log' + description: Create Separate Partition for /var/log + + fstab_var_log_audit_partition: + data: + Debian*9: + - '/etc/fstab': + tag: 'CIS-2.8' + pattern: '/var/log/audit' + description: Create Separate Partition for /var/log/audit + + fstab_home_partition: + data: + Debian*9: + - '/etc/fstab': + tag: 'CIS-2.9' + pattern: '/home' + description: Create Separate Partition for /home + + fstab_home_partition_nodev: + data: + Debian*9: + - '/etc/fstab': + 
tag: 'CIS-2.10' + pattern: '/home' + match_output: 'nodev' + description: Add nodev Option to /home + + fstab_dev_shm_partition_nodev: + data: + Debian*9: + - '/etc/fstab': + tag: 'CIS-2.14' + pattern: '/dev/shm' + match_output: 'nodev' + description: Add nodev Option to /run/shm Partition + + fstab_dev_shm_partition_nosuid: + data: + Debian*9: + - '/etc/fstab': + tag: 'CIS-2.15' + pattern: '/dev/shm' + match_output: 'nosuid' + description: Add nosuid Option to /run/shm Partition + + fstab_dev_shm_partition_noexec: + data: + Debian*9: + - '/etc/fstab': + tag: 'CIS-2.16' + pattern: '/dev/shm' + match_output: 'noexec' + description: Add noexec Option to /run/shm Partition + + configure_ntp: + data: + Debian*9: + - '/etc/ntp.conf': + tag: 'CIS-6.5' + pattern: 'restrict default' + description: Configure Network Time Protocol (NTP) + + keep_all_auditing_information: + data: + Debian*9: + - '/etc/audit/auditd.conf': + tag: 'CIS-8.1.1.3' + pattern: 'max_log_file_action' + match_output: 'keep_logs' + description: Keep All Auditing Information (Scored) + + rsyslog_remote_logging: + data: + Debian*9: + - '/etc/rsyslog.conf': + tag: 'CIS-8.2.5' + pattern: "^*.*[^I][^I]*@" + description: Configure rsyslog to Send Logs to a Remote Log Host + + passwd_limit_reuse: + data: + Debian*9: + - '/etc/pam.d/common-password': + tag: 'CIS-9.2.3' + pattern: "remember" + match_output: "5" + description: Limit Password Reuse + + sshd_protocol_2: + data: + Debian*9: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.1' + pattern: "^Protocol" + match_output: 'Protocol 2' + description: Set SSH Protocol to 2 + + sshd_loglevel_info: + data: + Debian*9: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.2' + pattern: "^LogLevel" + match_output: 'LogLevel INFO' + description: Set LogLevel to INFO + + sshd_x11_forwarding: + data: + Debian*9: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.4' + pattern: "^X11Forwarding" + match_output: 'X11Forwarding no' + description: Disable SSH X11 Forwarding + + 
sshd_max_auth_retries: + data: + Debian*9: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.5' + pattern: "^MaxAuthTries" + match_output: "MaxAuthTries 4" + description: Set SSH MaxAuthTries to 4 or Less + + sshd_ignore_rhosts: + data: + Debian*9: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.6' + pattern: "^IgnoreRhosts" + match_output: "IgnoreRhosts yes" + description: Set SSH IgnoreRhosts to Yes + + sshd_hostbased_auth: + data: + Debian*9: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.7' + pattern: "^HostbasedAuthentication" + match_output: "HostbasedAuthentication no" + description: Set SSH HostbasedAuthentication to No + + sshd_disable_root_login: + data: + Debian*9: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.8' + pattern: "^PermitRootLogin" + match_output: "PermitRootLogin no" + description: Disable SSH Root Login + + sshd_permit_empty_passwords: + data: + Debian*9: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.9' + pattern: "^PermitEmptyPasswords" + match_output: "PermitEmptyPasswords no" + description: Set SSH PermitEmptyPasswords to No + + sshd_permit_user_environment: + data: + Debian*9: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.10' + pattern: "^PermitUserEnvironment" + match_output: "PermitUserEnvironment no" + description: Do Not Allow Users to Set Environment Options + + sshd_approved_cipher: + data: + Debian*9: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.11' + pattern: "Ciphers" + match_output: "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$" + match_output_regex: True + description: Use Only Approved Cipher in Counter Mode + + sshd_idle_timeout: + data: + Debian*9: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.12' + pattern: "^ClientAliveInterval" + match_output: "ClientAliveInterval 300" + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.12' + pattern: 
"^ClientAliveCountMax" + match_output: "ClientAliveCountMax 0" + description: Set Idle Timeout Interval for User Login + + sshd_limit_access: + data: + Debian*9: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.13' + pattern: "^AllowUsers" + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.13' + pattern: "^AllowGroups" + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.13' + pattern: "^DenyUsers" + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.13' + pattern: "^DenyGroups" + description: Limit Access via SSH + + sshd_banner: + data: + Debian*9: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.14' + pattern: "^Banner" + description: Set SSH Banner + + restrict_access_su: + data: + Debian*9: + - '/etc/pam.d/su': + tag: 'CIS-9.5' + pattern: "pam_wheel.so" + description: Restrict Access to the su Command + + passwd_expiration_days: + data: + Debian*9: + - '/etc/login.defs': + tag: 'CIS-10.1.1' + pattern: "PASS_MAX_DAYS" + match_output: "90" + description: Set Password Expiration Days + + passwd_change_min_days: + data: + Debian*9: + - '/etc/login.defs': + tag: 'CIS-10.1.2' + pattern: "PASS_MIN_DAYS" + match_output: "7" + description: Set Password Change Minimum Number of Days + + passwd_expiry_warning: + data: + Debian*9: + - '/etc/login.defs': + tag: 'CIS-10.1.3' + pattern: "PASS_WARN_AGE" + match_output: "7" + description: Set Password Expiring Warning Days + + default_umask: + data: + Debian*9: + - '/etc/bash.bashrc': + tag: 'CIS-10.4' + pattern: "^umask 077" + - '/etc/profile.d/*': + tag: 'CIS-10.4' + pattern: "^umask 077" + description: Set Default umask for Users + +stat: + grub_conf_own: + data: + Debian*9: + - '/boot/grub/grub.cfg': + tag: 'CIS-3.1' + user: 'root' + group: 'root' + description: Set User/Group Owner on bootloader config + + grub_conf_perm: + data: + Debian*9: + - '/boot/grub/grub.cfg': + tag: 'CIS-3.2' + mode: 600 + description: Set Permissions on bootloader config + + boot_loader_passwd: + data: + Debian*9: + - '/boot/grub/grub.cfg': + tag: 'CIS-3.3' + pattern: "^password" 
+ description: Set Boot Loader Password + + restrict_core_dumps: + data: + Debian*9: + - '/etc/security/limits.conf': + tag: 'CIS-4.1' + pattern: 'hard core' + description: Restrict Core Dumps + + cron_hourly: + data: + Debian*9: + - '/etc/cron.hourly': + tag: 'CIS-9.1.3' + mode: 700 + user: 'root' + group: 'root' + description: Set User/Group Owner and Permission on /etc/cron.hourly + + cron_daily: + data: + Debian*9: + - '/etc/cron.daily': + tag: 'CIS-9.1.4' + mode: 700 + user: 'root' + group: 'root' + description: Set User/Group Owner and Permission on /etc/cron.daily + + cron_weekly: + data: + Debian*9: + - '/etc/cron.weekly': + tag: 'CIS-9.1.5' + mode: 700 + user: 'root' + group: 'root' + description: Set User/Group Owner and Permission on /etc/cron.weekly + + cron_monthly: + data: + Debian*9: + - '/etc/cron.monthly': + tag: 'CIS-9.1.6' + mode: 700 + user: 'root' + group: 'root' + description: Set User/Group Owner and Permission on /etc/cron.monthly + + cron_d: + data: + Debian*9: + - '/etc/cron.d': + tag: 'CIS-9.1.7' + mode: 700 + user: 'root' + group: 'root' + description: Set User/Group Owner and Permission on /etc/cron.d + + sshd_config: + data: + Debian*9: + - '/etc/ssh/sshd_config': + tag: 'CIS-9.3.3' + mode: 600 + user: 'root' + group: 'root' + description: Set Permissions on /etc/ssh/sshd_config + + passwd_perm: + data: + Debian*9: + - '/etc/passwd': + tag: 'CIS-12.1' + mode: 644 + - '/etc/passwd': + tag: 'CIS-12.4' + user: 'root' + group: 'root' + description: Verify Permissions on /etc/passwd + + shadow_perm: + data: + Debian*9: + - '/etc/shadow': + tag: 'CIS-12.2' + mode: 640 + - '/etc/shadow': + tag: 'CIS-12.5' + user: 'root' + group: 'root' + description: Verify Permissions on /etc/shadow + + group_perm: + data: + Debian*9: + - '/etc/group': + tag: 'CIS-12.3' + mode: 644 + - '/etc/group': + tag: 'CIS-12.3' + user: 'root' + group: 'root' + description: Verify Permissions on /etc/group + + blacklist: + single_user_auth: + data: + Debian*9: + - 
'/etc/shadow': + tag: 'CIS-3.4' + pattern: "^root:[*\\!]:" + description: Require Authentication for Single-User Mode + + hosts_allow: + data: + Debian*9: + - '/etc/hosts.allow': + tag: 'CIS-7.4.3' + mode: 644 + description: Verify Permissions on /etc/hosts.allow + + hosts_deny: + data: + Debian*9: + - '/etc/hosts.deny': + tag: 'CIS-7.4.5' + mode: 644 + description: Verify Permissions on /etc/hosts.deny + + legacy_passwd_entries: + data: + Debian*9: + - '/etc/passwd': + tag: 'CIS-13.2' + pattern: "^+:" + description: Verify No Legacy "+" Entries Exist in /etc/passwd File + + legacy_shadow_entries: + data: + Debian*9: + - '/etc/shadow': + tag: 'CIS-13.3' + pattern: "^+:" + description: Verify No Legacy "+" Entries Exist in /etc/shadow File + + legacy_group_entries: + data: + Debian*9: + - '/etc/group': + tag: 'CIS-13.4' + pattern: "^+:" + description: Verify No Legacy "+" Entries Exist in /etc/group File + +sysctl: + randomize_va_space: + data: + Debian*9: + - 'kernel.randomize_va_space': + tag: 'CIS-4.3' + match_output: '2' + description: Enable Randomized Virtual Memory Region Placement + + ip_forwarding: + data: + Debian*9: + - 'net.ipv4.ip_forward': + tag: 'CIS-7.1.1' + match_output: '0' + description: Disable IP Forwarding + + send_packet_redirect: + data: + Debian*9: + - 'net.ipv4.conf.all.send_redirects': + tag: 'CIS-7.1.2' + match_output: '0' + - 'net.ipv4.conf.default.send_redirects': + tag: 'CIS-7.1.2' + match_output: '0' + description: Disable Send Packet Redirects + + source_routed_packet_acceptance: + data: + Debian*9: + - 'net.ipv4.conf.all.accept_source_route': + tag: 'CIS-7.2.1' + match_output: '0' + - 'net.ipv4.conf.default.accept_source_route': + tag: 'CIS-7.2.1' + match_output: '0' + description: Disable Source Routed Packet Acceptance + + icmp_redirect_acceptance: + data: + Debian*9: + - 'net.ipv4.conf.all.accept_redirects': + tag: 'CIS-7.2.2' + match_output: '0' + - 'net.ipv4.conf.default.accept_redirects': + tag: 'CIS-7.2.2' + match_output: '0' 
+ description: Disable ICMP Redirect Acceptance + + icmp_redirect_acceptance: + data: + Debian*9: + - 'net.ipv4.conf.all.secure_redirects': + tag: 'CIS-7.2.3' + match_output: '0' + - 'net.ipv4.conf.default.secure_redirects': + tag: 'CIS-7.2.3' + match_output: '0' + description: Disable Secure ICMP Redirect Acceptance + + log_suspicious_packets: + data: + Debian*9: + - 'net.ipv4.conf.all.log_martian': + tag: 'CIS-7.2.4' + match_output: '1' + - 'net.ipv4.conf.default.log_martians': + tag: 'CIS-7.2.4' + match_output: '1' + description: Log Suspicious Packets + + ignore_broadcast_requests: + data: + Debian*9: + - 'net.ipv4.icmp_echo_ignore_broadcasts': + tag: 'CIS-7.2.5' + match_output: '1' + description: Enable Ignore Broadcast Requests + + bad_error_message_protection: + data: + Debian*9: + - 'net.ipv4.icmp_ignore_bogus_error_responses': + tag: 'CIS-7.2.6' + match_output: '1' + description: Enable Bad Error Message Protection + + source_route_validation: + data: + Debian*9: + - 'net.ipv4.conf.all.rp_filter': + tag: 'CIS-7.2.7' + match_output: '1' + - 'net.ipv4.conf.default.rp_filter': + tag: 'CIS-7.2.7' + match_output: '1' + description: Enable RFC-recommended Source Route Validation + + tcp_syn_cookies: + data: + Debian*9: + - 'net.ipv4.tcp_syncookies': + tag: 'CIS-7.2.8' + match_output: '1' + description: Enable TCP SYN Cookies + +pkg: + blacklist: + + prelink: + data: + Debian*9: + - 'prelink': 'CIS-4.4' + description: Disable Prelink + + nis: + data: + Debian*9: + - 'nis': 'CIS-5.1.1' + description: Ensure NIS is not installed + + rsh-clients: + data: + Debian*9: + - 'rsh-client': CIS-5.1.3 + - 'rsh-redone-client': CIS-5.1.3 + description: Ensure rsh client is not installed + rsh-server: + data: + Debian*9: + - 'rsh-server': CIS-5.1.2 + description: Ensure rsh server is not enabled + + talk: + data: + Debian*9: + - 'talk': 'CIS-5.1.5' + description: Ensure talk client is not installed + + telnet: + data: + Debian*9: + - 'telnet': 'CIS-5.1.6' + - 'telnet-server': 
'CIS-5.1.6' + description: Ensure telnet server is not enabled + + tftp: + data: + Debian*9: + - 'tftp': 'CIS-5.1.7' + - 'atftp': 'CIS-5.1.7' + description: Ensure tftp-server is not enabled + + xinetd: + data: + Debian*9: + - 'xinetd': 'CIS-5.1.8' + description: Ensure xinetd is not enabled + + xorg-server: + data: + Debian*9: + - 'xserver-xorg-core': 'CIS-6.1' + description: Ensure the X Window system is not installed + + avahi-daemon: + data: + Debian*9: + - 'avahi-daemon': 'CIS-6.2' + description: Ensure Avahi Server is not enabled + + dhcp: + data: + Debian*9: + - 'isc-dhcp-server': 'CIS-6.4' + description: Ensure DHCP Server is not enabled + + slapd: + data: + Debian*9: + - 'slapd': 'CIS-6.6' + description: Ensure LDAP is not enabled + + whitelist: + + apparmor: + data: + Debian*9: + - 'apparmor': 'CIS-4.5' + - 'apparmor-utils': 'CIS-4.5' + - 'apparmor-profiles': 'CIS-4.5' + description: Activate AppArmor (Scored) Lvl2 + + tcp_wrappers: + data: + Debian*9: + - 'tcpd': 'CIS-7.4.1' + description: Install TCP Wrappers + + iptables: + data: + Debian*9: + - 'iptables': 'CIS-7.7' + - 'iptables-persistent': 'CIS-7.7' + description: Ensure Firewall is active + + auditd: + data: + Debian*9: + - 'auditd': 'CIS-8.1.2' + description: 'Install and Enable auditd Service (Scored)' + + rsyslog: + data: + Debian*9: + - 'rsyslog': 'CIS-8.2.1' + description: Install the rsyslog package + + aide: + data: + Debian*9: + - 'aide': 'CIS-8.3.1' + description: Install AIDE (Scored) Lvl2 + + cracklib: + data: + Debian*9: + - 'libpam-cracklib': 'CIS-9.2.1' + description: Set Password Creation Requirement Parameters Using pam_cracklib + + openssh_server: + data: + Debian*9: + - 'openssh-server': 'CIS-9.3' + description: Configure SSH diff --git a/hubblestack_nova_profiles/cis/rhels-5-level-1-scored-v2-2-0.yaml b/hubblestack_nova_profiles/cis/rhels-5-level-1-scored-v2-2-0.yaml index d92ca1f..3a0514f 100644 --- a/hubblestack_nova_profiles/cis/rhels-5-level-1-scored-v2-2-0.yaml 
+++ b/hubblestack_nova_profiles/cis/rhels-5-level-1-scored-v2-2-0.yaml @@ -276,7 +276,8 @@ grep: data: Red Hat Enterprise Linux Server-5: - /etc/ssh/sshd_config: - match_output: 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr' + match_output: '^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$' + match_output_regex: True pattern: Ciphers tag: CIS-6.2.11 description: Ensure only approved ciphers are used diff --git a/hubblestack_nova_profiles/cis/rhels-6-level-1-scored-v1-0-0.yaml b/hubblestack_nova_profiles/cis/rhels-6-level-1-scored-v1-0-0.yaml new file mode 100644 index 0000000..a5715f3 --- /dev/null +++ b/hubblestack_nova_profiles/cis/rhels-6-level-1-scored-v1-0-0.yaml 
@@ -0,0 +1,845 @@ +grep: + blacklist: + legacy_passwd_entries_group: + data: + Red Hat Enterprise Linux Server-6: + - /etc/group: + pattern: '^+:' + tag: CIS-9.2.4 + description: Verify No Legacy "+" Entries Exist in /etc/group (Scored) + legacy_passwd_entries_passwd: + data: + Red Hat Enterprise Linux Server-6: + - /etc/passwd: + pattern: '^+:' + tag: CIS-9.2.2 + description: Verify No Legacy "+" Entries Exist in /etc/passwd (Scored) + legacy_passwd_entries_shadow: + data: + Red Hat Enterprise Linux Server-6: + - /etc/shadow: + pattern: '^+:' + tag: CIS-9.2.3 + description: Verify No Legacy "+" Entries Exist in /etc/shadow (Scored) + whitelist: + activate_gpg_check: + data: + Red Hat Enterprise Linux Server-6: + - /etc/yum.conf: + match_output: gpgcheck=1 + pattern: gpgcheck + tag: CIS-1.2.3 + description: Verify that gpgcheck is Globally Activated (Scored) + boot_loader_passwd: + data: + Red Hat Enterprise Linux Server-6: + - /etc/grub.conf: + pattern: ^password + tag: CIS-1.5.3 + description: Set Boot Loader Password (Scored) + configure_ntp: + data: + Red Hat Enterprise Linux Server-6: + - /etc/ntp.conf: + pattern: restrict default + tag: CIS-3.6 + - /etc/ntp.conf: + pattern: restrict -6 default + tag: CIS-3.6 + - '/etc/ntp.conf': + tag: 'CIS-3.6' + pattern: '^server' + - '/etc/sysconfig/ntpd': + tag: 'CIS-3.6' + pattern: 'ntp:ntp' + description: Configure Network Time Protocol (NTP) (Scored) + default_umask: + data: + Red Hat Enterprise Linux Server-6: + - /etc/bashrc: + pattern: ^umask 077 + tag: CIS-7.4 + - /etc/profile.d/*: + pattern: ^umask 077 + tag: CIS-7.4 + description: Set Default umask for Users (Scored) + fstab_dev_shm_partition_nodev: + data: + Red Hat Enterprise Linux Server-6: + - /etc/fstab: + match_output: nodev + pattern: /dev/shm + tag: CIS-1.1.14 + description: Add nodev Option to /dev/shm Partition (Scored) + fstab_dev_shm_partition_noexec: + data: + Red Hat Enterprise Linux Server-6: + - /etc/fstab: + match_output: noexec + pattern: 
/dev/shm + tag: CIS-1.1.16 + description: Add noexec Option to /dev/shm Partition (Scored) + fstab_dev_shm_partition_nosuid: + data: + Red Hat Enterprise Linux Server-6: + - /etc/fstab: + match_output: nosuid + pattern: /dev/shm + tag: CIS-1.1.15 + description: Add nosuid Option to /dev/shm Partition (Scored) + fstab_home_partition: + data: + Red Hat Enterprise Linux Server-6: + - /etc/fstab: + pattern: /home + tag: CIS-1.1.9 + description: Create Separate Partition for /home (Scored) + fstab_home_partition_nodev: + data: + Red Hat Enterprise Linux Server-6: + - /etc/fstab: + match_output: nodev + pattern: /home + tag: CIS-1.1.10 + description: Add nodev Option to /home (Scored) + fstab_tmp_partition: + data: + Red Hat Enterprise Linux Server-6: + - /etc/fstab: + pattern: /tmp + tag: CIS-1.1.1 + description: Create Separate Partition for /tmp (Scored) + fstab_tmp_partition_nodev: + data: + Red Hat Enterprise Linux Server-6: + - /etc/fstab: + match_output: nodev + pattern: /tmp + tag: CIS-1.1.2 + description: Set nodev option for /tmp Partition (Scored) + fstab_tmp_partition_noexec: + data: + Red Hat Enterprise Linux Server-6: + - /etc/fstab: + match_output: noexec + pattern: /tmp + tag: CIS-1.1.4 + description: Set noexec option for /tmp Partition (Scored) + fstab_tmp_partition_nosuid: + data: + Red Hat Enterprise Linux Server-6: + - /etc/fstab: + match_output: nosuid + pattern: /tmp + tag: CIS-1.1.3 + description: Set nosuid option for /tmp Partition (Scored) + fstab_var_log_audit_partition: + data: + Red Hat Enterprise Linux Server-6: + - /etc/fstab: + pattern: /var/log/audit + tag: CIS-1.1.8 + description: Create Separate Partition for /var/log/audit (Scored) + fstab_var_log_partition: + data: + Red Hat Enterprise Linux Server-6: + - /etc/fstab: + pattern: /var/log + tag: CIS-1.1.7 + description: Create Separate Partition for /var/log (Scored) + fstab_var_partition: + data: + Red Hat Enterprise Linux Server-6: + - /etc/fstab: + pattern: /var + tag: CIS-1.1.5 + 
description: Create Separate Partition for /var (Scored) + fstab_var_tmp_bind_mount: + data: + Red Hat Enterprise Linux Server-6: + - /etc/fstab: + match_output: /var/tmp + pattern: /tmp + tag: CIS-1.1.6 + description: Bind Mount the /var/tmp directory to /tmp (Scored) + limit_password_reuse: + data: + Red Hat Enterprise Linux Server-6: + - /etc/pam.d/system-auth: + match_output: remember=5 + pattern: pam_unix.so + tag: CIS-6.3.4 + description: PAM Password Reuse (Scored) + limit_su_command_access: + data: + Red Hat Enterprise Linux Server-6: + - /etc/pam.d/su: + match_output: use_uid + pattern: pam_wheel.so + tag: CIS-6.5 + - /etc/group: + pattern: wheel + tag: CIS-6.5 + description: Limit su command access (Scored) + pam_cracklib_try_first_pass: + data: + Red Hat Enterprise Linux Server-6: + - /etc/pam.d/system-auth: + match_output: try_first_pass + pattern: pam_cracklib.so + tag: CIS-6.3.2 + - /etc/pam.d/system-auth: + match_output: retry=3 + pattern: pam_cracklib.so + tag: CIS-6.3.2 + - /etc/pam.d/system-auth: + match_output: minlen=14 + pattern: pam_cracklib.so + tag: CIS-6.3.2 + - /etc/pam.d/system-auth: + match_output: dcredit=-1 + pattern: pam_cracklib.so + tag: CIS-6.3.2 + - /etc/pam.d/system-auth: + match_output: ucredit=-1 + pattern: pam_cracklib.so + tag: CIS-6.3.2 + - /etc/pam.d/system-auth: + match_output: ocredit=-1 + pattern: pam_cracklib.so + tag: CIS-6.3.2 + - /etc/pam.d/system-auth: + match_output: lcredit=-1 + pattern: pam_cracklib.so + tag: CIS-6.3.2 + description: PAM cracklib policy (Scored) + passwd_change_min_days: + data: + Red Hat Enterprise Linux Server-6: + - /etc/login.defs: + match_output: '7' + pattern: PASS_MIN_DAYS + tag: CIS-7.1.2 + description: Set Password Change Minimum Number of Days (Scored) + passwd_expiration_days: + data: + Red Hat Enterprise Linux Server-6: + - /etc/login.defs: + match_output: '90' + pattern: PASS_MAX_DAYS + tag: CIS-7.1.1 + description: Set Password Expiration Days (Scored) + passwd_expiry_warning: + 
data: + Red Hat Enterprise Linux Server-6: + - /etc/login.defs: + match_output: '7' + pattern: PASS_WARN_AGE + tag: CIS-7.1.3 + description: Set Password Expiring Warning Days (Scored) + restrict_core_dumps: + data: + Red Hat Enterprise Linux Server-6: + - /etc/security/limits.conf: + pattern: hard core + tag: CIS-1.6.1 + description: Restrict Core Dumps (Scored) + rsyslog_remote_logging: + data: + Red Hat Enterprise Linux Server-6: + - /etc/rsyslog.conf: + pattern: ^*.*[^I][^I]*@ + tag: CIS-5.1.5 + description: Configure rsyslog to Send Logs to a Remote Log Host (Scored) + set_daemon_umask: + data: + Red Hat Enterprise Linux Server-6: + - /etc/sysconfig/init: + match_output: umask 027 + pattern: umask + tag: CIS-3.1 + description: Set Daemon umask (Scored) + sshd_approved_cipher: + data: + Red Hat Enterprise Linux Server-6: + - /etc/ssh/sshd_config: + match_output: '^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$' + match_output_regex: True + pattern: Ciphers + tag: CIS-6.2.11 + description: Use Only Approved Cipher in Counter Mode (Scored) + sshd_banner: + data: + Red Hat Enterprise Linux Server-6: + - /etc/ssh/sshd_config: + pattern: ^Banner + tag: CIS-6.2.14 + description: Set SSH Banner (Scored) + sshd_disable_root_login: + data: + Red Hat Enterprise Linux Server-6: + - /etc/ssh/sshd_config: + match_output: PermitRootLogin no + pattern: ^PermitRootLogin + tag: CIS-6.2.8 + description: Set SSH HostbasedAuthentication to No (Scored) + sshd_hostbased_auth: + data: + Red Hat Enterprise Linux Server-6: + - /etc/ssh/sshd_config: + match_output: HostbasedAuthentication no + pattern: ^HostbasedAuthentication + tag: CIS-6.2.7 + description: Set SSH HostbasedAuthentication to No (Scored) + sshd_idle_timeout: + data: + Red Hat Enterprise Linux Server-6: + - 
/etc/ssh/sshd_config: + match_output: ClientAliveInterval 300 + pattern: ^ClientAliveInterval + tag: CIS-6.2.12 + - /etc/ssh/sshd_config: + match_output: ClientAliveCountMax 0 + pattern: ^ClientAliveCountMax + tag: CIS-6.2.12 + description: Set Idle Timeout Interval for User Login (Scored) + sshd_ignore_rhosts: + data: + Red Hat Enterprise Linux Server-6: + - /etc/ssh/sshd_config: + match_output: IgnoreRhosts yes + pattern: ^IgnoreRhosts + tag: CIS-6.2.6 + description: Set SSH IgnoreRhosts to Yes (Scored) + sshd_limit_access: + data: + Red Hat Enterprise Linux Server-6: + - /etc/ssh/sshd_config: + pattern: ^AllowUsers + tag: CIS-6.2.13 + - /etc/ssh/sshd_config: + pattern: ^AllowGroups + tag: CIS-6.2.13 + - /etc/ssh/sshd_config: + pattern: ^DenyUsers + tag: CIS-6.2.13 + - /etc/ssh/sshd_config: + pattern: ^DenyGroups + tag: CIS-6.2.13 + description: Limit Access via SSH (Scored) + sshd_loglevel_info: + data: + Red Hat Enterprise Linux Server-6: + - /etc/ssh/sshd_config: + match_output: LogLevel INFO + pattern: ^LogLevel + tag: CIS-6.2.2 + description: Set LogLevel to INFO (Scored) + sshd_max_auth_retries: + data: + Red Hat Enterprise Linux Server-6: + - /etc/ssh/sshd_config: + match_output: MaxAuthTries 4 + pattern: ^MaxAuthTries + tag: CIS-6.2.5 + description: Set SSH MaxAuthTries to 4 or Less (Scored) + sshd_permit_empty_passwords: + data: + Red Hat Enterprise Linux Server-6: + - /etc/ssh/sshd_config: + match_output: PermitEmptyPasswords no + pattern: ^PermitEmptyPasswords + tag: CIS-6.2.9 + description: Set SSH PermitEmptyPasswords to No (Scored) + sshd_permit_user_environment: + data: + Red Hat Enterprise Linux Server-6: + - /etc/ssh/sshd_config: + match_output: PermitUserEnvironment no + pattern: ^PermitUserEnvironment + tag: CIS-6.2.10 + description: Do Not Allow Users to Set Environment Options (Scored) + sshd_protocol_2: + data: + Red Hat Enterprise Linux Server-6: + - /etc/ssh/sshd_config: + match_output: Protocol 2 + pattern: ^Protocol + tag: CIS-6.2.1 + 
description: Set SSH Protocol to 2 (Scored) + sshd_x11_forwarding: + data: + Red Hat Enterprise Linux Server-6: + - /etc/ssh/sshd_config: + match_output: X11Forwarding no + pattern: ^X11Forwarding + tag: CIS-6.2.4 + description: Disable SSH X11 Forwarding (Scored) +pkg: + blacklist: + avahi-daemon: + data: + Red Hat Enterprise Linux Server-6: + - avahi-daemon: CIS-3.3 + description: Disable Avahi Server (Scored) + dhcp: + data: + Red Hat Enterprise Linux Server-6: + - dhcp: CIS-3.5 + description: Remove DHCP server (Scored) + nis: + data: + Red Hat Enterprise Linux Server-6: + - ypbind: CIS-2.1.5 + - ypserv: CIS-2.1.6 + description: Remove nis client and nis server (Scored) + rsh: + data: + Red Hat Enterprise Linux Server-6: + - rsh-server: CIS-2.1.3 + - rsh: CIS-2.1.4 + description: Remove rsh and rsh-server (Scored) + talk: + data: + Red Hat Enterprise Linux Server-6: + - talk: CIS-2.1.9 + - talk-server: CIS-2.1.10 + description: Remove talk and talk-server (Scored) + telnet: + data: + Red Hat Enterprise Linux Server-6: + - telnet-server: CIS-2.1.1 + - telnet: CIS-2.1.2 + description: Remove telnet and telnet-server (Scored) + tftp: + data: + Red Hat Enterprise Linux Server-6: + - tftp: CIS-2.1.7 + - tftp-server: CIS-2.1.8 + description: Remove tftp and tftp-server (Scored) + xinetd: + data: + Red Hat Enterprise Linux Server-6: + - xinetd: CIS-2.1.11 + description: Remove xinetd (Scored) + xorg-x11-server-common: + data: + Red Hat Enterprise Linux Server-6: + - xorg-x11-server-common: CIS-3.2 + description: Remove the X Window System (Scored) + whitelist: + aide: + data: + Red Hat Enterprise Linux Server-6: + - aide: CIS-1.3.1 + description: Install AIDE (Scored) + anacron: + data: + Red Hat Enterprise Linux Server-6: + - cronie-anacron: CIS-6.1.1 + description: Enable anacron Daemon (Scored) + firewalld: + data: {} + description: Enable firewalld (Scored) + iptables: + data: + Red Hat Enterprise Linux Server-6: + - iptables: CIS-4.7_installed + description: 
Install IPtables (Scored) + rsyslog: + data: + Red Hat Enterprise Linux Server-6: + - rsyslog: CIS-5.1.1 + description: Install rsyslog (Scored) +service: + whitelist: + anacron_running: + data: + Red Hat Enterprise Linux Server-6: + - cronie-anacron: CIS-6.1.1_running + description: anacron should be running + auditd_running: + data: + Red Hat Enterprise Linux Server-6: + - auditd: CIS-5.2_running + description: auditd should be running + crond_running: + data: + Red Hat Enterprise Linux Server-6: + - crond: CIS-6.1.2_running + description: crond should be running + iptables_running: + data: + Red Hat Enterprise Linux Server-6: + - iptables: CIS-4.7_running + description: rsyslogd should be running + rsyslogd_running: + data: + Red Hat Enterprise Linux Server-6: + - rsyslogd: CIS-5.1.2_running + description: rsyslogd should be running +stat: + anacrontab: + data: + Red Hat Enterprise Linux Server-6: + - /etc/anacrontab: + gid: 0 + group: root + mode: 600 + tag: CIS-6.1.3 + uid: 0 + user: root + description: /etc/anacrontab file be owned by root and must have permissions 600 + (Scored) + at_allow: + data: + Red Hat Enterprise Linux Server-6: + - /etc/at.allow: + gid: 0 + group: root + mode: 600 + tag: CIS-6.1.10 + uid: 0 + user: root + description: /etc/at.allow must be owned by root and have persmissions 600 (Scored) + at_cron_allow: + data: + Red Hat Enterprise Linux Server-6: + - /etc/cron.deny: + gid: null + group: null + mode: null + tag: CIS-6.1.11 + uid: null + user: null + - /etc/at.deny: + gid: null + group: null + mode: null + tag: CIS-6.1.11 + uid: null + user: null + - /etc/cron.allow: + gid: 0 + group: root + mode: 600 + tag: CIS-6.1.11 + uid: 0 + user: root + - /etc/at/allow: + gid: 0 + group: root + mode: 600 + tag: CIS-6.1.11 + uid: 0 + user: root + description: Restrict at/cron to authorized users (Scored) + cron_d: + data: + Red Hat Enterprise Linux Server-6: + - /etc/cron.d: + gid: 0 + group: root + mode: 700 + tag: CIS-6.1.9 + uid: 0 + user: 
root + description: /etc/cron.d must be owned by root and must have permissions 700 (Scored) + cron_daily: + data: + Red Hat Enterprise Linux Server-6: + - /etc/cron.daily: + gid: 0 + group: root + mode: 700 + tag: CIS-6.1.6 + uid: 0 + user: root + description: /etc/cron.daily must be owned by root and must have permissions 700 + (Scored) + cron_hourly: + data: + Red Hat Enterprise Linux Server-6: + - /etc/cron.hourly: + gid: 0 + group: root + mode: 700 + tag: CIS-6.1.5 + uid: 0 + user: root + description: /etc/cron.hourly must be owned by root and must have permissions + 700 (Scored) + cron_monthly: + data: + Red Hat Enterprise Linux Server-6: + - /etc/cron.monthly: + gid: 0 + group: root + mode: 700 + tag: CIS-6.1.8 + uid: 0 + user: root + description: /etc/cron.monthly must be owned by root and must have permissions + 700 (Scored) + cron_weekly: + data: + Red Hat Enterprise Linux Server-6: + - /etc/cron.weekly: + gid: 0 + group: root + mode: 700 + tag: CIS-6.1.7 + uid: 0 + user: root + description: /etc/cron.weekly must be owned by root and must have permissions + 700 (Scored) + crontab: + data: + Red Hat Enterprise Linux Server-6: + - /etc/crontab: + gid: 0 + group: root + mode: 600 + tag: CIS-6.1.4 + uid: 0 + user: root + description: /etc/crontab must be owned by root and have persmissions 600 (Scored) + group_own: + data: + Red Hat Enterprise Linux Server-6: + - /etc/group: + gid: 0 + group: root + tag: CIS-9.1.9 + uid: 0 + user: root + description: /etc/group must be owned by root (Scored) + group_perm: + data: + Red Hat Enterprise Linux Server-6: + - /etc/group: + mode: 644 + tag: CIS-9.1.5 + description: /etc/group must have permissions 000 (Scored) + grub_conf_own: + data: + Red Hat Enterprise Linux Server-6: + - /etc/grub.conf: + gid: 0 + group: root + tag: CIS-1.5.1 + uid: 0 + user: root + description: Grub must be owned by root (Scored) + grub_conf_perm: + data: + Red Hat Enterprise Linux Server-6: + - /etc/grub.conf: + mode: 600 + tag: CIS-1.5.2 + 
description: Grub must have permissions 600 (Scored) + gshadow_own: + data: + Red Hat Enterprise Linux Server-6: + - /etc/gshadow: + gid: 0 + group: root + tag: CIS-9.1.8 + uid: 0 + user: root + description: /etc/gshadow must be owned by root (Scored) + gshadow_perm: + data: + Red Hat Enterprise Linux Server-6: + - /etc/gshadow: + mode: 0 + tag: CIS-9.1.4 + description: /etc/gshadow must have permissions 000 (Scored) + hosts_allow: + data: + Red Hat Enterprise Linux Server-6: + - /etc/hosts.allow: + mode: 644 + tag: CIS-4.5.3 + description: /etc/hosts.allow must have permissions 644 (Scored) + hosts_deny: + data: + Red Hat Enterprise Linux Server-6: + - /etc/hosts.deny: + mode: 644 + tag: CIS-4.5.5 + description: /etc/hosts.deny must have persmissions 644 (Scored) + passwd_own: + data: + Red Hat Enterprise Linux Server-6: + - /etc/passwd: + group: root + tag: CIS-9.1.6 + uid: 0 + user: root + description: /etc/passwd must be owned by root (Scored) + passwd_perm: + data: + Red Hat Enterprise Linux Server-6: + - /etc/passwd: + mode: 644 + tag: CIS-9.1.2 + description: /etc/passwd must have permissions 644 (Scored) + shadow_own: + data: + Red Hat Enterprise Linux Server-6: + - /etc/shadow: + gid: 0 + group: root + tag: CIS-9.1.7 + uid: 0 + user: root + description: /etc/shadow must be owned by root (Scored) + shadow_perm: + data: + Red Hat Enterprise Linux Server-6: + - /etc/shadow: + mode: 0 + tag: CIS-9.1.3 + description: /etc/shadow must have permissions 000 (Scored) + sshd_config: + data: + Red Hat Enterprise Linux Server-6: + - /etc/ssh/sshd_config: + gid: 0 + group: root + mode: 600 + tag: CIS-6.2.3 + uid: 0 + user: root + description: /etc/ssh/sshd_config must be owned by root and must have permissions + 600 (Scored) + warning_banner: + data: + Red Hat Enterprise Linux Server-6: + - /etc/motd: + gid: 0 + group: root + mode: 644 + tag: CIS-8.1 + uid: 0 + user: root + - /etc/issue: + gid: 0 + group: root + mode: 644 + tag: CIS-8.1 + uid: 0 + user: root + - 
/etc/issue.net: + gid: 0 + group: root + mode: 644 + tag: CIS-8.1 + uid: 0 + user: root + description: Files containing the warning banners must be owned by root and must + have permissions 644 (Scored) +sysctl: + bad_error_message_protection: + data: + Red Hat Enterprise Linux Server-6: + - net.ipv4.icmp_ignore_bogus_error_responses: + match_output: '1' + tag: CIS-4.2.6 + description: Enable Bad Error Message Protection (Scored) + exec_shield: + data: + Red Hat Enterprise Linux Server-6: + - kernel.exec-shield: + match_output: '1' + tag: CIS-1.6.2 + description: Configure ExecShield (Scored) + icmp_redirect_acceptance: + data: + Red Hat Enterprise Linux Server-6: + - net.ipv4.conf.all.accept_redirects: + match_output: '0' + tag: CIS-4.2.2 + - net.ipv4.conf.default.accept_redirects: + match_output: '0' + tag: CIS-4.2.2 + description: Disable ICMP Redirect Acceptance (Scored) + ignore_broadcast_requests: + data: + Red Hat Enterprise Linux Server-6: + - net.ipv4.icmp_echo_ignore_broadcasts: + match_output: '1' + tag: CIS-4.2.5 + description: Enable Ignore Broadcast Requests (Scored) + ip_forwarding: + data: + Red Hat Enterprise Linux Server-6: + - net.ipv4.ip_forward: + match_output: '0' + tag: CIS-4.1.1 + description: Disable IP Forwarding (Scored) + log_suspicious_packets: + data: + Red Hat Enterprise Linux Server-6: + - net.ipv4.conf.all.log_martians: + match_output: '1' + tag: CIS-4.2.4 + - net.ipv4.conf.default.log_martians: + match_output: '1' + tag: CIS-4.2.4 + description: Log Suspicious Activity (Scored) + randomize_va_space: + data: + Red Hat Enterprise Linux Server-6: + - kernel.randomize_va_space: + match_output: '2' + tag: CIS-1.6.3 + description: Enable Randomized Virtual Memory Region Placement (Scored) + restrict_suid_core_dumps: + data: + Red Hat Enterprise Linux Server-6: + - fs.suid_dumpable: + match_output: '0' + tag: CIS-1.6.1 + description: Restrict SUID Core Dumps (Scored) + secure_icmp_redirect_acceptance: + data: + Red Hat Enterprise Linux 
Server-6: + - net.ipv4.conf.all.secure_redirects: + match_output: '0' + tag: CIS-4.2.3 + - net.ipv4.conf.default.secure_redirects: + match_output: '0' + tag: CIS-4.2.3 + description: Disable Secure ICMP Redirect Acceptance (Scored) + send_packet_redirect: + data: + Red Hat Enterprise Linux Server-6: + - net.ipv4.conf.all.send_redirects: + match_output: '0' + tag: CIS-4.1.2 + - net.ipv4.conf.default.send_redirects: + match_output: '0' + tag: CIS-4.1.2 + - net.ipv4.conf.default.send_redirects: + match_output: '0' + tag: CIS-4.1.2 + description: Disable Send Packet Redirect (Scored) + source_routed_packet_acceptance: + data: + Red Hat Enterprise Linux Server-6: + - net.ipv4.conf.all.accept_source_route: + match_output: '0' + tag: CIS-4.2.1 + - net.ipv4.conf.default.accept_source_route: + match_output: '0' + tag: CIS-4.2.1 + description: Disable Source Routed Packet Acceptance (Scored) + tcp_syn_cookies: + data: + Red Hat Enterprise Linux Server-6: + - net.ipv4.tcp_syncookies: + match_output: '1' + tag: CIS-4.2.8 + description: Enable TCP SYN cookies (Scored) diff --git a/hubblestack_nova_profiles/cis/rhels-6-level-1-scored-v2-0-1.yaml b/hubblestack_nova_profiles/cis/rhels-6-level-1-scored-v2-0-1.yaml index c011d54..64d12aa 100644 --- a/hubblestack_nova_profiles/cis/rhels-6-level-1-scored-v2-0-1.yaml +++ b/hubblestack_nova_profiles/cis/rhels-6-level-1-scored-v2-0-1.yaml 
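Review bot: several entries in this profile carry a description or a data item that does not match the check they define, which makes the audit output misleading (a result labelled with the wrong control or file). In the `service` whitelist, `iptables_running` has the description `rsyslogd should be running`, copied from the entry below it; it should describe iptables. In the `grep` section, `sshd_disable_root_login` is described as `Set SSH HostbasedAuthentication to No (Scored)`, duplicating `sshd_hostbased_auth`; the description should refer to `PermitRootLogin`. In `stat`, `group_perm` checks `mode: 644` but its description reads `/etc/group must have permissions 000 (Scored)`; since 644 is the value the sibling `passwd_perm` entry and the CIS text use for this file, the description is the part to fix. Also in `stat`, the fourth path under `at_cron_allow` is `/etc/at/allow`, while the `at_allow` entry directly above uses `/etc/at.allow`; the slash form points at a path that does not exist on the system, so the check can never match the intended file. `passwd_own` omits `gid: 0` although every other `_own` entry pairs `group: root` with `gid: 0`. In `sysctl`, `send_packet_redirect` lists `net.ipv4.conf.default.send_redirects` twice; the duplicate can be dropped. Finally, `firewalld` in the `pkg` whitelist has `data: {}`, so it applies to no OS and reports nothing; either give it an OS entry or remove it.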
@@ -1,853 +1,929 @@ -grep: +# NOTE: This CIS Profile only includes Level 1 Scored Items for Red Hat Enterprise Linux Server 6. +# NOTE: Within this file, there are a few sections that should be tailored to your +# organization's specific policy. Search for '# NOTE: ' comments through the file. + +# TODO: Checks that aren't implemented yet: +# 1.1.21 +# 1.1.22 +# 1.3.1 +# 1.3.2 +# 1.4.3 +# 1.4.4 +# 1.5.4 +# 1.7.2 +# 1.7.1.1 +# 2.1.1-5 +# 2.1.10 +# 2.2.2-4 +# 2.2.6-15 +# 2.2.1.3 +# 2.3.5 +# 3.4.1-3 +# 3.6.1-3 +# 3.6.5 +# 4.2.2.1 +# 4.2.2.3 +# 4.2.4 +# 5.3.1 +# 5.3.2 +# 5.3.4 +# 5.4.1.4 +# 5.4.2 +# 5.4.3 +# 6.1.10-12 +# 6.2.1 +# 6.2.5-19 + + +pkg: blacklist: - legacy_passwd_entries_group: - data: - Red Hat Enterprise Linux Server-6: - - /etc/group: - pattern: '^+:' - tag: CIS-6.2.4 - description: Ensure no legacy "+" entries exist in /etc/group - legacy_passwd_entries_passwd: - data: - Red Hat Enterprise Linux Server-6: - - /etc/passwd: - pattern: '^+:' - tag: CIS-6.2.2 - description: Ensure no legacy "+" entries exist in /etc/passwd - legacy_passwd_entries_shadow: - data: - Red Hat Enterprise Linux Server-6: - - /etc/shadow: - pattern: '^+:' - tag: CIS-6.2.3 - description: Ensure no legacy "+" entries exist in /etc/shadow - whitelist: - activate_gpg_check: - data: - Red Hat Enterprise Linux Server-6: - - /etc/yum.conf: - match_output: gpgcheck=1 - pattern: gpgcheck - tag: CIS-1.2.2 - description: Ensure gpgcheck is globally activated - boot_loader_passwd: - data: - Red Hat Enterprise Linux Server-6: - - /etc/grub.conf: - pattern: ^password - tag: CIS-1.4.2 - description: Ensure bootloader password is set - configure_ntp: - data: - Red Hat Enterprise Linux Server-6: - - /etc/ntp.conf: - pattern: restrict default - tag: CIS-3.6 - - /etc/ntp.conf: - pattern: restrict -6 default - tag: CIS-3.6 - - '/etc/ntp.conf': - tag: 'CIS-3.6' - pattern: '^server' - - '/etc/sysconfig/ntpd': - tag: 'CIS-3.6' - pattern: 'ntp:ntp' - description: Ensure ntp is configured - default_umask: 
- data: - Red Hat Enterprise Linux Server-6: - - /etc/bashrc: - pattern: ^umask 077 - tag: CIS-7.4 - - /etc/profile.d/*: - pattern: ^umask 077 - tag: CIS-7.4 - description: Set Default umask for Users (Scored) - fstab_dev_shm_partition_nodev: - data: - Red Hat Enterprise Linux Server-6: - - /etc/fstab: - match_output: nodev - pattern: /dev/shm - tag: CIS-1.1.15 - description: Ensure nodev option set on /dev/shm partition - fstab_dev_shm_partition_noexec: - data: - Red Hat Enterprise Linux Server-6: - - /etc/fstab: - match_output: noexec - pattern: /dev/shm - tag: CIS-1.1.17 - description: Ensure noexec option set on /dev/shm partition - fstab_dev_shm_partition_nosuid: - data: - Red Hat Enterprise Linux Server-6: - - /etc/fstab: - match_output: nosuid - pattern: /dev/shm - tag: CIS-1.1.16 - description: Ensure nosuid option set on /dev/shm partition - fstab_home_partition: - data: - Red Hat Enterprise Linux Server-6: - - /etc/fstab: - pattern: /home - tag: CIS-1.1.9 - description: Create Separate Partition for /home (Scored) - fstab_home_partition_nodev: - data: - Red Hat Enterprise Linux Server-6: - - /etc/fstab: - match_output: nodev - pattern: /home - tag: CIS-1.1.14 - description: Ensure nodev option set on /home partition - fstab_tmp_partition: - data: - Red Hat Enterprise Linux Server-6: - - /etc/fstab: - pattern: /tmp - tag: CIS-1.1.1 - description: Create Separate Partition for /tmp (Scored) - fstab_tmp_partition_nodev: - data: - Red Hat Enterprise Linux Server-6: - - /etc/fstab: - match_output: nodev - pattern: /tmp - tag: CIS-1.1.3 - description: Ensure nodev option set on /tmp partition - fstab_tmp_partition_noexec: - data: - Red Hat Enterprise Linux Server-6: - - /etc/fstab: - match_output: noexec - pattern: /tmp - tag: CIS-1.1.5 - description: Ensure noexec option set on /tmp partition - fstab_tmp_partition_nosuid: - data: - Red Hat Enterprise Linux Server-6: - - /etc/fstab: - match_output: nosuid - pattern: /tmp - tag: CIS-1.1.4 - description: Ensure 
nosuid option set on /tmp partition - fstab_var_log_audit_partition: - data: - Red Hat Enterprise Linux Server-6: - - /etc/fstab: - pattern: /var/log/audit - tag: CIS-1.1.8 - description: Create Separate Partition for /var/log/audit (Scored) - fstab_var_log_partition: - data: - Red Hat Enterprise Linux Server-6: - - /etc/fstab: - pattern: /var/log - tag: CIS-1.1.7 - description: Create Separate Partition for /var/log (Scored) - fstab_var_partition: - data: - Red Hat Enterprise Linux Server-6: - - /etc/fstab: - pattern: /var - tag: CIS-1.1.5 - description: Create Separate Partition for /var (Scored) - fstab_var_tmp_bind_mount: - data: - Red Hat Enterprise Linux Server-6: - - /etc/fstab: - match_output: /var/tmp - pattern: /tmp - tag: CIS-1.1.6 - description: Bind Mount the /var/tmp directory to /tmp (Scored) - limit_password_reuse: - data: - Red Hat Enterprise Linux Server-6: - - /etc/pam.d/system-auth: - match_output: remember=5 - pattern: pam_unix.so - tag: CIS-5.3.3 - description: Ensure password reuse is limited - limit_su_command_access: - data: - Red Hat Enterprise Linux Server-6: - - /etc/pam.d/su: - match_output: use_uid - pattern: pam_wheel.so - tag: CIS-5.6 - - /etc/group: - pattern: wheel - tag: CIS-5.6 - description: Ensure access to the su command is restricted - pam_cracklib_try_first_pass: - data: - Red Hat Enterprise Linux Server-6: - - /etc/pam.d/system-auth: - match_output: try_first_pass - pattern: pam_cracklib.so - tag: CIS-5.3.1 - - /etc/pam.d/system-auth: - match_output: retry=3 - pattern: pam_cracklib.so - tag: CIS-5.3.1 - - /etc/pam.d/system-auth: - match_output: minlen=14 - pattern: pam_cracklib.so - tag: CIS-5.3.1 - - /etc/pam.d/system-auth: - match_output: dcredit=-1 - pattern: pam_cracklib.so - tag: CIS-5.3.1 - - /etc/pam.d/system-auth: - match_output: ucredit=-1 - pattern: pam_cracklib.so - tag: CIS-5.3.1 - - /etc/pam.d/system-auth: - match_output: ocredit=-1 - pattern: pam_cracklib.so - tag: CIS-5.3.1 - - /etc/pam.d/system-auth: - 
match_output: lcredit=-1 - pattern: pam_cracklib.so - tag: CIS-5.3.1 - description: Ensure password creation requirements are configured - passwd_change_min_days: - data: - Red Hat Enterprise Linux Server-6: - - /etc/login.defs: - match_output: '7' - pattern: PASS_MIN_DAYS - tag: CIS-5.4.1.2 - description: Ensure minimum days between password changes is 7 or more - passwd_expiration_days: - data: - Red Hat Enterprise Linux Server-6: - - /etc/login.defs: - match_output: '90' - pattern: PASS_MAX_DAYS - tag: CIS-5.4.1.1 - description: Ensure password expiration is 90 days or less - passwd_expiry_warning: - data: - Red Hat Enterprise Linux Server-6: - - /etc/login.defs: - match_output: '7' - pattern: PASS_WARN_AGE - tag: CIS-5.4.1.3 - description: Ensure password expiration warning days is 7 or more - restrict_core_dumps: - data: - Red Hat Enterprise Linux Server-6: - - /etc/security/limits.conf: - pattern: hard core - tag: CIS-1.5.1 - description: Ensure core dumps are restricted - rsyslog_remote_logging: - data: - Red Hat Enterprise Linux Server-6: - - /etc/rsyslog.conf: - pattern: ^*.*[^I][^I]*@ - tag: CIS-4.2.1.4 - description: Ensure rsyslog is configured to send logs to a remote log host - set_daemon_umask: - data: - Red Hat Enterprise Linux Server-6: - - /etc/sysconfig/init: - match_output: umask 027 - pattern: umask - tag: CIS-5.4.4 - description: Ensure default user umask is 027 or more restrictive - sshd_approved_cipher: - data: - Red Hat Enterprise Linux Server-6: - - /etc/ssh/sshd_config: - match_output: 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr' - pattern: Ciphers - tag: CIS-5.2.11 - description: Ensure only approved ciphers are used - sshd_banner: - data: - Red Hat Enterprise Linux Server-6: - - /etc/ssh/sshd_config: - pattern: ^Banner - tag: CIS-5.2.16 - description: Ensure SSH warning banner is configured - sshd_disable_root_login: - data: - Red Hat Enterprise Linux Server-6: - - /etc/ssh/sshd_config: - match_output: PermitRootLogin no - pattern: 
^PermitRootLogin - tag: CIS-5.2.8 - description: Ensure SSH root login is disabled - sshd_hostbased_auth: - data: - Red Hat Enterprise Linux Server-6: - - /etc/ssh/sshd_config: - match_output: HostbasedAuthentication no - pattern: ^HostbasedAuthentication - tag: CIS-5.2.7 - description: Ensure SSH HostbasedAuthentication is disabled - sshd_idle_timeout: - data: - Red Hat Enterprise Linux Server-6: - - /etc/ssh/sshd_config: - match_output: ClientAliveInterval 300 - pattern: ^ClientAliveInterval - tag: CIS-5.2.13 - - /etc/ssh/sshd_config: - match_output: ClientAliveCountMax 0 - pattern: ^ClientAliveCountMax - tag: CIS-5.2.13 - description: Ensure SSH Idle Timeout Interval is configured - sshd_ignore_rhosts: - data: - Red Hat Enterprise Linux Server-6: - - /etc/ssh/sshd_config: - match_output: IgnoreRhosts yes - pattern: ^IgnoreRhosts - tag: CIS-5.2.6 - description: Ensure SSH IgnoreRhosts is enabled - sshd_limit_access: - data: - Red Hat Enterprise Linux Server-6: - - /etc/ssh/sshd_config: - pattern: ^AllowUsers - tag: CIS-5.2.1 - - /etc/ssh/sshd_config: - pattern: ^AllowGroups - tag: CIS-5.2.1 - - /etc/ssh/sshd_config: - pattern: ^DenyUsers - tag: CIS-5.2.1 - - /etc/ssh/sshd_config: - pattern: ^DenyGroups - tag: CIS-5.2.1 - description: Ensure permissions on /etc/ssh/sshd_config are configured - sshd_loglevel_info: - data: - Red Hat Enterprise Linux Server-6: - - /etc/ssh/sshd_config: - match_output: LogLevel INFO - pattern: ^LogLevel - tag: CIS-5.2.3 - description: Ensure SSH LogLevel is set to INFO - sshd_max_auth_retries: - data: - Red Hat Enterprise Linux Server-6: - - /etc/ssh/sshd_config: - match_output: MaxAuthTries 4 - pattern: ^MaxAuthTries - tag: CIS-5.2.5 - description: Ensure SSH MaxAuthTries is set to 4 or less - sshd_permit_empty_passwords: - data: - Red Hat Enterprise Linux Server-6: - - /etc/ssh/sshd_config: - match_output: PermitEmptyPasswords no - pattern: ^PermitEmptyPasswords - tag: CIS-5.2.9 - description: Ensure SSH PermitEmptyPasswords is 
disabled - sshd_permit_user_environment: - data: - Red Hat Enterprise Linux Server-6: - - /etc/ssh/sshd_config: - match_output: PermitUserEnvironment no - pattern: ^PermitUserEnvironment - tag: CIS-5.2.10 - description: Ensure SSH PermitUserEnvironment is disabled - sshd_protocol_2: + + telnet-client: data: - Red Hat Enterprise Linux Server-6: - - /etc/ssh/sshd_config: - match_output: Protocol 2 - pattern: ^Protocol - tag: CIS-5.2.2 - description: Ensure SSH Protocol is set to 2 - sshd_x11_forwarding: + 'Red Hat Enterprise Linux Server-6': + - 'telnet': CIS-2.3.4 + description: Ensure telnet client is not installed + telnet-server: data: - Red Hat Enterprise Linux Server-6: - - /etc/ssh/sshd_config: - match_output: X11Forwarding no - pattern: ^X11Forwarding - tag: CIS-5.2.4 - description: Ensure SSH X11 forwarding is disabled -pkg: - blacklist: - avahi-daemon: + 'Red Hat Enterprise Linux Server-6': + - 'telnet-server': CIS-2.1.8 + description: Ensure telnet server is not enabled + + rsh-server: data: - Red Hat Enterprise Linux Server-6: - - avahi-daemon: CIS-2.2.3 - description: Ensure Avahi Server is not enabled - dhcp: + 'Red Hat Enterprise Linux Server-6': + - 'rsh-server': CIS-2.1.6 + description: Ensure rsh server is not enabled + rsh-client: data: - Red Hat Enterprise Linux Server-6: - - dhcp: CIS-2.2.5 - description: Ensure DHCP Server is not enabled + 'Red Hat Enterprise Linux Server-6': + - 'rsh': CIS-2.3.2 + description: Ensure rsh client is not installed + nis-client: data: - Red Hat Enterprise Linux Server-6: - - ypbind: CIS-2.3.1 + 'Red Hat Enterprise Linux Server-6': + - 'ypbind': CIS-2.3.1 description: Ensure NIS Client is not installed nis-server: data: - Red Hat Enterprise Linux Server-6: - - ypserv: CIS-2.2.16 + 'Red Hat Enterprise Linux Server-6': + - 'ypserv': CIS-2.2.16 description: Ensure NIS Server is not enabled - rsh-client: - data: - Red Hat Enterprise Linux Server-6: - - rsh: CIS-2.3.2 - description: Ensure rsh client is not installed - 
rsh-server: + + tftp-server: data: - Red Hat Enterprise Linux Server-6: - - rsh-server: CIS-2.1.6 - description: Ensure rsh server is not enabled + 'Red Hat Enterprise Linux Server-6': + - 'tftp-server': CIS-2.1.9 + description: Ensure tftp server is not enabled + talk-client: data: - Red Hat Enterprise Linux Server-6: - - talk: CIS-2.3.3 + 'Red Hat Enterprise Linux Server-6': + - 'talk': CIS-2.3.3 description: Ensure talk client is not installed talk-server: data: - Red Hat Enterprise Linux Server-6: - - talk-server: CIS-2.1.7 + 'Red Hat Enterprise Linux Server-6': + - 'talk-server': CIS-2.1.7 description: Ensure talk server is not enabled - telnet-client: - data: - Red Hat Enterprise Linux Server-6: - - telnet: CIS-2.3.4 - description: Ensure telnet client is not installed - telnet-server: - data: - Red Hat Enterprise Linux Server-6: - - telnet-server: CIS-2.1.8 - description: Ensure telnet server is not enabled - tftp-client: - data: - Red Hat Enterprise Linux Server-6: - - tftp: CIS-2.1.7 - description: Remove tftp (Scored) - tftp-server: - data: - Red Hat Enterprise Linux Server-6: - - tftp-server: CIS-2.1.9 - description: Ensure tftp server is not enabled + xinetd: data: - Red Hat Enterprise Linux Server-6: - - xinetd: CIS-2.1.11 + 'Red Hat Enterprise Linux Server-6': + - 'xinetd': CIS-2.1.11 description: Ensure xinetd is not enabled - xorg-x11-server-common: + + dhcp: data: - Red Hat Enterprise Linux Server-6: - - xorg-x11-server-common: CIS-2.2.2 - description: Ensure X Window System is not installed + 'Red Hat Enterprise Linux Server-6': + - 'dhcp': CIS-2.2.5 + description: Ensure DHCP Server is not enabled + whitelist: - aide: - data: - Red Hat Enterprise Linux Server-6: - - aide: CIS-1.3.1 - description: Ensure AIDE is installed - anacron: - data: - Red Hat Enterprise Linux Server-6: - - cronie-anacron: CIS-6.1.1 - description: Enable anacron Daemon - firewalld: - data: {} - description: Enable firewalld (Scored) - iptables: - data: - Red Hat Enterprise 
Linux Server-6: - - iptables: CIS-3.6.1_installed - description: Ensure iptables is installed + rsyslog: data: - Red Hat Enterprise Linux Server-6: - - rsyslog: CIS-4.2.3 + 'Red Hat Enterprise Linux Server-6': + - 'rsyslog': CIS-4.2.3 description: Ensure rsyslog or syslog-ng is installed -service: - whitelist: - auditd_running: - data: - Red Hat Enterprise Linux Server-6: - - auditd: CIS-4.1.2_running - description: auditd should be running - crond_running: - data: - Red Hat Enterprise Linux Server-6: - - crond: CIS-5.1.1_running - description: Ensure cron daemon is enabled - iptables_running: - data: - Red Hat Enterprise Linux Server-6: - - iptables: CIS-3.6.1_running - description: iptables should be running - rsyslogd_running: - data: - Red Hat Enterprise Linux Server-6: - - rsyslogd: CIS-4.2.1_running - description: rsyslogd should be running + + stat: - anacrontab: - data: - Red Hat Enterprise Linux Server-6: - - /etc/anacrontab: - gid: 0 - group: root - mode: 600 - tag: CIS-6.1.3 - uid: 0 - user: root - description: /etc/anacrontab file be owned by root and must have permissions 600 - (Scored) - at_allow: - data: - Red Hat Enterprise Linux Server-6: - - /etc/at.allow: - gid: 0 - group: root - mode: 600 - tag: CIS-5.1.8 - uid: 0 - user: root - description: Ensure at/cron is restricted to authorized users - at_cron_allow: + grub_conf_perm: data: - Red Hat Enterprise Linux Server-6: - - /etc/cron.deny: - gid: null - group: null - mode: null - tag: CIS-5.1.8 - uid: null - user: null - - /etc/at.deny: - gid: null - group: null - mode: null - tag: CIS-5.1.8 - uid: null - user: null - - /etc/cron.allow: - gid: 0 - group: root - mode: 600 - tag: CIS-5.1.8 - uid: 0 - user: root - - /etc/at/allow: - gid: 0 - group: root - mode: 600 - tag: CIS-5.1.8 - uid: 0 - user: root - description: Ensure at/cron is restricted to authorized users - cron_d: + 'Red Hat Enterprise Linux Server-6': + - '/etc/grub.conf': + tag: CIS-1.4.1 + mode: 600 + description: Ensure permissions on 
bootloader config are configured + + hosts_allow: data: - Red Hat Enterprise Linux Server-6: - - /etc/cron.d: - gid: 0 - group: root - mode: 700 - tag: CIS-5.1.7 - uid: 0 - user: root - description: Ensure permissions on /etc/cron.d are configured - cron_daily: + 'Red Hat Enterprise Linux Server-6': + - '/etc/hosts.allow': + tag: CIS-3.4.4 + mode: 644 + description: Ensure permissions on /etc/hosts.allow are configured + + hosts_deny: data: - Red Hat Enterprise Linux Server-6: - - /etc/cron.daily: - gid: 0 - group: root - mode: 700 - tag: CIS-5.1.4 - uid: 0 - user: root - description: Ensure permissions on /etc/cron.daily are configured + 'Red Hat Enterprise Linux Server-6': + - '/etc/hosts.deny': + tag: CIS-3.4.5 + mode: 644 + description: Ensure permissions on /etc/hosts.deny are configured + + crontab: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/crontab': + tag: CIS-5.1.2 + mode: 600 + user: 'root' + uid: 0 + group: 'root' + gid: 0 + description: Ensure permissions on /etc/crontab are configured + cron_hourly: data: - Red Hat Enterprise Linux Server-6: - - /etc/cron.hourly: - gid: 0 - group: root - mode: 700 - tag: CIS-5.1.3 - uid: 0 - user: root + 'Red Hat Enterprise Linux Server-6': + - '/etc/cron.hourly': + tag: CIS-5.1.3 + mode: 700 + user: 'root' + uid: 0 + group: 'root' + gid: 0 description: Ensure permissions on /etc/cron.hourly are configured - cron_monthly: + + cron_daily: data: - Red Hat Enterprise Linux Server-6: - - /etc/cron.monthly: - gid: 0 - group: root - mode: 700 - tag: CIS-5.1.6 - uid: 0 - user: root - description: Ensure permissions on /etc/cron.monthly are configured + 'Red Hat Enterprise Linux Server-6': + - '/etc/cron.daily': + tag: CIS-5.1.4 + mode: 700 + user: 'root' + uid: 0 + group: 'root' + gid: 0 + description: Ensure permissions on /etc/cron.daily are configured + cron_weekly: data: - Red Hat Enterprise Linux Server-6: - - /etc/cron.weekly: - gid: 0 - group: root - mode: 700 - tag: CIS-5.1.5 - uid: 0 - user: root + 'Red 
Hat Enterprise Linux Server-6': + - '/etc/cron.weekly': + tag: CIS-5.1.5 + mode: 700 + user: 'root' + uid: 0 + group: 'root' + gid: 0 description: Ensure permissions on /etc/cron.weekly are configured - crontab: - data: - Red Hat Enterprise Linux Server-6: - - /etc/crontab: - gid: 0 - group: root - mode: 600 - tag: CIS-5.1.2 - uid: 0 - user: root - description: Ensure permissions on /etc/crontab are configured - group_own: - data: - Red Hat Enterprise Linux Server-6: - - /etc/group: - gid: 0 - group: root - tag: CIS-6.1.4 - uid: 0 - user: root - description: Ensure permissions on /etc/group are configured - group_perm: - data: - Red Hat Enterprise Linux Server-6: - - /etc/group: - mode: 644 - tag: CIS-6.1.8 - description: Ensure permissions on /etc/group- are configured - grub_conf_own: - data: - Red Hat Enterprise Linux Server-6: - - /etc/grub.conf: - gid: 0 - group: root - tag: CIS-1.5.1 - uid: 0 - user: root - description: Grub must be owned by root - grub_conf_perm: + + cron_monthly: data: - Red Hat Enterprise Linux Server-6: - - /etc/grub.conf: - mode: 600 - tag: CIS-1.4.1 - description: Ensure permissions on bootloader config are configured - gshadow_own: + 'Red Hat Enterprise Linux Server-6': + - '/etc/cron.monthly': + tag: CIS-5.1.6 + mode: 700 + user: 'root' + uid: 0 + group: 'root' + gid: 0 + description: Ensure permissions on /etc/cron.monthly are configured + + cron_d: data: - Red Hat Enterprise Linux Server-6: - - /etc/gshadow: - gid: 0 - group: root - tag: CIS-6.1.5 - uid: 0 - user: root - description: Ensure permissions on /etc/gshadow are configured - gshadow_perm: + 'Red Hat Enterprise Linux Server-6': + - '/etc/cron.d': + tag: CIS-5.1.7 + mode: 700 + user: 'root' + uid: 0 + group: 'root' + gid: 0 + description: Ensure permissions on /etc/cron.d are configured + + at_cron_allow: data: - Red Hat Enterprise Linux Server-6: - - /etc/gshadow: - mode: 0 - tag: CIS-6.1.9 - description: Ensure permissions on /etc/gshadow- are configured - hosts_allow: + 
'Red Hat Enterprise Linux Server-6': + - '/etc/cron.deny': + tag: CIS-5.1.8 + mode: null + user: null + uid: null + group: null + gid: null + - '/etc/at.deny': + tag: CIS-5.1.8 + mode: null + user: null + uid: null + group: null + gid: null + - '/etc/cron.allow': + tag: CIS-5.1.8 + mode: 600 + user: 'root' + uid: 0 + group: 'root' + gid: 0 + - '/etc/at.allow': + tag: CIS-5.1.8 + mode: 600 + user: 'root' + uid: 0 + group: 'root' + gid: 0 + description: Ensure at/cron is restricted to authorized users + + sshd_config: data: - Red Hat Enterprise Linux Server-6: - - /etc/hosts.allow: - mode: 644 - tag: CIS-3.4.4 - description: Ensure permissions on /etc/hosts.allow are configured - hosts_deny: + 'Red Hat Enterprise Linux Server-6': + - '/etc/ssh/sshd_config': + tag: CIS-5.2.1 + mode: 600 + user: 'root' + uid: 0 + group: 'root' + gid: 0 + description: Ensure permissions on /etc/ssh/sshd_config are configured + + warning_banner-issue: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/issue': + tag: CIS-1.7.1.5 + mode: 644 + user: 'root' + uid: 0 + group: 'root' + gid: 0 + description: Ensure permissions on /etc/issue are configured + + passwd_perm: data: - Red Hat Enterprise Linux Server-6: - - /etc/hosts.deny: - mode: 644 - tag: CIS-3.4.5 - description: Ensure permissions on /etc/hosts.deny are configured + 'Red Hat Enterprise Linux Server-6': + - '/etc/passwd': + tag: CIS-6.1.2 + mode: 644 + description: Ensure permissions on /etc/passwd are configured + passwd_own: data: - Red Hat Enterprise Linux Server-6: - - /etc/passwd: - group: root - tag: CIS-6.1.6 - uid: 0 - user: root + 'Red Hat Enterprise Linux Server-6': + - '/etc/passwd': + tag: CIS-6.1.6 + user: 'root' + uid: 0 + group: 'root' + uid: 0 description: Ensure permissions on /etc/passwd- are configured - passwd_perm: + + shadow_perm: data: - Red Hat Enterprise Linux Server-6: - - /etc/passwd: - mode: 644 - tag: CIS-6.1.2 - description: Ensure permissions on /etc/passwd are configured + 'Red Hat 
Enterprise Linux Server-6': + - '/etc/shadow': + tag: CIS-6.1.3 + mode: 0 + description: Ensure permissions on /etc/shadow are configured + shadow_own: data: - Red Hat Enterprise Linux Server-6: - - /etc/shadow: - gid: 0 - group: root - tag: CIS-6.1.7 - uid: 0 - user: root + 'Red Hat Enterprise Linux Server-6': + - '/etc/shadow': + tag: CIS-6.1.7 + user: 'root' + uid: 0 + group: 'root' + gid: 0 description: Ensure permissions on /etc/shadow- are configured - shadow_perm: + + gshadow_perm: data: - Red Hat Enterprise Linux Server-6: - - /etc/shadow: - mode: 0 - tag: CIS-6.1.3 - description: Ensure permissions on /etc/shadow are configured - sshd_config: + 'Red Hat Enterprise Linux Server-6': + - '/etc/gshadow': + tag: CIS-6.1.9 + mode: 0 + description: Ensure permissions on /etc/gshadow- are configured + + gshadow_own: data: - Red Hat Enterprise Linux Server-6: - - /etc/ssh/sshd_config: - gid: 0 - group: root - mode: 600 - tag: CIS-5.2.1 - uid: 0 - user: root - description: Ensure permissions on /etc/ssh/sshd_config are configured - warning_banner: - data: - Red Hat Enterprise Linux Server-6: - - /etc/motd: - gid: 0 - group: root - mode: 644 - tag: CIS-1.7.1.5 - uid: 0 - user: root - - /etc/issue: - gid: 0 - group: root - mode: 644 - tag: CIS-1.7.1.5 - uid: 0 - user: root - - /etc/issue.net: - gid: 0 - group: root - mode: 644 - tag: CIS-1.7.1.5 - uid: 0 - user: root - description: Ensure permissions on /etc/issue are configured + 'Red Hat Enterprise Linux Server-6': + - '/etc/gshadow': + tag: CIS-6.1.5 + user: 'root' + uid: 0 + group: 'root' + gid: 0 + description: Ensure permissions on /etc/gshadow are configured + + group_perm: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/group': + tag: CIS-6.1.8 + mode: 644 + description: Ensure permissions on /etc/group- are configured + + group_own: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/group': + tag: CIS-6.1.4 + user: 'root' + uid: 0 + group: 'root' + gid: 0 + description: Ensure permissions on 
/etc/group are configured + + + sysctl: bad_error_message_protection: data: - Red Hat Enterprise Linux Server-6: - - net.ipv4.icmp_ignore_bogus_error_responses: - match_output: '1' - tag: CIS-3.2.6 + 'Red Hat Enterprise Linux Server-6': + - net.ipv4.icmp_ignore_bogus_error_responses: + match_output: '1' + tag: CIS-3.2.6 description: Ensure bogus ICMP responses are ignored - exec_shield: - data: - Red Hat Enterprise Linux Server-6: - - kernel.exec-shield: - match_output: '1' - tag: CIS-1.6.2 - description: Configure ExecShield (Scored) icmp_redirect_acceptance: data: - Red Hat Enterprise Linux Server-6: - - net.ipv4.conf.all.accept_redirects: - match_output: '0' - tag: CIS-3.2.2 - - net.ipv4.conf.default.accept_redirects: - match_output: '0' - tag: CIS-3.2.2 + 'Red Hat Enterprise Linux Server-6': + - net.ipv4.conf.all.accept_redirects: + match_output: '0' + tag: CIS-3.2.2 + - net.ipv4.conf.default.accept_redirects: + match_output: '0' + tag: CIS-3.2.2 description: Ensure ICMP redirects are not accepted + ipv6_redirect_acceptance: + data: + 'Red Hat Enterprise Linux Server-6': + - net.ipv6.conf.all.accept_redirects: + match_output: '0' + tag: CIS-3.3.2 + - net.ipv6.conf.default.accept_redirects: + match_output: '0' + tag: CIS-3.3.2 + description: Ensure IPv6 redirects are not accepted + icmp_secure_redirect_acceptance: + data: + 'Red Hat Enterprise Linux Server-6': + - net.ipv4.conf.all.secure_redirects: + match_output: '0' + tag: CIS-3.2.3 + - net.ipv4.conf.default.secure_redirects: + match_output: '0' + tag: CIS-3.2.3 + description: Ensure secure ICMP redirects are not accepted ignore_broadcast_requests: data: - Red Hat Enterprise Linux Server-6: - - net.ipv4.icmp_echo_ignore_broadcasts: - match_output: '1' - tag: CIS-3.2.5 + 'Red Hat Enterprise Linux Server-6': + - net.ipv4.icmp_echo_ignore_broadcasts: + match_output: '1' + tag: CIS-3.2.5 description: Ensure broadcast ICMP requests are ignored ip_forwarding: data: - Red Hat Enterprise Linux Server-6: - - 
net.ipv4.ip_forward: - match_output: '0' - tag: CIS-3.1.1 + 'Red Hat Enterprise Linux Server-6': + - net.ipv4.ip_forward: + match_output: '0' + tag: CIS-3.1.1 description: Ensure IP forwarding is disabled log_suspicious_packets: data: - Red Hat Enterprise Linux Server-6: - - net.ipv4.conf.all.log_martians: - match_output: '1' - tag: CIS-3.2.4 - - net.ipv4.conf.default.log_martians: - match_output: '1' - tag: CIS-3.2.4 + 'Red Hat Enterprise Linux Server-6': + - net.ipv4.conf.all.log_martians: + match_output: '1' + tag: CIS-3.2.4 + - net.ipv4.conf.default.log_martians: + match_output: '1' + tag: CIS-3.2.4 description: Ensure suspicious packets are logged randomize_va_space: data: - Red Hat Enterprise Linux Server-6: - - kernel.randomize_va_space: - match_output: '2' - tag: CIS-1.5.3 + 'Red Hat Enterprise Linux Server-6': + - kernel.randomize_va_space: + match_output: '2' + tag: CIS-1.5.3 description: Ensure address space layout randomization (ASLR) is enabled - restrict_suid_core_dumps: - data: - Red Hat Enterprise Linux Server-6: - - fs.suid_dumpable: - match_output: '0' - tag: CIS-1.5.1 - description: Ensure core dumps are restricted - secure_icmp_redirect_acceptance: - data: - Red Hat Enterprise Linux Server-6: - - net.ipv4.conf.all.secure_redirects: - match_output: '0' - tag: CIS-3.2.3 - - net.ipv4.conf.default.secure_redirects: - match_output: '0' - tag: CIS-3.2.3 - description: Ensure secure ICMP redirects are not accepted send_packet_redirect: data: - Red Hat Enterprise Linux Server-6: - - net.ipv4.conf.all.send_redirects: - match_output: '0' - tag: CIS-3.1.2 - - net.ipv4.conf.default.send_redirects: - match_output: '0' - tag: CIS-3.1.2 - - net.ipv4.conf.default.send_redirects: - match_output: '0' - tag: CIS-3.1.2 + 'Red Hat Enterprise Linux Server-6': + - net.ipv4.conf.all.send_redirects: + match_output: '0' + tag: CIS-3.1.2 + - net.ipv4.conf.default.send_redirects: + match_output: '0' + tag: CIS-3.1.2 description: Ensure packet redirect sending is disabled 
source_routed_packet_acceptance: data: - Red Hat Enterprise Linux Server-6: - - net.ipv4.conf.all.accept_source_route: - match_output: '0' - tag: CIS-3.2.1 - - net.ipv4.conf.default.accept_source_route: - match_output: '0' - tag: CIS-3.2.1 + 'Red Hat Enterprise Linux Server-6': + - net.ipv4.conf.all.accept_source_route: + match_output: '0' + tag: CIS-3.2.1 + - net.ipv4.conf.default.accept_source_route: + match_output: '0' + tag: CIS-3.2.1 description: Ensure source routed packets are not accepted + ipv6_router_advertisements: + data: + 'Red Hat Enterprise Linux Server-6': + - net.ipv6.conf.all.accept_ra: + match_output: '0' + tag: CIS-3.3.1 + - net.ipv6.conf.default.accept_ra: + match_output: '0' + tag: CIS-3.3.1 + description: Ensure IPv6 router advertisements are not accepted + reverse_path_filtering: + data: + 'Red Hat Enterprise Linux Server-6': + - net.ipv4.conf.all.rp_filter: + match_output: '1' + tag: CIS-3.2.7 + - net.ipv4.conf.default.rp_filter: + match_output: '1' + tag: CIS-3.2.7 + description: Ensure Reverse Path Filtering is enabled tcp_syn_cookies: data: - Red Hat Enterprise Linux Server-6: - - net.ipv4.tcp_syncookies: - match_output: '1' - tag: CIS-3.2.8 + 'Red Hat Enterprise Linux Server-6': + - net.ipv4.tcp_syncookies: + match_output: '1' + tag: CIS-3.2.8 description: Ensure TCP SYN Cookies is enabled + + +grep: + whitelist: + disable_mount_cramfs: + data: + Red Hat Enterprise Linux Server-6: + - /etc/modprobe.d: + match_output: /bin/true + pattern: cramfs + grep_args: + - '-r' + tag: CIS-1.1.1.1 + description: Ensure mounting of cramfs filesystems is disabled + disable_mount_freevxfs: + data: + Red Hat Enterprise Linux Server-6: + - /etc/modprobe.d: + match_output: /bin/true + pattern: freevxfs + grep_args: + - '-r' + tag: CIS-1.1.1.2 + description: Ensure mounting of freevxfs filesystems is disabled + disable_mount_jffs2: + data: + Red Hat Enterprise Linux Server-6: + - /etc/modprobe.d: + match_output: /bin/true + pattern: jffs2 + grep_args: + - 
'-r' + tag: CIS-1.1.1.3 + description: Ensure mounting of jffs2 filesystems is disabled + disable_mount_hfs: + data: + Red Hat Enterprise Linux Server-6: + - /etc/modprobe.d: + match_output: /bin/true + pattern: hfs + grep_args: + - '-r' + tag: CIS-1.1.1.4 + description: Ensure mounting of hfs filesystems is disabled + disable_mount_hfsplus: + data: + Red Hat Enterprise Linux Server-6: + - /etc/modprobe.d: + match_output: /bin/true + pattern: hfsplus + grep_args: + - '-r' + tag: CIS-1.1.1.5 + description: Ensure mounting of hfsplus filesystems is disabled + disable_mount_squashfs: + data: + Red Hat Enterprise Linux Server-6: + - /etc/modprobe.d: + match_output: /bin/true + pattern: squashfs + grep_args: + - '-r' + tag: CIS-1.1.1.6 + description: Ensure mounting of squashfs filesystems is disabled + disable_mount_udf: + data: + Red Hat Enterprise Linux Server-6: + - /etc/modprobe.d: + match_output: /bin/true + pattern: udf + grep_args: + - '-r' + tag: CIS-1.1.1.7 + description: Ensure mounting of udf filesystems is disabled + disable_mount_fat: + data: + Red Hat Enterprise Linux Server-6: + - /etc/modprobe.d: + match_output: /bin/true + pattern: vfat + grep_args: + - '-r' + tag: CIS-1.1.1.8 + description: Ensure mounting of FAT filesystems is disabled + fstab_tmp_partition_nodev: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/fstab': + tag: CIS-1.1.3 + pattern: '/tmp' + match_output: 'nodev' + description: Ensure nodev option set on /tmp partition + + fstab_var_tmp_partition_nodev: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/fstab': + tag: CIS-1.1.8 + pattern: '/var/tmp' + match_output: 'nodev' + description: Ensure nodev option set on /var/tmp partition + + fstab_var_tmp_partition_nosuid: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/fstab': + tag: CIS-1.1.9 + pattern: '/var/tmp' + match_output: 'nosuid' + description: Ensure nosuid option set on /var/tmp partition + + fstab_tmp_partition_nosuid: + data: + 'Red Hat Enterprise Linux 
Server-6': + - '/etc/fstab': + tag: CIS-1.1.4 + pattern: '/tmp' + match_output: 'nosuid' + description: Ensure nosuid option set on /tmp partition + + fstab_tmp_partition_noexec: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/fstab': + tag: CIS-1.1.5 + pattern: '/tmp' + match_output: 'noexec' + description: Ensure noexec option set on /tmp partition + + fstab_home_partition_nodev: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/fstab': + tag: CIS-1.1.14 + pattern: '/home' + match_output: 'nodev' + description: Ensure nodev option set on /home partition + + fstab_dev_shm_partition_nodev: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/fstab': + tag: CIS-1.1.15 + pattern: '/dev/shm' + match_output: 'nodev' + description: Ensure nodev option set on /dev/shm partition + + fstab_dev_shm_partition_nosuid: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/fstab': + tag: CIS-1.1.16 + pattern: '/dev/shm' + match_output: 'nosuid' + description: Ensure nosuid option set on /dev/shm partition + + fstab_dev_shm_partition_noexec: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/fstab': + tag: CIS-1.1.17 + pattern: '/dev/shm' + match_output: 'noexec' + description: Ensure noexec option set on /dev/shm partition + + fstab_var_tmp_partition_noexec: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/fstab': + tag: CIS-1.1.10 + pattern: '/var/tmp' + match_output: 'noexec' + description: Ensure noexec option set on /var/tmp partition + + activate_gpg_check: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/yum.conf': + tag: CIS-1.2.3 + pattern: 'gpgcheck' + match_output: 'gpgcheck=1' + description: Ensure gpgcheck is globally activated + + boot_loader_passwd: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/grub.conf': + tag: CIS-1.4.2 + pattern: '^password' + description: Ensure bootloader password is set + + restrict_core_dumps: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/security/limits.conf': + tag: 
CIS-1.5.1 + pattern: 'hard core' + description: Ensure core dumps are restricted + + configure_ntp: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/ntp.conf': + tag: CIS-2.2.1.2 + pattern: 'restrict default' + - '/etc/ntp.conf': + tag: CIS-2.2.1.2 + pattern: 'restrict -6 default' + - '/etc/ntp.conf': + tag: CIS-2.2.1.2 + pattern: '^server' + - '/etc/sysconfig/ntpd': + tag: CIS-2.2.1.2 + pattern: 'ntp:ntp' + description: Ensure ntp is configured + + rsyslog_default_file_permissions: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/rsyslog.conf': + tag: CIS-4.2.1.3 + pattern: "^\\$FileCreateMode" + match_output: '$FileCreateMode 0640' + description: Ensure rsyslog default file permissions configured + + rsyslog_remote_logging: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/rsyslog.conf': + tag: CIS-4.2.1.4 + pattern: "^*.*[^I][^I]*@" + description: Ensure rsyslog is configured to send logs to a remote log host + + sshd_protocol_2: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/ssh/sshd_config': + tag: CIS-5.2.2 + pattern: "^Protocol" + match_output: 'Protocol 2' + description: Ensure SSH Protocol is set to 2 + + sshd_loglevel_info: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/ssh/sshd_config': + tag: CIS-5.2.3 + pattern: "^LogLevel" + match_output: 'LogLevel INFO' + description: Ensure SSH LogLevel is set to INFO + + sshd_x11_forwarding: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/ssh/sshd_config': + tag: CIS-5.2.4 + pattern: "^X11Forwarding" + match_output: 'X11Forwarding no' + description: Ensure SSH X11 forwarding is disabled + + sshd_max_auth_retries: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/ssh/sshd_config': + tag: CIS-5.2.5 + pattern: "^MaxAuthTries" + match_output: "MaxAuthTries 4" + description: Ensure SSH MaxAuthTries is set to 4 or less + + sshd_ignore_rhosts: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/ssh/sshd_config': + tag: CIS-5.2.6 + pattern: "^IgnoreRhosts" + 
match_output: "IgnoreRhosts yes" + description: Ensure SSH IgnoreRhosts is enabled + + sshd_hostbased_auth: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/ssh/sshd_config': + tag: CIS-5.2.7 + pattern: "^HostbasedAuthentication" + match_output: "HostbasedAuthentication no" + description: Ensure SSH HostbasedAuthentication is disabled + + sshd_disable_root_login: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/ssh/sshd_config': + tag: CIS-5.2.8 + pattern: "^PermitRootLogin" + match_output: "PermitRootLogin no" + description: Ensure SSH root login is disabled + + sshd_permit_empty_passwords: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/ssh/sshd_config': + tag: CIS-5.2.9 + pattern: "^PermitEmptyPasswords" + match_output: "PermitEmptyPasswords no" + description: Ensure SSH PermitEmptyPasswords is disabled + + sshd_permit_user_environment: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/ssh/sshd_config': + tag: CIS-5.2.10 + pattern: "^PermitUserEnvironment" + match_output: "PermitUserEnvironment no" + description: Ensure SSH PermitUserEnvironment is disabled + + sshd_approved_cipher: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/ssh/sshd_config': + tag: CIS-5.2.11 + pattern: "Ciphers" + match_output: "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$" + match_output_regex: True + description: Ensure only approved ciphers are used + + sshd_approved_mac: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/ssh/sshd_config': + tag: CIS-5.2.12 + pattern: "MACs" + match_output: "MACs hmac-sha2-512,hmac-sha2-256" + description: Ensure only approved MAC algorithms are used + + sshd_idle_timeout: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/ssh/sshd_config': + tag: CIS-5.2.13 + pattern: "^ClientAliveInterval" 
+ match_output: "ClientAliveInterval 300" + - '/etc/ssh/sshd_config': + tag: CIS-5.2.13 + pattern: "^ClientAliveCountMax" + match_output: "ClientAliveCountMax 0" + description: Ensure SSH Idle Timeout Interval is configured + + sshd_login_grace: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/ssh/sshd_config': + tag: CIS-5.2.14 + pattern: "LoginGraceTime" + match_output: "LoginGraceTime 60" + description: Ensure SSH LoginGraceTime is set to one minute or less + + sshd_limit_access: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/ssh/sshd_config': + tag: CIS-5.2.15 + pattern: '(^AllowUsers)|(^AllowGroups)|(^DenyUsers)|(^DenyGroups)' + grep_args: + - '-E' + description: Ensure SSH access is limited + + sshd_banner: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/ssh/sshd_config': + tag: CIS-5.2.16 + pattern: "^Banner" + description: Ensure SSH warning banner is configured + + # NOTE: Need to update this entry to reflect your organization's password policy + limit_password_reuse: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/pam.d/system-auth': + tag: CIS-5.3.3 + pattern: "pam_unix.so" + match_output: "remember=5" # number of passwords to remember + description: Ensure password reuse is limited + + limit_su_command_access: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/pam.d/su': + tag: CIS-5.6 + pattern: "pam_wheel.so" + match_output: "use_uid" # number of passwords to remember + - '/etc/group': + tag: CIS-5.6 + pattern: "wheel" + description: Ensure access to the su command is restricted + + passwd_expiration_days: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/login.defs': + tag: CIS-5.4.1.1 + pattern: "PASS_MAX_DAYS" + match_output: "90" + description: Ensure password expiration is 90 days or less + + passwd_change_min_days: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/login.defs': + tag: CIS-5.4.1.2 + pattern: "PASS_MIN_DAYS" + match_output: "7" + description: Ensure minimum days between 
password changes is 7 or more + + passwd_expiry_warning: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/login.defs': + tag: CIS-5.4.1.3 + pattern: "PASS_WARN_AGE" + match_output: "7" + description: Ensure password expiration warning days is 7 or more + + default_umask: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/bashrc': + tag: CIS-5.4.4 + pattern: "^umask 077" + - '/etc/profile': + tag: CIS-5.4.4 + pattern: "^umask 077" + description: Ensure default user umask is 027 or more restrictive + + blacklist: + legacy_passwd_entries_passwd: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/passwd': + tag: CIS-6.2.2 + pattern: "^+:" + description: Ensure no legacy "+" entries exist in /etc/passwd + + legacy_passwd_entries_shadow: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/shadow': + tag: CIS-6.2.3 + pattern: "^+:" + description: Ensure no legacy "+" entries exist in /etc/shadow + + legacy_passwd_entries_group: + data: + 'Red Hat Enterprise Linux Server-6': + - '/etc/group': + tag: CIS-6.2.4 + pattern: "^+:" + description: Ensure no legacy "+" entries exist in /etc/group + +service: + whitelist: + rsyslogd_running: + data: + 'Red Hat Enterprise Linux Server-6': + - rsyslog: CIS-4.2.1.1 + description: Ensure rsyslog Service is enabled + crond_running: + data: + Red Hat Enterprise Linux Server-6: + - crond: CIS-5.1.1 + description: Ensure cron daemon is enabled \ No newline at end of file diff --git a/hubblestack_nova_profiles/cis/rhels-7-level-1-scored-v1-0-0.yaml b/hubblestack_nova_profiles/cis/rhels-7-level-1-scored-v1-0-0.yaml new file mode 100644 index 0000000..e751107 --- /dev/null +++ b/hubblestack_nova_profiles/cis/rhels-7-level-1-scored-v1-0-0.yaml 
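Review bot: the rewritten `passwd_own` entry lists `uid: 0` twice and has no `gid`, so the duplicate key collapses on load and group ownership of `/etc/passwd` is never checked; the second `uid: 0` under `group: 'root'` should read `gid: 0`, matching `shadow_own`, `gshadow_own` and `group_own`. Two further logic points in the same hunk: `default_umask` greps for `^umask 077` while its description says "027 or more restrictive", so a host set to exactly the benchmark's 027 fails (use `grep_args: ['-E']` with a pattern such as `^umask 0?[2-7]7`, or list both values); and deleting the `restrict_suid_core_dumps` sysctl entry leaves CIS-1.5.1 covered only by the `hard core` grep in `/etc/security/limits.conf`, so `fs.suid_dumpable = 0` is no longer audited although the `restrict_core_dumps` description still claims the whole control. The `*_own` and `*_perm` entries tagged CIS-6.1.6 through CIS-6.1.9 carry descriptions for the backup files (`/etc/passwd-`, `/etc/shadow-`, `/etc/group-`, `/etc/gshadow-`) but check the live files; either the path or the tag and description is wrong, and this was carried over from the old entries rather than fixed. Several new checks pin an exact value where the description allows a range (`MaxAuthTries 4`, `LoginGraceTime 60`, `ClientAliveInterval 300`, `PASS_MAX_DAYS` 90, `PASS_MIN_DAYS` 7, `PASS_WARN_AGE` 7, `remember=5`), so a stricter setting reports as a failure, and because `match_output` without `match_output_regex` is a substring test, `remember=5` also accepts `remember=50`; `sshd_approved_mac` is likewise order-sensitive even though the neighbouring cipher check enumerates every ordering via regex. Smaller items: the `# number of passwords to remember` comment was pasted onto `use_uid` in `limit_su_command_access` and should be dropped; the banner check now covers only `/etc/issue`, with the `/etc/motd` and `/etc/issue.net` stat entries removed rather than moved under their own benchmark items; `warning_banner-issue` is the only key using a hyphen; and the `Red Hat Enterprise Linux Server-6` key is quoted in most new entries but bare in the `disable_mount_*` grep and `service` blocks.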
@@ -0,0 +1,795 @@ +# NOTE: This CIS Profile only includes Level 1 Scored Items for Red Hat Enterprise Linux Server-7. +# NOTE: Within this file, there are a few sections that should be tailored to your +# organization's specific policy. Search for '# NOTE: ' comments through the file. + +# TODO: Checks that aren't implemented yet: +# 1.1.17 +# 1.2.1 +# 2.1.12-18 +# 3.16 +# 5.1.4 +# 6.1.10 +# 6.3.1 +# 6.3.2 +# 7.2 +# 7.3 +# 7.5 +# 8.2 +# 9.1.11 +# 9.1.12 +# 9.2.1 +# 9.2.5-20 + + +grep: + blacklist: + legacy_passwd_entries_group: + data: + Red Hat Enterprise Linux Server-7: + - /etc/group: + pattern: '^+:' + tag: CIS-9.2.4 + description: Verify No Legacy "+" Entries Exist in /etc/group File + legacy_passwd_entries_passwd: + data: + Red Hat Enterprise Linux Server-7: + - /etc/passwd: + pattern: '^+:' + tag: CIS-9.2.2 + description: Verify No Legacy "+" Entries Exist in /etc/passwd File + legacy_passwd_entries_shadow: + data: + Red Hat Enterprise Linux Server-7: + - /etc/shadow: + pattern: '^+:' + tag: CIS-9.2.3 + description: Verify No Legacy "+" Entries Exist in /etc/shadow File + whitelist: + activate_gpg_check: + data: + Red Hat Enterprise Linux Server-7: + - /etc/yum.conf: + match_output: gpgcheck=1 + pattern: gpgcheck + tag: CIS-1.2.2 + description: Verify that gpgcheck is Globally Activated + boot_loader_passwd: + data: + Red Hat Enterprise Linux Server-7: + - /boot/grub2/grub.cfg: + pattern: ^password + tag: CIS-1.5.3 + description: Set Boot Loader Password + configure_ntp: + data: + Red Hat Enterprise Linux Server-7: + - /etc/ntp.conf: + pattern: restrict default + tag: CIS-3.6 + - /etc/ntp.conf: + pattern: restrict -6 default + tag: CIS-3.6 + - '/etc/ntp.conf': + tag: 'CIS-3.6' + pattern: '^server' + - '/etc/sysconfig/ntpd': + tag: 'CIS-3.6' + pattern: 'ntp:ntp' + description: Configure Network Time Protocol (NTP) + default_umask: + data: + Red Hat Enterprise Linux Server-7: + - /etc/bashrc: + pattern: ^umask 077 + tag: CIS-7.4 + - /etc/profile.d/*: + 
pattern: ^umask 077 + tag: CIS-7.4 + description: Set Default umask for Users + fstab_dev_shm_partition_nodev: + data: + Red Hat Enterprise Linux Server-7: + - /etc/fstab: + match_output: nodev + pattern: /dev/shm + tag: CIS-1.1.14 + description: Add nodev Option to /dev/shm Partition + fstab_dev_shm_partition_noexec: + data: + Red Hat Enterprise Linux Server-7: + - /etc/fstab: + match_output: noexec + pattern: /dev/shm + tag: CIS-1.1.16 + description: Add noexec Option to /dev/shm Partition + fstab_dev_shm_partition_nosuid: + data: + Red Hat Enterprise Linux Server-7: + - /etc/fstab: + match_output: nosuid + pattern: /dev/shm + tag: CIS-1.1.15 + description: Add nosuid Option to /dev/shm Partition + fstab_home_partition: + data: + Red Hat Enterprise Linux Server-7: + - /etc/fstab: + pattern: /home + tag: CIS-1.1.9 + description: Create Separate Partition for /home + fstab_home_partition_nodev: + data: + Red Hat Enterprise Linux Server-7: + - /etc/fstab: + match_output: nodev + pattern: /home + tag: CIS-1.1.10 + description: Add nodev Option to /home + fstab_tmp_partition: + data: + Red Hat Enterprise Linux Server-7: + - /etc/fstab: + pattern: /tmp + tag: CIS-1.1.1 + description: Create Separate Partition for /tmp + fstab_tmp_partition_nodev: + data: + Red Hat Enterprise Linux Server-7: + - /etc/fstab: + match_output: nodev + pattern: /tmp + tag: CIS-1.1.2 + description: Set nodev option for /tmp Partition + fstab_tmp_partition_noexec: + data: + Red Hat Enterprise Linux Server-7: + - /etc/fstab: + match_output: noexec + pattern: /tmp + tag: CIS-1.1.4 + description: Set noexec option for /tmp Partition + fstab_tmp_partition_nosuid: + data: + Red Hat Enterprise Linux Server-7: + - /etc/fstab: + match_output: nosuid + pattern: /tmp + tag: CIS-1.1.3 + description: Set nosuid option for /tmp Partition + fstab_var_log_audit_partition: + data: + Red Hat Enterprise Linux Server-7: + - /etc/fstab: + pattern: /var/log/audit + tag: CIS-1.1.8 + description: Create Separate 
Partition for /var/log/audit + fstab_var_log_partition: + data: + Red Hat Enterprise Linux Server-7: + - /etc/fstab: + pattern: /var/log + tag: CIS-1.1.7 + description: Create Separate Partition for /var/log + fstab_var_partition: + data: + Red Hat Enterprise Linux Server-7: + - /etc/fstab: + pattern: /var + tag: CIS-1.1.5 + description: Create Separate Partition for /var + fstab_var_tmp_bind_mount: + data: + Red Hat Enterprise Linux Server-7: + - /etc/fstab: + match_output: /var/tmp + pattern: /tmp + tag: CIS-1.1.6 + description: Bind Mount the /var/tmp directory to /tmp + limit_password_reuse: + data: + Red Hat Enterprise Linux Server-7: + - /etc/pam.d/system-auth: + match_output: remember=5 + pattern: pam_unix.so + tag: CIS-6.3.4 + description: Limit Password Reuse + limit_su_command_access: + data: + Red Hat Enterprise Linux Server-7: + - /etc/pam.d/su: + match_output: use_uid + pattern: pam_wheel.so + tag: CIS-6.5 + - /etc/group: + pattern: wheel + tag: CIS-6.5 + description: Restrict Access to the su Command + pam_cracklib_try_first_pass: + data: {} + description: PAM cracklib policy + passwd_change_min_days: + data: + Red Hat Enterprise Linux Server-7: + - /etc/login.defs: + match_output: '7' + pattern: PASS_MIN_DAYS + tag: CIS-7.1.2 + description: Set Password Change Minimum Number of Days + passwd_expiration_days: + data: + Red Hat Enterprise Linux Server-7: + - /etc/login.defs: + match_output: '90' + pattern: PASS_MAX_DAYS + tag: CIS-7.1.1 + description: Set Password Expiration Days + passwd_expiry_warning: + data: + Red Hat Enterprise Linux Server-7: + - /etc/login.defs: + match_output: '7' + pattern: PASS_WARN_AGE + tag: CIS-7.1.3 + description: Set Password Expiring Warning Days + restrict_core_dumps: + data: + Red Hat Enterprise Linux Server-7: + - /etc/security/limits.conf: + pattern: hard core + tag: CIS-1.6.1 + description: Restrict Core Dumps + rsyslog_remote_logging: + data: + Red Hat Enterprise Linux Server-7: + - /etc/rsyslog.conf: + pattern: 
^*.*[^I][^I]*@ + tag: CIS-5.1.5 + description: Configure rsyslog to Send Logs to a Remote Log Host + set_daemon_umask: + data: + Red Hat Enterprise Linux Server-7: + - /etc/sysconfig/init: + match_output: umask 027 + pattern: umask + tag: CIS-3.1 + description: Set Daemon umask + sshd_approved_cipher: + data: + Red Hat Enterprise Linux Server-7: + - /etc/ssh/sshd_config: + match_output: '^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$' + match_output_regex: True + pattern: Ciphers + tag: CIS-6.2.11 + description: Use Only Approved Cipher in Counter Mode + sshd_banner: + data: + Red Hat Enterprise Linux Server-7: + - /etc/ssh/sshd_config: + pattern: ^Banner + tag: CIS-6.2.14 + description: Set SSH Banner + sshd_disable_root_login: + data: + Red Hat Enterprise Linux Server-7: + - /etc/ssh/sshd_config: + match_output: PermitRootLogin no + pattern: ^PermitRootLogin + tag: CIS-6.2.8 + description: Disable SSH Root Login + sshd_hostbased_auth: + data: + Red Hat Enterprise Linux Server-7: + - /etc/ssh/sshd_config: + match_output: HostbasedAuthentication no + pattern: ^HostbasedAuthentication + tag: CIS-6.2.7 + description: Set SSH HostbasedAuthentication to No + sshd_idle_timeout: + data: + Red Hat Enterprise Linux Server-7: + - /etc/ssh/sshd_config: + match_output: ClientAliveInterval 300 + pattern: ^ClientAliveInterval + tag: CIS-6.2.12 + - /etc/ssh/sshd_config: + match_output: ClientAliveCountMax 0 + pattern: ^ClientAliveCountMax + tag: CIS-6.2.12 + description: Set Idle Timeout Interval for User Login + sshd_ignore_rhosts: + data: + Red Hat Enterprise Linux Server-7: + - /etc/ssh/sshd_config: + match_output: IgnoreRhosts yes + pattern: ^IgnoreRhosts + tag: CIS-6.2.6 + description: Set SSH IgnoreRhosts to Yes + sshd_limit_access: + data: + Red Hat Enterprise 
Linux Server-7: + - /etc/ssh/sshd_config: + pattern: ^AllowUsers + tag: CIS-6.2.13 + - /etc/ssh/sshd_config: + pattern: ^AllowGroups + tag: CIS-6.2.13 + - /etc/ssh/sshd_config: + pattern: ^DenyUsers + tag: CIS-6.2.13 + - /etc/ssh/sshd_config: + pattern: ^DenyGroups + tag: CIS-6.2.13 + description: Limit Access via SSH + sshd_loglevel_info: + data: + Red Hat Enterprise Linux Server-7: + - /etc/ssh/sshd_config: + match_output: LogLevel INFO + pattern: ^LogLevel + tag: CIS-6.2.2 + description: Set LogLevel to INFO + sshd_max_auth_retries: + data: + Red Hat Enterprise Linux Server-7: + - /etc/ssh/sshd_config: + match_output: MaxAuthTries 4 + pattern: ^MaxAuthTries + tag: CIS-6.2.5 + description: Set SSH MaxAuthTries to 4 or Less + sshd_permit_empty_passwords: + data: + Red Hat Enterprise Linux Server-7: + - /etc/ssh/sshd_config: + match_output: PermitEmptyPasswords no + pattern: ^PermitEmptyPasswords + tag: CIS-6.2.9 + description: Set SSH PermitEmptyPasswords to No + sshd_permit_user_environment: + data: + Red Hat Enterprise Linux Server-7: + - /etc/ssh/sshd_config: + match_output: PermitUserEnvironment no + pattern: ^PermitUserEnvironment + tag: CIS-6.2.10 + description: Do Not Allow Users to Set Environment Options + sshd_protocol_2: + data: + Red Hat Enterprise Linux Server-7: + - /etc/ssh/sshd_config: + match_output: Protocol 2 + pattern: ^Protocol + tag: CIS-6.2.1 + description: Set SSH Protocol to 2 + sshd_x11_forwarding: + data: + Red Hat Enterprise Linux Server-7: + - /etc/ssh/sshd_config: + match_output: X11Forwarding no + pattern: ^X11Forwarding + tag: CIS-6.2.4 + description: Disable SSH X11 Forwarding +pkg: + blacklist: + avahi-daemon: + data: + Red Hat Enterprise Linux Server-7: + - avahi-daemon: CIS-3.3 + description: Disable Avahi Server + dhcp: + data: + Red Hat Enterprise Linux Server-7: + - dhcp: CIS-3.5 + description: Remove DHCP Server + nis-client: + data: + Red Hat Enterprise Linux Server-7: + - ypbind: CIS-2.1.5 + description: Remove NIS Client 
+ nis-server: + data: + Red Hat Enterprise Linux Server-7: + - ypserv: CIS-2.1.6 + description: Remove NIS Server + rsh-client: + data: + Red Hat Enterprise Linux Server-7: + - rsh: CIS-2.1.4 + description: Remove rsh + rsh-server: + data: + Red Hat Enterprise Linux Server-7: + - rsh-server: CIS-2.1.3 + description: Remove rsh-server + talk-client: + data: + Red Hat Enterprise Linux Server-7: + - talk: CIS-2.1.9 + description: Remove talk + talk-server: + data: + Red Hat Enterprise Linux Server-7: + - talk-server: CIS-2.1.10 + description: Remove talk-server + telnet-client: + data: + Red Hat Enterprise Linux Server-7: + - telnet: CIS-2.1.2 + description: Remove telnet Clients + telnet-server: + data: + Red Hat Enterprise Linux Server-7: + - telnet-server: CIS-2.1.1 + description: Remove telnet-server + tftp-client: + data: + Red Hat Enterprise Linux Server-7: + - tftp: CIS-2.1.7 + description: Remove tftp + tftp-server: + data: + Red Hat Enterprise Linux Server-7: + - tftp-server: CIS-2.1.8 + description: Remove tftp-server + xorg-x11-server-common: + data: + Red Hat Enterprise Linux Server-7: + - xorg-x11-server-common: CIS-3.2 + description: Remove the X Window System + whitelist: + anacron: + data: + Red Hat Enterprise Linux Server-7: + - cronie-anacron: CIS-6.1.1 + description: Enable anacron Daemon + firewalld: + data: + Red Hat Enterprise Linux Server-7: + - firewalld: CIS-4.7 + description: Enable firewalld + iptables: + data: {} + description: Install IPtables + rsyslog: + data: + Red Hat Enterprise Linux Server-7: + - rsyslog: CIS-5.1.1 + description: Install the rsyslog package +stat: + anacrontab: + data: + Red Hat Enterprise Linux Server-7: + - /etc/anacrontab: + gid: 0 + group: root + mode: 600 + tag: CIS-6.1.3 + uid: 0 + user: root + description: Set User/Group Owner and Permission on /etc/anacrontab + at_cron_allow: + data: + Red Hat Enterprise Linux Server-7: + - /etc/cron.deny: + gid: null + group: null + mode: null + tag: CIS-6.1.11 + uid: null + 
user: null + - /etc/at.deny: + gid: null + group: null + mode: null + tag: CIS-6.1.11 + uid: null + user: null + - /etc/cron.allow: + gid: 0 + group: root + mode: 600 + tag: CIS-6.1.11 + uid: 0 + user: root + - /etc/at.allow: + gid: 0 + group: root + mode: 600 + tag: CIS-6.1.11 + uid: 0 + user: root + description: Restrict at/cron to Authorized Users + cron_d: + data: + Red Hat Enterprise Linux Server-7: + - /etc/cron.d: + gid: 0 + group: root + mode: 700 + tag: CIS-6.1.9 + uid: 0 + user: root + description: Set User/Group Owner and Permission on /etc/cron.d + cron_daily: + data: + Red Hat Enterprise Linux Server-7: + - /etc/cron.daily: + gid: 0 + group: root + mode: 700 + tag: CIS-6.1.6 + uid: 0 + user: root + description: Set User/Group Owner and Permission on /etc/cron.daily + cron_hourly: + data: + Red Hat Enterprise Linux Server-7: + - /etc/cron.hourly: + gid: 0 + group: root + mode: 700 + tag: CIS-6.1.5 + uid: 0 + user: root + description: Set User/Group Owner and Permission on /etc/cron.hourly + cron_monthly: + data: + Red Hat Enterprise Linux Server-7: + - /etc/cron.monthly: + gid: 0 + group: root + mode: 700 + tag: CIS-6.1.8 + uid: 0 + user: root + description: Set User/Group Owner and Permission on /etc/cron.monthly + cron_weekly: + data: + Red Hat Enterprise Linux Server-7: + - /etc/cron.weekly: + gid: 0 + group: root + mode: 700 + tag: CIS-6.1.7 + uid: 0 + user: root + description: Set User/Group Owner and Permission on /etc/cron.weekly + crontab: + data: + Red Hat Enterprise Linux Server-7: + - /etc/crontab: + gid: 0 + group: root + mode: 600 + tag: CIS-6.1.4 + uid: 0 + user: root + description: Set User/Group Owner and Permission on /etc/crontab + group_own: + data: + Red Hat Enterprise Linux Server-7: + - /etc/group: + gid: 0 + group: root + tag: CIS-9.1.9 + uid: 0 + user: root + description: Verify User/Group Ownership on /etc/group + group_perm: + data: + Red Hat Enterprise Linux Server-7: + - /etc/group: + mode: 644 + tag: CIS-9.1.5 + description: 
Verify Permissions on /etc/group + grub_conf_own: + data: + Red Hat Enterprise Linux Server-7: + - /boot/grub2/grub.cfg: + gid: 0 + group: root + tag: CIS-1.5.1 + uid: 0 + user: root + description: Set User/Group Owner on /boot/grub2/grub.cfg + grub_conf_perm: + data: + Red Hat Enterprise Linux Server-7: + - /boot/grub2/grub.cfg: + mode: 600 + tag: CIS-1.5.2 + description: Set Permissions on /boot/grub2/grub.cfg + gshadow_own: + data: + Red Hat Enterprise Linux Server-7: + - /etc/gshadow: + gid: 0 + group: root + tag: CIS-9.1.8 + uid: 0 + user: root + description: Verify User/Group Ownership on /etc/gshadow + gshadow_perm: + data: + Red Hat Enterprise Linux Server-7: + - /etc/gshadow: + mode: 0 + tag: CIS-9.1.4 + description: Verify Permissions on /etc/gshadow + hosts_allow: + data: + Red Hat Enterprise Linux Server-7: + - /etc/hosts.allow: + mode: 644 + tag: CIS-4.5.3 + description: Verify Permissions on /etc/hosts.allow + hosts_deny: + data: + Red Hat Enterprise Linux Server-7: + - /etc/hosts.deny: + mode: 644 + tag: CIS-4.5.5 + description: Verify Permissions on /etc/hosts.deny + passwd_own: + data: + Red Hat Enterprise Linux Server-7: + - /etc/passwd: + group: root + tag: CIS-9.1.6 + uid: 0 + user: root + description: Verify User/Group Ownership on /etc/passwd + passwd_perm: + data: + Red Hat Enterprise Linux Server-7: + - /etc/passwd: + mode: 644 + tag: CIS-9.1.2 + description: Verify Permissions on /etc/passwd + shadow_perm: + data: + Red Hat Enterprise Linux Server-7: + - /etc/shadow: + mode: 0 + tag: CIS-9.1.3 + description: Verify Permissions on /etc/shadow + shadow_own: + data: + Red Hat Enterprise Linux Server-7: + - /etc/shadow: + gid: 0 + group: root + tag: CIS-9.1.7 + uid: 0 + user: root + description: Verify User/Group Ownership on /etc/shadow + sshd_config: + data: + Red Hat Enterprise Linux Server-7: + - /etc/ssh/sshd_config: + gid: 0 + group: root + mode: 600 + tag: CIS-6.2.3 + uid: 0 + user: root + description: Set Permissions on 
/etc/ssh/sshd_config + warning_banner: + data: + Red Hat Enterprise Linux Server-7: + - /etc/motd: + gid: 0 + group: root + mode: 644 + tag: CIS-8.1 + uid: 0 + user: root + - /etc/issue: + gid: 0 + group: root + mode: 644 + tag: CIS-8.1 + uid: 0 + user: root + - /etc/issue.net: + gid: 0 + group: root + mode: 644 + tag: CIS-8.1 + uid: 0 + user: root + description: Set Warning Banner for Standard Login Services +sysctl: + bad_error_message_protection: + data: + Red Hat Enterprise Linux Server-7: + - net.ipv4.icmp_ignore_bogus_error_responses: + match_output: '1' + tag: CIS-4.2.6 + description: Enable Bad Error Message Protection + exec_shield: + data: {} + description: Configure ExecShield + icmp_redirect_acceptance: + data: + Red Hat Enterprise Linux Server-7: + - net.ipv4.conf.all.accept_redirects: + match_output: '0' + tag: CIS-4.2.2 + - net.ipv4.conf.default.accept_redirects: + match_output: '0' + tag: CIS-4.2.2 + description: Disable ICMP Redirect Acceptance + ignore_broadcast_requests: + data: + Red Hat Enterprise Linux Server-7: + - net.ipv4.icmp_echo_ignore_broadcasts: + match_output: '1' + tag: CIS-4.2.5 + description: Enable Ignore Broadcast Requests + ip_forwarding: + data: + Red Hat Enterprise Linux Server-7: + - net.ipv4.ip_forward: + match_output: '0' + tag: CIS-4.1.1 + description: Disable IP Forwarding + log_suspicious_packets: + data: + Red Hat Enterprise Linux Server-7: + - net.ipv4.conf.all.log_martians: + match_output: '1' + tag: CIS-4.2.4 + - net.ipv4.conf.default.log_martians: + match_output: '1' + tag: CIS-4.2.4 + description: Log Suspicious Packets + randomize_va_space: + data: + Red Hat Enterprise Linux Server-7: + - kernel.randomize_va_space: + match_output: '2' + tag: CIS-1.6.2 + description: Enable Randomized Virtual Memory Region Placement + restrict_suid_core_dumps: + data: {} + description: Restrict SUID Core Dumps + send_packet_redirect: + data: + Red Hat Enterprise Linux Server-7: + - net.ipv4.conf.all.send_redirects: + match_output: 
'0' + tag: CIS-4.1.2 + - net.ipv4.conf.default.send_redirects: + match_output: '0' + tag: CIS-4.1.2 + description: Disable Send Packet Redirects + source_routed_packet_acceptance: + data: + Red Hat Enterprise Linux Server-7: + - net.ipv4.conf.all.accept_source_route: + match_output: '0' + tag: CIS-4.2.1 + - net.ipv4.conf.default.accept_source_route: + match_output: '0' + tag: CIS-4.2.1 + description: Disable Source Routed Packet Acceptance + tcp_syn_cookies: + data: + Red Hat Enterprise Linux Server-7: + - net.ipv4.tcp_syncookies: + match_output: '1' + tag: CIS-4.2.8 + description: Enable TCP SYN Cookies +service: + whitelist: + rsyslogd_running: + data: + Red Hat Enterprise Linux Server-7: + - rsyslog: CIS-5.1.2 + description: Activate the rsyslog Service + crond_running: + data: + Red Hat Enterprise Linux Server-7: + - crond: CIS-6.1.2 + description: Enable crond Daemon diff --git a/hubblestack_nova_profiles/cis/rhels-7-level-1-scored-v2-1-0.yaml b/hubblestack_nova_profiles/cis/rhels-7-level-1-scored-v2-1-0.yaml index c0e3e04..d9db08d 100644 --- a/hubblestack_nova_profiles/cis/rhels-7-level-1-scored-v2-1-0.yaml +++ b/hubblestack_nova_profiles/cis/rhels-7-level-1-scored-v2-1-0.yaml @@ -1,3 +1,21 @@ +# NOTE: This CIS Profile only includes Level 1 Scored Items for Red Hat Enterprise Linux Server 7 +# NOTE: Within this file, there are a few sections that should be tailored to your +# organization's specific policy. Search for '# NOTE: ' comments through the file. + +# TODO: Checks that aren't implemented yet: +# 1.1.21 +# 1.7.1.1 +# 1.7.2 +# 3.6.5 +# 4.2.4 +# 5.4.2 +# 5.4.3 +# 6.1.10-12 +# 6.2.1 +# 6.2.5-19 + + + grep: blacklist: legacy_passwd_entries_group: 
@@ -48,62 +66,62 @@ grep: description: Ensure bootloader password is set chargen_disabled: data: - Red Hat Enterprise Server-7: + Red Hat Enterprise Linux Server-7: - /etc/xinetd.d/chargen-dgram: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.1 - /etc/xinetd.d/chargen-stream: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.1 description: Ensure chargen services are not enabled daytime_disabled: data: - Red Hat Enterprise Server-7: + Red Hat Enterprise Linux Server-7: - /etc/xinetd.d/daytime-dgram: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.2 - /etc/xinetd.d/daytime-stream: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.2 description: Ensure daytime services are not enabled discard_disabled: data: - Red Hat Enterprise Server-7: + Red Hat Enterprise Linux Server-7: - /etc/xinetd.d/discard-dgram: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.3 - /etc/xinetd.d/discard-stream: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.3 description: Ensure discard services are not enabled echo_disabled: data: - Red Hat Enterprise Server-7: + Red Hat Enterprise Linux Server-7: - /etc/xinetd.d/echo-dgram: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.4 - /etc/xinetd.d/echo-stream: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.4 description: Ensure echo services are not enabled time_disabled: data: - Red Hat Enterprise Server-7: + Red Hat Enterprise Linux Server-7: - /etc/xinetd.d/time-dgram: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.5 - /etc/xinetd.d/time-stream: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.5 description: Ensure time services are not enabled configure_ntp: 
@@ -235,6 +253,30 @@ grep: - '-r' tag: CIS-1.1.1.8 description: Ensure mounting of FAT filesystems is disabled + fstab_var_tmp_partition_nodev: + data: + Red Hat Enterprise Linux Server-7: + - /etc/fstab: + match_output: nodev + pattern: /var/tmp + tag: CIS-1.1.8 + description: Ensure nodev option set on /var/tmp partition + fstab_var_tmp_partition_nosuid: + data: + Red Hat Enterprise Linux Server-7: + - /etc/fstab: + match_output: nosuid + pattern: /var/tmp + tag: CIS-1.1.9 + description: Ensure nosuid option set on /var/tmp partition + fstab_var_tmp_partition_noexec: + data: + Red Hat Enterprise Linux Server-7: + - /etc/fstab: + match_output: noexec + pattern: /var/tmp + tag: CIS-1.1.10 + description: Ensure noexec option set on /var/tmp partition fstab_dev_shm_partition_nodev: data: Red Hat Enterprise Linux Server-7: @@ -465,7 +507,8 @@ grep: data: Red Hat Enterprise Linux Server-7: - /etc/ssh/sshd_config: - match_output: 'aes256-ctr,aes192-ctr,aes128-ctr' + match_output: '^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$' + match_output_regex: True pattern: Ciphers tag: CIS-5.2.11 description: Ensure only approved ciphers are used @@ -619,7 +662,7 @@ pkg: description: Ensure DHCP Server is not enabled slapd: data: - Red Hat Entetrprise Linux Server-7: + Red Hat Enterprise Linux Server-7: - openldap-servers: CIS-2.2.6 description: Ensure LDAP server is not enabled ftp: @@ -650,6 +693,11 @@ pkg: Red Hat Enterprise Linux Server-7: - rsh: CIS-2.3.2 description: Ensure rsh client is not installed + tftp-server2: + data: + Red Hat Enterprise Linux Server-7: + - tftp-server: CIS-2.1.6 + description: Ensure tftp server is not enabled talk-client: data: Red Hat Enterprise Linux Server-7: 
@@ -675,11 +723,6 @@ pkg: Red Hat Enterprise Linux Server-7: - tftp-server: CIS-2.2.20 description: Ensure tftp server is not enabled - tftp: - data: - Red Hat Enterprise Linux Server-7: - - tftp: CIS-2.2.20 - description: Ensure tftp server is not enabled xinetd: data: Red Hat Enterprise Linux Server-7: @@ -706,9 +749,6 @@ pkg: Red Hat Enterprise Linux Server-7: - aide: CIS-1.3.1 description: Ensure AIDE is installed - firewalld: - data: {} - description: Enable firewalld (Scored) tcp_wrappers: data: Red Hat Enterprise Linux Server-7: @@ -717,7 +757,7 @@ pkg: iptables: data: Red Hat Enterprise Linux Server-7: - - iptables: CIS-3.6.1_installed + - iptables: CIS-3.6.1 description: Ensure iptables is installed syslog: data: @@ -763,7 +803,7 @@ service: description: Ensure HTTP server is not enabled pop3_imap: data: - Red Hat Enterprise LInux Server-7: + Red Hat Enterprise Linux Server-7: - dovecot: CIS-2.2.11 description: Ensure IMAP and POP3 server is not enabled samba: @@ -782,31 +822,21 @@ service: - snmpd: CIS-2.2.14 description: Ensure SNMP Server is not enabled whitelist: - auditd_running: - data: - Red Hat Enterprise Linux Server-7: - - auditd: CIS-4.1.1.1_running - description: auditd should be running - crond_running: - data: - Red Hat Enterprise Linux Server-7: - - crond: CIS-5.1.1_running - description: Ensure cron daemon is enabled - iptables_running: - data: - Red Hat Enterprise Linux Server-7: - - iptables: CIS-3.6.1_running - description: Ensure iptables is installed rsyslogd_running: data: Red Hat Enterprise Linux Server-7: - - rsyslog: CIS-4.2.1.1_running + - rsyslog: CIS-4.2.1.1 description: Ensure rsyslog Service is enabled syslog-ng_running: data: Red Hat Enterprise Linux Server-7: - - syslog-ng: CIS-4.2.2.1_running + - syslog-ng: CIS-4.2.2.1 description: Ensure syslog-ng service is enabled + crond_running: + data: + Red Hat Enterprise Linux Server-7: + - crond: CIS-5.1.1 + description: Ensure cron daemon is enabled stat: at_cron_allow: data: 
@@ -1034,17 +1064,6 @@ stat: uid: 0 user: root description: Ensure permissions on /etc/ssh/sshd_config are configured - warning_banner_motd: - data: - Red Hat Enterprise Linux Server-7: - - /etc/motd: - gid: 0 - group: root - mode: 644 - tag: CIS-1.7.1.4 - uid: 0 - user: root - description: Ensure permissions on /etc/motd are configured warning_banner_issue: data: Red Hat Enterprise Linux Server-7: @@ -1056,17 +1075,6 @@ stat: uid: 0 user: root description: Ensure permissions on /etc/issue are configured - warning_banner_issue.net: - data: - Red Hat Enterprise Linux Server-7: - - /etc/issue.net: - gid: 0 - group: root - mode: 644 - tag: CIS-1.7.1.6 - uid: 0 - user: root - description: Ensure permissions on /etc/issue.net are configured sysctl: bad_error_message_protection: data: diff --git a/hubblestack_nova_profiles/cis/rhelw-7-level-1-scored-v2-1-0.yaml b/hubblestack_nova_profiles/cis/rhelw-7-level-1-scored-v2-1-0.yaml index 5f4a038..ddcc64e 100644 --- a/hubblestack_nova_profiles/cis/rhelw-7-level-1-scored-v2-1-0.yaml +++ b/hubblestack_nova_profiles/cis/rhelw-7-level-1-scored-v2-1-0.yaml @@ -1,3 +1,21 @@ +# NOTE: This CIS Profile only includes Level 1 Scored Items for Red Hat Enterprise Linux Workstation 7 +# NOTE: Within this file, there are a few sections that should be tailored to your +# organization's specific policy. Search for '# NOTE: ' comments through the file. + +# TODO: Checks that aren't implemented yet: +# 1.1.21 +# 1.7.1.1 +# 1.7.2 +# 3.6.5 +# 4.2.4 +# 5.4.2 +# 5.4.3 +# 6.1.10-12 +# 6.2.1 +# 6.2.5-19 + + + grep: blacklist: legacy_passwd_entries_group: 
@@ -48,62 +66,62 @@ grep: description: Ensure bootloader password is set chargen_disabled: data: - Red Hat Enterprise Server-7: + Red Hat Enterprise Linux Workstation-7: - /etc/xinetd.d/chargen-dgram: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.1 - /etc/xinetd.d/chargen-stream: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.1 description: Ensure chargen services are not enabled daytime_disabled: data: - Red Hat Enterprise Server-7: + Red Hat Enterprise Linux Workstation-7: - /etc/xinetd.d/daytime-dgram: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.2 - /etc/xinetd.d/daytime-stream: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.2 description: Ensure daytime services are not enabled discard_disabled: data: - Red Hat Enterprise Server-7: + Red Hat Enterprise Linux Workstation-7: - /etc/xinetd.d/discard-dgram: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.3 - /etc/xinetd.d/discard-stream: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.3 description: Ensure discard services are not enabled echo_disabled: data: - Red Hat Enterprise Server-7: + Red Hat Enterprise Linux Workstation-7: - /etc/xinetd.d/echo-dgram: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.4 - /etc/xinetd.d/echo-stream: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.4 description: Ensure echo services are not enabled time_disabled: data: - Red Hat Enterprise Server-7: + Red Hat Enterprise Linux Workstation-7: - /etc/xinetd.d/time-dgram: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.5 - /etc/xinetd.d/time-stream: pattern: disable - match_output: yes + match_output: 'yes' tag: CIS-2.1.5 description: Ensure time services are not enabled configure_ntp: 
@@ -225,6 +243,30 @@ grep: - '-r' tag: CIS-1.1.1.7 description: Ensure mounting of udf filesystems is disabled + fstab_var_tmp_partition_nodev: + data: + Red Hat Enterprise Linux Workstation-7: + - /etc/fstab: + match_output: nodev + pattern: /var/tmp + tag: CIS-1.1.8 + description: Ensure nodev option set on /var/tmp partition + fstab_var_tmp_partition_nosuid: + data: + Red Hat Enterprise Linux Workstation-7: + - /etc/fstab: + match_output: nosuid + pattern: /var/tmp + tag: CIS-1.1.9 + description: Ensure nosuid option set on /var/tmp partition + fstab_var_tmp_partition_noexec: + data: + Red Hat Enterprise Linux Workstation-7: + - /etc/fstab: + match_output: noexec + pattern: /var/tmp + tag: CIS-1.1.10 + description: Ensure noexec option set on /var/tmp partition fstab_dev_shm_partition_nodev: data: Red Hat Enterprise Linux Workstation-7: @@ -455,7 +497,8 @@ grep: data: Red Hat Enterprise Linux Workstation-7: - /etc/ssh/sshd_config: - match_output: 'aes256-ctr,aes192-ctr,aes128-ctr' + match_output: '^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$' + match_output_regex: True pattern: Ciphers tag: CIS-5.2.11 description: Ensure only approved ciphers are used @@ -596,7 +639,7 @@ pkg: data: Red Hat Enterprise Linux Workstation-7: - avahi-daemon: CIS-2.2.3 - description: Ensure Avahi Server is not enabledj + description: Ensure Avahi Server is not enabled dhcp: data: Red Hat Enterprise Linux Workstation-7: @@ -604,7 +647,7 @@ pkg: description: Ensure DHCP Server is not enabled slapd: data: - Red Hat Entetrprise Linux Workstation-7: + Red Hat Enterprise Linux Workstation-7: - openldap-servers: CIS-2.2.6 description: Ensure LDAP server is not enabled ftp: 
@@ -628,13 +671,18 @@ pkg: rsh: data: Red Hat Enterprise Linux Workstation-7: - - rsh-server: CIS-2.1.6 + - rsh-server: CIS-2.2.17 description: Ensure rsh server is not enabled rsh: data: Red Hat Enterprise Linux Workstation-7: - rsh: CIS-2.3.2 description: Ensure rsh client is not installed + tftp-server2: + data: + Red Hat Enterprise Linux Workstation-7: + - tftp-server: CIS-2.1.6 + description: Ensure tftp server is not enabled talk-client: data: Red Hat Enterprise Linux Workstation-7: @@ -643,7 +691,7 @@ pkg: talk-server: data: Red Hat Enterprise Linux Workstation-7: - - talk-server: CIS-2.1.7 + - talk-server: CIS-2.2.18 description: Ensure talk server is not enabled telnet-client: data: @@ -653,27 +701,22 @@ pkg: telnet-server: data: Red Hat Enterprise Linux Workstation-7: - - telnet-server: CIS-2.1.8 + - telnet-server: CIS-2.2.19 description: Ensure telnet server is not enabled tftp-server: data: Red Hat Enterprise Linux Workstation-7: - - tftp-server: CIS-2.1.9 - description: Ensure tftp server is not enabled - tftp: - data: - Red Hat Enterprise Linux Workstation-7: - - tftp: CIS-2.1.9 + - tftp-server: CIS-2.2.20 description: Ensure tftp server is not enabled xinetd: data: Red Hat Enterprise Linux Workstation-7: - - xinetd: CIS-2.1.11 + - xinetd: CIS-2.1.7 description: Ensure xinetd is not enabled xorg-x11-server-common: data: Red Hat Enterprise Linux Workstation-7: - - xorg-x11-server-common: CIS-2.1.11 + - xorg-x11-server-common: CIS-2.1.7 description: Ensure xinetd is not enabled prelink: data: @@ -691,9 +734,6 @@ pkg: Red Hat Enterprise Linux Workstation-7: - aide: CIS-1.3.1 description: Ensure AIDE is installed - firewalld: - data: {} - description: Enable firewalld (Scored) tcp_wrappers: data: Red Hat Enterprise Linux Workstation-7: @@ -702,7 +742,7 @@ pkg: iptables: data: Red Hat Enterprise Linux Workstation-7: - - iptables: CIS-3.6.1_installed + - iptables: CIS-3.6.1 description: Ensure iptables is installed syslog: data: 
@@ -719,7 +759,7 @@ service: rsync: data: Red Hat Enterprise Linux Workstation-7: - - rsyncd: CIS-2.1.10 + - rsyncd: CIS-2.2.21 description: Ensure rsync service is not enabled nfs: data: @@ -762,31 +802,21 @@ service: - snmpd: CIS-2.2.14 description: Ensure SNMP Server is not enabled whitelist: - auditd_running: - data: - Red Hat Enterprise Linux Workstation-7: - - auditd: CIS-4.1.1.1_running - description: auditd should be running - crond_running: - data: - Red Hat Enterprise Linux Workstation-7: - - crond: CIS-5.1.1_running - description: Ensure cron daemon is enabled - iptables_running: - data: - Red Hat Enterprise Linux Workstation-7: - - iptables: CIS-3.6.1_running - description: Ensure iptables is installed rsyslogd_running: data: Red Hat Enterprise Linux Workstation-7: - - rsyslog: CIS-4.2.1.1_running + - rsyslog: CIS-4.2.1.1 description: Ensure rsyslog Service is enabled syslog-ng_running: data: Red Hat Enterprise Linux Workstation-7: - - syslog-ng: CIS-4.2.2.1_running + - syslog-ng: CIS-4.2.2.1 description: Ensure syslog-ng service is enabled + crond_running: + data: + Red Hat Enterprise Linux Workstation-7: + - crond: CIS-5.1.1 + description: Ensure cron daemon is enabled stat: at_cron_allow: data: @@ -1014,17 +1044,6 @@ stat: uid: 0 user: root description: Ensure permissions on /etc/ssh/sshd_config are configured - warning_banner_motd: - data: - Red Hat Enterprise Linux Workstation-7: - - /etc/motd: - gid: 0 - group: root - mode: 644 - tag: CIS-1.7.1.4 - uid: 0 - user: root - description: Ensure permissions on /etc/motd are configured warning_banner_issue: data: Red Hat Enterprise Linux Workstation-7: 
@@ -1036,17 +1055,6 @@ stat: uid: 0 user: root description: Ensure permissions on /etc/issue are configured - warning_banner_issue.net: - data: - Red Hat Enterprise Linux Workstation-7: - - /etc/issue.net: - gid: 0 - group: root - mode: 644 - tag: CIS-1.7.1.6 - uid: 0 - user: root - description: Ensure permissions on /etc/issue.net are configured sysctl: bad_error_message_protection: data: diff --git a/hubblestack_nova_profiles/cis/ubuntu-1204-level-1-scored-v1-0-0.yaml b/hubblestack_nova_profiles/cis/ubuntu-1204-level-1-scored-v1-0-0.yaml new file mode 100644 index 0000000..e835401 --- /dev/null +++ b/hubblestack_nova_profiles/cis/ubuntu-1204-level-1-scored-v1-0-0.yaml 
@@ -0,0 +1,1025 @@ +# This is mostly a copy from the 14.04 profile, until we have time to do +# a proper profile + +grep: + whitelist: + fstab_dev_shm_partition_nodev: + data: + Ubuntu-12.04: + - /etc/fstab: + match_output: nodev + pattern: /dev/shm + tag: CIS-2.14 + description: Add nodev Option to /run/shm Partition + fstab_dev_shm_partition_noexec: + data: + Ubuntu-12.04: + - /etc/fstab: + match_output: noexec + pattern: /dev/shm + tag: CIS-2.16 + description: Add noexec Option to /run/shm Partition + fstab_dev_shm_partition_nosuid: + data: + Ubuntu-12.04: + - /etc/fstab: + match_output: nosuid + pattern: /dev/shm + tag: CIS-2.15 + description: Add nosuid Option to /run/shm Partition + fstab_home_partition: + data: + Ubuntu-12.04: + - /etc/fstab: + pattern: /home + tag: CIS-2.9 + description: Create Separate Partition for /home + fstab_home_partition_nodev: + data: + Ubuntu-12.04: + - /etc/fstab: + match_output: nodev + pattern: /home + tag: CIS-2.10 + description: Add nodev Option to /home + fstab_tmp_partition: + data: + Ubuntu-12.04: + - /etc/fstab: + pattern: /tmp + tag: CIS-2.1 + description: Create Separate Partition for /tmp + fstab_tmp_partition_nodev: + data: + Ubuntu-12.04: + - /etc/fstab: + match_output: nodev + pattern: /tmp + tag: CIS-2.2 + description: Set nodev option for /tmp Partition + fstab_tmp_partition_noexec: + data: + Ubuntu-12.04: + - /etc/fstab: + match_output: nosuid + pattern: /tmp + tag: CIS-2.4 + description: Set noexec option for /tmp Partition + fstab_tmp_partition_nosuid: + data: + Ubuntu-12.04: + - /etc/fstab: + match_output: nosuid + pattern: /tmp + tag: CIS-2.3 + description: Set nosuid option for /tmp Partition + fstab_var_log_audit_partition: + data: + Ubuntu-12.04: + - /etc/fstab: + pattern: /var/log/audit + tag: CIS-2.8 + description: Create Separate Partition for /var/log/audit + fstab_var_log_partition: + data: + Ubuntu-12.04: + - /etc/fstab: + pattern: /var/log + tag: CIS-2.7 + description: Create Separate Partition for 
/var/log + fstab_var_partition: + data: + Ubuntu-12.04: + - /etc/fstab: + pattern: /var + tag: CIS-2.5 + description: Create Separate Partition for /var + fstab_var_tmp_bind_mount: + data: + Ubuntu-12.04: + - /etc/fstab: + match_output: /var/tmp + pattern: /var + tag: CIS-2.6 + description: Bind Mount the /var/tmp directory to /tmp + grub_password: + data: + Ubuntu-12.04: + - /boot/grub/grub.cfg: + pattern: password + tag: CIS-3.3 + description: Set Boot Loader Password + core_hard_limit: + data: + Ubuntu-12.04: + - /etc/security/limits.conf: + match_output: '0' + pattern: hard core + tag: CIS-4.1 + description: Restrict Core Dumps + ntp_restrict_default: + data: + Ubuntu-12.04: + - /etc/ntp.conf: + pattern: '^restrict' + match_output: default + tag: CIS-6.5 + - /etc/ntp.conf: + pattern: restrict -6 default + tag: CIS-6.5 + - /etc/ntp.conf: + pattern: '^server' + tag: CIS-6.5 + - /etc/init.d/ntp: + pattern: RUNASUSER= + tag: CIS-6.5 + description: Configure Network Time Protocol (NTP) + local_mta: + data: + Ubuntu-12.04: + - /etc/postfix/main.cf: + pattern: '^inet_interfaces' + match_output: localhost + tag: CIS-6.15 + description: Configure Mail Transfer Agent for Local-Only Mode + rsync: + data: + Ubuntu-12.04: + - /etc/default/rsync: + pattern: ^RSYNC_ENABLE + match_output: 'false' + tag: CIS-6.16 + description: Ensure rsync service is not enabled + rsyslog_file_perms: + data: + Ubuntu-12.04: + - /etc/rsyslog.conf: + pattern: '^\$FileCreateMode' + match_output: '0640' + tag: CIS-8.2.4 + description: Create and Set Permissions on rsyslog Log Files + rsyslog_remote_logging: + data: + Ubuntu-12.04: + - /etc/rsyslog.conf: + pattern: ^*.*[^I][^I]*@ + tag: CIS-8.2.5 + description: Configure rsyslog to Send Logs to a Remote Log Host + pam_cracklib_settings: + data: + Ubuntu-12.04: + - /etc/pam.d/common-password: + pattern: pam_cracklib + match_output: 'retry=3' + tag: CIS-9.2.1 + - /etc/pam.d/common-password: + pattern: pam_cracklib + match_output: 'minlen=14' + tag: 
CIS-9.2.1 + - /etc/pam.d/common-password: + pattern: pam_cracklib + match_output: 'dcredit=-1' + tag: CIS-9.2.1 + - /etc/pam.d/common-password: + pattern: pam_cracklib + match_output: 'ucredit=-1' + tag: CIS-9.2.1 + - /etc/pam.d/common-password: + pattern: pam_cracklib + match_output: 'ocredit=-1' + tag: CIS-9.2.1 + - /etc/pam.d/common-password: + pattern: pam_cracklib + match_output: 'lcredit=-1' + tag: CIS-9.2.1 + description: Set Password Creation Requirement Parameters Using pam_cracklib + pam_password_reuse: + data: + Ubuntu-12.04: + - /etc/pam.d/common-password: + pattern: remember + match_output: 'remember=5' + tag: CIS-9.2.3 + description: Limit Password Reuse + ssh_version_2: + data: + Ubuntu-12.04: + - /etc/ssh/sshd_config: + pattern: Protocol + match_output: '2' + tag: CIS-9.3.1 + description: Set SSH Protocol to 2 + ssh_log_level: + data: + Ubuntu-12.04: + - /etc/ssh/sshd_config: + pattern: LogLevel + match_output: INFO + tag: CIS-9.3.2 + description: Set LogLevel to INFO + ssh_disable_xforward: + data: + Ubuntu-12.04: + - /etc/ssh/sshd_config: + pattern: XForwarding + match: 'no' + tag: CIS-9.3.4 + description: Disable SSH X11 Forwarding + ssh_auth_retries: + data: + Ubuntu-12.04: + - /etc/ssh/sshd_config: + pattern: MaxAuthTries + match: '4' + tag: CIS-9.3.5 + description: Set SSH MaxAuthTries to 4 or Less + ssh_ignore_rhosts: + data: + Ubuntu-12.04: + - /etc/ssh/sshd_config: + pattern: IgnoreRhosts + match: 'yes' + tag: CIS-9.3.6 + description: Set SSH IgnoreRhosts to Yes + ssh_hostbased_auth: + data: + Ubuntu-12.04: + - /etc/ssh/sshd_config: + pattern: HostbasedAuthentication + match: 'no' + tag: CIS-9.3.7 + description: Set SSH HostbasedAuthentication to No + ssh_permit_root: + data: + Ubuntu-12.04: + - /etc/ssh/sshd_config: + pattern: PermitRootLogin + match: 'no' + tag: CIS-9.3.8 + description: Disable SSH Root Login + ssh_permit_empty_pw: + data: + Ubuntu-12.04: + - /etc/ssh/sshd_config: + pattern: PermitEmptyPasswords + match: 'no' + tag: 
CIS-9.3.9 + description: Set SSH PermitEmptyPasswords to No + ssh_permit_user_env: + data: + Ubuntu-12.04: + - /etc/ssh/sshd_config: + pattern: PermitUserEnvironment + match: 'no' + tag: CIS-9.3.10 + description: Do Not Allow Users to Set Environment Options + ssh_restrict_cipher: + data: + Ubuntu-12.04: + - /etc/ssh/sshd_config: + pattern: Ciphers + match: '^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$' + match_output_regex: True + tag: CIS-9.3.11 + description: Use Only Approved Cipher in Counter Mode + ssh_idle_timeout: + data: + Ubuntu-12.04: + - /etc/ssh/sshd_config: + pattern: ClientAliveInterval + match: '300' + tag: CIS-9.3.12 + - /etc/ssh/sshd_config: + pattern: ClientAliveCountMax + match: 0 + tag: CIS-9.3.12 + description: Set Idle Timeout Interval for User Login + ssh_limit_access: + data: + Ubuntu-12.04: + - /etc/ssh/sshd_config: + pattern: AllowUsers + tag: CIS-9.3.13 + - /etc/ssh/sshd_config: + pattern: AllowGroups + tag: CIS-9.3.13 + - /etc/ssh/sshd_config: + pattern: DenyUsers + tag: CIS-9.3.13 + - /etc/ssh/sshd_config: + pattern: DenyGroups + tag: CIS-9.3.13 + description: Limit Access via SSH + ssh_set_banner: + data: + Ubuntu-12.04: + - /etc/sshd_conf: + pattern: Banner + match: issue + tag: CIS-9.3.14 + description: Set SSH Banner + limit_su_access: + data: + Ubuntu-12.04: + - /etc/pam.d/su: + pattern: pam_wheel.so + match_output: use_uid + tag: CIS-9.5 + - /etc/group: + pattern: wheel + tag: CIS-9.5 + description: Restrict Access to the su Command + password_max_days: + data: + Ubuntu-12.04: + - /etc/login.defs: + pattern: PASS_MAX_DAYS + match_output: '90' + tag: CIS-10.1.1 + description: Set Password Expiration Days + password_min_days: + data: + Ubuntu-12.04: + - /etc/login.defs: + pattern: PASS_MIN_DAYS + match_output: '7' + tag: 
CIS-10.1.2 + description: Set Password Change Minimum Number of Days + password_warn_days: + data: + Ubuntu-12.04: + - /etc/login.defs: + pattern: PASS_WARN_AGE + match_output: '7' + tag: CIS-10.1.3 + description: Set Password Expiring Warning Days + umask: + data: + Ubuntu-12.04: + - /etc/login.defs: + pattern: UMASK + match_output: '077' + tag: CIS-10.4 + description: Set Default umask for Users + blacklist: + root_passwd_set: + data: + Ubuntu-12.04: + - /etc/passwd: + pattern: '^root:[*\!]:' + tag: CIS-3.4 + description: Require Authentication for Single-User Mode + rsh_inet: + data: + Ubuntu-12.04: + - /etc/inetd.conf: + pattern: '^shell' + tag: CIS-5.1.2 + - /etc/inetd.conf: + pattern: '^login' + tag: CIS-5.1.2 + - /etc/inetd.conf: + pattern: '^exec' + tag: CIS-5.1.2 + description: Ensure rsh server is not enabled + talk: + data: + Ubuntu-12.04: + - /etc/inetd.conf: + pattern: '^talk' + tag: CIS-5.1.4 + - /etc/inetd.conf: + pattern: '^ntalk' + tag: CIS-5.1.4 + description: Ensure talk server is not enabled + telnet: + data: + Ubuntu-12.04: + - /etc/inetd.conf: + pattern: '^telnet' + tag: CIS-5.1.6 + description: Ensure Telnet Server is not Enabled + tftp: + data: + Ubuntu-12.04: + - /etc/inetd.conf: + pattern: '^tftp' + tag: CIS-5.1.7 + description: Ensure tftp-server is not enabled + chargen: + data: + Ubuntu-12.04: + - /etc/inetd.conf: + pattern: '^chargen' + tag: CIS-5.2 + description: Ensure Chargen is not Enabled + daytime: + data: + Ubuntu-12.04: + - /etc/inetd.conf: + pattern: '^daytime' + tag: CIS-5.3 + description: Ensure daytime is not Enabled + echo: + data: + Ubuntu-12.04: + - /etc/inetd.conf: + pattern: '^echo' + tag: CIS-5.4 + description: Ensure echo is not Enabled + discard: + data: + Ubuntu-12.04: + - /etc/inetd.conf: + pattern: '^discard' + tag: CIS-5.5 + description: Ensure discard is not Enabled + time: + data: + Ubuntu-12.04: + - /etc/inetd.conf: + pattern: '^time' + tag: CIS-5.6 + description: Ensure time is not Enabled + 
banner_os_info_motd: + data: + Ubuntu-12.04: + - /etc/motd: + pattern: '\v' + tag: CIS-11.2 + - /etc/motd: + pattern: '\r' + tag: CIS-11.2 + - /etc/motd: + pattern: '\m' + tag: CIS-11.2 + - /etc/motd: + pattern: '\s' + tag: CIS-11.2 + description: Remove OS Information from Login Warning Banners + banner_os_info_issue: + data: + Ubuntu-12.04: + - /etc/issue: + pattern: '\v' + tag: CIS-11.2 + - /etc/issue: + pattern: '\r' + tag: CIS-11.2 + - /etc/issue: + pattern: '\m' + tag: CIS-11.2 + - /etc/issue: + pattern: '\s' + tag: CIS-11.2 + description: Remove OS Information from Login Warning Banners + banner_os_info_issue_net: + data: + Ubuntu-12.04: + - /etc/issue.net: + pattern: '\v' + tag: CIS-11.2 + - /etc/issue.net: + pattern: '\r' + tag: CIS-11.2 + - /etc/issue.net: + pattern: '\m' + tag: CIS-11.2 + - /etc/issue.net: + pattern: '\s' + tag: CIS-11.2 + description: Remove OS Information from Login Warning Banners + legacy_entries_passwd: + data: + Ubuntu-12.04: + - /etc/passwd: + pattern: '^+' + tag: CIS-13.2 + description: Verify No Legacy "+" Entries Exist in /etc/passwd File + legacy_entries_shadow: + data: + Ubuntu-12.04: + - /etc/shadow: + pattern: '^+' + tag: CIS-13.3 + description: Verify No Legacy "+" Entries Exist in /etc/shadow File + legacy_entries_group: + data: + Ubuntu-12.04: + - /etc/group: + pattern: '^+' + tag: CIS-13.4 + description: Verify No Legacy "+" Entries Exist in /etc/group File + +service: + blacklist: + autofs: + data: + Ubuntu-12.04: + - autofs: CIS-2.25 + description: Disable Automounting + apport: + data: + Ubuntu-12.04: + - apport: CIS-4.1 + description: Restrict Core Dumps + whoopsie: + data: + Ubuntu-12.04: + - whoopsie: CIS-4.1 + description: Restrict Core Dumps + xinetd: + data: + Ubuntu-12.04: + - xinetd: CIS-5.1.8 + description: Ensure xinetd is not enabled + avahi_daemon: + data: + Ubuntu-12.04: + - avahi-daemon: CIS-6.2 + description: Ensure Avahi Server is not enabled + cups: + data: + Ubuntu-12.04: + - cups: CIS-6.3 + 
description: Ensure print server is not enabled + dhcp-server: + data: + Ubuntu-12.04: + - isc-dhcp-server: CIS-6.4 + description: Ensure DHCP Server is not enabled + whitelist: + rsyslog: + data: + Ubuntu-12.04: + - rsyslog: CIS-8.2.2 + description: Ensure the rsyslog Service is activated + cron: + data: + Ubuntu-12.04: + - cron: CIS-9.1.1 + description: Enable cron Daemon + +sysctl: + disable_suid_dumpable: + data: + Ubuntu-12.04: + - fs.suid_dumpable: + match_output: '0' + tag: CIS-4.1 + description: Restrict Core Dumps + randomize_va_space: + data: + Ubuntu-12.04: + - kernel.randomize_va_space: + match_output: '2' + tag: CIS-4.3 + description: Enable Randomized Virtual Memory Region Placement + disable_ip4_ip_forward: + data: + Ubuntu-12.04: + - net.ipv4.ip_forward: + match_output: '0' + tag: CIS-7.1.1 + description: Disable IP Forwarding + disable_packet_redirect: + data: + Ubuntu-12.04: + - net.ipv4.conf.all.send_redirects: + match_output: '0' + tag: CIS-7.1.2 + description: Disable Send Packet Redirects + disable_source_routed_packets: + data: + Ubuntu-12.04: + - net.ipv4.conf.all.accept_source_route: + match_output: '0' + tag: CIS-7.2.1 + description: Disable Source Routed Packet Acceptance + disable_icmp_redirect: + data: + Ubuntu-12.04: + - net.ipv4.conf.all.accept_redirects: + match_output: '0' + tag: CIS-7.2.2 + description: Disable ICMP Redirect Acceptance + disable_secure_icmp_redirect: + data: + Ubuntu-12.04: + - net.ipv4.conf.all.secure_redirects: + match_output: '0' + tag: CIS-7.2.3 + description: Disable Secure ICMP Redirect Acceptance + log_martians: + data: + Ubuntu-12.04: + - net.ipv4.conf.all.log_martians: + match_output: '1' + tag: CIS-7.2.4 + description: Log Suspicious Packets + ignore_broadcast: + data: + Ubuntu-12.04: + - net.ipv4.icmp_echo_ignore_broadcasts: + match_output: '1' + tag: CIS-7.2.5 + description: Enable Ignore Broadcast Requests + bogus_errors: + data: + Ubuntu-12.04: + - icmp_ignore_bogus_error_responses: + match_output: 
'1' + tag: CIS-7.2.6 + description: Enable Bad Error Message Protection + rp_filter: + data: + Ubuntu-12.04: + - net.ipv4.conf.all.rp_filter: + match_output: '1' + tag: CIS-7.2.7 + description: Enable RFC-recommended Source Route Validation + tcp_syncookies: + data: + Ubuntu-12.04: + - net.ipv4.tcp_syncookies: + match_output: '1' + tag: CIS-7.2.8 + description: Enable TCP SYN Cookies + +pkg: + blacklist: + prelink: + data: + Ubuntu-12.04: + - prelink: CIS-4.4 + description: Disable Prelink + nis: + data: + Ubuntu-12.04: + - nis: CIS-5.1.1 + description: Ensure NIS is not installed + talk: + data: + Ubuntu-12.04: + - talk: CIS-5.1.5 + description: Ensure Talk Client is not installed + xserver: + data: + Ubuntu-12.04: + - xserver-xorg-core\*: CIS-6.1 + description: Ensure the X Window system is not installed + biosdevname: + data: + Ubuntu-12.04: + - biosdevname: CIS-6.17 + description: Ensure biosdevname is not enabled + whitelist: + ntp: + data: + Ubuntu-12.04: + - ntp: CIS-6.5 + description: Configure Network Time Protocol (NTP) + tcpd: + data: + Ubuntu-12.04: + - tcpd: CIS-7.4.1 + description: Install TCP Wrappers + rsyslog: + data: + Ubuntu-12.04: + - rsyslog: CIS-8.2.1 + description: Install the rsyslog package + +stat: + grub_cfg_owner: + data: + Ubuntu-12.04: + - /boot/grub/grub.cfg: + gid: 0 + group: root + uid: 0 + user: root + tag: CIS-3.1 + description: Set User/Group Owner on bootloader config + grub_cfg_perms: + data: + Ubuntu-12.04: + - /boot/grub/grub.cfg: + mode: 600 + tag: CIS-3.2 + description: Set Permissions on bootloader config + hosts_allow_perms: + data: + Ubuntu-12.04: + - /etc/hosts.allow: + mode: 644 + tag: CIS-7.4.3 + description: Verify Permissions on /etc/hosts.allow + hosts_deny_perms: + data: + Ubuntu-12.04: + - /etc/hosts.deny: + mode: 644 + tag: CIS-7.4.5 + description: Verify Permissions on /etc/hosts.deny + crontab_own_perms: + data: + Ubuntu-12.04: + - /etc/crontab: + gid: 0 + group: root + uid: 0 + user: root + mode: 600 + tag: 
CIS-9.1.2 + description: Set User/Group Owner and Permission on /etc/crontab + cron_hourly_own_perms: + data: + Ubuntu-12.04: + - /etc/cron.hourly: + gid: 0 + group: root + uid: 0 + user: root + mode: 600 + tag: CIS-9.1.3 + description: Set User/Group Owner and Permission on /etc/cron.hourly + cron_daily_own_perms: + data: + Ubuntu-12.04: + - /etc/cron.daily: + gid: 0 + group: root + uid: 0 + user: root + mode: 600 + tag: CIS-9.1.4 + description: Set User/Group Owner and Permission on /etc/cron.daily + cron_weekly_own_perms: + data: + Ubuntu-12.04: + - /etc/cron.weekly: + gid: 0 + group: root + uid: 0 + user: root + mode: 600 + tag: CIS-9.1.5 + description: Set User/Group Owner and Permission on /etc/cron.weekly + cron_monthly_own_perms: + data: + Ubuntu-12.04: + - /etc/cron.monthly: + gid: 0 + group: root + uid: 0 + user: root + mode: 600 + tag: CIS-9.1.6 + description: Set User/Group Owner and Permission on /etc/cron.monthly + cron_d_own_perms: + data: + Ubuntu-12.04: + - /etc/cron.d: + gid: 0 + group: root + uid: 0 + user: root + mode: 700 + tag: CIS-9.1.7 + description: Set User/Group Owner and Permission on /etc/cron.d + at_cron_allow: + data: + Ubuntu-12.04: + - /etc/cron.deny: + gid: null + group: null + mode: null + tag: CIS-9.1.8 + uid: null + user: null + - /etc/at.deny: + gid: null + group: null + mode: null + tag: CIS-9.1.8 + uid: null + user: null + - /etc/cron.allow: + gid: 0 + group: root + mode: 600 + tag: CIS-9.1.8 + uid: 0 + user: root + - /etc/at.allow: + gid: 0 + group: root + mode: 600 + tag: CIS-9.1.8 + uid: 0 + user: root + description: Restrict at/cron to authorized users + sshd_config: + data: + Ubuntu-12.04: + - /etc/ssh/sshd_config: + uid: 0 + gid: 0 + user: root + group: root + mode: 600 + tag: CIS-9.3.3 + description: Set Permissions on /etc/ssh/sshd_config + banner_files: + data: + Ubuntu-12.04: + - /etc/motd: + uid: 0 + gid: 0 + user: root + group: root + mode: 644 + tag: CIS-11.1 + - /etc/issue: + uid: 0 + gid: 0 + user: root + 
group: root + mode: 644 + tag: CIS-11.1 + - /etc/issue.net: + uid: 0 + gid: 0 + user: root + group: root + mode: 644 + tag: CIS-11.1 + description: Set Warning Banner for Standard Login Services + passwd_perms: + data: + Ubuntu-12.04: + - /etc/passwd: + mode: 644 + tag: CIS-12.1 + description: Verify Permissions on /etc/passwd + shadow_perms: + data: + Ubuntu-12.04: + - /etc/shadow: + mode: 640 + tag: CIS-12.2 + description: Verify Permissions on /etc/shadow + group_perms: + data: + Ubuntu-12.04: + - /etc/group: + mode: 644 + tag: CIS-12.3 + description: Verify Permissions on /etc/group + passwd_owner_group: + data: + Ubuntu-12.04: + - /etc/passwd: + uid: 0 + gid: 0 + user: root + group: root + tag: CIS-12.4 + description: Verify User/Group Ownership on /etc/passwd + shadow_owner_group: + data: + Ubuntu-12.04: + - /etc/shadow: + uid: 0 + gid: 42 + user: root + group: shadow + tag: CIS-12.5 + description: Verify User/Group Ownership on /etc/shadow + group_user_group: + data: + Ubuntu-12.04: + - /etc/group: + uid: 0 + gid: 0 + user: root + group: root + tag: CIS-12.6 + description: Verify User/Group Ownership on /etc/group + +command: + rsh_client: + data: + Ubuntu-12.04: + tag: CIS-5.1.3 + commands: + - 'dpkg -s rsh-client': + match_output: is not installed + - 'dpkg -s rsh-redone-client': + match_output: is not installed + description: Ensure RSH Client is not Installed + ufw_active: + data: + Ubuntu-12.04: + tag: CIS-7.7 + commands: + - 'ufw status': + match_output: Status active + description: Ensure Firewall is active + disable_system_accts: + data: + Ubuntu-12.04: + tag: CIS-10.2 + commands: + - ? 
+ > + egrep -v "^\+" /etc/passwd | awk -F: '($1!="root" && $1!="sync" + && $1!="shutdown" && $1!="halt" && $3<500 + && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}' + : + shell: /bin/bash + fail_if_matched: true + description: Disable System Accounts + default_root_group: + data: + Ubuntu-12.04: + tag: CIS-10.3 + commands: + - 'grep "^root:" /etc/passwd | cut -f4 -d:': + match_output: '0' + description: Set Default Group for root Account + inactive_users: + data: + Ubuntu-12.04: + tag: CIS-10.5 + commands: + - 'useradd -D | grep INACTIVE': + match_output: '35' + description: Lock Inactive User Accounts + empty_passwd_field: + data: + Ubuntu-12.04: + tag: CIS-13.1 + commands: + - ? + > + cat /etc/shadow | /usr/bin/awk -F: '($2 == "" ) { print $1 }' + : + shell: /bin/bash + fail_if_matched: true + description: Ensure Password Fields are Not Empty + uid_zero_only_root: + data: + Ubuntu-12.04: + tag: CIS-13.5 + commands: + - ? + > + cat /etc/passwd | /usr/bin/awk -F: '($1!="root" && $3==0) { print $1 }' + : + shell: /bin/bash + fail_if_matched: true + description: Verify No UID 0 Accounts Exist Other Than root + root_path: + data: + Ubuntu-12.04: + tag: CIS-13.6 + commands: + - ? + |- + if [ "`echo $PATH | grep :: `" != "" ]; then + echo "Empty Directory in PATH (::)" + fi + if [ "`echo $PATH | grep :$`" != "" ]; then + echo "Trailing : in PATH" + fi + p=`echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g'` + set -- $p + while [ "$1" != "" ]; do + if [ "$1" = "." ]; then + echo "PATH contains ." 
+ shift + continue + fi + if [ -d $1 ]; then + dirperm=`ls -ldH $1 | cut -f1 -d" "` + if [ `echo $dirperm | cut -c6 ` != "-" ]; then + echo "Group Write permission set on directory $1" + fi + if [ `echo $dirperm | cut -c9 ` != "-" ]; then + echo "Other Write permission set on directory $1" + fi + dirown=`ls -ldH $1 | awk '{print $3}'` + if [ "$dirown" != "root" ] ; then + echo $1 is not owned by root + fi + else + echo $1 is not a directory + fi + shift + done + : + shell: /bin/bash + fail_if_matched: true + description: Ensure root PATH Integrity diff --git a/hubblestack_nova_profiles/cis/ubuntu-1404-level-1-scored-v1-0-0.yaml b/hubblestack_nova_profiles/cis/ubuntu-1404-level-1-scored-v1-0-0.yaml index fd794e7..2efda90 100644 --- a/hubblestack_nova_profiles/cis/ubuntu-1404-level-1-scored-v1-0-0.yaml +++ b/hubblestack_nova_profiles/cis/ubuntu-1404-level-1-scored-v1-0-0.yaml @@ -1,3 +1,29 @@ +# NOTE: This CIS Profile only includes Level 1 Scored Items for Ubuntu 14.04 +# NOTE: Within this file, there are a few sections that should be tailored to your +# organization's specific policy. Search for '# NOTE: ' comments through the file. + +# TODO: Checks that aren't implemented yet: +# 2.17 +# 2.25 +# 3.3 +# 5.1.4 +# 5.2-6 +# 6.16 +# 6.17 +# 8.2.2 +# 8.2.4 +# 9.1.1 +# 9.1.8 +# 10.2 +# 10.3 +# 10.5 +# 11.1 +# 11.2 +# 12.8 +# 12.9 +# 13.1 +# 13.5-20 + grep: whitelist: fstab_dev_shm_partition_nodev: @@ -275,7 +301,8 @@ grep: Ubuntu-14.04: - /etc/ssh/sshd_config: pattern: Ciphers - match: 'aes128-ctr,aes192-ctr,aes256-ctr' + match: '^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$' + match_output_regex: True tag: CIS-9.3.11 description: Use Only Approved Cipher in Counter Mode ssh_idle_timeout: 
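Review bot: several checks in the new Ubuntu 12.04 profile cannot match what they are meant to audit. `ssh_disable_xforward` greps `/etc/ssh/sshd_config` for `pattern: XForwarding`, but the sshd keyword is `X11Forwarding`, so the check never finds the line on a correctly configured host; `ssh_set_banner` points at `/etc/sshd_conf` instead of the `/etc/ssh/sshd_config` used by every other ssh entry; `root_passwd_set` blacklists `'^root:[*\!]:'` in `/etc/passwd`, where the password field is `x` on a shadowed system, so the locked-root marker it is looking for lives in `/etc/shadow`; and the `bogus_errors` sysctl key `icmp_ignore_bogus_error_responses` is missing its `net.ipv4.` prefix (the full key is `net.ipv4.icmp_ignore_bogus_error_responses`). Smaller points: the ssh entries alternate between `match:` and `match_output:` for the expected value, and in `ssh_restrict_cipher` the `match_output_regex: True` flag sits beside `match:` rather than `match_output:`, so confirm the grep module honors both keys or normalize to one; `ClientAliveCountMax` has an unquoted `match: 0` where every other value is a quoted string; the `legacy_entries_*` patterns `'^+'` should escape the plus (`'^\+'`, as the `disable_system_accts` command already does) so it cannot be read as a quantifier; and `/etc/cron.hourly` through `/etc/cron.monthly` are checked for `mode: 600` while `/etc/cron.d` uses `700`, yet the benchmark remediation for all of them is `chmod og-rwx`, which leaves a directory at 700, so the 600 entries would report a compliant host as failing.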
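Review bot: in the 14.04 `ssh_restrict_cipher` hunk, the new `match:` value enumerates all six orderings of the three ciphers as a `^Ciphers ...$` alternation, and the added `match_output_regex: True` flag is placed beside `match:` while the key the flag is named after is `match_output:`; confirm the grep module applies the regex flag to `match`, otherwise the whole alternation is compared as a literal string and the check fails everywhere. The `$` anchor also rejects a line with trailing whitespace or an inline comment, which the previous substring match tolerated, so a trailing `\s*$` would keep the old behaviour. The identical change appears in the 16.04 profile hunk below and the same applies there.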
diff --git a/hubblestack_nova_profiles/cis/ubuntu-1604-level-1-scored-v1-0-0.yaml b/hubblestack_nova_profiles/cis/ubuntu-1604-level-1-scored-v1-0-0.yaml index 36ba734..5db2fc2 100644 --- a/hubblestack_nova_profiles/cis/ubuntu-1604-level-1-scored-v1-0-0.yaml +++ b/hubblestack_nova_profiles/cis/ubuntu-1604-level-1-scored-v1-0-0.yaml @@ -278,7 +278,8 @@ grep: Ubuntu-16.04: - /etc/ssh/sshd_config: pattern: Ciphers - match: 'aes128-ctr,aes192-ctr,aes256-ctr' + match: '^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$' + match_output_regex: True tag: CIS-9.3.11 description: Use Only Approved Cipher in Counter Mode ssh_idle_timeout: @@ -626,7 +627,7 @@ sysctl: bogus_errors: data: Ubuntu-16.04: - - icmp_ignore_bogus_error_responses: + - net.ipv4.icmp_echo_ignore_bogus_error_responses: match_output: '1' tag: CIS-7.2.6 description: Enable Bad Error Message Protection diff --git a/hubblestack_nova_profiles/cis/windows-2008r2-level-1-scored-v3-0-0.yaml b/hubblestack_nova_profiles/cis/windows-2008r2-level-1-scored-v3-0-0.yaml index f8474c2..d454c2b 100644 --- a/hubblestack_nova_profiles/cis/windows-2008r2-level-1-scored-v3-0-0.yaml +++ b/hubblestack_nova_profiles/cis/windows-2008r2-level-1-scored-v3-0-0.yaml @@ -19,7 +19,7 @@ win_secedit: tag: CIS-1.1.1 match_output: '23' value_type: 'more' - description: (l1) ensure 'enforce password history' is set to '24 or more password(s)' + description: (L1) Ensure 'Enforce password history' is set to '24 or more password(s)' maximum_password_age: data: 'Microsoft Windows Server 2008*': 
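Review bot: the corrected sysctl key in the 16.04 `bogus_errors` hunk, `net.ipv4.icmp_echo_ignore_bogus_error_responses`, does not exist; the kernel parameter is `net.ipv4.icmp_ignore_bogus_error_responses` (the `icmp_echo_` spelling belongs to `icmp_echo_ignore_broadcasts`, the entry just above it), so CIS-7.2.6 still reads no value after this change. Drop the `echo_`, and apply the same prefix fix to the 12.04 profile added in this commit, which still carries the unprefixed `icmp_ignore_bogus_error_responses`.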
@@ -27,7 +27,7 @@ win_secedit: tag: CIS-1.1.2 match_output: '61' value_type: 'less' - description: (l1) ensure 'maximum password age' is set to '60 or fewer days, but not 0' + description: (L1) Ensure 'Maximum password age' is set to '60 or fewer days, but not 0' minimum_password_age: data: 'Microsoft Windows Server 2008*': @@ -35,7 +35,7 @@ win_secedit: tag: CIS-1.1.3 match_output: '1' value_type: 'more' - description: (l1) ensure 'minimum password age' is set to '1 or more day(s)' + description: (L1) Ensure 'Minimum password age' is set to '1 or more day(s)' minimum_password_length: data: 'Microsoft Windows Server 2008*': @@ -43,7 +43,7 @@ win_secedit: tag: CIS-1.1.4 match_output: '14' value_type: 'more' - description: (l1) ensure 'minimum password length' is set to '14 or more character(s)' + description: (L1) Ensure 'Minimum password length' is set to '14 or more character(s)' password_complexity: data: 'Microsoft Windows Server 2008*': @@ -51,7 +51,7 @@ win_secedit: tag: CIS-1.1.5 match_output: '1' value_type: 'equal' - description: (l1) ensure 'password must meet complexity requirements' is set to 'enabled' + description: (L1) Ensure 'Password must meet complexity requirements' is set to 'Enabled' reversible_encryption: data: 'Microsoft Windows Server 2008*': @@ -59,7 +59,7 @@ win_secedit: tag: CIS-1.1.6 match_output: '0' value_type: 'equal' - description: (l1) ensure 'store passwords using reversible encryption' is set to 'disabled' + description: (L1) Ensure 'Store passwords using reversible encryption' is set to 'Disabled' lockout_duration: data: 'Microsoft Windows Server 2008*': @@ -67,7 +67,7 @@ win_secedit: tag: CIS-1.2.1 match_output: '14' value_type: 'more' - description: (l1) ensure 'account lockout duration' is set to '15 or more minute(s)' + description: (L1) Ensure 'Account lockout duration' is set to '15 or more minute(s)' lockout_threshold: data: 'Microsoft Windows Server 2008*': 
@@ -75,7 +75,7 @@ win_secedit: tag: CIS-1.2.2 match_output: '11' value_type: 'less' - description: (l1) ensure 'account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' + description: (L1) Ensure 'Account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' reset_lockout_counter: data: 'Microsoft Windows Server 2008*': @@ -83,7 +83,7 @@ win_secedit: tag: CIS-1.2.3 match_output: '14' value_type: 'more' - description: (l1) ensure 'reset account lockout counter after' is set to '15 or more minute(s)' + description: (L1) Ensure 'Reset account lockout counter after' is set to '15 or more minute(s)' access_from_network: data: 'Microsoft Windows Server 2008*': @@ -91,7 +91,7 @@ win_secedit: tag: CIS-2.2.2 match_output: 'Administrators, Authenticated Users' value_type: 'account' - description: (l1) configure 'access this computer from the network' + description: (L1) configure 'access this computer from the network' adjust_memory_quotas: data: 'Microsoft Windows Server 2008*': @@ -99,7 +99,7 @@ win_secedit: tag: CIS-2.2.5 match_output: 'Administrators, LOCAL SERVICE, NETWORK SERVICE' value_type: 'match' - description: (l1) ensure 'adjust memory quotas for a process' is set to 'administrators, local service, network service' + description: (L1) Ensure 'Adjust Memory Quotas For A Process' is set to 'administrators, local service, network service' allow_logon_locally: data: 'Microsoft Windows Server 2008*': @@ -107,7 +107,7 @@ win_secedit: tag: CIS-2.2.6 match_output: 'Administrators' value_type: 'account' - description: (l1) configure 'allow log on locally' + description: (L1) configure 'allow log on locally' allow_log_on_through_remote_desktop_services : data: 'Microsoft Windows Server 2008*': 
@@ -115,7 +115,7 @@ win_secedit: tag: CIS-2.2.7 match_output: Administrators value_type: 'account' - description: (l1) configure 'allow log on through remote desktop services' + description: (L1) configure 'allow log on through remote desktop services' back_up_files_and_directories : data: 'Microsoft Windows Server 2008*': @@ -123,7 +123,7 @@ win_secedit: tag: CIS-2.2.8 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'back up files and directories' is set to 'administrators' + description: (L1) Ensure 'Back Up Files And Directories' is set to 'administrators' change_the_system_time : data: 'Microsoft Windows Server 2008*': @@ -131,7 +131,7 @@ win_secedit: tag: CIS-2.2.9 match_output: 'Administrators, LOCAL SERVICE' value_type: 'account' - description: (l1) ensure 'change the system time' is set to 'administrators, local service' + description: (L1) Ensure 'Change The System Time' is set to 'administrators, local service' change_the_time_zone : data: 'Microsoft Windows Server 2008*': @@ -139,7 +139,7 @@ win_secedit: tag: CIS-2.2.10 match_output: 'Administrators, LOCAL SERVICE' value_type: 'account' - description: (l1) ensure 'change the time zone' is set to 'administrators, local service' + description: (L1) Ensure 'Change The Time Zone' is set to 'administrators, local service' create_a_pagefile : data: 'Microsoft Windows Server 2008*': @@ -147,7 +147,7 @@ win_secedit: tag: CIS-2.2.11 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'create a pagefile' is set to 'administrators' + description: (L1) Ensure 'Create A Pagefile' is set to 'administrators' create_global_objects : data: 'Microsoft Windows Server 2008*': 
@@ -155,7 +155,7 @@ win_secedit: tag: CIS-2.2.13 match_output: 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' value_type: 'account' - description: (l1) ensure 'create global objects' is set to 'administrators, local service, network service, service' + description: (L1) Ensure 'Create Global Objects' is set to 'administrators, local service, network service, service' create_symbolic_links : data: 'Microsoft Windows Server 2008*': @@ -163,7 +163,7 @@ win_secedit: tag: CIS-2.2.15 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'create symbolic links' is set to 'administrators' + description: (L1) Ensure 'Create Symbolic Links' is set to 'administrators' debug_programs : data: 'Microsoft Windows Server 2008*': @@ -171,7 +171,7 @@ win_secedit: tag: CIS-2.2.16 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'debug programs' is set to 'administrators' + description: (L1) Ensure 'Debug Programs' is set to 'administrators' deny_access_to_this_computer_from_the_network : data: 'Microsoft Windows Server 2008*': @@ -179,7 +179,7 @@ win_secedit: tag: CIS-2.2.17 match_output: 'Guests' value_type: 'account' - description: (l1) ensure 'deny access to this computer from the network' to include 'guests' + description: (L1) Ensure 'Deny Access To This Computer From The Network' to include 'guests' deny_log_on_as_a_batch_job : data: 'Microsoft Windows Server 2008*': @@ -187,7 +187,7 @@ win_secedit: tag: CIS-2.2.18 match_output: 'Guests' value_type: 'account' - description: (l1) ensure 'deny log on as a batch job' to include 'guests' + description: (L1) Ensure 'Deny Log On As A Batch Job' to include 'guests' deny_log_on_as_a_service : data: 'Microsoft Windows Server 2008*': 
@@ -195,7 +195,7 @@ win_secedit: tag: CIS-2.2.19 match_output: 'Guests' value_type: 'account' - description: (l1) ensure 'deny log on as a service' to include 'guests' + description: (L1) Ensure 'Deny Log On As A Service' to include 'guests' deny_log_on_locally : data: 'Microsoft Windows Server 2008*': @@ -203,7 +203,7 @@ win_secedit: tag: CIS-2.2.20 match_output: 'Guests' value_type: 'account' - description: (l1) ensure 'deny log on locally' to include 'guests' + description: (L1) Ensure 'Deny Log On Locally' to include 'guests' deny_log_on_through_remote_desktop_services : data: 'Microsoft Windows Server 2008*': @@ -211,7 +211,7 @@ win_secedit: tag: CIS-2.2.21 match_output: 'Guests, LOCAL SERVICE' value_type: 'account' - description: (l1) ensure 'deny log on through remote desktop services' to include 'guests' + description: (L1) Ensure 'Deny Log On Through Remote Desktop Services' to include 'guests' force_shutdown_from_a_remote_system : data: 'Microsoft Windows Server 2008*': @@ -219,7 +219,7 @@ win_secedit: tag: CIS-2.2.23 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'force shutdown from a remote system' is set to 'administrators' + description: (L1) Ensure 'Force Shutdown From A Remote System' is set to 'administrators' generate_security_audits : data: 'Microsoft Windows Server 2008*': @@ -227,7 +227,7 @@ win_secedit: tag: CIS-2.2.24 match_output: 'LOCAL SERVICE, NETWORK SERVICE' value_type: 'account' - description: (l1) ensure 'generate security audits' is set to 'local service, network service' + description: (L1) Ensure 'Generate Security Audits' is set to 'local service, network service' impersonate_a_client_after_authentication : data: 'Microsoft Windows Server 2008*': 
@@ -235,7 +235,7 @@ win_secedit: tag: CIS-2.2.25 match_output: 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' value_type: 'account' - description: (l1) configure 'impersonate a client after authentication' + description: (L1) configure 'impersonate a client after authentication' increase_scheduling_priority : data: 'Microsoft Windows Server 2008*': @@ -243,7 +243,7 @@ win_secedit: tag: CIS-2.2.26 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'increase scheduling priority' is set to 'administrators' + description: (L1) Ensure 'Increase Scheduling Priority' is set to 'administrators' load_and_unload_device_drivers : data: 'Microsoft Windows Server 2008*': @@ -251,7 +251,7 @@ win_secedit: tag: CIS-2.2.27 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'load and unload device drivers' is set to 'administrators' + description: (L1) Ensure 'Load And Unload Device Drivers' is set to 'administrators' manage_auditing_and_security_log : data: 'Microsoft Windows Server 2008*': @@ -259,7 +259,7 @@ win_secedit: tag: CIS-2.2.30 match_output: '*S-1-5-32-544' #Administrators value_type: 'account' - description: (l1) configure 'manage auditing and security log' + description: (L1) configure 'manage auditing and security log' modify_firmware_environment_values : data: 'Microsoft Windows Server 2008*': @@ -267,7 +267,7 @@ win_secedit: tag: CIS-2.2.32 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'modify firmware environment values' is set to 'administrators' + description: (L1) Ensure 'Modify Firmware Environment Values' is set to 'administrators' perform_volume_maintenance_tasks : data: 'Microsoft Windows Server 2008*': 
@@ -275,7 +275,7 @@ win_secedit: tag: CIS-2.2.33 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'perform volume maintenance tasks' is set to 'administrators' + description: (L1) Ensure 'Perform Volume Maintenance Tasks' is set to 'administrators' profile_single_process : data: 'Microsoft Windows Server 2008*': @@ -283,7 +283,7 @@ win_secedit: tag: CIS-2.2.34 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'profile single process' is set to 'administrators' + description: (L1) Ensure 'Profile Single Process' is set to 'administrators' profile_system_performance : data: 'Microsoft Windows Server 2008*': @@ -291,7 +291,7 @@ win_secedit: tag: CIS-2.2.35 match_output: 'Administrators, NT SERVICE\WdiServiceHost' value_type: 'account' - description: (l1) ensure 'profile system performance' is set to 'administrators, nt service\wdiservicehost' + description: (L1) Ensure 'Profile System Performance' is set to 'administrators, nt service\wdiservicehost' replace_a_process_level_token : data: 'Microsoft Windows Server 2008*': @@ -299,7 +299,7 @@ win_secedit: tag: CIS-2.2.36 match_output: 'LOCAL SERVICE, NETWORK SERVICE' value_type: 'account' - description: (l1) ensure 'replace a process level token' is set to 'local service, network service' + description: (L1) Ensure 'Replace A Process Level Token' is set to 'local service, network service' restore_files_and_directories : data: 'Microsoft Windows Server 2008*': @@ -307,7 +307,7 @@ win_secedit: tag: CIS-2.2.37 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'restore files and directories' is set to 'administrators' + description: (L1) Ensure 'Restore Files And Directories' is set to 'administrators' shut_down_the_system : data: 'Microsoft Windows Server 2008*': 
@@ -315,7 +315,7 @@ win_secedit: tag: CIS-2.2.38 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'shut down the system' is set to 'administrators' + description: (L1) Ensure 'Shut Down The System' is set to 'administrators' take_ownership_of_files_or_other_objects : data: 'Microsoft Windows Server 2008*': @@ -323,7 +323,7 @@ win_secedit: tag: CIS-2.2.40 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'take ownership of files or other objects' is set to 'administrators' + description: (L1) Ensure 'Take Ownership Of Files Or Other Objects' is set to 'administrators' accounts_administrator_account_status : data: 'Microsoft Windows Server 2008*': @@ -331,7 +331,7 @@ win_secedit: tag: CIS-2.3.1.1 match_output: '0' value_type: 'equal' - description: (l1) ensure 'accounts - administrator account status' is set to 'disabled' + description: (L1) Ensure 'Accounts - Administrator Account Status' is set to 'Disabled' accounts_guest_account_status : data: 'Microsoft Windows Server 2008*': @@ -339,7 +339,7 @@ win_secedit: tag: CIS-2.3.1.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'accounts - guest account status' is set to 'disabled' + description: (L1) Ensure 'Accounts - Guest Account Status' is set to 'Disabled' accounts_limit_local_account_use_of_blank_passwords_to_console_logon_only : data: 'Microsoft Windows Server 2008*': @@ -347,7 +347,7 @@ win_secedit: tag: CIS-2.3.1.3 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'accounts - limit local account use of blank passwords to console logon only' is set to 'enabled' + description: (L1) Ensure 'Accounts - Limit Local Account Use Of Blank Passwords To Console Logon Only' is set to 'Enabled' audit_force_audit_policy_subcategory_settings_to_override_audit_policy_category_settings : data: 'Microsoft Windows Server 2008*': 
@@ -355,7 +355,7 @@ win_secedit: tag: CIS-2.3.2.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'audit - force audit policy subcategory settings (windows vista or later) to override audit policy category settings' is set to 'enabled' + description: (L1) Ensure 'Audit - Force Audit Policy Subcategory Settings (windows Vista Or Later) To Override Audit Policy Category Settings' is set to 'Enabled' audit_shut_down_system_immediately_if_unable_to_log_security_audits : data: 'Microsoft Windows Server 2008*': @@ -363,7 +363,7 @@ win_secedit: tag: CIS-2.3.2.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'audit - shut down system immediately if unable to log security audits' is set to 'disabled' + description: (L1) Ensure 'Audit - Shut Down System Immediately If Unable To Log Security Audits' is set to 'Disabled' devices_allowed_to_format_and_eject_removable_media : data: 'Microsoft Windows Server 2008*': @@ -371,7 +371,7 @@ win_secedit: tag: CIS-2.3.4.1 match_output: 'Administrators' value_type: 'equal' - description: (l1) ensure 'devices - allowed to format and eject removable media' is set to 'administrators' + description: (L1) Ensure 'Devices - Allowed To Format And Eject Removable Media' is set to 'administrators' devices_prevent_users_from_installing_printer_drivers : data: 'Microsoft Windows Server 2008*': @@ -379,7 +379,7 @@ win_secedit: tag: CIS-2.3.4.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'devices - prevent users from installing printer drivers' is set to 'enabled' + description: (L1) Ensure 'Devices - Prevent Users From Installing Printer Drivers' is set to 'Enabled' domain_member_digitally_encrypt_or_sign_secure_channel_data_ : data: 'Microsoft Windows Server 2008*': 
@@ -387,7 +387,7 @@ win_secedit: tag: CIS-2.3.6.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'domain member - digitally encrypt or sign secure channel data (always)' is set to 'enabled' + description: (L1) Ensure 'Domain Member - Digitally Encrypt Or Sign Secure Channel Data (always)' is set to 'Enabled' domain_member_digitally_encrypt_secure_channel_data : data: 'Microsoft Windows Server 2008*': @@ -395,7 +395,7 @@ win_secedit: tag: CIS-2.3.6.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'domain member - digitally encrypt secure channel data (when possible)' is set to 'enabled' + description: (L1) Ensure 'Domain Member - Digitally Encrypt Secure Channel Data (when Possible)' is set to 'Enabled' domain_member_digitally_sign_secure_channel_data : data: 'Microsoft Windows Server 2008*': @@ -403,7 +403,7 @@ win_secedit: tag: CIS-2.3.6.3 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'domain member - digitally sign secure channel data (when possible)' is set to 'enabled' + description: (L1) Ensure 'Domain Member - Digitally Sign Secure Channel Data (when Possible)' is set to 'Enabled' domain_member_disable_machine_account_password_changes : data: 'Microsoft Windows Server 2008*': @@ -411,7 +411,7 @@ win_secedit: tag: CIS-2.3.6.4 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'domain member - disable machine account password changes' is set to 'disabled' + description: (L1) Ensure 'Domain Member - Disable Machine Account Password Changes' is set to 'Disabled' domain_member_maximum_machine_account_password_age : data: 'Microsoft Windows Server 2008*': 
@@ -419,7 +419,7 @@ win_secedit: tag: CIS-2.3.6.5 match_output: '31' value_type: 'less' - description: (l1) ensure 'domain member - maximum machine account password age' is set to '30 or fewer days, but not 0' + description: (L1) Ensure 'Domain Member - Maximum Machine Account Password Age' is set to '30 or fewer days, but not 0' domain_member_require_strong_session_key : data: 'Microsoft Windows Server 2008*': @@ -427,7 +427,7 @@ win_secedit: tag: CIS-2.3.6.6 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'domain member - require strong (windows 2000 or later) session key' is set to 'enabled' + description: (L1) Ensure 'Domain Member - Require Strong (windows 2000 Or Later) Session Key' is set to 'Enabled' interactive_logon_do_not_display_last_user_name : data: 'Microsoft Windows Server 2008*': @@ -435,7 +435,7 @@ win_secedit: tag: CIS-2.3.7.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'interactive logon - do not display last user name' is set to 'enabled' + description: (L1) Ensure 'Interactive Logon - Do Not Display Last User Name' is set to 'Enabled' interactive_logon_do_not_require_ctrl+alt+del : data: 'Microsoft Windows Server 2008*': @@ -443,7 +443,7 @@ win_secedit: tag: CIS-2.3.7.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'interactive logon - do not require ctrl+alt+del' is set to 'disabled' + description: (L1) Ensure 'Interactive Logon - Do Not Require Ctrl+alt+del' is set to 'Disabled' interactive_logon_message_text_for_users_attempting_to_log_on : #NOTE: Configure this data: 'Microsoft Windows Server 2008*': 
@@ -451,7 +451,7 @@ win_secedit: tag: CIS-2.3.7.3 match_output: '' value_type: 'configured' - description: (l1) configure 'interactive logon - message text for users attempting to log on' + description: (L1) configure 'interactive logon - message text for users attempting to log on' interactive_logon_message_title_for_users_attempting_to_log_on : #NOTE: Configure this data: 'Microsoft Windows Server 2008*': @@ -459,7 +459,7 @@ win_secedit: tag: CIS-2.3.7.4 match_output: '' value_type: 'configured' - description: (l1) configure 'interactive logon - message title for users attempting to log on' + description: (L1) configure 'interactive logon - message title for users attempting to log on' interactive_logon_prompt_user_to_change_password_before_expiration : data: 'Microsoft Windows Server 2008*': @@ -467,7 +467,7 @@ win_secedit: tag: CIS-2.3.7.6 match_output: '15' # between 5 and 14 value_type: 'less' - description: (l1) ensure 'interactive logon - prompt user to change password before expiration' is set to 'between 5 and 14 days' + description: (L1) Ensure 'Interactive Logon - Prompt User To Change Password Before Expiration' is set to 'between 5 and 14 days' interactive_logon_require_domain_controller_authentication_to_unlock_workstation : data: 'Microsoft Windows Server 2008*': 
@@ -483,23 +483,23 @@ win_secedit: tag: CIS-2.3.7.8 match_output: 'Lock Workstation' # can be anything but No Action value_type: 'equal' - description: (l1) ensure 'interactive logon - smart card removal behavior' is set to 'lock workstation' or higher - microsoft_network_client_digitally_sign_communications_ : + description: (L1) Ensure 'Interactive Logon - Smart Card Removal Behavior' is set to 'lock workstation' or higher + microsoft_network_client_digitally_sign_communications_require: data: 'Microsoft Windows Server 2008*': - 'MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature': tag: CIS-2.3.8.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'microsoft network client - digitally sign communications (always)' is set to 'enabled' - microsoft_network_client_digitally_sign_communications_ : + description: (L1) Ensure 'Microsoft Network Client - Digitally Sign Communications (always)' is set to 'Enabled' + microsoft_network_client_digitally_sign_communications_enable: data: 'Microsoft Windows Server 2008*': - 'MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature': tag: CIS-2.3.8.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'microsoft network client - digitally sign communications (if server agrees)' is set to 'enabled' + description: (L1) Ensure 'Microsoft Network Client - Digitally Sign Communications (if Server Agrees)' is set to 'Enabled' microsoft_network_client_send_unencrypted_password_to_third-party_smb_servers : data: 'Microsoft Windows Server 2008*': 
@@ -507,7 +507,7 @@ win_secedit: tag: CIS-2.3.8.3 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'microsoft network client - send unencrypted password to third-party smb servers' is set to 'disabled' + description: (L1) Ensure 'Microsoft Network Client - Send Unencrypted Password To Third-party Smb Servers' is set to 'Disabled' microsoft_network_server_amount_of_idle_time_required_before_suspending_session : data: 'Microsoft Windows Server 2008*': 
@@ -515,23 +515,23 @@ win_secedit: tag: CIS-2.3.9.1 match_output: '16' value_type: 'less' - description: (l1) ensure 'microsoft network server - amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0' - microsoft_network_server_digitally_sign_communications_ : + description: (L1) Ensure 'Microsoft Network Server - Amount Of Idle Time Required Before Suspending Session' is set to '15 or fewer minute(s), but not 0' + microsoft_network_server_digitally_sign_communications_always : data: 'Microsoft Windows Server 2008*': - 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature': tag: CIS-2.3.9.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'microsoft network server - digitally sign communications (always)' is set to 'enabled' - microsoft_network_server_digitally_sign_communications_ : + description: (L1) Ensure 'Microsoft Network Server - Digitally Sign Communications (always)' is set to 'Enabled' + microsoft_network_server_digitally_sign_communications_if_client_agrees : data: 'Microsoft Windows Server 2008*': - 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature': tag: CIS-2.3.9.3 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'microsoft network server - digitally sign communications (if client agrees)' is set to 'enabled' + description: (L1) Ensure 'Microsoft Network Server - Digitally Sign Communications (if Client Agrees)' is set to 'Enabled' microsoft_network_server_disconnect_clients_when_logon_hours_expire : data: 'Microsoft Windows Server 2008*': 
@@ -539,7 +539,7 @@ win_secedit: tag: CIS-2.3.9.4 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'microsoft network server - disconnect clients when logon hours expire' is set to 'enabled' + description: (L1) Ensure 'Microsoft Network Server - Disconnect Clients When Logon Hours Expire' is set to 'Enabled' microsoft_network_server_server_spn_target_name_validation_level : data: 'Microsoft Windows Server 2008*': @@ -547,7 +547,7 @@ win_secedit: tag: CIS-2.3.9.5 match_output: 'Accept if provided by client' value_type: 'equal' - description: (l1) ensure 'microsoft network server - server spn target name validation level' is set to 'accept if provided by client' or higher + description: (L1) Ensure 'Microsoft Network Server - Server Spn Target Name Validation Level' is set to 'accept if provided by client' or higher network_access_allow_anonymous_sid/name_translation : data: 'Microsoft Windows Server 2008*': @@ -555,7 +555,7 @@ win_secedit: tag: CIS-2.3.10.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'network access - allow anonymous sid/name translation' is set to 'disabled' + description: (L1) Ensure 'Network Access - Allow Anonymous Sid/name Translation' is set to 'Disabled' network_access_do_not_allow_anonymous_enumeration_of_sam_accounts : data: 'Microsoft Windows Server 2008*': @@ -563,7 +563,7 @@ win_secedit: tag: CIS-2.3.10.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'network access - do not allow anonymous enumeration of sam accounts' is set to 'enabled' + description: (L1) Ensure 'Network Access - Do Not Allow Anonymous Enumeration Of Sam Accounts' is set to 'Enabled' network_access_do_not_allow_anonymous_enumeration_of_sam_accounts_and_shares : data: 'Microsoft Windows Server 2008*': 
@@ -571,15 +571,7 @@ win_secedit: tag: CIS-2.3.10.3 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'network access - do not allow anonymous enumeration of sam accounts and shares' is set to 'enabled' - network_access_do_not_allow_storage_of_passwords_and_credentials_for_network_authentication : - data: - 'Microsoft Windows Server 2008*': - - 'MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds': - tag: CIS-2.3.10.4 - match_output: 'Enabled' - value_type: 'equal' - description: 'Network access Do not allow storage of passwords and credentials for network authentication' + description: (L1) Ensure 'Network Access - Do Not Allow Anonymous Enumeration Of Sam Accounts And Shares' is set to 'Enabled' network_access_let_everyone_persmissions_apply_to_anonymous_users : data: 'Microsoft Windows Server 2008*': @@ -587,7 +579,7 @@ win_secedit: tag: CIS-2.3.10.5 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'network access - let everyone permissions apply to anonymous users' is set to 'disabled' + description: (L1) Ensure 'Network Access - Let Everyone Permissions Apply To Anonymous Users' is set to 'Disabled' network_access_remotely_accessible_registry_paths : data: 'Microsoft Windows Server 2008*': @@ -595,7 +587,7 @@ win_secedit: tag: CIS-2.3.10.7 match_output: 'System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion' value_type: 'equal' - description: (l1) ensure 'network access - remotely accessible registry paths' + description: (L1) Ensure 'Network Access - Remotely Accessible Registry Paths' network_access_remotely_accessible_registry_paths_and_sub-paths : data: 'Microsoft Windows Server 2008*': 
@@ -603,7 +595,7 @@ win_secedit: tag: CIS-2.3.10.8 match_output: 'System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows NT\CurrentVersion\Perflib, System\CurrentControlSet\Services\SysmonLog' value_type: 'equal' - description: (l1) ensure 'network access - remotely accessible registry paths and sub-paths' + description: (L1) Ensure 'Network Access - Remotely Accessible Registry Paths And Sub-paths' network_access_restrict_anonymous_access_to_named_pipes_and_shares : data: 'Microsoft Windows Server 2008*': @@ -611,7 +603,7 @@ win_secedit: tag: CIS-2.3.10.9 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'network access - restrict anonymous access to named pipes and shares' is set to 'enabled' + description: (L1) Ensure 'Network Access - Restrict Anonymous Access To Named Pipes And Shares' is set to 'Enabled' network_access_sharing_and_security_model_for_local_accounts : data: 'Microsoft Windows Server 2008*': @@ -619,7 +611,7 @@ win_secedit: tag: CIS-2.3.10.11 match_output: 'Classic - local users authenticate as themselves' value_type: 'equal' - description: (l1) ensure 'network access - sharing and security model for local accounts' is set to 'classic - local users authenticate as themselves' + description: (L1) Ensure 'Network Access - Sharing And Security Model For Local Accounts' is set to 'classic - local users authenticate as themselves' network_security_allow_local_system_to_use_computer_identity_for_ntlm : data: 'Microsoft Windows Server 2008*': 
@@ -627,7 +619,7 @@ win_secedit: tag: CIS-2.3.11.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'network security - allow local system to use computer identity for ntlm' is set to 'enabled' + description: (L1) Ensure 'Network Security - Allow Local System To Use Computer Identity For Ntlm' is set to 'Enabled' network_security_allow_localsystem_null_session_fallback : data: 'Microsoft Windows Server 2008*': @@ -635,7 +627,7 @@ win_secedit: tag: CIS-2.3.11.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'network security - allow localsystem null session fallback' is set to 'disabled' + description: (L1) Ensure 'Network Security - Allow Localsystem Null Session Fallback' is set to 'Disabled' network_security_allow_pku2u_authentication_requests_to_this_computer_to_use_online_identities : data: 'Microsoft Windows Server 2008*': @@ -643,7 +635,7 @@ win_secedit: tag: CIS-2.3.11.3 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'network security - allow pku2u authentication requests to this computer to use online identities' is set to 'disabled' + description: (L1) Ensure 'Network Security - Allow Pku2u Authentication Requests To This Computer To Use Online Identities' is set to 'Disabled' network_security_configure_encryption_types_allowed_for_kerberos : data: 'Microsoft Windows Server 2008*': 
@@ -651,7 +643,7 @@ win_secedit: tag: CIS-2.3.11.4 match_output: 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' value_type: 'equal' - description: (l1) ensure 'network security - configure encryption types allowed for kerberos' is set to 'rc4_hmac_md5, aes128_hmac_sha1, aes256_hmac_sha1, future encryption types' + description: (L1) Ensure 'Network Security - Configure Encryption Types Allowed For Kerberos' is set to 'rc4_hmac_md5, aes128_hmac_sha1, aes256_hmac_sha1, future encryption types' network_security_do_not_store_lan_manager_hash_value_on_next_password_change : data: 'Microsoft Windows Server 2008*': @@ -659,7 +651,7 @@ win_secedit: tag: CIS-2.3.11.5 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'network security - do not store lan manager hash value on next password change' is set to 'enabled' + description: (L1) Ensure 'Network Security - Do Not Store Lan Manager Hash Value On Next Password Change' is set to 'Enabled' network_security_force_logoff_when_logon_hours_expire : data: 'Microsoft Windows Server 2008*': @@ -667,7 +659,7 @@ win_secedit: tag: CIS-2.3.11.6 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'network security - force logoff when logon hours expire' is set to 'enabled' + description: (L1) Ensure 'Network Security - Force Logoff When Logon Hours Expire' is set to 'Enabled' network_security_lan_manager_authentication_level : data: 'Microsoft Windows Server 2008*': @@ -675,7 +667,7 @@ win_secedit: tag: CIS-2.3.11.7 match_output: 'Send NTLMv2 response only. Refuse LM & NTLM' value_type: 'equal' - description: (l1) ensure 'network security - lan manager authentication level' is set to 'send ntlmv2 response only. refuse lm & ntlm' + description: (L1) Ensure 'Network Security - Lan Manager Authentication Level' is set to 'send ntlmv2 response only. refuse lm & ntlm' network_security_ldap_client_signing_requirements : data: 'Microsoft Windows Server 2008*': 
@@ -683,7 +675,7 @@ win_secedit: tag: CIS-2.3.11.8 match_output: 'Negotiate signing' value_type: 'equal' - description: (l1) ensure 'network security - ldap client signing requirements' is set to 'negotiate signing' or higher + description: (L1) Ensure 'Network Security - Ldap Client Signing Requirements' is set to 'negotiate signing' or higher network_security_minimum_session_security_for_ntlm_ssp_based_clients : data: 'Microsoft Windows Server 2008*': @@ -691,7 +683,7 @@ win_secedit: tag: CIS-2.3.11.9 match_output: 'Require NTLMv2 session security, Require 128-bit encryption' value_type: 'equal' - description: (l1) ensure 'network security - minimum session security for ntlm ssp based (including secure rpc) clients' is set to 'require ntlmv2 session security, require 128-bit encryption' + description: (L1) Ensure 'Network Security - Minimum Session Security For Ntlm Ssp Based (including Secure Rpc) Clients' is set to 'require ntlmv2 session security, require 128-bit encryption' network_security_minimum_session_security_for_ntlm_ssp_based_(including_secure_rpc_servers : data: 'Microsoft Windows Server 2008*': @@ -699,7 +691,7 @@ win_secedit: tag: CIS-2.3.11.10 match_output: 'Require NTLMv2 session security, Require 128-bit encryption' value_type: 'equal' - description: (l1) ensure 'network security - minimum session security for ntlm ssp based (including secure rpc) servers' is set to 'require ntlmv2 session security, require 128-bit encryption' + description: (L1) Ensure 'Network Security - Minimum Session Security For Ntlm Ssp Based (including Secure Rpc) Servers' is set to 'require ntlmv2 session security, require 128-bit encryption' shutdown_allow_system_to_be_shut_down_without_having_to_log_on : data: 'Microsoft Windows Server 2008*': 
@@ -707,7 +699,7 @@ win_secedit: tag: CIS-2.3.13.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'shutdown - allow system to be shut down without having to log on' is set to 'disabled' + description: (L1) Ensure 'Shutdown - Allow System To Be Shut Down Without Having To Log On' is set to 'Disabled' system_objects_require_case_insensitivity_for_non-windows_subsystems : data: 'Microsoft Windows Server 2008*': @@ -715,7 +707,7 @@ win_secedit: tag: CIS-2.3.15.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'system objects - require case insensitivity for non-windows subsystems' is set to 'enabled' + description: (L1) Ensure 'System Objects - Require Case Insensitivity For Non-windows Subsystems' is set to 'Enabled' system_objects_strengthen_default_permissions_of_internal_system_objects_(e.g._symbolic_links : data: 'Microsoft Windows Server 2008*': @@ -723,7 +715,7 @@ win_secedit: tag: CIS-2.3.15.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'system objects - strengthen default permissions of internal system objects (e.g. symbolic links)' is set to 'enabled' + description: (L1) Ensure 'System Objects - Strengthen Default Permissions Of Internal System Objects (e.g. Symbolic Links)' is set to 'Enabled' system_settings_optional_subsystems : data: 'Microsoft Windows Server 2008*': @@ -731,7 +723,7 @@ win_secedit: tag: CIS-2.3.16.1 match_output: 'Defined' # blank value_type: 'equal' - description: (l1) ensure 'system settings - optional subsystems' is set to 'defined - (blank)' + description: (L1) Ensure 'System Settings - Optional Subsystems' is set to 'defined - (blank)' user_account_control_admin_approval_mode_for_the_built-in_administrator_account : data: 'Microsoft Windows Server 2008*': 
@@ -739,7 +731,7 @@ win_secedit: tag: CIS-2.3.17.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'user account control - admin approval mode for the built-in administrator account' is set to 'enabled' + description: (L1) Ensure 'User Account Control - Admin Approval Mode For The Built-in Administrator Account' is set to 'Enabled' user_account_control_allow_uiaccess_applications_to_prompt_for_elevation_without_using_the_secure_desktop : data: 'Microsoft Windows Server 2008*': @@ -747,7 +739,7 @@ win_secedit: tag: CIS-2.3.17.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'user account control - allow uiaccess applications to prompt for elevation without using the secure desktop' is set to 'disabled' + description: (L1) Ensure 'User Account Control - Allow Uiaccess Applications To Prompt For Elevation Without Using The Secure Desktop' is set to 'Disabled' user_account_control_behavior_of_the_elevation_prompt_for_administrators_in_admin_approval_mode : data: 'Microsoft Windows Server 2008*': @@ -755,7 +747,7 @@ win_secedit: tag: CIS-2.3.17.3 match_output: 'Prompt for consent on the secure desktop' value_type: 'equal' - description: (l1) ensure 'user account control - behavior of the elevation prompt for administrators in admin approval mode' is set to 'prompt for consent on the secure desktop' + description: (L1) Ensure 'User Account Control - Behavior Of The Elevation Prompt For Administrators In Admin Approval Mode' is set to 'prompt for consent on the secure desktop' user_account_control_behavior_of_the_elevation_prompt_for_standard_users : data: 'Microsoft Windows Server 2008*': 
@@ -763,7 +755,7 @@ win_secedit: tag: CIS-2.3.17.4 match_output: 'Automatically deny elevation requests' value_type: 'equal' - description: (l1) ensure 'user account control - behavior of the elevation prompt for standard users' is set to 'automatically deny elevation requests' + description: (L1) Ensure 'User Account Control - Behavior Of The Elevation Prompt For Standard Users' is set to 'automatically deny elevation requests' user_account_control_detect_application_installations_and_prompt_for_elevation : data: 'Microsoft Windows Server 2008*': @@ -771,7 +763,7 @@ win_secedit: tag: CIS-2.3.17.5 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'user account control - detect application installations and prompt for elevation' is set to 'enabled' + description: (L1) Ensure 'User Account Control - Detect Application Installations And Prompt For Elevation' is set to 'Enabled' user_account_control_only_elevate_uiaccess_applications_that_are_installed_in_secure_locations : data: 'Microsoft Windows Server 2008*': @@ -779,7 +771,7 @@ win_secedit: tag: CIS-2.3.17.6 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'user account control - only elevate uiaccess applications that are installed in secure locations' is set to 'enabled' + description: (L1) Ensure 'User Account Control - Only Elevate Uiaccess Applications That Are Installed In Secure Locations' is set to 'Enabled' user_account_control_run_all_administrators_in_admin_approval_mode : data: 'Microsoft Windows Server 2008*': @@ -787,7 +779,7 @@ win_secedit: tag: CIS-2.3.17.7 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'user account control - run all administrators in admin approval mode' is set to 'enabled' + description: (L1) Ensure 'User Account Control - Run All Administrators In Admin Approval Mode' is set to 'Enabled' user_account_control_switch_to_the_secure_desktop_when_prompting_for_elevation : data: 'Microsoft Windows Server 2008*': 
@@ -795,7 +787,7 @@ win_secedit: tag: CIS-2.3.17.8 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'user account control - switch to the secure desktop when prompting for elevation' is set to 'enabled' + description: (L1) Ensure 'User Account Control - Switch To The Secure Desktop When Prompting For Elevation' is set to 'Enabled' user_account_control_virtualize_file_and_registry_write_failures_to_per-user_locations : data: 'Microsoft Windows Server 2008*': @@ -803,7 +795,7 @@ win_secedit: tag: CIS-2.3.17.9 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'user account control - virtualize file and registry write failures to per-user locations' is set to 'enabled' + description: (L1) Ensure 'User Account Control - Virtualize File And Registry Write Failures To Per-user Locations' is set to 'Enabled' blacklist: accounts_rename_administrator_account : @@ -813,7 +805,7 @@ win_secedit: tag: CIS-2.3.1.4 match_output: 'Administrator' value_type: 'equal' - description: (l1) configure 'accounts - rename administrator account' + description: (L1) configure 'accounts - rename administrator account' accounts_rename_guest_account : data: 'Microsoft Windows Server 2008*': @@ -821,7 +813,7 @@ win_secedit: tag: CIS-2.3.1.5 match_output: 'Guest' value_type: 'equal' - description: (l1) configure 'accounts - rename guest account' + description: (L1) configure 'accounts - rename guest account' network_access_named_pipes_that_can_be_accessed_anonymously : data: 'Microsoft Windows Server 2008*': @@ -829,7 +821,7 @@ win_secedit: tag: CIS-2.3.10.6 match_output: '' value_type: 'equal' - description: (l1) configure 'network access - named pipes that can be accessed anonymously' + description: (L1) configure 'network access - named pipes that can be accessed anonymously' network_access_shares_that_can_be_accessed_anonymously : data: 'Microsoft Windows Server 2008*': 
@@ -837,7 +829,7 @@ win_secedit: tag: CIS-2.3.10.10 match_output: '' value_type: 'equal' - description: (l1) ensure 'network access - shares that can be accessed anonymously' is set to 'none' + description: (L1) Ensure 'Network Access - Shares That Can Be Accessed Anonymously' is set to 'none' access_credential_manager: data: 'Microsoft Windows Server 2008*': @@ -845,7 +837,7 @@ win_secedit: tag: CIS-2.2.1 match_output: 'No One' value_type: 'match' - description: (l1) ensure 'access credential manager as a trusted caller' is set to 'no one' + description: (L1) Ensure 'Access Credential Manager As A Trusted Caller' is set to 'no one' act_as_operating_system: data: 'Microsoft Windows Server 2008*': @@ -853,7 +845,7 @@ win_secedit: tag: CIS-2.2.3 match_output: 'No One' value_type: 'match' - description: (l1) ensure 'act as part of the operating system' is set to 'no one' + description: (L1) Ensure 'Act As Part Of The Operating System' is set to 'no one' create_a_token_object : data: 'Microsoft Windows Server 2008*': @@ -861,7 +853,7 @@ win_secedit: tag: CIS-2.2.12 match_output: 'No One' value_type: 'account' - description: (l1) ensure 'create a token object' is set to 'no one' + description: (L1) Ensure 'Create A Token Object' is set to 'no one' create_permanent_shared_objects : data: 'Microsoft Windows Server 2008*': @@ -869,7 +861,7 @@ win_secedit: tag: CIS-2.2.14 match_output: 'No One' value_type: 'account' - description: (l1) ensure 'create permanent shared objects' is set to 'no one' + description: (L1) Ensure 'Create Permanent Shared Objects' is set to 'no one' enable_computer_and_user_accounts_to_be_trusted_for_delegation : data: 'Microsoft Windows Server 2008*': 
@@ -877,7 +869,7 @@ win_secedit: tag: CIS-2.2.22 match_output: 'No one' value_type: 'account' - description: (l1) configure 'enable computer and user accounts to be trusted for delegation' + description: (L1) configure 'enable computer and user accounts to be trusted for delegation' lock_pages_in_memory : data: 'Microsoft Windows Server 2008*': @@ -885,7 +877,7 @@ win_secedit: tag: CIS-2.2.28 match_output: 'No One' value_type: 'account' - description: (l1) ensure 'lock pages in memory' is set to 'no one' + description: (L1) Ensure 'Lock Pages In Memory' is set to 'no one' modify_an_object_label : data: 'Microsoft Windows Server 2008*': @@ -893,7 +885,7 @@ win_secedit: tag: CIS-2.2.31 match_output: 'No One' value_type: 'account' - description: (l1) ensure 'modify an object label' is set to 'no one' + description: (L1) Ensure 'Modify An Object Label' is set to 'no one' synchronize_directory_service_data : data: 'Microsoft Windows Server 2008*': 
@@ -901,250 +893,8 @@ win_secedit: tag: CIS-2.2.39 match_output: 'No One' value_type: 'account' - description: (l1) ensure 'synchronize directory service data' is set to 'no one' (dc only) + description: (L1) Ensure 'Synchronize Directory Service Data' is set to 'no one' (dc only) -#win_firewall: -# whitelist: -# windows_firewall_domain_firewall_state : -# data: -# 'Microsoft Windows Server 2008*': -# - 'Enabled': -# tag: CIS-9.1.1 -# match_output: 'True' -# value_type: 'domain' -# description: (l1) ensure 'windows firewall - domain - firewall state' is set to 'on (recommended)' -# windows_firewall_domain_inbound_connections : -# data: -# 'Microsoft Windows Server 2008*': -# - 'DefaultInboundAction': -# tag: CIS-9.1.2 -# match_output: 'Block' -# value_type: 'domain' -# description: (l1) ensure 'windows firewall - domain - inbound connections' is set to 'block (default)' -# windows_firewall_domain_outbound_connections : -# data: -# 'Microsoft Windows Server 2008*': -# - 'DefaultOutboundAction': -# tag: CIS-9.1.3 -# match_output: 'Allow' -# value_type: 'domain' -# description: (l1) ensure 'windows firewall - domain - outbound connections' is set to 'allow (default)' -# windows_firewall_domain_settings_display_a_notification : -# data: -# 'Microsoft Windows Server 2008*': -# - 'NotifyOnListen': -# tag: CIS-9.1.4 -# match_output: 'False' -# value_type: 'domain' -# description: (l1) ensure 'windows firewall - domain - settings - display a notification' is set to 'no' -# windows_firewall_domain_settings_apply_local_firewall_rules : -# data: -# 'Microsoft Windows Server 2008*': -# - 'AllowLocalFirewallRules': -# tag: CIS-9.1.5 -# match_output: 'True' -# value_type: 'domain' -# description: (l1) ensure 'windows firewall - domain - settings - apply local firewall rules' is set to 'yes (default)' -# windows_firewall_domain_settings_apply_local_connection_security_rules : -# data: -# 'Microsoft Windows Server 2008*': -# - 'AllowLocalIPsecRules': -# tag: CIS-9.1.6 -# 
match_output: 'True' -# value_type: 'domain' -# description: (l1) ensure 'windows firewall - domain - settings - apply local connection security rules' is set to 'yes (default)' -# windows_firewall_domain_logging_name : -# data: -# 'Microsoft Windows Server 2008*': -# - 'LogFileName': -# tag: CIS-9.1.7 -# match_output: '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log' -# value_type: 'domain' -# description: (l1) ensure 'windows firewall - domain - logging - name' is set to '%systemroot%\system32\logfiles\firewall\domainfw.log' -# windows_firewall_domain_logging_size_limit : -# data: -# 'Microsoft Windows Server 2008*': -# - 'LogMaxSizeKilobytes': -# tag: CIS-9.1.8 -# match_output: '16384' -# value_type: 'domain' -# description: (l1) ensure 'windows firewall - domain - logging - size limit (kb)' is set to '16,384 kb or greater' -# windows_firewall_domain_logging_log_dropped_packets : -# data: -# 'Microsoft Windows Server 2008*': -# - 'LogBlocked': -# tag: CIS-9.1.9 -# match_output: 'True' -# value_type: 'domain' -# description: (l1) ensure 'windows firewall - domain - logging - log dropped packets' is set to 'yes' -# windows_firewall_domain_logging_log_successful_connections : -# data: -# 'Microsoft Windows Server 2008*': -# - 'LogAllowed': -# tag: CIS-9.1.10 -# match_output: 'True' -# value_type: 'domain' -# description: (l1) ensure 'windows firewall - domain - logging - log successful connections' is set to 'yes' -# windows_firewall_private_firewall_state : -# data: -# 'Microsoft Windows Server 2008*': -# - 'Enabled': -# tag: CIS-9.2.1 -# match_output: 'True' -# value_type: 'private' -# description: (l1) ensure 'windows firewall - private - firewall state' is set to 'on (recommended)' -# windows_firewall_private_inbound_connections : -# data: -# 'Microsoft Windows Server 2008*': -# - 'DefaultInboundAction': -# tag: CIS-9.2.2 -# match_output: 'Block' -# value_type: 'private' -# description: (l1) ensure 'windows firewall - private - inbound connections' is set 
to 'block (default)' -# windows_firewall_private_outbound_connections : -# data: -# 'Microsoft Windows Server 2008*': -# - 'DefaultOutboundAction': -# tag: CIS-9.2.3 -# match_output: 'Allow' -# value_type: 'private' -# description: (l1) ensure 'windows firewall - private - outbound connections' is set to 'allow (default)' -# windows_firewall_private_settings_display_a_notification : -# data: -# 'Microsoft Windows Server 2008*': -# - 'NotifyOnListen': -# tag: CIS-9.2.4 -# match_output: 'False' -# value_type: 'private' -# description: (l1) ensure 'windows firewall - private - settings - display a notification' is set to 'no' -# windows_firewall_private_settings_apply_local_firewall_rules : -# data: -# 'Microsoft Windows Server 2008*': -# - 'AllowLocalFirewallRules': -# tag: CIS-9.2.5 -# match_output: 'True' -# value_type: 'private' -# description: (l1) ensure 'windows firewall - private - settings - apply local firewall rules' is set to 'yes (default)' -# windows_firewall_private_settings_apply_local_connection_security_rules : -# data: -# 'Microsoft Windows Server 2008*': -# - 'AllowLocalIPsecRules': -# tag: CIS-9.2.6 -# match_output: 'True' -# value_type: 'private' -# description: (l1) ensure 'windows firewall - private - settings - apply local connection security rules' is set to 'yes (default)' -# windows_firewall_private_logging_name : -# data: -# 'Microsoft Windows Server 2008*': -# - 'LogFileName': -# tag: CIS-9.2.7 -# match_output: '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log' -# value_type: 'private' -# description: (l1) ensure 'windows firewall - private - logging - name' is set to '%systemroot%\system32\logfiles\firewall\privatefw.log' -# windows_firewall_private_logging_size_limit : -# data: -# 'Microsoft Windows Server 2008*': -# - 'LogMaxSizeKilobytes': -# tag: CIS-9.2.8 -# match_output: '16384' -# value_type: 'private' -# description: (l1) ensure 'windows firewall - private - logging - size limit (kb)' is set to '16,384 kb or greater' -# 
windows_firewall_private_logging_log_dropped_packets : -# data: -# 'Microsoft Windows Server 2008*': -# - 'LogBlocked': -# tag: CIS-9.2.9 -# match_output: 'True' -# value_type: 'private' -# description: (l1) ensure 'windows firewall - private - logging - log dropped packets' is set to 'yes' -# windows_firewall_private_logging_log_successful_connections : -# data: -# 'Microsoft Windows Server 2008*': -# - 'LogAllowed': -# tag: CIS-9.2.10 -# match_output: 'True' -# value_type: 'private' -# description: (l1) ensure 'windows firewall - private - logging - log successful connections' is set to 'yes' -# windows_firewall_public_firewall_state : -# data: -# 'Microsoft Windows Server 2008*': -# - 'Enabled': -# tag: CIS-9.3.1 -# match_output: 'True' -# value_type: 'public' -# description: (l1) ensure 'windows firewall - public - firewall state' is set to 'on (recommended)' -# windows_firewall_public_inbound_connections : -# data: -# 'Microsoft Windows Server 2008*': -# - 'DefaultInboundAction': -# tag: CIS-9.3.2 -# match_output: 'Block' -# value_type: 'public' -# description: (l1) ensure 'windows firewall - public - inbound connections' is set to 'block (default)' -# windows_firewall_public_outbound_connections : -# data: -# 'Microsoft Windows Server 2008*': -# - 'DefaultOutboundAction': -# tag: CIS-9.3.3 -# match_output: 'Allow' -# value_type: 'public' -# description: (l1) ensure 'windows firewall - public - outbound connections' is set to 'allow (default)' -# windows_firewall_public_settings_display_a_notification : -# data: -# 'Microsoft Windows Server 2008*': -# - 'NotifyOnListen': -# tag: CIS-9.3.4 -# match_output: 'True' -# value_type: 'public' -# description: (l1) ensure 'windows firewall - public - settings - display a notification' is set to 'yes' -# windows_firewall_public_settings_apply_local_firewall_rules : -# data: -# 'Microsoft Windows Server 2008*': -# - 'AllowLocalFirewallRules': -# tag: CIS-9.3.5 -# match_output: 'False' -# value_type: 'public' -# 
description: (l1) ensure 'windows firewall - public - settings - apply local firewall rules' is set to 'no' -# windows_firewall_public_settings_apply_local_connection_security_rules : -# data: -# 'Microsoft Windows Server 2008*': -# - 'AllowLocalIPsecRules': -# tag: CIS-9.3.6 -# match_output: 'False' -# value_type: 'public' -# description: (l1) ensure 'windows firewall - public - settings - apply local connection security rules' is set to 'no' -# windows_firewall_public_logging_name : -# data: -# 'Microsoft Windows Server 2008*': -# - 'LogFileName': -# tag: CIS-9.3.7 -# match_output: '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log' -# value_type: 'public' -# description: (l1) ensure 'windows firewall - public - logging - name' is set to '%systemroot%\system32\logfiles\firewall\publicfw.log' -# windows_firewall_public_logging_size_limit_(kb : -# data: -# 'Microsoft Windows Server 2008*': -# - 'LogMaxSizeKilobytes': -# tag: CIS-9.3.8 -# match_output: '16384' -# value_type: 'public' -# description: (l1) ensure 'windows firewall - public - logging - size limit (kb)' is set to '16,384 kb or greater' -# windows_firewall_public_logging_log_dropped_packets : -# data: -# 'Microsoft Windows Server 2008*': -# - 'LogBlocked': -# tag: CIS-9.3.9 -# match_output: 'True' -# value_type: 'public' -# description: (l1) ensure 'windows firewall - public - logging - log dropped packets' is set to 'yes' -# windows_firewall_public_logging_log_successful_connections : -# data: -# 'Microsoft Windows Server 2008*': -# - 'LogAllowed': -# tag: CIS-9.3.10 -# match_output: 'True' -# value_type: 'public' -# description: (l1) ensure 'windows firewall - public - logging - log successful connections' is set to 'yes' win_auditpol: whitelist: 
@@ -1155,7 +905,7 @@ win_auditpol: tag: CIS-17.1.1 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit credential validation' is set to 'success and failure' + description: (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure' Audit Application Group Management : data: 'Microsoft Windows Server 2008*': @@ -1163,7 +913,7 @@ win_auditpol: tag: CIS-17.2.1 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit application group management' is set to 'success and failure' + description: (L1) Ensure 'Audit Application Group Management' is set to 'Success and Failure' Audit Computer Account Management : data: 'Microsoft Windows Server 2008*': @@ -1171,7 +921,7 @@ win_auditpol: tag: CIS-17.2.2 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit computer account management' is set to 'success and failure' + description: (L1) Ensure 'Audit Computer Account Management' is set to 'Success and Failure' Audit Other Account Management Events : data: 'Microsoft Windows Server 2008*': @@ -1179,7 +929,7 @@ win_auditpol: tag: CIS-17.2.4 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit other account management events' is set to 'success and failure' + description: (L1) Ensure 'Audit Other Account Management Events' is set to 'Success and Failure' Audit Security Group Management : data: 'Microsoft Windows Server 2008*': @@ -1187,7 +937,7 @@ win_auditpol: tag: CIS-17.2.5 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit security group management' is set to 'success and failure' + description: (L1) Ensure 'Audit Security Group Management' is set to 'Success and Failure' Audit User Account Management : data: 'Microsoft Windows Server 2008*': 
@@ -1195,7 +945,7 @@ win_auditpol: tag: CIS-17.2.6 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit user account management' is set to 'success and failure' + description: (L1) Ensure 'Audit User Account Management' is set to 'Success and Failure' Audit Process Creation : data: 'Microsoft Windows Server 2008*': @@ -1203,7 +953,7 @@ win_auditpol: tag: CIS-17.3.1 match_output: 'Success' value_type: 'equal' - description: (l1) ensure 'audit process creation' is set to 'success' + description: (L1) Ensure 'Audit Process Creation' is set to 'Success' Audit Account Lockout : data: 'Microsoft Windows Server 2008*': @@ -1211,7 +961,7 @@ win_auditpol: tag: CIS-17.5.1 match_output: 'Success' value_type: 'equal' - description: (l1) ensure 'audit account lockout' is set to 'success' + description: (L1) Ensure 'Audit Account Lockout' is set to 'Success' Audit Logoff : data: 'Microsoft Windows Server 2008*': @@ -1219,7 +969,7 @@ win_auditpol: tag: CIS-17.5.2 match_output: 'Success' value_type: 'equal' - description: (l1) ensure 'audit logoff' is set to 'success' + description: (L1) Ensure 'Audit Logoff' is set to 'Success' Audit Logon : data: 'Microsoft Windows Server 2008*': @@ -1227,7 +977,7 @@ win_auditpol: tag: CIS-17.5.3 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit logon' is set to 'success and failure' + description: (L1) Ensure 'Audit Logon' is set to 'Success and Failure' Audit Other Logon/Logoff Events : data: 'Microsoft Windows Server 2008*': @@ -1235,7 +985,7 @@ win_auditpol: tag: CIS-17.5.4 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit other logon/logoff events' is set to 'success and failure' + description: (L1) Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure' Audit Special Logon : data: 'Microsoft Windows Server 2008*': 
@@ -1243,7 +993,7 @@ win_auditpol: tag: CIS-17.5.5 match_output: 'Success' value_type: 'equal' - description: (l1) ensure 'audit special logon' is set to 'success' + description: (L1) Ensure 'Audit Special Logon' is set to 'Success' Audit Audit Policy Change : data: 'Microsoft Windows Server 2008*': @@ -1251,7 +1001,7 @@ win_auditpol: tag: CIS-17.7.1 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit audit policy change' is set to 'success and failure' + description: (L1) Ensure 'Audit Audit Policy Change' is set to 'Success and Failure' Audit Authentication Policy Change : data: 'Microsoft Windows Server 2008*': @@ -1259,7 +1009,7 @@ win_auditpol: tag: CIS-17.7.2 match_output: 'Success' value_type: 'equal' - description: (l1) ensure 'audit authentication policy change' is set to 'success' + description: (L1) Ensure 'Audit Authentication Policy Change' is set to 'Success' Audit Sensitive Privilege Use : data: 'Microsoft Windows Server 2008*': @@ -1267,7 +1017,7 @@ win_auditpol: tag: CIS-17.8.1 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit sensitive privilege use' is set to 'success and failure' + description: (L1) Ensure 'Audit Sensitive Privilege Use' is set to 'Success and Failure' Audit IPsec Driver : data: 'Microsoft Windows Server 2008*': @@ -1275,7 +1025,7 @@ win_auditpol: tag: CIS-17.9.1 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit ipsec driver' is set to 'success and failure' + description: (L1) Ensure 'Audit IPsec Driver' is set to 'Success and Failure' Audit Other System Events : data: 'Microsoft Windows Server 2008*': 
@@ -1283,7 +1033,7 @@ win_auditpol: tag: CIS-17.9.2 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit other system events' is set to 'success and failure' + description: (L1) Ensure 'Audit Other System Events' is set to 'Success and Failure' Audit Security State Change : data: 'Microsoft Windows Server 2008*': @@ -1291,7 +1041,7 @@ win_auditpol: tag: CIS-17.9.3 match_output: 'Success' value_type: 'equal' - description: (l1) ensure 'audit security state change' is set to 'success' + description: (L1) Ensure 'Audit Security State Change' is set to 'Success' Audit Security System Extension : data: 'Microsoft Windows Server 2008*': @@ -1299,7 +1049,7 @@ win_auditpol: tag: CIS-17.9.4 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit security system extension' is set to 'success and failure' + description: (L1) Ensure 'Audit Security System Extension' is set to 'Success and Failure' Audit System Integrity : data: 'Microsoft Windows Server 2008*': @@ -1307,7 +1057,7 @@ win_auditpol: tag: CIS-17.9.5 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit system integrity' is set to 'success and failure' + description: (L1) Ensure 'Audit System Integrity' is set to 'Success and Failure' win_reg: whitelist: @@ -1318,7 +1068,7 @@ win_reg: tag: CIS-18.2.2 match_output: 'Enabled' value_type: 'equal' - description: 'Ensure Do not allow password expiration time longer than required by policy is set to Enabled ' + description: (L1) Ensure 'Do not allow password expiration time longer than required by policy' is set to 'Enabled' (MS only) Enable Local Admin Password Management : data: 'Microsoft Windows Server 2008*': 
@@ -1326,7 +1076,7 @@ win_reg: tag: CIS-18.2.3 match_output: 'Enabled' value_type: 'equal' - description: 'Ensure Enable Local Admin Password Management is set to Enabled ' + description: (L1) Ensure 'Enable Local Admin Password Management' is set to 'Enabled' (MS only) Password Settings_ Password Complexity : data: 'Microsoft Windows Server 2008*': @@ -1334,7 +1084,7 @@ win_reg: tag: CIS-18.2.4 match_output: 'Enabled: Large letters + small letters + numbers + special characters' value_type: 'equal' - description: 'Ensure Password SettingS- Password Complexity is set to Enabled - Large letters + small letters + numbers + special characters ' + description: "(L1) Ensure 'Password Settings: Password Complexity' is set to 'Enabled: Large letters + small letters + numbers + special characters' (MS only)" Password Settings_ Password Length : data: 'Microsoft Windows Server 2008*': @@ -1342,7 +1092,7 @@ win_reg: tag: CIS-18.2.5 match_output: 'Enabled: 15 or more' value_type: 'equal' - description: 'Ensure Password SettingS- Password Length is set to Enabled - 15 or more ' + description: "(L1) Ensure 'Password Settings: Password Length' is set to 'Enabled: 15 or more' (MS only)" Password Settings_ Password Age : data: 'Microsoft Windows Server 2008*': @@ -1350,7 +1100,7 @@ win_reg: tag: CIS-18.2.6 match_output: 'Enabled: 30 or fewer' value_type: 'equal' - description: 'Ensure Password SettingS- Password Age is set to Enabled - 30 or fewer ' + description: "(L1) Ensure 'Password Settings: Password Age (Days)' is set to 'Enabled: 30 or fewer' (MS only)" MSS_DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing : data: 
@@ -1359,7 +1109,7 @@ win_reg: tag: CIS-18.3.2 match_output: 'Enabled' #: Highest protection, source routing is completely disabled' value_type: 'equal' - description: (l1) ensure 'mss - (disableipsourcerouting ipv6) ip source routing protection level (protects against packet spoofing)' is set to 'enabled - highest protection, source routing is completely disabled' + description: (L1) Ensure 'Mss - (disableipsourcerouting Ipv6) Ip Source Routing Protection Level (protects Against Packet Spoofing)' is set to 'enabled - highest protection, source routing is completely disabled' MSS_ IP source routing protection level protects against packet spoofing : data: 'Microsoft Windows Server 2008*': @@ -1367,7 +1117,7 @@ win_reg: tag: CIS-18.3.3 match_output: 'Enabled' #: Highest protection, source routing is completely disabled' value_type: 'equal' - description: (l1) ensure 'mss - (disableipsourcerouting) ip source routing protection level (protects against packet spoofing)' is set to 'enabled - highest protection, source routing is completely disabled' + description: (L1) Ensure 'Mss - (disableipsourcerouting) Ip Source Routing Protection Level (protects Against Packet Spoofing)' is set to 'enabled - highest protection, source routing is completely disabled' MSS_ Allow ICMP redirects to override OSPF generated routes : data: 'Microsoft Windows Server 2008*': @@ -1375,7 +1125,7 @@ win_reg: tag: CIS-18.3.4 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'mss - (enableicmpredirect) allow icmp redirects to override ospf generated routes' is set to 'disabled' + description: (L1) Ensure 'Mss - (enableicmpredirect) Allow Icmp Redirects To Override Ospf Generated Routes' is set to 'Disabled' MSS_ Allow the computer to ignore NetBIOS name release requests except from WINS servers : data: 'Microsoft Windows Server 2008*': 
@@ -1383,7 +1133,7 @@ win_reg: tag: CIS-18.3.6 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'mss - (nonamereleaseondemand) allow the computer to ignore netbios name release requests except from wins servers' is set to 'enabled' + description: (L1) Ensure 'Mss - (nonamereleaseondemand) Allow The Computer To Ignore Netbios Name Release Requests Except From Wins Servers' is set to 'Enabled' MSS_ Enable Safe DLL search mode : data: 'Microsoft Windows Server 2008*': @@ -1391,7 +1141,7 @@ win_reg: tag: CIS-18.3.8 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'mss - (safedllsearchmode) enable safe dll search mode (recommended)' is set to 'enabled' + description: (L1) Ensure 'Mss - (safedllsearchmode) Enable Safe Dll Search Mode (recommended)' is set to 'Enabled' MSS_ The time in seconds before the screen saver grace period expires : data: 'Microsoft Windows Server 2008*': @@ -1399,7 +1149,7 @@ win_reg: tag: CIS-18.3.9 match_output: 'Enabled: 5 or fewer seconds' value_type: 'equal' - description: (l1) ensure 'mss - (screensavergraceperiod) the time in seconds before the screen saver grace period expires (0 recommended)' is set to 'enabled - 5 or fewer seconds' + description: (L1) Ensure 'Mss - (screensavergraceperiod) The Time In Seconds Before The Screen Saver Grace Period Expires (0 Recommended)' is set to 'enabled - 5 or fewer seconds' MSS_ Percentage threshold for the security event log at which the system will generate a warning : data: 'Microsoft Windows Server 2008*': 
@@ -1407,15 +1157,7 @@ win_reg: tag: CIS-18.3.12 match_output: 'Enabled' #Enabled: 90% or less value_type: 'less' - description: (l1) ensure 'mss - (warninglevel) percentage threshold for the security event log at which the system will generate a warning' is set to 'enabled - 90% or less' - Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled : - data: - 'Microsoft Windows Server 2008*': - - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet\Disabled': - tag: CIS-18.4.9.2 - match_output: 'Enabled' - value_type: 'equal' - description: 'Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled' + description: "(L1) Ensure 'MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning' is set to 'Enabled: 90% or less'" Prohibit installation and configuration of Network Bridge on your DNS domain network : data: 'Microsoft Windows Server 2008*': @@ -1423,7 +1165,7 @@ win_reg: tag: CIS-18.4.10.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'prohibit installation and configuration of network bridge on your dns domain network' is set to 'enabled' + description: (L1) Ensure 'Prohibit Installation And Configuration Of Network Bridge On Your Dns Domain Network' is set to 'Enabled' Require domain users to elevate when setting a network : data: 'Microsoft Windows Server 2008*': 
@@ -1439,15 +1181,7 @@ win_reg: tag: CIS-18.4.13.1 match_output: 'Enabled' #with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' value_type: 'equal' - description: (l1) ensure 'hardened unc paths' is set to 'enabled, with "require mutual authentication" and "require integrity" set for all netlogon and sysvol shares' - Disable IPv6 : - data: - 'Microsoft Windows Server 2008*': - - 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters\DisabledComponents': - tag: CIS-18.4.18.2.1 - match_output: '255' - value_type: 'equal' - description: 'Disable IPv6 - Ensure TCPIP6 Parameter DisabledComponents is set to 0xff (255)' + description: (L1) Ensure 'Hardened Unc Paths' is set to 'enabled, with "require mutual authentication" and "require integrity" set for all netlogon and sysvol shares' Apply UAC restrictions to local accounts on network logons : data: 'Microsoft Windows Server 2008*': @@ -1463,7 +1197,7 @@ win_reg: tag: CIS-18.8.18.2 match_output: 'Enabled'# : FALSE' value_type: 'equal' - description: (l1) ensure 'configure registry policy processing - do not apply during periodic background processing' is set to 'enabled - false' + description: (L1) Ensure 'Configure Registry Policy Processing - Do Not Apply During Periodic Background Processing' is set to 'enabled - false' Configure registry policy processing_ Process even if the Group Policy objects have not changed : data: 'Microsoft Windows Server 2008*': @@ -1471,7 +1205,7 @@ win_reg: tag: CIS-18.8.18.3 match_output: 'Enabled' #: TRUE' value_type: 'equal' - description: (l1) ensure 'configure registry policy processing - process even if the group policy objects have not changed' is set to 'enabled - true' + description: (L1) Ensure 'Configure Registry Policy Processing - Process Even If The Group Policy Objects Have Not Changed' is set to 'enabled - true' Do not display network selection UI : data: 'Microsoft Windows Server 2008*': 
@@ -1495,7 +1229,7 @@ win_reg: tag: CIS-18.9.8.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'set the default behavior for autorun' is set to 'enabled - do not execute any autorun commands' + description: (L1) Ensure 'Set The Default Behavior For Autorun' is set to 'enabled - do not execute any autorun commands' Set the default behavior for AutoRun : data: 'Microsoft Windows Server 2008*': @@ -1503,7 +1237,7 @@ win_reg: tag: CIS-18.9.8.2 match_output: 'Enabled'# : Do not execute any autorun commands' value_type: 'equal' - description: (l1) ensure 'turn off autoplay' is set to 'enabled - all drives' + description: (L1) Ensure 'Turn Off Autoplay' is set to 'enabled - all drives' Turn off Autoplay : data: 'Microsoft Windows Server 2008*': @@ -1519,7 +1253,7 @@ win_reg: tag: CIS-18.9.13.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'enumerate administrator accounts on elevation' is set to 'disabled' + description: (L1) Ensure 'Enumerate Administrator Accounts On Elevation' is set to 'Disabled' Turn off desktop gadgets : data: 'Microsoft Windows Server 2008*': @@ -1527,7 +1261,7 @@ win_reg: tag: CIS-18.9.16.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'turn off desktop gadgets' is set to 'enabled' + description: (L1) Ensure 'Turn Off Desktop Gadgets' is set to 'Enabled' Turn off user-installed desktop gadgets : data: 'Microsoft Windows Server 2008*': @@ -1535,7 +1269,7 @@ win_reg: tag: CIS-18.9.16.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'turn off user-installed desktop gadgets' is set to 'enabled' + description: (L1) Ensure 'Turn Off User-installed Desktop Gadgets' is set to 'Enabled' Default Action and Mitigation Settings : data: 'Microsoft Windows Server 2008*': 
@@ -1543,7 +1277,7 @@ win_reg: tag: CIS-18.9.22.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'default action and mitigation settings' is set to 'enabled' (plus subsettings) + description: (L1) Ensure 'Default Action And Mitigation Settings' is set to 'Enabled' (plus subsettings) Default Protections for Internet Explorer : data: 'Microsoft Windows Server 2008*': @@ -1551,7 +1285,7 @@ win_reg: tag: CIS-18.9.22.3 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'default protections for internet explorer' is set to 'enabled' + description: (L1) Ensure 'Default Protections For Internet Explorer' is set to 'Enabled' Default Protections for Popular Software : data: 'Microsoft Windows Server 2008*': @@ -1559,7 +1293,7 @@ win_reg: tag: CIS-18.9.22.4 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'default protections for popular software' is set to 'enabled' + description: (L1) Ensure 'Default Protections For Popular Software' is set to 'Enabled' Default Protections for Recommended Software : data: 'Microsoft Windows Server 2008*': @@ -1567,7 +1301,7 @@ win_reg: tag: CIS-18.9.22.5 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'default protections for recommended software' is set to 'enabled' + description: (L1) Ensure 'Default Protections For Recommended Software' is set to 'Enabled' System ASLR : data: 'Microsoft Windows Server 2008*': @@ -1575,7 +1309,7 @@ win_reg: tag: CIS-18.9.22.6 match_output: 'Enabled'#: Application Opt-In' value_type: 'equal' - description: (l1) ensure 'system aslr' is set to 'enabled - application opt-in' + description: (L1) Ensure 'System Aslr' is set to 'enabled - application opt-in' System DEP : data: 'Microsoft Windows Server 2008*': 
@@ -1583,7 +1317,7 @@ win_reg: tag: CIS-18.9.22.7 match_output: 'Enabled'#: Application Opt-Out' value_type: 'equal' - description: (l1) ensure 'system dep' is set to 'enabled - application opt-out' + description: (L1) Ensure 'System Dep' is set to 'enabled - application opt-out' System SEHOP : data: 'Microsoft Windows Server 2008*': @@ -1591,7 +1325,7 @@ win_reg: tag: CIS-18.9.22.8 match_output: 'Enabled'#: Application Opt-Out' value_type: 'equal' - description: (l1) ensure 'system sehop' is set to 'enabled - application opt-out' + description: (L1) Ensure 'System Sehop' is set to 'enabled - application opt-out' Application_ Specify the maximum log file size : data: 'Microsoft Windows Server 2008*': @@ -1599,7 +1333,7 @@ win_reg: tag: CIS-18.9.24.1.2 match_output: 'Enabled'#_ 32768 or greater' value_type: 'equal' - description: (l1) ensure 'application - specify the maximum log file size (kb)' is set to 'enabled - 32,768 or greater' + description: (L1) Ensure 'Application - Specify The Maximum Log File Size (kb)' is set to 'enabled - 32,768 or greater' Security_ Specify the maximum log file size : data: 'Microsoft Windows Server 2008*': @@ -1607,7 +1341,7 @@ win_reg: tag: CIS-18.9.24.2.2 match_output: 'Enabled'#_ 196608 or greater' value_type: 'equal' - description: (l1) ensure 'security - specify the maximum log file size (kb)' is set to 'enabled - 196,608 or greater' + description: (L1) Ensure 'Security - Specify The Maximum Log File Size (kb)' is set to 'enabled - 196,608 or greater' Setup_ Specify the maximum log file size : data: 'Microsoft Windows Server 2008*': 
@@ -1615,7 +1349,7 @@ win_reg: tag: CIS-18.9.24.3.2 match_output: 'Enabled' # 32,768 or greater' value_type: 'equal' - description: (l1) ensure 'setup - specify the maximum log file size (kb)' is set to 'enabled - 32,768 or greater' + description: (L1) Ensure 'Setup - Specify The Maximum Log File Size (kb)' is set to 'enabled - 32,768 or greater' System_ Specify the maximum log file size : data: 'Microsoft Windows Server 2008*': @@ -1623,7 +1357,7 @@ win_reg: tag: CIS-18.9.24.4.2 match_output: 'Enabled'#_ 32768 or greater' value_type: 'equal' - description: (l1) ensure 'system - specify the maximum log file size (kb)' is set to 'enabled - 32,768 or greater' + description: (L1) Ensure 'System - Specify The Maximum Log File Size (kb)' is set to 'enabled - 32,768 or greater' Do not allow passwords to be saved : data: 'Microsoft Windows Server 2008*': @@ -1631,7 +1365,7 @@ win_reg: tag: CIS-18.9.48.2.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'do not allow passwords to be saved' is set to 'enabled' + description: (L1) Ensure 'Do Not Allow Passwords To Be Saved' is set to 'Enabled' Do not allow drive redirection : data: 'Microsoft Windows Server 2008*': @@ -1639,7 +1373,7 @@ win_reg: tag: CIS-18.9.48.3.3.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'do not allow drive redirection' is set to 'enabled' + description: (L1) Ensure 'Do Not Allow Drive Redirection' is set to 'Enabled' Always prompt for password upon connection : data: 'Microsoft Windows Server 2008*': @@ -1647,7 +1381,7 @@ win_reg: tag: CIS-18.9.48.3.9.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'always prompt for password upon connection' is set to 'enabled' + description: (L1) Ensure 'Always Prompt For Password Upon Connection' is set to 'Enabled' Require secure RPC communication : data: 'Microsoft Windows Server 2008*': 
@@ -1655,7 +1389,7 @@ win_reg: tag: CIS-18.9.48.3.9.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'require secure rpc communication' is set to 'enabled' + description: (L1) Ensure 'Require Secure Rpc Communication' is set to 'Enabled' Set client connection encryption level : data: 'Microsoft Windows Server 2008*': @@ -1663,7 +1397,7 @@ win_reg: tag: CIS-18.9.48.3.9.3 match_output: 'Enabled'#: High Level' value_type: 'equal' - description: (l1) ensure 'set client connection encryption level' is set to 'enabled - high level' + description: (L1) Ensure 'Set Client Connection Encryption Level' is set to 'enabled - high level' Prevent downloading of enclosures : data: 'Microsoft Windows Server 2008*': @@ -1671,7 +1405,7 @@ win_reg: tag: CIS-18.9.49.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'prevent downloading of enclosures' is set to 'enabled' + description: (L1) Ensure 'Prevent Downloading Of Enclosures' is set to 'Enabled' Configure Default consent : data: 'Microsoft Windows Server 2008*': @@ -1679,7 +1413,7 @@ win_reg: tag: CIS-18.9.67.2.1 match_output: 'Enabled'#: Always ask before sending data' value_type: 'equal' - description: (l1) ensure 'configure default consent' is set to 'enabled - always ask before sending data' + description: (L1) Ensure 'Configure Default Consent' is set to 'enabled - always ask before sending data' Disallow Digest authentication : data: 'Microsoft Windows Server 2008*': @@ -1687,7 +1421,7 @@ win_reg: tag: CIS-18.9.81.1.3 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'disallow digest authentication' is set to 'enabled' + description: (L1) Ensure 'Disallow Digest Authentication' is set to 'Enabled' Disallow WinRM from storing RunAs credentials : data: 'Microsoft Windows Server 2008*': 
@@ -1695,7 +1429,7 @@ win_reg: tag: CIS-18.9.81.2.3 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'disallow winrm from storing runas credentials' is set to 'enabled' + description: (L1) Ensure 'Disallow Winrm From Storing Runas Credentials' is set to 'Enabled' Configure Automatic Updates : data: 'Microsoft Windows Server 2008*': @@ -1703,7 +1437,7 @@ win_reg: tag: CIS-18.9.85.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'configure automatic updates' is set to 'enabled' + description: (L1) Ensure 'Configure Automatic Updates' is set to 'Enabled' Configure Automatic Updates_ Scheduled install day : data: 'Microsoft Windows Server 2008*': @@ -1711,15 +1445,15 @@ win_reg: tag: CIS-18.9.85.2 match_output: '0'# - Every day' value_type: 'equal' - description: (l1) ensure 'configure automatic updates - scheduled install day' is set to '0 - every day' + description: (L1) Ensure 'Configure Automatic Updates - Scheduled Install Day' is set to '0 - every day' Do Not Adjust Default Option To Install Updates and Shutdown Windows Dialog Box : data: 'Microsoft Windows Server 2008*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAUAsDefaultShutdownOption': tag: CIS-18.9.85.3 - match_output: '' + match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'do not adjust default option to 'install updates and shut down' in shut down windows dialog box' is set to 'disabled' + description: (L1) Ensure 'Do Not Adjust Default Option To 'install updates and shut down' in shut down windows dialog box' is set to 'Disabled' Do Not Display Install Updates and Shut Down Dialog Box : data: 'Microsoft Windows Server 2008*': 
@@ -1727,15 +1461,7 @@ win_reg: tag: CIS-18.9.85.4 match_output: '0'# - Every day' value_type: 'equal' - description: (l1) ensure 'do not display 'install updates and shut down' option in shut down windows dialog box' is set to 'disabled' - No Auto-Restart With Logged on Users for Scheduled Updates Installations : - data: - 'Microsoft Windows Server 2008*': - - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\U\NoAutoRebootWithLoggedOnUsers': - tag: CIS-18.9.85.5 - match_output: '0'# - Every day' - value_type: 'equal' - description: (l1) ensure 'no auto-restart with logged on users for scheduled automatic updates installations' is set to 'disabled' + description: (L1) Ensure 'Do Not Display 'install updates and shut down' option in shut down windows dialog box' is set to 'Disabled' Reschedule Automatic Updates Scheduled Installations : data: 'Microsoft Windows Server 2008*': @@ -1743,7 +1469,7 @@ win_reg: tag: CIS-18.9.85.6 match_output: '0'# - Every day' value_type: 'equal' - description: (l1) ensure 'reschedule automatic updates scheduled installations' is set to 'enabled - 1 minute' + description: (L1) Ensure 'Reschedule Automatic Updates Scheduled Installations' is set to 'enabled - 1 minute' Enable Screen Saver : data: 'Microsoft Windows Server 2008*': @@ -1751,7 +1477,7 @@ win_reg: tag: CIS-19.1.3.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'enable screen saver' is set to 'enabled' + description: (L1) Ensure 'Enable Screen Saver' is set to 'Enabled' Force specific screen saver_ Screen saver executable name : data: 'Microsoft Windows Server 2008*': 
@@ -1759,7 +1485,7 @@ win_reg: tag: CIS-19.1.3.2 match_output: 'Enabled'#: scrnsave.scr' value_type: 'equal' - description: (l1) ensure 'force specific screen saver - screen saver executable name' is set to 'enabled - scrnsave.scr' + description: (L1) Ensure 'Force Specific Screen Saver - Screen Saver Executable Name' is set to 'enabled - scrnsave.scr' Password protect the screen saver : data: 'Microsoft Windows Server 2008*': @@ -1767,7 +1493,7 @@ win_reg: tag: CIS-19.1.3.3 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'password protect the screen saver' is set to 'enabled' + description: (L1) Ensure 'Password Protect The Screen Saver' is set to 'Enabled' Screen saver timeout : data: 'Microsoft Windows Server 2008*': @@ -1775,7 +1501,7 @@ win_reg: tag: CIS-19.1.3.4 match_output: 'Enabled'#: 900 seconds or fewer, but not 0' value_type: 'equal' - description: (l1) ensure 'screen saver timeout' is set to 'enabled - 900 seconds or fewer, but not 0' + description: (L1) Ensure 'Screen Saver Timeout' is set to 'enabled - 900 seconds or fewer, but not 0' Notify antivirus programs when opening attachments : data: 'Microsoft Windows Server 2008*': @@ -1783,7 +1509,7 @@ win_reg: tag: CIS-19.7.4.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'notify antivirus programs when opening attachments' is set to 'enabled' + description: (L1) Ensure 'Notify Antivirus Programs When Opening Attachments' is set to 'Enabled' Prevent users from sharing files within their profile. : data: 'Microsoft Windows Server 2008*': @@ -1791,7 +1517,7 @@ win_reg: tag: CIS-19.7.25.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'prevent users from sharing files within their profile.' is set to 'enabled' + description: (L1) Ensure 'Prevent Users From Sharing Files Within Their Profile.' is set to 'Enabled' blacklist: MSS_ Enable Automatic Logon : 
@@ -1801,23 +1527,7 @@ win_reg: tag: CIS-18.3.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'mss - (autoadminlogon) enable automatic logon (not recommended)' is set to 'disabled' - Ensure Turn on Mapper I/O driver is set to Disabled : - data: - 'Microsoft Windows Server 2008*': - - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD\AllowLLTDIOOnDomain': - tag: CIS-18.4.8.1 - match_output: 'Enabled' - value_type: 'equal' - description: 'Ensure Turn on Mapper I/O (LLTDIO) driver is set to Disabled' - Ensure Turn on Responder (RSPNDR) driver is set to Disabled : - data: - 'Microsoft Windows Server 2008*': - - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD\AllowRspndrOnDomain': - tag: CIS-18.4.8.2 - match_output: 'Enabled' - value_type: 'equal' - description: 'Ensure Turn on Responder (RSPNDR) driver is set to Disabled' + description: "(L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'" WDigest Authentication : data: 'Microsoft Windows Server 2008*': @@ -1841,7 +1551,7 @@ win_reg: tag: CIS-18.8.5.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'allow remote access to the plug and play interface' is set to 'disabled' + description: (L1) Ensure 'Allow Remote Access To The Plug And Play Interface' is set to 'Disabled' Turn off background refresh of Group Policy : data: 'Microsoft Windows Server 2008*': 
@@ -1849,23 +1559,7 @@ win_reg: tag: CIS-18.8.18.4 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'turn off background refresh of group policy' is set to 'disabled' - Enumerate local users on domain-joined computers : - data: - 'Microsoft Windows Server 2008*': - - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\EnumerateLocalUsers': - tag: CIS-18.8.24.3 - match_output: 'Disabled' - value_type: 'equal' - description: 'Ensure Enumerate local users on domain-joined computers is set to Disabled' - Turn on convenience PIN sign-in : - data: - 'Microsoft Windows Server 2008*': - - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\AllowDomainPINLogon': - tag: CIS-18.8.24.5 - match_output: 'Disabled' - value_type: 'equal' - description: 'Ensure Turn on convenience PIN sign-in is set to Disabled' + description: (L1) Ensure 'Turn Off Background Refresh Of Group Policy' is set to 'Disabled' Configure Offer Remote Assistance : data: 'Microsoft Windows Server 2008*': @@ -1873,7 +1567,7 @@ win_reg: tag: CIS-18.8.30.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'configure offer remote assistance' is set to 'disabled' + description: (L1) Ensure 'Configure Offer Remote Assistance' is set to 'Disabled' Configure Solicited Remote Assistance : data: 'Microsoft Windows Server 2008*': @@ -1881,7 +1575,7 @@ win_reg: tag: CIS-18.8.30.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'configure solicited remote assistance' is set to 'disabled' + description: (L1) Ensure 'Configure Solicited Remote Assistance' is set to 'Disabled' Enumerate administrator accounts on elevation : data: 'Microsoft Windows Server 2008*': 
@@ -1897,7 +1591,7 @@ win_reg: tag: CIS-18.9.24.1.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'application - control event log behavior when the log file reaches its maximum size' is set to 'disabled' + description: (L1) Ensure 'Application - Control Event Log Behavior When The Log File Reaches Its Maximum Size' is set to 'Disabled' Security_ Control Event Log behavior when the log file reaches its maximum size : data: 'Microsoft Windows Server 2008*': @@ -1905,7 +1599,7 @@ win_reg: tag: CIS-18.9.24.2.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'security - control event log behavior when the log file reaches its maximum size' is set to 'disabled' + description: (L1) Ensure 'Security - Control Event Log Behavior When The Log File Reaches Its Maximum Size' is set to 'Disabled' Setup_ Control Event Log behavior when the log file reaches its maximum size : data: 'Microsoft Windows Server 2008*': @@ -1913,7 +1607,7 @@ win_reg: tag: CIS-18.9.24.3.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'setup - control event log behavior when the log file reaches its maximum size' is set to 'disabled' + description: (L1) Ensure 'Setup - Control Event Log Behavior When The Log File Reaches Its Maximum Size' is set to 'Disabled' System_ Control Event Log behavior when the log file reaches its maximum size : data: 'Microsoft Windows Server 2008*': @@ -1921,7 +1615,7 @@ win_reg: tag: CIS-18.9.24.4.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'system - control event log behavior when the log file reaches its maximum size' is set to 'disabled' + description: (L1) Ensure 'System - Control Event Log Behavior When The Log File Reaches Its Maximum Size' is set to 'Disabled' Turn off Data Execution Prevention for Explorer : data: 'Microsoft Windows Server 2008*': 
@@ -1929,7 +1623,7 @@ win_reg: tag: CIS-18.9.28.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'turn off heap termination on corruption' is set to 'disabled' + description: (L1) Ensure 'Turn Off Heap Termination On Corruption' is set to 'Disabled' Turn off heap termination on corruption : data: 'Microsoft Windows Server 2008*': @@ -1937,7 +1631,7 @@ win_reg: tag: CIS-18.9.28.3 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'turn off shell protocol protected mode' is set to 'disabled' + description: (L1) Ensure 'Turn Off Shell Protocol Protected Mode' is set to 'Disabled' Turn off shell protocol protected mode : data: 'Microsoft Windows Server 2008*': @@ -1953,7 +1647,7 @@ win_reg: tag: CIS-18.9.48.3.11.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'do not delete temp folders upon exit' is set to 'disabled' + description: (L1) Ensure 'Do Not Delete Temp Folders Upon Exit' is set to 'Disabled' Do not use temporary folders per session : data: 'Microsoft Windows Server 2008*': @@ -1961,7 +1655,7 @@ win_reg: tag: CIS-18.9.48.3.11.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'do not use temporary folders per session' is set to 'disabled' + description: (L1) Ensure 'Do Not Use Temporary Folders Per Session' is set to 'Disabled' Allow indexing of encrypted files : data: 'Microsoft Windows Server 2008*': @@ -1969,7 +1663,7 @@ win_reg: tag: CIS-18.9.50.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'allow indexing of encrypted files' is set to 'disabled' + description: (L1) Ensure 'Allow Indexing Of Encrypted Files' is set to 'Disabled' Allow user control over installs : data: 'Microsoft Windows Server 2008*': 
@@ -1977,7 +1671,7 @@ win_reg: tag: CIS-18.9.69.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'allow user control over installs' is set to 'disabled' + description: (L1) Ensure 'Allow User Control Over Installs' is set to 'Disabled' Always install with elevated privileges : data: 'Microsoft Windows Server 2008*': @@ -1985,7 +1679,7 @@ win_reg: tag: CIS-18.9.69.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'always install with elevated privileges' is set to 'disabled' + description: (L1) Ensure 'Always Install With Elevated Privileges' is set to 'Disabled' Turn on PowerShell Script Block Logging : data: 'Microsoft Windows Server 2008*': @@ -1993,7 +1687,7 @@ win_reg: tag: CIS-18.9.79.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'turn on powershell script block logging' is set to 'disabled' + description: (L1) Ensure 'Turn On Powershell Script Block Logging' is set to 'Disabled' Turn on PowerShell Transcription : data: 'Microsoft Windows Server 2008*': 
@@ -2001,47 +1695,47 @@ win_reg: tag: CIS-18.9.79.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'turn on powershell transcription' is set to 'disabled' - Allow Basic authentication : + description: (L1) Ensure 'Turn On Powershell Transcription' is set to 'Disabled' + Allow Basic authentication winrm client: data: 'Microsoft Windows Server 2008*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowBasic': tag: CIS-18.9.81.1.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'allow basic authentication' is set to 'disabled' - Allow unencrypted traffic : + description: (L1) Ensure 'Allow Basic Authentication' is set to 'Disabled' + Allow unencrypted traffic winrm client: data: 'Microsoft Windows Server 2008*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic': tag: CIS-18.9.81.1.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'allow unencrypted traffic' is set to 'disabled' - Allow Basic authentication : + description: (L1) Ensure 'Allow Unencrypted Traffic' is set to 'Disabled' + Allow Basic authentication winrm server: data: 'Microsoft Windows Server 2008*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\AllowBasic': tag: CIS-18.9.81.2.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'allow basic authentication' is set to 'disabled' - Allow unencrypted traffic : + description: (L1) Ensure 'Allow Basic Authentication' is set to 'Disabled' + Allow unencrypted traffic winrm server: data: 'Microsoft Windows Server 2008*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic': tag: CIS-18.9.81.2.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'allow unencrypted traffic' is set to 'disabled' + description: (L1) Ensure 'Allow Unencrypted Traffic' is set to 'Disabled' No auto-restart with logged on users for 
scheduled automatic updates installations : data: 'Microsoft Windows Server 2008*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsers': - tag: CIS-18.9.85.3 + tag: CIS-18.9.85.5 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'do not adjust default option to 'install updates and shut down' in shut down windows dialog box' is set to 'disabled' + description: (L1) Ensure 'No Auto-restart With Logged On Users For Scheduled Automatic Updates Installations' is set to 'Disabled' Do not preserve zone information in file attachments : data: 'Microsoft Windows Server 2008*': @@ -2049,15 +1743,15 @@ win_reg: tag: CIS-19.7.4.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'do not preserve zone information in file attachments' is set to 'disabled' - Always install with elevated privileges : + description: (L1) Ensure 'Do Not Preserve Zone Information In File Attachments' is set to 'Disabled' + Always install with elevated privileges user: data: 'Microsoft Windows Server 2008*': - 'HKEY_USERS\\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated': tag: CIS-19.7.37.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'always install with elevated privileges' is set to 'disabled' + description: (L1) Ensure 'Always Install With Elevated Privileges' is set to 'Disabled' win_pkg: @@ -2069,7 +1763,7 @@ win_pkg: tag: CIS-18.9.22.1 match_output: '5.4' value_type: 'more' - description: (l1) ensure 'emet 5.5' or higher is installed + description: (L1) Ensure 'Emet 5.5' or higher is installed LAPS AdmPwd GPO Extension / CSE is installed : data: 'Microsoft Windows Server 2008*': 
@@ -2077,4 +1771,247 @@ win_pkg: tag: CIS-18.2.1 match_output: 'Local Administrator Password Solution' value_type: 'equal' - description: 'Ensure LAPS AdmPwd GPO Extension / CSE is installed ' + description: '(L1) Ensure LAPS AdmPwd GPO Extension / CSE is installed (MS only)' + +win_firewall: + whitelist: + windows_firewall_domain_firewall_state : + data: + 'Microsoft Windows Server 2008*': + - 'Enabled': + tag: CIS-9.1.1 + match_output: 'True' + value_type: 'domain' + description: "(L1) Ensure 'Windows Firewall: Domain - Firewall State' is set to 'on (recommended)'" + windows_firewall_domain_inbound_connections : + data: + 'Microsoft Windows Server 2008*': + - 'DefaultInboundAction': + tag: CIS-9.1.2 + match_output: 'Block' + value_type: 'domain' + description: "(L1) Ensure 'Windows Firewall: Domain - Inbound Connections' is set to 'block (default)'" + windows_firewall_domain_outbound_connections : + data: + 'Microsoft Windows Server 2008*': + - 'DefaultOutboundAction': + tag: CIS-9.1.3 + match_output: 'Allow' + value_type: 'domain' + description: "(L1) Ensure 'Windows Firewall: Domain - Outbound Connections' is set to 'allow (default)'" + windows_firewall_domain_settings_display_a_notification : + data: + 'Microsoft Windows Server 2008*': + - 'NotifyOnListen': + tag: CIS-9.1.4 + match_output: 'False' + value_type: 'domain' + description: "(L1) Ensure 'Windows Firewall: Domain - Settings - Display A Notification' is set to 'no'" + windows_firewall_domain_settings_apply_local_firewall_rules : + data: + 'Microsoft Windows Server 2008*': + - 'AllowLocalFirewallRules': + tag: CIS-9.1.5 + match_output: 'True' + value_type: 'domain' + description: "(L1) Ensure 'Windows Firewall: Domain - Settings - Apply Local Firewall Rules' is set to 'yes (default)'" + windows_firewall_domain_settings_apply_local_connection_security_rules : + data: + 'Microsoft Windows Server 2008*': + - 'AllowLocalIPsecRules': + tag: CIS-9.1.6 + match_output: 'True' + value_type: 'domain' + 
description: "(L1) Ensure 'Windows Firewall: Domain - Settings - Apply Local Connection Security Rules' is set to 'yes (default)'" + windows_firewall_domain_logging_name : + data: + 'Microsoft Windows Server 2008*': + - 'LogFileName': + tag: CIS-9.1.7 + match_output: '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log' + value_type: 'domain' + description: "(L1) Ensure 'Windows Firewall: Domain - Logging - Name' is set to '%systemroot%\\system32\\logfiles\\firewall\\domainfw.log'" + windows_firewall_domain_logging_size_limit : + data: + 'Microsoft Windows Server 2008*': + - 'LogMaxSizeKilobytes': + tag: CIS-9.1.8 + match_output: '16384' + value_type: 'domain' + description: "(L1) Ensure 'Windows Firewall: Domain - Logging - Size Limit (kb)' is set to '16,384 kb or greater'" + windows_firewall_domain_logging_log_dropped_packets : + data: + 'Microsoft Windows Server 2008*': + - 'LogBlocked': + tag: CIS-9.1.9 + match_output: 'True' + value_type: 'domain' + description: "(L1) Ensure 'Windows Firewall: Domain - Logging - Log Dropped Packets' is set to 'yes'" + windows_firewall_domain_logging_log_successful_connections : + data: + 'Microsoft Windows Server 2008*': + - 'LogAllowed': + tag: CIS-9.1.10 + match_output: 'True' + value_type: 'domain' + description: "(L1) Ensure 'Windows Firewall: Domain - Logging - Log Successful Connections' is set to 'yes'" + windows_firewall_private_firewall_state : + data: + 'Microsoft Windows Server 2008*': + - 'Enabled': + tag: CIS-9.2.1 + match_output: 'True' + value_type: 'private' + description: "(L1) Ensure 'Windows Firewall: Private - Firewall State' is set to 'on (recommended)'" + windows_firewall_private_inbound_connections : + data: + 'Microsoft Windows Server 2008*': + - 'DefaultInboundAction': + tag: CIS-9.2.2 + match_output: 'Block' + value_type: 'private' + description: "(L1) Ensure 'Windows Firewall: Private - Inbound Connections' is set to 'block (default)'" + windows_firewall_private_outbound_connections : + data: + 
'Microsoft Windows Server 2008*': + - 'DefaultOutboundAction': + tag: CIS-9.2.3 + match_output: 'Allow' + value_type: 'private' + description: "(L1) Ensure 'Windows Firewall: Private - Outbound Connections' is set to 'allow (default)'" + windows_firewall_private_settings_display_a_notification : + data: + 'Microsoft Windows Server 2008*': + - 'NotifyOnListen': + tag: CIS-9.2.4 + match_output: 'False' + value_type: 'private' + description: "(L1) Ensure 'Windows Firewall: Private - Settings - Display A Notification' is set to 'no'" + windows_firewall_private_settings_apply_local_firewall_rules : + data: + 'Microsoft Windows Server 2008*': + - 'AllowLocalFirewallRules': + tag: CIS-9.2.5 + match_output: 'True' + value_type: 'private' + description: "(L1) Ensure 'Windows Firewall: Private - Settings - Apply Local Firewall Rules' is set to 'yes (default)'" + windows_firewall_private_settings_apply_local_connection_security_rules : + data: + 'Microsoft Windows Server 2008*': + - 'AllowLocalIPsecRules': + tag: CIS-9.2.6 + match_output: 'True' + value_type: 'private' + description: "(L1) Ensure 'Windows Firewall: Private - Settings - Apply Local Connection Security Rules' is set to 'yes (default)'" + windows_firewall_private_logging_name : + data: + 'Microsoft Windows Server 2008*': + - 'LogFileName': + tag: CIS-9.2.7 + match_output: '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log' + value_type: 'private' + description: "(L1) Ensure 'Windows Firewall: Private - Logging - Name' is set to '%systemroot%\\system32\\logfiles\\firewall\\privatefw.log'" + windows_firewall_private_logging_size_limit : + data: + 'Microsoft Windows Server 2008*': + - 'LogMaxSizeKilobytes': + tag: CIS-9.2.8 + match_output: '16384' + value_type: 'private' + description: "(L1) Ensure 'Windows Firewall: Private - Logging - Size Limit (kb)' is set to '16,384 kb or greater'" + windows_firewall_private_logging_log_dropped_packets : + data: + 'Microsoft Windows Server 2008*': + - 'LogBlocked': + tag: 
CIS-9.2.9 + match_output: 'True' + value_type: 'private' + description: "(L1) Ensure 'Windows Firewall: Private - Logging - Log Dropped Packets' is set to 'yes'" + windows_firewall_private_logging_log_successful_connections : + data: + 'Microsoft Windows Server 2008*': + - 'LogAllowed': + tag: CIS-9.2.10 + match_output: 'True' + value_type: 'private' + description: "(L1) Ensure 'Windows Firewall: Private - Logging - Log Successful Connections' is set to 'yes'" + windows_firewall_public_firewall_state : + data: + 'Microsoft Windows Server 2008*': + - 'Enabled': + tag: CIS-9.3.1 + match_output: 'True' + value_type: 'public' + description: "(L1) Ensure 'Windows Firewall: Public: Firewall State' is set to 'on (recommended)'" + windows_firewall_public_inbound_connections : + data: + 'Microsoft Windows Server 2008*': + - 'DefaultInboundAction': + tag: CIS-9.3.2 + match_output: 'Block' + value_type: 'public' + description: "(L1) Ensure 'Windows Firewall: Public: Inbound Connections' is set to 'block (default)'" + windows_firewall_public_outbound_connections : + data: + 'Microsoft Windows Server 2008*': + - 'DefaultOutboundAction': + tag: CIS-9.3.3 + match_output: 'Allow' + value_type: 'public' + description: "(L1) Ensure 'Windows Firewall: Public: Outbound Connections' is set to 'allow (default)'" + windows_firewall_public_settings_display_a_notification : + data: + 'Microsoft Windows Server 2008*': + - 'NotifyOnListen': + tag: CIS-9.3.4 + match_output: 'True' + value_type: 'public' + description: "(L1) Ensure 'Windows Firewall: Public: Settings: Display A Notification' is set to 'yes'" + windows_firewall_public_settings_apply_local_firewall_rules : + data: + 'Microsoft Windows Server 2008*': + - 'AllowLocalFirewallRules': + tag: CIS-9.3.5 + match_output: 'False' + value_type: 'public' + description: "(L1) Ensure 'Windows Firewall: Public: Settings: Apply Local Firewall Rules' is set to 'no'" + windows_firewall_public_settings_apply_local_connection_security_rules : + 
data: + 'Microsoft Windows Server 2008*': + - 'AllowLocalIPsecRules': + tag: CIS-9.3.6 + match_output: 'False' + value_type: 'public' + description: "(L1) Ensure 'Windows Firewall: Public: Settings: Apply Local Connection Security Rules' is set to 'no'" + windows_firewall_public_logging_name : + data: + 'Microsoft Windows Server 2008*': + - 'LogFileName': + tag: CIS-9.3.7 + match_output: '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log' + value_type: 'public' + description: "(L1) Ensure 'Windows Firewall: Public: Logging: Name' is set to '%systemroot%\\system32\\logfiles\\firewall\\publicfw.log'" + windows_firewall_public_logging_size_limit_(kb : + data: + 'Microsoft Windows Server 2008*': + - 'LogMaxSizeKilobytes': + tag: CIS-9.3.8 + match_output: '16384' + value_type: 'public' + description: "(L1) Ensure 'Windows Firewall: Public: Logging: Size Limit (kb)' is set to '16,384 kb or greater'" + windows_firewall_public_logging_log_dropped_packets : + data: + 'Microsoft Windows Server 2008*': + - 'LogBlocked': + tag: CIS-9.3.9 + match_output: 'True' + value_type: 'public' + description: "(L1) Ensure 'Windows Firewall: Public: Logging: Log dropped packets' is set to 'Yes'" + windows_firewall_public_logging_log_successful_connections : + data: + 'Microsoft Windows Server 2008*': + - 'LogAllowed': + tag: CIS-9.3.10 + match_output: 'True' + value_type: 'public' + description: "(L1) Ensure 'Windows Firewall: Public: Logging: Log Successful Connections' is set to 'yes'" \ No newline at end of file diff --git a/hubblestack_nova_profiles/cis/windows-2012r2-level-1-scored-v1-0-0.yaml b/hubblestack_nova_profiles/cis/windows-2012r2-level-1-scored-v1-0-0.yaml new file mode 100644 index 0000000..dced8d3 --- /dev/null +++ b/hubblestack_nova_profiles/cis/windows-2012r2-level-1-scored-v1-0-0.yaml 
@@ -0,0 +1,2178 @@ +# NOTE: This CIS Profile only includes Level 1 Scored Items for Windows 2012 +# NOTE: Within this file, there are a few sections that should be tailored to your +# organization's specific policy. Search for '# NOTE: ' comments throughout the file +# NOTE: The value_types are as follows: +# 1) more = more than the number located in match_output. *Must be a number* +# 2) less = less than the number located in match_output. *Must be a number* +# 3) equal = equal to the item located in match_output. *Does not need to be a number* +# 4) account = Match account names. *Must be account names only* +# 5) configured = Must be set to company specific information. *Cannot be blank or default* + + + +win_secedit: + whitelist: + password_history_size: + data: + 'Microsoft Windows Server 2012*': + - 'PasswordHistorySize': + tag: CIS-1.1.1 + match_output: '23' + value_type: 'more' + description: 'Encorce password history must be set to 24 or more' + maximum_password_age: + data: + 'Microsoft Windows Server 2012*': + - 'MaximumPasswordAge': + tag: CIS-1.1.2 + match_output: '61' + value_type: 'less' + description: 'Set Maximum password age to 60 or fewer days but not 0' + minimum_password_age: + data: + 'Microsoft Windows Server 2012*': + - 'MinimumPasswordAge': + tag: CIS-1.1.3 + match_output: '1' + value_type: 'more' + description: 'Minimum password age must be set to 1 or more' + minimum_password_length: + data: + 'Microsoft Windows Server 2012*': + - 'MinimumPasswordLength': + tag: CIS-1.1.4 + match_output: '14' + value_type: 'more' + description: 'Minimum password length must be set to 14 or more' + password_complexity: + data: + 'Microsoft Windows Server 2012*': + - 'PasswordComplexity': + tag: CIS-1.1.5 + match_output: '1' + value_type: 'equal' + description: 'Password complexity requirements must be set to Enabled' + reversible_encryption: + data: + 'Microsoft Windows Server 2012*': + - 'ClearTextPassword': + tag: CIS-1.1.6 + match_output: '0' + 
value_type: 'equal' + description: 'Store passwords using reversible encryption must be set to Disabled' + lockout_duration: + data: + 'Microsoft Windows Server 2012*': + - 'LockoutDuration': + tag: CIS-1.2.1 + match_output: '14' + value_type: 'more' + description: 'Account lockout duration must be set to 15 or more' + lockout_threshold: + data: + 'Microsoft Windows Server 2012*': + - 'LockoutBadCount': + tag: CIS-1.2.2 + match_output: '11' + value_type: 'less' + description: 'Account lockout threshold must be set to 10 or less' + reset_lockout_counter: + data: + 'Microsoft Windows Server 2012*': + - 'ResetLockoutCount': + tag: CIS-1.2.3 + match_output: '14' + value_type: 'more' + description: 'Reset account lockout counter after must be set to 15 or more' + access_from_network: + data: + 'Microsoft Windows Server 2012*': + - 'SeNetworkLogonRight': + tag: CIS-2.2.2 + match_output: 'Administrators, Authenticated Users' + value_type: 'account' + description: 'Access this computer from the network must be set to Administrators Authenticated Users only' + adjust_memory_quotas: + data: + 'Microsoft Windows Server 2012*': + - 'SeIncreaseQuotaPrivilege': + tag: CIS-2.2.5 + match_output: 'Administrators, LOCAL SERVICE, NETWORK SERVICE' + value_type: 'match' + description: 'Adjust memory quotas for a proccess must be set to Administrators LOCAL and NETOWORK SERVICE' + allow_logon_locally: + data: + 'Microsoft Windows Server 2012*': + - 'SeInteractiveLogonRight': + tag: CIS-2.2.6 + match_output: 'Administrators' + value_type: 'account' + description: 'Allow log on locally must be set to Administrators' + allow_log_on_through_remote_desktop_services : + data: + 'Microsoft Windows Server 2012*': + - 'SeRemoteInteractiveLogonRight': + tag: CIS-2.2.7 + match_output: Administrators + value_type: 'account' + description: 'Allow log on through Remote Desktop Services' + back_up_files_and_directories : + data: + 'Microsoft Windows Server 2012*': + - 'SeBackupPrivilege': + tag: 
CIS-2.2.8 + match_output: 'Administrators' + value_type: 'account' + description: 'Back up files and directories' + change_the_system_time : + data: + 'Microsoft Windows Server 2012*': + - 'Changethesystemtime': + tag: CIS-2.2.9 + match_output: 'Administrators, LOCAL SERVICE' + value_type: 'account' + description: 'Change the system time' + change_the_time_zone : + data: + 'Microsoft Windows Server 2012*': + - 'SeSystemtimePrivilege': + tag: CIS-2.2.10 + match_output: 'Administrators, LOCAL SERVICE' + value_type: 'account' + description: 'Change the time zone' + create_a_pagefile : + data: + 'Microsoft Windows Server 2012*': + - 'SeCreatePagefilePrivilege': + tag: CIS-2.2.11 + match_output: 'Administrators' + value_type: 'account' + description: 'Create a pagefile' + create_global_objects : + data: + 'Microsoft Windows Server 2012*': + - 'SeCreateGlobalPrivilege': + tag: CIS-2.2.13 + match_output: 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' + value_type: 'account' + description: 'Create global objects' + create_symbolic_links : + data: + 'Microsoft Windows Server 2012*': + - 'SeCreateSymbolicLinkPrivilege': + tag: CIS-2.2.15 + match_output: 'Administrators' + value_type: 'account' + description: 'Create symbolic links' + debug_programs : + data: + 'Microsoft Windows Server 2012*': + - 'SeDebugPrivilege': + tag: CIS-2.2.16 + match_output: 'Administrators' + value_type: 'account' + description: 'Debug programs' + deny_access_to_this_computer_from_the_network : + data: + 'Microsoft Windows Server 2012*': + - 'SeDenyNetworkLogonRight': + tag: CIS-2.2.17 + match_output: 'Guests' + value_type: 'account' + description: 'Deny access to this computer from the network' + deny_log_on_as_a_batch_job : + data: + 'Microsoft Windows Server 2012*': + - 'SeDenyBatchLogonRight': + tag: CIS-2.2.18 + match_output: 'Guests' + value_type: 'account' + description: 'Deny log on as a batch job' + deny_log_on_as_a_service : + data: + 'Microsoft Windows Server 2012*': + - 
'SeDenyServiceLogonRight': + tag: CIS-2.2.19 + match_output: 'Guests' + value_type: 'account' + description: 'Deny log on as a service' + deny_log_on_locally : + data: + 'Microsoft Windows Server 2012*': + - 'SeDenyInteractiveLogonRight': + tag: CIS-2.2.20 + match_output: 'Guests' + value_type: 'account' + description: 'Deny log on locally' + deny_log_on_through_remote_desktop_services : + data: + 'Microsoft Windows Server 2012*': + - 'SeDenyRemoteInteractiveLogonRight': + tag: CIS-2.2.21 + match_output: 'Guests, LOCAL SERVICE' + value_type: 'account' + description: 'Deny log on through Remote Desktop Services' + force_shutdown_from_a_remote_system : + data: + 'Microsoft Windows Server 2012*': + - 'SeRemoteShutdownPrivilege': + tag: CIS-2.2.23 + match_output: 'Administrators' + value_type: 'account' + description: 'Force shutdown from a remote system' + generate_security_audits : + data: + 'Microsoft Windows Server 2012*': + - 'SeAuditPrivilege': + tag: CIS-2.2.24 + match_output: 'LOCAL SERVICE, NETWORK SERVICE' + value_type: 'account' + description: 'Generate security audits' + impersonate_a_client_after_authentication : + data: + 'Microsoft Windows Server 2012*': + - 'SeImpersonatePrivilege': + tag: CIS-2.2.25 + match_output: 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' + value_type: 'account' + description: 'Impersonate a client after authentication' + increase_scheduling_priority : + data: + 'Microsoft Windows Server 2012*': + - 'SeIncreaseBasePriorityPrivilege': + tag: CIS-2.2.26 + match_output: 'Administrators' + value_type: 'account' + description: 'Increase scheduling priority' + load_and_unload_device_drivers : + data: + 'Microsoft Windows Server 2012*': + - 'SeLoadDriverPrivilege': + tag: CIS-2.2.27 + match_output: 'Administrators' + value_type: 'account' + description: 'Load and unload device drivers' + manage_auditing_and_security_log : + data: + 'Microsoft Windows Server 2012*': + - 'SeSecurityPrivilege': + tag: CIS-2.2.30 + match_output: 
'*S-1-5-32-544' #Administrators + value_type: 'account' + description: 'Manage auditing and security log' + modify_firmware_environment_values : + data: + 'Microsoft Windows Server 2012*': + - 'SeSystemEnvironmentPrivilege': + tag: CIS-2.2.32 + match_output: 'Administrators' + value_type: 'account' + description: 'Modify firmware environment values' + perform_volume_maintenance_tasks : + data: + 'Microsoft Windows Server 2012*': + - 'SeManageVolumePrivilege': + tag: CIS-2.2.33 + match_output: 'Administrators' + value_type: 'account' + description: 'Perform volume maintenance tasks' + profile_single_process : + data: + 'Microsoft Windows Server 2012*': + - 'SeProfileSingleProcessPrivilege': + tag: CIS-2.2.34 + match_output: 'Administrators' + value_type: 'account' + description: 'Profile single process' + profile_system_performance : + data: + 'Microsoft Windows Server 2012*': + - 'SeSystemProfilePrivilege': + tag: CIS-2.2.35 + match_output: 'Administrators, NT SERVICE\WdiServiceHost' + value_type: 'account' + description: 'Profile system performance' + replace_a_process_level_token : + data: + 'Microsoft Windows Server 2012*': + - 'SeAssignPrimaryTokenPrivilege': + tag: CIS-2.2.36 + match_output: 'LOCAL SERVICE, NETWORK SERVICE' + value_type: 'account' + description: 'Replace a process level token' + restore_files_and_directories : + data: + 'Microsoft Windows Server 2012*': + - 'SeRestorePrivilege': + tag: CIS-2.2.37 + match_output: 'Administrators' + value_type: 'account' + description: 'Restore files and directories' + shut_down_the_system : + data: + 'Microsoft Windows Server 2012*': + - 'SeShutdownPrivilege': + tag: CIS-2.2.38 + match_output: 'Administrators' + value_type: 'account' + description: 'Shut down the system' + take_ownership_of_files_or_other_objects : + data: + 'Microsoft Windows Server 2012*': + - 'SeTakeOwnershipPrivilege': + tag: CIS-2.2.40 + match_output: 'Administrators' + value_type: 'account' + description: 'Take ownership of files or other 
objects' + accounts_administrator_account_status : + data: + 'Microsoft Windows Server 2012*': + - 'EnableAdminAccount': + tag: CIS-2.3.1.1 + match_output: '0' + value_type: 'equal' + description: 'Accounts Administrator account status' + accounts_block_microsoft_accounts : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoConnectedUser': + tag: CIS-2.3.1.2 + match_output: 'users cant add or log on with microsoft accounts' + value_type: 'equal' + description: 'Accounts Block Microsoft accounts' + accounts_guest_account_status : + data: + 'Microsoft Windows Server 2012*': + - 'EnableGuestAccount': + tag: CIS-2.3.1.3 + match_output: 'Disabled' + value_type: 'equal' + description: 'Accounts Guest account status' + accounts_limit_local_account_use_of_blank_passwords_to_console_logon_only : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse': + tag: CIS-2.3.1.4 + match_output: 'Enabled' + value_type: 'equal' + description: 'Accounts Limit local account use of blank passwords to console logon only' + audit_force_audit_policy_subcategory_settings_to_override_audit_policy_category_settings : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy': + tag: CIS-2.3.2.1 + match_output: 'Enabled' + value_type: 'equal' + description: 'Audit Force audit policy subcategory settings to override audit policy category settings' + audit_shut_down_system_immediately_if_unable_to_log_security_audits : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail': + tag: CIS-2.3.2.2 + match_output: 'Disabled' + value_type: 'equal' + description: 'Audit Shut down system immediately if unable to log security audits' + devices_allowed_to_format_and_eject_removable_media : + data: + 'Microsoft Windows Server 2012*': + - 
'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD': + tag: CIS-2.3.4.1 + match_output: 'Administrators' + value_type: 'equal' + description: 'Devices Allowed to format and eject removable media' + devices_prevent_users_from_installing_printer_drivers : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers': + tag: CIS-2.3.4.2 + match_output: 'Enabled' + value_type: 'equal' + description: 'Devices Prevent users from installing printer drivers' + domain_member_digitally_encrypt_or_sign_secure_channel_data_ : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal': + tag: CIS-2.3.6.1 + match_output: 'Enabled' + value_type: 'equal' + description: 'Domain member Digitally encrypt or sign secure channel data ' + domain_member_digitally_encrypt_secure_channel_data : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel': + tag: CIS-2.3.6.2 + match_output: 'Enabled' + value_type: 'equal' + description: 'Domain member Digitally encrypt secure channel data ' + domain_member_digitally_sign_secure_channel_data : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel': + tag: CIS-2.3.6.3 + match_output: 'Enabled' + value_type: 'equal' + description: 'Domain member Digitally sign secure channel data ' + domain_member_disable_machine_account_password_changes : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange': + tag: CIS-2.3.6.4 + match_output: 'Disabled' + value_type: 'equal' + description: 'Domain member Disable machine account password changes' + domain_member_maximum_machine_account_password_age : + data: + 'Microsoft Windows Server 2012*': + - 
'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge': + tag: CIS-2.3.6.5 + match_output: '31' + value_type: 'less' + description: 'Domain member Maximum machine account password age' + domain_member_require_strong_session_key : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey': + tag: CIS-2.3.6.6 + match_output: 'Enabled' + value_type: 'equal' + description: 'Domain member Require strong session key' + interactive_logon_do_not_display_last_user_name : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName': + tag: CIS-2.3.7.1 + match_output: 'Enabled' + value_type: 'equal' + description: 'Interactive logon Do not display last user name' + interactive_logon_do_not_require_ctrl+alt+del : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD': + tag: CIS-2.3.7.2 + match_output: 'Disabled' + value_type: 'equal' + description: 'Interactive logon Do not require CTRL+ALT+DEL' + interactive_logon_machine_inactivity_limit : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs': + tag: CIS-2.3.7.3 + match_output: '901' + value_type: 'less' + description: 'Interactive logon Machine inactivity limit' + interactive_logon_message_text_for_users_attempting_to_log_on : #NOTE: Configure this + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText': + tag: CIS-2.3.7.4 + match_output: '' + value_type: 'configured' + description: 'Interactive logon Message text for users attempting to log on' + interactive_logon_message_title_for_users_attempting_to_log_on : #NOTE: Configure this + data: + 'Microsoft Windows Server 2012*': + - 
'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption': + tag: CIS-2.3.7.5 + match_output: '' + value_type: 'configured' + description: 'Interactive logon Message title for users attempting to log on' + interactive_logon_number_of_previous_logons_to_cache: + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount': + tag: CIS-2.3.7.6 + match_output: '5' + value_type: 'less' + description: 'Interactive logon Number of previous logos to cache' + interactive_logon_prompt_user_to_change_password_before_expiration : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning': + tag: CIS-2.3.7.7 + match_output: '15' # between 5 and 14 + value_type: 'less' + description: 'Interactive logon Prompt user to change password before expiration' + interactive_logon_require_domain_controller_authentication_to_unlock_workstation : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon': + tag: CIS-2.3.7.8 + match_output: 'Enabled' + value_type: 'equal' + description: 'Interactive logon Require Domain Controller Authentication to unlock workstation' + interactive_logon_smart_card_removal_behavior : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption': + tag: CIS-2.3.7.9 + match_output: 'Lock Workstation' # can be anything but No Action + value_type: 'equal' + description: 'Interactive logon Smart card removal behavior' + microsoft_network_client_digitally_sign_communications_ : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature': + tag: CIS-2.3.8.1 + match_output: 'Enabled' + value_type: 'equal' + description: 'Microsoft network client Digitally sign communications ' + 
microsoft_network_client_digitally_sign_communications_ : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature': + tag: CIS-2.3.8.2 + match_output: 'Enabled' + value_type: 'equal' + description: 'Microsoft network client Digitally sign communications ' + microsoft_network_client_send_unencrypted_password_to_third-party_smb_servers : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword': + tag: CIS-2.3.8.3 + match_output: 'Disabled' + value_type: 'equal' + description: 'Microsoft network client Send unencrypted password to third-party SMB servers' + microsoft_network_server_amount_of_idle_time_required_before_suspending_session : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect': + tag: CIS-2.3.9.1 + match_output: '16' + value_type: 'less' + description: 'Microsoft network server Amount of idle time required before suspending session' + microsoft_network_server_digitally_sign_communications_ : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature': + tag: CIS-2.3.9.2 + match_output: 'Enabled' + value_type: 'equal' + description: 'Microsoft network server Digitally sign communications ' + microsoft_network_server_digitally_sign_communications_ : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature': + tag: CIS-2.3.9.3 + match_output: 'Enabled' + value_type: 'equal' + description: 'Microsoft network server Digitally sign communications ' + microsoft_network_server_disconnect_clients_when_logon_hours_expire : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff': 
+ tag: CIS-2.3.9.4 + match_output: 'Enabled' + value_type: 'equal' + description: 'Microsoft network server Disconnect clients when logon hours expire' + microsoft_network_server_server_spn_target_name_validation_level : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\SMBServerNameHardeningLevel': + tag: CIS-2.3.9.5 + match_output: 'Accept if provided by client' + value_type: 'equal' + description: 'Microsoft network server Server SPN target name validation level' + network_access_allow_anonymous_sid/name_translation : + data: + 'Microsoft Windows Server 2012*': + - 'LSAAnonymousNameLookup': + tag: CIS-2.3.10.1 + match_output: 'Disabled' + value_type: 'equal' + description: 'Network access Allow anonymous SID/Name translation' + network_access_do_not_allow_anonymous_enumeration_of_sam_accounts : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM': + tag: CIS-2.3.10.2 + match_output: 'Enabled' + value_type: 'equal' + description: 'Network access Do not allow anonymous enumeration of SAM accounts' + network_access_do_not_allow_anonymous_enumeration_of_sam_accounts_and_shares : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous': + tag: CIS-2.3.10.3 + match_output: 'Enabled' + value_type: 'equal' + description: 'Network access Do not allow anonymous enumeration of SAM accounts and shares' + network_access_do_not_allow_storage_of_passwords_and_credentials_for_network_authentication : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds': + tag: CIS-2.3.10.4 + match_output: 'Enabled' + value_type: 'equal' + description: 'Network access Do not allow storage of passwords and credentials for network authentication' + network_access_let_everyone_persmissions_apply_to_anonymous_users : + data: + 'Microsoft Windows Server 
2012*': + - 'MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous': + tag: CIS-2.3.10.5 + match_output: 'Disabled' + value_type: 'equal' + description: 'Network access Let Everyone permissions apply to anonymous users' + network_access_remotely_accessible_registry_paths : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine': + tag: CIS-2.3.10.7 + match_output: 'System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion' + value_type: 'equal' + description: 'Network access Remotely accessible registry paths' + network_access_remotely_accessible_registry_paths_and_sub-paths : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine': + tag: CIS-2.3.10.8 + match_output: 'System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows NT\CurrentVersion\Perflib, System\CurrentControlSet\Services\SysmonLog' + value_type: 'equal' + description: 'Network access Remotely accessible registry paths and sub-paths' + network_access_restrict_anonymous_access_to_named_pipes_and_shares : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess': + tag: CIS-2.3.10.9 + match_output: 'Enabled' + value_type: 'equal' + description: 'Network access Restrict anonymous access to Named Pipes and Shares' + 
network_access_sharing_and_security_model_for_local_accounts : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest': + tag: CIS-2.3.10.11 + match_output: 'Classic - local users authenticate as themselves' + value_type: 'equal' + description: 'Network access Sharing and security model for local accounts' + network_security_allow_local_system_to_use_computer_identity_for_ntlm : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Control\Lsa\UseMachineId': + tag: CIS-2.3.11.1 + match_output: 'Enabled' + value_type: 'equal' + description: 'Network security Allow Local System to use computer identity for NTLM' + network_security_allow_localsystem_null_session_fallback : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback': + tag: CIS-2.3.11.2 + match_output: 'Disabled' + value_type: 'equal' + description: 'Network security Allow LocalSystem NULL session fallback' + network_security_allow_pku2u_authentication_requests_to_this_computer_to_use_online_identities : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID': + tag: CIS-2.3.11.3 + match_output: 'Disabled' + value_type: 'equal' + description: 'Network Security Allow PKU2U authentication requests to this computer to use online identities' + network_security_configure_encryption_types_allowed_for_kerberos : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes': + tag: CIS-2.3.11.4 + match_output: 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' + value_type: 'equal' + description: 'Network Security Configure encryption types allowed for Kerberos' + network_security_do_not_store_lan_manager_hash_value_on_next_password_change : + data: + 'Microsoft Windows Server 2012*': + - 
'MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash': + tag: CIS-2.3.11.5 + match_output: 'Enabled' + value_type: 'equal' + description: 'Network security Do not store LAN Manager hash value on next password change' + network_security_force_logoff_when_logon_hours_expire : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff': + tag: CIS-2.3.11.6 + match_output: 'Enabled' + value_type: 'equal' + description: 'Network security Force logoff when logon hours expire' + network_security_lan_manager_authentication_level : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel': + tag: CIS-2.3.11.7 + match_output: 'Send NTLMv2 response only. Refuse LM & NTLM' + value_type: 'equal' + description: 'Network security LAN Manager authentication level' + network_security_ldap_client_signing_requirements : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity': + tag: CIS-2.3.11.8 + match_output: 'Negotiate signing' + value_type: 'equal' + description: 'Network security LDAP client signing requirements' + network_security_minimum_session_security_for_ntlm_ssp_based_clients : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec': + tag: CIS-2.3.11.9 + match_output: 'Require NTLMv2 session security, Require 128-bit encryption' + value_type: 'equal' + description: 'Network security Minimum session security for NTLM SSP based clients' + network_security_minimum_session_security_for_ntlm_ssp_based_(including_secure_rpc_servers : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec': + tag: CIS-2.3.11.10 + match_output: 'Require NTLMv2 session security, Require 128-bit encryption' + value_type: 'equal' + description: 'Network security Minimum session 
security for NTLM SSP based (including secure RPC_ servers' + shutdown_allow_system_to_be_shut_down_without_having_to_log_on : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon': + tag: CIS-2.3.13.1 + match_output: 'Disabled' + value_type: 'equal' + description: 'Shutdown Allow system to be shut down without having to log on' + system_objects_require_case_insensitivity_for_non-windows_subsystems : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive': + tag: CIS-2.3.15.1 + match_output: 'Enabled' + value_type: 'equal' + description: 'System objects Require case insensitivity for non-Windows subsystems' + system_objects_strengthen_default_permissions_of_internal_system_objects_(e.g._symbolic_links : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode': + tag: CIS-2.3.15.2 + match_output: 'Enabled' + value_type: 'equal' + description: 'System objects Strengthen default permissions of internal system objects (e.g. 
Symbolic Links' + user_account_control_admin_approval_mode_for_the_built-in_administrator_account : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken': + tag: CIS-2.3.17.1 + match_output: 'Enabled' + value_type: 'equal' + description: 'User Account Control Admin Approval Mode for the Built-in Administrator account' + user_account_control_allow_uiaccess_applications_to_prompt_for_elevation_without_using_the_secure_desktop : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle': + tag: CIS-2.3.17.2 + match_output: 'Disabled' + value_type: 'equal' + description: 'User Account Control Allow UIAccess applications to prompt for elevation without using the secure desktop' + user_account_control_behavior_of_the_elevation_prompt_for_administrators_in_admin_approval_mode : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin': + tag: CIS-2.3.17.3 + match_output: 'Prompt for consent on the secure desktop' + value_type: 'equal' + description: 'User Account Control Behavior of the elevation prompt for administrators in Admin Approval Mode' + user_account_control_behavior_of_the_elevation_prompt_for_standard_users : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser': + tag: CIS-2.3.17.4 + match_output: 'Automatically deny elevation requests' + value_type: 'equal' + description: 'User Account Control Behavior of the elevation prompt for standard users' + user_account_control_detect_application_installations_and_prompt_for_elevation : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection': + tag: CIS-2.3.17.5 + match_output: 'Enabled' + value_type: 
'equal' + description: 'User Account Control Detect application installations and prompt for elevation' + user_account_control_only_elevate_uiaccess_applications_that_are_installed_in_secure_locations : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths': + tag: CIS-2.3.17.6 + match_output: 'Enabled' + value_type: 'equal' + description: 'User Account Control Only elevate UIAccess applications that are installed in secure locations' + user_account_control_run_all_administrators_in_admin_approval_mode : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA': + tag: CIS-2.3.17.7 + match_output: 'Enabled' + value_type: 'equal' + description: 'User Account Control Run all administrators in Admin Approval Mode' + user_account_control_switch_to_the_secure_desktop_when_prompting_for_elevation : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop': + tag: CIS-2.3.17.8 + match_output: 'Enabled' + value_type: 'equal' + description: 'User Account Control Switch to the secure desktop when prompting for elevation' + user_account_control_virtualize_file_and_registry_write_failures_to_per-user_locations : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\': + tag: CIS-2.3.17.9 + match_output: 'Enabled' + value_type: 'equal' + description: 'User Account Control Virtualize file and registry write failures to per-user locations' + + blacklist: + accounts_rename_administrator_account : + data: + 'Microsoft Windows Server 2012*': + - 'NewAdministratorName': + tag: CIS-2.3.1.5 + match_output: 'Administrator' + value_type: 'equal' + description: 'Accounts Rename administrator account' + accounts_rename_guest_account : + data: + 'Microsoft Windows Server 2012*': + - 
'AccountsRenameguestaccount': + tag: CIS-2.3.1.6 + match_output: 'Guest' + value_type: 'equal' + description: 'Accounts Rename guest account' + network_access_named_pipes_that_can_be_accessed_anonymously : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\': + tag: CIS-2.3.10.6 + match_output: '' + value_type: 'equal' + description: 'Network access Named Pipes that can be accessed anonymously' + network_access_shares_that_can_be_accessed_anonymously : + data: + 'Microsoft Windows Server 2012*': + - 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares': + tag: CIS-2.3.10.10 + match_output: '' + value_type: 'equal' + description: 'Network access Shares that can be accessed anonymously' + access_credential_manager: + data: + 'Microsoft Windows Server 2012*': + - 'SeTrustedCredManAccessPrivilege': + tag: CIS-2.2.1 + match_output: 'No One' + value_type: 'match' + description: 'Access Credential Manager as a trusted caller must be set to No One' + act_as_operating_system: + data: + 'Microsoft Windows Server 2012*': + - 'SeTcbPrivilege': + tag: CIS-2.2.3 + match_output: 'No One' + value_type: 'match' + description: 'Act as part of the operating system must be set to No One' + create_a_token_object : + data: + 'Microsoft Windows Server 2012*': + - 'SeCreateTokenPrivilege': + tag: CIS-2.2.12 + match_output: 'No One' + value_type: 'account' + description: 'Create a token object' + create_permanent_shared_objects : + data: + 'Microsoft Windows Server 2012*': + - 'Createpermanentsharedobjects': + tag: CIS-2.2.14 + match_output: 'No One' + value_type: 'account' + description: 'Create permanent shared objects' + enable_computer_and_user_accounts_to_be_trusted_for_delegation : + data: + 'Microsoft Windows Server 2012*': + - 'SeEnableDelegationPrivilege': + tag: CIS-2.2.22 + match_output: 'No one' + value_type: 'account' + description: 'Enable computer and user accounts to be trusted 
for delegation' + lock_pages_in_memory : + data: + 'Microsoft Windows Server 2012*': + - 'SeLockMemoryPrivilege': + tag: CIS-2.2.28 + match_output: 'No One' + value_type: 'account' + description: 'Lock pages in memory' + modify_an_object_label : + data: + 'Microsoft Windows Server 2012*': + - 'SeRelabelPrivilege': + tag: CIS-2.2.31 + match_output: 'No One' + value_type: 'account' + description: 'Modify an object label' + synchronize_directory_service_data : + data: + 'Microsoft Windows Server 2012*': + - 'SeSyncAgentPrivilege': + tag: CIS-2.2.39 + match_output: 'No One' + value_type: 'account' + description: 'Synchronize directory service data' + +win_firewall: + whitelist: + windows_firewall_domain_firewall_state : + data: + 'Microsoft Windows Server 2012*': + - 'Enabled': + tag: CIS-9.1.1 + match_output: 'True' + value_type: 'domain' + description: 'Windows Firewall Domain Firewall state' + windows_firewall_domain_inbound_connections : + data: + 'Microsoft Windows Server 2012*': + - 'DefaultInboundAction': + tag: CIS-9.1.2 + match_output: 'Block' + value_type: 'domain' + description: 'Windows Firewall Domain Inbound connections' + windows_firewall_domain_outbound_connections : + data: + 'Microsoft Windows Server 2012*': + - 'DefaultOutboundAction': + tag: CIS-9.1.3 + match_output: 'Allow' + value_type: 'domain' + description: 'Windows Firewall Domain Outbound connections' + windows_firewall_domain_settings_display_a_notification : + data: + 'Microsoft Windows Server 2012*': + - 'NotifyOnListen': + tag: CIS-9.1.4 + match_output: 'False' + value_type: 'domain' + description: 'Windows Firewall Domain Settings Display a notification' + windows_firewall_domain_settings_apply_local_firewall_rules : + data: + 'Microsoft Windows Server 2012*': + - 'AllowLocalFirewallRules': + tag: CIS-9.1.5 + match_output: 'True' + value_type: 'domain' + description: 'Windows Firewall Domain Settings Apply local firewall rules' + 
windows_firewall_domain_settings_apply_local_connection_security_rules : + data: + 'Microsoft Windows Server 2012*': + - 'AllowLocalIPsecRules': + tag: CIS-9.1.6 + match_output: 'True' + value_type: 'domain' + description: 'Windows Firewall Domain Settings Apply local connection security rules' + windows_firewall_domain_logging_name : + data: + 'Microsoft Windows Server 2012*': + - 'LogFileName': + tag: CIS-9.1.7 + match_output: '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log' + value_type: 'domain' + description: 'Windows Firewall Domain Logging Name' + windows_firewall_domain_logging_size_limit : + data: + 'Microsoft Windows Server 2012*': + - 'LogMaxSizeKilobytes': + tag: CIS-9.1.8 + match_output: '16384' + value_type: 'domain' + description: 'Windows Firewall Domain Logging Size limit' + windows_firewall_domain_logging_log_dropped_packets : + data: + 'Microsoft Windows Server 2012*': + - 'LogBlocked': + tag: CIS-9.1.9 + match_output: 'True' + value_type: 'domain' + description: 'Windows Firewall Domain Logging Log dropped packets' + windows_firewall_domain_logging_log_successful_connections : + data: + 'Microsoft Windows Server 2012*': + - 'LogAllowed': + tag: CIS-9.1.10 + match_output: 'True' + value_type: 'domain' + description: 'Windows Firewall Domain Logging Log successful connections' + windows_firewall_private_firewall_state : + data: + 'Microsoft Windows Server 2012*': + - 'Enabled': + tag: CIS-9.2.1 + match_output: 'True' + value_type: 'private' + description: 'Windows Firewall Private Firewall state' + windows_firewall_private_inbound_connections : + data: + 'Microsoft Windows Server 2012*': + - 'DefaultInboundAction': + tag: CIS-9.2.2 + match_output: 'Block' + value_type: 'private' + description: 'Windows Firewall Private Inbound connections' + windows_firewall_private_outbound_connections : + data: + 'Microsoft Windows Server 2012*': + - 'DefaultOutboundAction': + tag: CIS-9.2.3 + match_output: 'Allow' + value_type: 'private' + description: 
'Windows Firewall Private Outbound connections' + windows_firewall_private_settings_display_a_notification : + data: + 'Microsoft Windows Server 2012*': + - 'NotifyOnListen': + tag: CIS-9.2.4 + match_output: 'False' + value_type: 'private' + description: 'Windows Firewall Private Settings Display a notification' + windows_firewall_private_settings_apply_local_firewall_rules : + data: + 'Microsoft Windows Server 2012*': + - 'AllowLocalFirewallRules': + tag: CIS-9.2.5 + match_output: 'True' + value_type: 'private' + description: 'Windows Firewall Private Settings Apply local firewall rules' + windows_firewall_private_settings_apply_local_connection_security_rules : + data: + 'Microsoft Windows Server 2012*': + - 'AllowLocalIPsecRules': + tag: CIS-9.2.6 + match_output: 'True' + value_type: 'private' + description: 'Windows Firewall Private Settings Apply local connection security rules' + windows_firewall_private_logging_name : + data: + 'Microsoft Windows Server 2012*': + - 'LogFileName': + tag: CIS-9.2.7 + match_output: '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log' + value_type: 'private' + description: 'Windows Firewall Private Logging Name' + windows_firewall_private_logging_size_limit : + data: + 'Microsoft Windows Server 2012*': + - 'LogMaxSizeKilobytes': + tag: CIS-9.2.8 + match_output: '16384' + value_type: 'private' + description: 'Windows Firewall Private Logging Size limit' + windows_firewall_private_logging_log_dropped_packets : + data: + 'Microsoft Windows Server 2012*': + - 'LogBlocked': + tag: CIS-9.2.9 + match_output: 'True' + value_type: 'private' + description: 'Windows Firewall Private Logging Log dropped packets' + windows_firewall_private_logging_log_successful_connections : + data: + 'Microsoft Windows Server 2012*': + - 'LogAllowed': + tag: CIS-9.2.10 + match_output: 'True' + value_type: 'private' + description: 'Windows Firewall Private Logging Log successful connections' + windows_firewall_public_firewall_state : + data: + 'Microsoft 
Windows Server 2012*': + - 'Enabled': + tag: CIS-9.3.1 + match_output: 'True' + value_type: 'public' + description: 'Windows Firewall Public Firewall state' + windows_firewall_public_inbound_connections : + data: + 'Microsoft Windows Server 2012*': + - 'DefaultInboundAction': + tag: CIS-9.3.2 + match_output: 'Block' + value_type: 'public' + description: 'Windows Firewall Public Inbound connections' + windows_firewall_public_outbound_connections : + data: + 'Microsoft Windows Server 2012*': + - 'DefaultOutboundAction': + tag: CIS-9.3.3 + match_output: 'Allow' + value_type: 'public' + description: 'Windows Firewall Public Outbound connections' + windows_firewall_public_settings_display_a_notification : + data: + 'Microsoft Windows Server 2012*': + - 'NotifyOnListen': + tag: CIS-9.3.4 + match_output: 'True' + value_type: 'public' + description: 'Windows Firewall Public Settings Display a notification' + windows_firewall_public_settings_apply_local_firewall_rules : + data: + 'Microsoft Windows Server 2012*': + - 'AllowLocalFirewallRules': + tag: CIS-9.3.5 + match_output: 'False' + value_type: 'public' + description: 'Windows Firewall Public Settings Apply local firewall rules' + windows_firewall_public_settings_apply_local_connection_security_rules : + data: + 'Microsoft Windows Server 2012*': + - 'AllowLocalIPsecRules': + tag: CIS-9.3.6 + match_output: 'False' + value_type: 'public' + description: 'Windows Firewall Public Settings Apply local connection security rules' + windows_firewall_public_logging_name : + data: + 'Microsoft Windows Server 2012*': + - 'LogFileName': + tag: CIS-9.3.7 + match_output: '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log' + value_type: 'public' + description: 'Windows Firewall Public Logging Name' + windows_firewall_public_logging_size_limit_(kb : + data: + 'Microsoft Windows Server 2012*': + - 'LogMaxSizeKilobytes': + tag: CIS-9.3.8 + match_output: '16384' + value_type: 'public' + description: 'Windows Firewall Public Logging Size 
limit' + windows_firewall_public_logging_log_dropped_packets : + data: + 'Microsoft Windows Server 2012*': + - 'LogBlocked': + tag: CIS-9.3.9 + match_output: 'True' + value_type: 'public' + description: 'Windows Firewall Public Logging Log dropped packets' + windows_firewall_public_logging_log_successful_connections : + data: + 'Microsoft Windows Server 2012*': + - 'LogAllowed': + tag: CIS-9.3.10 + match_output: 'True' + value_type: 'public' + description: 'Windows Firewall Public Logging Log successful connections' + +win_auditpol: + whitelist: + Audit Credential Validation : + data: + 'Microsoft Windows Server 2012*': + - 'Credential Validation': + tag: CIS-17.1.1 + match_output: 'Success and Failure' + value_type: 'equal' + description: 'Ensure Audit Credential Validation is set to Success and Failure' + + Audit Application Group Management : + data: + 'Microsoft Windows Server 2012*': + - 'Application Group Management': + tag: CIS-17.2.1 + match_output: 'Success and Failure' + value_type: 'equal' + description: 'Ensure Audit Application Group Management is set to Success and Failure' + + Audit Computer Account Management : + data: + 'Microsoft Windows Server 2012*': + - 'Computer Account Management': + tag: CIS-17.2.2 + match_output: 'Success and Failure' + value_type: 'equal' + description: 'Ensure Audit Computer Account Management is set to Success and Failure' + + Audit Other Account Management Events : + data: + 'Microsoft Windows Server 2012*': + - 'Other Account Management Events': + tag: CIS-17.2.4 + match_output: 'Success and Failure' + value_type: 'equal' + description: 'Ensure Audit Other Account Management Events is set to Success and Failure' + + Audit Security Group Management : + data: + 'Microsoft Windows Server 2012*': + - 'Security Group Management': + tag: CIS-17.2.5 + match_output: 'Success and Failure' + value_type: 'equal' + description: 'Ensure Audit Security Group Management is set to Success and Failure' + + Audit User Account Management 
: + data: + 'Microsoft Windows Server 2012*': + - 'User Account Management': + tag: CIS-17.2.6 + match_output: 'Success and Failure' + value_type: 'equal' + description: 'Ensure Audit User Account Management is set to Success and Failure' + + Audit Process Creation : + data: + 'Microsoft Windows Server 2012*': + - 'Process Creation': + tag: CIS-17.3.1 + match_output: 'Success' + value_type: 'equal' + description: 'Ensure Audit Process Creation is set to Success' + + Audit Account Lockout : + data: + 'Microsoft Windows Server 2012*': + - 'Account Lockout': + tag: CIS-17.5.1 + match_output: 'Success' + value_type: 'equal' + description: 'Ensure Audit Account Lockout is set to Success' + + Audit Logoff : + data: + 'Microsoft Windows Server 2012*': + - 'Logoff': + tag: CIS-17.5.2 + match_output: 'Success' + value_type: 'equal' + description: 'Ensure Audit Logoff is set to Success' + + Audit Logon : + data: + 'Microsoft Windows Server 2012*': + - 'Logon': + tag: CIS-17.5.3 + match_output: 'Success and Failure' + value_type: 'equal' + description: 'Ensure Audit Logon is set to Success and Failure' + + Audit Other Logon/Logoff Events : + data: + 'Microsoft Windows Server 2012*': + - 'Other Logon/Logoff Events': + tag: CIS-17.5.4 + match_output: 'Success and Failure' + value_type: 'equal' + description: 'Ensure Audit Other Logon/Logoff Events is set to Success and Failure' + + Audit Special Logon : + data: + 'Microsoft Windows Server 2012*': + - 'Special Logon': + tag: CIS-17.5.5 + match_output: 'Success' + value_type: 'equal' + description: 'Ensure Audit Special Logon is set to Success' + + Audit Removable Storage : + data: + 'Microsoft Windows Server 2012*': + - 'Removable Storage': + tag: CIS-17.6.1 + match_output: 'Success and Failure' + value_type: 'equal' + description: 'Ensure Audit Removable Storage is set to Success and Failure' + + Audit Audit Policy Change : + data: + 'Microsoft Windows Server 2012*': + - 'Audit Policy Change': + tag: CIS-17.7.1 + match_output: 
'Success and Failure' + value_type: 'equal' + description: 'Ensure Audit Audit Policy Change is set to Success and Failure' + + Audit Authentication Policy Change : + data: + 'Microsoft Windows Server 2012*': + - 'Authentication Policy Change': + tag: CIS-17.7.2 + match_output: 'Success' + value_type: 'equal' + description: 'Ensure Audit Authentication Policy Change is set to Success' + + Audit Sensitive Privilege Use : + data: + 'Microsoft Windows Server 2012*': + - 'Sensitive Privilege Use': + tag: CIS-17.8.1 + match_output: 'Success and Failure' + value_type: 'equal' + description: 'Ensure Audit Sensitive Privilege Use is set to Success and Failure' + + Audit IPsec Driver : + data: + 'Microsoft Windows Server 2012*': + - 'IPsec Driver': + tag: CIS-17.9.1 + match_output: 'Success and Failure' + value_type: 'equal' + description: 'Ensure Audit IPsec Driver is set to Success and Failure' + + Audit Other System Events : + data: + 'Microsoft Windows Server 2012*': + - 'Other System Events': + tag: CIS-17.9.2 + match_output: 'Success and Failure' + value_type: 'equal' + description: 'Ensure Audit Other System Events is set to Success and Failure' + + Audit Security State Change : + data: + 'Microsoft Windows Server 2012*': + - 'Security State Change': + tag: CIS-17.9.3 + match_output: 'Success' + value_type: 'equal' + description: 'Ensure Audit Security State Change is set to Success' + + Audit Security System Extension : + data: + 'Microsoft Windows Server 2012*': + - 'Security System Extension': + tag: CIS-17.9.4 + match_output: 'Success and Failure' + value_type: 'equal' + description: 'Ensure Audit Security System Extension is set to Success and Failure' + + Audit System Integrity : + data: + 'Microsoft Windows Server 2012*': + - 'System Integrity': + tag: CIS-17.9.5 + match_output: 'Success and Failure' + value_type: 'equal' + description: 'Ensure Audit System Integrity is set to Success and Failure' + +win_reg: + whitelist: + Prevent enabling lock screen camera 
: + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization\NoLockScreenCamera': + tag: CIS-18.1.1.1 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Prevent enabling lock screen camera is set to Enabled' + Prevent enabling lock screen slide show : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Personalization\NoLockScreenSlideshow': + tag: CIS-18.1.1.2 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Prevent enabling lock screen slide show is set to Enabled' + Do not allow password expiration time longer than required by policy : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd\PwdExpirationProtectionEnabled': + tag: CIS-18.2.2 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Do not allow password expiration time longer than required by policy is set to Enabled ' + Enable Local Admin Password Management : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd\AdmPwdEnabled': + tag: CIS-18.2.3 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Enable Local Admin Password Management is set to Enabled ' + Password Settings_ Password Complexity : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd\PasswordComplexity': + tag: CIS-18.2.4 + match_output: 'Enabled: Large letters + small letters + numbers + special characters' + value_type: 'equal' + description: 'Ensure Password Settings- Password Complexity is set to Enabled. 
Large letters + small letters + numbers + special characters ' + Password Settings_ Password Length : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd\PasswordLength': + tag: CIS-18.2.5 + match_output: 'Enabled: 15 or more' + value_type: 'equal' + description: 'Ensure Password Settings- Password Length is set to Enabled. 15 or more ' + Password Settings_ Password Age : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd\PasswordAgeDays': + tag: CIS-18.2.6 + match_output: 'Enabled: 30 or fewer' + value_type: 'equal' + description: 'Ensure Password Settings- Password Age is set to Enabled. 30 or fewer ' + MSS_DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting': + tag: CIS-18.3.2 + match_output: 'Enabled' #: Highest protection, source routing is completely disabled' + value_type: 'equal' + description: 'Ensure MSS_ IP source routing protection level is set to Enabled Highest protection source routing is completely disabled' + MSS_ IP source routing protection level protects against packet spoofing : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting': + tag: CIS-18.3.3 + match_output: 'Enabled' #: Highest protection, source routing is completely disabled' + value_type: 'equal' + description: 'Ensure MSS-IP source routing protection level is set to Enabled Highest protection source routing is completely disabled' + MSS_ Allow ICMP redirects to override OSPF generated routes : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect': + tag: CIS-18.3.4 + match_output: 'Disabled' + value_type: 
'equal' + description: 'Ensure MSS- Allow ICMP redirects to override OSPF generated routes is set to Disabled' + MSS_ Allow the computer to ignore NetBIOS name release requests except from WINS servers : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\nonamereleaseondemand': + tag: CIS-18.3.6 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure MSS- Allow the computer to ignore NetBIOS name release requests except from WINS servers is set to Enabled' + MSS_ Enable Safe DLL search mode : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode': + tag: CIS-18.3.8 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure MSS- Enable Safe DLL search mode is set to Enabled' + MSS_ The time in seconds before the screen saver grace period expires : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod': + tag: CIS-18.3.9 + match_output: 'Enabled: 5 or fewer seconds' + value_type: 'equal' + description: 'Ensure MSS- The time in seconds before the screen saver grace period expires is set to Enabled. 5 or fewer seconds' + MSS_ Percentage threshold for the security event log at which the system will generate a warning : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel': + tag: CIS-18.3.12 + match_output: 'Enabled' #Enabled: 90% or less + value_type: 'less' + description: 'Ensure MSS- Percentage threshold for the security event log at which the system will generate a warning is set to Enabled. 
90 or less' + Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet\Disabled': + tag: CIS-18.4.9.2 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled' + Prohibit installation and configuration of Network Bridge on your DNS domain network : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA': + tag: CIS-18.4.10.2 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Prohibit installation and configuration of Network Bridge on your DNS domain network is set to Enabled' + Require domain users to elevate when setting a network : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_StdDomainUserSetLocation': + tag: CIS-18.4.10.3 + match_output: ' is set to ' + value_type: 'equal' + description: 'Ensure Require domain users to elevate when setting a networks location is set to Enabled' + Hardened UNC Paths : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\*\NETLOGON': + tag: CIS-18.4.13.1 + match_output: 'Enabled' #with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' + value_type: 'equal' + description: 'Ensure Hardened UNC Paths is set to Enabled with Require Mutual Authentication and Require Integrity set for all NETLOGON and SYSVOL shares' + Disable IPv6 : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters\DisabledComponents': + tag: CIS-18.4.18.2.1 + match_output: '255' + value_type: 'equal' + description: 'Disable IPv6 - Ensure TCPIP6 Parameter DisabledComponents is 
set to 0xff (255)' + Minimize the number of simultaneous connections to the Internet or a Windows Domain : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\fMinimizeConnections': + tag: CIS-18.4.20.1 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Minimize the number of simultaneous connections to the Internet or a Windows Domain is set to Enabled' + Apply UAC restrictions to local accounts on network logons : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy': + tag: CIS-18.6.1 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled ' + Boot-Start Driver Initialization Policy : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy': + tag: CIS-18.8.11.1 + match_output: 'Enabled' # Good, unknown and bad but critical' + value_type: 'equal' + description: 'Ensure Boot-Start Driver Initialization Policy is set to Enabled Good unknown and bad but critical' + Configure registry policy processing_ Do not apply during periodic background processing : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy': + tag: CIS-18.8.18.2 + match_output: 'Enabled' # FALSE' + value_type: 'equal' + description: 'Ensure Configure registry policy processing. Do not apply during periodic background processing is set to Enabled. 
FALSE' + Configure registry policy processing_ Process even if the Group Policy objects have not changed : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges': + tag: CIS-18.8.18.3 + match_output: 'Enabled' # TRUE' + value_type: 'equal' + description: 'Ensure Configure registry policy processing. Process even if the Group Policy objects have not changed is set to Enabled. TRUE' + Do not display network selection UI : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\DontDisplayNetworkSelectionUI': + tag: CIS-18.8.24.1 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Do not display network selection UI is set to Enabled' + Do not enumerate connected users on domain-joined computers : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\DontEnumerateConnectedUsers': + tag: CIS-18.8.24.2 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Do not enumerate connected users on domain-joined computers is set to Enabled' + Turn off app notifications on the lock screen : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\DisableLockScreenAppNotifications': + tag: CIS-18.8.24.4 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Turn off app notifications on the lock screen is set to Enabled' + Enable RPC Endpoint Mapper Client Authentication : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc\EnableAuthEpResolution': + tag: CIS-18.8.31.1 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled ' + Allow Microsoft accounts to be optional : + data: + 'Microsoft Windows Server 
2012*': + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\MSAOptional': + tag: CIS-18.9.6.1 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Allow Microsoft accounts to be optional is set to Enabled' + Disallow Autoplay for non-volume devices : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer\NoAutoplayfornonVolume': + tag: CIS-18.9.8.1 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Disallow Autoplay for non-volume devices is set to Enabled' + Set the default behavior for AutoRun : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun': + tag: CIS-18.9.8.2 + match_output: 'Enabled' # Do not execute any autorun commands' + value_type: 'equal' + description: 'Ensure Set the default behavior for AutoRun is set to Enabled. Do not execute any autorun commands' + Turn off Autoplay : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun': + tag: CIS-18.9.8.3 + match_output: 'Enabled' # All drives + value_type: 'equal' + description: 'Ensure Turn off Autoplay is set to Enabled. 
All drives' + Do not display the password reveal button : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI\DisablePasswordReveal': + tag: CIS-18.9.13.1 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Do not display the password reveal button is set to Enabled' + Default Action and Mitigation Settings : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings\AntiDetours': + tag: CIS-18.9.22.2 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Default Action and Mitigation Settings is set to Enabled ' + Default Protections for Internet Explorer : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults\IE': + tag: CIS-18.9.22.3 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Default Protections for Internet Explorer is set to Enabled' + Default Protections for Popular Software : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults': + tag: CIS-18.9.22.4 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Default Protections for Popular Software is set to Enabled' + Default Protections for Recommended Software : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults': + tag: CIS-18.9.22.5 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Default Protections for Recommended Software is set to Enabled' + System ASLR : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings\ASLR': + tag: CIS-18.9.22.6 + match_output: 'Enabled' # Application Opt-In' + value_type: 'equal' + description: 'Ensure System ASLR is set to Enabled. 
Application Opt-In' + System DEP : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings\DEP': + tag: CIS-18.9.22.7 + match_output: 'Enabled' # Application Opt-Out' + value_type: 'equal' + description: 'Ensure System DEP is set to Enabled. Application Opt-Out' + System SEHOP : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings\SEHOP': + tag: CIS-18.9.22.8 + match_output: 'Enabled' # Application Opt-Out' + value_type: 'equal' + description: 'Ensure System SEHOP is set to Enabled. Application Opt-Out' + Application_ Specify the maximum log file size : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application\MaxSize': + tag: CIS-18.9.24.1.2 + match_output: 'Enabled' # 32768 or greater' + value_type: 'equal' + description: 'Ensure Application Specify the maximum log file size is set to Enabled. 32768 or greater' + Security_ Specify the maximum log file size : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security\MaxSize': + tag: CIS-18.9.24.2.2 + match_output: 'Enabled' # 196608 or greater' + value_type: 'equal' + description: 'Ensure Security_ Specify the maximum log file size is set to Enabled. 196608 or greater' + Setup_ Specify the maximum log file size : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup\MaxSize': + tag: CIS-18.9.24.3.2 + match_output: 'Enabled' # 32,768 or greater' + value_type: 'equal' + description: 'Ensure Setup Specify the maximum log file size is set to Enabled. 
32768 or greater' + System_ Specify the maximum log file size : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System\MaxSize': + tag: CIS-18.9.24.4.2 + match_output: 'Enabled' # 32768 or greater + value_type: 'equal' + description: 'Ensure System_ Specify the maximum log file size is set to Enabled. 32768 or greater' + Configure Windows SmartScreen : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\EnableSmartScreen': + tag: CIS-18.9.28.2 + match_output: 'Enabled' # Require approval from an administrator before running downloaded unknown software' + value_type: 'equal' + description: 'Ensure Configure Windows SmartScreen is set to Enabled. Require approval from an administrator before running downloaded unknown software' + Do not allow passwords to be saved : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving': + tag: CIS-18.9.48.2.2 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Do not allow passwords to be saved is set to Enabled' + Do not allow drive redirection : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm': + tag: CIS-18.9.48.3.3.2 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Do not allow drive redirection is set to Enabled' + Always prompt for password upon connection : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword': + tag: CIS-18.9.48.3.9.1 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Always prompt for password upon connection is set to Enabled' + Require secure RPC communication : + data: + 'Microsoft Windows Server 2012*': + - 
'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fEncryptRPCTraffic': + tag: CIS-18.9.48.3.9.2 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Require secure RPC communication is set to Enabled' + Set client connection encryption level : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel': + tag: CIS-18.9.48.3.9.3 + match_output: 'Enabled' # High Level' + value_type: 'equal' + description: 'Ensure Set client connection encryption level is set to Enabled. High Level' + Prevent downloading of enclosures : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload': + tag: CIS-18.9.49.1 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Prevent downloading of enclosures is set to Enabled' + Prevent the usage of SkyDrive for file storage : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Skydrive\DisableFileSync': + tag: CIS-18.9.54.1 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Prevent the usage of SkyDrive for file storage is set to Enabled' + Turn off the offer to update to the latest version of Windows : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore\DisableOSUpgrade': + tag: CIS-18.9.58.2 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Turn off the offer to update to the latest version of Windows is set to Enabled' + Configure Default consent : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent': + tag: CIS-18.9.67.2.1 + match_output: 'Enabled' # Always ask before sending data' + value_type: 'equal' + description: 'Ensure Configure Default consent is set to 
Enabled. Always ask before sending data' + Disallow Digest authentication : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowDigest': + tag: CIS-18.9.81.1.3 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Disallow Digest authentication is set to Enabled' + Disallow WinRM from storing RunAs credentials : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\DisableRunAs': + tag: CIS-18.9.81.2.3 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Disallow WinRM from storing RunAs credentials is set to Enabled' + Configure Automatic Updates : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate': + tag: CIS-18.9.85.1 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Configure Automatic Updates is set to Enabled' + Configure Automatic Updates_ Scheduled install day : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallDay': + tag: CIS-18.9.85.2 + match_output: '0' # Every day' + value_type: 'equal' + description: 'Ensure Configure Automatic Updates- Scheduled install day is set to 0 - Every day' + Enable screen saver : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_USERS\\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive': + tag: CIS-19.1.3.1 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Enable screen saver is set to Enabled' + Force specific screen saver_ Screen saver executable name : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_USERS\\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE': + tag: CIS-19.1.3.2 + match_output: 'Enabled' # scrnsave.scr' + value_type: 'equal' + description: 'Ensure Force specific screen saver 
Screen saver executable name is set to Enabled. scrnsave.scr' + Password protect the screen saver : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_USERS\\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure': + tag: CIS-19.1.3.3 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Password protect the screen saver is set to Enabled' + Screen saver timeout : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_USERS\\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut': + tag: CIS-19.1.3.4 + match_output: 'Enabled' # 900 seconds or fewer, but not 0' + value_type: 'equal' + description: 'Ensure Screen saver timeout is set to Enabled. 900 seconds or fewer but not 0' + Turn off toast notifications on the lock screen : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_USERS\\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications\NoToastApplicationNotificationOnLockScreen': + tag: CIS-19.5.1.1 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Turn off toast notifications on the lock screen is set to Enabled' + Notify antivirus programs when opening attachments : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_USERS\\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ScanWithAntiVirus': + tag: CIS-19.7.4.2 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Notify antivirus programs when opening attachments is set to Enabled' + Prevent users from sharing files within their profile. : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_USERS\[USER SID]\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInplaceSharing': + tag: CIS-19.7.25.1 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Prevent users from sharing files within their profile. 
is set to Enabled' + + blacklist: + MSS_ Enable Automatic Logon : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon': + tag: CIS-18.3.1 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure MSS_ Enable Automatic Logon is set to Disabled' + Ensure Turn on Mapper I/O driver is set to Disabled : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD\AllowLLTDIOOnDomain': + tag: CIS-18.4.8.1 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Turn on Mapper I/O (LLTDIO) driver is set to Disabled' + Ensure Turn on Responder (RSPNDR) driver is set to Disabled : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD\AllowRspndrOnDomain': + tag: CIS-18.4.8.2 + match_output: 'Enabled' + value_type: 'equal' + description: 'Ensure Turn on Responder (RSPNDR) driver is set to Disabled' + WDigest Authentication : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential': + tag: CIS-18.6.2 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure WDigest Authentication is set to Disabled' + Ensure Include command line in process creation events : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled': + tag: CIS-18.8.2.1 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Include command line in process creation events is set to Disabled' + Turn off background refresh of Group Policy : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableBkGndGroupPolicy': + tag: CIS-18.8.18.4 + match_output: 'Disabled' + value_type: 'equal' + description: 
'Ensure Turn off background refresh of Group Policy is set to Disabled' + Enumerate local users on domain-joined computers : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\EnumerateLocalUsers': + tag: CIS-18.8.24.3 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Enumerate local users on domain-joined computers is set to Disabled' + Turn on convenience PIN sign-in : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\AllowDomainPINLogon': + tag: CIS-18.8.24.5 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Turn on convenience PIN sign-in is set to Disabled' + Configure Offer Remote Assistance : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited': + tag: CIS-18.8.30.1 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Configure Offer Remote Assistance is set to Disabled' + Configure Solicited Remote Assistance : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp': + tag: CIS-18.8.30.2 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Configure Solicited Remote Assistance is set to Disabled' + Enumerate administrator accounts on elevation : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators': + tag: CIS-18.9.13.2 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Enumerate administrator accounts on elevation is set to Disabled' + Application_ Control Event Log behavior when the log file reaches its maximum size : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application\Retention': + tag: 
CIS-18.9.24.1.1 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Application- Control Event Log behavior when the log file reaches its maximum size is set to Disabled' + Security_ Control Event Log behavior when the log file reaches its maximum size : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security\Retention': + tag: CIS-18.9.24.2.1 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Security_ Control Event Log behavior when the log file reaches its maximum size is set to Disabled' + Setup_ Control Event Log behavior when the log file reaches its maximum size : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup\Retention': + tag: CIS-18.9.24.3.1 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Setup- Control Event Log behavior when the log file reaches its maximum size is set to Disabled' + System_ Control Event Log behavior when the log file reaches its maximum size : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System\Retention': + tag: CIS-18.9.24.4.1 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure System- Control Event Log behavior when the log file reaches its maximum size is set to Disabled' + Turn off Data Execution Prevention for Explorer : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer\NoDataExecutionPrevention': + tag: CIS-18.9.28.3 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Turn off Data Execution Prevention for Explorer is set to Disabled' + Turn off heap termination on corruption : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer\NoHeapTerminationOnCorruption': + tag: CIS-18.9.28.4 + match_output: 
'Disabled' + value_type: 'equal' + description: 'Ensure Turn off heap termination on corruption is set to Disabled' + Turn off shell protocol protected mode : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior': + tag: CIS-18.9.28.5 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Turn off shell protocol protected mode is set to Disabled' + Do not delete temp folders upon exit : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\DeleteTempDirsOnExit': + tag: CIS-18.9.48.3.11.1 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Do not delete temp folders upon exit is set to Disabled' + Do not use temporary folders per session : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\PerSessionTempDir': + tag: CIS-18.9.48.3.11.2 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Do not use temporary folders per session is set to Disabled' + Allow indexing of encrypted files : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems': + tag: CIS-18.9.50.2 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Allow indexing of encrypted files is set to Disabled' + Turn off Automatic Download and Install of updates : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore\AutoDownload': + tag: CIS-18.9.58.1 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Turn off Automatic Download and Install of updates is set to Disabled' + Automatically send memory dumps for OS-generated error reports : + data: + 'Microsoft Windows Server 2012*': + - 
'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\Windows Error Reporting\AutoApproveOSDumps': + tag: CIS-18.9.67.3 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Automatically send memory dumps for OS-generated error reports is set to Disabled' + Allow user control over installs : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableUserControl': + tag: CIS-18.9.69.1 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Allow user control over installs is set to Disabled' + Always install with elevated privileges : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated': + tag: CIS-18.9.69.2 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Always install with elevated privileges is set to Disabled' + Sign-in last interactive user automatically after a system-initiated restart : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableAutomaticRestartSignOn': + tag: CIS-18.9.70.1 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled' + Turn on PowerShell Script Block Logging : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging': + tag: CIS-18.9.79.1 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Turn on PowerShell Script Block Logging is set to Disabled' + Turn on PowerShell Transcription : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\EnableTranscripting': + tag: CIS-18.9.79.2 + match_output: 'Disabled' + value_type: 'equal' + 
description: 'Ensure Turn on PowerShell Transcription is set to Disabled' + Allow Basic authentication : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowBasic': + tag: CIS-18.9.81.1.1 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Allow Basic authentication is set to Disabled' + Allow unencrypted traffic : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic': + tag: CIS-18.9.81.1.2 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Allow unencrypted traffic is set to Disabled' + Allow Basic authentication : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\AllowBasic': + tag: CIS-18.9.81.2.1 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Allow Basic authentication is set to Disabled' + Allow unencrypted traffic : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic': + tag: CIS-18.9.81.2.2 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Allow unencrypted traffic is set to Disabled' + No auto-restart with logged on users for scheduled automatic updates installations : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsers': + tag: CIS-18.9.85.3 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure No auto-restart with logged on users for scheduled automatic updates installations is set to Disabled' + Do not preserve zone information in file attachments : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_USERS\\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation': + tag: CIS-19.7.4.1 + match_output: 'Disabled' + 
value_type: 'equal' + description: 'Ensure Do not preserve zone information in file attachments is set to Disabled' + Always install with elevated privileges : + data: + 'Microsoft Windows Server 2012*': + - 'HKEY_USERS\\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated': + tag: CIS-19.7.37.1 + match_output: 'Disabled' + value_type: 'equal' + description: 'Ensure Always install with elevated privileges is set to Disabled' + +win_pkg: + whitelist: + EMET 5.5 : + data: + 'Microsoft Windows Server 2012*': + - 'EMET': + tag: CIS-18.9.22.1 + match_output: '5.4' + value_type: 'more' + description: 'Ensure EMET 5.5 or higher is installed' + LAPS AdmPwd GPO Extension / CSE is installed : + data: + 'Microsoft Windows Server 2012*': + - 'Navigate to Control Panel\Program\Programs and Features and confirm "lAPS" is listed in the Name column.': + tag: CIS-18.2.1 + match_output: 'Local Administrator Password Solution' + value_type: 'equal' + description: 'Ensure LAPS AdmPwd GPO Extension / CSE is installed ' diff --git a/hubblestack_nova_profiles/cis/windows-2012r2-level-1-scored-v2-0-0.yaml b/hubblestack_nova_profiles/cis/windows-2012r2-level-1-scored-v2-0-0.yaml index d10dbb8..1ea8894 100644 --- a/hubblestack_nova_profiles/cis/windows-2012r2-level-1-scored-v2-0-0.yaml +++ b/hubblestack_nova_profiles/cis/windows-2012r2-level-1-scored-v2-0-0.yaml @@ -19,7 +19,7 @@ win_secedit: tag: CIS-1.1.1 match_output: '23' value_type: 'more' - description: (l1) ensure 'enforce password history' is set to '24 or more password(s)' + description: (L1) Ensure 'enforce password history' is set to '24 or more password(s)' maximum_password_age: data: 'Microsoft Windows Server 2012*': 
@@ -27,7 +27,7 @@ win_secedit: tag: CIS-1.1.2 match_output: '61' value_type: 'less' - description: (l1) ensure 'maximum password age' is set to '60 or fewer days, but not 0' + description: (L1) Ensure 'maximum password age' is set to '60 or fewer days, but not 0' minimum_password_age: data: 'Microsoft Windows Server 2012*': @@ -35,7 +35,7 @@ win_secedit: tag: CIS-1.1.3 match_output: '1' value_type: 'more' - description: (l1) ensure 'minimum password age' is set to '1 or more day(s)' + description: (L1) Ensure 'minimum password age' is set to '1 or more day(s)' minimum_password_length: data: 'Microsoft Windows Server 2012*': @@ -43,7 +43,7 @@ win_secedit: tag: CIS-1.1.4 match_output: '14' value_type: 'more' - description: (l1) ensure 'minimum password length' is set to '14 or more character(s)' + description: (L1) Ensure 'minimum password length' is set to '14 or more character(s)' password_complexity: data: 'Microsoft Windows Server 2012*': @@ -51,7 +51,7 @@ win_secedit: tag: CIS-1.1.5 match_output: '1' value_type: 'equal' - description: (l1) ensure 'password must meet complexity requirements' is set to 'enabled' + description: (L1) Ensure 'password must meet complexity requirements' is set to 'enabled' reversible_encryption: data: 'Microsoft Windows Server 2012*': @@ -59,7 +59,7 @@ win_secedit: tag: CIS-1.1.6 match_output: '0' value_type: 'equal' - description: (l1) ensure 'store passwords using reversible encryption' is set to 'disabled' + description: (L1) Ensure 'store passwords using reversible encryption' is set to 'disabled' lockout_duration: data: 'Microsoft Windows Server 2012*': @@ -67,7 +67,7 @@ win_secedit: tag: CIS-1.2.1 match_output: '14' value_type: 'more' - description: (l1) ensure 'account lockout duration' is set to '15 or more minute(s)' + description: (L1) Ensure 'account lockout duration' is set to '15 or more minute(s)' lockout_threshold: data: 'Microsoft Windows Server 2012*': 
@@ -75,7 +75,7 @@ win_secedit: tag: CIS-1.2.2 match_output: '11' value_type: 'less' - description: (l1) ensure 'account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' + description: (L1) Ensure 'account lockout threshold' is set to '10 or fewer invalid logon attempt(s), but not 0' reset_lockout_counter: data: 'Microsoft Windows Server 2012*': @@ -83,7 +83,7 @@ win_secedit: tag: CIS-1.2.3 match_output: '14' value_type: 'more' - description: (l1) ensure 'reset account lockout counter after' is set to '15 or more minute(s)' + description: (L1) Ensure 'reset account lockout counter after' is set to '15 or more minute(s)' access_from_network: data: 'Microsoft Windows Server 2012*': @@ -99,7 +99,7 @@ win_secedit: tag: CIS-2.2.5 match_output: 'Administrators, LOCAL SERVICE, NETWORK SERVICE' value_type: 'match' - description: (l1) ensure 'adjust memory quotas for a process' is set to 'administrators, local service, network service' + description: (L1) Ensure 'adjust memory quotas for a process' is set to 'administrators, local service, network service' allow_logon_locally: data: 'Microsoft Windows Server 2012*': @@ -123,7 +123,7 @@ win_secedit: tag: CIS-2.2.8 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'back up files and directories' is set to 'administrators' + description: (L1) Ensure 'back up files and directories' is set to 'administrators' change_the_system_time : data: 'Microsoft Windows Server 2012*': @@ -131,7 +131,7 @@ win_secedit: tag: CIS-2.2.9 match_output: 'Administrators, LOCAL SERVICE' value_type: 'account' - description: (l1) ensure 'change the system time' is set to 'administrators, local service' + description: (L1) Ensure 'change the system time' is set to 'administrators, local service' change_the_time_zone : data: 'Microsoft Windows Server 2012*': 
@@ -139,7 +139,7 @@ win_secedit: tag: CIS-2.2.10 match_output: 'Administrators, LOCAL SERVICE' value_type: 'account' - description: (l1) ensure 'change the time zone' is set to 'administrators, local service' + description: (L1) Ensure 'change the time zone' is set to 'administrators, local service' create_a_pagefile : data: 'Microsoft Windows Server 2012*': @@ -147,7 +147,7 @@ win_secedit: tag: CIS-2.2.11 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'create a pagefile' is set to 'administrators' + description: (L1) Ensure 'create a pagefile' is set to 'administrators' create_global_objects : data: 'Microsoft Windows Server 2012*': @@ -155,7 +155,7 @@ win_secedit: tag: CIS-2.2.13 match_output: 'Administrators, LOCAL SERVICE, NETWORK SERVICE, SERVICE' value_type: 'account' - description: (l1) ensure 'create global objects' is set to 'administrators, local service, network service, service' + description: (L1) Ensure 'create global objects' is set to 'administrators, local service, network service, service' create_symbolic_links : data: 'Microsoft Windows Server 2012*': @@ -171,7 +171,7 @@ win_secedit: tag: CIS-2.2.16 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'debug programs' is set to 'administrators' + description: (L1) Ensure 'debug programs' is set to 'administrators' deny_access_to_this_computer_from_the_network : data: 'Microsoft Windows Server 2012*': @@ -187,7 +187,7 @@ win_secedit: tag: CIS-2.2.18 match_output: 'Guests' value_type: 'account' - description: (l1) ensure 'deny log on as a batch job' to include 'guests' + description: (L1) Ensure 'deny log on as a batch job' to include 'guests' deny_log_on_as_a_service : data: 'Microsoft Windows Server 2012*': 
@@ -195,7 +195,7 @@ win_secedit: tag: CIS-2.2.19 match_output: 'Guests' value_type: 'account' - description: (l1) ensure 'deny log on as a service' to include 'guests' + description: (L1) Ensure 'deny log on as a service' to include 'guests' deny_log_on_locally : data: 'Microsoft Windows Server 2012*': @@ -203,7 +203,7 @@ win_secedit: tag: CIS-2.2.20 match_output: 'Guests' value_type: 'account' - description: (l1) ensure 'deny log on locally' to include 'guests' + description: (L1) Ensure 'deny log on locally' to include 'guests' deny_log_on_through_remote_desktop_services : data: 'Microsoft Windows Server 2012*': @@ -211,7 +211,7 @@ win_secedit: tag: CIS-2.2.21 match_output: 'Guests, LOCAL SERVICE' value_type: 'account' - description: (l1) ensure 'deny log on through remote desktop services' to include 'guests, local account' + description: (L1) Ensure 'deny log on through remote desktop services' to include 'guests, local account' force_shutdown_from_a_remote_system : data: 'Microsoft Windows Server 2012*': @@ -219,7 +219,7 @@ win_secedit: tag: CIS-2.2.23 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'force shutdown from a remote system' is set to 'administrators' + description: (L1) Ensure 'force shutdown from a remote system' is set to 'administrators' generate_security_audits : data: 'Microsoft Windows Server 2012*': @@ -227,7 +227,7 @@ win_secedit: tag: CIS-2.2.24 match_output: 'LOCAL SERVICE, NETWORK SERVICE' value_type: 'account' - description: (l1) ensure 'generate security audits' is set to 'local service, network service' + description: (L1) Ensure 'generate security audits' is set to 'local service, network service' impersonate_a_client_after_authentication : data: 'Microsoft Windows Server 2012*': 
@@ -243,7 +243,7 @@ win_secedit: tag: CIS-2.2.26 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'increase scheduling priority' is set to 'administrators' + description: (L1) Ensure 'increase scheduling priority' is set to 'administrators' load_and_unload_device_drivers : data: 'Microsoft Windows Server 2012*': @@ -251,12 +251,12 @@ win_secedit: tag: CIS-2.2.27 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'load and unload device drivers' is set to 'administrators' + description: (L1) Ensure 'load and unload device drivers' is set to 'administrators' manage_auditing_and_security_log : data: 'Microsoft Windows Server 2012*': - 'SeSecurityPrivilege': - tag: CIS-2.2.30 + tag: CIS-2.2.29 match_output: '*S-1-5-32-544' #Administrators value_type: 'account' description: (l1) configure 'manage auditing and security log' 
@@ -264,66 +264,66 @@ win_secedit: data: 'Microsoft Windows Server 2012*': - 'SeSystemEnvironmentPrivilege': - tag: CIS-2.2.32 + tag: CIS-2.2.31 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'modify firmware environment values' is set to 'administrators' + description: (L1) Ensure 'modify firmware environment values' is set to 'administrators' perform_volume_maintenance_tasks : data: 'Microsoft Windows Server 2012*': - 'SeManageVolumePrivilege': - tag: CIS-2.2.33 + tag: CIS-2.2.32 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'perform volume maintenance tasks' is set to 'administrators' + description: (L1) Ensure 'perform volume maintenance tasks' is set to 'administrators' profile_single_process : data: 'Microsoft Windows Server 2012*': - 'SeProfileSingleProcessPrivilege': - tag: CIS-2.2.34 + tag: CIS-2.2.33 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'profile single process' is set to 'administrators' + description: (L1) Ensure 'profile single process' is set to 'administrators' profile_system_performance : data: 'Microsoft Windows Server 2012*': - 'SeSystemProfilePrivilege': - tag: CIS-2.2.35 + tag: CIS-2.2.34 match_output: 'Administrators, NT SERVICE\WdiServiceHost' value_type: 'account' - description: (l1) ensure 'profile system performance' is set to 'administrators, nt service\wdiservicehost' + description: (L1) Ensure 'profile system performance' is set to 'administrators, nt service\wdiservicehost' replace_a_process_level_token : data: 'Microsoft Windows Server 2012*': - 'SeAssignPrimaryTokenPrivilege': - tag: CIS-2.2.36 + tag: CIS-2.2.35 match_output: 'LOCAL SERVICE, NETWORK SERVICE' value_type: 'account' - description: (l1) ensure 'replace a process level token' is set to 'local service, network service' + description: (L1) Ensure 'replace a process level token' is set to 'local service, network service' restore_files_and_directories : data: 'Microsoft 
Windows Server 2012*': - 'SeRestorePrivilege': - tag: CIS-2.2.37 + tag: CIS-2.2.36 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'restore files and directories' is set to 'administrators' + description: (L1) Ensure 'restore files and directories' is set to 'administrators' shut_down_the_system : data: 'Microsoft Windows Server 2012*': - 'SeShutdownPrivilege': - tag: CIS-2.2.38 + tag: CIS-2.2.37 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'shut down the system' is set to 'administrators' + description: (L1) Ensure 'shut down the system' is set to 'administrators' take_ownership_of_files_or_other_objects : data: 'Microsoft Windows Server 2012*': - 'SeTakeOwnershipPrivilege': - tag: CIS-2.2.40 + tag: CIS-2.2.39 match_output: 'Administrators' value_type: 'account' - description: (l1) ensure 'take ownership of files or other objects' is set to 'administrators' + description: (L1) Ensure 'take ownership of files or other objects' is set to 'administrators' accounts_administrator_account_status : data: 'Microsoft Windows Server 2012*': @@ -331,7 +331,7 @@ win_secedit: tag: CIS-2.3.1.1 match_output: '0' value_type: 'equal' - description: (l1) ensure 'accounts - administrator account status' is set to 'disabled' + description: (L1) Ensure 'accounts - administrator account status' is set to 'disabled' accounts_block_microsoft_accounts : data: 'Microsoft Windows Server 2012*': @@ -339,7 +339,7 @@ win_secedit: tag: CIS-2.3.1.2 match_output: 'users cant add or log on with microsoft accounts' value_type: 'equal' - description: (l1) ensure 'accounts - - block microsoft accounts' is set to 'users can't add or log on with microsoft accounts' + description: (L1) Ensure 'accounts - - block microsoft accounts' is set to 'users can't add or log on with microsoft accounts' accounts_guest_account_status : data: 'Microsoft Windows Server 2012*': 
@@ -347,7 +347,7 @@ win_secedit: tag: CIS-2.3.1.3 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'accounts - guest account status' is set to 'disabled' + description: (L1) Ensure 'accounts - guest account status' is set to 'disabled' accounts_limit_local_account_use_of_blank_passwords_to_console_logon_only : data: 'Microsoft Windows Server 2012*': @@ -355,7 +355,7 @@ win_secedit: tag: CIS-2.3.1.4 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'accounts - limit local account use of blank passwords to console logon only' is set to 'enabled' + description: (L1) Ensure 'accounts - limit local account use of blank passwords to console logon only' is set to 'enabled' audit_force_audit_policy_subcategory_settings_to_override_audit_policy_category_settings : data: 'Microsoft Windows Server 2012*': @@ -363,7 +363,7 @@ win_secedit: tag: CIS-2.3.2.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'audit - force audit policy subcategory settings (windows vista or later) to override audit policy category settings' is set to 'enabled' + description: (L1) Ensure 'audit - force audit policy subcategory settings (windows vista or later) to override audit policy category settings' is set to 'enabled' audit_shut_down_system_immediately_if_unable_to_log_security_audits : data: 'Microsoft Windows Server 2012*': @@ -371,7 +371,7 @@ win_secedit: tag: CIS-2.3.2.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'audit - shut down system immediately if unable to log security audits' is set to 'disabled' + description: (L1) Ensure 'audit - shut down system immediately if unable to log security audits' is set to 'disabled' devices_allowed_to_format_and_eject_removable_media : data: 'Microsoft Windows Server 2012*': 
@@ -379,7 +379,7 @@ win_secedit: tag: CIS-2.3.4.1 match_output: 'Administrators' value_type: 'equal' - description: (l1) ensure 'devices - allowed to format and eject removable media' is set to 'administrators' + description: (L1) Ensure 'devices - allowed to format and eject removable media' is set to 'administrators' devices_prevent_users_from_installing_printer_drivers : data: 'Microsoft Windows Server 2012*': @@ -387,7 +387,7 @@ win_secedit: tag: CIS-2.3.4.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'devices - prevent users from installing printer drivers' is set to 'enabled' + description: (L1) Ensure 'devices - prevent users from installing printer drivers' is set to 'enabled' domain_member_digitally_encrypt_or_sign_secure_channel_data_ : data: 'Microsoft Windows Server 2012*': @@ -395,7 +395,7 @@ win_secedit: tag: CIS-2.3.6.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'domain member - digitally encrypt or sign secure channel data (always)' is set to 'enabled' + description: (L1) Ensure 'domain member - digitally encrypt or sign secure channel data (always)' is set to 'enabled' domain_member_digitally_encrypt_secure_channel_data : data: 'Microsoft Windows Server 2012*': @@ -403,7 +403,7 @@ win_secedit: tag: CIS-2.3.6.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'domain member - digitally encrypt secure channel data (when possible)' is set to 'enabled' + description: (L1) Ensure 'domain member - digitally encrypt secure channel data (when possible)' is set to 'enabled' domain_member_digitally_sign_secure_channel_data : data: 'Microsoft Windows Server 2012*': 
@@ -411,7 +411,7 @@ win_secedit: tag: CIS-2.3.6.3 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'domain member - digitally sign secure channel data (when possible)' is set to 'enabled' + description: (L1) Ensure 'domain member - digitally sign secure channel data (when possible)' is set to 'enabled' domain_member_disable_machine_account_password_changes : data: 'Microsoft Windows Server 2012*': @@ -419,7 +419,7 @@ win_secedit: tag: CIS-2.3.6.4 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'domain member - disable machine account password changes' is set to 'disabled' + description: (L1) Ensure 'domain member - disable machine account password changes' is set to 'disabled' domain_member_maximum_machine_account_password_age : data: 'Microsoft Windows Server 2012*': @@ -427,7 +427,7 @@ win_secedit: tag: CIS-2.3.6.5 match_output: '31' value_type: 'less' - description: (l1) ensure 'domain member - maximum machine account password age' is set to '30 or fewer days, but not 0' + description: (L1) Ensure 'domain member - maximum machine account password age' is set to '30 or fewer days, but not 0' domain_member_require_strong_session_key : data: 'Microsoft Windows Server 2012*': @@ -435,7 +435,7 @@ win_secedit: tag: CIS-2.3.6.6 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'domain member - require strong (windows 2000 or later) session key' is set to 'enabled' + description: (L1) Ensure 'domain member - require strong (windows 2000 or later) session key' is set to 'enabled' interactive_logon_do_not_display_last_user_name : data: 'Microsoft Windows Server 2012*': 
@@ -443,7 +443,7 @@ win_secedit: tag: CIS-2.3.7.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'interactive logon - do not display last user name' is set to 'enabled' + description: (L1) Ensure 'interactive logon - do not display last user name' is set to 'enabled' interactive_logon_do_not_require_ctrl+alt+del : data: 'Microsoft Windows Server 2012*': @@ -451,7 +451,7 @@ win_secedit: tag: CIS-2.3.7.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'interactive logon - do not require ctrl+alt+del' is set to 'disabled' + description: (L1) Ensure 'interactive logon - do not require ctrl+alt+del' is set to 'disabled' interactive_logon_machine_inactivity_limit : data: 'Microsoft Windows Server 2012*': @@ -459,7 +459,7 @@ win_secedit: tag: CIS-2.3.7.3 match_output: '901' value_type: 'less' - description: (l1) ensure 'interactive logon - machine inactivity limit' is set to '900 or fewer second(s), but not 0' + description: (L1) Ensure 'interactive logon - machine inactivity limit' is set to '900 or fewer second(s), but not 0' interactive_logon_message_text_for_users_attempting_to_log_on : #NOTE: Configure this data: 'Microsoft Windows Server 2012*': @@ -491,7 +491,7 @@ win_secedit: tag: CIS-2.3.7.7 match_output: '15' # between 5 and 14 value_type: 'less' - description: (l1) ensure 'interactive logon - prompt user to change password before expiration' is set to 'between 5 and 14 days' + description: (L1) Ensure 'interactive logon - prompt user to change password before expiration' is set to 'between 5 and 14 days' interactive_logon_require_domain_controller_authentication_to_unlock_workstation : data: 'Microsoft Windows Server 2012*': 
@@ -507,23 +507,23 @@ win_secedit: tag: CIS-2.3.7.9 match_output: 'Lock Workstation' # can be anything but No Action value_type: 'equal' - description: (l1) ensure 'interactive logon - smart card removal behavior' is set to 'lock workstation' or higher - microsoft_network_client_digitally_sign_communications_ : + description: (L1) Ensure 'interactive logon - smart card removal behavior' is set to 'lock workstation' or higher + microsoft_network_client_digitally_sign_communications_always : data: 'Microsoft Windows Server 2012*': - 'MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature': tag: CIS-2.3.8.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'microsoft network client - digitally sign communications (always)' is set to 'enabled' - microsoft_network_client_digitally_sign_communications_ : + description: (L1) Ensure 'microsoft network client - digitally sign communications (always)' is set to 'enabled' + microsoft_network_client_digitally_sign_communications_if_server_agrees : data: 'Microsoft Windows Server 2012*': - 'MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature': tag: CIS-2.3.8.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'microsoft network client - digitally sign communications (if server agrees)' is set to 'enabled' + description: (L1) Ensure 'microsoft network client - digitally sign communications (if server agrees)' is set to 'enabled' microsoft_network_client_send_unencrypted_password_to_third-party_smb_servers : data: 'Microsoft Windows Server 2012*': 
@@ -531,7 +531,7 @@ win_secedit: tag: CIS-2.3.8.3 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'microsoft network client - send unencrypted password to third-party smb servers' is set to 'disabled' + description: (L1) Ensure 'microsoft network client - send unencrypted password to third-party smb servers' is set to 'disabled' microsoft_network_server_amount_of_idle_time_required_before_suspending_session : data: 'Microsoft Windows Server 2012*': 
@@ -539,23 +539,23 @@ win_secedit: tag: CIS-2.3.9.1 match_output: '16' value_type: 'less' - description: (l1) ensure 'microsoft network server - amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0' - microsoft_network_server_digitally_sign_communications_ : + description: (L1) Ensure 'microsoft network server - amount of idle time required before suspending session' is set to '15 or fewer minute(s), but not 0' + microsoft_network_server_digitally_sign_communications_always : data: 'Microsoft Windows Server 2012*': - 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature': tag: CIS-2.3.9.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'microsoft network server - digitally sign communications (always)' is set to 'enabled' - microsoft_network_server_digitally_sign_communications_ : + description: (L1) Ensure 'microsoft network server - digitally sign communications (always)' is set to 'enabled' + microsoft_network_server_digitally_sign_communications_if_client_agrees : data: 'Microsoft Windows Server 2012*': - 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature': tag: CIS-2.3.9.3 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'microsoft network server - digitally sign communications (if client agrees)' is set to 'enabled' + description: (L1) Ensure 'microsoft network server - digitally sign communications (if client agrees)' is set to 'enabled' microsoft_network_server_disconnect_clients_when_logon_hours_expire : data: 'Microsoft Windows Server 2012*': 
@@ -563,7 +563,7 @@ win_secedit: tag: CIS-2.3.9.4 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'microsoft network server - disconnect clients when logon hours expire' is set to 'enabled' + description: (L1) Ensure 'microsoft network server - disconnect clients when logon hours expire' is set to 'enabled' microsoft_network_server_server_spn_target_name_validation_level : data: 'Microsoft Windows Server 2012*': 
@@ -571,255 +571,247 @@ win_secedit: tag: CIS-2.3.9.5 match_output: 'Accept if provided by client' value_type: 'equal' - description: (l1) ensure 'microsoft network server - server spn target name validation level' is set to 'accept if provided by client' or higher + description: (L1) Ensure 'microsoft network server - server spn target name validation level' is set to 'accept if provided by client' or higher network_access_allow_anonymous_sid/name_translation : data: 'Microsoft Windows Server 2012*': - 'LSAAnonymousNameLookup': - tag: CIS-2.3.10.1 + tag: CIS-2.3.11.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'network access - allow anonymous sid/name translation' is set to 'disabled' + description: (L1) Ensure 'network access - allow anonymous sid/name translation' is set to 'disabled' network_access_do_not_allow_anonymous_enumeration_of_sam_accounts : data: 'Microsoft Windows Server 2012*': - 'MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM': - tag: CIS-2.3.10.2 + tag: CIS-2.3.11.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'network access - do not allow anonymous enumeration of sam accounts' is set to 'enabled' + description: (L1) Ensure 'network access - do not allow anonymous enumeration of sam accounts' is set to 'enabled' network_access_do_not_allow_anonymous_enumeration_of_sam_accounts_and_shares : data: 'Microsoft Windows Server 2012*': - 'MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous': - tag: CIS-2.3.10.3 - match_output: 'Enabled' - value_type: 'equal' - description: (l1) ensure 'network access - do not allow anonymous enumeration of sam accounts and shares' is set to 'enabled' - network_access_do_not_allow_storage_of_passwords_and_credentials_for_network_authentication : - data: - 'Microsoft Windows Server 2012*': - - 'MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds': - tag: CIS-2.3.10.4 + tag: CIS-2.3.11.3 match_output: 'Enabled' value_type: 
'equal' - description: 'Network access Do not allow storage of passwords and credentials for network authentication' + description: (L1) Ensure 'network access - do not allow anonymous enumeration of sam accounts and shares' is set to 'enabled' network_access_let_everyone_persmissions_apply_to_anonymous_users : data: 'Microsoft Windows Server 2012*': - 'MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous': - tag: CIS-2.3.10.5 + tag: CIS-2.3.11.5 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'network access - let everyone permissions apply to anonymous users' is set to 'disabled' + description: (L1) Ensure 'network access - let everyone permissions apply to anonymous users' is set to 'disabled' network_access_remotely_accessible_registry_paths : data: 'Microsoft Windows Server 2012*': - 'MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine': - tag: CIS-2.3.10.7 + tag: CIS-2.3.11.7 match_output: 'System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion' value_type: 'equal' - description: (l1) ensure 'network access - remotely accessible registry paths' + description: (L1) Ensure 'network access - remotely accessible registry paths' network_access_remotely_accessible_registry_paths_and_sub-paths : data: 'Microsoft Windows Server 2012*': - 'MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine': - tag: CIS-2.3.10.8 + tag: CIS-2.3.11.8 match_output: 'System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, 
System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows NT\CurrentVersion\Perflib, System\CurrentControlSet\Services\SysmonLog' value_type: 'equal' - description: (l1) ensure 'network access - remotely accessible registry paths and sub-paths' + description: (L1) Ensure 'network access - remotely accessible registry paths and sub-paths' network_access_restrict_anonymous_access_to_named_pipes_and_shares : data: 'Microsoft Windows Server 2012*': - 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess': - tag: CIS-2.3.10.9 + tag: CIS-2.3.11.9 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'network access - restrict anonymous access to named pipes and shares' is set to 'enabled' + description: (L1) Ensure 'network access - restrict anonymous access to named pipes and shares' is set to 'enabled' network_access_sharing_and_security_model_for_local_accounts : data: 'Microsoft Windows Server 2012*': - 'MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest': - tag: CIS-2.3.10.11 + tag: CIS-2.3.11.11 match_output: 'Classic - local users authenticate as themselves' value_type: 'equal' - description: (l1) ensure 'network access - sharing and security model for local accounts' is set to 'classic - local users authenticate as themselves' + description: (L1) Ensure 'network access - sharing and security model for local accounts' is set to 'classic - local users authenticate as themselves' network_security_allow_local_system_to_use_computer_identity_for_ntlm : data: 'Microsoft Windows Server 2012*': - 'MACHINE\System\CurrentControlSet\Control\Lsa\UseMachineId': - tag: CIS-2.3.11.1 + tag: CIS-2.3.12.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'network security - allow local system to use computer identity for ntlm' is set to 'enabled' + description: (L1) Ensure 'network security - allow local system to use computer identity for ntlm' is set to 
'enabled' network_security_allow_localsystem_null_session_fallback : data: 'Microsoft Windows Server 2012*': - 'MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback': - tag: CIS-2.3.11.2 + tag: CIS-2.3.12.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'network security - allow localsystem null session fallback' is set to 'disabled' + description: (L1) Ensure 'network security - allow localsystem null session fallback' is set to 'disabled' network_security_allow_pku2u_authentication_requests_to_this_computer_to_use_online_identities : data: 'Microsoft Windows Server 2012*': - 'MACHINE\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID': - tag: CIS-2.3.11.3 + tag: CIS-2.3.12.3 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'network security - allow pku2u authentication requests to this computer to use online identities' is set to 'disabled' + description: (L1) Ensure 'network security - allow pku2u authentication requests to this computer to use online identities' is set to 'disabled' network_security_configure_encryption_types_allowed_for_kerberos : data: 'Microsoft Windows Server 2012*': - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes': - tag: CIS-2.3.11.4 + tag: CIS-2.3.12.4 match_output: 'RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types' value_type: 'equal' - description: (l1) ensure 'network security - configure encryption types allowed for kerberos' is set to 'rc4_hmac_md5, aes128_hmac_sha1, aes256_hmac_sha1, future encryption types' + description: (L1) Ensure 'network security - configure encryption types allowed for kerberos' is set to 'rc4_hmac_md5, aes128_hmac_sha1, aes256_hmac_sha1, future encryption types' network_security_do_not_store_lan_manager_hash_value_on_next_password_change : data: 'Microsoft Windows Server 2012*': - 'MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash': - 
tag: CIS-2.3.11.5 + tag: CIS-2.3.12.5 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'network security - do not store lan manager hash value on next password change' is set to 'enabled' + description: (L1) Ensure 'network security - do not store lan manager hash value on next password change' is set to 'enabled' network_security_force_logoff_when_logon_hours_expire : data: 'Microsoft Windows Server 2012*': - 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff': - tag: CIS-2.3.11.6 + tag: CIS-2.3.12.6 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'network security - force logoff when logon hours expire' is set to 'enabled' + description: (L1) Ensure 'network security - force logoff when logon hours expire' is set to 'enabled' network_security_lan_manager_authentication_level : data: 'Microsoft Windows Server 2012*': - 'MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel': - tag: CIS-2.3.11.7 + tag: CIS-2.3.12.7 match_output: 'Send NTLMv2 response only. Refuse LM & NTLM' value_type: 'equal' - description: (l1) ensure 'network security - lan manager authentication level' is set to 'send ntlmv2 response only. refuse lm & ntlm' + description: (L1) Ensure 'network security - lan manager authentication level' is set to 'send ntlmv2 response only. 
refuse lm & ntlm' network_security_ldap_client_signing_requirements : data: 'Microsoft Windows Server 2012*': - 'MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity': - tag: CIS-2.3.11.8 + tag: CIS-2.3.12.8 match_output: 'Negotiate signing' value_type: 'equal' - description: (l1) ensure 'network security - ldap client signing requirements' is set to 'negotiate signing' or higher + description: (L1) Ensure 'network security - ldap client signing requirements' is set to 'negotiate signing' or higher network_security_minimum_session_security_for_ntlm_ssp_based_clients : data: 'Microsoft Windows Server 2012*': - 'MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec': - tag: CIS-2.3.11.9 + tag: CIS-2.3.12.9 match_output: 'Require NTLMv2 session security, Require 128-bit encryption' value_type: 'equal' - description: (l1) ensure 'network security - minimum session security for ntlm ssp based (including secure rpc) clients' is set to 'require ntlmv2 session security, require 128-bit encryption' + description: (L1) Ensure 'network security - minimum session security for ntlm ssp based (including secure rpc) clients' is set to 'require ntlmv2 session security, require 128-bit encryption' network_security_minimum_session_security_for_ntlm_ssp_based_(including_secure_rpc_servers : data: 'Microsoft Windows Server 2012*': - 'MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec': - tag: CIS-2.3.11.10 + tag: CIS-2.3.12.10 match_output: 'Require NTLMv2 session security, Require 128-bit encryption' value_type: 'equal' - description: (l1) ensure 'network security - minimum session security for ntlm ssp based (including secure rpc) servers' is set to 'require ntlmv2 session security, require 128-bit encryption' + description: (L1) Ensure 'network security - minimum session security for ntlm ssp based (including secure rpc) servers' is set to 'require ntlmv2 session security, require 128-bit encryption' 
shutdown_allow_system_to_be_shut_down_without_having_to_log_on : data: 'Microsoft Windows Server 2012*': - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon': - tag: CIS-2.3.13.1 + tag: CIS-2.3.14.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'shutdown - allow system to be shut down without having to log on' is set to 'disabled' + description: (L1) Ensure 'shutdown - allow system to be shut down without having to log on' is set to 'disabled' system_objects_require_case_insensitivity_for_non-windows_subsystems : data: 'Microsoft Windows Server 2012*': - 'MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive': - tag: CIS-2.3.15.1 + tag: CIS-2.3.16.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'system objects - require case insensitivity for non-windows subsystems' is set to 'enabled' + description: (L1) Ensure 'system objects - require case insensitivity for non-windows subsystems' is set to 'enabled' system_objects_strengthen_default_permissions_of_internal_system_objects_(e.g._symbolic_links : data: 'Microsoft Windows Server 2012*': - 'MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode': - tag: CIS-2.3.15.2 + tag: CIS-2.3.16.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'system objects - strengthen default permissions of internal system objects (e.g. symbolic links)' is set to 'enabled' + description: (L1) Ensure 'system objects - strengthen default permissions of internal system objects (e.g. 
symbolic links)' is set to 'enabled' user_account_control_admin_approval_mode_for_the_built-in_administrator_account : data: 'Microsoft Windows Server 2012*': - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken': - tag: CIS-2.3.17.1 + tag: CIS-2.3.18.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'user account control - admin approval mode for the built-in administrator account' is set to 'enabled' + description: (L1) Ensure 'user account control - admin approval mode for the built-in administrator account' is set to 'enabled' user_account_control_allow_uiaccess_applications_to_prompt_for_elevation_without_using_the_secure_desktop : data: 'Microsoft Windows Server 2012*': - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle': - tag: CIS-2.3.17.2 + tag: CIS-2.3.18.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'user account control - allow uiaccess applications to prompt for elevation without using the secure desktop' is set to 'disabled' + description: (L1) Ensure 'user account control - allow uiaccess applications to prompt for elevation without using the secure desktop' is set to 'disabled' user_account_control_behavior_of_the_elevation_prompt_for_administrators_in_admin_approval_mode : data: 'Microsoft Windows Server 2012*': - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin': - tag: CIS-2.3.17.3 + tag: CIS-2.3.18.3 match_output: 'Prompt for consent on the secure desktop' value_type: 'equal' - description: (l1) ensure 'user account control - behavior of the elevation prompt for administrators in admin approval mode' is set to 'prompt for consent on the secure desktop' + description: (L1) Ensure 'user account control - behavior of the elevation prompt for administrators in admin approval mode' is set to 'prompt for consent on the secure desktop' 
user_account_control_behavior_of_the_elevation_prompt_for_standard_users : data: 'Microsoft Windows Server 2012*': - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser': - tag: CIS-2.3.17.4 + tag: CIS-2.3.18.4 match_output: 'Automatically deny elevation requests' value_type: 'equal' - description: (l1) ensure 'user account control - behavior of the elevation prompt for standard users' is set to 'automatically deny elevation requests' + description: (L1) Ensure 'user account control - behavior of the elevation prompt for standard users' is set to 'automatically deny elevation requests' user_account_control_detect_application_installations_and_prompt_for_elevation : data: 'Microsoft Windows Server 2012*': - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection': - tag: CIS-2.3.17.5 + tag: CIS-2.3.18.5 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'user account control - detect application installations and prompt for elevation' is set to 'enabled' + description: (L1) Ensure 'user account control - detect application installations and prompt for elevation' is set to 'enabled' user_account_control_only_elevate_uiaccess_applications_that_are_installed_in_secure_locations : data: 'Microsoft Windows Server 2012*': - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths': - tag: CIS-2.3.17.6 + tag: CIS-2.3.18.6 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'user account control - only elevate uiaccess applications that are installed in secure locations' is set to 'enabled' + description: (L1) Ensure 'user account control - only elevate uiaccess applications that are installed in secure locations' is set to 'enabled' user_account_control_run_all_administrators_in_admin_approval_mode : data: 'Microsoft Windows Server 2012*': - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA': - tag: 
CIS-2.3.17.7 + tag: CIS-2.3.18.7 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'user account control - run all administrators in admin approval mode' is set to 'enabled' + description: (L1) Ensure 'user account control - run all administrators in admin approval mode' is set to 'enabled' user_account_control_switch_to_the_secure_desktop_when_prompting_for_elevation : data: 'Microsoft Windows Server 2012*': - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop': - tag: CIS-2.3.17.8 + tag: CIS-2.3.18.8 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'user account control - switch to the secure desktop when prompting for elevation' is set to 'enabled' + description: (L1) Ensure 'user account control - switch to the secure desktop when prompting for elevation' is set to 'enabled' user_account_control_virtualize_file_and_registry_write_failures_to_per-user_locations : data: 'Microsoft Windows Server 2012*': - 'MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\': - tag: CIS-2.3.17.9 + tag: CIS-2.3.18.9 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'user account control - virtualize file and registry write failures to per-user locations' is set to 'enabled' + description: (L1) Ensure 'user account control - virtualize file and registry write failures to per-user locations' is set to 'enabled' blacklist: accounts_rename_administrator_account : @@ -841,8 +833,8 @@ win_secedit: network_access_named_pipes_that_can_be_accessed_anonymously : data: 'Microsoft Windows Server 2012*': - - 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\': - tag: CIS-2.3.10.6 + - 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes': + tag: CIS-2.3.11.6 match_output: '' value_type: 'equal' description: (l1) configure 'network access - named pipes that can be accessed anonymously' 
@@ -850,10 +842,10 @@ win_secedit: data: 'Microsoft Windows Server 2012*': - 'MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares': - tag: CIS-2.3.10.10 + tag: CIS-2.3.11.10 match_output: '' value_type: 'equal' - description: (l1) ensure 'network access - shares that can be accessed anonymously' is set to 'none' + description: (L1) Ensure 'network access - shares that can be accessed anonymously' is set to 'none' access_credential_manager: data: 'Microsoft Windows Server 2012*': @@ -861,7 +853,7 @@ win_secedit: tag: CIS-2.2.1 match_output: 'No One' value_type: 'match' - description: (l1) ensure 'access credential manager as a trusted caller' is set to 'no one' + description: (L1) Ensure 'access credential manager as a trusted caller' is set to 'no one' act_as_operating_system: data: 'Microsoft Windows Server 2012*': @@ -869,7 +861,7 @@ win_secedit: tag: CIS-2.2.3 match_output: 'No One' value_type: 'match' - description: (l1) ensure 'act as part of the operating system' is set to 'no one' + description: (L1) Ensure 'act as part of the operating system' is set to 'no one' create_a_token_object : data: 'Microsoft Windows Server 2012*': @@ -877,7 +869,7 @@ win_secedit: tag: CIS-2.2.12 match_output: 'No One' value_type: 'account' - description: (l1) ensure 'create a token object' is set to 'no one' + description: (L1) Ensure 'create a token object' is set to 'no one' create_permanent_shared_objects : data: 'Microsoft Windows Server 2012*': @@ -885,7 +877,7 @@ win_secedit: tag: CIS-2.2.14 match_output: 'No One' value_type: 'account' - description: (l1) ensure 'create permanent shared objects' is set to 'no one' + description: (L1) Ensure 'create permanent shared objects' is set to 'no one' enable_computer_and_user_accounts_to_be_trusted_for_delegation : data: 'Microsoft Windows Server 2012*': 
@@ -901,23 +893,15 @@ win_secedit: tag: CIS-2.2.28 match_output: 'No One' value_type: 'account' - description: (l1) ensure 'lock pages in memory' is set to 'no one' + description: (L1) Ensure 'lock pages in memory' is set to 'no one' modify_an_object_label : data: 'Microsoft Windows Server 2012*': - 'SeRelabelPrivilege': - tag: CIS-2.2.31 - match_output: 'No One' - value_type: 'account' - description: (l1) ensure 'modify an object label' is set to 'no one' - synchronize_directory_service_data : - data: - 'Microsoft Windows Server 2012*': - - 'SeSyncAgentPrivilege': - tag: CIS-2.2.39 + tag: CIS-2.2.30 match_output: 'No One' value_type: 'account' - description: (l1) ensure 'synchronize directory service data' is set to 'no one' (dc only) + description: (L1) Ensure 'modify an object label' is set to 'no one' win_firewall: whitelist: @@ -928,7 +912,7 @@ win_firewall: tag: CIS-9.1.1 match_output: 'True' value_type: 'domain' - description: (l1) ensure 'windows firewall - domain - firewall state' is set to 'on (recommended)' + description: (L1) Ensure 'windows firewall - domain - firewall state' is set to 'on (recommended)' windows_firewall_domain_inbound_connections : data: 'Microsoft Windows Server 2012*': @@ -936,7 +920,7 @@ win_firewall: tag: CIS-9.1.2 match_output: 'Block' value_type: 'domain' - description: (l1) ensure 'windows firewall - domain - inbound connections' is set to 'block (default)' + description: (L1) Ensure 'windows firewall - domain - inbound connections' is set to 'block (default)' windows_firewall_domain_outbound_connections : data: 'Microsoft Windows Server 2012*': 
@@ -944,63 +928,71 @@ win_firewall: tag: CIS-9.1.3 match_output: 'Allow' value_type: 'domain' - description: (l1) ensure 'windows firewall - domain - outbound connections' is set to 'allow (default)' + description: (L1) Ensure 'windows firewall - domain - outbound connections' is set to 'allow (default)' windows_firewall_domain_settings_display_a_notification : data: 'Microsoft Windows Server 2012*': - - 'NotifyOnListen': + - 'DisplayANotification': tag: CIS-9.1.4 match_output: 'False' value_type: 'domain' - description: (l1) ensure 'windows firewall - domain - settings - display a notification' is set to 'no' + description: (L1) Ensure 'windows firewall - domain - settings - display a notification' is set to 'no' + windows_firewall_domain_settings_allow_unicast_response : + data: + 'Microsoft Windows Server 2012*': + - 'AllowUnicastResponse': + tag: CIS-9.1.5 + match_output: 'False' + value_type: 'domain' + description: "(L1) Set 'Windows Firewall: Domain: Allow unicast response' to 'No'" windows_firewall_domain_settings_apply_local_firewall_rules : data: 'Microsoft Windows Server 2012*': - 'AllowLocalFirewallRules': - tag: CIS-9.1.5 + tag: CIS-9.1.6 match_output: 'True' value_type: 'domain' - description: (l1) ensure 'windows firewall - domain - settings - apply local firewall rules' is set to 'yes (default)' + description: (L1) Ensure 'windows firewall - domain - settings - apply local firewall rules' is set to 'yes (default)' windows_firewall_domain_settings_apply_local_connection_security_rules : data: 'Microsoft Windows Server 2012*': - 'AllowLocalIPsecRules': - tag: CIS-9.1.6 + tag: CIS-9.1.7 match_output: 'True' value_type: 'domain' - description: (l1) ensure 'windows firewall - domain - settings - apply local connection security rules' is set to 'yes (default)' + description: (L1) Ensure 'windows firewall - domain - settings - apply local connection security rules' is set to 'yes (default)' windows_firewall_domain_logging_name : data: 'Microsoft Windows 
Server 2012*': - 'LogFileName': - tag: CIS-9.1.7 + tag: CIS-9.1.8 match_output: '%SYSTEMROOT%\System32\logfiles\firewall\domainfw.log' value_type: 'domain' - description: (l1) ensure 'windows firewall - domain - logging - name' is set to '%systemroot%\system32\logfiles\firewall\domainfw.log' + description: (L1) Ensure 'windows firewall - domain - logging - name' is set to '%systemroot%\system32\logfiles\firewall\domainfw.log' windows_firewall_domain_logging_size_limit : data: 'Microsoft Windows Server 2012*': - 'LogMaxSizeKilobytes': - tag: CIS-9.1.8 + tag: CIS-9.1.9 match_output: '16384' value_type: 'domain' - description: (l1) ensure 'windows firewall - domain - logging - size limit (kb)' is set to '16,384 kb or greater' + description: (L1) Ensure 'windows firewall - domain - logging - size limit (kb)' is set to '16,384 kb or greater' windows_firewall_domain_logging_log_dropped_packets : data: 'Microsoft Windows Server 2012*': - 'LogBlocked': - tag: CIS-9.1.9 + tag: CIS-9.1.10 match_output: 'True' value_type: 'domain' - description: (l1) ensure 'windows firewall - domain - logging - log dropped packets' is set to 'yes' + description: (L1) Ensure 'windows firewall - domain - logging - log dropped packets' is set to 'yes' windows_firewall_domain_logging_log_successful_connections : data: 'Microsoft Windows Server 2012*': - 'LogAllowed': - tag: CIS-9.1.10 + tag: CIS-9.1.11 match_output: 'True' value_type: 'domain' - description: (l1) ensure 'windows firewall - domain - logging - log successful connections' is set to 'yes' + description: (L1) Ensure 'windows firewall - domain - logging - log successful connections' is set to 'yes' windows_firewall_private_firewall_state : data: 'Microsoft Windows Server 2012*': 
@@ -1008,7 +1000,7 @@ win_firewall: tag: CIS-9.2.1 match_output: 'True' value_type: 'private' - description: (l1) ensure 'windows firewall - private - firewall state' is set to 'on (recommended)' + description: (L1) Ensure 'windows firewall - private - firewall state' is set to 'on (recommended)' windows_firewall_private_inbound_connections : data: 'Microsoft Windows Server 2012*': @@ -1016,7 +1008,7 @@ win_firewall: tag: CIS-9.2.2 match_output: 'Block' value_type: 'private' - description: (l1) ensure 'windows firewall - private - inbound connections' is set to 'block (default)' + description: (L1) Ensure 'windows firewall - private - inbound connections' is set to 'block (default)' windows_firewall_private_outbound_connections : data: 'Microsoft Windows Server 2012*': 
@@ -1024,63 +1016,71 @@ win_firewall: tag: CIS-9.2.3 match_output: 'Allow' value_type: 'private' - description: (l1) ensure 'windows firewall - private - outbound connections' is set to 'allow (default)' + description: (L1) Ensure 'windows firewall - private - outbound connections' is set to 'allow (default)' windows_firewall_private_settings_display_a_notification : data: 'Microsoft Windows Server 2012*': - - 'NotifyOnListen': + - 'DisplayANotification': tag: CIS-9.2.4 match_output: 'False' value_type: 'private' - description: (l1) ensure 'windows firewall - private - settings - display a notification' is set to 'no' + description: (L1) Ensure 'windows firewall - private - settings - display a notification' is set to 'no' + windows_firewall_private_settings_allow_unicast_response : + data: + 'Microsoft Windows Server 2012*': + - 'AllowUnicastResponse': + tag: CIS-9.2.5 + match_output: 'False' + value_type: 'private' + description: "(L1) Set 'Windows Firewall: private: Allow unicast response' to 'No'" windows_firewall_private_settings_apply_local_firewall_rules : data: 'Microsoft Windows Server 2012*': - 'AllowLocalFirewallRules': - tag: CIS-9.2.5 + tag: CIS-9.2.6 match_output: 'True' value_type: 'private' - description: (l1) ensure 'windows firewall - private - settings - apply local firewall rules' is set to 'yes (default)' + description: (L1) Ensure 'windows firewall - private - settings - apply local firewall rules' is set to 'yes (default)' windows_firewall_private_settings_apply_local_connection_security_rules : data: 'Microsoft Windows Server 2012*': - 'AllowLocalIPsecRules': - tag: CIS-9.2.6 + tag: CIS-9.2.7 match_output: 'True' value_type: 'private' - description: (l1) ensure 'windows firewall - private - settings - apply local connection security rules' is set to 'yes (default)' + description: (L1) Ensure 'windows firewall - private - settings - apply local connection security rules' is set to 'yes (default)' windows_firewall_private_logging_name : data: 
'Microsoft Windows Server 2012*': - 'LogFileName': - tag: CIS-9.2.7 + tag: CIS-9.2.8 match_output: '%SYSTEMROOT%\System32\logfiles\firewall\privatefw.log' value_type: 'private' - description: (l1) ensure 'windows firewall - private - logging - name' is set to '%systemroot%\system32\logfiles\firewall\privatefw.log' + description: (L1) Ensure 'windows firewall - private - logging - name' is set to '%systemroot%\system32\logfiles\firewall\privatefw.log' windows_firewall_private_logging_size_limit : data: 'Microsoft Windows Server 2012*': - 'LogMaxSizeKilobytes': - tag: CIS-9.2.8 + tag: CIS-9.2.9 match_output: '16384' value_type: 'private' - description: (l1) ensure 'windows firewall - private - logging - size limit (kb)' is set to '16,384 kb or greater' + description: (L1) Ensure 'windows firewall - private - logging - size limit (kb)' is set to '16,384 kb or greater' windows_firewall_private_logging_log_dropped_packets : data: 'Microsoft Windows Server 2012*': - 'LogBlocked': - tag: CIS-9.2.9 + tag: CIS-9.2.10 match_output: 'True' value_type: 'private' - description: (l1) ensure 'windows firewall - private - logging - log dropped packets' is set to 'yes' + description: (L1) Ensure 'windows firewall - private - logging - log dropped packets' is set to 'yes' windows_firewall_private_logging_log_successful_connections : data: 'Microsoft Windows Server 2012*': - 'LogAllowed': - tag: CIS-9.2.10 + tag: CIS-9.2.11 match_output: 'True' value_type: 'private' - description: (l1) ensure 'windows firewall - private - logging - log successful connections' is set to 'yes' + description: (L1) Ensure 'windows firewall - private - logging - log successful connections' is set to 'yes' windows_firewall_public_firewall_state : data: 'Microsoft Windows Server 2012*': 
@@ -1088,7 +1088,7 @@ win_firewall: tag: CIS-9.3.1 match_output: 'True' value_type: 'public' - description: (l1) ensure 'windows firewall - public - firewall state' is set to 'on (recommended)' + description: (L1) Ensure 'windows firewall - public - firewall state' is set to 'on (recommended)' windows_firewall_public_inbound_connections : data: 'Microsoft Windows Server 2012*': @@ -1096,7 +1096,7 @@ win_firewall: tag: CIS-9.3.2 match_output: 'Block' value_type: 'public' - description: (l1) ensure 'windows firewall - public - inbound connections' is set to 'block (default)' + description: (L1) Ensure 'windows firewall - public - inbound connections' is set to 'block (default)' windows_firewall_public_outbound_connections : data: 'Microsoft Windows Server 2012*': 
@@ -1104,63 +1104,71 @@ win_firewall: tag: CIS-9.3.3 match_output: 'Allow' value_type: 'public' - description: (l1) ensure 'windows firewall - public - outbound connections' is set to 'allow (default)' + description: (L1) Ensure 'windows firewall - public - outbound connections' is set to 'allow (default)' windows_firewall_public_settings_display_a_notification : data: 'Microsoft Windows Server 2012*': - - 'NotifyOnListen': + - 'DisplayANotification': tag: CIS-9.3.4 match_output: 'True' value_type: 'public' - description: (l1) ensure 'windows firewall - public - settings - display a notification' is set to 'yes' + description: (L1) Ensure 'windows firewall - public - settings - display a notification' is set to 'yes' + windows_firewall_public_settings_allow_unicast_response : + data: + 'Microsoft Windows Server 2012*': + - 'AllowUnicastResponse': + tag: CIS-9.3.5 + match_output: 'False' + value_type: 'public' + description: "(L1) Set 'Windows Firewall: Public: Allow unicast response' to 'No'" windows_firewall_public_settings_apply_local_firewall_rules : data: 'Microsoft Windows Server 2012*': - 'AllowLocalFirewallRules': - tag: CIS-9.3.5 + tag: CIS-9.3.6 match_output: 'False' value_type: 'public' - description: (l1) ensure 'windows firewall - public - settings - apply local firewall rules' is set to 'no' + description: (L1) Ensure 'windows firewall - public - settings - apply local firewall rules' is set to 'no' windows_firewall_public_settings_apply_local_connection_security_rules : data: 'Microsoft Windows Server 2012*': - 'AllowLocalIPsecRules': - tag: CIS-9.3.6 + tag: CIS-9.3.7 match_output: 'False' value_type: 'public' - description: (l1) ensure 'windows firewall - public - settings - apply local connection security rules' is set to 'no' + description: (L1) Ensure 'windows firewall - public - settings - apply local connection security rules' is set to 'no' windows_firewall_public_logging_name : data: 'Microsoft Windows Server 2012*': - 'LogFileName': - tag: 
CIS-9.3.7 + tag: CIS-9.3.8 match_output: '%SYSTEMROOT%\System32\logfiles\firewall\publicfw.log' value_type: 'public' - description: (l1) ensure 'windows firewall - public - logging - name' is set to '%systemroot%\system32\logfiles\firewall\publicfw.log' + description: (L1) Ensure 'windows firewall - public - logging - name' is set to '%systemroot%\system32\logfiles\firewall\publicfw.log' windows_firewall_public_logging_size_limit_(kb : data: 'Microsoft Windows Server 2012*': - 'LogMaxSizeKilobytes': - tag: CIS-9.3.8 + tag: CIS-9.3.9 match_output: '16384' value_type: 'public' - description: (l1) ensure 'windows firewall - public - logging - size limit (kb)' is set to '16,384 kb or greater' + description: (L1) Ensure 'windows firewall - public - logging - size limit (kb)' is set to '16,384 kb or greater' windows_firewall_public_logging_log_dropped_packets : data: 'Microsoft Windows Server 2012*': - 'LogBlocked': - tag: CIS-9.3.9 + tag: CIS-9.3.10 match_output: 'True' value_type: 'public' - description: (l1) ensure 'windows firewall - public - logging - log dropped packets' is set to 'yes' + description: (L1) Ensure 'windows firewall - public - logging - log dropped packets' is set to 'yes' windows_firewall_public_logging_log_successful_connections : data: 'Microsoft Windows Server 2012*': - 'LogAllowed': - tag: CIS-9.3.10 + tag: CIS-9.3.11 match_output: 'True' value_type: 'public' - description: (l1) ensure 'windows firewall - public - logging - log successful connections' is set to 'yes' + description: (L1) Ensure 'windows firewall - public - logging - log successful connections' is set to 'yes' win_auditpol: whitelist: 
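Review bot: In the private-profile hunk (@@ -1024,63) and the public-profile hunk (@@ -1104,63) of `win_firewall`, the lookup key `NotifyOnListen` is renamed to `DisplayANotification` for CIS-9.2.4 and CIS-9.3.4; unless the win_firewall audit module resolves that new name, both checks will return an error on every host instead of a pass or fail, so please confirm the module side of this rename, which is not in this diff. Two smaller points in the same hunks: the new `AllowUnicastResponse` entries use a double-quoted `description: "(L1) Set 'Windows Firewall: private: Allow unicast response' to 'No'"` where every neighbouring entry uses the unquoted `(L1) Ensure '...' is set to '...'` form (and the public copy capitalises `Public:` while the private one does not), so `description: (L1) Ensure 'windows firewall - private - settings - allow unicast response' is set to 'no'` would match the rest; and the context key `windows_firewall_public_logging_size_limit_(kb :` carries a stray `_(kb` that its private counterpart `windows_firewall_private_logging_size_limit` does not, which is worth fixing while the tag directly beneath it is being touched.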
@@ -1171,52 +1179,43 @@ win_auditpol: tag: CIS-17.1.1 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit credential validation' is set to 'success and failure' - - Audit Application Group Management : - data: - 'Microsoft Windows Server 2012*': - - 'Application Group Management': - tag: CIS-17.2.1 - match_output: 'Success and Failure' - value_type: 'equal' - description: (l1) ensure 'audit application group management' is set to 'success and failure' + description: (L1) Ensure 'audit credential validation' is set to 'success and failure' Audit Computer Account Management : data: 'Microsoft Windows Server 2012*': - 'Computer Account Management': - tag: CIS-17.2.2 + tag: CIS-17.2.1 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit computer account management' is set to 'success and failure' + description: (L1) Ensure 'audit computer account management' is set to 'success and failure' Audit Other Account Management Events : data: 'Microsoft Windows Server 2012*': - 'Other Account Management Events': - tag: CIS-17.2.4 + tag: CIS-17.2.3 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit other account management events' is set to 'success and failure' + description: (L1) Ensure 'audit other account management events' is set to 'success and failure' Audit Security Group Management : data: 'Microsoft Windows Server 2012*': - 'Security Group Management': - tag: CIS-17.2.5 + tag: CIS-17.2.4 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit security group management' is set to 'success and failure' + description: (L1) Ensure 'audit security group management' is set to 'success and failure' Audit User Account Management : data: 'Microsoft Windows Server 2012*': - 'User Account Management': - tag: CIS-17.2.6 + tag: CIS-17.2.5 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit user 
account management' is set to 'success and failure' + description: (L1) Ensure 'audit User Account management' is set to 'success and failure' Audit Process Creation : data: @@ -1225,7 +1224,7 @@ win_auditpol: tag: CIS-17.3.1 match_output: 'Success' value_type: 'equal' - description: (l1) ensure 'audit process creation' is set to 'success' + description: (L1) Ensure 'audit process creation' is set to 'success' Audit Account Lockout : data: @@ -1234,7 +1233,7 @@ win_auditpol: tag: CIS-17.5.1 match_output: 'Success' value_type: 'equal' - description: (l1) ensure 'audit account lockout' is set to 'success' + description: (L1) Ensure 'audit account lockout' is set to 'success' Audit Logoff : data: @@ -1243,7 +1242,7 @@ win_auditpol: tag: CIS-17.5.2 match_output: 'Success' value_type: 'equal' - description: (l1) ensure 'audit logoff' is set to 'success' + description: (L1) Ensure 'audit logoff' is set to 'success' Audit Logon : data: @@ -1252,7 +1251,7 @@ win_auditpol: tag: CIS-17.5.3 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit logon' is set to 'success and failure' + description: (L1) Ensure 'audit logon' is set to 'success and failure' Audit Other Logon/Logoff Events : data: @@ -1261,7 +1260,7 @@ win_auditpol: tag: CIS-17.5.4 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit other logon/logoff events' is set to 'success and failure' + description: (L1) Ensure 'audit other logon/logoff events' is set to 'success and failure' Audit Special Logon : data: @@ -1270,7 +1269,7 @@ win_auditpol: tag: CIS-17.5.5 match_output: 'Success' value_type: 'equal' - description: (l1) ensure 'audit special logon' is set to 'success' + description: (L1) Ensure 'audit special logon' is set to 'success' Audit Removable Storage : data: 
@@ -1279,7 +1278,7 @@ win_auditpol: tag: CIS-17.6.1 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit removable storage' is set to 'success and failure' + description: (L1) Ensure 'audit removable storage' is set to 'success and failure' Audit Audit Policy Change : data: @@ -1288,7 +1287,7 @@ win_auditpol: tag: CIS-17.7.1 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit audit policy change' is set to 'success and failure' + description: (L1) Ensure 'audit audit policy change' is set to 'success and failure' Audit Authentication Policy Change : data: @@ -1297,7 +1296,7 @@ win_auditpol: tag: CIS-17.7.2 match_output: 'Success' value_type: 'equal' - description: (l1) ensure 'audit authentication policy change' is set to 'success' + description: (L1) Ensure 'audit authentication policy change' is set to 'success' Audit Sensitive Privilege Use : data: @@ -1306,7 +1305,7 @@ win_auditpol: tag: CIS-17.8.1 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit sensitive privilege use' is set to 'success and failure' + description: (L1) Ensure 'audit sensitive privilege use' is set to 'success and failure' Audit IPsec Driver : data: @@ -1315,7 +1314,7 @@ win_auditpol: tag: CIS-17.9.1 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit ipsec driver' is set to 'success and failure' + description: (L1) Ensure 'audit ipsec driver' is set to 'success and failure' Audit Other System Events : data: @@ -1324,7 +1323,7 @@ win_auditpol: tag: CIS-17.9.2 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit other system events' is set to 'success and failure' + description: (L1) Ensure 'audit other system events' is set to 'success and failure' Audit Security State Change : data: 
@@ -1333,7 +1332,7 @@ win_auditpol: tag: CIS-17.9.3 match_output: 'Success' value_type: 'equal' - description: (l1) ensure 'audit security state change' is set to 'success' + description: (L1) Ensure 'audit security state change' is set to 'success' Audit Security System Extension : data: @@ -1342,7 +1341,7 @@ win_auditpol: tag: CIS-17.9.4 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit security system extension' is set to 'success and failure' + description: (L1) Ensure 'audit security system extension' is set to 'success and failure' Audit System Integrity : data: @@ -1351,7 +1350,7 @@ win_auditpol: tag: CIS-17.9.5 match_output: 'Success and Failure' value_type: 'equal' - description: (l1) ensure 'audit system integrity' is set to 'success and failure' + description: (L1) Ensure 'audit system integrity' is set to 'success and failure' win_reg: whitelist: 
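Review bot: The win_auditpol hunk (@@ -1171,52) deletes the `Audit Application Group Management` check (CIS-17.2.1) and renumbers the remaining 17.2.x tags, but nothing in the diff says why; removing an audit-policy check silently lowers coverage for every consumer of this profile, so the commit message should state whether the item was dropped from the target benchmark revision or moved to another profile. Also, the new description `(L1) Ensure 'audit User Account management' is set to 'success and failure'` mixes case inside the quoted name while every other line in the block is lowercase; `'audit user account management'` keeps it consistent.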
@@ -1371,156 +1370,76 @@ win_reg: match_output: 'Enabled' value_type: 'equal' description: 'Ensure Prevent enabling lock screen slide show is set to Enabled' - Do not allow password expiration time longer than required by policy : - data: - 'Microsoft Windows Server 2012*': - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd\PwdExpirationProtectionEnabled': - tag: CIS-18.2.2 - match_output: 'Enabled' - value_type: 'equal' - description: 'Ensure Do not allow password expiration time longer than required by policy is set to Enabled ' - Enable Local Admin Password Management : - data: - 'Microsoft Windows Server 2012*': - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd\AdmPwdEnabled': - tag: CIS-18.2.3 - match_output: 'Enabled' - value_type: 'equal' - description: 'Ensure Enable Local Admin Password Management is set to Enabled ' - Password Settings_ Password Complexity : - data: - 'Microsoft Windows Server 2012*': - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd\PasswordComplexity': - tag: CIS-18.2.4 - match_output: 'Enabled: Large letters + small letters + numbers + special characters' - value_type: 'equal' - description: 'Ensure Password Settings - Password Complexity is set to Enabled - Large letters + small letters + numbers + special characters ' - Password Settings_ Password Length : - data: - 'Microsoft Windows Server 2012*': - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd\PasswordLength': - tag: CIS-18.2.5 - match_output: 'Enabled: 15 or more' - value_type: 'equal' - description: 'Ensure Password Settings - Password Length is set to Enabled - 15 or more ' - Password Settings_ Password Age : - data: - 'Microsoft Windows Server 2012*': - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft Services\AdmPwd\PasswordAgeDays': - tag: CIS-18.2.6 - match_output: 'Enabled: 30 or fewer' - value_type: 'equal' - description: 'Ensure Password Settings - Password Age is set to Enabled - 30 or fewer ' 
MSS_DisableIPSourceRouting IPv6 IP source routing protection level protects against packet spoofing : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting': - tag: CIS-18.3.2 + tag: CIS-2.3.10.2 match_output: 'Enabled' #: Highest protection, source routing is completely disabled' value_type: 'equal' - description: (l1) ensure 'mss - (disableipsourcerouting ipv6) ip source routing protection level (protects against packet spoofing)' is set to 'enabled - highest protection, source routing is completely disabled' + description: (L1) Ensure 'mss - (disableipsourcerouting ipv6) ip source routing protection level (protects against packet spoofing)' is set to 'enabled - highest protection, source routing is completely disabled' MSS_ IP source routing protection level protects against packet spoofing : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting': - tag: CIS-18.3.3 + tag: CIS-2.3.10.3 match_output: 'Enabled' #: Highest protection, source routing is completely disabled' value_type: 'equal' - description: (l1) ensure 'mss - (disableipsourcerouting) ip source routing protection level (protects against packet spoofing)' is set to 'enabled - highest protection, source routing is completely disabled' - MSS_ Allow ICMP redirects to override OSPF generated routes : - data: - 'Microsoft Windows Server 2012*': - - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect': - tag: CIS-18.3.4 - match_output: 'Disabled' - value_type: 'equal' - description: (l1) ensure 'mss - (enableicmpredirect) allow icmp redirects to override ospf generated routes' is set to 'disabled' - MSS_ Allow the computer to ignore NetBIOS name release requests except from WINS servers : - data: - 'Microsoft Windows Server 2012*': - - 
'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\nonamereleaseondemand': - tag: CIS-18.3.6 - match_output: 'Enabled' - value_type: 'equal' - description: (l1) ensure 'mss - (nonamereleaseondemand) allow the computer to ignore netbios name release requests except from wins servers' is set to 'enabled' + description: (L1) Ensure 'mss - (disableipsourcerouting) ip source routing protection level (protects against packet spoofing)' is set to 'enabled - highest protection, source routing is completely disabled'ed' MSS_ Enable Safe DLL search mode : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode': - tag: CIS-18.3.8 + tag: CIS-2.3.10.7 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'mss - (safedllsearchmode) enable safe dll search mode (recommended)' is set to 'enabled' + description: (L1) Ensure 'mss - (safedllsearchmode) enable safe dll search mode (recommended)' is set to 'enabled' MSS_ The time in seconds before the screen saver grace period expires : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod': - tag: CIS-18.3.9 + tag: CIS-2.3.10.8 match_output: 'Enabled: 5 or fewer seconds' value_type: 'equal' - description: (l1) ensure 'mss - (screensavergraceperiod) the time in seconds before the screen saver grace period expires (0 recommended)' is set to 'enabled - 5 or fewer seconds' + description: (L1) Ensure 'mss - (screensavergraceperiod) the time in seconds before the screen saver grace period expires (0 recommended)' is set to 'enabled - 5 or fewer seconds' MSS_ Percentage threshold for the security event log at which the system will generate a warning : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel': - tag: CIS-18.3.12 + tag: CIS-2.3.10.11 match_output: 'Enabled' #Enabled: 
90% or less value_type: 'less' - description: (l1) ensure 'mss - (warninglevel) percentage threshold for the security event log at which the system will generate a warning' is set to 'enabled - 90% or less' - Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled : - data: - 'Microsoft Windows Server 2012*': - - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Peernet\Disabled': - tag: CIS-18.4.9.2 - match_output: 'Enabled' - value_type: 'equal' - description: 'Ensure Turn off Microsoft Peer-to-Peer Networking Services is set to Enabled' + description: (L1) Ensure 'mss - (warninglevel) percentage threshold for the security event log at which the system will generate a warning' is set to 'enabled - 90% or less' Prohibit installation and configuration of Network Bridge on your DNS domain network : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Network Connections\NC_AllowNetBridge_NLA': - tag: CIS-18.4.10.2 + tag: CIS-18.3.10.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'prohibit installation and configuration of network bridge on your dns domain network' is set to 'enabled' + description: (L1) Ensure 'prohibit installation and configuration of network bridge on your dns domain network' is set to 'enabled' Require domain users to elevate when setting a network : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Network Connections\NC_StdDomainUserSetLocation': - tag: CIS-18.4.10.3 + tag: CIS-18.3.10.3 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'require domain users to elevate when setting a network's location' is set to 'enabled' + description: (L1) Ensure 'require domain users to elevate when setting a network's location' is set to 'enabled' Hardened UNC Paths : data: 'Microsoft Windows Server 2012*': - 
'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths\\*\NETLOGON': - tag: CIS-18.4.13.1 + tag: CIS-18.3.13.1 match_output: 'Enabled' #with "Require Mutual Authentication" and "Require Integrity" set for all NETLOGON and SYSVOL shares' value_type: 'equal' - description: (l1) ensure 'hardened unc paths' is set to 'enabled, with "require mutual authentication" and "require integrity" set for all netlogon and sysvol shares' - Disable IPv6 : - data: - 'Microsoft Windows Server 2012*': - - 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters\DisabledComponents': - tag: CIS-18.4.18.2.1 - match_output: '255' - value_type: 'equal' - description: 'Disable IPv6 - Ensure TCPIP6 Parameter DisabledComponents is set to 0xff (255)' - Minimize the number of simultaneous connections to the Internet or a Windows Domain : - data: - 'Microsoft Windows Server 2012*': - - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy\fMinimizeConnections': - tag: CIS-18.4.20.1 - match_output: 'Enabled' - value_type: 'equal' - description: (l1) ensure 'minimize the number of simultaneous connections to the internet or a windows domain' is set to 'enabled' + description: (L1) Ensure 'hardened unc paths' is set to 'enabled, with "require mutual authentication" and "require integrity" set for all netlogon and sysvol shares' Apply UAC restrictions to local accounts on network logons : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy': - tag: CIS-18.6.1 + tag: CIS-18.5.1 match_output: 'Enabled' value_type: 'equal' description: 'Ensure Apply UAC restrictions to local accounts on network logons is set to Enabled ' 
@@ -1528,55 +1447,55 @@ win_reg: data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy': - tag: CIS-18.8.11.1 + tag: CIS-18.7.11.1 match_output: 'Enabled' #: Good, unknown and bad but critical' value_type: 'equal' - description: (l1) ensure 'boot-start driver initialization policy' is set to 'enabled - good, unknown and bad but critical' + description: (L1) Ensure 'boot-start driver initialization policy' is set to 'enabled - good, unknown and bad but critical' Configure registry policy processing_ Do not apply during periodic background processing : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoBackgroundPolicy': - tag: CIS-18.8.18.2 + tag: CIS-18.7.18.2 match_output: 'Enabled'# : FALSE' value_type: 'equal' - description: (l1) ensure 'configure registry policy processing - do not apply during periodic background processing' is set to 'enabled - false' + description: (L1) Ensure 'configure registry policy processing - do not apply during periodic background processing' is set to 'enabled - false' Configure registry policy processing_ Process even if the Group Policy objects have not changed : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\NoGPOListChanges': - tag: CIS-18.8.18.3 + tag: CIS-18.7.18.3 match_output: 'Enabled' #: TRUE' value_type: 'equal' - description: (l1) ensure 'configure registry policy processing - process even if the group policy objects have not changed' is set to 'enabled - true' + description: (L1) Ensure 'configure registry policy processing - process even if the group policy objects have not changed' is set to 'enabled - true' Do not display network selection UI : data: 'Microsoft Windows Server 2012*': - 
'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\DontDisplayNetworkSelectionUI': - tag: CIS-18.8.24.1 + tag: CIS-18.7.24.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'do not display network selection ui' is set to 'enabled' + description: (L1) Ensure 'do not display network selection ui' is set to 'enabled' Do not enumerate connected users on domain-joined computers : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\DontEnumerateConnectedUsers': - tag: CIS-18.8.24.2 + tag: CIS-18.7.24.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'do not enumerate connected users on domain-joined computers' is set to 'enabled' + description: (L1) Ensure 'do not enumerate connected users on domain-joined computers' is set to 'enabled' Turn off app notifications on the lock screen : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\DisableLockScreenAppNotifications': - tag: CIS-18.8.24.4 + tag: CIS-18.7.24.4 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'turn off app notifications on the lock screen' is set to 'enabled' + description: (L1) Ensure 'turn off app notifications on the lock screen' is set to 'enabled' Enable RPC Endpoint Mapper Client Authentication : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc\EnableAuthEpResolution': - tag: CIS-18.8.31.1 + tag: CIS-18.7.31.1 match_output: 'Enabled' value_type: 'equal' description: 'Ensure Enable RPC Endpoint Mapper Client Authentication is set to Enabled ' 
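Review bot: In the first win_reg hunk (@@ -1371,156), the replacement description for `MSS_ IP source routing protection level` ends in `...source routing is completely disabled'ed'`, a leftover `ed'` that should be dropped so the line ends `...is completely disabled'`. The same hunk removes the five LAPS (`AdmPwd`) checks, `EnableICMPRedirect`, `nonamereleaseondemand`, `Peernet\Disabled`, `TCPIP6\Parameters\DisabledComponents` and `fMinimizeConnections` without a word of justification; if these were pulled because the target benchmark revision no longer lists them, say so in the commit message, and if they were dropped for false positives, that deserves a separate change. Finally, the MSS entries are retagged from `CIS-18.3.x` to `CIS-2.3.10.x` while the neighbouring administrative-template entries only shift from `18.4.x` to `18.3.x`; please name the benchmark version these tags now follow so the renumbering can be checked.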
@@ -1584,242 +1503,194 @@ win_reg: data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\MSAOptional': - tag: CIS-18.9.6.1 + tag: CIS-18.8.5.1 match_output: 'Enabled' value_type: 'equal' description: 'Ensure Allow Microsoft accounts to be optional is set to Enabled' - Disallow Autoplay for non-volume devices : - data: - 'Microsoft Windows Server 2012*': - - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer\NoAutoplayfornonVolume': - tag: CIS-18.9.8.1 - match_output: 'Enabled' - value_type: 'equal' - description: (l1) ensure 'disallow autoplay for non-volume devices' is set to 'enabled' - Set the default behavior for AutoRun : - data: - 'Microsoft Windows Server 2012*': - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoAutorun': - tag: CIS-18.9.8.2 - match_output: 'Enabled'# : Do not execute any autorun commands' - value_type: 'equal' - description: (l1) ensure 'set the default behavior for autorun' is set to 'enabled - do not execute any autorun commands' Turn off Autoplay : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun': - tag: CIS-18.9.8.3 + tag: CIS-18.8.7.2 match_output: 'Enabled: All drives' value_type: 'equal' - description: (l1) ensure 'turn off autoplay' is set to 'enabled - all drives' + description: (L1) Ensure 'turn off autoplay' is set to 'enabled - all drives' Do not display the password reveal button : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CredUI\DisablePasswordReveal': - tag: CIS-18.9.13.1 - match_output: 'Enabled' - value_type: 'equal' - description: (l1) ensure 'do not display the password reveal button' is set to 'enabled' - Default Action and Mitigation Settings : - data: - 'Microsoft Windows Server 2012*': - - 
'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings\AntiDetours': #, HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings\BannedFunctions, HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings\DeepHooks, HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings\ExploitAction': - tag: CIS-18.9.22.2 + tag: CIS-18.8.11.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'default action and mitigation settings' is set to 'enabled' (plus subsettings) + description: (L1) Ensure 'do not display the password reveal button' is set to 'enabled' Default Protections for Internet Explorer : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults\IE': - tag: CIS-18.9.22.3 + tag: CIS-18.8.20.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'default protections for internet explorer' is set to 'enabled' + description: (L1) Ensure 'default protections for internet explorer' is set to 'enabled' Default Protections for Popular Software : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults': - tag: CIS-18.9.22.4 + tag: CIS-18.8.20.3 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'default protections for popular software' is set to 'enabled' + description: (L1) Ensure 'default protections for popular software' is set to 'enabled' Default Protections for Recommended Software : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\Defaults': - tag: CIS-18.9.22.5 + tag: CIS-18.8.20.4 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'default protections for recommended software' is set to 'enabled' + description: (L1) Ensure 'default protections for recommended software' is set to 'enabled' System ASLR : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings\ASLR': - tag: 
CIS-18.9.22.6 + tag: CIS-18.8.20.5 match_output: 'Enabled'#: Application Opt-In' value_type: 'equal' - description: (l1) ensure 'system aslr' is set to 'enabled - application opt-in' + description: (L1) Ensure 'system aslr' is set to 'enabled - application opt-in' System DEP : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings\DEP': - tag: CIS-18.9.22.7 + tag: CIS-18.8.20.6 match_output: 'Enabled'#: Application Opt-Out' value_type: 'equal' - description: (l1) ensure 'system dep' is set to 'enabled - application opt-out' + description: (L1) Ensure 'system dep' is set to 'enabled - application opt-out' System SEHOP : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\EMET\SysSettings\SEHOP': - tag: CIS-18.9.22.8 + tag: CIS-18.8.20.7 match_output: 'Enabled'#: Application Opt-Out' value_type: 'equal' - description: (l1) ensure 'system sehop' is set to 'enabled - application opt-out' + description: (L1) Ensure 'system sehop' is set to 'enabled - application opt-out' Application_ Specify the maximum log file size : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application\MaxSize': - tag: CIS-18.9.24.1.2 + tag: CIS-18.8.22.1.2 match_output: 'Enabled'#_ 32768 or greater' value_type: 'equal' - description: (l1) ensure 'application - specify the maximum log file size (kb)' is set to 'enabled - 32,768 or greater' + description: (L1) Ensure 'application - specify the maximum log file size (kb)' is set to 'enabled - 32,768 or greater' Security_ Specify the maximum log file size : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security\MaxSize': - tag: CIS-18.9.24.2.2 + tag: CIS-18.8.22.2.2 match_output: 'Enabled'#_ 196608 or greater' value_type: 'equal' - description: (l1) ensure 'security - specify the maximum log file size (kb)' is set to 'enabled - 196,608 or 
greater' + description: (L1) Ensure 'security - specify the maximum log file size (kb)' is set to 'enabled - 196,608 or greater' Setup_ Specify the maximum log file size : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup\MaxSize': - tag: CIS-18.9.24.3.2 + tag: CIS-18.8.22.3.2 match_output: 'Enabled' # 32,768 or greater' value_type: 'equal' - description: (l1) ensure 'setup - specify the maximum log file size (kb)' is set to 'enabled - 32,768 or greater' + description: (L1) Ensure 'setup - specify the maximum log file size (kb)' is set to 'enabled - 32,768 or greater' System_ Specify the maximum log file size : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System\MaxSize': - tag: CIS-18.9.24.4.2 + tag: CIS-18.8.22.4.2 match_output: 'Enabled'#_ 32768 or greater' value_type: 'equal' - description: (l1) ensure 'system - specify the maximum log file size (kb)' is set to 'enabled - 32,768 or greater' + description: (L1) Ensure 'system - specify the maximum log file size (kb)' is set to 'enabled - 32,768 or greater' Configure Windows SmartScreen : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\EnableSmartScreen': - tag: CIS-18.9.28.2 + tag: CIS-18.8.26.2 match_output: 'Enabled: Require approval from an administrator before running downloaded unknown software' value_type: 'equal' - description: (l1) ensure 'configure windows smartscreen' is set to 'enabled - require approval from an administrator before running downloaded unknown software' + description: (L1) Ensure 'configure windows smartscreen' is set to 'enabled - require approval from an administrator before running downloaded unknown software' Do not allow passwords to be saved : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving': - tag: 
CIS-18.9.48.2.2 + tag: CIS-18.8.45.2.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'do not allow passwords to be saved' is set to 'enabled' + description: (L1) Ensure 'do not allow passwords to be saved' is set to 'enabled' Do not allow drive redirection : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fDisableCdm': - tag: CIS-18.9.48.3.3.2 + tag: CIS-18.8.45.3.3.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'do not allow drive redirection' is set to 'enabled' + description: (L1) Ensure 'do not allow drive redirection' is set to 'enabled' Always prompt for password upon connection : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword': - tag: CIS-18.9.48.3.9.1 + tag: CIS-18.8.45.3.9.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'always prompt for password upon connection' is set to 'enabled' + description: (L1) Ensure 'always prompt for password upon connection' is set to 'enabled' Require secure RPC communication : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\fEncryptRPCTraffic': - tag: CIS-18.9.48.3.9.2 + tag: CIS-18.8.45.3.9.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'require secure rpc communication' is set to 'enabled' + description: (L1) Ensure 'require secure rpc communication' is set to 'enabled' Set client connection encryption level : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\MinEncryptionLevel': - tag: CIS-18.9.48.3.9.3 + tag: CIS-18.8.45.3.9.3 match_output: 'Enabled'#: High Level' value_type: 'equal' - description: (l1) ensure 'set client connection encryption level' is set to 'enabled - high level' - Prevent downloading of enclosures : - 
data: - 'Microsoft Windows Server 2012*': - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer\Feeds\DisableEnclosureDownload': - tag: CIS-18.9.49.1 - match_output: 'Enabled' - value_type: 'equal' - description: (l1) ensure 'prevent downloading of enclosures' is set to 'enabled' + description: (L1) Ensure 'set client connection encryption level' is set to 'enabled - high level' Prevent the usage of SkyDrive for file storage : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Skydrive\DisableFileSync': - tag: CIS-18.9.54.1 + tag: CIS-18.8.40.1 match_output: 'Enabled' value_type: 'equal' description: 'Ensure Prevent the usage of SkyDrive for file storage is set to Enabled' - Turn off the offer to update to the latest version of Windows : - data: - 'Microsoft Windows Server 2012*': - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore\DisableOSUpgrade': - tag: CIS-18.9.58.2 - match_output: 'Enabled' - value_type: 'equal' - description: (l1) ensure 'turn off the offer to update to the latest version of windows' is set to 'enabled' - Configure Default consent : - data: - 'Microsoft Windows Server 2012*': - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent\DefaultConsent': - tag: CIS-18.9.67.2.1 - match_output: 'Enabled'#: Always ask before sending data' - value_type: 'equal' - description: (l1) ensure 'configure default consent' is set to 'enabled - always ask before sending data' Disallow Digest authentication : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowDigest': - tag: CIS-18.9.81.1.3 + tag: CIS-18.8.77.1.3 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'disallow digest authentication' is set to 'enabled' + description: (L1) Ensure 'disallow digest authentication' is set to 'enabled' Disallow WinRM from storing RunAs credentials : data: 'Microsoft Windows 
Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\DisableRunAs': - tag: CIS-18.9.81.2.3 + tag: CIS-18.8.77.2.3 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'disallow winrm from storing runas credentials' is set to 'enabled' + description: (L1) Ensure 'disallow winrm from storing runas credentials' is set to 'enabled' Configure Automatic Updates : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate': - tag: CIS-18.9.85.1 + tag: CIS-18.8.81.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'configure automatic updates' is set to 'enabled' + description: (L1) Ensure 'configure automatic updates' is set to 'enabled' Configure Automatic Updates_ Scheduled install day : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\ScheduledInstallDay': - tag: CIS-18.9.85.2 + tag: CIS-18.8.81.2 match_output: '0'# - Every day' value_type: 'equal' - description: (l1) ensure 'configure automatic updates - scheduled install day' is set to '0 - every day' + description: (L1) Ensure 'configure automatic updates - scheduled install day' is set to '0 - every day' Enable screen saver : data: 'Microsoft Windows Server 2012*': @@ -1827,7 +1698,7 @@ win_reg: tag: CIS-19.1.3.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'enable screen saver' is set to 'enabled' + description: (L1) Ensure 'enable screen saver' is set to 'enabled' Force specific screen saver_ Screen saver executable name : data: 'Microsoft Windows Server 2012*': 
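Review bot: the renumbering of every `tag:` from CIS-18.9.x to CIS-18.8.x in this hunk records nowhere which benchmark revision the new numbers come from; since audits are selected by tag (`hubble.audit stig V-38491` style), a one-line comment at the top of the profile naming the benchmark version would stop the next drift, and the commit message should say so as well. Three checks are deleted outright here (`Prevent downloading of enclosures`, `Turn off the offer to update to the latest version of Windows`, `Configure Default consent`) with no replacement; if they were dropped from the target benchmark, state that, otherwise keep them with new tags. The SkyDrive entry is left half-converted: its description stays `'Ensure Prevent the usage of SkyDrive for file storage is set to Enabled'` while its neighbours were moved to the `(L1) Ensure '...'` form, and its tag moves to CIS-18.8.40.1 while the 18.9.48.x entries around it move to 18.8.45.x, so the ordering is no longer monotonic and is worth a second look. Finally, the four log-size checks promise a threshold the check cannot enforce: `match_output: 'Enabled'#_ 32768 or greater'` with `value_type: 'equal'` only verifies the policy is on; either compare the numeric KB value with a `value_type: 'more'` as the win_pkg hunk below does, or narrow the description to what is actually verified.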
@@ -1835,7 +1706,7 @@ win_reg: tag: CIS-19.1.3.2 match_output: 'Enabled'#: scrnsave.scr' value_type: 'equal' - description: (l1) ensure 'force specific screen saver - screen saver executable name' is set to 'enabled - scrnsave.scr' + description: (L1) Ensure 'force specific screen saver - screen saver executable name' is set to 'enabled - scrnsave.scr' Password protect the screen saver : data: 'Microsoft Windows Server 2012*': @@ -1843,7 +1714,7 @@ win_reg: tag: CIS-19.1.3.3 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'password protect the screen saver' is set to 'enabled' + description: (L1) Ensure 'password protect the screen saver' is set to 'enabled' Screen saver timeout : data: 'Microsoft Windows Server 2012*': @@ -1851,7 +1722,7 @@ win_reg: tag: CIS-19.1.3.4 match_output: 'Enabled'#: 900 seconds or fewer, but not 0' value_type: 'equal' - description: (l1) ensure 'screen saver timeout' is set to 'enabled - 900 seconds or fewer, but not 0' + description: (L1) Ensure 'screen saver timeout' is set to 'enabled - 900 seconds or fewer, but not 0' Turn off toast notifications on the lock screen : data: 'Microsoft Windows Server 2012*': @@ -1859,7 +1730,7 @@ win_reg: tag: CIS-19.5.1.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'turn off toast notifications on the lock screen' is set to 'enabled' + description: (L1) Ensure 'turn off toast notifications on the lock screen' is set to 'enabled' Notify antivirus programs when opening attachments : data: 'Microsoft Windows Server 2012*': @@ -1867,7 +1738,7 @@ win_reg: tag: CIS-19.7.4.2 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'notify antivirus programs when opening attachments' is set to 'enabled' + description: (L1) Ensure 'notify antivirus programs when opening attachments' is set to 'enabled' Prevent users from sharing files within their profile. : data: 'Microsoft Windows Server 2012*': 
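Review bot: the screen-saver timeout check has the same description/check mismatch as the log-size entries: `match_output: 'Enabled'#: 900 seconds or fewer, but not 0'` with `value_type: 'equal'` can only establish that the policy is enabled, not the 900-second bound or the non-zero requirement, so the description should say what is checked or the check should compare the value. While touching these lines, the `'Enabled'#:` form used in the context lines puts the `#` directly after the closing quote; YAML requires whitespace before a comment marker, and although PyYAML tolerates it, the setup entry earlier in this same patch already uses the spec-conformant `match_output: 'Enabled' # 32,768 or greater'`, so normalize to that. The capitalization-only changes in these hunks are fine.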
@@ -1875,273 +1746,201 @@ win_reg: tag: CIS-19.7.25.1 match_output: 'Enabled' value_type: 'equal' - description: (l1) ensure 'prevent users from sharing files within their profile.' is set to 'enabled' + description: (L1) Ensure 'prevent users from sharing files within their profile.' is set to 'enabled' blacklist: MSS_ Enable Automatic Logon : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon': - tag: CIS-18.3.1 + tag: CIS-2.3.10.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'mss - (autoadminlogon) enable automatic logon (not recommended)' is set to 'disabled' - Ensure Turn on Mapper I/O driver is set to Disabled : - data: - 'Microsoft Windows Server 2012*': - - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD\AllowLLTDIOOnDomain': - tag: CIS-18.4.8.1 - match_output: 'Enabled' - value_type: 'equal' - description: 'Ensure Turn on Mapper I/O (LLTDIO) driver is set to Disabled' - Ensure Turn on Responder (RSPNDR) driver is set to Disabled : - data: - 'Microsoft Windows Server 2012*': - - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\LLTD\AllowRspndrOnDomain': - tag: CIS-18.4.8.2 - match_output: 'Enabled' - value_type: 'equal' - description: 'Ensure Turn on Responder (RSPNDR) driver is set to Disabled' + description: (L1) Ensure 'mss - (autoadminlogon) enable automatic logon (not recommended)' is set to 'disabled' WDigest Authentication : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential': - tag: CIS-18.6.2 + tag: CIS-18.5.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'wdigest authentication' is set to 'disabled' + description: (L1) Ensure 'wdigest authentication' is set to 'disabled' Ensure Include command line in process creation events is Disabled: data: 'Microsoft Windows Server 2012*': - 
'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit\ProcessCreationIncludeCmdLine_Enabled': - tag: CIS-18.8.2.1 + tag: CIS-18.7.2.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'include command line in process creation events' is set to 'disabled' + description: (L1) Ensure 'include command line in process creation events' is set to 'disabled' Turn off background refresh of Group Policy : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableBkGndGroupPolicy': - tag: CIS-18.8.18.4 + tag: CIS-18.7.18.4 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'turn off background refresh of group policy' is set to 'disabled' + description: (L1) Ensure 'turn off background refresh of group policy' is set to 'disabled' Enumerate local users on domain-joined computers : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\EnumerateLocalUsers': - tag: CIS-18.8.24.3 + tag: CIS-18.7.24.3 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'enumerate local users on domain-joined computers' is set to 'disabled' + description: (L1) Ensure 'enumerate local users on domain-joined computers' is set to 'disabled' Turn on convenience PIN sign-in : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System\AllowDomainPINLogon': - tag: CIS-18.8.24.5 + tag: CIS-18.7.24.5 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'turn on convenience pin sign-in' is set to 'disabled' + description: (L1) Ensure 'turn on convenience pin sign-in' is set to 'disabled' Configure Offer Remote Assistance : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\fAllowUnsolicited': - tag: CIS-18.8.30.1 + tag: CIS-18.7.30.1 match_output: 'Disabled' 
value_type: 'equal' - description: (l1) ensure 'configure offer remote assistance' is set to 'disabled' + description: (L1) Ensure 'configure offer remote assistance' is set to 'disabled' Configure Solicited Remote Assistance : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\policies\Microsoft\Windows NT\Terminal Services\fAllowToGetHelp': - tag: CIS-18.8.30.2 + tag: CIS-18.7.30.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'configure solicited remote assistance' is set to 'disabled' + description: (L1) Ensure 'configure solicited remote assistance' is set to 'disabled' Enumerate administrator accounts on elevation : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators': - tag: CIS-18.9.13.2 + tag: CIS-18.8.11.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'enumerate administrator accounts on elevation' is set to 'disabled' + description: (L1) Ensure 'enumerate administrator accounts on elevation' is set to 'disabled' Application_ Control Event Log behavior when the log file reaches its maximum size : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Application\Retention': - tag: CIS-18.9.24.1.1 + tag: CIS-18.8.22.1.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'application - control event log behavior when the log file reaches its maximum size' is set to 'disabled' + description: (L1) Ensure 'application - control event log behavior when the log file reaches its maximum size' is set to 'disabled' Security_ Control Event Log behavior when the log file reaches its maximum size : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Security\Retention': - tag: CIS-18.9.24.2.1 + tag: CIS-18.8.22.2.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) 
ensure 'security - control event log behavior when the log file reaches its maximum size' is set to 'disabled' + description: (L1) Ensure 'security - control event log behavior when the log file reaches its maximum size' is set to 'disabled' Setup_ Control Event Log behavior when the log file reaches its maximum size : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\Setup\Retention': - tag: CIS-18.9.24.3.1 + tag: CIS-18.8.22.3.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'setup - control event log behavior when the log file reaches its maximum size' is set to 'disabled' + description: (L1) Ensure 'setup - control event log behavior when the log file reaches its maximum size' is set to 'disabled' System_ Control Event Log behavior when the log file reaches its maximum size : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\EventLog\System\Retention': - tag: CIS-18.9.24.4.1 + tag: CIS-18.8.22.4.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'system - control event log behavior when the log file reaches its maximum size' is set to 'disabled' + description: (L1) Ensure 'system - control event log behavior when the log file reaches its maximum size' is set to 'disabled' Turn off Data Execution Prevention for Explorer : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer\NoDataExecutionPrevention': - tag: CIS-18.9.28.3 - match_output: 'Disabled' - value_type: 'equal' - description: (l1) ensure 'turn off data execution prevention for explorer' is set to 'disabled' - Turn off heap termination on corruption : - data: - 'Microsoft Windows Server 2012*': - - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer\NoHeapTerminationOnCorruption': - tag: CIS-18.9.28.4 + tag: CIS-18.8.26.3 match_output: 'Disabled' value_type: 'equal' - description: (l1) 
ensure 'turn off heap termination on corruption' is set to 'disabled' + description: (L1) Ensure 'turn off data execution prevention for explorer' is set to 'disabled' Turn off shell protocol protected mode : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\PreXPSP2ShellProtocolBehavior': - tag: CIS-18.9.28.5 + tag: CIS-18.8.26.5 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'turn off shell protocol protected mode' is set to 'disabled' - Do not delete temp folders upon exit : - data: - 'Microsoft Windows Server 2012*': - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\DeleteTempDirsOnExit': - tag: CIS-18.9.48.3.11.1 - match_output: 'Disabled' - value_type: 'equal' - description: (l1) ensure 'do not delete temp folders upon exit' is set to 'disabled' + description: (L1) Ensure 'turn off shell protocol protected mode' is set to 'disabled' Do not use temporary folders per session : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Terminal Services\PerSessionTempDir': - tag: CIS-18.9.48.3.11.2 + tag: CIS-18.8.45.3.11.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'do not use temporary folders per session' is set to 'disabled' + description: (L1) Ensure 'do not use temporary folders per session' is set to 'disabled' Allow indexing of encrypted files : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Windows Search\AllowIndexingEncryptedStoresOrItems': - tag: CIS-18.9.50.2 - match_output: 'Disabled' - value_type: 'equal' - description: (l1) ensure 'allow indexing of encrypted files' is set to 'disabled' - Turn off Automatic Download and Install of updates : - data: - 'Microsoft Windows Server 2012*': - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore\AutoDownload': - tag: CIS-18.9.58.1 - match_output: 
'Disabled' - value_type: 'equal' - description: (l1) ensure 'turn off automatic download of updates on win8 machines' is set to 'disabled' - Automatically send memory dumps for OS-generated error reports : - data: - 'Microsoft Windows Server 2012*': - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\Windows Error Reporting\AutoApproveOSDumps': - tag: CIS-18.9.67.3 - match_output: 'Disabled' - value_type: 'equal' - description: 'Ensure Automatically send memory dumps for OS-generated error reports is set to Disabled' - Allow user control over installs : - data: - 'Microsoft Windows Server 2012*': - - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\EnableUserControl': - tag: CIS-18.9.69.1 + tag: CIS-18.8.47.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'allow user control over installs' is set to 'disabled' - Always install with elevated privileges : + description: (L1) Ensure 'allow indexing of encrypted files' is set to 'disabled' + Always install with elevated privileges system: data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated': - tag: CIS-18.9.69.2 + tag: CIS-18.8.65.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'always install with elevated privileges' is set to 'disabled' + description: (L1) Ensure 'always install with elevated privileges' is set to 'disabled' Sign-in last interactive user automatically after a system-initiated restart : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableAutomaticRestartSignOn': - tag: CIS-18.9.70.1 + tag: CIS-18.8.66.1 match_output: 'Disabled' value_type: 'equal' description: 'Ensure Sign-in last interactive user automatically after a system-initiated restart is set to Disabled' - Turn on PowerShell Script Block Logging : - data: - 'Microsoft Windows Server 2012*': - - 
'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging\EnableScriptBlockLogging': - tag: CIS-18.9.79.1 - match_output: 'Disabled' - value_type: 'equal' - description: (l1) ensure 'turn on powershell script block logging' is set to 'disabled' - Turn on PowerShell Transcription : - data: - 'Microsoft Windows Server 2012*': - - 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription\EnableTranscripting': - tag: CIS-18.9.79.2 - match_output: 'Disabled' - value_type: 'equal' - description: (l1) ensure 'turn on powershell transcription' is set to 'disabled' - Allow Basic authentication : + Allow Basic authentication winrm client: data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowBasic': - tag: CIS-18.9.81.1.1 + tag: CIS-18.8.77.1.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'allow basic authentication' is set to 'disabled' - Allow unencrypted traffic : + description: (L1) Ensure 'allow basic authentication' is set to 'disabled' + Allow unencrypted traffic winrm client: data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Client\AllowUnencryptedTraffic': - tag: CIS-18.9.81.1.2 + tag: CIS-18.8.77.1.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'allow unencrypted traffic' is set to 'disabled' - Allow Basic authentication : + description: (L1) Ensure 'allow unencrypted traffic' is set to 'disabled' + Allow Basic authentication winrm service: data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\AllowBasic': - tag: CIS-18.9.81.2.1 + tag: CIS-18.8.77.2.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'allow basic authentication' is set to 'disabled' - Allow unencrypted traffic : + description: (L1) Ensure 'allow basic authentication' is set to 'disabled' + Allow 
unencrypted traffic winrm service: data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WinRM\Service\AllowUnencryptedTraffic': - tag: CIS-18.9.81.2.2 + tag: CIS-18.8.77.2.2 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'allow unencrypted traffic' is set to 'disabled' + description: (L1) Ensure 'allow unencrypted traffic' is set to 'disabled' No auto-restart with logged on users for scheduled automatic updates installations : data: 'Microsoft Windows Server 2012*': - 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoRebootWithLoggedOnUsers': - tag: CIS-18.9.85.3 + tag: CIS-18.8.81.5 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'no auto-restart with logged on users for scheduled automatic updates installations' is set to 'disabled' + description: (L1) Ensure 'no auto-restart with logged on users for scheduled automatic updates installations' is set to 'disabled' Do not preserve zone information in file attachments : data: 'Microsoft Windows Server 2012*': @@ -2149,15 +1948,15 @@ win_reg: tag: CIS-19.7.4.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'do not preserve zone information in file attachments' is set to 'disabled' - Always install with elevated privileges : + description: (L1) Ensure 'do not preserve zone information in file attachments' is set to 'disabled' + Always install with elevated privileges user: data: 'Microsoft Windows Server 2012*': - 'HKEY_USERS\\Software\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated': tag: CIS-19.7.37.1 match_output: 'Disabled' value_type: 'equal' - description: (l1) ensure 'always install with elevated privileges' is set to 'disabled' + description: (L1) Ensure 'always install with elevated privileges' is set to 'disabled' win_pkg: 
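Review bot: the key renames in the blacklist (`Always install with elevated privileges system:`/`user:`, `Allow Basic authentication winrm client:`/`winrm service:`, `Allow unencrypted traffic winrm client:`/`winrm service:`) fix a real bug that the commit message should call out: these were duplicate mapping keys, and PyYAML keeps the last duplicate silently, so before this change only one of each pair was ever audited. Two things to verify before merging: `tag: CIS-2.3.10.1` on the MSS AutoAdminLogon entry is the only renumbered tag that leaves section 18 while every other registry tag stays under 18.x, so confirm it against the benchmark; and a large set of entries is removed here without explanation (LLTD Mapper I/O and Responder, heap termination on corruption, temp folders on exit, Windows Store AutoDownload, WER AutoApproveOSDumps, user control over installs, PowerShell Script Block Logging and Transcription). The last two deserve an explicit sentence in the commit message, because a blacklist entry with `match_output: 'Disabled'` fails any host that has that logging turned on, so dropping them changes what a host must look like to pass. Style point: `Ensure Include command line in process creation events is Disabled:` lacks the ` :` spacing used by every other key in this file.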
@@ -2166,15 +1965,7 @@ win_pkg: data: 'Microsoft Windows Server 2012*': - 'EMET': - tag: CIS-18.9.22.1 + tag: CIS-18.8.20.1 match_output: '5.4' value_type: 'more' - description: (l1) ensure 'emet 5.5' or higher is installed - LAPS AdmPwd GPO Extension / CSE is installed : - data: - 'Microsoft Windows Server 2012*': - - 'Navigate to Control Panel\Program\Programs and Features and confirm "lAPS" is listed in the Name column.': - tag: CIS-18.2.1 - match_output: 'Local Administrator Password Solution' - value_type: 'equal' - description: 'Ensure LAPS AdmPwd GPO Extension / CSE is installed ' + description: (L1) Ensure 'emet 5.5' or higher is installed diff --git a/hubblestack_nova_profiles/cve/vulners_scanner.yaml b/hubblestack_nova_profiles/cve/vulners_scanner.yaml new file mode 100644 index 0000000..2c9dbe6 --- /dev/null +++ b/hubblestack_nova_profiles/cve/vulners_scanner.yaml @@ -0,0 +1 @@ +vulners_scanner: 'This string does not matter.' \ No newline at end of file diff --git a/hubblestack_nova_profiles/stig/rhel-6-x86_64-mac-1-classified.yaml b/hubblestack_nova_profiles/stig/rhel-6-x86_64-mac-1-classified.yaml new file mode 100644 index 0000000..00aa5b0 --- /dev/null +++ b/hubblestack_nova_profiles/stig/rhel-6-x86_64-mac-1-classified.yaml 
@@ -0,0 +1,2078 @@ +#################################################################################################### +# This is the Hubblestack Nova Auditing profile for the DISA SIGS: +# +# Source: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-07-22/MAC-1_Classified/ +# OS Finger: Red Hat Enterprise Linux Server-6 +# ARCH: x86_64 (audit rules do not support b32 rules) +# Audit Level: MAC-I Classified +# +# Installation/Update: +# 1. Place this file in the stig folder under your nova_profiles location +# 2. Remove any old / unwanted STIG profiles +# 3. Clear minion cache: salt \* saltutil.clear_cache +# 4. sync_all: salt \* saltutil.sync_all +# 5. hubble.sync: salt \* hubble.sync +# +# Coverage: +# Total of 175 items in the 2016-07-22 MAC-1 Classified report +# 170 of the 175 controls are contained in this profile. The missing controls +# are related to gconftool and the /etc/gconf/gconf.xml.mandatory file. +# +# Usage: +# To perform a hubble audit using the top.nova file: +# salt hubble.audit +# +# To perform a hubble audit using all profiles within a folder (sub-folder under nova_profiles): +# salt hubble.audit +# e.g. salt \* hubble.audit stig +# +# To perform a hubble audit for a specific Audit ID: +# salt hubble.audit +# e.g. salt \* hubble.audit stig V-38491 +# +# The Description field is structured following this scheme: +# (Severity) <Optional: Check type, if there is more than one performed> +# e.g. (MEDIUM) The system must ignore ICMPv6 redirects by default. (sysctl.conf) +# +# Tailoring: +# You may need to tailor some of these inspections to your system/site to account +# for: +# 1. Your environmental configuration +# ex: using McAfee AV Scan vs ClamAV +# 2. Compensating controls you may have +# 3. 
Tailoring you've done for your specific system/environment +# +# For control most commonly modified, we've added a comment that starts with "NOTE: " +# +################################################################################################# +command: + no_rhosts_files_on_system: + data: + 'Red Hat Enterprise Linux Server-6': + tag: V-38491 + commands: + - 'find / -name ".rhosts"': + match_output: .rhosts + fail_if_matched: True + description: (HIGH) There must be no .rhosts files on the system. Run 'find / -name ".rhosts"'' to find the offending files. + audit_all_discretionary_access_control_modifications_using_lremovexattr: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38559 + commands: + - 'grep "lremovexattr" /etc/audit/audit.rules | grep "auid>=500"': + match_output: '^-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod' + match_output_regex: True + - 'grep "lremovexattr" /etc/audit/audit.rules | grep "auid=0"': + match_output: '^-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid=0 -k perm_mod' + match_output_regex: True + aggregation: 'and' + description: (LOW) The audit system must be configured to audit all discretionary access control permission modifications using lremovexattr. 
+ audit_all_discretionary_access_control_modifications_using_lsetxattr: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38561 + commands: + - 'grep "lsetxattr" /etc/audit/audit.rules | grep "auid>=500"': + match_output: '^-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod' + match_output_regex: True + - 'grep "lsetxattr" /etc/audit/audit.rules | grep "auid=0"': + match_output: '^-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid=0 -k perm_mod' + match_output_regex: True + aggregation: 'and' + description: (LOW) The audit system must be configured to audit all discretionary access control permission modifications using lsetxattr. + audit_all_discretionary_access_control_modifications_using_setxattr: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38565 + commands: + - 'grep -E "\ssetxattr\s" /etc/audit/audit.rules | grep "auid>=500"': + match_output: '^-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod' + match_output_regex: True + - 'grep -E "\ssetxattr\s" /etc/audit/audit.rules | grep "auid=0"': + match_output: '^-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid=0 -k perm_mod' + match_output_regex: True + aggregation: 'and' + description: (LOW) The audit system must be configured to audit all discretionary access control permission modifications using setxattr. 
+ audit_all_discretionary_access_control_modifications_using_lchown: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38558 + commands: + - 'grep "lchown" /etc/audit/audit.rules | grep "auid>=500"': + match_output: '^-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod' + match_output_regex: True + - 'grep "lchown" /etc/audit/audit.rules | grep "auid=0"': + match_output: '^-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid=0 -k perm_mod' + match_output_regex: True + aggregation: 'and' + description: (LOW) The audit system must be configured to audit all discretionary access control permission modifications using lchown. + audit_all_discretionary_access_control_modifications_using_fchown: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38552 + commands: + - 'grep "fchown" /etc/audit/audit.rules | grep "auid>=500"': + match_output: '^-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod' + match_output_regex: True + - 'grep "fchown" /etc/audit/audit.rules | grep "auid=0"': + match_output: '^-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid=0 -k perm_mod' + match_output_regex: True + aggregation: 'and' + description: (LOW) The audit system must be configured to audit all discretionary access control permission modifications using fchown. 
+ audit_all_discretionary_access_control_modifications_using_fchmodat: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38550 + commands: + - 'grep "fchmodat" /etc/audit/audit.rules | grep "auid>=500"': + match_output: '^-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod' + match_output_regex: True + - 'grep "fchmodat" /etc/audit/audit.rules | grep "auid=0"': + match_output: '^-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid=0 -k perm_mod' + match_output_regex: True + aggregation: 'and' + description: (LOW) The audit system must be configured to audit all discretionary access control permission modifications using fchmodat. + audit_all_discretionary_access_control_modifications_using_chmod: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38543 + commands: + - 'grep -E "\schmod\s" /etc/audit/audit.rules | grep "auid>=500"': + match_output: '^-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod' + match_output_regex: True + - 'grep -E "\schmod\s" /etc/audit/audit.rules | grep "auid=0"': + match_output: '^-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid=0 -k perm_mod' + match_output_regex: True + aggregation: 'and' + description: (LOW) The audit system must be configured to audit all discretionary access control permission modifications using chmod. 
+ audit_all_discretionary_access_control_modifications_using_fchmod: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38547 + commands: + - 'grep -E "\sfchmod\s" /etc/audit/audit.rules | grep "auid>=500"': + match_output: '^-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod' + match_output_regex: True + - 'grep -E "\sfchmod\s" /etc/audit/audit.rules | grep "auid=0"': + match_output: '^-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid=0 -k perm_mod' + match_output_regex: True + aggregation: 'and' + description: (LOW) The audit system must be configured to audit all discretionary access control permission modifications using fchmod. + audit_all_discretionary_access_control_modifications_using_fsetxattr: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38557 + commands: + - 'grep "fsetxattr" /etc/audit/audit.rules | grep "auid>=500"': + match_output: '^-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod' + match_output_regex: True + - 'grep "fsetxattr" /etc/audit/audit.rules | grep "auid=0"': + match_output: '^-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid=0 -k perm_mod' + match_output_regex: True + aggregation: 'and' + description: (LOW) The audit system must be configured to audit all discretionary access control permission modifications using fsetxattr. 
+ audit_all_discretionary_access_control_modifications_using_fremovexattr: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38556 + commands: + - 'grep "fremovexattr" /etc/audit/audit.rules | grep "auid>=500"': + match_output: '^-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod' + match_output_regex: True + - 'grep "fremovexattr" /etc/audit/audit.rules | grep "auid=0"': + match_output: '^-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid=0 -k perm_mod' + match_output_regex: True + aggregation: 'and' + description: (LOW) The audit system must be configured to audit all discretionary access control permission modifications using fremovexattr. + audit_all_discretionary_access_control_modifications_using_removexattr: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38563 + commands: + - 'grep -E "\sremovexattr\s" /etc/audit/audit.rules | grep "auid>=500"': + match_output: '^-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod' + match_output_regex: True + - 'grep -E "\sremovexattr\s" /etc/audit/audit.rules | grep "auid=0"': + match_output: '^-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid=0 -k perm_mod' + match_output_regex: True + aggregation: 'and' + description: (LOW) The audit system must be configured to audit all discretionary access control permission modifications using removexattr. 
+ audit_all_discretionary_access_control_modifications_using_fchownat: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38554 + commands: + - 'grep "fchownat" /etc/audit/audit.rules | grep "auid>=500"': + match_output: '^-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod' + match_output_regex: True + - 'grep "fchownat" /etc/audit/audit.rules | grep "auid=0"': + match_output: '^-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid=0 -k perm_mod' + match_output_regex: True + aggregation: 'and' + description: (LOW) The audit system must be configured to audit all discretionary access control permission modifications using fchownat. + audit_all_discretionary_access_control_modifications_using_chown: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38545 + commands: + - 'grep -E "\schown\s" /etc/audit/audit.rules | grep "auid>=500"': + match_output: '^-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod' + match_output_regex: True + - 'grep -E "\schown\s" /etc/audit/audit.rules | grep "auid=0"': + match_output: '^-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid=0 -k perm_mod' + match_output_regex: True + aggregation: 'and' + description: (LOW) The audit system must be configured to audit all discretionary access control permission modifications using chown. + audit_clock_settime: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38527 + commands: + - 'grep "clock_settime" /etc/audit/audit.rules': + match_output: '^-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules' + match_output_regex: True + description: (LOW) The audit system must be configured to audit all attempts to alter system time through clock_settime. 
+ audit_stime: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38525 + commands: + - 'grep "settimeofday" /etc/audit/audit.rules': + match_output: '^-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules' + match_output_regex: True + description: (LOW) The audit system must be configured to audit all attempts to alter system time through stime. On a 64-bit system, the "-S stime" is not necessary. + audit_settimeofday: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38522 + commands: + - 'grep "settimeofday" /etc/audit/audit.rules': + match_output: '^-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules' + match_output_regex: True + description: (LOW) The audit system must be configured to audit all attempts to alter system time through settimeofday. + audit_adjtimex: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38635 + commands: + - 'grep "adjtimex" /etc/audit/audit.rules': + match_output: '^-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules' + match_output_regex: True + description: (LOW) The audit system must be configured to audit all attempts to alter system time through adjtimex. 
+ audit_account_disabling_actions: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38536 + commands: + - 'grep -E "^-w\s+/etc/group" /etc/audit/audit.rules': + match_output: '^-w /etc/group -p wa -k audit_account_changes' + match_output_regex: True + - 'grep -E "^-w\s+/etc/passwd" /etc/audit/audit.rules': + match_output: '^-w /etc/passwd -p wa -k audit_account_changes' + match_output_regex: True + - 'grep -E "^-w\s+/etc/shadow" /etc/audit/audit.rules': + match_output: '^-w /etc/shadow -p wa -k audit_account_changes' + match_output_regex: True + - 'grep -E "^-w\s+/etc/gshadow" /etc/audit/audit.rules': + match_output: '^-w /etc/gshadow -p wa -k audit_account_changes' + match_output_regex: True + - 'grep -E "^-w\s+/etc/security/opasswd" /etc/audit/audit.rules': + match_output: '^-w /etc/security/opasswd -p wa -k audit_account_changes' + match_output_regex: True + aggregation: 'and' + description: (LOW) The operating system must automatically audit account disabling actions. + audit_account_termination_actions: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38538 + commands: + - 'grep -E "^-w\s+/etc/group" /etc/audit/audit.rules': + match_output: '^-w /etc/group -p wa -k audit_account_changes' + match_output_regex: True + - 'grep -E "^-w\s+/etc/passwd" /etc/audit/audit.rules': + match_output: '^-w /etc/passwd -p wa -k audit_account_changes' + match_output_regex: True + - 'grep -E "^-w\s+/etc/shadow" /etc/audit/audit.rules': + match_output: '^-w /etc/shadow -p wa -k audit_account_changes' + match_output_regex: True + - 'grep -E "^-w\s+/etc/gshadow" /etc/audit/audit.rules': + match_output: '^-w /etc/gshadow -p wa -k audit_account_changes' + match_output_regex: True + - 'grep -E "^-w\s+/etc/security/opasswd" /etc/audit/audit.rules': + match_output: '^-w /etc/security/opasswd -p wa -k audit_account_changes' + match_output_regex: True + aggregation: 'and' + description: (LOW) The operating system must automatically audit account termination. 
+ audit_account_creation_actions: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38531 + commands: + - 'grep -E "^-w\s+/etc/group" /etc/audit/audit.rules': + match_output: '^-w /etc/group -p wa -k audit_account_changes' + match_output_regex: True + - 'grep -E "^-w\s+/etc/passwd" /etc/audit/audit.rules': + match_output: '^-w /etc/passwd -p wa -k audit_account_changes' + match_output_regex: True + - 'grep -E "^-w\s+/etc/shadow" /etc/audit/audit.rules': + match_output: '^-w /etc/shadow -p wa -k audit_account_changes' + match_output_regex: True + - 'grep -E "^-w\s+/etc/gshadow" /etc/audit/audit.rules': + match_output: '^-w /etc/gshadow -p wa -k audit_account_changes' + match_output_regex: True + - 'grep -E "^-w\s+/etc/security/opasswd" /etc/audit/audit.rules': + match_output: '^-w /etc/security/opasswd -p wa -k audit_account_changes' + match_output_regex: True + aggregation: 'and' + description: (LOW) The operating system must automatically audit account creation. + audit_account_modification_actions: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38534 + commands: + - 'grep -E "^-w\s+/etc/group" /etc/audit/audit.rules': + match_output: '^-w /etc/group -p wa -k audit_account_changes' + match_output_regex: True + - 'grep -E "^-w\s+/etc/passwd" /etc/audit/audit.rules': + match_output: '^-w /etc/passwd -p wa -k audit_account_changes' + match_output_regex: True + - 'grep -E "^-w\s+/etc/shadow" /etc/audit/audit.rules': + match_output: '^-w /etc/shadow -p wa -k audit_account_changes' + match_output_regex: True + - 'grep -E "^-w\s+/etc/gshadow" /etc/audit/audit.rules': + match_output: '^-w /etc/gshadow -p wa -k audit_account_changes' + match_output_regex: True + - 'grep -E "^-w\s+/etc/security/opasswd" /etc/audit/audit.rules': + match_output: '^-w /etc/security/opasswd -p wa -k audit_account_changes' + match_output_regex: True + aggregation: 'and' + description: (LOW) The operating system must automatically audit account modification. 
+ audit_selinux_modification_actions: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38541 + commands: + - 'grep -E "^-w\s+/etc/selinux/" /etc/audit/audit.rules': + match_output: '^-w /etc/selinux/ -p wa -k MAC-policy' + match_output_regex: True + description: (LOW) The audit system must be configured to audit modifications to the systems Mandatory Access Control (MAC) configuration (SELinux). + audit_sudoers_modification_actions: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38578 + commands: + - 'grep -E "^-w\s+/etc/sudoers" /etc/audit/audit.rules': + match_output: '^-w /etc/sudoers -p wa -k actions' + match_output_regex: True + description: (LOW) The audit system must be configured to audit changes to the /etc/sudoers file. + audit_localtime_modification_actions: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38530 + commands: + - 'grep -E "^-w\s+/etc/localtime" /etc/audit/audit.rules': + match_output: '^-w /etc/localtime -p wa -k audit_time_rules' + match_output_regex: True + description: (LOW) The audit system must be configured to audit all attempts to alter system time through /etc/localtime. + audit_user_deletions_of_files_programs: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38575 + commands: + - 'grep "unlink" /etc/audit/audit.rules | grep "auid>=500"': + match_output: '^-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete' + match_output_regex: True + - 'grep "unlink" /etc/audit/audit.rules | grep "auid=0"': + match_output: '^-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid=0 -k delete' + match_output_regex: True + aggregation: 'and' + description: (LOW) The audit system must be configured to audit user deletions of files and programs. 
+ audit_successful_file_system_mounts: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38568 + commands: + - 'grep -E "\-S mount" /etc/audit/audit.rules | grep "auid>=500"': + match_output: '^-a always,exit -F arch=b64 -S mount -S umount2 -F auid>=500 -F auid!=4294967295 -k export' + match_output_regex: True + - 'grep -E "\-S mount" /etc/audit/audit.rules | grep "auid=0"': + match_output: '^-a always,exit -F arch=b64 -S mount -S umount2 -F auid=0 -k export' + match_output_regex: True + aggregation: 'and' + description: (LOW) The audit system must be configured to audit successful file system mounts. + audit_loading_unloading_dynamic_kernel_modules: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38580 + commands: + - 'grep "^-w /sbin/insmod" /etc/audit/audit.rules': + match_output: '^-w /sbin/insmod -p x -k modules' + match_output_regex: True + - 'grep "^-w /sbin/rmmod" /etc/audit/audit.rules': + match_output: '^-w /sbin/rmmod -p x -k modules' + match_output_regex: True + - 'grep "^-w /sbin/modprobe" /etc/audit/audit.rules': + match_output: '^-w /sbin/modprobe -p x -k modules' + match_output_regex: True + - 'grep -E "\-S init_module" /etc/audit/audit.rules': + match_output: '^-a always,exit -F arch=b64 -S init_module -S delete_module -S finit_module -k modules' + match_output_regex: True + aggregation: 'and' + description: (MEDIUM) The audit system must be configured to audit the loading and unloading of dynamic kernel modules. + cryptographically_verify_packages_repos: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38487 + commands: + - 'grep "gpgcheck" /etc/yum.repos.d/*': + match_output: ^.*\:gpgcheck=0 + match_output_regex: True + match_output_by_line: True + description: (LOW) The system package management tool must cryptographically verify the authenticity of all software packages during installation. 
(repos.d directory files) + rds_protocol_disabled: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38516 + commands: + - 'grep -E "^install\s+rds\s+/bin/true" /etc/modprobe.d/*': + match_output: ^.*\:install rds /bin/true + match_output_regex: True + match_output_by_line: True + description: (LOW) The Reliable Datagram Sockets (RDS) protocol must be disabled unless required. + disable_usb_devices: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38490 + commands: + - 'grep -E "^install\s+usb-storage\s+/bin/true" /etc/modprobe.d/*': + match_output: ^.*\:install usb-storage /bin/true + match_output_regex: True + match_output_by_line: True + description: (MEDIUM) The operating system must enforce requirements for the connection of mobile devices to operating systems. + disable_ipv6_modprobe: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38546 + commands: + - 'grep -E "^options\s+ipv6\s+disable" /etc/modprobe.d/*': + match_output: ^.*\:options\s+ipv6\s+disable\s*=\s*1 + match_output_regex: True + match_output_by_line: True + description: (MEDIUM) The IPv6 protocol handler must not be bound to the network stack unless needed. (modprobe) + disable_tipc_modprobe: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38517 + commands: + - 'grep -E "^install\s+tipc\s+/bin/true" /etc/modprobe.d/*': + match_output: ^.*\:install tipc /bin/true + match_output_regex: True + match_output_by_line: True + description: (MEDIUM) The Transparent Inter-Process Communication (TIPC) protocol must be disabled unless required. (modprobe) + disable_sctp_modprobe: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38515 + commands: + - 'grep -E "^install\s+sctp\s+/bin/true" /etc/modprobe.d/*': + match_output: ^.*\:install sctp /bin/true + match_output_regex: True + match_output_by_line: True + description: (MEDIUM) The Stream Control Transmission Protocol (SCTP) must be disabled unless required. 
(modprobe) + disable_dccp_modprobe: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38514 + commands: + - 'grep -E "^install\s+dccp\s+/bin/true" /etc/modprobe.d/*': + match_output: ^.*\:install dccp /bin/true + match_output_regex: True + match_output_by_line: True + description: (MEDIUM) The Datagram Congestion Control Protocol (DCCP) must be disabled unless required. (modprobe) + enable_auditing_at_boot_time: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38438 + commands: + - 'grep -E "^[^#]\s*kernel.*" /boot/grub/grub.conf': + match_output: ^[^#]\s*kernel.*audit=1.* + match_output_regex: True + match_output_by_line: True + description: (LOW) Auditing must be enabled at boot by setting a kernel parameter. + no_hashes_in_etc_passwd: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38499 + commands: + - 'grep -v -i "^\S[^:]*:x:" /etc/passwd': + match_output: .* + match_output_regex: True + fail_if_matched: True + description: (MEDIUM) The /etc/passwd file must not contain password hashes. + only_one_acct_with_uid_of_0: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38500 + commands: + - 'grep -i "^\S[^:]*:x:0:" /etc/passwd | wc -l': + match_output: '1' + match_output_regex: True + description: (MEDIUM) The root account must be the only account having a UID of 0. + backup_audit_records: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38520 + commands: + - 'grep -E "^\*\.\*\s+" /etc/rsyslog.conf': + match_output: ^\*\.\*\s+(@|@@|:omrelp:)\S*.* + match_output_regex: True + match_output_by_line: True + description: (MEDIUM) The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited. 
+ backup_audit_records_2: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38521 + commands: + - 'grep -E "^\*\.\*\s+" /etc/rsyslog.conf': + match_output: ^\*\.\*\s+(@|@@|:omrelp:)\S*.* + match_output_regex: True + match_output_by_line: True + description: (MEDIUM) The operating system must back up audit records on an organization defined frequency onto a different system or media than the system being audited. + dhcp_disabled: + # NOTE: may need to tailor this control is dhcp is needed + data: + Red Hat Enterprise Linux Server-6: + tag: V-38679 + commands: + - 'grep -E "^BOOTPROTO" /etc/sysconfig/network-scripts/ifcfg-*': + match_output: ^.*\:BOOTPROTO\s*=\s*none + match_output_regex: True + match_output_by_line: True + description: (MEDIUM) The DHCP client must be disabled if not needed. + disable_accounts_3_consec_unsuccessful_logons: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38573 + commands: + - 'grep -E "^auth\s+required\s+pam_faillock\.so\s+preauth" /etc/pam.d/system-auth': + match_output: ^auth\s+required\s+pam_faillock\.so\s+preauth\s+silent\s+deny=3\s+unlock_time=900\s+fail_interval=900.* + match_output_regex: True + - 'grep -E "^auth\s+\[default=die\]\s+pam_faillock\.so" /etc/pam.d/system-auth': + match_output: ^auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail\s+deny=3\s+unlock_time=900\s+fail_interval=900.* + match_output_regex: True + - 'grep -E "^account\s+required\s+pam_faillock\.so" /etc/pam.d/system-auth': + match_output: ^account\s+required\s+pam_faillock\.so.* + match_output_regex: True + aggregation: 'and' + description: (MEDIUM) The system must disable accounts after three consecutive unsuccessful logon attempts. 
+ require_admin_action_after_3_consec_unsuccessful_logons: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38592 + commands: + - 'grep -E "^auth\s+required\s+pam_faillock\.so\s+preauth" /etc/pam.d/system-auth': + match_output: ^auth\s+required\s+pam_faillock\.so\s+preauth\s+silent\s+deny=3\s+unlock_time=900\s+fail_interval=900.* + match_output_regex: True + - 'grep -E "^auth\s+\[default=die\]\s+pam_faillock\.so" /etc/pam.d/system-auth': + match_output: ^auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail\s+deny=3\s+unlock_time=900\s+fail_interval=900.* + match_output_regex: True + - 'grep -E "^account\s+required\s+pam_faillock\.so" /etc/pam.d/system-auth': + match_output: ^account\s+required\s+pam_faillock\.so.* + match_output_regex: True + aggregation: 'and' + description: (MEDIUM) The system must require administrator action to unlock an account locked by excessive failed login attempts. + disable_for_15_min_unsuccessful_logons: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38501 + commands: + - 'grep -E "^auth\s+required\s+pam_faillock\.so\s+preauth" /etc/pam.d/system-auth': + match_output: ^auth\s+required\s+pam_faillock\.so\s+preauth\s+silent\s+deny=3\s+unlock_time=900\s+fail_interval=900.* + match_output_regex: True + - 'grep -E "^auth\s+\[default=die\]\s+pam_faillock\.so" /etc/pam.d/system-auth': + match_output: ^auth\s+\[default=die\]\s+pam_faillock\.so\s+authfail\s+deny=3\s+unlock_time=900\s+fail_interval=900.* + match_output_regex: True + - 'grep -E "^account\s+required\s+pam_faillock\.so" /etc/pam.d/system-auth': + match_output: ^account\s+required\s+pam_faillock\.so.* + match_output_regex: True + aggregation: 'and' + description: (MEDIUM) The system must disable accounts after excessive login failures within a 15-minute interval. 
+ rsyslog_gen_files_owned_by_root: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38518 + commands: + - 'grep "^\$FileOwner.*" /etc/rsyslog.conf': + match_output: ^\$FileOwner\s+root.* + match_output_regex: True + description: (MEDIUM) All rsyslog-generated log files must be owned by root. + rlogind_not_running_chkconfig: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38602 + commands: + - 'chkconfig --list rlogind': + match_output: ^rlogind.*:on\s+.* + match_output_regex: True + fail_if_matched: False + description: (HIGH) The rlogind service must not be running. (chkconfig) + rshd_not_running_chkconfig: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38594 + commands: + - 'chkconfig --list rsh': + match_output: ^rsh.*:on\s+.* + match_output_regex: True + fail_if_matched: True + description: (HIGH) The rshd service must not be running. (chkconfig) + rexecd_not_running_chkconfig: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38598 + commands: + - 'chkconfig --list rexec': + match_output: ^rexec.*:on\s+.* + match_output_regex: True + fail_if_matched: True + description: (HIGH) The rexecd service must not be running. (chkconfig) + telnet_not_running_chkconfig: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38589 + commands: + - 'chkconfig --list telnet': + match_output: ^telnet.*:on\s+.* + match_output_regex: True + fail_if_matched: True + description: (HIGH) The telnet daemon must not be running. (chkconfig) + qpidd_not_running_chkconfig: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38648 + commands: + - 'chkconfig --list qpidd': + match_output: ^qpidd.*:on\s+.* + match_output_regex: True + fail_if_matched: True + description: (LOW) The qpidd service must not be running. 
(chkconfig) + atd_not_running_chkconfig: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38641 + commands: + - 'chkconfig --list atd': + match_output: ^atd.*:on\s+.* + match_output_regex: True + fail_if_matched: True + description: (LOW) The atd service must not be running. (chkconfig) + abrtd_not_running_chkconfig: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38640 + commands: + - 'chkconfig --list abrtd': + match_output: ^abrtd.*:on\s+.* + match_output_regex: True + fail_if_matched: True + description: (LOW) The Automatic Bug Reporting Tool (abrtd) service must not be running. (chkconfig) + oddjobd_not_running_chkconfig: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38646 + commands: + - 'chkconfig --list oddjobd': + match_output: ^oddjobd.*:on\s+.* + match_output_regex: True + fail_if_matched: True + description: (LOW) The oddjobd service must not be running. (chkconfig) + ntpdate_not_running_chkconfig: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38644 + commands: + - 'chkconfig --list ntpdate': + match_output: ^ntpdate.*:on\s+.* + match_output_regex: True + fail_if_matched: True + description: (LOW) The ntpdate service must not be running. (chkconfig) + rdisc_not_running_chkconfig: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38650 + commands: + - 'chkconfig --list rdisc': + match_output: ^rdisc.*:on\s+.* + match_output_regex: True + fail_if_matched: True + description: (LOW) The rdisc service must not be running. (chkconfig) + netconsole_not_running_chkconfig: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38672 + commands: + - 'chkconfig --list netconsole': + match_output: ^netconsole.*:on\s+.* + match_output_regex: True + fail_if_matched: True + description: (LOW) The netconsole service must not be running. 
(chkconfig) + avahi-daemon_not_running_chkconfig: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38618 + commands: + - 'chkconfig --list avahi-daemon': + match_output: ^avahi-daemon.*:on\s+.* + match_output_regex: True + fail_if_matched: True + description: (LOW) The avahi service must not be running. (chkconfig) + autofs_not_running_chkconfig: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38437 + commands: + - 'chkconfig --list autofs': + match_output: ^autofs.*:on\s+.* + match_output_regex: True + fail_if_matched: True + description: (LOW) Automated file system mounting tools must not be enabled unless needed. (chkconfig) + ypbind_not_running_chkconfig: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38604 + commands: + - 'chkconfig --list ypbind': + match_output: ^ypbind.*:on\s+.* + match_output_regex: True + fail_if_matched: True + description: (MEDIUM) The ypbind service must not be running. (chkconfig) + bluetooth_not_running_chkconfig: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38691 + commands: + - 'chkconfig --list bluetooth': + match_output: ^bluetooth.*:on\s+.* + match_output_regex: True + fail_if_matched: True + description: (MEDIUM) The bluetooth service must be disabled. (chkconfig) + xinetd_not_running_chkconfig: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38582 + commands: + - 'chkconfig --list xinetd': + match_output: ^xinetd.*:on\s+.* + match_output_regex: True + fail_if_matched: True + description: (MEDIUM) The xinetd service must be disabled if no network services utilizing it are enabled. (chkconfig) + postfix_enabled_chkconfig: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38669 + commands: + - 'chkconfig --list postfix': + match_output: ^postfix.*3:on\s+4:on\s+5:on\s+.* + match_output_regex: True + fail_if_matched: False + description: (LOW) The postfix service must be running for mail delivery. 
(chkconfig) + vpn_enabled_chkconfig: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38687 + commands: + - 'chkconfig --list ipsec': + match_output: ^ipsec.*3:on\s+4:on\s+5:on\s+.* + match_output_regex: True + fail_if_matched: False + description: (LOW) The system must provide VPN connectivity for communications over untrusted networks. (chkconfig) + iptables_enabled_chkconfig: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38555 + commands: + - 'chkconfig --list iptables': + match_output: ^iptables.*3:on\s+4:on\s+5:on\s+.* + match_output_regex: True + fail_if_matched: False + description: (MEDIUM) The system must employ a local IPv4 firewall. (chkconfig) + cron_enabled_chkconfig: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38605 + commands: + - 'chkconfig --list crond': + match_output: ^crond.*3:on\s+4:on\s+5:on\s+.* + match_output_regex: True + fail_if_matched: False + description: (MEDIUM) The cron service must be running. (chkconfig) + ntpd_enabled_chkconfig: + data: + Red Hat Enterprise Linux Server-6: + tag: V-38620 + commands: + - 'chkconfig --list ntpd': + match_output: ^ntpd.*3:on\s+4:on\s+5:on\s+.* + match_output_regex: True + fail_if_matched: False + description: (MEDIUM) The system clock must be synchronized continuously, or at least daily. (chkconfig) + +grep: + blacklist: + rpm_cryptographically_verify_packages: + data: + Red Hat Enterprise Linux Server-6: + - /etc/rpmrc: + pattern: nosignature + tag: V-38462 + - /usr/lib/rpm/rpmrc: + pattern: nosignature + tag: V-38462 + - /usr/lib/rpm/redhat/rpmrc: + pattern: nosignature + tag: V-38462 + - /root/.rpmrc: + pattern: nosignature + tag: V-38462 + description: (HIGH) The RPM package management tool must cryptographically verify the authenticity of all software packages during installation. 
+ null_passwords_cannot_be_used: + data: + Red Hat Enterprise Linux Server-6: + - /etc/pam.d/system-auth: + tag: V-38497 + pattern: nullok + - /etc/pam.d/system-auth-ac: + tag: V-38497 + pattern: nullok + - /etc/pam.d/password-auth: + tag: V-38497 + pattern: nullok + - /etc/pam.d/password-auth-ac: + tag: V-38497 + pattern: nullok + - /etc/pam.d/sshd: + tag: V-38497 + pattern: nullok + description: (HIGH) The system must not allow null passwords to be used. + nfs_no_insecure_file_locking: + data: + Red Hat Enterprise Linux Server-6: + - /etc/exports: + tag: V-38677 + pattern: insecure_locks + description: (HIGH) The NFS server must not have the insecure file locking option enabled. + etc_hosts_equiv_should_not_exist: + data: + Red Hat Enterprise Linux Server-6: + - /etc/hosts.equiv: + tag: V-38491 + pattern: .* + match_on_file_missing: False + description: (HIGH) There must be no /etc/hosts.equiv file on the system. + prevent_root_login_serial_consoles: + data: + Red Hat Enterprise Linux Server-6: + - /etc/securetty: + tag: V-38494 + pattern: ^ttyS\d* + match_on_file_missing: False + description: (LOW) The system must prevent the root account from logging in from serial consoles. + prevent_root_login_virtual_consoles: + data: + Red Hat Enterprise Linux Server-6: + - /etc/securetty: + tag: V-38492 + pattern: ^vc/\d* + match_on_file_missing: False + description: (MEDIUM) The system must prevent the root account from logging in from virtual consoles. + must_user_selinux_at_boot_time: + data: + Red Hat Enterprise Linux Server-6: + - /boot/grub/grub.conf: + tag: V-51337 + pattern: ^[^#].*kernel.*selinux=0.* + match_on_file_missing: False + description: (MEDIUM) The system must use a Linux Security Module at boot time. 
+ boot_loader_must_require_authentication: + data: + Red Hat Enterprise Linux Server-6: + - /boot/grub/grub.conf: + tag: V-38585 + pattern: ^[^#]password\s+--encrypted.* + match_on_file_missing: False + description: (MEDIUM) The system boot loader must require authentication. + + whitelist: + x86_ctrl_alt_del_disabled: + data: + Red Hat Enterprise Linux Server-6: + - /etc/init/control-alt-delete.override: + tag: V-38668 + pattern: ^exec /usr/bin/logger + match_output: security.info "Control-Alt-Delete pressed" + description: (HIGH) The x86 Ctrl-Alt-Delete key sequence must be disabled. + sshd_use_only_SSHv2_protocol: + data: + Red Hat Enterprise Linux Server-6: + - /etc/ssh/sshd_config: + tag: V-38607 + pattern: ^Protocol + match_output: ^Protocol\s+2 + match_output_regex: True + grep_args: + - '-E' + - '-i' + description: (HIGH) The SSH daemon must be configured to use only the SSHv2 protocol. + sshd_no_empty_passwords: + data: + Red Hat Enterprise Linux Server-6: + - /etc/ssh/sshd_config: + tag: V-38614 + pattern: ^PermitEmptyPasswords + match_output: ^PermitEmptyPasswords\s+no + match_output_regex: True + grep_args: + - '-E' + - '-i' + description: (HIGH) The SSH daemon must not allow authentication using an empty password. + sshd_no_user_env_settings: + data: + Red Hat Enterprise Linux Server-6: + - /etc/ssh/sshd_config: + tag: V-38616 + pattern: ^PermitUserEnvironment + match_output: ^PermitUserEnvironment\s+no + match_output_regex: True + grep_args: + - '-E' + - '-i' + description: (LOW) The SSH daemon must not permit user environment settings. + sshd_timeout_count_idle_sessions: + data: + Red Hat Enterprise Linux Server-6: + - /etc/ssh/sshd_config: + tag: V-38610 + pattern: ^ClientAliveCountMax + match_output: ^ClientAliveCountMax\s+0 + match_output_regex: True + grep_args: + - '-E' + - '-i' + description: (LOW) The SSH daemon must set a timeout count on idle sessions. 
+ sshd_timeout_idle_sessions: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/ssh/sshd_config': + tag: V-38608 + pattern: ^ClientAliveInterval.* + match_output: ^ClientAliveInterval\s+900.* + match_output_regex: True + grep_args: + - '-E' + - '-i' + description: (LOW) The SSH daemon must set a timeout interval on idle sessions. + sshd_ignore_rhosts_files: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/ssh/sshd_config': + tag: V-38611 + pattern: ^IgnoreRhosts.* + match_output: ^IgnoreRhosts\s+yes.* + match_output_regex: True + grep_args: + - '-E' + - '-i' + description: (MEDIUM) The SSH daemon must ignore .rhosts files. + sshd_not_allow_host-based_auth: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/ssh/sshd_config': + tag: V-38612 + pattern: ^HostbasedAuthentication.* + match_output: ^HostbasedAuthentication\s+no.* + match_output_regex: True + grep_args: + - '-E' + - '-i' + description: (MEDIUM) The SSH daemon must not allow host-based authentication. + tftp_daemon_operate_in_secure_mode: + data: + Red Hat Enterprise Linux Server-6: + - /etc/xinetd.d/tftp: + tag: V-38701 + pattern: ^server_args + match_output: -s + match_on_file_missing: True + description: (HIGH) The TFTP daemon must operate in secure mode which provides access only to a single directory on the host file system. + csh_default_umask: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/csh.cshrc': + tag: V-38649 + pattern: ^umask 077 + match_on_file_missing: True + description: (LOW) The system default umask for the csh shell must be 077. + default_daemon_umask: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/init.d/functions': + tag: V-38642 + pattern: ^umask + match_output: ^umask (022|027) + match_output_regex: True + match_on_file_missing: True + description: (LOW) The system default umask for daemons must be 022 or 027. 
+ etc_profile_default_umask: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/profile': + tag: V-38647 + pattern: ^umask 077 + match_on_file_missing: True + description: (LOW) The system default umask in /etc/profile must be 077. + default_login_defs_umask: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/login.defs': + tag: V-38645 + pattern: ^UMASK + match_output: ^UMASK.*077 + match_output_regex: True + description: (LOW) The system default umask in /etc/login.defs must be 077. + selinux_policy: + # NOTE: This check may need to be tailored to your organization/system needs + data: + Red Hat Enterprise Linux Server-6: + - '/etc/selinux/config': + tag: V-51369 + pattern: ^SELINUXTYPE.* + match_output: ^.*targeted|^.*mls + match_output_regex: True + description: (LOW) The system must use a Linux Security Module configured to limit the privleges of system services. + enforce_selinux_policy: + # NOTE: This check may need to be tailored to your organization/system needs + data: + Red Hat Enterprise Linux Server-6: + - '/etc/selinux/config': + tag: V-51363 + pattern: ^SELINUX=.* + match_output: ^SELINUX\s*=\senforcing + match_output_regex: True + description: (MEDIUM) The system must use a Linux Security Module configured to enforce limits on system services. + etc_bashrc_default_umask: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/bashrc': + tag: V-38651 + pattern: '^umask 077' + match_on_file_missing: True + description: (LOW) The system default umask for the bash shell must be 077. + smb_client_signing: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/samba/smb.conf': + tag: V-38656 + pattern: '^client signing' + match_output: ^.*mandatory + match_output_regex: True + match_on_file_missing: True + description: (LOW) The system must use SMB client signing for connecting to samba servers using smbclient. 
+ password_warn_age: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/login.defs': + tag: V-38480 + pattern: '^PASS_WARN_AGE' + match_output: ^PASS_WARN_AGE\s*7$ + match_output_regex: True + match_on_file_missing: False + description: (LOW) Users must be warned 7 days in advance of password expiration. + password_min_days: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/login.defs': + tag: V-38477 + pattern: '^PASS_MIN_DAYS' + match_output: ^PASS_MIN_DAYS\s+1$ + match_output_regex: True + match_on_file_missing: False + description: (MEDIUM) The system must require passwords to contain a minimum of 15 characters. (login.defs) + password_max_days: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/login.defs': + tag: V-38479 + pattern: '^PASS_MAX_DAYS' + match_output: ^PASS_MAX_DAYS\s+60$ + match_output_regex: True + match_on_file_missing: False + description: (MEDIUM) User passwords must be changed at least every 60 days. + password_min_length_login_defs: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/login.defs': + tag: V-38475 + pattern: '^PASS_MIN_LEN' + match_output: ^PASS_MIN_LEN\s+15$ + match_output_regex: True + match_on_file_missing: False + description: (MEDIUM) The system must require passwords to contain a minimum of 15 characters. (login.defs) + require_num_in_password_pam_d: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/pam.d/system-auth': + tag: V-38475 + pattern: '^password.*pam_cracklib\.so' + match_output: ^password.*pam_cracklib\.so.*minlen=15.* + match_output_regex: True + match_on_file_missing: False + description: (MEDIUM) The system must require passwords to contain at least one numeric character. 
(pam module) + require_num_in_password: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/pam.d/system-auth': + tag: V-38482 + pattern: '^password.*pam_cracklib\.so' + match_output: ^password.*pam_cracklib\.so.*dcredit=-1.* + match_output_regex: True + match_on_file_missing: False + description: (LOW) The system must require passwords to contain at least one numeric character. + require_lower_case_in_password: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/pam.d/system-auth': + tag: V-38571 + pattern: '^password.*pam_cracklib\.so' + match_output: ^password.*pam_cracklib\.so.*lcredit=-1.* + match_output_regex: True + match_on_file_missing: False + description: (LOW) The system must require passwords to contain at least one lower-case alphabetic character. + require_special_char_in_password: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/pam.d/system-auth': + tag: V-38570 + pattern: '^password.*pam_cracklib\.so' + match_output: ^password.*pam_cracklib\.so.*ocredit=-1.* + match_output_regex: True + match_on_file_missing: False + description: (LOW) The system must require passwords to contain at least one special character. + require_diff_char_during_password_change: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/pam.d/system-auth': + tag: V-38572 + pattern: '^password.*pam_cracklib\.so' + match_output: ^password.*pam_cracklib\.so.*difok=8.* + match_output_regex: True + match_on_file_missing: False + description: (LOW) The system must require at least eight characters be changed between the old and new passwords during a password change. + require_upper_in_password: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/pam.d/system-auth': + tag: V-38569 + pattern: ^password.*pam_cracklib\.so + match_output: ^password.*pam_cracklib\.so.*ucredit=-1.* + match_output_regex: True + match_on_file_missing: False + description: (LOW) The system must require passwords to contain at least one uppercase alphabetic character. 
+ remember_passwords: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/pam.d/system-auth': + tag: V-38658 + pattern: ^password.*pam_pwhistory\.so + match_output: ^password.*pam_pwhistory\.so.*remember=5.* + match_output_regex: True + match_on_file_missing: False + description: (MEDIUM) The system must prohibit the reuse of passwords within five iterations. + showfailed_logons: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/pam.d/system-auth': + tag: V-51875 + pattern: ^session.*pam_lastlog\.so + match_output: ^session.*pam_lastlog\.so.*showfailed.* + match_output_regex: True + match_on_file_missing: False + description: (MEDIUM) The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access. + showfailed_logons: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/pam.d/system-auth': + tag: V-51875 + pattern: ^session.*pam_lastlog\.so + match_output: ^session.*pam_lastlog\.so.*showfailed.* + match_output_regex: True + match_on_file_missing: False + description: (MEDIUM) The operating system, upon successful logon/access, must display to the user the number of unsuccessful logon/access attempts since the last successful logon/access. + fips_140_2_crypto_system-auth: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/pam.d/system-auth': + tag: V-38574 + pattern: ^password.*pam_unix\.so + match_output: ^password.*pam_unix\.so.*sha512.* + match_output_regex: True + match_on_file_missing: False + description: (MEDIUM) The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (system-auth). 
+ fips_140_2_crypto_libuser: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/libuser.conf': + tag: V-38577 + pattern: ^crypt_style.* + match_output: ^crypt_style\s*=\s*sha512.* + match_output_regex: True + match_on_file_missing: False + description: (MEDIUM) The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (libuser.conf). + fips_140_2_crypto_logindefs: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/login.defs': + tag: V-38576 + pattern: ^ENCRYPT_METHOD.* + match_output: ^ENCRYPT_METHOD\s+SHA512.* + match_output_regex: True + match_on_file_missing: False + description: (MEDIUM) The system must use a FIPS 140-2 approved cryptographic hashing algorithm for generating account password hashes (login.defs). + audit_partition: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/fstab': + tag: V-38467 + pattern: ^[^#].*/var/log/audit.* + match_output: ^[^#]\S*\s*/var/log/audit + match_output_regex: True + description: (LOW) The system must use a separate file system for the system audit data path. + log_partition: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/fstab': + tag: V-38463 + pattern: ^[^#].*/var/log\s*.* + match_output: ^[^#]\S*\s*/var/log\s*.* + match_output_regex: True + description: (LOW) The system must use a separate file system for /var/log. + home_partition: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/fstab': + tag: V-38473 + pattern: ^[^#].*/home\s*.* + match_output: ^[^#]\S*\s*/home\s*.* + match_output_regex: True + description: (LOW) The system must use a separate file system for /var/home. + var_partition: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/fstab': + tag: V-38456 + pattern: ^[^#].*/var\s*.* + match_output: ^[^#]\S*\s*/var\s*.* + match_output_regex: True + description: (LOW) The system must use a separate file system for /var. 
+ tmp_partition: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/fstab': + tag: V-38455 + pattern: ^[^#].*/tmp\s*.* + match_output: ^[^#]\S*\s*/tmp\s*.* + match_output_regex: True + description: (LOW) The system must use a separate file system for /tmp. + disable_core_dumps: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/security/limits.conf': + tag: V-38675 + pattern: ^[^#].*core.* + match_output: ^\*\s+hard\s+core\s+0.* + match_output_regex: True + description: (LOW) Process core dumps must be disabled unless needed. + limit_users_to_10_logins: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/security/limits.conf': + tag: V-38684 + pattern: ^[^#].*maxlogins.* + match_output: ^\*\s+hard\s+maxlogins\s+10.* + match_output_regex: True + description: (LOW) The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements. + disable_user_after_inactivity: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/default/useradd': + tag: V-38694 + pattern: ^INACTIVE.* + match_output: ^INACTIVE\s*=\s*35 + match_output_regex: True + description: (LOW) The operating system must manage information system identifiers for users and devices by disabling the user identifier after an organization defined time period of inactivity. + lock_user_after_inactivity: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/default/useradd': + tag: V-38692 + pattern: ^INACTIVE.* + match_output: ^INACTIVE\s*=\s*35 + match_output_regex: True + description: (LOW) Accounts must be locked upon 35 days of inactivity. + log_martian_packets_grep: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/sysctl.conf': + tag: V-38528 + pattern: ^net\.ipv4\.conf\.all\.log_martians.* + match_output: ^net\.ipv4\.conf\.all\.log_martians\s*=\s*1 + match_output_regex: True + description: (LOW) The system must log Martian packets. 
(sysctl.conf) + ignore_ICMPv4_redirect_grep: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/sysctl.conf': + tag: V-38533 + pattern: ^net\.ipv4\.icmp_echo_ignore_broadcasts.* + match_output: ^net\.ipv4\.icmp_echo_ignore_broadcasts\s*=\s*1 + match_output_regex: True + description: (LOW) The system must not respond to ICMPv4 sent to a broadcast address. (sysctl.conf) + ignore_ICMPv4_broadcast_grep: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/sysctl.conf': + tag: V-38535 + pattern: ^net\.ipv4\.conf\.default\.accept_redirects.* + match_output: ^net\.ipv4\.conf\.default\.accept_redirects\s*=\s*0 + match_output_regex: True + description: (LOW) The system must ignore ICMPv4 redirect messages by default. (sysctl.conf) + ignore_ICMPv4_bogus_error_responses_grep: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/sysctl.conf': + tag: V-38537 + pattern: ^net\.ipv4\.icmp_ignore_bogus_error_responses.* + match_output: ^net\.ipv4\.icmp_ignore_bogus_error_responses\s*=\s*1 + match_output_regex: True + description: (LOW) The system must ignore ICMPv4 bogus error responses. (sysctl.conf) + not_accept_icmpv4_secure_redirect_grep: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/sysctl.conf': + tag: V-38526 + pattern: ^net\.ipv4\.conf\.all\.secure_redirects.* + match_output: ^net\.ipv4\.conf\.all\.secure_redirects\s*=\s*0 + match_output_regex: True + description: (MEDIUM) The system must not accept ICMPv4 secure redirect packets on any interface. (sysctl.conf) + not_accept_icmpv4_secure_redirect_default_grep: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/sysctl.conf': + tag: V-38532 + pattern: ^net\.ipv4\.conf\.default\.secure_redirects.* + match_output: ^net\.ipv4\.conf\.default\.secure_redirects\s*=\s*0 + match_output_regex: True + description: (MEDIUM) The system must not accept ICMPv4 secure redirect packets on any interface. 
(sysctl.conf) + not_accept_icmpv4_redirect_grep: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/sysctl.conf': + tag: V-38524 + pattern: ^net\.ipv4\.conf\.all\.accept_redirects.* + match_output: ^net\.ipv4\.conf\.all\.accept_redirects\s*=\s*0 + match_output_regex: True + description: (MEDIUM) The system must not accept ICMPv4 redirect packets on any interface. (sysctl.conf) + not_send_icmpv4_redirect_grep: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/sysctl.conf': + tag: V-38601 + pattern: ^net\.ipv4\.conf\.all\.send_redirects.* + match_output: ^net\.ipv4\.conf\.all\.send_redirects\s*=\s*0 + match_output_regex: True + description: (MEDIUM) The system must not send ICMPv4 redirect packets from any interface. (sysctl.conf) + not_send_icmpv4_redirect_default_grep: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/sysctl.conf': + tag: V-38600 + pattern: ^net\.ipv4\.conf\.default\.send_redirects.* + match_output: ^net\.ipv4\.conf\.default\.send_redirects\s*=\s*0 + match_output_regex: True + description: (MEDIUM) The system must not send ICMPv4 redirect packets by default. (sysctl.conf) + not_accept_icmpv4_source-routed_sysctl_grep: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/sysctl.conf': + tag: V-38523 + pattern: ^net\.ipv4\.conf\.all\.accept_source_route.* + match_output: ^net\.ipv4\.conf\.all\.accept_source_route\s*=\s*0 + match_output_regex: True + description: (MEDIUM) The system must not accept ICMPv4 source-routed packets on any interface. (sysctl.conf) + not_accept_icmpv4_source-routed_default_grep: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/sysctl.conf': + tag: V-38529 + pattern: ^net\.ipv4\.conf\.default\.accept_source_route.* + match_output: ^net\.ipv4\.conf\.default\.accept_source_route\s*=\s*0 + match_output_regex: True + description: (MEDIUM) The system must not accept ICMPv4 source-routed packets by default. 
(sysctl.conf) + reverse-path_filter_for_all_ipv4_traffic: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/sysctl.conf': + tag: V-38542 + pattern: ^net\.ipv4\.conf\.all\.rp_filter.* + match_output: ^net\.ipv4\.conf\.all\.rp_filter\s*=\s*1.* + match_output_regex: True + description: (MEDIUM) The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces. (sysctl.conf) + reverse-path_filter_for_ipv4_traffic_default: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/sysctl.conf': + tag: V-38544 + pattern: ^net\.ipv4\.conf\.default\.rp_filter.* + match_output: ^net\.ipv4\.conf\.default\.rp_filter\s*=\s*1.* + match_output_regex: True + description: (MEDIUM) The system must use a reverse-path filter for IPv4 network traffic when possible by default. (sysctl.conf) + ip_forwarding_not_enabled_config: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/sysctl.conf': + tag: V-38511 + pattern: ^net\.ipv4\.ip_forward.* + match_output: ^net\.ipv4\.ip_forward\s*=\s*0.* + match_output_regex: True + description: (MEDIUM) IP forwarding for IPv4 must not be enabled, unless the system is a router. (sysctl.conf) + do_not_use_ipv6_unless_needed_grep: + # NOTE: may need to be tailored + data: + Red Hat Enterprise Linux Server-6: + - '/etc/sysctl.conf': + tag: V-38546 + pattern: ^net\.ipv6\.conf\.all\.disable_ipv6.* + match_output: ^net\.ipv6\.conf\.all\.disable_ipv6\s*=\s*1.* + match_output_regex: True + description: (MEDIUM) The IPv6 protocol handler must not be bound to the network stack unless needed. (sysctl.conf) + ignore_ICMPv6_redirects_default_grep: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/sysctl.conf': + tag: V-38548 + pattern: ^net\.ipv6\.conf\.default\.accept_redirects.* + match_output: ^net\.ipv6\.conf\.default\.accept_redirects\s*=\s*0.* + match_output_regex: True + description: (MEDIUM) The system must ignore ICMPv6 redirects by default. 
(sysctl.conf) + use_tcp_syncookies: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/sysctl.conf': + tag: V-38539 + pattern: ^net\.ipv4\.tcp_syncookies.* + match_output: ^net\.ipv4\.tcp_syncookies\s*=\s*1.* + match_output_regex: True + description: (MEDIUM) The system must be configured to use TCP syncookies when experiencing a TCP SYN flood. (sysctl.conf) + x_windows_not_enabled: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/inittab': + tag: V-38674 + pattern: ^id.* + match_output: ^id\:3\:initdefault\:.* + match_output_regex: True + description: (MEDIUM) X Windows must not be enabled unless required. + audit_alert_space_left_action: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/audit/auditd.conf': + tag: V-38470 + pattern: ^space_left_action.* + match_output: ^space_left_action\s+=\s+(email|syslog|SYSLOG).* + match_output_regex: True + grep_args: + - '-E' + - '-i' + description: (MEDIUM) The audit system must alert designated staff members when the audit storage volume approaches capacity. + audit_admin_space_left: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/audit/auditd.conf': + tag: V-54381 + pattern: ^admin_space_left_action.* + match_output: ^admin_space_left_action\s+=\s+(single|SINGLE|suspend|SUSPEND|halt|HALT).* + match_output_regex: True + grep_args: + - '-E' + - '-i' + description: (MEDIUM) The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low. + audit_action_mail_acct: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/audit/auditd.conf': + tag: V-38680 + pattern: ^action_mail_acct.* + match_output: ^action_mail_acct\s*=\s*root.* + match_output_regex: True + grep_args: + - '-E' + - '-i' + description: (MEDIUM) The audit system must identify staff members to receive notifications of audit log storage volume capacity issues. 
+ audit_log_retention: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/audit/auditd.conf': + tag: V-38636 + pattern: ^num_logs.* + match_output: ^num_logs\s*=\s*\d+.* + match_output_regex: True + grep_args: + - '-E' + - '-i' + description: (MEDIUM) The system must retain enough rotated audit logs to cover the required log retention period. + audit_max_log_file_size: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/audit/auditd.conf': + tag: V-38633 + pattern: ^max_log_file.* + match_output: ^max_log_file\s*=\s*\d+.* + match_output_regex: True + grep_args: + - '-E' + - '-i' + description: (MEDIUM) The system must set a maximum audit log file size. + firewall_INPUT_chain_drop_policy: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/sysconfig/iptables': + tag: V-38513 + pattern: ^\:INPUT.* + match_output: ^\:INPUT\s+DROP\s+\[0\:0\].* + match_output_regex: True + grep_args: + - '-E' + - '-i' + description: (MEDIUM) The systems local IPv4 firewall must implement a deny-all, allow-by-exception policy for inbound packets. + sshd_login_banner: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/ssh/sshd_config': + tag: V-38615 + pattern: ^Banner.* + match_output: ^Banner\s+/etc/issue$ + match_output_regex: True + description: (MEDIUM) The SSH daemon must be configured with the Department of Defense (DoD) login banner. + sshd_block_root_remote_login: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/ssh/sshd_config': + tag: V-38613 + pattern: ^PermitRootLogin.* + match_output: ^PermitRootLogin\s(no|NO|No)$ + match_output_regex: True + description: (MEDIUM) The system must not permit root logins using remote access programs such as ssh. + sync_system_clock: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/ntp.conf': + tag: V-38621 + pattern: ^server.* + match_output: ^server\s+\S* + match_output_regex: True + description: (MEDIUM) The system clock must be synchronized to an authoritative DoD time source. 
+ require_root_pw_in_su_mode: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/sysconfig/init': + tag: V-38586 + pattern: ^SINGLE.* + match_output: ^SINGLE\s*=\s*/sbin/sulogin + match_output_regex: True + description: (MEDIUM) The system clock must be synchronized to an authoritative DoD time source. + do_not_permit_interactive_boot: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/sysconfig/init': + tag: V-38588 + pattern: ^PROMPT.* + match_output: ^PROMPT\s*=\s*(no|NO|No) + match_output_regex: True + description: (MEDIUM) The system must not permit interactive boot. + cryptographically_verify_packages_yum_conf: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/yum.conf': + tag: V-38483 + pattern: ^gpgcheck.* + match_output: ^gpgcheck\s*=\s*1 + match_output_regex: True + description: (MEDIUM) The system package management tool must cryptographically verify the authenticity of system software packages during installation. (yum.conf) + mail_relaying_must_be_restricted: + data: + Red Hat Enterprise Linux Server-6: + - '/etc/postfix/main.cf': + tag: V-38622 + pattern: ^inet_interfaces.* + match_output: ^inet_interfaces\s*=\s*localhost\s*$ + match_output_regex: True + description: (MEDIUM) Mail relaying must be restricted. + +pkg: + blacklist: + rsh-server_not_installed: + data: + Red Hat Enterprise Linux Server-6: + - rsh-server: V-38591 + description: (HIGH) The rsh-server package must not be installed. + telnet-server_not_installed: + data: + Red Hat Enterprise Linux Server-6: + - telnet-server: V-38587 + - telnet: V-38587 + description: (HIGH) The telnet-server and telnet package must not be installed. + xorg-x11-server-common_not_installed: + data: + Red Hat Enterprise Linux Server-6: + - xorg-x11-server-common: V-38676 + description: (LOW) The xorg-x11-server-common package must not be installed. 
+ openldap-servers_not_installed: + data: + Red Hat Enterprise Linux Server-6: + - openldap-servers: V-38627 + description: (LOW) The openldap-servers package must not be installed unless required. + xinetd_not_installed: + data: + Red Hat Enterprise Linux Server-6: + - xinetd: V-38584 + description: (LOW) The xinetd service must be uninstalled if no network services utilizing it are enabled. + sendmail_not_installed: + data: + Red Hat Enterprise Linux Server-6: + - sendmail: V-38671 + description: (MEDIUM) The sendmail package must be removed. + tftp-server_not_installed: + data: + Red Hat Enterprise Linux Server-6: + - tftp-server: V-38606 + description: (MEDIUM) The tftp-server package must not be installed unless required. + ypserv_not_installed: + data: + Red Hat Enterprise Linux Server-6: + - ypserv: V-38603 + description: (MEDIUM) The ypserv package must not be installed. + + whitelist: + approved_virus_scan_program: + # NOTE: This will need to be udated for your respective organization. + # This particular check is validating that clamav package is installed. + # This is a multi-part check to verify V-38666. Under the stat section, + # there is a check to verify cron.daily script for clamav inspection. + data: + Red Hat Enterprise Linux Server-6: + - clamav: V-38666 + - clamd: V-38666 + description: (HIGH) The system must use and update a DoD-approved virus scan program. (pkg) + screen_software_must_be_installed: + data: + Red Hat Enterprise Linux Server-6: + - screen: V-38590 + description: (LOW) The system must allow locking of the console screen in text mode. (pkg) + provide_vpn_for_untrusted_networks: + data: + Red Hat Enterprise Linux Server-6: + - openswan: V-38687 + description: (LOW) The system must provide VPN connectivity for communications over untrusted networks. (pkg) + file_integrity_aide: + # NOTE: this control may need to be tailored to your environment, checking + # for the specific file integrity tool that you use. 
+ data: + Red Hat Enterprise Linux Server-6: + - aide: V-38489 + description: (MEDIUM) A file integrity tool must be installed. (pkg) + +service: + blacklist: + rlogind_not_running_service: + data: + Red Hat Enterprise Linux Server-6: + - rlogin: V-38602 + description: (High) The rlogind service must not be running. (Service) + rshd_not_running_service: + data: + Red Hat Enterprise Linux Server-6: + - rsh: V-38594 + description: (High) The rshd service must not be running. (Service) + rexecd_not_running_service: + data: + Red Hat Enterprise Linux Server-6: + - rexec: V-38598 + description: (High) The rexecd service must not be running. (Service) + telnet_not_running_service: + data: + Red Hat Enterprise Linux Server-6: + - telnet: V-38589 + description: (High) The telnet daemon must not be running. (Service) + qpidd_not_running_service: + data: + Red Hat Enterprise Linux Server-6: + - qpidd: V-38648 + description: (LOW) The qpidd service must not be running. (Service) + atd_not_running_service: + data: + Red Hat Enterprise Linux Server-6: + - atd: V-38641 + description: (LOW) The atd service must not be running. (Service) + abrtd_not_running: + data: + Red Hat Enterprise Linux Server-6: + - abrtd: V-38640 + description: (LOW) The Automatic Bug Reporting Tool (abrtd) service must not be running. (Service) + oddjobd_not_running: + data: + Red Hat Enterprise Linux Server-6: + - oddjobd: V-38646 + description: (LOW) The oddjobd service must not be running. (Service) + ntpdate_not_running: + data: + Red Hat Enterprise Linux Server-6: + - ntpdate: V-38644 + description: (LOW) The ntpdate service must not be running. (Service) + rdisc_not_running: + data: + Red Hat Enterprise Linux Server-6: + - rdisc: V-38650 + description: (LOW) The rdisc service must not be running. (Service) + netconsole_not_running: + data: + Red Hat Enterprise Linux Server-6: + - netconsole: V-38672 + description: (LOW) The netconsole service must not be running. 
(Service) + avahi_not_running: + data: + Red Hat Enterprise Linux Server-6: + - avahi-daemon: V-38618 + description: (LOW) The avahi service must not be running. (Service) + autofs_not_running: + data: + Red Hat Enterprise Linux Server-6: + - autofs: V-38437 + description: (LOW) Automated file system mounting tools must not be enabled unless needed. (Service) + ypbind_not_running: + data: + Red Hat Enterprise Linux Server-6: + - ypbind: V-38604 + description: (MEDIUM) The ypbind service must not be running. (Service) + bluetooth_not_running: + data: + Red Hat Enterprise Linux Server-6: + - bluetooth: V-38691 + description: (MEDIUM) The Bluetooth service must be disabled. (Service) + xinetd_not_running: + data: + Red Hat Enterprise Linux Server-6: + - xinetd: V-38582 + description: (MEDIUM) The xinetd service must be disabled if no network services utilizing it are enabled. (Service) + + whitelist: + postfix_enabled: + data: + Red Hat Enterprise Linux Server-6: + - postfix: V-38669 + description: (LOW) The postfix service must be running for mail delivery. (Service) + vpn_enabled: + data: + Red Hat Enterprise Linux Server-6: + - ipsec: V-38687 + description: (LOW) The system must provide VPN connectivity for communications over untrusted networks. (Service) + iptables_enabled: + data: + Red Hat Enterprise Linux Server-6: + - iptables: V-38555 + description: (MEDIUM) The system must employ a local IPv4 firewall. (Service) + iptables_enabled_2: + data: + Red Hat Enterprise Linux Server-6: + - iptables: V-38512 + description: (MEDIUM) The operating system must prevent public IPv4 access into an organizations internal networks, except as appropriately mediated by managed interfaces employing boundary protection devices. (Service) + cron_enabled: + data: + Red Hat Enterprise Linux Server-6: + - crond: V-38605 + description: (MEDIUM) The cron service must be running. 
(Service) + ntpd_enabled: + data: + Red Hat Enterprise Linux Server-6: + - ntpd: V-38620 + description: (MEDIUM) The system clock must be synchronized continuously, or at least daily. (Service) + +stat: + cron_daily_clamscan_host: + # NOTE: This will need to be udated for your respective organization. + # This particular check is validating that clamav is run on a daily basis. + # This is a multi-part check to verify V-38666. Under the pkg section, + # there is a check to verify clam is installed. + data: + Red Hat Enterprise Linux Server-6: + - /etc/cron.daily/clamscan_host.sh: + group: root + user: root + mode: 755 + tag: V-38666 + description: (HIGH) The system must use and update a DoD-approved virus scan program. + etc_passwd_owned_by_root: + data: + Red Hat Enterprise Linux Server-6: + - /etc/passwd: + tag: V-38450 + user: root + uid: 0 + description: (MEDIUM) The /etc/passwd file must be owned by root. + etc_passwd_group-owned_by_root: + data: + Red Hat Enterprise Linux Server-6: + - /etc/passwd: + tag: V-38451 + group: root + gid: 0 + description: (MEDIUM) The /etc/passwd file must be group-owned by root. + etc_passwd_permissions: + data: + Red Hat Enterprise Linux Server-6: + - /etc/passwd: + tag: V-38457 + mode: 644 + description: (MEDIUM) The /etc/passwd file must have mode 0644 or less permissive. + etc_group_owned_by_root: + data: + Red Hat Enterprise Linux Server-6: + - /etc/group: + tag: V-38458 + user: root + uid: 0 + description: (MEDIUM) The /etc/group file must be owned by root. + etc_group_group-owned_by_root: + data: + Red Hat Enterprise Linux Server-6: + - /etc/group: + tag: V-38459 + group: root + gid: 0 + description: (MEDIUM) The /etc/group file must be group-owned by root. + etc_group_permissions: + data: + Red Hat Enterprise Linux Server-6: + - /etc/group: + tag: V-38461 + mode: 644 + description: (MEDIUM) The /etc/group file must have mode 0644 or less permissive. 
+ etc_gshadow_owned_by_root: + data: + Red Hat Enterprise Linux Server-6: + - /etc/gshadow: + tag: V-38443 + user: root + uid: 0 + description: (MEDIUM) The /etc/gshadow file must be owned by root. + etc_gshadow_group-owned_by_root: + data: + Red Hat Enterprise Linux Server-6: + - /etc/gshadow: + tag: V-38448 + group: root + gid: 0 + description: (MEDIUM) The /etc/gshadow file must be group-owned by root. + etc_gshadow_permissions: + data: + Red Hat Enterprise Linux Server-6: + - /etc/gshadow: + tag: V-38449 + mode: 000 + description: (MEDIUM) The /etc/gshadow file must have mode 0000. + etc_shadow_owned_by_root: + data: + Red Hat Enterprise Linux Server-6: + - /etc/shadow: + tag: V-38502 + user: root + uid: 0 + description: (MEDIUM) The /etc/shadow file must be owned by root. + etc_shadow_group-owned_by_root: + data: + Red Hat Enterprise Linux Server-6: + - /etc/shadow: + tag: V-38503 + group: root + gid: 0 + description: (MEDIUM) The /etc/shadow file must be group-owned by root. + etc_shadow_permissions: + data: + Red Hat Enterprise Linux Server-6: + - /etc/shadow: + tag: V-38504 + mode: 000 + description: (MEDIUM) The /etc/shadow file must have mode 0000. + audit_log_permissions: + data: + Red Hat Enterprise Linux Server-6: + - /var/log/audit/audit.log: + tag: V-38498 + mode: 600 + description: (MEDIUM) Audit log files must have mode 0640 or less permissive. (check set at 600) + audit_log_files_owned_by_root: + data: + Red Hat Enterprise Linux Server-6: + - /var/log/audit/audit.log: + tag: V-38495 + user: root + uid: 0 + description: (MEDIUM) Audit log files must be owned by root. + bootloader_owned_by_root: + data: + Red Hat Enterprise Linux Server-6: + - /boot/grub/grub.conf: + tag: V-38579 + user: root + uid: 0 + description: (MEDIUM) The system boot loader configuration file(s) must be owned by root. 
+ bootloader_group-owned_by_root: + data: + Red Hat Enterprise Linux Server-6: + - /boot/grub/grub.conf: + tag: V-38581 + group: root + gid: 0 + description: (MEDIUM) The system boot loader configuration file(s) must be group-owned by root. + bootloader_permissions: + data: + Red Hat Enterprise Linux Server-6: + - /boot/grub/grub.conf: + tag: V-38583 + mode: 600 + description: (MEDIUM) The system boot loader configuration file(s) must have mode 0600 or less permissive. + +sysctl: + # This module only checks the running config. Each entry should also be checked + # via the grep module as well to very they are correctly set in /etc/sysctl.conf + log_martian_packets_sysctl: + data: + Red Hat Enterprise Linux Server-6: + - 'net.ipv4.conf.all.log_martians': + tag: V-38528 + match_output: '1' + description: (LOW) The system must log Martian packets. (Running sysctl) + ignore_ICMPv4_redirect_sysctl: + data: + Red Hat Enterprise Linux Server-6: + - 'net.ipv4.conf.default.accept_redirects': + tag: V-38533 + match_output: '0' + description: (LOW) The system must ignore ICMPv4 redirect messages by default. (Running sysctl) + ignore_ICMPv4_broadcast_sysctl: + data: + Red Hat Enterprise Linux Server-6: + - 'net.ipv4.icmp_echo_ignore_broadcasts': + tag: V-38535 + match_output: '1' + description: (LOW) The system must not respond to ICMPv4 sent to a broadcast address. (Running sysctl) + ignore_ICMPv4_bogus_error_responses_sysctl: + data: + Red Hat Enterprise Linux Server-6: + - 'net.ipv4.icmp_ignore_bogus_error_responses': + tag: V-38537 + match_output: '1' + description: (LOW) The system must ignore ICMPv4 bogus error responses. (Running sysctl) + not_accept_icmpv4_secure_redirect_sysctl: + data: + Red Hat Enterprise Linux Server-6: + - 'net.ipv4.conf.all.secure_redirects': + tag: V-38526 + match_output: '0' + description: (MEDIUM) The system must not accept ICMPv4 secure redirect packets on any interface. 
(Running sysctl) + not_accept_icmpv4_redirect_sysctl: + data: + Red Hat Enterprise Linux Server-6: + - 'net.ipv4.conf.all.accept_redirects': + tag: V-38524 + match_output: '0' + description: (MEDIUM) The system must not accept ICMPv4 redirect packets on any interface. (Running sysctl) + not_send_icmpv4_redirect_sysctl: + data: + Red Hat Enterprise Linux Server-6: + - 'net.ipv4.conf.all.send_redirects': + tag: V-38601 + match_output: '0' + description: (MEDIUM) The system must not send ICMPv4 redirect packets from any interface. (Running sysctl) + not_send_icmpv4_redirect_default_sysctl: + data: + Red Hat Enterprise Linux Server-6: + - 'net.ipv4.conf.default.send_redirects': + tag: V-38600 + match_output: '0' + description: (MEDIUM) The system must not send ICMPv4 redirect packets by default. (Running sysctl) + not_accept_icmpv4_source-routed_sysctl: + data: + Red Hat Enterprise Linux Server-6: + - 'net.ipv4.conf.all.accept_source_route': + tag: V-38523 + match_output: '0' + description: (MEDIUM) The system must not accept ICMPv4 source-routed packets on any interface. (Running sysctl) + not_accept_icmpv4_source-routed_default_sysctl: + data: + Red Hat Enterprise Linux Server-6: + - 'net.ipv4.conf.default.accept_source_route': + tag: V-38529 + match_output: '0' + description: (MEDIUM) The system must not accept ICMPv4 source-routed packets by default. (Running sysctl) + reverse-path_for_ipv4_traffic_sysctl: + data: + Red Hat Enterprise Linux Server-6: + - 'net.ipv4.conf.all.rp_filter': + tag: V-38542 + match_output: '1' + description: (MEDIUM) The system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces. (Running sysctl) + reverse-path_for_ipv4_traffic_default_sysctl: + data: + Red Hat Enterprise Linux Server-6: + - 'net.ipv4.conf.default.rp_filter': + tag: V-38544 + match_output: '1' + description: (MEDIUM) The system must use a reverse-path filter for IPv4 network traffic when possible by default. 
(Running sysctl) + disable_ipv6_sysctl: + # NOTE: may need to be tailored. + data: + Red Hat Enterprise Linux Server-6: + - 'net.ipv6.conf.all.disable_ipv6': + tag: V-38546 + match_output: '1' + description: (MEDIUM) The IPv6 protocol handler must not be bound to the network stack unless needed. (Running sysctl) + ignore_ICMPv6_redirects_default_sysctl: + # NOTE: may need to be tailored. + data: + Red Hat Enterprise Linux Server-6: + - 'net.ipv6.conf.default.accept_redirects': + tag: V-38548 + match_output: '0' + description: (MEDIUM) The system must ignore ICMPv6 redirects by default. (Running sysctl) + ip_forwarding_not_enabled_sysctl: + # NOTE: may need to be tailored. + data: + Red Hat Enterprise Linux Server-6: + - 'net.ipv4.ip_forward': + tag: V-38511 + match_output: '0' + description: (MEDIUM) IP forwarding for IPv4 must not be enabled, unless the system is a router. (Running sysctl) + tcp_syncookies_sysctl: + data: + Red Hat Enterprise Linux Server-6: + - 'net.ipv4.tcp_syncookies': + tag: V-38539 + match_output: '1' + description: (MEDIUM) The system must be configured to use TCP syncookies when experiencing a TCP SYN flood. (Running sysctl) + default_secure_redirects: + data: + Red Hat Enterprise Linux Server-6: + - 'net.ipv4.conf.default.secure_redirects': + tag: V-38532 + match_output: '0' + description: (MEDIUM) The system must not accept ICMPv4 secure redirect packets by default. (Running sysctl) diff --git a/hubblestack_nova_profiles/top.nova b/hubblestack_nova_profiles/top.nova index d35a1ba..2a0d181 100644 --- a/hubblestack_nova_profiles/top.nova +++ b/hubblestack_nova_profiles/top.nova 
@@ -9,14 +9,20 @@ nova: - cis.centos-6-level-1-scored-v2-0-1 'G@osfinger:CentOS*Linux-7': - cis.centos-7-level-1-scored-v2-1-0 - 'G@osfinger:Debian-8': + 'G@osfinger:Debian*7': + - cis.debian-7 + 'G@osfinger:Debian*8': - cis.debian-8-level-1-scored-v1-0-0 + 'G@osfinger:Debian*9': + - cis.debian-9 'G@osfinger:Red*Hat*Enterprise*Linux*Server-6': - cis.rhels-6-level-1-scored-v2-0-1 'G@osfinger:Red*Hat*Enterprise*Linux*Server-7': - cis.rhels-7-level-1-scored-v2-1-0 'G@osfinger:Red*Hat*Enterprise*Linux*Workstation-7': - cis.rhelw-7-level-1-scored-v2-1-0 + 'G@osfinger:Ubuntu-12.04': + - cis.ubuntu-1204-level-1-scored-v1-0-0 'G@osfinger:Ubuntu-14.04': - cis.ubuntu-1404-level-1-scored-v1-0-0 'G@osfinger:Ubuntu-16.04': @@ -30,6 +36,10 @@ nova: 'G@osfinger:Amazon*Linux*2015*': - cis.amazon-level-1-scored-v1-0-0 'G@osfinger:Amazon*Linux*2016*': + - cis.amazon-level-1-scored-v2-0-0 + 'G@osfinger:Amazon*Linux*2017*': + - cis.amazon-level-1-scored-v1-0-0 + 'G@osfinger:Amazon*Linux*2018*': - cis.amazon-level-1-scored-v1-0-0 #'*': # - misc diff --git a/hubblestack_pulsar/hubblestack_pulsar_config.yaml b/hubblestack_pulsar/hubblestack_pulsar_config.yaml index e375f3c..2e92806 100644 --- a/hubblestack_pulsar/hubblestack_pulsar_config.yaml +++ b/hubblestack_pulsar/hubblestack_pulsar_config.yaml @@ -28,6 +28,7 @@ - /etc/gshadow+ - /etc/gshadow- - /etc/cas/timestamp + - /etc/resolv.conf.tmp - /etc/pki/nssdb/key4.db-journal - /etc/pki/nssdb/cert9.db-journal - /etc/salt/gpgkeys/random_seed diff --git a/hubblestack_pulsar/hubblestack_pulsar_win_config.yaml b/hubblestack_pulsar/hubblestack_pulsar_win_config.yaml index 39136b6..e132232 100644 --- a/hubblestack_pulsar/hubblestack_pulsar_win_config.yaml +++ b/hubblestack_pulsar/hubblestack_pulsar_win_config.yaml @@ -1,4 +1,8 @@ -C:\Users: {} +C:\Users: + exclude: + - C:\Users\*\AppData\Local\VMware\vpx + - C:\Users\*\AppData\Local\Mozilla\Firefox\Profiles + - C:\Users\*\AppData\Local\Temp C:\Windows: mask: - Write 
@@ -8,7 +12,16 @@ C:\Windows: - TakeOwnership exclude: - C:\Windows\System32 -C:\temp: {} + - C:\Windows\security\logs\diagnosis.log + - C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive?.dat + - C:\Windows\WinSxS\FileMaps + - C:\Windows\security\logs + - C:\Windows\ServiceProfiles\LocalService\AppData\Local + - C:\Windows\security\templates\policies + - C:\Windows\CCM\Logs + - C:\Windows\security\database + - C:\Windows\SoftwareDistribution + - C:\Windows\WinSxS win_notify_interval: 30 # MUST be the same as interval in pillar config return: splunk_pulsar_return batch: True
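Review bot: in the STIG profile hunk, the `audit_log_permissions` entry checks `mode: 600` while its own description quotes the control as "mode 0640 or less permissive", so an `audit.log` legitimately set to 0640 (the mode auditd uses when a `log_group` is configured) will be reported as failing V-38498; either set `mode: 640` to match the control, or keep 600 and make the "(check set at 600)" note explicit that it is a deliberately tightened local threshold rather than the STIG value. Also, the comment heading the `sysctl:` block reads "to very they are correctly set"; that should be "to verify", and "also ... as well" can lose one of the two.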
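Review bot: in the first `top.nova` hunk, the new profiles `cis.debian-7` and `cis.debian-9` break the `<os>-level-<n>-scored-v<x>-<y>-<z>` naming every other entry in this file uses (for example `cis.debian-8-level-1-scored-v1-0-0`), which hides which CIS benchmark version they implement; either rename them to the same pattern or add a comment naming the benchmark version. The Debian 8 match was also widened from `'G@osfinger:Debian-8'` to `'G@osfinger:Debian*8'`; that is consistent with the other glob-style grains in this file but is a behaviour change worth one line of explanation.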
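Review bot: in the Amazon Linux hunk the benchmark versions look inverted: `'G@osfinger:Amazon*Linux*2016*'` now gets `cis.amazon-level-1-scored-v2-0-0`, while the newer `2017*` and `2018*` matches are mapped to the older `cis.amazon-level-1-scored-v1-0-0`. If the intent was to apply the v2 benchmark to the newest releases, the `v2-0-0` line belongs under 2017/2018; if the mapping really is intentional, a comment saying why would save the next reader the same question.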
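Review bot: the new `C:\Users` excludes rely on wildcard path components (`C:\Users\*\AppData\Local\Temp`), whereas the existing Windows excludes in this file are literal paths such as `C:\Windows\System32`; confirm that the Windows pulsar exclude matcher expands `*` (and `?`, used by `lastalive?.dat` in the next hunk) rather than comparing strings literally, otherwise these entries silently never match. Separately, excluding every user's `AppData\Local\Temp` removes file-integrity visibility from a directory that commonly features in incident investigations; if the motivation is noise, a `mask` limiting which events are reported may be a better trade-off than a full exclude.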
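Review bot: several of the new `C:\Windows` excludes are redundant because a parent path already appears in the same list: `C:\Windows\security\logs\diagnosis.log` is covered by `C:\Windows\security\logs`, `C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive?.dat` by `C:\Windows\ServiceProfiles\LocalService\AppData\Local`, and `C:\Windows\WinSxS\FileMaps` by `C:\Windows\WinSxS`; keep either the specific entries or the directory entries, not both, so the list states what is actually being waived. The same hunk also drops the `C:\temp: {}` watch entirely with nothing in the diff explaining it; if monitoring of `C:\temp` is meant to stop, say so in the commit message, and if it was collateral from reworking the file, restore it.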