├── .gitignore ├── README.md ├── hubblestack_cron ├── hubblestack_masterless ├── hubblestack_nebula ├── hubblestack_nebula_queries.yaml ├── hubblestack_nebula_win_queries.yaml ├── top.nebula └── win_top.nebula ├── hubblestack_nebula_v2 ├── hubblestack_nebula_queries.yaml ├── hubblestack_nebula_win_queries.yaml ├── mask.yaml ├── top.mask ├── top.nebula ├── top_v2.mask └── win_top.nebula ├── hubblestack_nova_profiles ├── centos_6.json ├── centos_7.json ├── cis │ ├── amazon-201409-level-1-scored-v1-0-0.yaml │ ├── amazon-level-1-scored-v1-0-0.yaml │ ├── amazon-level-1-scored-v2-0-0.yaml │ ├── amazon-level-1-scored-v2-1-0.yaml │ ├── centos-6-level-1-scored-v1-0-0.yaml │ ├── centos-6-level-1-scored-v2-0-1.yaml │ ├── centos-7-level-1-scored-v1-0-0.yaml │ ├── centos-7-level-1-scored-v2-0-0.yaml │ ├── centos-7-level-1-scored-v2-1-0.yaml │ ├── centos-7-level-1-scored-v2-1-1.yaml │ ├── centos-7-level-1-scored-v2-2-0.yaml │ ├── coreos-level-1.yaml │ ├── debian-7.yaml │ ├── debian-8-level-1-scored-v1-0-0.yaml │ ├── debian-9-level-1-scored-v1-0-0.yaml │ ├── debian-9.yaml │ ├── distribution-independent-linux-level-1-all-v1-1-0.yaml │ ├── rhels-5-level-1-scored-v2-2-0.yaml │ ├── rhels-6-level-1-scored-v1-0-0.yaml │ ├── rhels-6-level-1-scored-v2-0-1.yaml │ ├── rhels-7-level-1-scored-v1-0-0.yaml │ ├── rhels-7-level-1-scored-v2-1-0.yaml │ ├── rhels-7-level-1-scored-v2-2-0.yaml │ ├── rhelw-7-level-1-scored-v2-1-0.yaml │ ├── ubuntu-1204-level-1-scored-v1-0-0.yaml │ ├── ubuntu-1404-level-1-scored-v1-0-0.yaml │ ├── ubuntu-1604-level-1-scored-v1-0-0.yaml │ ├── ubuntu-1604-level-1-scored-v1-1-0.yaml │ ├── ubuntu-1804-level-1-scored-v1-0-0.yaml │ ├── windows-2008r2-level-1-scored-v3-0-1.yaml │ ├── windows-2012r2-level-1-scored-v2-2-1.yaml │ ├── windows-2012r2-level-1-scored-v2-3-0.yaml │ └── windows-2016-level-1-scored-v1-0-0.yaml ├── cve │ └── vulners.yaml ├── firewall │ └── ssh.yaml ├── misc.yaml ├── network │ ├── smtp.yaml │ └── ssh.yaml ├── samples │ ├── dont_blame_nrpe.yaml │ ├── 
sample_cis.yaml │ ├── sample_command.yaml │ ├── sample_control.yaml │ ├── sample_firewall.yaml │ └── sample_openssl.yaml ├── security │ ├── meltdown_spectre.yaml │ └── ssh_passwordauthentication.yaml ├── stig │ └── rhel-6-mac-1-classified.yaml └── top.nova ├── hubblestack_pulsar ├── hubblestack_pulsar_config.yaml ├── hubblestack_pulsar_win_config.yaml ├── top.pulsar └── win_top.pulsar └── hubblestack_schedule /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | env/ 12 | build/ 13 | develop-eggs/ 14 | dist/ 15 | downloads/ 16 | eggs/ 17 | .eggs/ 18 | lib/ 19 | lib64/ 20 | parts/ 21 | sdist/ 22 | var/ 23 | *.egg-info/ 24 | .installed.cfg 25 | *.egg 26 | 27 | # PyInstaller 28 | # Usually these files are written by a python script from a template 29 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 30 | *.manifest 31 | *.spec 32 | 33 | # Installer logs 34 | pip-log.txt 35 | pip-delete-this-directory.txt 36 | 37 | # Unit test / coverage reports 38 | htmlcov/ 39 | .tox/ 40 | .coverage 41 | .coverage.* 42 | .cache 43 | nosetests.xml 44 | coverage.xml 45 | *,cover 46 | .hypothesis/ 47 | 48 | # Translations 49 | *.mo 50 | *.pot 51 | 52 | # Django stuff: 53 | *.log 54 | 55 | # Sphinx documentation 56 | docs/_build/ 57 | 58 | # PyBuilder 59 | target/ 60 | 61 | #Ipython Notebook 62 | .ipynb_checkpoints 63 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Issues should be opened against the 2 | [Hubble](https://github.com/hubblestack/hubble) repo. 3 | 4 | # hubblestack_data 5 | Data source for all hubble pieces. Includes nebula osqueries, nova profiles, pulsar configuration, etc. 
6 | -------------------------------------------------------------------------------- /hubblestack_cron: -------------------------------------------------------------------------------- 1 | # Recommended cron jobs for minions 2 | # 3 | # This file is here for your consumption, but will not automatically be 4 | # deployed by hubble. We recommend you deploy this file on the master at 5 | # /etc/cron.d/hubblestack_cron 6 | # 7 | # If you're worried about master load for running these jobs (most teams won't 8 | # have a problem with this, unless there are several thousand servers per 9 | # master), then use the hubblestack_masterless instructions in this repo 10 | # instead. 11 | 12 | MAILTO="" 13 | SHELL=/bin/bash 14 | */15 * * * * root /usr/bin/salt '*' nebula.queries fifteen_min --return splunk_nebula_return 15 | @hourly root /usr/bin/salt '*' nebula.queries hour --return splunk_nebula_return 16 | @daily root /usr/bin/salt '*' nebula.queries day --return splunk_nebula_return 17 | @daily root /usr/bin/salt '*' cp.cache_file salt://hubblestack_pulsar/hubblestack_pulsar_config.yaml 18 | @daily root /usr/bin/salt '*' cp.cache_file salt://hubblestack_pulsar/hubblestack_pulsar_win_config.yaml 19 | @daily root /usr/bin/salt '*' hubble.top verbose=True show_profile=True --return splunk_nova_return 20 | @daily root /usr/bin/salt '*' saltutil.sync_all 21 | -------------------------------------------------------------------------------- /hubblestack_masterless: -------------------------------------------------------------------------------- 1 | ## Instructions for a master-managed masterless deploy 2 | ## 3 | ## These instructions assume that you are using gitfs to deploy your main salt 4 | ## files, as they will be deploying files to /srv/salt and /srv/pillar on the 5 | ## minions, including the minion on the master (the recurse states below use clean: True, so unmanaged files in the target directories are removed). 
6 | ## 7 | ## Note that pulsar must still be configured with master-side pillar data, 8 | ## as pulsar requires connection to a master with a running minion daemon. 9 | ## 10 | ## Once you have configured your folder structure as shown below, deployment 11 | ## to your minions should be as easy as running the `salt '*' state.sls hubble`. 12 | ## We recommend you add this state to your state topfile so it will be deployed 13 | ## to all minions whenever your highstate is applied. 14 | ## 15 | ## Here is the recommended folder structure: 16 | ## 17 | ## salt://hubble/ 18 | ## salt://hubble/init.sls 19 | ## salt://hubble/hubblestack_cron 20 | ## salt://hubble/pillar/top.sls 21 | ## salt://hubble/pillar/hubble.sls 22 | ## 23 | ## Here are the files: 24 | ## 25 | ## salt://hubble/init.sls 26 | 27 | hubblestack_pulsar_data: 28 | file.recurse: 29 | - name: /srv/salt/hubblestack_pulsar 30 | - source: salt://hubblestack_pulsar 31 | - clean: True 32 | - user: root 33 | - group: root 34 | - dir_mode: 700 35 | - file_mode: 600 36 | 37 | hubblestack_nova_profiles: 38 | file.recurse: 39 | - name: /srv/salt/hubblestack_nova_profiles 40 | - source: salt://hubblestack_nova_profiles 41 | - clean: True 42 | - user: root 43 | - group: root 44 | - dir_mode: 700 45 | - file_mode: 600 46 | 47 | hubblestack_nova_modules: 48 | file.recurse: 49 | - name: /srv/salt/hubblestack_nova 50 | - source: salt://hubblestack_nova 51 | - clean: True 52 | - user: root 53 | - group: root 54 | - dir_mode: 700 55 | - file_mode: 600 56 | 57 | hubblestack_nebula_data: 58 | file.recurse: 59 | - name: /srv/salt/hubblestack_nebula 60 | - source: salt://hubblestack_nebula 61 | - clean: True 62 | - user: root 63 | - group: root 64 | - dir_mode: 700 65 | - file_mode: 600 66 | 67 | hubblestack_pillar_data: 68 | file.recurse: 69 | - name: /srv/pillar 70 | - source: salt://hubble/pillar 71 | - clean: True 72 | - user: root 73 | - group: root 74 | - dir_mode: 700 75 | - file_mode: 600 76 | 77 | hubblestack_modules: 78 
| file.recurse: 79 | - name: /srv/salt/_modules 80 | - source: salt://_modules 81 | - clean: True 82 | - user: root 83 | - group: root 84 | - dir_mode: 700 85 | - file_mode: 600 86 | 87 | hubblestack_beacons: 88 | file.recurse: 89 | - name: /srv/salt/_beacons 90 | - source: salt://_beacons 91 | - clean: True 92 | - user: root 93 | - group: root 94 | - dir_mode: 700 95 | - file_mode: 600 96 | 97 | hubblestack_returners: 98 | file.recurse: 99 | - name: /srv/salt/_returners 100 | - source: salt://_returners 101 | - clean: True 102 | - user: root 103 | - group: root 104 | - dir_mode: 700 105 | - file_mode: 600 106 | 107 | hubblestack_sync_all: 108 | module.run: 109 | - name: saltutil.sync_all 110 | - onchanges: 111 | - file: hubblestack_pillar_data 112 | - file: hubblestack_modules 113 | - file: hubblestack_beacons 114 | - file: hubblestack_returners 115 | 116 | hubblestack_cron: 117 | file.managed: 118 | - name: /etc/cron.d/hubblestack_cron 119 | - mode: 0600 120 | - source: salt://hubble/hubblestack_cron 121 | - require: 122 | - file: hubblestack_pillar_data 123 | - file: hubblestack_nova_modules 124 | - file: hubblestack_nova_profiles 125 | - file: hubblestack_pulsar_data 126 | - file: hubblestack_nebula_data 127 | - file: hubblestack_modules 128 | - file: hubblestack_beacons 129 | - file: hubblestack_returners 130 | 131 | ## salt://hubble/hubblestack_cron 132 | 133 | # This file is managed by salt. Do not modify! 
134 | 135 | MAILTO="" 136 | SHELL=/bin/bash 137 | PATH=/usr/local/bin:/bin:/usr/bin:/usr/local/sbin:/usr/sbin:/sbin 138 | */15 * * * * root sleep $(expr $RANDOM \% 600); /usr/bin/salt-call --local nebula.queries fifteen_min --return splunk_nebula_return 139 | @hourly root sleep $(expr $RANDOM \% 1800); /usr/bin/salt-call --local nebula.queries hour --return splunk_nebula_return 140 | @daily root sleep $(expr $RANDOM \% 3600); /usr/bin/salt-call --local nebula.queries day --return splunk_nebula_return 141 | @daily root sleep $(expr $RANDOM \% 3600); /usr/bin/salt-call --local cp.cache_file salt://hubblestack_pulsar/hubblestack_pulsar_config.yaml 142 | @daily root sleep $(expr $RANDOM \% 3600); /usr/bin/salt-call --local hubble.top verbose=True show_profile=True --return splunk_nova_return 143 | @daily root /usr/bin/salt-call --local saltutil.sync_all 144 | 145 | ## salt://hubble/pillar/top.sls 146 | 147 | base: 148 | '*': 149 | - hubble 150 | 151 | ## salt://hubble/pillar/hubble.sls 152 | ## 153 | ## This file must be modified with your Splunk HEC token and index. The hubblestack_pillar_data state above deploys it to /srv/pillar as root with mode 600; keep it that restrictive, since the token is the credential the splunk returners use. 154 | 155 | hubblestack: 156 | nova: 157 | returner: 158 | splunk: 159 | token: 160 | indexer: splunk-hec.loc.adobe.net 161 | sourcetype: hubble_audit 162 | index: 163 | 164 | nebula: 165 | returner: 166 | splunk: 167 | token: 168 | indexer: splunk-hec.loc.adobe.net 169 | sourcetype: hubble_osquery 170 | index: 171 | 172 | pulsar: 173 | returner: 174 | splunk: 175 | token: 176 | indexer: splunk-hec.loc.adobe.net 177 | sourcetype: hubble_fim 178 | index: 179 | -------------------------------------------------------------------------------- /hubblestack_nebula/hubblestack_nebula_queries.yaml: -------------------------------------------------------------------------------- 1 | fifteen_min: 2 | - query_name: running_procs 3 | query: SELECT t.unix_time AS query_time, p.name AS process, p.pid AS process_id, p.pgroup AS process_group, p.state AS process_state, p.cmdline, p.cwd, p.on_disk, p.resident_size AS 
mem_used, p.user_time, p.system_time, (SELECT strftime('%s','now')-ut.total_seconds+p.start_time FROM uptime AS ut) AS process_start_time, p.parent AS parent_process_id, pp.name AS parent_process, g.groupname AS 'group', g.gid AS group_id, u.username AS user, u.uid AS user_id, eu.username AS effective_username, eg.groupname AS effective_groupname, p.path, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256, '__JSONIFY__'||(SELECT json_group_array(json_object('fd',pof.fd, 'path',pof.path)) FROM process_open_files AS pof WHERE pof.pid=p.pid GROUP BY pof.pid) AS open_files, '__JSONIFY__'||(SELECT json_group_array(json_object('variable_name',pe.key, 'value',pe.value)) FROM process_envs AS pe WHERE pe.pid=p.pid GROUP BY pe.pid) AS environment FROM processes AS p LEFT JOIN processes AS pp ON p.parent=pp.pid LEFT JOIN users AS u ON p.uid=u.uid LEFT JOIN users AS eu ON p.euid=eu.uid LEFT JOIN groups AS g ON p.gid=g.gid LEFT JOIN groups AS eg ON p.gid=eg.gid LEFT JOIN hash AS h ON p.path=h.path LEFT JOIN time AS t WHERE p.parent IS NOT 2 AND (process NOTNULL OR p.parent NOTNULL); 4 | - query_name: established_outbound 5 | query: SELECT t.unix_time AS query_time, pos.state AS connection_state, CASE pos.family WHEN 2 THEN 'ipv4' WHEN 10 THEN 'ipv6' ELSE pos.family END AS family, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256, h.directory AS directory, pos.local_address AS src_connection_ip, pos.local_port AS src_connection_port, pos.remote_port AS dest_connection_port, pos.remote_address AS dest_connection_ip, p.name AS process, p.pid AS process_id, p.parent AS parent_process_id, pp.name AS parent_process, p.path AS file_path, f.size AS file_size, p.cmdline AS cmdline, u.uid AS user_id, u.username AS user, CASE pos.protocol WHEN 6 THEN 'tcp' WHEN 17 THEN 'udp' ELSE pos.protocol END AS transport FROM process_open_sockets AS pos JOIN processes AS p ON p.pid=pos.pid LEFT JOIN processes AS pp ON p.parent=pp.pid LEFT JOIN users AS u ON p.uid=u.uid LEFT JOIN time AS t LEFT JOIN hash 
AS h ON h.path=p.path LEFT JOIN file AS f ON f.path=p.path WHERE NOT pos.remote_address='' AND NOT pos.remote_address='::' AND NOT pos.remote_address='::1' AND NOT pos.remote_address='0.0.0.0' AND NOT pos.remote_address='127.0.0.1' AND (pos.local_port,pos.protocol) NOT IN (SELECT lp.port, lp.protocol FROM listening_ports AS lp); 6 | - query_name: listening_procs 7 | query: SELECT t.unix_time AS query_time, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256, lp.pid AS process_id, p.pgroup AS process_group, p.name AS process, (SELECT strftime('%s','now')-ut.total_seconds+p.start_time FROM uptime AS ut) AS process_start_time, CASE lp.family WHEN 2 THEN 'ipv4' WHEN 10 THEN 'ipv6' ELSE lp.family END AS family, lp.address AS address, lp.port AS dest_port, p.path AS file_path, p.cwd, p.cmdline, p.on_disk, p.root, u.username AS user, u.uid AS user_id, g.groupname AS 'group', g.gid AS group_id, p.parent AS parent_process_id, pp.name AS parent_process, CASE lp.protocol WHEN 6 THEN 'tcp' WHEN 17 THEN 'udp' ELSE lp.protocol END AS transport FROM listening_ports AS lp LEFT JOIN processes AS p ON lp.pid=p.pid LEFT JOIN processes AS pp ON p.parent=pp.pid LEFT JOIN users AS u ON p.uid=u.uid LEFT JOIN groups AS g ON p.gid=g.gid LEFT JOIN time AS t LEFT JOIN hash AS h ON h.path=p.path WHERE NOT lp.family=1; 8 | - query_name: shell_history 9 | query: SELECT t.unix_time AS query_time, uid, gid, username AS user, groupname AS 'group', command, time, history_file FROM users JOIN groups USING (gid) JOIN shell_history USING (uid) LEFT JOIN time AS t WHERE time > strftime('%s', 'now', '-16 minutes'); 10 | - query_name: docker_running_procs 11 | query: SELECT t.unix_time AS query_time, dc.id AS container_id, dc.name AS container_name, dc.image AS image_name, dc.image_id AS image_id, dc.command AS container_command, dc.created AS container_start_time, dc.state AS container_state, dc.status AS status, dcproc.pid AS process_id, dcproc.parent AS parent_process_id, dcproc.pgroup AS process_group, 
dcproc.threads, dcproc.name AS process, dcproc.cmdline, dcproc.state AS process_state, dcproc.uid AS user_id, dcproc.user AS user, dcproc.gid AS group_id, dcproc.euid AS effective_userid, dcproc.egid AS effective_groupid, dcproc.resident_size AS mem_used, (SELECT strftime('%s','now')-u.total_seconds+dcproc.start_time FROM uptime AS u) AS process_start_time, dcproc.time AS total_cpu_time, '__JSONIFY__'||(SELECT json_group_array(json_object('fd',pof.fd, 'path',pof.path)) FROM process_open_files AS pof WHERE pof.pid=dcproc.pid GROUP BY pof.pid) AS open_files, '__JSONIFY__'||(SELECT json_group_array(json_object('variable_name',pe.key, 'value',pe.value)) FROM process_envs AS pe WHERE pe.pid=dcproc.pid GROUP BY pe.pid) AS environment FROM docker_containers AS dc JOIN docker_container_processes AS dcproc USING (id) LEFT JOIN time AS t; 12 | hour: 13 | - query_name: crontab 14 | query: SELECT t.unix_time AS query_time, c.event, c.minute, c.hour, c.day_of_month, c.month, c.day_of_week, c.command, c.path AS cron_file FROM crontab AS c JOIN time AS t; 15 | - query_name: login_history 16 | query: SELECT t.unix_time AS query_time, l.username AS user, l.tty, l.pid, l.type AS utmp_type, CASE l.type WHEN 1 THEN 'RUN_LVL' WHEN 2 THEN 'BOOT_TIME' WHEN 3 THEN 'NEW_TIME' WHEN 4 THEN 'OLD_TIME' WHEN 5 THEN 'INIT_PROCESS' WHEN 6 THEN 'LOGIN_PROCESS' WHEN 7 THEN 'USER_PROCESS' WHEN 8 THEN 'DEAD_PROCESS' ELSE l.type END AS utmp_type_name, l.host AS src, l.time FROM last AS l LEFT JOIN time AS t WHERE (l.time > strftime('%s','now') - 3660) AND NOT (l.type=8 AND l.tty=''); 17 | - query_name: docker_running_containers 18 | query: SELECT t.unix_time AS query_time, dc.id AS container_id, dc.name AS container_name, dc.image AS image_name, di.created AS image_created_time, di.size_bytes AS image_size, di.tags AS image_tags, dc.image_id AS image_id, dc.command AS container_command, dc.created AS container_start_time, dc.state AS container_state, dc.status AS status, '__JSONIFY__'||(SELECT 
json_group_array(json_object('key',dcl.key, 'value',dcl.value)) FROM docker_container_labels AS dcl WHERE dcl.id=dc.id GROUP BY dcl.id) AS container_labels, '__JSONIFY__'||(SELECT json_group_array(json_object('mount_type',dcm.type, 'mount_name',dcm.name, 'mount_host_path',dcm.source, 'mount_container_path',dcm.destination, 'mount_driver',dcm.driver, 'mount_mode',dcm.mode, 'mount_rw',dcm.rw, 'mount_progpagation',dcm.propagation)) FROM docker_container_mounts AS dcm WHERE dcm.id=dc.id GROUP BY dcm.id) AS container_mounts, '__JSONIFY__'||(SELECT json_group_array(json_object('port_type',dcport.type, 'port',dcport.port, 'host_ip',dcport.host_ip, 'host_port',dcport.host_port)) FROM docker_container_ports AS dcport WHERE dcport.id=dc.id GROUP BY dcport.id) AS container_ports, '__JSONIFY__'||(SELECT json_group_array(json_object('network_name',dcnet.name, 'network_id',dcnet.network_id, 'endpoint_id',dcnet.endpoint_id, 'gateway',dcnet.gateway, 'container_ip',dcnet.ip_address, 'container_ip_prefix_len',dcnet.ip_prefix_len, 'ipv6_gateway',dcnet.ipv6_gateway, 'container_ipv6_address',dcnet.ipv6_address, 'container_ipv6_prefix_len',dcnet.ipv6_prefix_len, 'container_mac_address',dcnet.mac_address)) FROM docker_container_networks AS dcnet WHERE dcnet.id=dc.id GROUP BY dcnet.id) AS container_networks FROM docker_containers AS dc JOIN docker_images AS di ON di.id=dc.image_id LEFT JOIN time AS t; 19 | - query_name: nameservers 20 | query: SELECT t.unix_time AS query_time, '__JSONIFY__'||json_group_array(dr.address) AS nameservers FROM dns_resolvers AS dr, time AS t WHERE dr.type = 'nameserver'; 21 | - query_name: suid_binaries 22 | query: SELECT t.unix_time AS query_time, sb.username AS user, sb.groupname AS 'group', sb.permissions, sb.path, f.uid, f.gid, f.mode AS file_acl, f.mtime AS file_modify_time, f.ctime AS file_create_time, f.type AS file_type, f.filename AS filename, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256 FROM suid_bin AS sb JOIN time AS t LEFT JOIN hash AS h ON 
sb.path=h.path LEFT JOIN file AS f ON sb.path=f.path; 23 | - query_name: more_suid_binaries 24 | query: SELECT t.unix_time AS query_time, f.path, u.username AS user, g.groupname AS 'group', f.uid, f.gid, f.mode AS file_acl, f.mtime AS file_modify_time, f.ctime AS file_create_time, f.type AS file_type, f.filename AS filename, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256 FROM users AS u JOIN file AS f ON u.uid=f.uid LEFT JOIN groups AS g ON g.gid=f.gid LEFT JOIN hash AS h ON h.path=f.path LEFT JOIN time AS t WHERE (f.directory LIKE '/root%%' OR f.directory LIKE '/usr/libexec%%' OR f.directory LIKE '/var/tmp%%' OR f.directory LIKE '/dev%%') AND (substr(f.mode,1,1) IN ('2','4','6') AND f.type='regular'); 25 | - query_name: ssh_public_keys 26 | query: SELECT t.unix_time AS query_time, u.username AS user, ak.uid, ak.key AS ssh_public_key, ak.key_file AS object_path, g.gid, g.groupname AS 'group', f.mode AS file_acl, f.size AS file_size, f.atime AS file_access_time, f.mtime AS file_modify_time, f.ctime AS file_change_time, f.uid AS file_uid, f.gid AS file_gid, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256 FROM users AS u JOIN authorized_keys AS ak ON u.uid=ak.uid LEFT JOIN groups AS g ON u.gid=g.gid LEFT JOIN file AS f ON ak.key_file=f.path LEFT JOIN hash AS h ON ak.key_file=h.path LEFT JOIN time AS t; 27 | - query_name: ssh_key_files 28 | query: SELECT t.unix_time AS query_time, u.username AS user, usk.uid, g.groupname AS 'group', f.gid, usk.path AS file_path, usk.encrypted, f.mode AS file_acl, f.size AS file_size, f.atime AS file_access_time, f.mtime AS file_modify_time, f.ctime AS file_change_time, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256 FROM users AS u JOIN user_ssh_keys AS usk ON u.uid=usk.uid LEFT JOIN hash AS h ON h.path=usk.path LEFT JOIN file AS f ON f.path=usk.path LEFT JOIN groups AS g ON g.gid=f.gid LEFT JOIN time AS t; 29 | - query_name: local_user_accounts 30 | query: SELECT t.unix_time AS query_time, u.uid AS user_id, u.username AS user, 
u.description AS name, u.gid AS group_id, g.groupname AS 'group', (SELECT group_concat(gs.groupname) FROM user_groups AS ugs LEFT JOIN groups AS gs ON gs.gid=ugs.gid WHERE u.uid=ugs.uid GROUP BY ugs.uid) AS all_groups, (SELECT group_concat(gs.gid) FROM user_groups AS ugs LEFT JOIN groups AS gs ON gs.gid=ugs.gid WHERE u.uid=ugs.uid GROUP BY ugs.uid) AS all_group_ids, u.shell AS shell_path, sf.mode AS shell_acl, sf.inode AS shell_inode, sf.uid AS shell_user_id, sf.gid AS shell_group_id, sf.device AS shell_device, sf.size AS shell_size, sf.atime AS shell_access_time, sf.mtime AS shell_modify_time, sf.ctime AS shell_change_time, sf.hard_links AS shell_hard_links, sh.md5 AS shell_md5, sh.sha1 AS shell_sha1, sh.sha256 AS shell_sha256, u.directory AS home_path, hf.mode AS home_acl, hf.inode AS home_inode, hf.uid AS home_user_id, hf.gid AS home_group_id, hf.device AS home_device, hf.atime AS home_access_time, hf.mtime AS home_modify_time, hf.ctime AS home_change_time, hf.hard_links AS home_hard_links FROM users AS u LEFT JOIN groups AS g ON u.gid=g.gid LEFT JOIN file AS sf ON sf.path=u.shell LEFT JOIN file AS hf ON hf.path=u.directory LEFT JOIN hash AS sh ON sh.path=u.shell LEFT JOIN time AS t; 31 | - query_name: etc_hosts 32 | query: SELECT t.unix_time AS query_time, '__JSONIFY__'||(SELECT json_group_array(json_object('address',eh.address, 'hostnames',eh.hostnames)) FROM etc_hosts AS eh) AS etc_hosts FROM time AS t; 33 | day: 34 | - query_name: rpm_packages 35 | query: SELECT t.unix_time AS query_time, rpm.name, rpm.version, rpm.release, rpm.source AS package_source, rpm.size, rpm.sha1, rpm.arch FROM rpm_packages AS rpm JOIN time AS t; 36 | - query_name: deb_packages 37 | query: SELECT t.unix_time AS query_time, deb.name, deb.version, deb.revision, deb.source AS package_source, deb.size, deb.arch FROM deb_packages AS deb JOIN time AS t; 38 | - query_name: os_info 39 | query: SELECT t.unix_time AS query_time, os.* FROM os_version AS os LEFT JOIN time AS t; 40 | - 
query_name: interface_addresses 41 | query: SELECT t.unix_time AS query_time, ia.interface, ia.address, id.mac, (SELECT filename FROM file WHERE directory='/sys/class/net/' AND inode = (SELECT inode FROM file WHERE path='/sys/class/net/'||id.interface||'/brport/bridge')) AS bridge FROM interface_addresses AS ia JOIN interface_details AS id ON ia.interface=id.interface LEFT JOIN time AS t WHERE NOT ia.interface='lo'; 42 | - query_name: routes 43 | query: SELECT DISTINCT t.unix_time AS query_time, r.destination AS route_destination, r.netmask AS route_netmask, r.gateway, r.source AS source_ip, r.flags AS route_flags, r.interface AS interface, r.metric AS route_metric, r.type AS route_type FROM routes AS r LEFT JOIN time AS t WHERE NOT ((type='broadcast' OR type='other') AND interface='lo'); 44 | - query_name: uptime 45 | query: SELECT t.unix_time AS query_time, total_seconds AS uptime, strftime('%s','now')-u.total_seconds AS system_start_time FROM uptime AS u LEFT JOIN time AS t; 46 | - query_name: mounts 47 | query: SELECT t.unix_time AS query_time, m.* FROM mounts AS m LEFT JOIN time AS t; 48 | - query_name: iptables_rules 49 | query: SELECT DISTINCT t.unix_time AS query_time, ipt.filter_name, ipt.chain, ipt.policy FROM iptables AS ipt LEFT JOIN time AS t WHERE ipt.policy<>''; 50 | - query_name: sysctl 51 | query: SELECT t.unix_time AS query_time, sc.* FROM system_controls AS sc LEFT JOIN time AS t; 52 | - query_name: kernel_info 53 | query: SELECT t.unix_time AS query_time, ki.version, ki.arguments AS boot_arguments, ki.device AS boot_device, CASE WHEN ki.path<>'' THEN ki.path ELSE 'NOT_AVAILABLE' END AS boot_image, CASE WHEN ki.path<>'' THEN '/boot/'||ltrim(ki.path,'/boot/') ELSE '/boot/vmlinuz-'||ki.version END AS file_path, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256, f.filename AS file_name, f.inode, f.uid, u.username AS user, f.gid, g.groupname AS 'group', f.mode AS file_acl, f.size AS file_size, f.atime AS file_access_time, f.mtime AS file_modify_time, 
f.ctime AS file_change_time, f.hard_links, f.type AS file_type FROM kernel_info AS ki LEFT JOIN hash AS h ON h.path=file_path LEFT JOIN file AS f ON f.path=file_path LEFT JOIN users AS u ON u.uid=f.uid LEFT JOIN groups AS g ON g.gid=f.gid LEFT JOIN time AS t; 54 | - query_name: docker_info 55 | query: SELECT t.unix_time AS query_time, di.id AS docker_id, di.storage_driver AS storage_driver, di.logging_driver AS logging_driver, di.cgroup_driver AS cgroup_driver, di.server_version AS docker_version, di.root_dir AS root_dir FROM docker_info AS di LEFT JOIN time AS t; 56 | - query_name: system_info 57 | query: SELECT t.unix_time AS query_time, si.uuid, si.cpu_type, si.cpu_subtype, si.cpu_brand, si.cpu_physical_cores, si.cpu_logical_cores, si.hardware_vendor, si.hardware_serial, si.hardware_model, (SELECT value FROM cpuid WHERE feature = 'hypervisor') AS virtual_machine, mi.memory_total, mi.memory_free, mi.swap_total, mi.swap_free, pi.vendor AS bios_vendor, pi.version AS bios_version, pi.date AS bios_date, pi.revision AS bios_revision, (SELECT average FROM load_average WHERE period = '1m') AS load_1m, (SELECT average FROM load_average WHERE period = '5m') AS load_5m, (SELECT average FROM load_average WHERE period = '15m') AS load_15m, t.local_timezone AS local_timezone FROM system_info AS si LEFT JOIN memory_info AS mi LEFT JOIN platform_info AS pi LEFT JOIN time AS t; 58 | - query_name: hubble_log_file 59 | query: SELECT t.unix_time AS query_time, f.path AS object_path, f.uid AS user_id, f.gid AS group_id, u.username AS user, g.groupname AS 'group', f.mode AS file_acl, f.size AS file_size, f.block_size AS blocks_size, m.path AS mount_path, max(length(m.path)) AS mount_path_length, m.blocks_free, m.inodes_free, m.type AS type, (m.blocks_size*m.blocks_free) AS bytes_free, (m.blocks_size*m.blocks) AS total_bytes, round((1-(m.blocks_free*1.0/m.blocks))*100,2) AS percentage_utilized FROM file AS f JOIN mounts AS m ON (m.type!='rootfs' AND instr(f.path, m.path)=1) LEFT JOIN 
users AS u ON u.uid=f.uid LEFT JOIN groups AS g ON g.gid=f.gid, time AS t WHERE f.path='/var/log/hubble' GROUP BY f.path; 60 | - query_name: profile_version 61 | query: SELECT t.unix_time AS query_time, '2019-05-2' AS version FROM time AS t; 62 | - query_name: pci_devices 63 | query: SELECT t.unix_time AS query_time, pi.pci_slot AS pci_slot, pi.pci_class AS pci_class, pi.driver AS driver, pi.vendor AS vendor, pi.vendor_id AS vendor_id, pi.model AS model, pi.model_id AS model_id FROM pci_devices AS pi LEFT JOIN time AS t WHERE pi.driver <> ''; 64 | -------------------------------------------------------------------------------- /hubblestack_nebula/hubblestack_nebula_win_queries.yaml: -------------------------------------------------------------------------------- 1 | fifteen_min: 2 | - query_name: win_running_procs 3 | query: SELECT t.unix_time AS query_time, p.name AS process, p.pid AS process_id, p.cmdline, p.cwd, p.on_disk, p.resident_size AS mem_used, p.parent, pp.name AS parent_process, p.path, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256 FROM processes AS p LEFT JOIN processes AS pp ON p.parent=pp.pid LEFT JOIN time AS t LEFT JOIN hash AS h ON p.path=h.path; 4 | - query_name: win_established_outbound 5 | query: SELECT t.unix_time AS query_time, pos.state AS connection_state, CASE pos.family WHEN 2 THEN 'ipv4' WHEN 10 THEN 'ipv6' ELSE pos.family END AS family, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256, h.directory AS directory, pos.local_address AS src_connection_ip, pos.local_port AS src_connection_port, pos.remote_port AS dest_connection_port, pos.remote_address AS dest_connection_ip, p.name AS name, p.pid AS pid, p.parent AS parent_pid, pp.name AS parent_process, p.path AS file_path, f.size AS file_size, p.cmdline AS cmdline, u.uid AS uid, u.username AS username, CASE pos.protocol WHEN 6 THEN 'tcp' WHEN 17 THEN 'udp' ELSE pos.protocol END AS transport FROM process_open_sockets AS pos JOIN processes AS p ON p.pid=pos.pid LEFT JOIN processes AS pp 
ON p.parent=pp.pid LEFT JOIN users AS u ON p.uid=u.uid LEFT JOIN time AS t LEFT JOIN hash AS h ON h.path=p.path LEFT JOIN file AS f ON f.path=p.path WHERE NOT pos.remote_address='' AND NOT pos.remote_address='::' AND NOT pos.remote_address='::1' AND NOT pos.remote_address='0.0.0.0' AND NOT pos.remote_address='127.0.0.1' AND (pos.local_port,pos.protocol) NOT IN (SELECT lp.port, lp.protocol FROM listening_ports AS lp); 6 | - query_name: win_listening_procs 7 | query: SELECT t.unix_time AS query_time, h.md5 AS md5, p.pid AS process_id, p.name AS process, ltrim(address, ':f') AS address, port AS dest_port, p.path AS file_path, p.cmdline, p.on_disk, p.root, p.parent, pp.name AS parent_process, CASE lp.protocol WHEN 6 THEN 'tcp' WHEN 17 THEN 'udp' ELSE lp.protocol END AS transport FROM listening_ports AS lp LEFT JOIN processes AS p ON lp.pid=p.pid LEFT JOIN processes AS pp ON p.parent=pp.pid LEFT JOIN time AS t LEFT JOIN hash AS h ON h.path=p.path; 8 | hour: 9 | - query_name: win_drivers 10 | query: SELECT t.unix_time AS query_time, d.*, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256 FROM drivers AS d LEFT JOIN time AS t LEFT JOIN hash AS h ON h.path = d.image; 11 | day: 12 | - query_name: win_os_info 13 | query: SELECT t.unix_time AS query_time, os.* FROM os_version AS os LEFT JOIN time AS t; 14 | - query_name: win_interface_addresses 15 | query: SELECT t.unix_time AS query_time, ia.interface, ia.address, id.mac FROM interface_addresses AS ia JOIN interface_details AS id ON ia.interface=id.interface LEFT JOIN time AS t WHERE NOT ia.interface='lo'; 16 | - query_name: win_uptime 17 | query: SELECT t.unix_time AS query_time, total_seconds AS uptime FROM uptime LEFT JOIN time AS t; 18 | - query_name: win_system_info 19 | query: SELECT t.unix_time AS query_time, si.uuid, si.cpu_type, si.cpu_subtype, si.cpu_brand, si.cpu_physical_cores, si.cpu_logical_cores, si.hardware_vendor, si.hardware_serial, si.hardware_model, (SELECT value FROM cpuid WHERE feature = 'hypervisor') AS 
virtual_machine, t.local_timezone AS local_timezone FROM system_info AS si, time AS t; 20 | - query_name: win_programs 21 | query: SELECT t.unix_time AS query_time, p.* FROM programs AS p LEFT JOIN time AS t; 22 | - query_name: profile_version 23 | query: SELECT t.unix_time AS query_time, '2019-05-2' AS version FROM time AS t; 24 | -------------------------------------------------------------------------------- /hubblestack_nebula/top.nebula: -------------------------------------------------------------------------------- 1 | nebula: 2 | '*': 3 | - hubblestack_nebula_queries 4 | -------------------------------------------------------------------------------- /hubblestack_nebula/win_top.nebula: -------------------------------------------------------------------------------- 1 | nebula: 2 | '*': 3 | - hubblestack_nebula_win_queries 4 | -------------------------------------------------------------------------------- /hubblestack_nebula_v2/hubblestack_nebula_queries.yaml: -------------------------------------------------------------------------------- 1 | fifteen_min: 2 | running_procs: 3 | query: SELECT t.unix_time AS query_time, p.name AS process, p.pid AS process_id, p.pgroup AS process_group, p.state AS process_state, p.cmdline, p.cwd, p.on_disk, p.resident_size AS mem_used, p.user_time, p.system_time, (SELECT strftime('%s','now')-ut.total_seconds+p.start_time FROM uptime AS ut) AS process_start_time, pn.cgroup_namespace, pn.ipc_namespace, pn.mnt_namespace, pn.net_namespace, pn.pid_namespace, pn.user_namespace, pn.uts_namespace, p.parent AS parent_process_id, pp.name AS parent_process, g.groupname AS 'group', g.gid AS group_id, u.username AS user, u.uid AS user_id, eu.username AS effective_username, eg.groupname AS effective_groupname, p.path, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256, '__JSONIFY__'||(SELECT json_group_array(json_object('fd',pof.fd, 'path',pof.path)) FROM process_open_files AS pof WHERE pof.pid=p.pid GROUP BY pof.pid) AS open_files, 
'__JSONIFY__'||(SELECT json_group_array(json_object('variable_name',pe.key, 'value',pe.value)) FROM process_envs AS pe WHERE pe.pid=p.pid GROUP BY pe.pid) AS environment FROM processes AS p LEFT JOIN processes AS pp ON p.parent=pp.pid LEFT JOIN process_namespaces AS pn ON pn.pid=p.pid LEFT JOIN users AS u ON p.uid=u.uid LEFT JOIN users AS eu ON p.euid=eu.uid LEFT JOIN groups AS g ON p.gid=g.gid LEFT JOIN groups AS eg ON p.gid=eg.gid LEFT JOIN hash AS h ON p.path=h.path LEFT JOIN time AS t WHERE p.parent IS NOT 2 AND (process NOTNULL OR p.parent NOTNULL); 4 | established_outbound: 5 | query: SELECT t.unix_time AS query_time, pos.state AS connection_state, CASE pos.family WHEN 2 THEN 'ipv4' WHEN 10 THEN 'ipv6' ELSE pos.family END AS family, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256, h.directory AS directory, pos.local_address AS src_connection_ip, pos.local_port AS src_connection_port, pos.remote_port AS dest_connection_port, pos.remote_address AS dest_connection_ip, p.name AS process, p.pid AS process_id, p.parent AS parent_process_id, pp.name AS parent_process, p.path AS file_path, f.size AS file_size, p.cmdline AS cmdline, u.uid AS user_id, u.username AS user, CASE pos.protocol WHEN 6 THEN 'tcp' WHEN 17 THEN 'udp' ELSE pos.protocol END AS transport, pn.cgroup_namespace, pn.ipc_namespace, pn.mnt_namespace, pn.net_namespace, pn.pid_namespace, pn.user_namespace, pn.uts_namespace FROM process_open_sockets AS pos JOIN processes AS p ON p.pid=pos.pid LEFT JOIN process_namespaces AS pn ON pn.pid=p.pid LEFT JOIN processes AS pp ON p.parent=pp.pid LEFT JOIN users AS u ON p.uid=u.uid LEFT JOIN time AS t LEFT JOIN hash AS h ON h.path=p.path LEFT JOIN file AS f ON f.path=p.path WHERE NOT pos.remote_address='' AND NOT pos.remote_address='::' AND NOT pos.remote_address='::1' AND NOT pos.remote_address='0.0.0.0' AND NOT pos.remote_address='127.0.0.1' AND (pos.local_port,pos.protocol) NOT IN (SELECT lp.port, lp.protocol FROM listening_ports AS lp); 6 | listening_procs: 7 | 
query: SELECT t.unix_time AS query_time, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256, lp.pid AS process_id, p.pgroup AS process_group, p.name AS process, (SELECT strftime('%s','now')-ut.total_seconds+p.start_time FROM uptime AS ut) AS process_start_time, CASE lp.family WHEN 2 THEN 'ipv4' WHEN 10 THEN 'ipv6' ELSE lp.family END AS family, lp.address AS address, lp.port AS dest_port, p.path AS file_path, p.cwd, p.cmdline, p.on_disk, p.root, u.username AS user, u.uid AS user_id, g.groupname AS 'group', g.gid AS group_id, p.parent AS parent_process_id, pp.name AS parent_process, CASE lp.protocol WHEN 6 THEN 'tcp' WHEN 17 THEN 'udp' ELSE lp.protocol END AS transport, pn.cgroup_namespace, pn.ipc_namespace, pn.mnt_namespace, pn.net_namespace, pn.pid_namespace, pn.user_namespace, pn.uts_namespace FROM listening_ports AS lp LEFT JOIN processes AS p ON lp.pid=p.pid LEFT JOIN process_namespaces AS pn ON pn.pid=p.pid LEFT JOIN processes AS pp ON p.parent=pp.pid LEFT JOIN users AS u ON p.uid=u.uid LEFT JOIN groups AS g ON p.gid=g.gid LEFT JOIN time AS t LEFT JOIN hash AS h ON h.path=p.path WHERE NOT lp.family=1; 8 | shell_history: 9 | query: SELECT t.unix_time AS query_time, uid, gid, username AS user, groupname AS 'group', command, time, history_file FROM users JOIN groups USING (gid) JOIN shell_history USING (uid) LEFT JOIN time AS t WHERE time > strftime('%s', 'now', '-16 minutes'); 10 | docker_running_procs: 11 | query: SELECT t.unix_time AS query_time, dc.id AS container_id, dc.name AS container_name, dc.image AS image_name, dc.image_id AS image_id, dc.command AS container_command, dc.created AS container_start_time, dc.state AS container_state, dc.status AS status, dcproc.pid AS process_id, dcproc.parent AS parent_process_id, pp.name AS parent_process, dcproc.pgroup AS process_group, dcproc.threads, dcproc.name AS process, dcproc.cmdline, dcproc.state AS process_state, p.path AS file_path, pn.cgroup_namespace, pn.ipc_namespace, pn.mnt_namespace, pn.net_namespace, 
pn.pid_namespace, pn.user_namespace, pn.uts_namespace, dcproc.uid AS user_id, dcproc.user AS user, dcproc.gid AS group_id, dcproc.euid AS effective_userid, dcproc.egid AS effective_groupid, dcproc.resident_size AS mem_used, (SELECT strftime('%s','now')-u.total_seconds+dcproc.start_time FROM uptime AS u) AS process_start_time, dcproc.time AS total_cpu_time, '__JSONIFY__'||(SELECT json_group_array(json_object('fd',pof.fd, 'path',pof.path)) FROM process_open_files AS pof WHERE pof.pid=dcproc.pid GROUP BY pof.pid) AS open_files, '__JSONIFY__'||(SELECT json_group_array(json_object('variable_name',pe.key, 'value',pe.value)) FROM process_envs AS pe WHERE pe.pid=dcproc.pid GROUP BY pe.pid) AS environment FROM docker_containers AS dc JOIN docker_container_processes AS dcproc USING (id) LEFT JOIN process_namespaces AS pn ON pn.pid=dcproc.pid LEFT JOIN processes AS pp ON pp.pid=dcproc.parent LEFT JOIN processes AS p ON p.pid=dcproc.pid LEFT JOIN time AS t; 12 | hour: 13 | crontab: 14 | query: SELECT t.unix_time AS query_time, c.event, c.minute, c.hour, c.day_of_month, c.month, c.day_of_week, c.command, c.path AS cron_file FROM crontab AS c JOIN time AS t; 15 | login_history: 16 | query: SELECT t.unix_time AS query_time, l.username AS user, l.tty, l.pid, l.type AS utmp_type, CASE l.type WHEN 1 THEN 'RUN_LVL' WHEN 2 THEN 'BOOT_TIME' WHEN 3 THEN 'NEW_TIME' WHEN 4 THEN 'OLD_TIME' WHEN 5 THEN 'INIT_PROCESS' WHEN 6 THEN 'LOGIN_PROCESS' WHEN 7 THEN 'USER_PROCESS' WHEN 8 THEN 'DEAD_PROCESS' ELSE l.type END AS utmp_type_name, l.host AS src, l.time FROM last AS l LEFT JOIN time AS t WHERE (l.time > strftime('%s','now') - 3660) AND NOT (l.type=8 AND l.tty=''); 17 | docker_running_containers: 18 | query: SELECT t.unix_time AS query_time, dc.id AS container_id, dc.name AS container_name, dc.image AS image_name, di.created AS image_created_time, di.size_bytes AS image_size, di.tags AS image_tags, dc.image_id AS image_id, dc.command AS container_command, dc.created AS container_start_time, 
dc.state AS container_state, dc.privileged, dc.status AS status, '__JSONIFY__'||(SELECT json_group_array(json_object('key',dcl.key, 'value',dcl.value)) FROM docker_container_labels AS dcl WHERE dcl.id=dc.id GROUP BY dcl.id) AS container_labels, '__JSONIFY__'||(SELECT json_group_array(json_object('mount_type',dcm.type, 'mount_name',dcm.name, 'mount_host_path',dcm.source, 'mount_container_path',dcm.destination, 'mount_driver',dcm.driver, 'mount_mode',dcm.mode, 'mount_rw',dcm.rw, 'mount_progpagation',dcm.propagation)) FROM docker_container_mounts AS dcm WHERE dcm.id=dc.id GROUP BY dcm.id) AS container_mounts, '__JSONIFY__'||(SELECT json_group_array(json_object('port_type',dcport.type, 'port',dcport.port, 'host_ip',dcport.host_ip, 'host_port',dcport.host_port)) FROM docker_container_ports AS dcport WHERE dcport.id=dc.id GROUP BY dcport.id) AS container_ports, '__JSONIFY__'||(SELECT json_group_array(json_object('network_name',dcnet.name, 'network_id',dcnet.network_id, 'endpoint_id',dcnet.endpoint_id, 'gateway',dcnet.gateway, 'container_ip',dcnet.ip_address, 'container_ip_prefix_len',dcnet.ip_prefix_len, 'ipv6_gateway',dcnet.ipv6_gateway, 'container_ipv6_address',dcnet.ipv6_address, 'container_ipv6_prefix_len',dcnet.ipv6_prefix_len, 'container_mac_address',dcnet.mac_address)) FROM docker_container_networks AS dcnet WHERE dcnet.id=dc.id GROUP BY dcnet.id) AS container_networks FROM docker_containers AS dc JOIN docker_images AS di ON di.id=dc.image_id LEFT JOIN time AS t; 19 | nameservers: 20 | query: SELECT t.unix_time AS query_time, '__JSONIFY__'||json_group_array(dr.address) AS nameservers FROM dns_resolvers AS dr, time AS t WHERE dr.type = 'nameserver'; 21 | suid_binaries: 22 | query: SELECT t.unix_time AS query_time, sb.username AS user, sb.groupname AS 'group', sb.permissions, sb.path, f.uid, f.gid, f.mode AS file_acl, f.mtime AS file_modify_time, f.ctime AS file_create_time, f.type AS file_type, f.filename AS filename, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS 
sha256 FROM suid_bin AS sb JOIN time AS t LEFT JOIN hash AS h ON sb.path=h.path LEFT JOIN file AS f ON sb.path=f.path; 23 | more_suid_binaries: 24 | query: SELECT t.unix_time AS query_time, f.path, u.username AS user, g.groupname AS 'group', f.uid, f.gid, f.mode AS file_acl, f.mtime AS file_modify_time, f.ctime AS file_create_time, f.type AS file_type, f.filename AS filename, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256 FROM users AS u JOIN file AS f ON u.uid=f.uid LEFT JOIN groups AS g ON g.gid=f.gid LEFT JOIN hash AS h ON h.path=f.path LEFT JOIN time AS t WHERE (f.directory LIKE '/root%%' OR f.directory LIKE '/usr/libexec%%' OR f.directory LIKE '/var/tmp%%' OR f.directory LIKE '/dev%%') AND (substr(f.mode,1,1) IN ('2','4','6') AND f.type='regular'); 25 | ssh_public_keys: 26 | query: SELECT t.unix_time AS query_time, u.username AS user, ak.uid, ak.key AS ssh_public_key, ak.key_file AS object_path, g.gid, g.groupname AS 'group', f.mode AS file_acl, f.size AS file_size, f.atime AS file_access_time, f.mtime AS file_modify_time, f.ctime AS file_change_time, f.uid AS file_uid, f.gid AS file_gid, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256 FROM users AS u JOIN authorized_keys AS ak ON u.uid=ak.uid LEFT JOIN groups AS g ON u.gid=g.gid LEFT JOIN file AS f ON ak.key_file=f.path LEFT JOIN hash AS h ON ak.key_file=h.path LEFT JOIN time AS t; 27 | ssh_key_files: 28 | query: SELECT t.unix_time AS query_time, u.username AS user, usk.uid, g.groupname AS 'group', f.gid, usk.path AS file_path, usk.encrypted, f.mode AS file_acl, f.size AS file_size, f.atime AS file_access_time, f.mtime AS file_modify_time, f.ctime AS file_change_time, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256 FROM users AS u JOIN user_ssh_keys AS usk ON u.uid=usk.uid LEFT JOIN hash AS h ON h.path=usk.path LEFT JOIN file AS f ON f.path=usk.path LEFT JOIN groups AS g ON g.gid=f.gid LEFT JOIN time AS t; 29 | local_user_accounts: 30 | query: SELECT t.unix_time AS query_time, u.uid AS user_id, u.username 
AS user, u.description AS name, u.gid AS group_id, g.groupname AS 'group', (SELECT group_concat(gs.groupname) FROM user_groups AS ugs LEFT JOIN groups AS gs ON gs.gid=ugs.gid WHERE u.uid=ugs.uid GROUP BY ugs.uid) AS all_groups, (SELECT group_concat(gs.gid) FROM user_groups AS ugs LEFT JOIN groups AS gs ON gs.gid=ugs.gid WHERE u.uid=ugs.uid GROUP BY ugs.uid) AS all_group_ids, u.shell AS shell_path, sf.mode AS shell_acl, sf.inode AS shell_inode, sf.uid AS shell_user_id, sf.gid AS shell_group_id, sf.device AS shell_device, sf.size AS shell_size, sf.atime AS shell_access_time, sf.mtime AS shell_modify_time, sf.ctime AS shell_change_time, sf.hard_links AS shell_hard_links, sh.md5 AS shell_md5, sh.sha1 AS shell_sha1, sh.sha256 AS shell_sha256, u.directory AS home_path, hf.mode AS home_acl, hf.inode AS home_inode, hf.uid AS home_user_id, hf.gid AS home_group_id, hf.device AS home_device, hf.atime AS home_access_time, hf.mtime AS home_modify_time, hf.ctime AS home_change_time, hf.hard_links AS home_hard_links FROM users AS u LEFT JOIN groups AS g ON u.gid=g.gid LEFT JOIN file AS sf ON sf.path=u.shell LEFT JOIN file AS hf ON hf.path=u.directory LEFT JOIN hash AS sh ON sh.path=u.shell LEFT JOIN time AS t; 31 | etc_hosts: 32 | query: SELECT t.unix_time AS query_time, '__JSONIFY__'||(SELECT json_group_array(json_object('address',eh.address, 'hostnames',eh.hostnames)) FROM etc_hosts AS eh) AS etc_hosts FROM time AS t; 33 | day: 34 | rpm_packages: 35 | query: SELECT t.unix_time AS query_time, rpm.name, rpm.version, rpm.release, rpm.source AS package_source, rpm.size, rpm.sha1, rpm.arch FROM rpm_packages AS rpm JOIN time AS t; 36 | deb_packages: 37 | query: SELECT t.unix_time AS query_time, deb.name, deb.version, deb.revision, deb.source AS package_source, deb.size, deb.arch FROM deb_packages AS deb JOIN time AS t; 38 | os_info: 39 | query: SELECT t.unix_time AS query_time, os.* FROM os_version AS os LEFT JOIN time AS t; 40 | interface_addresses: 41 | query: SELECT t.unix_time AS 
query_time, ia.interface, ia.address, id.mac, (SELECT filename FROM file WHERE directory='/sys/class/net/' AND inode = (SELECT inode FROM file WHERE path='/sys/class/net/'||id.interface||'/brport/bridge')) AS bridge, id.pci_slot AS pci_device_id FROM interface_addresses AS ia JOIN interface_details AS id ON ia.interface=id.interface LEFT JOIN time AS t WHERE NOT ia.interface='lo'; 42 | routes: 43 | query: SELECT DISTINCT t.unix_time AS query_time, r.destination AS route_destination, r.netmask AS route_netmask, r.gateway, r.source AS source_ip, r.flags AS route_flags, r.interface AS interface, r.metric AS route_metric, r.type AS route_type FROM routes AS r LEFT JOIN time AS t WHERE NOT ((type='broadcast' OR type='other') AND interface='lo'); 44 | uptime: 45 | query: SELECT t.unix_time AS query_time, total_seconds AS uptime, strftime('%s','now')-u.total_seconds AS system_start_time FROM uptime AS u LEFT JOIN time AS t; 46 | mounts: 47 | query: SELECT t.unix_time AS query_time, m.* FROM mounts AS m LEFT JOIN time AS t; 48 | iptables_rules: 49 | query: SELECT DISTINCT t.unix_time AS query_time, ipt.filter_name, ipt.chain, ipt.policy FROM iptables AS ipt LEFT JOIN time AS t WHERE ipt.policy<>''; 50 | sysctl: 51 | query: SELECT t.unix_time AS query_time, sc.* FROM system_controls AS sc LEFT JOIN time AS t; 52 | kernel_info: 53 | query: SELECT t.unix_time AS query_time, ki.version, ki.arguments AS boot_arguments, ki.device AS boot_device, CASE WHEN ki.path<>'' THEN ki.path ELSE 'NOT_AVAILABLE' END AS boot_image, CASE WHEN ki.path<>'' THEN '/boot/'||ltrim(ki.path,'/boot/') ELSE '/boot/vmlinuz-'||ki.version END AS file_path, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256, f.filename AS file_name, f.inode, f.uid, u.username AS user, f.gid, g.groupname AS 'group', f.mode AS file_acl, f.size AS file_size, f.atime AS file_access_time, f.mtime AS file_modify_time, f.ctime AS file_change_time, f.hard_links, f.type AS file_type FROM kernel_info AS ki LEFT JOIN hash AS h ON 
h.path=file_path LEFT JOIN file AS f ON f.path=file_path LEFT JOIN users AS u ON u.uid=f.uid LEFT JOIN groups AS g ON g.gid=f.gid LEFT JOIN time AS t; 54 | docker_info: 55 | query: SELECT t.unix_time AS query_time, di.id AS docker_id, di.storage_driver AS storage_driver, di.logging_driver AS logging_driver, di.cgroup_driver AS cgroup_driver, di.server_version AS docker_version, di.root_dir AS root_dir FROM docker_info AS di LEFT JOIN time AS t; 56 | system_info: 57 | query: SELECT t.unix_time AS query_time, si.uuid, si.cpu_type, si.cpu_subtype, si.cpu_brand, si.cpu_physical_cores, si.cpu_logical_cores, si.hardware_vendor, si.hardware_serial, si.hardware_model, (SELECT value FROM cpuid WHERE feature = 'hypervisor') AS virtual_machine, mi.memory_total, mi.memory_free, mi.swap_total, mi.swap_free, pi.vendor AS bios_vendor, pi.version AS bios_version, pi.date AS bios_date, pi.revision AS bios_revision, (SELECT average FROM load_average WHERE period = '1m') AS load_1m, (SELECT average FROM load_average WHERE period = '5m') AS load_5m, (SELECT average FROM load_average WHERE period = '15m') AS load_15m, t.local_timezone AS local_timezone FROM system_info AS si LEFT JOIN memory_info AS mi LEFT JOIN platform_info AS pi LEFT JOIN time AS t; 58 | hubble_log_file: 59 | query: SELECT t.unix_time AS query_time, f.path AS object_path, f.uid AS user_id, f.gid AS group_id, u.username AS user, g.groupname AS 'group', f.mode AS file_acl, f.size AS file_size, f.block_size AS blocks_size, m.path AS mount_path, max(length(m.path)) AS mount_path_length, m.blocks_free, m.inodes_free, m.type AS type, (m.blocks_size*m.blocks_free) AS bytes_free, (m.blocks_size*m.blocks) AS total_bytes, round((1-(m.blocks_free*1.0/m.blocks))*100,2) AS percentage_utilized FROM file AS f JOIN mounts AS m ON (m.type!='rootfs' AND instr(f.path, m.path)=1) LEFT JOIN users AS u ON u.uid=f.uid LEFT JOIN groups AS g ON g.gid=f.gid, time AS t WHERE f.path='/var/log/hubble' GROUP BY f.path; 60 | profile_version: 61 | 
query: SELECT t.unix_time AS query_time, '2019-08-3' AS version FROM time AS t; 62 | pci_devices: 63 | query: SELECT t.unix_time AS query_time, pi.pci_slot AS pci_slot, pi.pci_class AS pci_class, pi.driver AS driver, pi.vendor AS vendor, pi.vendor_id AS vendor_id, pi.model AS model, pi.model_id AS model_id FROM pci_devices AS pi LEFT JOIN time AS t WHERE pi.driver <> ''; 64 | -------------------------------------------------------------------------------- /hubblestack_nebula_v2/hubblestack_nebula_win_queries.yaml: -------------------------------------------------------------------------------- 1 | fifteen_min: 2 | win_running_procs: 3 | query: SELECT t.unix_time AS query_time, p.name AS process, p.pid AS process_id, p.cmdline, p.cwd, p.on_disk, p.resident_size AS mem_used, p.parent, pp.name AS parent_process, p.path, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256 FROM processes AS p LEFT JOIN processes AS pp ON p.parent=pp.pid LEFT JOIN time AS t LEFT JOIN hash AS h ON p.path=h.path; 4 | win_established_outbound: 5 | query: SELECT t.unix_time AS query_time, pos.state AS connection_state, pos.family AS family, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256, h.directory AS directory, pos.local_address AS src_connection_ip, pos.local_port AS src_connection_port, pos.remote_port AS dest_connection_port, pos.remote_address AS dest_connection_ip, p.name AS name, p.path AS file_path, p.pid AS pid, p.parent AS parent_pid, pp.name AS parent_process,p.cmdline AS cmdline, CASE pos.protocol WHEN 6 THEN 'tcp' WHEN 17 THEN 'udp' ELSE pos.protocol END AS transport FROM process_open_sockets AS pos JOIN processes AS p ON p.pid=pos.pid LEFT JOIN processes AS pp ON p.parent=pp.pid LEFT JOIN time AS t LEFT JOIN (SELECT * FROM listening_ports) AS lp ON lp.port=pos.local_port AND lp.protocol=pos.protocol LEFT JOIN hash AS h ON h.path=p.path WHERE NOT pos.remote_address='' AND NOT pos.remote_address='::' AND NOT pos.remote_address='::1' AND NOT pos.remote_address='0.0.0.0' AND NOT 
pos.remote_address='127.0.0.1' AND port IS NULL; 6 | win_listening_procs: 7 | query: SELECT t.unix_time AS query_time, h.md5 AS md5, p.pid AS process_id, p.name AS process, ltrim(address, ':f') AS address, port AS dest_port, p.path AS file_path, p.cmdline, p.on_disk, p.root, p.parent, pp.name AS parent_process, CASE lp.protocol WHEN 6 THEN 'tcp' WHEN 17 THEN 'udp' ELSE lp.protocol END AS transport FROM listening_ports AS lp LEFT JOIN processes AS p ON lp.pid=p.pid LEFT JOIN processes AS pp ON p.parent=pp.pid LEFT JOIN time AS t LEFT JOIN hash AS h ON h.path=p.path; 8 | hour: 9 | win_drivers: 10 | query: SELECT t.unix_time AS query_time, d.*, h.md5 AS md5, h.sha1 AS sha1, h.sha256 AS sha256 FROM drivers AS d LEFT JOIN time AS t LEFT JOIN hash AS h ON h.path = d.image; 11 | day: 12 | win_os_info: 13 | query: SELECT t.unix_time AS query_time, os.* FROM os_version AS os LEFT JOIN time AS t; 14 | win_interface_addresses: 15 | query: SELECT t.unix_time AS query_time, ia.interface, ia.address, id.mac FROM interface_addresses AS ia JOIN interface_details AS id ON ia.interface=id.interface LEFT JOIN time AS t WHERE NOT ia.interface='lo'; 16 | win_uptime: 17 | query: SELECT t.unix_time AS query_time, total_seconds AS uptime FROM uptime LEFT JOIN time AS t; 18 | win_system_info: 19 | query: SELECT t.unix_time AS query_time, si.uuid, si.cpu_type, si.cpu_subtype, si.cpu_brand, si.cpu_physical_cores, si.cpu_logical_cores, si.hardware_vendor, si.hardware_serial, si.hardware_model, (SELECT value FROM cpuid WHERE feature = 'hypervisor') AS virtual_machine, pi.vendor AS bios_vendor, pi.version AS bios_version, pi.date AS bios_date, pi.revision AS bios_revision, t.local_timezone AS local_timezone FROM system_info AS si LEFT JOIN platform_info AS pi LEFT JOIN time AS t; 20 | win_programs: 21 | query: SELECT t.unix_time AS query_time, p.* FROM programs AS p LEFT JOIN time AS t; 22 | profile_version: 23 | query: SELECT t.unix_time AS query_time, '2019-05-2' AS version FROM time AS t; 24 
| -------------------------------------------------------------------------------- /hubblestack_nebula_v2/mask.yaml: -------------------------------------------------------------------------------- 1 | # Sample masking for documentation. Please see nebula_osquery.py for more 2 | # documentation 3 | # 4 | # Pattern that will replace whatever is masked 5 | mask_with: '***masked*by*hubble***' 6 | 7 | # Target and mask strings based on regex patterns 8 | # Can limit the search to specific queries and columns 9 | #blacklisted_strings: 10 | # - query_name: 'running_procs' # Name of the osquery to be masked. 11 | # # Put '*' to match all queries. Note 12 | # # that query_name doesn't support 13 | # # full globbing. '*' is just given 14 | # # special treatment. 15 | # column: 'command_line' # Column name in the osquery to be masked. No regex or glob support; must match the column name exactly as the query emits it 16 | # # See below for documentation of these blacklisted patterns 17 | # blacklisted_patterns: 18 | # - '(prefix)(password)(suffix)' 19 | 20 | # Some osquery results are formed as lists of dicts. We can mask 21 | # based on variable names within these dicts. 22 | #blacklisted_objects: 23 | # 24 | # - query_name: 'running_procs' # Name of the osquery to be masked. 25 | # # Put '*' to match all queries. Note 26 | # # that query_name doesn't support 27 | # # full globbing. '*' is just given 28 | # # special treatment. 29 | # column: 'environment' # Column name in the osquery to be masked. No regex or glob support 30 | # attribute_to_check: 'variable_name' # In the inner dict, this is the key 31 | # # to check for blacklisted_patterns 32 | # attributes_to_mask: # Values under these keys in the dict will be 33 | # - 'value' # masked, assuming one of the blacklisted_patterns 34 | # # is found under attribute_to_check in the same dict 35 | # blacklisted_patterns: # Strings to look for under attribute_to_check. No regex support. 
36 | # - 'ETCDCTL_READ_PASSWORD' 37 | # - 'ETCDCTL_WRITE_PASSWORD' 38 | -------------------------------------------------------------------------------- /hubblestack_nebula_v2/top.mask: -------------------------------------------------------------------------------- 1 | nebula: 2 | - '*': 3 | - mask 4 | -------------------------------------------------------------------------------- /hubblestack_nebula_v2/top.nebula: -------------------------------------------------------------------------------- 1 | nebula: 2 | - '*': 3 | - hubblestack_nebula_queries 4 | -------------------------------------------------------------------------------- /hubblestack_nebula_v2/top_v2.mask: -------------------------------------------------------------------------------- 1 | nebula: 2 | - '*': 3 | - mask 4 | -------------------------------------------------------------------------------- /hubblestack_nebula_v2/win_top.nebula: -------------------------------------------------------------------------------- 1 | nebula: 2 | - '*': 3 | - hubblestack_nebula_win_queries 4 | -------------------------------------------------------------------------------- /hubblestack_nova_profiles/cis/centos-6-level-1-scored-v1-0-0.yaml: -------------------------------------------------------------------------------- 1 | # NOTE: This CIS Profile only includes Level 1 Scored Items for CentOS 6. 2 | # NOTE: Within this file, there are a few sections that should be tailored to your 3 | # organization's specific policy. Search for '# NOTE: ' comments through the file. 
4 | 5 | # TODO: Checks that aren't implemented yet: 6 | # 1.1.17 7 | # 1.2.1 8 | # 1.5.4 9 | # 1.5.5 10 | # 2.1.12-18 11 | # 3.2 12 | # 3.3 13 | # 3.16 14 | # 4.1.2 15 | # 4.1.4 16 | # 5.7 17 | # 6.1.2 18 | # 6.1.10 19 | # 6.3.1 20 | # 6.3.2 21 | # 7.2 22 | # 7.3 23 | # 7.5 24 | # 8.2 25 | # 9.1.11 26 | # 9.1.12 27 | # 9.2.1 28 | # 9.2.5-19 29 | 30 | 31 | pkg: 32 | blacklist: 33 | 34 | telnet-client: 35 | data: 36 | 'CentOS-6': 37 | - 'telnet': 'CIS-2.1.2' 38 | description: 'Remove telnet Clients' 39 | 40 | telnet-server: 41 | data: 42 | 'CentOS-6': 43 | - 'telnet-server': 'CIS-2.1.1' 44 | description: 'Remove telnet-server' 45 | 46 | rsh-client: 47 | data: 48 | 'CentOS-6': 49 | - 'rsh': 'CIS-2.1.4' 50 | description: 'Remove rsh' 51 | 52 | rsh-server: 53 | data: 54 | 'CentOS-6': 55 | - 'rsh-server': 'CIS-2.1.3' 56 | description: 'Remove rsh-server' 57 | 58 | nis-client: 59 | data: 60 | 'CentOS-6': 61 | - 'ypbind': 'CIS-2.1.5' 62 | description: 'Remove NIS Client' 63 | 64 | nis-server: 65 | data: 66 | 'CentOS-6': 67 | - 'ypserv': 'CIS-2.1.6' 68 | description: 'Remove NIS Server' 69 | 70 | tftp-client: 71 | data: 72 | 'CentOS-6': 73 | - 'tftp': 'CIS-2.1.7' 74 | description: 'Remove tftp' 75 | 76 | tftp-server: 77 | data: 78 | 'CentOS-6': 79 | - 'tftp-server': 'CIS-2.1.8' 80 | description: 'Remove tftp-server' 81 | 82 | talk-client: 83 | data: 84 | 'CentOS-6': 85 | - 'talk': 'CIS-2.1.9' 86 | description: 'Remove talk' 87 | 88 | talk-server: 89 | data: 90 | 'CentOS-6': 91 | - 'talk-server': 'CIS-2.1.10' 92 | description: 'Remove talk-server' 93 | 94 | dhcp: 95 | data: 96 | 'CentOS-6': 97 | - 'dhcp': 'CIS-3.5' 98 | description: 'Remove DHCP Server' 99 | 100 | whitelist: 101 | 102 | rsyslog: 103 | data: 104 | 'CentOS-6': 105 | - 'rsyslog': 'CIS-4.1.1' 106 | description: 'Install the rsyslog package' 107 | 108 | anacron: 109 | data: 110 | 'CentOS-6': 111 | - 'cronie-anacron': 'CIS-6.1.1' 112 | description: 'Enable anacron Daemon' 113 | 114 | 115 | 116 | stat: 117 | 
grub_conf_own: 118 | data: 119 | 'CentOS-6': 120 | - '/etc/grub.conf': 121 | tag: 'CIS-1.5.1' 122 | user: 'root' 123 | uid: 0 124 | group: 'root' 125 | gid: 0 126 | description: 'Set User/Group Owner on /etc/grub.conf' 127 | 128 | grub_conf_perm: 129 | data: 130 | 'CentOS-6': 131 | - '/etc/grub.conf': 132 | tag: 'CIS-1.5.2' 133 | mode: 600 134 | description: 'Set Permissions on /etc/grub.conf' 135 | 136 | hosts_allow: 137 | data: 138 | 'CentOS-6': 139 | - '/etc/hosts.allow': 140 | tag: 'CIS-5.5.3' 141 | mode: 644 142 | description: 'Verify Permissions on /etc/hosts.allow' 143 | 144 | hosts_deny: 145 | data: 146 | 'CentOS-6': 147 | - '/etc/hosts.deny': 148 | tag: 'CIS-5.5.5' 149 | mode: 644 150 | description: 'Verify Permissions on /etc/hosts.deny' 151 | 152 | anacrontab: 153 | data: 154 | 'CentOS-6': 155 | - '/etc/anacrontab': 156 | tag: 'CIS-6.1.3' 157 | mode: 600 158 | user: 'root' 159 | uid: 0 160 | group: 'root' 161 | gid: 0 162 | description: 'Set User/Group Owner and Permission on /etc/anacrontab' 163 | 164 | crontab: 165 | data: 166 | 'CentOS-6': 167 | - '/etc/crontab': 168 | tag: 'CIS-6.1.4' 169 | mode: 600 170 | user: 'root' 171 | uid: 0 172 | group: 'root' 173 | gid: 0 174 | description: 'Set User/Group Owner and Permission on /etc/crontab' 175 | 176 | cron_hourly: 177 | data: 178 | 'CentOS-6': 179 | - '/etc/cron.hourly': 180 | tag: 'CIS-6.1.5' 181 | mode: 700 182 | user: 'root' 183 | uid: 0 184 | group: 'root' 185 | gid: 0 186 | description: 'Set User/Group Owner and Permission on /etc/cron.hourly' 187 | 188 | cron_daily: 189 | data: 190 | 'CentOS-6': 191 | - '/etc/cron.daily': 192 | tag: 'CIS-6.1.6' 193 | mode: 700 194 | user: 'root' 195 | uid: 0 196 | group: 'root' 197 | gid: 0 198 | description: 'Set User/Group Owner and Permission on /etc/cron.daily' 199 | 200 | cron_weekly: 201 | data: 202 | 'CentOS-6': 203 | - '/etc/cron.weekly': 204 | tag: 'CIS-6.1.7' 205 | mode: 700 206 | user: 'root' 207 | uid: 0 208 | group: 'root' 209 | gid: 0 210 | 
description: 'Set User/Group Owner and Permission on /etc/cron.weekly' 211 | 212 | cron_monthly: 213 | data: 214 | 'CentOS-6': 215 | - '/etc/cron.monthly': 216 | tag: 'CIS-6.1.8' 217 | mode: 700 218 | user: 'root' 219 | uid: 0 220 | group: 'root' 221 | gid: 0 222 | description: 'Set User/Group Owner and Permission on /etc/cron.monthly' 223 | 224 | cron_d: 225 | data: 226 | 'CentOS-6': 227 | - '/etc/cron.d': 228 | tag: 'CIS-6.1.9' 229 | mode: 700 230 | user: 'root' 231 | uid: 0 232 | group: 'root' 233 | gid: 0 234 | description: 'Set User/Group Owner and Permission on /etc/cron.d' 235 | 236 | at_cron_allow: 237 | data: 238 | 'CentOS-6': 239 | - '/etc/cron.deny': 240 | tag: 'CIS-6.1.11' 241 | mode: null 242 | user: null 243 | uid: null 244 | group: null 245 | gid: null 246 | - '/etc/at.deny': 247 | tag: 'CIS-6.1.11' 248 | mode: null 249 | user: null 250 | uid: null 251 | group: null 252 | gid: null 253 | - '/etc/cron.allow': 254 | tag: 'CIS-6.1.11' 255 | mode: 600 256 | user: 'root' 257 | uid: 0 258 | group: 'root' 259 | gid: 0 260 | - '/etc/at.allow': 261 | tag: 'CIS-6.1.11' 262 | mode: 600 263 | user: 'root' 264 | uid: 0 265 | group: 'root' 266 | gid: 0 267 | description: 'Restrict at/cron to Authorized Users' 268 | 269 | sshd_config: 270 | data: 271 | 'CentOS-6': 272 | - '/etc/ssh/sshd_config': 273 | tag: 'CIS-6.2.3' 274 | mode: 600 275 | user: 'root' 276 | uid: 0 277 | group: 'root' 278 | gid: 0 279 | description: 'Set Permissions on /etc/ssh/sshd_config' 280 | 281 | warning_banner: 282 | data: 283 | 'CentOS-6': 284 | - '/etc/motd': 285 | tag: 'CIS-8.1' 286 | mode: 644 287 | user: 'root' 288 | uid: 0 289 | group: 'root' 290 | gid: 0 291 | - '/etc/issue': 292 | tag: 'CIS-8.1' 293 | mode: 644 294 | user: 'root' 295 | uid: 0 296 | group: 'root' 297 | gid: 0 298 | - '/etc/issue.net': 299 | tag: 'CIS-8.1' 300 | mode: 644 301 | user: 'root' 302 | uid: 0 303 | group: 'root' 304 | gid: 0 305 | description: 'Set Warning Banner for Standard Login Services' 306 | 307 | 
passwd_perm: 308 | data: 309 | 'CentOS-6': 310 | - '/etc/passwd': 311 | tag: 'CIS-9.1.2' 312 | mode: 644 313 | description: 'Verify Permissions on /etc/passwd' 314 | 315 | passwd_own: 316 | data: 317 | 'CentOS-6': 318 | - '/etc/passwd': 319 | tag: 'CIS-9.1.6' 320 | user: 'root' 321 | uid: 0 322 | group: 'root' 323 | gid: 0 324 | description: 'Verify User/Group Ownership on /etc/passwd' 325 | 326 | shadow_perm: 327 | data: 328 | 'CentOS-6': 329 | - '/etc/shadow': 330 | tag: 'CIS-9.1.3' 331 | mode: 0 332 | description: 'Verify Permissions on /etc/shadow' 333 | 334 | shadow_own: 335 | data: 336 | 'CentOS-6': 337 | - '/etc/shadow': 338 | tag: 'CIS-9.1.7' 339 | user: 'root' 340 | uid: 0 341 | group: 'root' 342 | gid: 0 343 | description: 'Verify User/Group Ownership on /etc/shadow' 344 | 345 | gshadow_perm: 346 | data: 347 | 'CentOS-6': 348 | - '/etc/gshadow': 349 | tag: 'CIS-9.1.4' 350 | mode: 0 351 | description: 'Verify Permissions on /etc/gshadow' 352 | 353 | gshadow_own: 354 | data: 355 | 'CentOS-6': 356 | - '/etc/gshadow': 357 | tag: 'CIS-9.1.8' 358 | user: 'root' 359 | uid: 0 360 | group: 'root' 361 | gid: 0 362 | description: 'Verify User/Group Ownership on /etc/gshadow' 363 | 364 | group_perm: 365 | data: 366 | 'CentOS-6': 367 | - '/etc/group': 368 | tag: 'CIS-9.1.5' 369 | mode: 644 370 | description: 'Verify Permissions on /etc/group' 371 | 372 | group_own: 373 | data: 374 | 'CentOS-6': 375 | - '/etc/group': 376 | tag: 'CIS-9.1.9' 377 | user: 'root' 378 | uid: 0 379 | group: 'root' 380 | gid: 0 381 | description: 'Verify User/Group Ownership on /etc/group' 382 | 383 | 384 | 385 | sysctl: 386 | bad_error_message_protection: 387 | data: 388 | CentOS-6: 389 | - net.ipv4.icmp_ignore_bogus_error_responses: 390 | match_output: '1' 391 | tag: CIS-5.2.6 392 | description: Enable Bad Error Message Protection 393 | exec_shield: 394 | data: 395 | CentOS-6: 396 | - kernel.exec-shield: 397 | match_output: '1' 398 | tag: CIS-1.6.2 399 | description: Configure ExecShield 400 
| icmp_redirect_acceptance: 401 | data: 402 | CentOS-6: 403 | - net.ipv4.conf.all.accept_redirects: 404 | match_output: '0' 405 | tag: CIS-5.2.2 406 | - net.ipv4.conf.default.accept_redirects: 407 | match_output: '0' 408 | tag: CIS-5.2.2 409 | description: Disable ICMP Redirect Acceptance 410 | ignore_broadcast_requests: 411 | data: 412 | CentOS-6: 413 | - net.ipv4.icmp_echo_ignore_broadcasts: 414 | match_output: '1' 415 | tag: CIS-5.2.5 416 | description: Enable Ignore Broadcast Requests 417 | ip_forwarding: 418 | data: 419 | CentOS-6: 420 | - net.ipv4.ip_forward: 421 | match_output: '0' 422 | tag: CIS-5.1.1 423 | description: Disable IP Forwarding 424 | log_suspicious_packets: 425 | data: 426 | CentOS-6: 427 | - net.ipv4.conf.all.log_martians: 428 | match_output: '1' 429 | tag: CIS-5.2.4 430 | - net.ipv4.conf.default.log_martians: 431 | match_output: '1' 432 | tag: CIS-5.2.4 433 | description: Log Suspicious Packets 434 | randomize_va_space: 435 | data: 436 | CentOS-6: 437 | - kernel.randomize_va_space: 438 | match_output: '2' 439 | tag: CIS-1.6.3 440 | description: Enable Randomized Virtual Memory Region Placement 441 | send_packet_redirect: 442 | data: 443 | CentOS-6: 444 | - net.ipv4.conf.all.send_redirects: 445 | match_output: '0' 446 | tag: CIS-5.1.2 447 | - net.ipv4.conf.default.send_redirects: 448 | match_output: '0' 449 | tag: CIS-5.1.2 450 | description: Disable Send Packet Redirects 451 | source_routed_packet_acceptance: 452 | data: 453 | CentOS-6: 454 | - net.ipv4.conf.all.accept_source_route: 455 | match_output: '0' 456 | tag: CIS-5.2.1 457 | - net.ipv4.conf.default.accept_source_route: 458 | match_output: '0' 459 | tag: CIS-5.2.1 460 | description: Disable Source Routed Packet Acceptance 461 | tcp_syn_cookies: 462 | data: 463 | CentOS-6: 464 | - net.ipv4.tcp_syncookies: 465 | match_output: '1' 466 | tag: CIS-5.2.8 467 | description: Enable TCP SYN Cookies 468 | 469 | 470 | grep: 471 | whitelist: 472 | 473 | mounts_tmp_partition: 474 | data: 475 | 
CentOS-6: 476 | - '/proc/mounts': 477 | tag: 'CIS-1.1.1' 478 | pattern: '/tmp' 479 | description: 'Create Separate Partition for /tmp' 480 | 481 | mounts_tmp_partition_nodev: 482 | data: 483 | CentOS-6: 484 | - '/proc/mounts': 485 | tag: 'CIS-1.1.2' 486 | pattern: '/tmp' 487 | match_output: 'nodev' 488 | description: 'Set nodev option for /tmp Partition' 489 | 490 | mounts_tmp_partition_nosuid: 491 | data: 492 | CentOS-6: 493 | - '/proc/mounts': 494 | tag: 'CIS-1.1.3' 495 | pattern: '/tmp' 496 | match_output: 'nosuid' 497 | description: 'Set nosuid option for /tmp Partition' 498 | 499 | mounts_tmp_partition_noexec: 500 | data: 501 | CentOS-6: 502 | - '/proc/mounts': 503 | tag: 'CIS-1.1.4' 504 | pattern: '/tmp' 505 | match_output: 'noexec' 506 | description: 'Set noexec option for /tmp Partition' 507 | 508 | mounts_var_partition: 509 | data: 510 | CentOS-6: 511 | - '/proc/mounts': 512 | tag: 'CIS-1.1.5' 513 | pattern: '/var' 514 | description: 'Create Separate Partition for /var' 515 | 516 | fstab_var_tmp_bind_mount: 517 | data: 518 | CentOS-6: 519 | - '/etc/fstab': 520 | tag: 'CIS-1.1.6' 521 | pattern: '/tmp' 522 | match_output: '/var/tmp' 523 | description: 'Bind Mount the /var/tmp directory to /tmp' 524 | 525 | mounts_var_log_partition: 526 | data: 527 | CentOS-6: 528 | - '/proc/mounts': 529 | tag: 'CIS-1.1.7' 530 | pattern: '/var/log' 531 | description: 'Create Separate Partition for /var/log' 532 | 533 | mounts_var_log_audit_partition: 534 | data: 535 | CentOS-6: 536 | - '/proc/mounts': 537 | tag: 'CIS-1.1.8' 538 | pattern: '/var/log/audit' 539 | description: 'Create Separate Partition for /var/log/audit' 540 | 541 | mounts_home_partition: 542 | data: 543 | CentOS-6: 544 | - '/proc/mounts': 545 | tag: 'CIS-1.1.9' 546 | pattern: '/home' 547 | description: 'Create Separate Partition for /home' 548 | 549 | mounts_home_partition_nodev: 550 | data: 551 | CentOS-6: 552 | - '/proc/mounts': 553 | tag: 'CIS-1.1.10' 554 | pattern: '/home' 555 | match_output: 'nodev' 556 
| description: 'Add nodev Option to /home' 557 | 558 | mounts_dev_shm_partition_nodev: 559 | data: 560 | CentOS-6: 561 | - '/proc/mounts': 562 | tag: 'CIS-1.1.14' 563 | pattern: '/dev/shm' 564 | match_output: 'nodev' 565 | description: 'Add nodev Option to /dev/shm Partition' 566 | 567 | mounts_dev_shm_partition_nosuid: 568 | data: 569 | CentOS-6: 570 | - '/proc/mounts': 571 | tag: 'CIS-1.1.15' 572 | pattern: '/dev/shm' 573 | match_output: 'nosuid' 574 | description: 'Add nosuid Option to /dev/shm Partition' 575 | 576 | mounts_dev_shm_partition_noexec: 577 | data: 578 | CentOS-6: 579 | - '/proc/mounts': 580 | tag: 'CIS-1.1.16' 581 | pattern: '/dev/shm' 582 | match_output: 'noexec' 583 | description: 'Add noexec Option to /dev/shm Partition' 584 | 585 | activate_gpg_check: 586 | data: 587 | CentOS-6: 588 | - '/etc/yum.conf': 589 | tag: 'CIS-1.2.2' 590 | pattern: 'gpgcheck' 591 | match_output: 'gpgcheck=1' 592 | description: 'Verify that gpgcheck is Globally Activated' 593 | 594 | boot_loader_passwd: 595 | data: 596 | 'CentOS-6': 597 | - '/etc/grub.conf': 598 | tag: 'CIS-1.5.3' 599 | pattern: '^password' 600 | description: 'Set Boot Loader Password' 601 | 602 | restrict_core_dumps: 603 | data: 604 | 'CentOS-6': 605 | - '/etc/security/limits.conf': 606 | tag: 'CIS-1.6.1' 607 | pattern: 'hard core' 608 | description: 'Restrict Core Dumps' 609 | 610 | set_daemon_umask: 611 | data: 612 | 'CentOS-6': 613 | - '/etc/sysconfig/init': 614 | tag: 'CIS-3.1' 615 | pattern: 'umask' 616 | match_output: 'umask 027' 617 | description: 'Set Daemon umask' 618 | 619 | configure_ntp: 620 | data: 621 | 'CentOS-6': 622 | - '/etc/ntp.conf': 623 | tag: 'CIS-3.6' 624 | pattern: 'restrict default' 625 | - '/etc/ntp.conf': 626 | tag: 'CIS-3.6' 627 | pattern: 'restrict -6 default' 628 | - '/etc/ntp.conf': 629 | tag: 'CIS-3.6' 630 | pattern: '^server' 631 | - '/etc/sysconfig/ntpd': 632 | tag: 'CIS-3.6' 633 | pattern: 'ntp:ntp' 634 | description: 'Configure Network Time Protocol (NTP)' 635 | 636 
| rsyslog_remote_logging: 637 | data: 638 | 'CentOS-6': 639 | - '/etc/rsyslog.conf': 640 | tag: 'CIS-4.1.5' 641 | pattern: "^*.*[^I][^I]*@" 642 | description: 'Configure rsyslog to Send Logs to a Remote Log Host' 643 | 644 | sshd_protocol_2: 645 | data: 646 | 'CentOS-6': 647 | - '/etc/ssh/sshd_config': 648 | tag: 'CIS-6.2.1' 649 | pattern: "^Protocol" 650 | match_output: 'Protocol 2' 651 | description: 'Set SSH Protocol to 2' 652 | 653 | sshd_loglevel_info: 654 | data: 655 | 'CentOS-6': 656 | - '/etc/ssh/sshd_config': 657 | tag: 'CIS-6.2.2' 658 | pattern: "^LogLevel" 659 | match_output: 'LogLevel INFO' 660 | description: 'Set LogLevel to INFO' 661 | 662 | sshd_x11_forwarding: 663 | data: 664 | 'CentOS-6': 665 | - '/etc/ssh/sshd_config': 666 | tag: 'CIS-6.2.4' 667 | pattern: "^X11Forwarding" 668 | match_output: 'X11Forwarding no' 669 | description: 'Disable SSH X11 Forwarding' 670 | 671 | # NOTE: Need to update this entry to reflect your organization's password policy 672 | sshd_max_auth_retries: 673 | data: 674 | 'CentOS-6': 675 | - '/etc/ssh/sshd_config': 676 | tag: 'CIS-6.2.5' 677 | pattern: "^MaxAuthTries" 678 | match_output_regex: True 679 | match_output: "^MaxAuthTries +[1-4]$" 680 | description: 'Set SSH MaxAuthTries to 4 or Less' 681 | 682 | sshd_ignore_rhosts: 683 | data: 684 | 'CentOS-6': 685 | - '/etc/ssh/sshd_config': 686 | tag: 'CIS-6.2.6' 687 | pattern: "^IgnoreRhosts" 688 | match_output: "IgnoreRhosts yes" 689 | description: 'Set SSH IgnoreRhosts to Yes' 690 | 691 | sshd_hostbased_auth: 692 | data: 693 | 'CentOS-6': 694 | - '/etc/ssh/sshd_config': 695 | tag: 'CIS-6.2.7' 696 | pattern: "^HostbasedAuthentication" 697 | match_output: "HostbasedAuthentication no" 698 | description: 'Set SSH HostbasedAuthentication to No' 699 | 700 | sshd_disable_root_login: 701 | data: 702 | 'CentOS-6': 703 | - '/etc/ssh/sshd_config': 704 | tag: 'CIS-6.2.8' 705 | pattern: "^PermitRootLogin" 706 | match_output: "PermitRootLogin no" 707 | description: 'Disable SSH Root 
Login' 708 | 709 | sshd_permit_empty_passwords: 710 | data: 711 | 'CentOS-6': 712 | - '/etc/ssh/sshd_config': 713 | tag: 'CIS-6.2.9' 714 | pattern: "^PermitEmptyPasswords" 715 | match_output: "PermitEmptyPasswords no" 716 | description: 'Set SSH PermitEmptyPasswords to No' 717 | 718 | sshd_permit_user_environment: 719 | data: 720 | 'CentOS-6': 721 | - '/etc/ssh/sshd_config': 722 | tag: 'CIS-6.2.10' 723 | pattern: "^PermitUserEnvironment" 724 | match_output: "PermitUserEnvironment no" 725 | description: 'Do Not Allow Users to Set Environment Options' 726 | 727 | sshd_approved_cipher: 728 | data: 729 | 'CentOS-6': 730 | - '/etc/ssh/sshd_config': 731 | tag: 'CIS-6.2.11' 732 | pattern: "Ciphers" 733 | match_output: "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$" 734 | match_output_regex: True 735 | description: 'Use Only Approved Cipher in Counter Mode' 736 | 737 | sshd_idle_timeout: 738 | data: 739 | 'CentOS-6': 740 | - '/etc/ssh/sshd_config': 741 | tag: 'CIS-6.2.12' 742 | pattern: "^ClientAliveInterval" 743 | match_output: ^ClientAliveInterval +([1-2]{0,1}\d{1,2}|300)$ 744 | match_output_regex: True 745 | - '/etc/ssh/sshd_config': 746 | tag: 'CIS-6.2.12' 747 | pattern: "^ClientAliveCountMax" 748 | match_output: "^ClientAliveCountMax +[0-3]$" 749 | match_output_regex: True 750 | description: 'Set Idle Timeout Interval for User Login' 751 | 752 | sshd_limit_access: 753 | data: 754 | 'CentOS-6': 755 | - '/etc/ssh/sshd_config': 756 | tag: 'CIS-6.2.13' 757 | pattern: '(^AllowUsers)|(^AllowGroups)|(^DenyUsers)|(^DenyGroups)' 758 | grep_args: 759 | - '-E' 760 | description: 'Limit Access via SSH' 761 | 762 | sshd_banner: 763 | data: 764 | 'CentOS-6': 765 | - '/etc/ssh/sshd_config': 766 | tag: 'CIS-6.2.14' 767 | pattern: "^Banner" 768 | description: 'Set SSH Banner' 
769 | 770 | # NOTE: Need to update this entry to reflect your organization's password policy 771 | limit_password_reuse: 772 | data: 773 | 'CentOS-6': 774 | - '/etc/pam.d/system-auth': 775 | tag: 'CIS-6.3.4' 776 | pattern: "pam_unix.so" 777 | match_output: "remember=5" # number of passwords to remember 778 | description: 'Limit Password Reuse' 779 | 780 | limit_su_command_access: 781 | data: 782 | 'CentOS-6': 783 | - '/etc/pam.d/su': 784 | tag: 'CIS-6.5' 785 | pattern: "pam_wheel.so" 786 | match_output: "use_uid" 787 | - '/etc/group': 788 | tag: 'CIS-6.5' 789 | pattern: "wheel" 790 | description: 'Restrict Access to the su Command' 791 | 792 | # NOTE: Need to update this entry to reflect your organization's password policy 793 | passwd_expiration_days: 794 | data: 795 | 'CentOS-6': 796 | - '/etc/login.defs': 797 | tag: 'CIS-7.1.1' 798 | pattern: "PASS_MAX_DAYS" 799 | match_output: "90" 800 | description: 'Set Password Expiration Days' 801 | 802 | # NOTE: Need to update this entry to reflect your organization's password policy 803 | passwd_change_min_days: 804 | data: 805 | 'CentOS-6': 806 | - '/etc/login.defs': 807 | tag: 'CIS-7.1.2' 808 | pattern: "PASS_MIN_DAYS" 809 | match_output: "7" 810 | description: 'Set Password Change Minimum Number of Days' 811 | 812 | # NOTE: Need to update this entry to reflect your organization's password policy 813 | passwd_expiry_warning: 814 | data: 815 | 'CentOS-6': 816 | - '/etc/login.defs': 817 | tag: 'CIS-7.1.3' 818 | pattern: "PASS_WARN_AGE" 819 | match_output: "7" 820 | description: 'Set Password Expiring Warning Days' 821 | 822 | default_umask: 823 | data: 824 | 'CentOS-6': 825 | - '/etc/bashrc': 826 | tag: 'CIS-7.4' 827 | pattern: "^umask 077" 828 | - '/etc/profile': 829 | tag: 'CIS-7.4' 830 | pattern: "^umask 077" 831 | description: 'Set Default umask for Users' 832 | 833 | blacklist: 834 | legacy_passwd_entries_passwd: 835 | data: 836 | 'CentOS-6': 837 | - '/etc/passwd': 838 | tag: 'CIS-9.2.2' 839 | pattern: "^+:" 840 | 
description: 'Verify No Legacy "+" Entries Exist in /etc/passwd File' 841 | 842 | legacy_passwd_entries_shadow: 843 | data: 844 | 'CentOS-6': 845 | - '/etc/shadow': 846 | tag: 'CIS-9.2.3' 847 | pattern: "^+:" 848 | description: 'Verify No Legacy "+" Entries Exist in /etc/shadow File' 849 | 850 | legacy_passwd_entries_group: 851 | data: 852 | 'CentOS-6': 853 | - '/etc/group': 854 | tag: 'CIS-9.2.4' 855 | pattern: "^+:" 856 | description: 'Verify No Legacy "+" Entries Exist in /etc/group File' 857 | -------------------------------------------------------------------------------- /hubblestack_nova_profiles/cis/centos-7-level-1-scored-v1-0-0.yaml: -------------------------------------------------------------------------------- 1 | # NOTE: This CIS Profile only includes Level 1 Scored Items for CentOS7. 2 | # NOTE: Within this file, there are a few sections that should be tailored to your 3 | # organization's specific policy. Search for '# NOTE: ' comments through the file. 4 | 5 | # TODO: Checks that aren't implemented yet: 6 | # 1.1.17 7 | # 1.2.1 8 | # 2.1.12-18 9 | # 3.16 10 | # 5.1.4 11 | # 6.1.10 12 | # 6.3.1 13 | # 6.3.2 14 | # 7.2 15 | # 7.3 16 | # 7.5 17 | # 8.2 18 | # 9.1.11 19 | # 9.1.12 20 | # 9.2.1 21 | # 9.2.5-20 22 | 23 | 24 | grep: 25 | blacklist: 26 | legacy_passwd_entries_group: 27 | data: 28 | CentOS Linux-7: 29 | - /etc/group: 30 | pattern: '^+:' 31 | tag: CIS-9.2.4 32 | description: Verify No Legacy "+" Entries Exist in /etc/group File 33 | legacy_passwd_entries_passwd: 34 | data: 35 | CentOS Linux-7: 36 | - /etc/passwd: 37 | pattern: '^+:' 38 | tag: CIS-9.2.2 39 | description: Verify No Legacy "+" Entries Exist in /etc/passwd File 40 | legacy_passwd_entries_shadow: 41 | data: 42 | CentOS Linux-7: 43 | - /etc/shadow: 44 | pattern: '^+:' 45 | tag: CIS-9.2.3 46 | description: Verify No Legacy "+" Entries Exist in /etc/shadow File 47 | whitelist: 48 | activate_gpg_check: 49 | data: 50 | CentOS Linux-7: 51 | - /etc/yum.conf: 52 | match_output: 
gpgcheck=1 53 | pattern: gpgcheck 54 | tag: CIS-1.2.2 55 | description: Verify that gpgcheck is Globally Activated 56 | boot_loader_passwd: 57 | data: 58 | CentOS Linux-7: 59 | - /boot/grub2/grub.cfg: 60 | pattern: ^password 61 | tag: CIS-1.5.3 62 | description: Set Boot Loader Password 63 | configure_ntp: 64 | data: 65 | CentOS Linux-7: 66 | - /etc/ntp.conf: 67 | pattern: restrict default 68 | tag: CIS-3.6 69 | - /etc/ntp.conf: 70 | pattern: restrict -6 default 71 | tag: CIS-3.6 72 | - '/etc/ntp.conf': 73 | tag: 'CIS-3.6' 74 | pattern: '^server' 75 | - '/etc/sysconfig/ntpd': 76 | tag: 'CIS-3.6' 77 | pattern: 'ntp:ntp' 78 | description: Configure Network Time Protocol (NTP) 79 | default_umask: 80 | data: 81 | CentOS Linux-7: 82 | - /etc/bashrc: 83 | pattern: ^umask 077 84 | tag: CIS-7.4 85 | - /etc/profile.d/*: 86 | pattern: ^umask 077 87 | tag: CIS-7.4 88 | description: Set Default umask for Users 89 | mounts_dev_shm_partition_nodev: 90 | data: 91 | CentOS Linux-7: 92 | - /proc/mounts: 93 | match_output: nodev 94 | pattern: /dev/shm 95 | tag: CIS-1.1.14 96 | description: Add nodev Option to /dev/shm Partition 97 | mounts_dev_shm_partition_noexec: 98 | data: 99 | CentOS Linux-7: 100 | - /proc/mounts: 101 | match_output: noexec 102 | pattern: /dev/shm 103 | tag: CIS-1.1.16 104 | description: Add noexec Option to /dev/shm Partition 105 | mounts_dev_shm_partition_nosuid: 106 | data: 107 | CentOS Linux-7: 108 | - /proc/mounts: 109 | match_output: nosuid 110 | pattern: /dev/shm 111 | tag: CIS-1.1.15 112 | description: Add nosuid Option to /dev/shm Partition 113 | mounts_home_partition: 114 | data: 115 | CentOS Linux-7: 116 | - /proc/mounts: 117 | pattern: /home 118 | tag: CIS-1.1.9 119 | description: Create Separate Partition for /home 120 | mounts_home_partition_nodev: 121 | data: 122 | CentOS Linux-7: 123 | - /proc/mounts: 124 | match_output: nodev 125 | pattern: /home 126 | tag: CIS-1.1.10 127 | description: Add nodev Option to /home 128 | mounts_tmp_partition: 129 | 
data: 130 | CentOS Linux-7: 131 | - /proc/mounts: 132 | pattern: /tmp 133 | tag: CIS-1.1.1 134 | description: Create Separate Partition for /tmp 135 | mounts_tmp_partition_nodev: 136 | data: 137 | CentOS Linux-7: 138 | - /proc/mounts: 139 | match_output: nodev 140 | pattern: /tmp 141 | tag: CIS-1.1.2 142 | description: Set nodev option for /tmp Partition 143 | mounts_tmp_partition_noexec: 144 | data: 145 | CentOS Linux-7: 146 | - /proc/mounts: 147 | match_output: noexec 148 | pattern: /tmp 149 | tag: CIS-1.1.4 150 | description: Set noexec option for /tmp Partition 151 | mounts_tmp_partition_nosuid: 152 | data: 153 | CentOS Linux-7: 154 | - /proc/mounts: 155 | match_output: nosuid 156 | pattern: /tmp 157 | tag: CIS-1.1.3 158 | description: Set nosuid option for /tmp Partition 159 | mounts_var_log_audit_partition: 160 | data: 161 | CentOS Linux-7: 162 | - /proc/mounts: 163 | pattern: /var/log/audit 164 | tag: CIS-1.1.8 165 | description: Create Separate Partition for /var/log/audit 166 | mounts_var_log_partition: 167 | data: 168 | CentOS Linux-7: 169 | - /proc/mounts: 170 | pattern: /var/log 171 | tag: CIS-1.1.7 172 | description: Create Separate Partition for /var/log 173 | mounts_var_partition: 174 | data: 175 | CentOS Linux-7: 176 | - /proc/mounts: 177 | pattern: /var 178 | tag: CIS-1.1.5 179 | description: Create Separate Partition for /var 180 | fstab_var_tmp_bind_mount: 181 | data: 182 | CentOS Linux-7: 183 | - /etc/fstab: 184 | match_output: /var/tmp 185 | pattern: /tmp 186 | tag: CIS-1.1.6 187 | description: Bind Mount the /var/tmp directory to /tmp 188 | limit_password_reuse: 189 | data: 190 | CentOS Linux-7: 191 | - /etc/pam.d/system-auth: 192 | match_output: remember=5 193 | pattern: pam_unix.so 194 | tag: CIS-6.3.4 195 | description: Limit Password Reuse 196 | limit_su_command_access: 197 | data: 198 | CentOS Linux-7: 199 | - /etc/pam.d/su: 200 | match_output: use_uid 201 | pattern: pam_wheel.so 202 | tag: CIS-6.5 203 | - /etc/group: 204 | pattern: wheel 
205 | tag: CIS-6.5 206 | description: Restrict Access to the su Command 207 | passwd_change_min_days: 208 | data: 209 | CentOS Linux-7: 210 | - /etc/login.defs: 211 | match_output: '7' 212 | pattern: PASS_MIN_DAYS 213 | tag: CIS-7.1.2 214 | description: Set Password Change Minimum Number of Days 215 | passwd_expiration_days: 216 | data: 217 | CentOS Linux-7: 218 | - /etc/login.defs: 219 | match_output: '90' 220 | pattern: PASS_MAX_DAYS 221 | tag: CIS-7.1.1 222 | description: Set Password Expiration Days 223 | passwd_expiry_warning: 224 | data: 225 | CentOS Linux-7: 226 | - /etc/login.defs: 227 | match_output: '7' 228 | pattern: PASS_WARN_AGE 229 | tag: CIS-7.1.3 230 | description: Set Password Expiring Warning Days 231 | restrict_core_dumps: 232 | data: 233 | CentOS Linux-7: 234 | - /etc/security/limits.conf: 235 | pattern: hard core 236 | tag: CIS-1.6.1 237 | description: Restrict Core Dumps 238 | rsyslog_remote_logging: 239 | data: 240 | CentOS Linux-7: 241 | - /etc/rsyslog.conf: 242 | pattern: ^*.*[^I][^I]*@ 243 | tag: CIS-5.1.5 244 | description: Configure rsyslog to Send Logs to a Remote Log Host 245 | set_daemon_umask: 246 | data: 247 | CentOS Linux-7: 248 | - /etc/sysconfig/init: 249 | match_output: umask 027 250 | pattern: umask 251 | tag: CIS-3.1 252 | description: Set Daemon umask 253 | sshd_approved_cipher: 254 | data: 255 | CentOS Linux-7: 256 | - /etc/ssh/sshd_config: 257 | match_output: '^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$' 258 | match_output_regex: True 259 | pattern: Ciphers 260 | tag: CIS-6.2.11 261 | description: Use Only Approved Cipher in Counter Mode 262 | sshd_banner: 263 | data: 264 | CentOS Linux-7: 265 | - /etc/ssh/sshd_config: 266 | pattern: ^Banner 267 | tag: CIS-6.2.14 268 | description: Set SSH Banner 269 | 
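sshd_disable_root_login:
  data:
    CentOS Linux-7:
      - /etc/ssh/sshd_config:
          match_output: PermitRootLogin no
          pattern: ^PermitRootLogin
          tag: CIS-6.2.8
  description: Disable SSH Root Login
sshd_hostbased_auth:
  data:
    CentOS Linux-7:
      - /etc/ssh/sshd_config:
          match_output: HostbasedAuthentication no
          pattern: ^HostbasedAuthentication
          tag: CIS-6.2.7
  description: Set SSH HostbasedAuthentication to No
sshd_idle_timeout:
  data:
    CentOS Linux-7:
      - /etc/ssh/sshd_config:
          # NOTE: ClientAliveInterval 0 turns keep-alive probing off entirely, so the
          # accepted range is 1-300 seconds. The previous expression
          # ([1-2]{0,1}\d{1,2}|300) also matched 0, i.e. a disabled idle timeout.
          match_output: ^ClientAliveInterval +([1-9]|[1-9]\d|[1-2]\d\d|300)$
          match_output_regex: True
          pattern: ^ClientAliveInterval
          tag: CIS-6.2.12
      - /etc/ssh/sshd_config:
          # 0 stays allowed here: on OpenSSH releases before 8.2 a count of 0 drops
          # the session at the first missed probe rather than disabling the check
          # (confirm against the sshd version in use).
          match_output: "^ClientAliveCountMax +[0-3]$"
          match_output_regex: True
          pattern: ^ClientAliveCountMax
          tag: CIS-6.2.12
  description: Set Idle Timeout Interval for User Login
sshd_ignore_rhosts:
  data:
    CentOS Linux-7:
      - /etc/ssh/sshd_config:
          match_output: IgnoreRhosts yes
          pattern: ^IgnoreRhosts
          tag: CIS-6.2.6
  description: Set SSH IgnoreRhosts to Yes
sshd_limit_access:
  data:
    CentOS Linux-7:
      # NOTE(review): the benchmark needs only one of these four directives. The
      # CentOS-6 profile greps a single '-E' alternation; this profile lists four
      # separate entries, so if the grep module requires every entry to match, a
      # host that sets only AllowGroups fails this check — confirm on a host.
      - /etc/ssh/sshd_config:
          pattern: ^AllowUsers
          tag: CIS-6.2.13
      - /etc/ssh/sshd_config:
          pattern: ^AllowGroups
          tag: CIS-6.2.13
      - /etc/ssh/sshd_config:
          pattern: ^DenyUsers
          tag: CIS-6.2.13
      - /etc/ssh/sshd_config:
          pattern: ^DenyGroups
          tag: CIS-6.2.13
  description: Limit Access via SSH
sshd_loglevel_info:
  data:
    CentOS Linux-7:
      - /etc/ssh/sshd_config:
          match_output: LogLevel INFO
          pattern: ^LogLevel
          tag: CIS-6.2.2
  description: Set LogLevel to INFO
sshd_max_auth_retries:
  data:
    CentOS Linux-7:
      - /etc/ssh/sshd_config:
          match_output: "^MaxAuthTries +[1-4]$"
          pattern: ^MaxAuthTries
          match_output_regex: True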
338 | tag: CIS-6.2.5 339 | description: Set SSH MaxAuthTries to 4 or Less 340 | sshd_permit_empty_passwords: 341 | data: 342 | CentOS Linux-7: 343 | - /etc/ssh/sshd_config: 344 | match_output: PermitEmptyPasswords no 345 | pattern: ^PermitEmptyPasswords 346 | tag: CIS-6.2.9 347 | description: Set SSH PermitEmptyPasswords to No 348 | sshd_permit_user_environment: 349 | data: 350 | CentOS Linux-7: 351 | - /etc/ssh/sshd_config: 352 | match_output: PermitUserEnvironment no 353 | pattern: ^PermitUserEnvironment 354 | tag: CIS-6.2.10 355 | description: Do Not Allow Users to Set Environment Options 356 | sshd_protocol_2: 357 | data: 358 | CentOS Linux-7: 359 | - /etc/ssh/sshd_config: 360 | match_output: Protocol 2 361 | pattern: ^Protocol 362 | tag: CIS-6.2.1 363 | description: Set SSH Protocol to 2 364 | sshd_x11_forwarding: 365 | data: 366 | CentOS Linux-7: 367 | - /etc/ssh/sshd_config: 368 | match_output: X11Forwarding no 369 | pattern: ^X11Forwarding 370 | tag: CIS-6.2.4 371 | description: Disable SSH X11 Forwarding 372 | pkg: 373 | blacklist: 374 | avahi-daemon: 375 | data: 376 | CentOS Linux-7: 377 | - avahi-daemon: CIS-3.3 378 | description: Disable Avahi Server 379 | dhcp: 380 | data: 381 | CentOS Linux-7: 382 | - dhcp: CIS-3.5 383 | description: Remove DHCP Server 384 | nis-client: 385 | data: 386 | CentOS Linux-7: 387 | - ypbind: CIS-2.1.5 388 | description: Remove NIS Client 389 | nis-server: 390 | data: 391 | CentOS Linux-7: 392 | - ypserv: CIS-2.1.6 393 | description: Remove NIS Server 394 | rsh-client: 395 | data: 396 | CentOS Linux-7: 397 | - rsh: CIS-2.1.4 398 | description: Remove rsh 399 | rsh-server: 400 | data: 401 | CentOS Linux-7: 402 | - rsh-server: CIS-2.1.3 403 | description: Remove rsh-server 404 | talk-client: 405 | data: 406 | CentOS Linux-7: 407 | - talk: CIS-2.1.9 408 | description: Remove talk 409 | talk-server: 410 | data: 411 | CentOS Linux-7: 412 | - talk-server: CIS-2.1.10 413 | description: Remove talk-server 414 | telnet-client: 415 | 
data: 416 | CentOS Linux-7: 417 | - telnet: CIS-2.1.2 418 | description: Remove telnet Clients 419 | telnet-server: 420 | data: 421 | CentOS Linux-7: 422 | - telnet-server: CIS-2.1.1 423 | description: Remove telnet-server 424 | tftp-client: 425 | data: 426 | CentOS Linux-7: 427 | - tftp: CIS-2.1.7 428 | description: Remove tftp 429 | tftp-server: 430 | data: 431 | CentOS Linux-7: 432 | - tftp-server: CIS-2.1.8 433 | description: Remove tftp-server 434 | xorg-x11-server-common: 435 | data: 436 | CentOS Linux-7: 437 | - xorg-x11-server-common: CIS-3.2 438 | description: Remove the X Window System 439 | whitelist: 440 | anacron: 441 | data: 442 | CentOS Linux-7: 443 | - cronie-anacron: CIS-6.1.1 444 | description: Enable anacron Daemon 445 | firewalld: 446 | data: 447 | CentOS Linux-7: 448 | - firewalld: CIS-4.7 449 | description: Enable firewalld 450 | rsyslog: 451 | data: 452 | CentOS Linux-7: 453 | - rsyslog: CIS-5.1.1 454 | description: Install the rsyslog package 455 | stat: 456 | anacrontab: 457 | data: 458 | CentOS Linux-7: 459 | - /etc/anacrontab: 460 | gid: 0 461 | group: root 462 | mode: 600 463 | tag: CIS-6.1.3 464 | uid: 0 465 | user: root 466 | description: Set User/Group Owner and Permission on /etc/anacrontab 467 | at_cron_allow: 468 | data: 469 | CentOS Linux-7: 470 | - /etc/cron.deny: 471 | gid: null 472 | group: null 473 | mode: null 474 | tag: CIS-6.1.11 475 | uid: null 476 | user: null 477 | - /etc/at.deny: 478 | gid: null 479 | group: null 480 | mode: null 481 | tag: CIS-6.1.11 482 | uid: null 483 | user: null 484 | - /etc/cron.allow: 485 | gid: 0 486 | group: root 487 | mode: 600 488 | tag: CIS-6.1.11 489 | uid: 0 490 | user: root 491 | - /etc/at.allow: 492 | gid: 0 493 | group: root 494 | mode: 600 495 | tag: CIS-6.1.11 496 | uid: 0 497 | user: root 498 | description: Restrict at/cron to Authorized Users 499 | cron_d: 500 | data: 501 | CentOS Linux-7: 502 | - /etc/cron.d: 503 | gid: 0 504 | group: root 505 | mode: 700 506 | tag: CIS-6.1.9 507 | 
uid: 0 508 | user: root 509 | description: Set User/Group Owner and Permission on /etc/cron.d 510 | cron_daily: 511 | data: 512 | CentOS Linux-7: 513 | - /etc/cron.daily: 514 | gid: 0 515 | group: root 516 | mode: 700 517 | tag: CIS-6.1.6 518 | uid: 0 519 | user: root 520 | description: Set User/Group Owner and Permission on /etc/cron.daily 521 | cron_hourly: 522 | data: 523 | CentOS Linux-7: 524 | - /etc/cron.hourly: 525 | gid: 0 526 | group: root 527 | mode: 700 528 | tag: CIS-6.1.5 529 | uid: 0 530 | user: root 531 | description: Set User/Group Owner and Permission on /etc/cron.hourly 532 | cron_monthly: 533 | data: 534 | CentOS Linux-7: 535 | - /etc/cron.monthly: 536 | gid: 0 537 | group: root 538 | mode: 700 539 | tag: CIS-6.1.8 540 | uid: 0 541 | user: root 542 | description: Set User/Group Owner and Permission on /etc/cron.monthly 543 | cron_weekly: 544 | data: 545 | CentOS Linux-7: 546 | - /etc/cron.weekly: 547 | gid: 0 548 | group: root 549 | mode: 700 550 | tag: CIS-6.1.7 551 | uid: 0 552 | user: root 553 | description: Set User/Group Owner and Permission on /etc/cron.weekly 554 | crontab: 555 | data: 556 | CentOS Linux-7: 557 | - /etc/crontab: 558 | gid: 0 559 | group: root 560 | mode: 600 561 | tag: CIS-6.1.4 562 | uid: 0 563 | user: root 564 | description: Set User/Group Owner and Permission on /etc/crontab 565 | group_own: 566 | data: 567 | CentOS Linux-7: 568 | - /etc/group: 569 | gid: 0 570 | group: root 571 | tag: CIS-9.1.9 572 | uid: 0 573 | user: root 574 | description: Verify User/Group Ownership on /etc/group 575 | group_perm: 576 | data: 577 | CentOS Linux-7: 578 | - /etc/group: 579 | mode: 644 580 | tag: CIS-9.1.5 581 | description: Verify Permissions on /etc/group 582 | grub_conf_own: 583 | data: 584 | CentOS Linux-7: 585 | - /boot/grub2/grub.cfg: 586 | gid: 0 587 | group: root 588 | tag: CIS-1.5.1 589 | uid: 0 590 | user: root 591 | description: Set User/Group Owner on /boot/grub2/grub.cfg 592 | grub_conf_perm: 593 | data: 594 | CentOS 
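Linux-7:
      - /boot/grub2/grub.cfg:
          mode: 600
          tag: CIS-1.5.2
  description: Set Permissions on /boot/grub2/grub.cfg
gshadow_own:
  data:
    CentOS Linux-7:
      - /etc/gshadow:
          gid: 0
          group: root
          tag: CIS-9.1.8
          uid: 0
          user: root
  description: Verify User/Group Ownership on /etc/gshadow
gshadow_perm:
  data:
    CentOS Linux-7:
      - /etc/gshadow:
          mode: 0
          tag: CIS-9.1.4
  description: Verify Permissions on /etc/gshadow
hosts_allow:
  data:
    CentOS Linux-7:
      - /etc/hosts.allow:
          mode: 644
          tag: CIS-4.5.3
  description: Verify Permissions on /etc/hosts.allow
hosts_deny:
  data:
    CentOS Linux-7:
      - /etc/hosts.deny:
          mode: 644
          tag: CIS-4.5.5
  description: Verify Permissions on /etc/hosts.deny
passwd_own:
  data:
    CentOS Linux-7:
      - /etc/passwd:
          # 'gid: 0' was missing here while every other *_own check in this file
          # (and the CentOS-6 profile's passwd_own) pins both uid and gid; without
          # it only the group name was presumably compared. Aligned with siblings.
          gid: 0
          group: root
          tag: CIS-9.1.6
          uid: 0
          user: root
  description: Verify User/Group Ownership on /etc/passwd
passwd_perm:
  data:
    CentOS Linux-7:
      - /etc/passwd:
          mode: 644
          tag: CIS-9.1.2
  description: Verify Permissions on /etc/passwd
shadow_perm:
  data:
    CentOS Linux-7:
      - /etc/shadow:
          mode: 0
          tag: CIS-9.1.3
  description: Verify Permissions on /etc/shadow
shadow_own:
  data:
    CentOS Linux-7:
      - /etc/shadow:
          gid: 0
          group: root
          tag: CIS-9.1.7
          uid: 0
          user: root
  description: Verify User/Group Ownership on /etc/shadow
sshd_config:
  data:
    CentOS Linux-7:
      - /etc/ssh/sshd_config:
          gid: 0
          group: root
          mode: 600
          tag: CIS-6.2.3
          uid: 0
          user: root
  description: Set Permissions on /etc/ssh/sshd_config
warning_banner:
  data:
    CentOS Linux-7:
      - /etc/motd:
          gid: 0
          group: root
          mode: 644
          tag: CIS-8.1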
uid: 0 683 | user: root 684 | - /etc/issue: 685 | gid: 0 686 | group: root 687 | mode: 644 688 | tag: CIS-8.1 689 | uid: 0 690 | user: root 691 | - /etc/issue.net: 692 | gid: 0 693 | group: root 694 | mode: 644 695 | tag: CIS-8.1 696 | uid: 0 697 | user: root 698 | description: Set Warning Banner for Standard Login Services 699 | sysctl: 700 | bad_error_message_protection: 701 | data: 702 | CentOS Linux-7: 703 | - net.ipv4.icmp_ignore_bogus_error_responses: 704 | match_output: '1' 705 | tag: CIS-4.2.6 706 | description: Enable Bad Error Message Protection 707 | icmp_redirect_acceptance: 708 | data: 709 | CentOS Linux-7: 710 | - net.ipv4.conf.all.accept_redirects: 711 | match_output: '0' 712 | tag: CIS-4.2.2 713 | - net.ipv4.conf.default.accept_redirects: 714 | match_output: '0' 715 | tag: CIS-4.2.2 716 | description: Disable ICMP Redirect Acceptance 717 | ignore_broadcast_requests: 718 | data: 719 | CentOS Linux-7: 720 | - net.ipv4.icmp_echo_ignore_broadcasts: 721 | match_output: '1' 722 | tag: CIS-4.2.5 723 | description: Enable Ignore Broadcast Requests 724 | ip_forwarding: 725 | data: 726 | CentOS Linux-7: 727 | - net.ipv4.ip_forward: 728 | match_output: '0' 729 | tag: CIS-4.1.1 730 | description: Disable IP Forwarding 731 | log_suspicious_packets: 732 | data: 733 | CentOS Linux-7: 734 | - net.ipv4.conf.all.log_martians: 735 | match_output: '1' 736 | tag: CIS-4.2.4 737 | - net.ipv4.conf.default.log_martians: 738 | match_output: '1' 739 | tag: CIS-4.2.4 740 | description: Log Suspicious Packets 741 | randomize_va_space: 742 | data: 743 | CentOS Linux-7: 744 | - kernel.randomize_va_space: 745 | match_output: '2' 746 | tag: CIS-1.6.2 747 | description: Enable Randomized Virtual Memory Region Placement 748 | send_packet_redirect: 749 | data: 750 | CentOS Linux-7: 751 | - net.ipv4.conf.all.send_redirects: 752 | match_output: '0' 753 | tag: CIS-4.1.2 754 | - net.ipv4.conf.default.send_redirects: 755 | match_output: '0' 756 | tag: CIS-4.1.2 757 | description: Disable 
Send Packet Redirects 758 | source_routed_packet_acceptance: 759 | data: 760 | CentOS Linux-7: 761 | - net.ipv4.conf.all.accept_source_route: 762 | match_output: '0' 763 | tag: CIS-4.2.1 764 | - net.ipv4.conf.default.accept_source_route: 765 | match_output: '0' 766 | tag: CIS-4.2.1 767 | description: Disable Source Routed Packet Acceptance 768 | tcp_syn_cookies: 769 | data: 770 | CentOS Linux-7: 771 | - net.ipv4.tcp_syncookies: 772 | match_output: '1' 773 | tag: CIS-4.2.8 774 | description: Enable TCP SYN Cookies 775 | service: 776 | whitelist: 777 | rsyslogd_running: 778 | data: 779 | CentOS Linux-7: 780 | - rsyslog: CIS-5.1.2 781 | description: Activate the rsyslog Service 782 | crond_running: 783 | data: 784 | CentOS Linux-7: 785 | - crond: CIS-6.1.2 786 | description: Enable crond Daemon 787 | -------------------------------------------------------------------------------- /hubblestack_nova_profiles/cis/coreos-level-1.yaml: -------------------------------------------------------------------------------- 1 | grep: 2 | blacklist: 3 | banner_os_info_motd: 4 | data: 5 | '*CoreOS*': 6 | - /etc/motd: 7 | pattern: '\\\\v' 8 | tag: CIS-1.7.1.1 9 | - /etc/motd: 10 | pattern: '\\\\r' 11 | tag: CIS-1.7.1.1 12 | - /etc/motd: 13 | pattern: '\\\\m' 14 | tag: CIS-1.7.1.1 15 | - /etc/motd: 16 | pattern: '\\\\s' 17 | tag: CIS-1.7.1.1 18 | description: Ensure message of the day is configured properly 19 | ensure_local_login_warning: 20 | data: 21 | '*CoreOS*': 22 | - /etc/issue: 23 | pattern: '\\\\v' 24 | tag: CIS-1.7.1.2 25 | - /etc/issue: 26 | pattern: '\\\\r' 27 | tag: CIS-1.7.1.2 28 | - /etc/issue: 29 | pattern: '\\\\m' 30 | tag: CIS-1.7.1.2 31 | - /etc/issue: 32 | pattern: '\\\\s' 33 | tag: CIS-1.7.1.2 34 | description: Ensure local login warning banner is configured properly 35 | ensure_remote_login_warning: 36 | data: 37 | '*CoreOS*': 38 | - /etc/issue.net: 39 | pattern: '\\\\v' 40 | tag: CIS-1.7.1.3 41 | - /etc/issue.net: 42 | pattern: '\\\\r' 43 | tag: CIS-1.7.1.3 44 | 
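- /etc/issue.net:
    pattern: '\\\\m'
    tag: CIS-1.7.1.3
- /etc/issue.net:
    pattern: '\\\\s'
    tag: CIS-1.7.1.3
description: Ensure remote login warning banner is configured properly
whitelist:
  default_umask:
    data:
      '*CoreOS*':
        - /etc/bash/bashrc:
            pattern: umask
            # Was 'match_pattern', a key used nowhere else in these profiles; every
            # other value test is 'match_output'. As written the check presumably
            # passed on any 'umask' line regardless of its value.
            # NOTE: a literal '027' match also fails stricter masks such as 077.
            match_output: '027'
            tag: CIS-5.4.4
        - /etc/profile:
            pattern: umask
            match_output: '027'
            tag: CIS-5.4.4
    description: Ensure default user umask is 027 or more restrictive
  ssh_passwd_disabled:
    data:
      '*CoreOS*':
        - /etc/ssh/sshd_config:
            match_output: 'PasswordAuthentication no'
            # NOTE(review): as a plain scalar this reaches the module with two
            # backslashes ('^\\s*'); whether that is reduced to '\s' before grep
            # sees it depends on how the grep module invokes grep — confirm on a host.
            pattern: ^\\s*PasswordAuthentication
            tag: CIS-7.4
    description: Ensure password authentication is disabled in sshd_config
  sshd_approved_macs:
    data:
      '*CoreOS*':
        - /etc/ssh/sshd_config:
            # Literal, order-sensitive match, unlike sshd_approved_cipher below which
            # enumerates every ordering; the same MACs in a different order are not
            # matched.
            match_output: 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
            pattern: MACs
            tag: CIS-5.2.12
    description: Ensure only approved MAC algorithms are used
  limit_su_access:
    data:
      '*CoreOS*':
        - /etc/pam.d/su:
            pattern: pam_wheel.so
            match_output: use_uid
            tag: CIS-5.6
        - /etc/group:
            pattern: wheel
            tag: CIS-5.6
    description: Ensure access to the su command is restricted
  sshd_approved_cipher:
    data:
      '*CoreOS*':
        - /etc/ssh/sshd_config:
            match_output: '^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$'
            match_output_regex: True
            pattern: Ciphers
            tag: CIS-5.2.11
    description: Ensure only approved ciphers are used
  sshd_banner:
    data:
      '*CoreOS*':
        - /etc/ssh/sshd_config:
            pattern: ^Banner
            tag: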
CIS-5.2.16 106 | description: Ensure SSH warning banner is configured 107 | sshd_disable_root_login: 108 | data: 109 | '*CoreOS*': 110 | - /etc/ssh/sshd_config: 111 | match_output: PermitRootLogin no 112 | pattern: ^PermitRootLogin 113 | tag: CIS-5.2.8 114 | description: Ensure SSH root login is disabled 115 | sshd_hostbased_auth: 116 | data: 117 | '*CoreOS*': 118 | - /etc/ssh/sshd_config: 119 | match_output: HostbasedAuthentication no 120 | pattern: ^HostbasedAuthentication 121 | tag: CIS-5.2.7 122 | description: Ensure SSH HostbasedAuthentication is disabled 123 | sshd_gracetime: 124 | data: 125 | '*CoreOS*': 126 | - /etc/ssh/sshd_config: 127 | pattern: ^LoginGraceTime 128 | match_output: ^LoginGraceTime ([0-5]{0,1}\d|60|1m)$ 129 | match_output_regex: True 130 | tag: CIS-5.2.14 131 | description: Ensure SSH LoginGraceTime is set to one minute or less 132 | sshd_ignore_rhosts: 133 | data: 134 | '*CoreOS*': 135 | - /etc/ssh/sshd_config: 136 | match_output: IgnoreRhosts yes 137 | pattern: ^IgnoreRhosts 138 | tag: CIS-5.2.6 139 | description: Ensure SSH IgnoreRhosts is enabled 140 | sshd_limit_access: 141 | data: 142 | '*CoreOS*': 143 | - /etc/ssh/sshd_config: 144 | pattern: ^AllowUsers 145 | tag: CIS-5.2.15 146 | - /etc/ssh/sshd_config: 147 | pattern: ^AllowGroups 148 | tag: CIS-5.2.15 149 | - /etc/ssh/sshd_config: 150 | pattern: ^DenyUsers 151 | tag: CIS-5.2.15 152 | - /etc/ssh/sshd_config: 153 | pattern: ^DenyGroups 154 | tag: CIS-5.2.15 155 | description: Ensure SSH access is limited 156 | sshd_loglevel_info: 157 | data: 158 | '*CoreOS*': 159 | - /etc/ssh/sshd_config: 160 | match_output: LogLevel INFO 161 | pattern: ^LogLevel 162 | tag: CIS-5.2.3 163 | description: Ensure SSH LogLevel is set to INFO 164 | sshd_max_auth_retries: 165 | data: 166 | '*CoreOS*': 167 | - /etc/ssh/sshd_config: 168 | match_output: "^MaxAuthTries +[1-4]$" 169 | pattern: ^MaxAuthTries 170 | match_output_regex: True 171 | tag: CIS-5.2.5 172 | description: Ensure SSH MaxAuthTries is set to 4 
or less 173 | sshd_permit_empty_passwords: 174 | data: 175 | '*CoreOS*': 176 | - /etc/ssh/sshd_config: 177 | match_output: PermitEmptyPasswords no 178 | pattern: ^PermitEmptyPasswords 179 | tag: CIS-5.2.9 180 | description: Ensure SSH PermitEmptyPasswords is disabled 181 | sshd_permit_user_environment: 182 | data: 183 | '*CoreOS*': 184 | - /etc/ssh/sshd_config: 185 | match_output: PermitUserEnvironment no 186 | pattern: ^PermitUserEnvironment 187 | tag: CIS-5.2.10 188 | description: Ensure SSH PermitUserEnvironment is disabled 189 | sshd_protocol_2: 190 | data: 191 | '*CoreOS*': 192 | - /etc/ssh/sshd_config: 193 | match_output: Protocol 2 194 | pattern: ^Protocol 195 | tag: CIS-5.2.2 196 | description: Ensure SSH Protocol is set to 2 197 | sshd_x11_forwarding: 198 | data: 199 | '*CoreOS*': 200 | - /etc/ssh/sshd_config: 201 | match_output: X11Forwarding no 202 | pattern: ^X11Forwarding 203 | tag: CIS-5.2.4 204 | description: Ensure SSH X11 forwarding is disabled 205 | sysctl: 206 | bad_error_message_protection: 207 | data: 208 | '*CoreOS*': 209 | - net.ipv4.icmp_ignore_bogus_error_responses: 210 | match_output: '1' 211 | tag: CIS-3.2.6 212 | description: Ensure bogus ICMP responses are ignored 213 | disable_packet_redirect: 214 | data: 215 | '*CoreOS*': 216 | - net.ipv4.conf.all.send_redirects: 217 | match_output: '0' 218 | tag: CIS-3.1.2 219 | - net.ipv4.conf.default.send_redirects: 220 | match_output: '0' 221 | tag: CIS-3.1.2 222 | description: Ensure packet redirect sending is disabled 223 | icmp_redirect_acceptance: 224 | data: 225 | '*CoreOS*': 226 | - net.ipv4.conf.all.accept_redirects: 227 | match_output: '0' 228 | tag: CIS-3.2.2 229 | - net.ipv4.conf.default.accept_redirects: 230 | match_output: '0' 231 | tag: CIS-3.2.2 232 | description: Ensure ICMP redirects are not accepted 233 | ignore_broadcast_requests: 234 | data: 235 | '*CoreOS*': 236 | - net.ipv4.icmp_echo_ignore_broadcasts: 237 | match_output: '1' 238 | tag: CIS-3.2.5 239 | description: Ensure 
broadcast ICMP requests are ignored 240 | log_suspicious_packets: 241 | data: 242 | '*CoreOS*': 243 | - net.ipv4.conf.all.log_martians: 244 | match_output: '1' 245 | tag: CIS-3.2.4 246 | - net.ipv4.conf.default.log_martians: 247 | match_output: '1' 248 | tag: CIS-3.2.4 249 | description: Ensure suspicious packets are logged 250 | secure_icmp_redirect_acceptance: 251 | data: 252 | '*CoreOS*': 253 | - net.ipv4.conf.all.secure_redirects: 254 | match_output: '0' 255 | tag: CIS-3.2.3 256 | - net.ipv4.conf.default.secure_redirects: 257 | match_output: '0' 258 | tag: CIS-3.2.3 259 | description: Ensure secure ICMP redirects are not accepted 260 | source_routed_packet_acceptance: 261 | data: 262 | '*CoreOS*': 263 | - net.ipv4.conf.all.accept_source_route: 264 | match_output: '0' 265 | tag: CIS-3.2.1 266 | - net.ipv4.conf.default.accept_source_route: 267 | match_output: '0' 268 | tag: CIS-3.2.1 269 | description: Ensure source routed packets are not accepted 270 | tcp_syn_cookies: 271 | data: 272 | '*CoreOS*': 273 | - net.ipv4.tcp_syncookies: 274 | match_output: '1' 275 | tag: CIS-3.2.8 276 | description: Ensure TCP SYN Cookies is enabled 277 | stat: 278 | passwd_own_perm: 279 | data: 280 | '*CoreOS*': 281 | - /etc/passwd: 282 | gid: 0 283 | group: root 284 | mode: 644 285 | tag: CIS-6.1.2 286 | uid: 0 287 | user: root 288 | description: Ensure permissions on /etc/passwd are configured 289 | shadow_own_perm: 290 | data: 291 | '*CoreOS*': 292 | - /etc/shadow: 293 | gid: 0 294 | group: root 295 | mode: 000 296 | tag: CIS-6.1.3 297 | uid: 0 298 | user: root 299 | description: Ensure permissions on /etc/shadow are configured 300 | group_own_perm: 301 | data: 302 | '*CoreOS*': 303 | - /etc/group: 304 | gid: 0 305 | group: root 306 | mode: 644 307 | tag: CIS-6.1.4 308 | uid: 0 309 | user: root 310 | description: Ensure permissions on /etc/group are configured 311 | gshadow_own_perm: 312 | data: 313 | '*CoreOS*': 314 | - /etc/gshadow: 315 | gid: 0 316 | group: root 317 | mode: 000 
318 | tag: CIS-6.1.5 319 | uid: 0 320 | user: root 321 | description: Ensure permissions on /etc/gshadow are configured 322 | passwd-_own_perm: 323 | data: 324 | '*CoreOS*': 325 | - /etc/passwd-: 326 | gid: 0 327 | group: root 328 | mode: 600 329 | tag: CIS-6.1.6 330 | uid: 0 331 | user: root 332 | description: Ensure permissions on /etc/passwd- are configured 333 | shadow-_own_perm: 334 | data: 335 | '*CoreOS*': 336 | - /etc/shadow-: 337 | gid: 0 338 | group: root 339 | mode: 600 340 | tag: CIS-6.1.7 341 | uid: 0 342 | user: root 343 | description: Ensure permissions on /etc/shadow- are configured 344 | group-_own_perm: 345 | data: 346 | '*CoreOS*': 347 | - /etc/group-: 348 | gid: 0 349 | group: root 350 | mode: 600 351 | tag: CIS-6.1.8 352 | uid: 0 353 | user: root 354 | description: Ensure permissions on /etc/group- are configured 355 | gshadow-_own_perm: 356 | data: 357 | '*CoreOS*': 358 | - /etc/gshadow-: 359 | gid: 0 360 | group: root 361 | mode: 600 362 | tag: CIS-6.1.9 363 | uid: 0 364 | user: root 365 | description: Ensure permissions on /etc/gshadow- are configured 366 | sshd_config: 367 | data: 368 | '*CoreOS*': 369 | - /etc/ssh/sshd_config: 370 | gid: 0 371 | group: root 372 | mode: 600 373 | tag: CIS-5.2.1 374 | uid: 0 375 | user: root 376 | description: Ensure permissions on /etc/ssh/sshd_config are configured 377 | warning_banner_motd: 378 | data: 379 | '*CoreOS*': 380 | - /etc/motd: 381 | gid: 0 382 | group: root 383 | mode: 644 384 | tag: CIS-1.7.1.4 385 | uid: 0 386 | user: root 387 | description: Ensure permissions on /etc/motd are configured 388 | warning_banner_issue: 389 | data: 390 | '*CoreOS*': 391 | - /etc/issue: 392 | gid: 0 393 | group: root 394 | mode: 644 395 | tag: CIS-1.7.1.5 396 | uid: 0 397 | user: root 398 | description: Ensure permissions on /etc/issue are configured 399 | warning_banner_issue.net: 400 | data: 401 | '*CoreOS*': 402 | - /etc/issue.net: 403 | gid: 0 404 | group: root 405 | mode: 644 406 | tag: CIS-1.7.1.6 407 | uid: 
0 408 | user: root 409 | description: Ensure permissions on /etc/issue.net are configured 410 | docker_directory_ownership: 411 | data: 412 | '*CoreOS*': 413 | - /etc/docker: 414 | gid: 0 415 | group: root 416 | tag: CIS-7.5 417 | uid: 0 418 | user: root 419 | description: Ensure that /etc/docker directory ownership is set to root:root 420 | systemd_system_ownership: 421 | data: 422 | '*CoreOS*': 423 | - /etc/systemd/system: 424 | gid: 0 425 | group: root 426 | tag: CIS-7.2 427 | uid: 0 428 | user: root 429 | description: Ensure that /etc/systemd/system directory ownership is set to root:root 430 | misc: 431 | system_account_non_login: 432 | data: 433 | '*CoreOS*': 434 | tag: CIS-5.4.2 435 | function: system_account_non_login 436 | description: Ensure system accounts are non-login 437 | default_group_for_root_account: 438 | data: 439 | '*CoreOS*': 440 | tag: CIS-5.4.3 441 | function: default_group_for_root 442 | description: Ensure default group for the root account is GID 0 443 | root_is_only_uid_0_account: 444 | data: 445 | '*CoreOS*': 446 | tag: CIS-6.2.5 447 | function: root_is_only_uid_0_account 448 | description: Ensure root is the only UID 0 account 449 | ensure_nodev_option_on_/tmp: 450 | data: 451 | '*CoreOS*': 452 | tag: CIS-1.1.3 453 | function: test_mount_attrs 454 | args: 455 | - /tmp 456 | - nodev 457 | - soft 458 | description: Ensure nodev option set on /tmp partition 459 | ensure_nosuid_option_on_/tmp: 460 | data: 461 | '*CoreOS*': 462 | tag: CIS-1.1.4 463 | function: test_mount_attrs 464 | args: 465 | - /tmp 466 | - nosuid 467 | - soft 468 | description: Ensure nosuid option set on /tmp partition 469 | ensure_noexec_option_on_/tmp: 470 | data: 471 | '*CoreOS*': 472 | tag: CIS-1.1.5 473 | function: test_mount_attrs 474 | args: 475 | - /tmp 476 | - noexec 477 | - soft 478 | description: Ensure noexec option set on /tmp partition 479 | ensure_nodev_option_on_/dev/shm: 480 | data: 481 | '*CoreOS*': 482 | tag: CIS-1.1.15 483 | function: 
test_mount_attrs 484 | args: 485 | - /dev/shm 486 | - nodev 487 | - soft 488 | description: Ensure nodev option set on /dev/shm partition 489 | ensure_nosuid_option_on_/dev/shm: 490 | data: 491 | '*CoreOS*': 492 | tag: CIS-1.1.16 493 | function: test_mount_attrs 494 | args: 495 | - /dev/shm 496 | - nosuid 497 | - soft 498 | description: Ensure nosuid option set on /dev/shm partition 499 | ensure_noexec_option_on_/dev/shm: 500 | data: 501 | '*CoreOS*': 502 | tag: CIS-1.1.17 503 | function: test_mount_attrs 504 | args: 505 | - /dev/shm 506 | - noexec 507 | - soft 508 | description: Ensure noexec option set on /dev/shm partition 509 | ensure_path_integrity: 510 | data: 511 | '*CoreOS*': 512 | tag: CIS-6.2.6 513 | function: check_path_integrity 514 | description: Ensure root PATH Integrity 515 | docker_directory_permissions: 516 | data: 517 | '*CoreOS*': 518 | tag: CIS-7.6 519 | function: restrict_permissions 520 | args: 521 | - /etc/docker 522 | - 755 523 | description: Ensure that /etc/docker directory permissions are set to 755 or more restrictive 524 | time_sync: 525 | data: 526 | '*CoreOS*': 527 | tag: CIS-7.1 528 | function: check_time_synchronization 529 | description: Ensure that some service running to synchronize system time 530 | check_duplicate_uids: 531 | data: 532 | '*CoreOS*': 533 | tag: CIS-6.1.16 534 | function: check_duplicate_uids 535 | description: Ensure no duplicate UIDs exist 536 | check_duplicate_gids: 537 | data: 538 | '*CoreOS*': 539 | tag: CIS-6.2.17 540 | function: check_duplicate_gids 541 | description: Ensure no duplicate GIDs exist 542 | check_duplicate_unames: 543 | data: 544 | '*CoreOS*': 545 | tag: CIS-6.2.18 546 | function: check_duplicate_unames 547 | description: Ensure no duplicate user names exist 548 | check_duplicate_gnames: 549 | data: 550 | '*CoreOS*': 551 | tag: CIS-6.2.19 552 | function: check_duplicate_gnames 553 | description: Ensure no duplicate group names exist 554 | restrict_core_dumps: 555 | data: 556 | '*CoreOS*': 
557 | tag: CIS-1.5.1 558 | function: check_core_dumps 559 | description: Ensure core dumps are restricted 560 | # check_log_files_permission: 561 | # data: 562 | # '*CoreOS*': 563 | # tag: CIS-4.2.4 564 | # function: check_directory_files_permission 565 | # args: 566 | # - /var/log 567 | # - 740 568 | # description: Ensure permissions on all logfiles are configured 569 | systemd_system_permission: 570 | data: 571 | '*CoreOS*': 572 | tag: CIS-7.3 573 | function: restrict_permissions 574 | args: 575 | - /etc/systemd/system 576 | - 755 577 | description: Ensure that /etc/systemd/system directory permissions are set to 755 or more restrictive 578 | journald_enabled: 579 | data: 580 | '*CoreOS*': 581 | tag: CIS-7.7 582 | function: check_service_status 583 | args: 584 | - systemd-journald 585 | - enabled 586 | description: Ensure systemd-journald service is enabled 587 | sshd_idle_timeout: 588 | data: 589 | '*CoreOS*': 590 | tag: CIS-5.2.13 591 | function: check_ssh_timeout_config 592 | description: Ensure SSH Idle Timeout Interval is configured 593 | all_users_home_directory: 594 | data: 595 | '*CoreOS*': 596 | tag: CIS-6.2.7 597 | function: check_all_users_home_directory 598 | args: 599 | - 1000 600 | description: Ensure all users' home directories exist 601 | all_users_home_directory_permission: 602 | data: 603 | '*CoreOS*': 604 | tag: CIS-6.2.8 605 | function: check_users_home_directory_permissions 606 | description: Ensure users' home directories permissions are 750 or more restrictive 607 | all_users_own_their_home: 608 | data: 609 | '*CoreOS*': 610 | tag: CIS-6.2.9 611 | function: check_users_own_their_home 612 | args: 613 | - 1000 614 | description: Ensure users own their home directories 615 | # users_dot_file_check: 616 | # data: 617 | # '*CoreOS*': 618 | # tag: CIS-6.2.10 619 | # function: check_users_dot_files 620 | # description: Ensure users' dot files are not group or world writable 621 | users_forward_files_check: 622 | data: 623 | '*CoreOS*': 624 | tag: 
CIS-6.2.11 625 | function: check_users_forward_files 626 | description: Ensure no users have .forward files 627 | users_netrc_files_check: 628 | data: 629 | '*CoreOS*': 630 | tag: CIS-6.2.12 631 | function: check_users_netrc_files 632 | description: Ensure no users have .netrc files 633 | check_groups_validity: 634 | data: 635 | '*CoreOS*': 636 | tag: CIS-6.2.15 637 | function: check_groups_validity 638 | description: Ensure all groups in /etc/passwd exist in /etc/group 639 | enable_reverse_path_filtering: 640 | data: 641 | '*CoreOS*': 642 | tag: CIS-3.2.7 643 | function: ensure_reverse_path_filtering 644 | description: Ensure Reverse Path Filtering is enabled 645 | -------------------------------------------------------------------------------- /hubblestack_nova_profiles/cis/debian-7.yaml: -------------------------------------------------------------------------------- 1 | # This profile is temporary, and is a copy-paste from the 2 | # debian-8-level-1-scored-v1-0-0.yaml. Eventually it should be replaced 3 | # with a Debian-7 official one. 
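
grep:
  whitelist:

    local_only_mta:
      data:
        Debian*7:
          - '/etc/exim4/update-exim4.conf':
              tag: 'CIS-6.15'
              pattern: "^dc_local_interfaces = '127.0.0.1'"
      description: Configure Mail Transfer Agent for Local-Only Mode

    mounts_tmp_partition:
      data:
        Debian*7:
          - '/proc/mounts':
              tag: 'CIS-2.1'
              pattern: '/tmp'
      description: Create Separate Partition for /tmp

    mounts_tmp_partition_nodev:
      data:
        Debian*7:
          - '/proc/mounts':
              tag: 'CIS-2.2'
              pattern: '/tmp'
              match_output: 'nodev'
      description: Set nodev option for /tmp Partition

    mounts_tmp_partition_nosuid:
      data:
        Debian*7:
          - '/proc/mounts':
              tag: 'CIS-2.3'
              pattern: '/tmp'
              match_output: 'nosuid'
      description: Set nosuid option for /tmp Partition

    mounts_tmp_partition_noexec:
      data:
        Debian*7:
          - '/proc/mounts':
              tag: 'CIS-2.4'
              pattern: '/tmp'
              # Was 'nosuid', which duplicated CIS-2.3 and never verified the
              # noexec flag: a /tmp mounted nosuid but without noexec passed.
              match_output: 'noexec'
      description: Set noexec option for /tmp Partition

    mounts_var_partition:
      data:
        Debian*7:
          - '/proc/mounts':
              tag: 'CIS-2.5'
              pattern: '/var'
      description: Create Separate Partition for /var

    fstab_var_tmp_bind_mount:
      data:
        Debian*7:
          - '/etc/fstab':
              tag: 'CIS-2.6'
              pattern: '/var'
              match_output: '/var/tmp'
      description: Bind Mount the /var/tmp directory to /tmp

    mounts_var_log_partition:
      data:
        Debian*7:
          - '/proc/mounts':
              tag: 'CIS-2.7'
              pattern: '/var/log'
      description: Create Separate Partition for /var/log

    mounts_var_log_audit_partition:
      data:
        Debian*7:
          - '/proc/mounts':
              tag: 'CIS-2.8'
              pattern: '/var/log/audit'
      description: Create Separate Partition for /var/log/audit

    mounts_home_partition:
      data:
        Debian*7:
          - '/proc/mounts':
              tag: 'CIS-2.9'
              pattern: '/home'
      description: Create Separate Partition for /home

    mounts_home_partition_nodev:
      data:
        Debian*7:
          - '/proc/mounts':
              tag: 'CIS-2.10'
              pattern: '/home'
              match_output: 'nodev'
      description: Add nodev Option to /home

    mounts_dev_shm_partition_nodev:
      data:
        Debian*7:
          - '/proc/mounts':
              tag: 'CIS-2.14'
              pattern: '/dev/shm'
              match_output: 'nodev'
      description: Add nodev Option to /run/shm Partition

    mounts_dev_shm_partition_nosuid:
      data:
        Debian*7:
          - '/proc/mounts':
              tag: 'CIS-2.15'
              pattern: '/dev/shm'
              match_output: 'nosuid'
      description: Add nosuid Option to /run/shm Partition

    mounts_dev_shm_partition_noexec:
      data:
        Debian*7:
          - '/proc/mounts':
              tag: 'CIS-2.16'
              pattern: '/dev/shm'
              match_output: 'noexec'
      description: Add noexec Option to /run/shm Partition

    configure_ntp:
      data:
        Debian*7:
          - '/etc/ntp.conf':
              tag: 'CIS-6.5'
              pattern: 'restrict default'
      description: Configure Network Time Protocol (NTP)

    rsyslog_remote_logging:
      data:
        Debian*7:
          - '/etc/rsyslog.conf':
              tag: 'CIS-8.2.5'
              pattern: "^*.*[^I][^I]*@"
      description: Configure rsyslog to Send Logs to a Remote Log Host

    passwd_limit_reuse:
      data:
        Debian*7:
          - '/etc/pam.d/common-password':
              tag: 'CIS-9.2.3'
              pattern: "remember"
              # The benchmark requires remember=5 or more. A plain substring
              # match on "5" accepted any value containing the digit (15, 50,
              # 25...) and rejected e.g. remember=7; match the number instead.
              match_output: 'remember=([5-9]|[1-9][0-9]+)'
              match_output_regex: True
      description: Limit Password Reuse

    sshd_protocol_2:
      data:
        Debian*7:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.1'
              pattern: "^Protocol"
              match_output: 'Protocol 2'
      description: Set SSH Protocol to 2

    sshd_loglevel_info:
      data:
        Debian*7:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.2'
              pattern: "^LogLevel"
              match_output: 'LogLevel INFO'
      description: Set LogLevel to INFO

    sshd_x11_forwarding:
      data:
        Debian*7:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.4'
              pattern: "^X11Forwarding"
              match_output: 'X11Forwarding no'
      description: Disable SSH X11 Forwarding

    sshd_max_auth_retries:
      data:
        Debian*7:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.5'
              pattern: "^MaxAuthTries"
              match_output_regex: True
              match_output: "^MaxAuthTries +[1-4]$"
      description: Set SSH MaxAuthTries to 4 or Less

    sshd_ignore_rhosts:
      data:
        Debian*7:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.6'
              pattern: "^IgnoreRhosts"
              match_output: "IgnoreRhosts yes"
      description: Set SSH IgnoreRhosts to Yes

    sshd_hostbased_auth:
      data:
        Debian*7:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.7'
              pattern: "^HostbasedAuthentication"
              match_output: "HostbasedAuthentication no"
      description: Set SSH HostbasedAuthentication to No

    sshd_disable_root_login:
      data:
        Debian*7:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.8'
              pattern: "^PermitRootLogin"
              match_output: "PermitRootLogin no"
      description: Disable SSH Root Login

    sshd_permit_empty_passwords:
      data:
        Debian*7:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.9'
              pattern: "^PermitEmptyPasswords"
              match_output: "PermitEmptyPasswords no"
      description: Set SSH PermitEmptyPasswords to No

    sshd_permit_user_environment:
      data:
        Debian*7:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.10'
              pattern: "^PermitUserEnvironment"
              match_output: "PermitUserEnvironment no"
      description: Do Not Allow Users to Set Environment Options

    sshd_approved_cipher:
      data:
        Debian*7:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.11'
              pattern: "Ciphers"
              # Every ordering of the three approved CTR ciphers is accepted;
              # any other cipher on the line fails the anchored regex.
              match_output: "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$"
              match_output_regex: True
      description: Use Only Approved Cipher in Counter Mode

    sshd_idle_timeout:
      data:
        Debian*7:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.12'
              pattern: "^ClientAliveInterval"
              # Accept 1..300 seconds. The previous regex also accepted 0,
              # which disables the idle timeout entirely.
              match_output: '^ClientAliveInterval +([1-9]|[1-9]\d|[1-2]\d\d|300)$'
              match_output_regex: True
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.12'
              pattern: "^ClientAliveCountMax"
              match_output: "^ClientAliveCountMax +[0-3]$"
              match_output_regex: True
      description: Set Idle Timeout Interval for User Login

    sshd_limit_access:
      data:
        Debian*7:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.13'
              pattern: "^AllowUsers"
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.13'
              pattern: "^AllowGroups"
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.13'
              pattern: "^DenyUsers"
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.13'
              pattern: "^DenyGroups"
      description: Limit Access via SSH

    sshd_banner:
      data:
        Debian*7:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.14'
              pattern: "^Banner"
      description: Set SSH Banner

    restrict_access_su:
      data:
        Debian*7:
          - '/etc/pam.d/su':
              tag: 'CIS-9.5'
              pattern: "pam_wheel.so"
      description: Restrict Access to the su Command

    passwd_expiration_days:
      data:
        Debian*7:
          - '/etc/login.defs':
              tag: 'CIS-10.1.1'
              # Anchored so commented-out example lines do not satisfy the
              # check; login.defs separates key and value with tabs, hence \s.
              pattern: "^PASS_MAX_DAYS"
              # 90 days or less (previous substring "90" also accepted 190, 900).
              match_output: '^PASS_MAX_DAYS\s+([1-9]|[1-8][0-9]|90)$'
              match_output_regex: True
      description: Set Password Expiration Days

    passwd_change_min_days:
      data:
        Debian*7:
          - '/etc/login.defs':
              tag: 'CIS-10.1.2'
              pattern: "^PASS_MIN_DAYS"
              # 7 days or more.
              match_output: '^PASS_MIN_DAYS\s+([7-9]|[1-9][0-9]+)$'
              match_output_regex: True
      description: Set Password Change Minimum Number of Days

    passwd_expiry_warning:
      data:
        Debian*7:
          - '/etc/login.defs':
              tag: 'CIS-10.1.3'
              pattern: "^PASS_WARN_AGE"
              # 7 days or more.
              match_output: '^PASS_WARN_AGE\s+([7-9]|[1-9][0-9]+)$'
              match_output_regex: True
      description: Set Password Expiring Warning Days

    default_umask:
      data:
        Debian*7:
          - '/etc/bash.bashrc':
              tag: 'CIS-10.4'
              pattern: "^umask 077"
          - '/etc/profile.d/*':
              tag: 'CIS-10.4'
              pattern: "^umask 077"
      description: Set Default umask for Users

    # The two checks below are content (pattern) checks and were previously
    # listed under 'stat:', whose entries only describe mode/owner/group; a
    # 'pattern' key there is not a file-content test. They are whitelist
    # checks: the benchmark expects the line to be present.
    boot_loader_passwd:
      data:
        Debian*7:
          - '/boot/grub/grub.cfg':
              tag: 'CIS-3.3'
              pattern: "^password"
      description: Set Boot Loader Password

    restrict_core_dumps:
      data:
        Debian*7:
          - '/etc/security/limits.conf':
              tag: 'CIS-4.1'
              pattern: 'hard core'
      description: Restrict Core Dumps

  blacklist:

    # These were also listed under 'stat:' before. For each of them the
    # benchmark audit is "the grep returns no results", so they belong in
    # the grep blacklist: a match is a finding.
    single_user_auth:
      data:
        Debian*7:
          - '/etc/shadow':
              tag: 'CIS-3.4'
              # A root entry whose password field is '*' or '!' has no
              # password and lets single-user mode come up unauthenticated.
              pattern: "^root:[*\\!]:"
      description: Require Authentication for Single-User Mode

    legacy_passwd_entries:
      data:
        Debian*7:
          - '/etc/passwd':
              tag: 'CIS-13.2'
              pattern: "^+:"
      description: Verify No Legacy "+" Entries Exist in /etc/passwd File

    legacy_shadow_entries:
      data:
        Debian*7:
          - '/etc/shadow':
              tag: 'CIS-13.3'
              pattern: "^+:"
      description: Verify No Legacy "+" Entries Exist in /etc/shadow File

    legacy_group_entries:
      data:
        Debian*7:
          - '/etc/group':
              tag: 'CIS-13.4'
              pattern: "^+:"
      description: Verify No Legacy "+" Entries Exist in /etc/group File

stat:
  grub_conf_own:
    data:
      Debian*7:
        - '/boot/grub/grub.cfg':
            tag: 'CIS-3.1'
            user: 'root'
            group: 'root'
    description: Set User/Group Owner on bootloader config

  grub_conf_perm:
    data:
      Debian*7:
        - '/boot/grub/grub.cfg':
            tag: 'CIS-3.2'
            mode: 600
    description: Set Permissions on bootloader config

  cron_hourly:
    data:
      Debian*7:
        - '/etc/cron.hourly':
            tag: 'CIS-9.1.3'
            mode: 700
            user: 'root'
            group: 'root'
    description: Set User/Group Owner and Permission on /etc/cron.hourly

  cron_daily:
    data:
      Debian*7:
        - '/etc/cron.daily':
            tag: 'CIS-9.1.4'
            mode: 700
            user: 'root'
            group: 'root'
    description: Set User/Group Owner and Permission on /etc/cron.daily

  cron_weekly:
    data:
      Debian*7:
        - '/etc/cron.weekly':
            tag: 'CIS-9.1.5'
            mode: 700
            user: 'root'
            group: 'root'
    description: Set User/Group Owner and Permission on /etc/cron.weekly

  cron_monthly:
    data:
      Debian*7:
        - '/etc/cron.monthly':
            tag: 'CIS-9.1.6'
            mode: 700
            user: 'root'
            group: 'root'
    description: Set User/Group Owner and Permission on /etc/cron.monthly

  cron_d:
    data:
      Debian*7:
        - '/etc/cron.d':
            tag: 'CIS-9.1.7'
            mode: 700
            user: 'root'
            group: 'root'
    description: Set User/Group Owner and Permission on /etc/cron.d

  sshd_config:
    data:
      Debian*7:
        - '/etc/ssh/sshd_config':
            tag: 'CIS-9.3.3'
            mode: 600
            user: 'root'
            group: 'root'
    description: Set Permissions on /etc/ssh/sshd_config

  passwd_perm:
    data:
      Debian*7:
        - '/etc/passwd':
            tag: 'CIS-12.1'
            mode: 644
    description: Verify Permissions on /etc/passwd

  passwd_own:
    data:
      Debian*7:
        - '/etc/passwd':
            tag: 'CIS-12.4'
            user: 'root'
            group: 'root'
    description: Verify User/Group Ownership on /etc/passwd

  shadow_perm:
    data:
      Debian*7:
        - '/etc/shadow':
            tag: 'CIS-12.2'
            mode: 640
    description: Verify Permissions on /etc/shadow

  shadow_own:
    data:
      Debian*7:
        - '/etc/shadow':
            tag: 'CIS-12.5'
            user: 'root'
            group: 'root'
    description: Verify User/Group Ownership on /etc/shadow

  group_perm:
    data:
      Debian*7:
        - '/etc/group':
            tag: 'CIS-12.3'
            mode: 644
        - '/etc/group':
            tag: 'CIS-12.3'
            user: 'root'
            group: 'root'
    description: Verify Permissions on /etc/group

  hosts_allow:
    data:
      Debian*7:
        - '/etc/hosts.allow':
            tag: 'CIS-7.4.3'
            mode: 644
    description: Verify Permissions on /etc/hosts.allow

  hosts_deny:
    data:
      Debian*7:
        - '/etc/hosts.deny':
            tag: 'CIS-7.4.5'
            mode: 644
    description: Verify Permissions on /etc/hosts.deny

sysctl:
  randomize_va_space:
    data:
      Debian*7:
        - 'kernel.randomize_va_space':
            tag: 'CIS-4.3'
            match_output: '2'
    description: Enable Randomized Virtual Memory Region Placement

  ip_forwarding:
    data:
      Debian*7:
        - 'net.ipv4.ip_forward':
            tag: 'CIS-7.1.1'
            match_output: '0'
    description: Disable IP Forwarding

  send_packet_redirect:
    data:
      Debian*7:
        - 'net.ipv4.conf.all.send_redirects':
            tag: 'CIS-7.1.2'
            match_output: '0'
        - 'net.ipv4.conf.default.send_redirects':
            tag: 'CIS-7.1.2'
            match_output: '0'
    description: Disable Send Packet Redirects

  source_routed_packet_acceptance:
    data:
      Debian*7:
        - 'net.ipv4.conf.all.accept_source_route':
            tag: 'CIS-7.2.1'
            match_output: '0'
        - 'net.ipv4.conf.default.accept_source_route':
            tag: 'CIS-7.2.1'
            match_output: '0'
    description: Disable Source Routed Packet Acceptance

  icmp_redirect_acceptance:
    data:
      Debian*7:
        - 'net.ipv4.conf.all.accept_redirects':
            tag: 'CIS-7.2.2'
            match_output: '0'
        - 'net.ipv4.conf.default.accept_redirects':
            tag: 'CIS-7.2.2'
            match_output: '0'
    description: Disable ICMP Redirect Acceptance

  icmp_secure_redirect_acceptance:
    data:
      Debian*7:
        - 'net.ipv4.conf.all.secure_redirects':
            tag: 'CIS-7.2.3'
            match_output: '0'
        - 'net.ipv4.conf.default.secure_redirects':
            tag: 'CIS-7.2.3'
            match_output: '0'
    description: Disable Secure ICMP Redirect Acceptance

  log_suspicious_packets:
    data:
      Debian*7:
        - 'net.ipv4.conf.all.log_martians':
            tag: 'CIS-7.2.4'
            match_output: '1'
        - 'net.ipv4.conf.default.log_martians':
            tag: 'CIS-7.2.4'
            match_output: '1'
    description: Log Suspicious Packets

  ignore_broadcast_requests:
    data:
      Debian*7:
        - 'net.ipv4.icmp_echo_ignore_broadcasts':
            tag: 'CIS-7.2.5'
            match_output: '1'
    description: Enable Ignore Broadcast Requests

  bad_error_message_protection:
    data:
      Debian*7:
        - 'net.ipv4.icmp_ignore_bogus_error_responses':
            tag: 'CIS-7.2.6'
            match_output: '1'
    description: Enable Bad Error Message Protection

  source_route_validation:
    data:
      Debian*7:
        - 'net.ipv4.conf.all.rp_filter':
            tag: 'CIS-7.2.7'
            match_output: '1'
        - 'net.ipv4.conf.default.rp_filter':
            tag: 'CIS-7.2.7'
            match_output: '1'
    description: Enable RFC-recommended Source Route Validation

  tcp_syn_cookies:
    data:
      Debian*7:
        - 'net.ipv4.tcp_syncookies':
            tag: 'CIS-7.2.8'
            match_output: '1'
    description: Enable TCP SYN Cookies

pkg:
  blacklist:

    prelink:
      data:
        Debian*7:
          - 'prelink': 'CIS-4.4'
      description: Disable Prelink

    nis:
      data:
        Debian*7:
          - 'nis': 'CIS-5.1.1'
      description: Ensure NIS is not installed

    rsh-clients:
      data:
        Debian*7:
          - 'rsh-client': CIS-5.1.3
          - 'rsh-redone-client': CIS-5.1.3
      description: Ensure rsh client is not installed

    rsh-server:
      data:
        Debian*7:
          - 'rsh-server': CIS-5.1.2
      description: Ensure rsh server is not enabled

    talk:
      data:
        Debian*7:
          - 'talk': 'CIS-5.1.5'
      description: Ensure talk client is not installed

    telnet:
      data:
        Debian*7:
          - 'telnet': 'CIS-5.1.6'
          - 'telnet-server': 'CIS-5.1.6'
      description: Ensure telnet server is not enabled

    tftp:
      data:
        Debian*7:
          - 'tftp': 'CIS-5.1.7'
          - 'atftp': 'CIS-5.1.7'
      description: Ensure tftp-server is not enabled

    xinetd:
      data:
        Debian*7:
          - 'xinetd': 'CIS-5.1.8'
      description: Ensure xinetd is not enabled

    xorg-server:
      data:
        Debian*7:
          - 'xserver-xorg-core': 'CIS-6.1'
      description: Ensure the X Window system is not installed

    avahi-daemon:
      data:
        Debian*7:
          - 'avahi-daemon': 'CIS-6.2'
      description: Ensure Avahi Server is not enabled

    dhcp:
      data:
        Debian*7:
          - 'isc-dhcp-server': 'CIS-6.4'
      description: Ensure DHCP Server is not enabled

  whitelist:

    tcp_wrappers:
      data:
        Debian*7:
          - 'tcpd': 'CIS-7.4.1'
      description: Install TCP Wrappers

    iptables:
      data:
        Debian*7:
          - 'iptables': 'CIS-7.7'
          - 'iptables-persistent': 'CIS-7.7'
      description: Ensure Firewall is active

    rsyslog:
      data:
        Debian*7:
          - 'rsyslog': 'CIS-8.2.1'
      description: Install the rsyslog package

    cracklib:
      data:
        Debian*7:
          - 'libpam-cracklib': 'CIS-9.2.1'
      description: Set Password Creation Requirement Parameters Using pam_cracklib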
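/hubblestack_nova_profiles/cis/debian-8-level-1-scored-v1-0-0.yaml:
--------------------------------------------------------------------------------
# NOTE: This CIS Profile only includes Level 1 Scored Items for Debian 8
# NOTE: Within this file, there are a few sections that should be tailored to your
# organization's specific policy. Search for '# NOTE: ' comments through the file.

# TODO: Checks that aren't implemented yet:
# 2.17
# 2.25
# 3.3
# 5.1.4
# 5.2-6
# 6.16
# 8.2.2
# 8.2.4
# 9.1.1
# 9.1.8
# 10.2
# 10.3
# 10.5
# 11.1
# 11.2
# 12.8
# 12.9
# 13.1
# 13.5-20

grep:
  whitelist:

    local_only_mta:
      data:
        Debian*8:
          - '/etc/exim4/update-exim4.conf':
              tag: 'CIS-6.15'
              pattern: "^dc_local_interfaces = '127.0.0.1'"
      description: Configure Mail Transfer Agent for Local-Only Mode

    mounts_tmp_partition:
      data:
        Debian*8:
          - '/proc/mounts':
              tag: 'CIS-2.1'
              pattern: '/tmp'
      description: Create Separate Partition for /tmp

    mounts_tmp_partition_nodev:
      data:
        Debian*8:
          - '/proc/mounts':
              tag: 'CIS-2.2'
              pattern: '/tmp'
              match_output: 'nodev'
      description: Set nodev option for /tmp Partition

    mounts_tmp_partition_nosuid:
      data:
        Debian*8:
          - '/proc/mounts':
              tag: 'CIS-2.3'
              pattern: '/tmp'
              match_output: 'nosuid'
      description: Set nosuid option for /tmp Partition

    mounts_tmp_partition_noexec:
      data:
        Debian*8:
          - '/proc/mounts':
              tag: 'CIS-2.4'
              pattern: '/tmp'
              # CIS-2.4 is the noexec check. The previous value 'nosuid'
              # duplicated CIS-2.3 above, so a /tmp mount without noexec was
              # not flagged by this entry.
              match_output: 'noexec'
      description: Set noexec option for /tmp Partition

    mounts_var_partition:
      data:
        Debian*8:
          - '/proc/mounts':
              tag: 'CIS-2.5'
              pattern: '/var'
      description: Create Separate Partition for /var

    fstab_var_tmp_bind_mount:
      data:
        Debian*8:
          - 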
'/etc/fstab': 84 | tag: 'CIS-2.6' 85 | pattern: '/var' 86 | match_output: '/var/tmp' 87 | description: Bind Mount the /var/tmp directory to /tmp 88 | 89 | mounts_var_log_partition: 90 | data: 91 | Debian*8: 92 | - '/proc/mounts': 93 | tag: 'CIS-2.7' 94 | pattern: '/var/log' 95 | description: Create Separate Partition for /var/log 96 | 97 | mounts_var_log_audit_partition: 98 | data: 99 | Debian*8: 100 | - '/proc/mounts': 101 | tag: 'CIS-2.8' 102 | pattern: '/var/log/audit' 103 | description: Create Separate Partition for /var/log/audit 104 | 105 | mounts_home_partition: 106 | data: 107 | Debian*8: 108 | - '/proc/mounts': 109 | tag: 'CIS-2.9' 110 | pattern: '/home' 111 | description: Create Separate Partition for /home 112 | 113 | mounts_home_partition_nodev: 114 | data: 115 | Debian*8: 116 | - '/proc/mounts': 117 | tag: 'CIS-2.10' 118 | pattern: '/home' 119 | match_output: 'nodev' 120 | description: Add nodev Option to /home 121 | 122 | mounts_dev_shm_partition_nodev: 123 | data: 124 | Debian*8: 125 | - '/proc/mounts': 126 | tag: 'CIS-2.14' 127 | pattern: '/dev/shm' 128 | match_output: 'nodev' 129 | description: Add nodev Option to /run/shm Partition 130 | 131 | mounts_dev_shm_partition_nosuid: 132 | data: 133 | Debian*8: 134 | - '/proc/mounts': 135 | tag: 'CIS-2.15' 136 | pattern: '/dev/shm' 137 | match_output: 'nosuid' 138 | description: Add nosuid Option to /run/shm Partition 139 | 140 | mounts_dev_shm_partition_noexec: 141 | data: 142 | Debian*8: 143 | - '/proc/mounts': 144 | tag: 'CIS-2.16' 145 | pattern: '/dev/shm' 146 | match_output: 'noexec' 147 | description: Add noexec Option to /run/shm Partition 148 | 149 | configure_ntp: 150 | data: 151 | Debian*8: 152 | - '/etc/ntp.conf': 153 | tag: 'CIS-6.5' 154 | pattern: 'restrict default' 155 | description: Configure Network Time Protocol (NTP) 156 | 157 | rsyslog_remote_logging: 158 | data: 159 | Debian*8: 160 | - '/etc/rsyslog.conf': 161 | tag: 'CIS-8.2.5' 162 | pattern: "^*.*[^I][^I]*@" 163 | description: 
Configure rsyslog to Send Logs to a Remote Log Host 164 | 165 | passwd_limit_reuse: 166 | data: 167 | Debian*8: 168 | - '/etc/pam.d/common-password': 169 | tag: 'CIS-9.2.3' 170 | pattern: "remember" 171 | match_output: "5" 172 | description: Limit Password Reuse 173 | 174 | sshd_protocol_2: 175 | data: 176 | Debian*8: 177 | - '/etc/ssh/sshd_config': 178 | tag: 'CIS-9.3.1' 179 | pattern: "^Protocol" 180 | match_output: 'Protocol 2' 181 | description: Set SSH Protocol to 2 182 | 183 | sshd_loglevel_info: 184 | data: 185 | Debian*8: 186 | - '/etc/ssh/sshd_config': 187 | tag: 'CIS-9.3.2' 188 | pattern: "^LogLevel" 189 | match_output: 'LogLevel INFO' 190 | description: Set LogLevel to INFO 191 | 192 | sshd_x11_forwarding: 193 | data: 194 | Debian*8: 195 | - '/etc/ssh/sshd_config': 196 | tag: 'CIS-9.3.4' 197 | pattern: "^X11Forwarding" 198 | match_output: 'X11Forwarding no' 199 | description: Disable SSH X11 Forwarding 200 | 201 | sshd_max_auth_retries: 202 | data: 203 | Debian*8: 204 | - '/etc/ssh/sshd_config': 205 | tag: 'CIS-9.3.5' 206 | pattern: "^MaxAuthTries" 207 | match_output_regex: True 208 | match_output: "^MaxAuthTries +[1-4]$" 209 | description: Set SSH MaxAuthTries to 4 or Less 210 | 211 | sshd_ignore_rhosts: 212 | data: 213 | Debian*8: 214 | - '/etc/ssh/sshd_config': 215 | tag: 'CIS-9.3.6' 216 | pattern: "^IgnoreRhosts" 217 | match_output: "IgnoreRhosts yes" 218 | description: Set SSH IgnoreRhosts to Yes 219 | 220 | sshd_hostbased_auth: 221 | data: 222 | Debian*8: 223 | - '/etc/ssh/sshd_config': 224 | tag: 'CIS-9.3.7' 225 | pattern: "^HostbasedAuthentication" 226 | match_output: "HostbasedAuthentication no" 227 | description: Set SSH HostbasedAuthentication to No 228 | 229 | sshd_disable_root_login: 230 | data: 231 | Debian*8: 232 | - '/etc/ssh/sshd_config': 233 | tag: 'CIS-9.3.8' 234 | pattern: "^PermitRootLogin" 235 | match_output: "PermitRootLogin no" 236 | description: Disable SSH Root Login 237 | 238 | sshd_permit_empty_passwords: 239 | data: 240 | 
Debian*8: 241 | - '/etc/ssh/sshd_config': 242 | tag: 'CIS-9.3.9' 243 | pattern: "^PermitEmptyPasswords" 244 | match_output: "PermitEmptyPasswords no" 245 | description: Set SSH PermitEmptyPasswords to No 246 | 247 | sshd_permit_user_environment: 248 | data: 249 | Debian*8: 250 | - '/etc/ssh/sshd_config': 251 | tag: 'CIS-9.3.10' 252 | pattern: "^PermitUserEnvironment" 253 | match_output: "PermitUserEnvironment no" 254 | description: Do Not Allow Users to Set Environment Options 255 | 256 | sshd_approved_cipher: 257 | data: 258 | Debian*8: 259 | - '/etc/ssh/sshd_config': 260 | tag: 'CIS-9.3.11' 261 | pattern: "Ciphers" 262 | match_output: "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$" 263 | match_output_regex: True 264 | description: Use Only Approved Cipher in Counter Mode 265 | 266 | sshd_idle_timeout: 267 | data: 268 | Debian*8: 269 | - '/etc/ssh/sshd_config': 270 | tag: 'CIS-9.3.12' 271 | pattern: "^ClientAliveInterval" 272 | match_output: ^ClientAliveInterval +([1-2]{0,1}\d{1,2}|300)$ 273 | match_output_regex: True 274 | - '/etc/ssh/sshd_config': 275 | tag: 'CIS-9.3.12' 276 | pattern: "^ClientAliveCountMax" 277 | match_output: "^ClientAliveCountMax +[0-3]$" 278 | match_output_regex: True 279 | description: Set Idle Timeout Interval for User Login 280 | 281 | sshd_limit_access: 282 | data: 283 | Debian*8: 284 | - '/etc/ssh/sshd_config': 285 | tag: 'CIS-9.3.13' 286 | pattern: "^AllowUsers" 287 | - '/etc/ssh/sshd_config': 288 | tag: 'CIS-9.3.13' 289 | pattern: "^AllowGroups" 290 | - '/etc/ssh/sshd_config': 291 | tag: 'CIS-9.3.13' 292 | pattern: "^DenyUsers" 293 | - '/etc/ssh/sshd_config': 294 | tag: 'CIS-9.3.13' 295 | pattern: "^DenyGroups" 296 | description: Limit Access via SSH 297 | 298 | sshd_banner: 299 | data: 300 | Debian*8: 301 | - 
'/etc/ssh/sshd_config': 302 | tag: 'CIS-9.3.14' 303 | pattern: "^Banner" 304 | description: Set SSH Banner 305 | 306 | restrict_access_su: 307 | data: 308 | Debian*8: 309 | - '/etc/pam.d/su': 310 | tag: 'CIS-9.5' 311 | pattern: "pam_wheel.so" 312 | description: Restrict Access to the su Command 313 | 314 | passwd_expiration_days: 315 | data: 316 | Debian*8: 317 | - '/etc/login.defs': 318 | tag: 'CIS-10.1.1' 319 | pattern: "PASS_MAX_DAYS" 320 | match_output: "90" 321 | description: Set Password Expiration Days 322 | 323 | passwd_change_min_days: 324 | data: 325 | Debian*8: 326 | - '/etc/login.defs': 327 | tag: 'CIS-10.1.2' 328 | pattern: "PASS_MIN_DAYS" 329 | match_output: "7" 330 | description: Set Password Change Minimum Number of Days 331 | 332 | passwd_expiry_warning: 333 | data: 334 | Debian*8: 335 | - '/etc/login.defs': 336 | tag: 'CIS-10.1.3' 337 | pattern: "PASS_WARN_AGE" 338 | match_output: "7" 339 | description: Set Password Expiring Warning Days 340 | 341 | default_umask: 342 | data: 343 | Debian*8: 344 | - '/etc/bash.bashrc': 345 | tag: 'CIS-10.4' 346 | pattern: "^umask 077" 347 | - '/etc/profile.d/*': 348 | tag: 'CIS-10.4' 349 | pattern: "^umask 077" 350 | description: Set Default umask for Users 351 | 352 | blacklist: 353 | single_user_auth: 354 | data: 355 | Debian*8: 356 | - '/etc/shadow': 357 | tag: 'CIS-3.4' 358 | pattern: "^root:[*\\!]:" 359 | description: Require Authentication for Single-User Mode 360 | 361 | legacy_passwd_entries_group: 362 | data: 363 | Debian*8: 364 | - /etc/group: 365 | pattern: '^+:' 366 | tag: CIS-13.4 367 | description: Verify No Legacy "+" Entries Exist in /etc/group File 368 | legacy_passwd_entries_passwd: 369 | data: 370 | Debian*8: 371 | - /etc/passwd: 372 | pattern: '^+:' 373 | tag: CIS-13.2 374 | description: Verify No Legacy "+" Entries Exist in /etc/passwd File 375 | legacy_passwd_entries_shadow: 376 | data: 377 | Debian*8: 378 | - /etc/shadow: 379 | pattern: '^+:' 380 | tag: CIS-13.3 381 | description: Verify No 
Legacy "+" Entries Exist in /etc/shadow File 382 | 383 | stat: 384 | grub_conf_own: 385 | data: 386 | Debian*8: 387 | - '/boot/grub/grub.cfg': 388 | tag: 'CIS-3.1' 389 | user: 'root' 390 | group: 'root' 391 | description: Set User/Group Owner on bootloader config 392 | 393 | grub_conf_perm: 394 | data: 395 | Debian*8: 396 | - '/boot/grub/grub.cfg': 397 | tag: 'CIS-3.2' 398 | mode: 600 399 | description: Set Permissions on bootloader config 400 | 401 | boot_loader_passwd: 402 | data: 403 | Debian*8: 404 | - '/boot/grub/grub.cfg': 405 | tag: 'CIS-3.3' 406 | pattern: "^password" 407 | description: Set Boot Loader Password 408 | 409 | restrict_core_dumps: 410 | data: 411 | Debian*8: 412 | - '/etc/security/limits.conf': 413 | tag: 'CIS-4.1' 414 | pattern: 'hard core' 415 | description: Restrict Core Dumps 416 | 417 | crontab_own_perms: 418 | data: 419 | Debian*8: 420 | - '/etc/crontab': 421 | tag: 'CIS-9.1.2' 422 | mode: 600 423 | user: 'root' 424 | group: 'root' 425 | description: Set User/Group Owner and Permission on /etc/crontab 426 | 427 | cron_hourly: 428 | data: 429 | Debian*8: 430 | - '/etc/cron.hourly': 431 | tag: 'CIS-9.1.3' 432 | mode: 700 433 | user: 'root' 434 | group: 'root' 435 | description: Set User/Group Owner and Permission on /etc/cron.hourly 436 | 437 | cron_daily: 438 | data: 439 | Debian*8: 440 | - '/etc/cron.daily': 441 | tag: 'CIS-9.1.4' 442 | mode: 700 443 | user: 'root' 444 | group: 'root' 445 | description: Set User/Group Owner and Permission on /etc/cron.daily 446 | 447 | cron_weekly: 448 | data: 449 | Debian*8: 450 | - '/etc/cron.weekly': 451 | tag: 'CIS-9.1.5' 452 | mode: 700 453 | user: 'root' 454 | group: 'root' 455 | description: Set User/Group Owner and Permission on /etc/cron.weekly 456 | 457 | cron_monthly: 458 | data: 459 | Debian*8: 460 | - '/etc/cron.monthly': 461 | tag: 'CIS-9.1.6' 462 | mode: 700 463 | user: 'root' 464 | group: 'root' 465 | description: Set User/Group Owner and Permission on /etc/cron.monthly 466 | 467 | cron_d: 
468 | data: 469 | Debian*8: 470 | - '/etc/cron.d': 471 | tag: 'CIS-9.1.7' 472 | mode: 700 473 | user: 'root' 474 | group: 'root' 475 | description: Set User/Group Owner and Permission on /etc/cron.d 476 | 477 | sshd_config: 478 | data: 479 | Debian*8: 480 | - '/etc/ssh/sshd_config': 481 | tag: 'CIS-9.3.3' 482 | mode: 600 483 | user: 'root' 484 | group: 'root' 485 | description: Set Permissions on /etc/ssh/sshd_config 486 | 487 | passwd_perm: 488 | data: 489 | Debian*8: 490 | - '/etc/passwd': 491 | tag: 'CIS-12.1' 492 | mode: 644 493 | description: Verify Permissions on /etc/passwd 494 | 495 | passwd_own: 496 | data: 497 | Debian*8: 498 | - '/etc/passwd': 499 | tag: 'CIS-12.4' 500 | user: 'root' 501 | group: 'root' 502 | description: Verify User/Group Ownership on /etc/passwd 503 | 504 | shadow_perm: 505 | data: 506 | Debian*8: 507 | - '/etc/shadow': 508 | tag: 'CIS-12.2' 509 | mode: 640 510 | description: Verify Permissions on /etc/shadow 511 | 512 | shadow_own: 513 | data: 514 | Debian*8: 515 | - '/etc/shadow': 516 | tag: 'CIS-12.5' 517 | user: 'root' 518 | group: 'root' 519 | description: Verify User/Group Ownership on /etc/shadow 520 | 521 | group_perm: 522 | data: 523 | Debian*8: 524 | - '/etc/group': 525 | tag: 'CIS-12.3' 526 | user: 'root' 527 | group: 'root' 528 | description: Verify Permissions on /etc/group 529 | 530 | group_own: 531 | data: 532 | Debian*8: 533 | - '/etc/group': 534 | tag: 'CIS-12.6' 535 | user: 'root' 536 | group: 'root' 537 | description: Verify User/Group Ownership on /etc/group 538 | 539 | hosts_allow: 540 | data: 541 | Debian*8: 542 | - '/etc/hosts.allow': 543 | tag: 'CIS-7.4.3' 544 | mode: 644 545 | description: Verify Permissions on /etc/hosts.allow 546 | 547 | hosts_deny: 548 | data: 549 | Debian*8: 550 | - '/etc/hosts.deny': 551 | tag: 'CIS-7.4.5' 552 | mode: 644 553 | description: Verify Permissions on /etc/hosts.deny 554 | 555 | legacy_passwd_entries: 556 | data: 557 | Debian*8: 558 | - '/etc/passwd': 559 | tag: 'CIS-13.2' 560 | 
pattern: "^+:" 561 | description: Verify No Legacy "+" Entries Exist in /etc/passwd File 562 | 563 | legacy_shadow_entries: 564 | data: 565 | Debian*8: 566 | - '/etc/shadow': 567 | tag: 'CIS-13.3' 568 | pattern: "^+:" 569 | description: Verify No Legacy "+" Entries Exist in /etc/shadow File 570 | 571 | legacy_group_entries: 572 | data: 573 | Debian*8: 574 | - '/etc/group': 575 | tag: 'CIS-13.4' 576 | pattern: "^+:" 577 | description: Verify No Legacy "+" Entries Exist in /etc/group File 578 | 579 | sysctl: 580 | restrict_suid_core_dumps: 581 | data: 582 | Debian*8: 583 | - fs.suid_dumpable: 584 | match_output: '0' 585 | tag: CIS-4.1 586 | description: Restrict Core Dumps 587 | 588 | randomize_va_space: 589 | data: 590 | Debian*8: 591 | - 'kernel.randomize_va_space': 592 | tag: 'CIS-4.3' 593 | match_output: '2' 594 | description: Enable Randomized Virtual Memory Region Placement 595 | 596 | ip_forwarding: 597 | data: 598 | Debian*8: 599 | - 'net.ipv4.ip_forward': 600 | tag: 'CIS-7.1.1' 601 | match_output: '0' 602 | description: Disable IP Forwarding 603 | 604 | send_packet_redirect: 605 | data: 606 | Debian*8: 607 | - 'net.ipv4.conf.all.send_redirects': 608 | tag: 'CIS-7.1.2' 609 | match_output: '0' 610 | - 'net.ipv4.conf.default.send_redirects': 611 | tag: 'CIS-7.1.2' 612 | match_output: '0' 613 | description: Disable Send Packet Redirects 614 | 615 | source_routed_packet_acceptance: 616 | data: 617 | Debian*8: 618 | - 'net.ipv4.conf.all.accept_source_route': 619 | tag: 'CIS-7.2.1' 620 | match_output: '0' 621 | - 'net.ipv4.conf.default.accept_source_route': 622 | tag: 'CIS-7.2.1' 623 | match_output: '0' 624 | description: Disable Source Routed Packet Acceptance 625 | 626 | icmp_redirect_acceptance: 627 | data: 628 | Debian*8: 629 | - 'net.ipv4.conf.all.accept_redirects': 630 | tag: 'CIS-7.2.2' 631 | match_output: '0' 632 | - 'net.ipv4.conf.default.accept_redirects': 633 | tag: 'CIS-7.2.2' 634 | match_output: '0' 635 | description: Disable ICMP Redirect Acceptance 
636 | 637 | secure_icmp_redirect_acceptance: 638 | data: 639 | Debian*8: 640 | - 'net.ipv4.conf.all.secure_redirects': 641 | tag: 'CIS-7.2.3' 642 | match_output: '0' 643 | - 'net.ipv4.conf.default.secure_redirects': 644 | tag: 'CIS-7.2.3' 645 | match_output: '0' 646 | description: Disable Secure ICMP Redirect Acceptance 647 | 648 | log_suspicious_packets: 649 | data: 650 | Debian*8: 651 | - 'net.ipv4.conf.all.log_martians': 652 | tag: 'CIS-7.2.4' 653 | match_output: '1' 654 | - 'net.ipv4.conf.default.log_martians': 655 | tag: 'CIS-7.2.4' 656 | match_output: '1' 657 | description: Log Suspicious Packets 658 | 659 | ignore_broadcast_requests: 660 | data: 661 | Debian*8: 662 | - 'net.ipv4.icmp_echo_ignore_broadcasts': 663 | tag: 'CIS-7.2.5' 664 | match_output: '1' 665 | description: Enable Ignore Broadcast Requests 666 | 667 | bad_error_message_protection: 668 | data: 669 | Debian*8: 670 | - 'net.ipv4.icmp_ignore_bogus_error_responses': 671 | tag: 'CIS-7.2.6' 672 | match_output: '1' 673 | description: Enable Bad Error Message Protection 674 | 675 | source_route_validation: 676 | data: 677 | Debian*8: 678 | - 'net.ipv4.conf.all.rp_filter': 679 | tag: 'CIS-7.2.7' 680 | match_output: '1' 681 | - 'net.ipv4.conf.default.rp_filter': 682 | tag: 'CIS-7.2.7' 683 | match_output: '1' 684 | description: Enable RFC-recommended Source Route Validation 685 | 686 | tcp_syn_cookies: 687 | data: 688 | Debian*8: 689 | - 'net.ipv4.tcp_syncookies': 690 | tag: 'CIS-7.2.8' 691 | match_output: '1' 692 | description: Enable TCP SYN Cookies 693 | 694 | pkg: 695 | blacklist: 696 | 697 | prelink: 698 | data: 699 | Debian*8: 700 | - 'prelink': 'CIS-4.4' 701 | description: Disable Prelink 702 | 703 | nis: 704 | data: 705 | Debian*8: 706 | - 'nis': 'CIS-5.1.1' 707 | description: Ensure NIS is not installed 708 | 709 | rsh-clients: 710 | data: 711 | Debian*8: 712 | - 'rsh-client': CIS-5.1.3 713 | - 'rsh-redone-client': CIS-5.1.3 714 | description: Ensure rsh client is not installed 715 | rsh-server: 
716 | data: 717 | Debian*8: 718 | - 'rsh-server': CIS-5.1.2 719 | description: Ensure rsh server is not enabled 720 | 721 | talk: 722 | data: 723 | Debian*8: 724 | - 'talk': 'CIS-5.1.5' 725 | description: Ensure talk client is not installed 726 | 727 | telnet: 728 | data: 729 | Debian*8: 730 | - 'telnet': 'CIS-5.1.6' 731 | - 'telnet-server': 'CIS-5.1.6' 732 | description: Ensure telnet server is not enabled 733 | 734 | tftp: 735 | data: 736 | Debian*8: 737 | - 'tftp': 'CIS-5.1.7' 738 | - 'atftp': 'CIS-5.1.7' 739 | description: Ensure tftp-server is not enabled 740 | 741 | xinetd: 742 | data: 743 | Debian*8: 744 | - 'xinetd': 'CIS-5.1.8' 745 | description: Ensure xinetd is not enabled 746 | 747 | xorg-server: 748 | data: 749 | Debian*8: 750 | - 'xserver-xorg-core': 'CIS-6.1' 751 | description: Ensure the X Window system is not installed 752 | 753 | avahi-daemon: 754 | data: 755 | Debian*8: 756 | - 'avahi-daemon': 'CIS-6.2' 757 | description: Ensure Avahi Server is not enabled 758 | 759 | dhcp: 760 | data: 761 | Debian*8: 762 | - 'isc-dhcp-server': 'CIS-6.4' 763 | description: Ensure DHCP Server is not enabled 764 | 765 | whitelist: 766 | 767 | tcp_wrappers: 768 | data: 769 | Debian*8: 770 | - 'tcpd': 'CIS-7.4.1' 771 | description: Install TCP Wrappers 772 | 773 | iptables: 774 | data: 775 | Debian*8: 776 | - 'iptables': 'CIS-7.7' 777 | - 'iptables-persistent': 'CIS-7.7' 778 | description: Ensure Firewall is active 779 | 780 | rsyslog: 781 | data: 782 | Debian*8: 783 | - 'rsyslog': 'CIS-8.2.1' 784 | description: Install the rsyslog package 785 | 786 | cracklib: 787 | data: 788 | Debian*8: 789 | - 'libpam-cracklib': 'CIS-9.2.1' 790 | description: Set Password Creation Requirement Parameters Using pam_cracklib 791 | -------------------------------------------------------------------------------- /hubblestack_nova_profiles/cis/debian-9.yaml: -------------------------------------------------------------------------------- 1 | # This profile is temporary, and is a 
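copy-paste from the
# debian-8-level-1-scored-v1-0-0.yaml. Eventually it should be replaced
# with a Debian-9 official one.

grep:
  whitelist:

    local_only_mta:
      data:
        Debian*9:
          - '/etc/exim4/update-exim4.conf':
              tag: 'CIS-6.15'
              pattern: "^dc_local_interfaces = '127.0.0.1'"
      description: Configure Mail Transfer Agent for Local-Only Mode

    mounts_tmp_partition:
      data:
        Debian*9:
          - '/proc/mounts':
              tag: 'CIS-2.1'
              pattern: '/tmp'
      description: Create Separate Partition for /tmp

    mounts_tmp_partition_nodev:
      data:
        Debian*9:
          - '/proc/mounts':
              tag: 'CIS-2.2'
              pattern: '/tmp'
              match_output: 'nodev'
      description: Set nodev option for /tmp Partition

    mounts_tmp_partition_nosuid:
      data:
        Debian*9:
          - '/proc/mounts':
              tag: 'CIS-2.3'
              pattern: '/tmp'
              match_output: 'nosuid'
      description: Set nosuid option for /tmp Partition

    mounts_tmp_partition_noexec:
      data:
        Debian*9:
          - '/proc/mounts':
              tag: 'CIS-2.4'
              pattern: '/tmp'
              # CIS-2.4 is the noexec check. The previous value 'nosuid'
              # (inherited from the Debian 8 copy) duplicated CIS-2.3 above,
              # so a /tmp mount without noexec was not flagged by this entry.
              match_output: 'noexec'
      description: Set noexec option for /tmp Partition

    mounts_var_partition:
      data:
        Debian*9:
          - '/proc/mounts':
              tag: 'CIS-2.5'
              pattern: '/var'
      description: Create Separate Partition for /var

    fstab_var_tmp_bind_mount:
      data:
        Debian*9:
          - '/etc/fstab':
              tag: 'CIS-2.6'
              pattern: '/var'
              match_output: '/var/tmp'
      description: Bind Mount the /var/tmp directory to /tmp

    mounts_var_log_partition:
      data:
        Debian*9:
          - '/proc/mounts':
              tag: 'CIS-2.7'
              pattern: '/var/log'
      description: Create Separate Partition for /var/log

    mounts_var_log_audit_partition:
      data:
        Debian*9:
          - '/proc/mounts':
              tag: 'CIS-2.8'
              pattern: '/var/log/audit'
      description: Create Separate Partition for /var/log/audit
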
mounts_home_partition: 85 | data: 86 | Debian*9: 87 | - '/proc/mounts': 88 | tag: 'CIS-2.9' 89 | pattern: '/home' 90 | description: Create Separate Partition for /home 91 | 92 | mounts_home_partition_nodev: 93 | data: 94 | Debian*9: 95 | - '/proc/mounts': 96 | tag: 'CIS-2.10' 97 | pattern: '/home' 98 | match_output: 'nodev' 99 | description: Add nodev Option to /home 100 | 101 | mounts_dev_shm_partition_nodev: 102 | data: 103 | Debian*9: 104 | - '/proc/mounts': 105 | tag: 'CIS-2.14' 106 | pattern: '/dev/shm' 107 | match_output: 'nodev' 108 | description: Add nodev Option to /run/shm Partition 109 | 110 | mounts_dev_shm_partition_nosuid: 111 | data: 112 | Debian*9: 113 | - '/proc/mounts': 114 | tag: 'CIS-2.15' 115 | pattern: '/dev/shm' 116 | match_output: 'nosuid' 117 | description: Add nosuid Option to /run/shm Partition 118 | 119 | mounts_dev_shm_partition_noexec: 120 | data: 121 | Debian*9: 122 | - '/proc/mounts': 123 | tag: 'CIS-2.16' 124 | pattern: '/dev/shm' 125 | match_output: 'noexec' 126 | description: Add noexec Option to /run/shm Partition 127 | 128 | configure_ntp: 129 | data: 130 | Debian*9: 131 | - '/etc/ntp.conf': 132 | tag: 'CIS-6.5' 133 | pattern: 'restrict default' 134 | description: Configure Network Time Protocol (NTP) 135 | 136 | keep_all_auditing_information: 137 | data: 138 | Debian*9: 139 | - '/etc/audit/auditd.conf': 140 | tag: 'CIS-8.1.1.3' 141 | pattern: 'max_log_file_action' 142 | match_output: 'keep_logs' 143 | description: Keep All Auditing Information (Scored) 144 | 145 | rsyslog_remote_logging: 146 | data: 147 | Debian*9: 148 | - '/etc/rsyslog.conf': 149 | tag: 'CIS-8.2.5' 150 | pattern: "^*.*[^I][^I]*@" 151 | description: Configure rsyslog to Send Logs to a Remote Log Host 152 | 153 | passwd_limit_reuse: 154 | data: 155 | Debian*9: 156 | - '/etc/pam.d/common-password': 157 | tag: 'CIS-9.2.3' 158 | pattern: "remember" 159 | match_output: "5" 160 | description: Limit Password Reuse 161 | 162 | sshd_protocol_2: 163 | data: 164 | 
Debian*9: 165 | - '/etc/ssh/sshd_config': 166 | tag: 'CIS-9.3.1' 167 | pattern: "^Protocol" 168 | match_output: 'Protocol 2' 169 | description: Set SSH Protocol to 2 170 | 171 | sshd_loglevel_info: 172 | data: 173 | Debian*9: 174 | - '/etc/ssh/sshd_config': 175 | tag: 'CIS-9.3.2' 176 | pattern: "^LogLevel" 177 | match_output: 'LogLevel INFO' 178 | description: Set LogLevel to INFO 179 | 180 | sshd_x11_forwarding: 181 | data: 182 | Debian*9: 183 | - '/etc/ssh/sshd_config': 184 | tag: 'CIS-9.3.4' 185 | pattern: "^X11Forwarding" 186 | match_output: 'X11Forwarding no' 187 | description: Disable SSH X11 Forwarding 188 | 189 | sshd_max_auth_retries: 190 | data: 191 | Debian*9: 192 | - '/etc/ssh/sshd_config': 193 | tag: 'CIS-9.3.5' 194 | pattern: "^MaxAuthTries" 195 | match_output_regex: True 196 | match_output: "^MaxAuthTries +[1-4]$" 197 | description: Set SSH MaxAuthTries to 4 or Less 198 | 199 | sshd_ignore_rhosts: 200 | data: 201 | Debian*9: 202 | - '/etc/ssh/sshd_config': 203 | tag: 'CIS-9.3.6' 204 | pattern: "^IgnoreRhosts" 205 | match_output: "IgnoreRhosts yes" 206 | description: Set SSH IgnoreRhosts to Yes 207 | 208 | sshd_hostbased_auth: 209 | data: 210 | Debian*9: 211 | - '/etc/ssh/sshd_config': 212 | tag: 'CIS-9.3.7' 213 | pattern: "^HostbasedAuthentication" 214 | match_output: "HostbasedAuthentication no" 215 | description: Set SSH HostbasedAuthentication to No 216 | 217 | sshd_disable_root_login: 218 | data: 219 | Debian*9: 220 | - '/etc/ssh/sshd_config': 221 | tag: 'CIS-9.3.8' 222 | pattern: "^PermitRootLogin" 223 | match_output: "PermitRootLogin no" 224 | description: Disable SSH Root Login 225 | 226 | sshd_permit_empty_passwords: 227 | data: 228 | Debian*9: 229 | - '/etc/ssh/sshd_config': 230 | tag: 'CIS-9.3.9' 231 | pattern: "^PermitEmptyPasswords" 232 | match_output: "PermitEmptyPasswords no" 233 | description: Set SSH PermitEmptyPasswords to No 234 | 235 | sshd_permit_user_environment: 236 | data: 237 | Debian*9: 238 | - '/etc/ssh/sshd_config': 239 | 
tag: 'CIS-9.3.10' 240 | pattern: "^PermitUserEnvironment" 241 | match_output: "PermitUserEnvironment no" 242 | description: Do Not Allow Users to Set Environment Options 243 | 244 | sshd_approved_cipher: 245 | data: 246 | Debian*9: 247 | - '/etc/ssh/sshd_config': 248 | tag: 'CIS-9.3.11' 249 | pattern: "Ciphers" 250 | match_output: "^Ciphers aes256-ctr,aes192-ctr,aes128-ctr$|^Ciphers aes256-ctr,aes128-ctr,aes192-ctr$|^Ciphers aes192-ctr,aes128-ctr,aes256-ctr$|^Ciphers aes192-ctr,aes256-ctr,aes128-ctr$|^Ciphers aes128-ctr,aes256-ctr,aes192-ctr$|^Ciphers aes128-ctr,aes192-ctr,aes256-ctr$" 251 | match_output_regex: True 252 | description: Use Only Approved Cipher in Counter Mode 253 | 254 | sshd_idle_timeout: 255 | data: 256 | Debian*9: 257 | - '/etc/ssh/sshd_config': 258 | tag: 'CIS-9.3.12' 259 | pattern: "^ClientAliveInterval" 260 | match_output: ^ClientAliveInterval +([1-2]{0,1}\d{1,2}|300)$ 261 | match_output_regex: True 262 | - '/etc/ssh/sshd_config': 263 | tag: 'CIS-9.3.12' 264 | pattern: "^ClientAliveCountMax" 265 | match_output: "^ClientAliveCountMax +[0-3]$" 266 | match_output_regex: True 267 | description: Set Idle Timeout Interval for User Login 268 | 269 | sshd_limit_access: 270 | data: 271 | Debian*9: 272 | - '/etc/ssh/sshd_config': 273 | tag: 'CIS-9.3.13' 274 | pattern: "^AllowUsers" 275 | - '/etc/ssh/sshd_config': 276 | tag: 'CIS-9.3.13' 277 | pattern: "^AllowGroups" 278 | - '/etc/ssh/sshd_config': 279 | tag: 'CIS-9.3.13' 280 | pattern: "^DenyUsers" 281 | - '/etc/ssh/sshd_config': 282 | tag: 'CIS-9.3.13' 283 | pattern: "^DenyGroups" 284 | description: Limit Access via SSH 285 | 286 | sshd_banner: 287 | data: 288 | Debian*9: 289 | - '/etc/ssh/sshd_config': 290 | tag: 'CIS-9.3.14' 291 | pattern: "^Banner" 292 | description: Set SSH Banner 293 | 294 | restrict_access_su: 295 | data: 296 | Debian*9: 297 | - '/etc/pam.d/su': 298 | tag: 'CIS-9.5' 299 | pattern: "pam_wheel.so" 300 | description: Restrict Access to the su Command 301 | 302 | 
passwd_expiration_days: 303 | data: 304 | Debian*9: 305 | - '/etc/login.defs': 306 | tag: 'CIS-10.1.1' 307 | pattern: "PASS_MAX_DAYS" 308 | match_output: "90" 309 | description: Set Password Expiration Days 310 | 311 | passwd_change_min_days: 312 | data: 313 | Debian*9: 314 | - '/etc/login.defs': 315 | tag: 'CIS-10.1.2' 316 | pattern: "PASS_MIN_DAYS" 317 | match_output: "7" 318 | description: Set Password Change Minimum Number of Days 319 | 320 | passwd_expiry_warning: 321 | data: 322 | Debian*9: 323 | - '/etc/login.defs': 324 | tag: 'CIS-10.1.3' 325 | pattern: "PASS_WARN_AGE" 326 | match_output: "7" 327 | description: Set Password Expiring Warning Days 328 | 329 | default_umask: 330 | data: 331 | Debian*9: 332 | - '/etc/bash.bashrc': 333 | tag: 'CIS-10.4' 334 | pattern: "^umask 077" 335 | - '/etc/profile.d/*': 336 | tag: 'CIS-10.4' 337 | pattern: "^umask 077" 338 | description: Set Default umask for Users 339 | 340 | stat: 341 | grub_conf_own: 342 | data: 343 | Debian*9: 344 | - '/boot/grub/grub.cfg': 345 | tag: 'CIS-3.1' 346 | user: 'root' 347 | group: 'root' 348 | description: Set User/Group Owner on bootloader config 349 | 350 | grub_conf_perm: 351 | data: 352 | Debian*9: 353 | - '/boot/grub/grub.cfg': 354 | tag: 'CIS-3.2' 355 | mode: 600 356 | description: Set Permissions on bootloader config 357 | 358 | boot_loader_passwd: 359 | data: 360 | Debian*9: 361 | - '/boot/grub/grub.cfg': 362 | tag: 'CIS-3.3' 363 | pattern: "^password" 364 | description: Set Boot Loader Password 365 | 366 | restrict_core_dumps: 367 | data: 368 | Debian*9: 369 | - '/etc/security/limits.conf': 370 | tag: 'CIS-4.1' 371 | pattern: 'hard core' 372 | description: Restrict Core Dumps 373 | 374 | cron_hourly: 375 | data: 376 | Debian*9: 377 | - '/etc/cron.hourly': 378 | tag: 'CIS-9.1.3' 379 | mode: 700 380 | user: 'root' 381 | group: 'root' 382 | description: Set User/Group Owner and Permission on /etc/cron.hourly 383 | 384 | cron_daily: 385 | data: 386 | Debian*9: 387 | - '/etc/cron.daily': 
388 | tag: 'CIS-9.1.4' 389 | mode: 700 390 | user: 'root' 391 | group: 'root' 392 | description: Set User/Group Owner and Permission on /etc/cron.daily 393 | 394 | cron_weekly: 395 | data: 396 | Debian*9: 397 | - '/etc/cron.weekly': 398 | tag: 'CIS-9.1.5' 399 | mode: 700 400 | user: 'root' 401 | group: 'root' 402 | description: Set User/Group Owner and Permission on /etc/cron.weekly 403 | 404 | cron_monthly: 405 | data: 406 | Debian*9: 407 | - '/etc/cron.monthly': 408 | tag: 'CIS-9.1.6' 409 | mode: 700 410 | user: 'root' 411 | group: 'root' 412 | description: Set User/Group Owner and Permission on /etc/cron.monthly 413 | 414 | cron_d: 415 | data: 416 | Debian*9: 417 | - '/etc/cron.d': 418 | tag: 'CIS-9.1.7' 419 | mode: 700 420 | user: 'root' 421 | group: 'root' 422 | description: Set User/Group Owner and Permission on /etc/cron.d 423 | 424 | sshd_config: 425 | data: 426 | Debian*9: 427 | - '/etc/ssh/sshd_config': 428 | tag: 'CIS-9.3.3' 429 | mode: 600 430 | user: 'root' 431 | group: 'root' 432 | description: Set Permissions on /etc/ssh/sshd_config 433 | 434 | passwd_perm: 435 | data: 436 | Debian*9: 437 | - '/etc/passwd': 438 | tag: 'CIS-12.1' 439 | mode: 644 440 | - '/etc/passwd': 441 | tag: 'CIS-12.4' 442 | user: 'root' 443 | group: 'root' 444 | description: Verify Permissions on /etc/passwd 445 | 446 | shadow_perm: 447 | data: 448 | Debian*9: 449 | - '/etc/shadow': 450 | tag: 'CIS-12.2' 451 | mode: 640 452 | - '/etc/shadow': 453 | tag: 'CIS-12.5' 454 | user: 'root' 455 | group: 'root' 456 | description: Verify Permissions on /etc/shadow 457 | 458 | group_perm: 459 | data: 460 | Debian*9: 461 | - '/etc/group': 462 | tag: 'CIS-12.3' 463 | mode: 644 464 | - '/etc/group': 465 | tag: 'CIS-12.3' 466 | user: 'root' 467 | group: 'root' 468 | description: Verify Permissions on /etc/group 469 | 470 | blacklist: 471 | single_user_auth: 472 | data: 473 | Debian*9: 474 | - '/etc/shadow': 475 | tag: 'CIS-3.4' 476 | pattern: "^root:[*\\!]:" 477 | description: Require 
Authentication for Single-User Mode 478 | 479 | hosts_allow: 480 | data: 481 | Debian*9: 482 | - '/etc/hosts.allow': 483 | tag: 'CIS-7.4.3' 484 | mode: 644 485 | description: Verify Permissions on /etc/hosts.allow 486 | 487 | hosts_deny: 488 | data: 489 | Debian*9: 490 | - '/etc/hosts.deny': 491 | tag: 'CIS-7.4.5' 492 | mode: 644 493 | description: Verify Permissions on /etc/hosts.deny 494 | 495 | legacy_passwd_entries: 496 | data: 497 | Debian*9: 498 | - '/etc/passwd': 499 | tag: 'CIS-13.2' 500 | pattern: "^+:" 501 | description: Verify No Legacy "+" Entries Exist in /etc/passwd File 502 | 503 | legacy_shadow_entries: 504 | data: 505 | Debian*9: 506 | - '/etc/shadow': 507 | tag: 'CIS-13.3' 508 | pattern: "^+:" 509 | description: Verify No Legacy "+" Entries Exist in /etc/shadow File 510 | 511 | legacy_group_entries: 512 | data: 513 | Debian*9: 514 | - '/etc/group': 515 | tag: 'CIS-13.4' 516 | pattern: "^+:" 517 | description: Verify No Legacy "+" Entries Exist in /etc/group File 518 | 519 | sysctl: 520 | randomize_va_space: 521 | data: 522 | Debian*9: 523 | - 'kernel.randomize_va_space': 524 | tag: 'CIS-4.3' 525 | match_output: '2' 526 | description: Enable Randomized Virtual Memory Region Placement 527 | 528 | ip_forwarding: 529 | data: 530 | Debian*9: 531 | - 'net.ipv4.ip_forward': 532 | tag: 'CIS-7.1.1' 533 | match_output: '0' 534 | description: Disable IP Forwarding 535 | 536 | send_packet_redirect: 537 | data: 538 | Debian*9: 539 | - 'net.ipv4.conf.all.send_redirects': 540 | tag: 'CIS-7.1.2' 541 | match_output: '0' 542 | - 'net.ipv4.conf.default.send_redirects': 543 | tag: 'CIS-7.1.2' 544 | match_output: '0' 545 | description: Disable Send Packet Redirects 546 | 547 | source_routed_packet_acceptance: 548 | data: 549 | Debian*9: 550 | - 'net.ipv4.conf.all.accept_source_route': 551 | tag: 'CIS-7.2.1' 552 | match_output: '0' 553 | - 'net.ipv4.conf.default.accept_source_route': 554 | tag: 'CIS-7.2.1' 555 | match_output: '0' 556 | description: Disable Source 
Routed Packet Acceptance 557 | 558 | icmp_redirect_acceptance: 559 | data: 560 | Debian*9: 561 | - 'net.ipv4.conf.all.accept_redirects': 562 | tag: 'CIS-7.2.2' 563 | match_output: '0' 564 | - 'net.ipv4.conf.default.accept_redirects': 565 | tag: 'CIS-7.2.2' 566 | match_output: '0' 567 | description: Disable ICMP Redirect Acceptance 568 | 569 | icmp_secure_redirect_acceptance: 570 | data: 571 | Debian*9: 572 | - 'net.ipv4.conf.all.secure_redirects': 573 | tag: 'CIS-7.2.3' 574 | match_output: '0' 575 | - 'net.ipv4.conf.default.secure_redirects': 576 | tag: 'CIS-7.2.3' 577 | match_output: '0' 578 | description: Disable Secure ICMP Redirect Acceptance 579 | 580 | log_suspicious_packets: 581 | data: 582 | Debian*9: 583 | - 'net.ipv4.conf.all.log_martians': 584 | tag: 'CIS-7.2.4' 585 | match_output: '1' 586 | - 'net.ipv4.conf.default.log_martians': 587 | tag: 'CIS-7.2.4' 588 | match_output: '1' 589 | description: Log Suspicious Packets 590 | 591 | ignore_broadcast_requests: 592 | data: 593 | Debian*9: 594 | - 'net.ipv4.icmp_echo_ignore_broadcasts': 595 | tag: 'CIS-7.2.5' 596 | match_output: '1' 597 | description: Enable Ignore Broadcast Requests 598 | 599 | bad_error_message_protection: 600 | data: 601 | Debian*9: 602 | - 'net.ipv4.icmp_ignore_bogus_error_responses': 603 | tag: 'CIS-7.2.6' 604 | match_output: '1' 605 | description: Enable Bad Error Message Protection 606 | 607 | source_route_validation: 608 | data: 609 | Debian*9: 610 | - 'net.ipv4.conf.all.rp_filter': 611 | tag: 'CIS-7.2.7' 612 | match_output: '1' 613 | - 'net.ipv4.conf.default.rp_filter': 614 | tag: 'CIS-7.2.7' 615 | match_output: '1' 616 | description: Enable RFC-recommended Source Route Validation 617 | 618 | tcp_syn_cookies: 619 | data: 620 | Debian*9: 621 | - 'net.ipv4.tcp_syncookies': 622 | tag: 'CIS-7.2.8' 623 | match_output: '1' 624 | description: Enable TCP SYN Cookies 625 | 626 | pkg: 627 | blacklist: 628 | 629 | prelink: 630 | data: 631 | Debian*9: 632 | - 'prelink': 'CIS-4.4' 633 | 
description: Disable Prelink 634 | 635 | nis: 636 | data: 637 | Debian*9: 638 | - 'nis': 'CIS-5.1.1' 639 | description: Ensure NIS is not installed 640 | 641 | rsh-clients: 642 | data: 643 | Debian*9: 644 | - 'rsh-client': CIS-5.1.3 645 | - 'rsh-redone-client': CIS-5.1.3 646 | description: Ensure rsh client is not installed 647 | rsh-server: 648 | data: 649 | Debian*9: 650 | - 'rsh-server': CIS-5.1.2 651 | description: Ensure rsh server is not enabled 652 | 653 | talk: 654 | data: 655 | Debian*9: 656 | - 'talk': 'CIS-5.1.5' 657 | description: Ensure talk client is not installed 658 | 659 | telnet: 660 | data: 661 | Debian*9: 662 | - 'telnet': 'CIS-5.1.6' 663 | - 'telnet-server': 'CIS-5.1.6' 664 | description: Ensure telnet server is not enabled 665 | 666 | tftp: 667 | data: 668 | Debian*9: 669 | - 'tftp': 'CIS-5.1.7' 670 | - 'atftp': 'CIS-5.1.7' 671 | description: Ensure tftp-server is not enabled 672 | 673 | xinetd: 674 | data: 675 | Debian*9: 676 | - 'xinetd': 'CIS-5.1.8' 677 | description: Ensure xinetd is not enabled 678 | 679 | xorg-server: 680 | data: 681 | Debian*9: 682 | - 'xserver-xorg-core': 'CIS-6.1' 683 | description: Ensure the X Window system is not installed 684 | 685 | avahi-daemon: 686 | data: 687 | Debian*9: 688 | - 'avahi-daemon': 'CIS-6.2' 689 | description: Ensure Avahi Server is not enabled 690 | 691 | dhcp: 692 | data: 693 | Debian*9: 694 | - 'isc-dhcp-server': 'CIS-6.4' 695 | description: Ensure DHCP Server is not enabled 696 | 697 | slapd: 698 | data: 699 | Debian*9: 700 | - 'slapd': 'CIS-6.6' 701 | description: Ensure LDAP is not enabled 702 | 703 | whitelist: 704 | 705 | apparmor: 706 | data: 707 | Debian*9: 708 | - 'apparmor': 'CIS-4.5' 709 | - 'apparmor-utils': 'CIS-4.5' 710 | - 'apparmor-profiles': 'CIS-4.5' 711 | description: Activate AppArmor (Scored) Lvl2 712 | 713 | tcp_wrappers: 714 | data: 715 | Debian*9: 716 | - 'tcpd': 'CIS-7.4.1' 717 | description: Install TCP Wrappers 718 | 719 | iptables: 720 | data: 721 | Debian*9: 722 | - 
'iptables': 'CIS-7.7' 723 | - 'iptables-persistent': 'CIS-7.7' 724 | description: Ensure Firewall is active 725 | 726 | auditd: 727 | data: 728 | Debian*9: 729 | - 'auditd': 'CIS-8.1.2' 730 | description: 'Install and Enable auditd Service (Scored)' 731 | 732 | rsyslog: 733 | data: 734 | Debian*9: 735 | - 'rsyslog': 'CIS-8.2.1' 736 | description: Install the rsyslog package 737 | 738 | aide: 739 | data: 740 | Debian*9: 741 | - 'aide': 'CIS-8.3.1' 742 | description: Install AIDE (Scored) Lvl2 743 | 744 | cracklib: 745 | data: 746 | Debian*9: 747 | - 'libpam-cracklib': 'CIS-9.2.1' 748 | description: Set Password Creation Requirement Parameters Using pam_cracklib 749 | 750 | openssh_server: 751 | data: 752 | Debian*9: 753 | - 'openssh-server': 'CIS-9.3' 754 | description: Configure SSH 755 | -------------------------------------------------------------------------------- /hubblestack_nova_profiles/cve/vulners.yaml: -------------------------------------------------------------------------------- 1 | vulners_scanner: True 2 | vulners_api_key: 3 | -------------------------------------------------------------------------------- /hubblestack_nova_profiles/firewall/ssh.yaml: -------------------------------------------------------------------------------- 1 | iptables: 2 | whitelist: 3 | 4 | ssh: 5 | data: 6 | tag: 'IPTABLES-TCP-22' 7 | table: 'filter' 8 | chain: INPUT 9 | family: 'ipv4' 10 | rule: 11 | proto: tcp 12 | dport: 22 13 | match: state 14 | connstate: ESTABLISHED,RELATED 15 | jump: ACCEPT 16 | description: 'iptables: filter ipv4 tcp 22 established,related accept' 17 | 18 | -------------------------------------------------------------------------------- /hubblestack_nova_profiles/misc.yaml: -------------------------------------------------------------------------------- 1 | # This is a general-use profile to fill with your implementation-specific 2 | # checks 3 | -------------------------------------------------------------------------------- 
/hubblestack_nova_profiles/network/smtp.yaml: -------------------------------------------------------------------------------- 1 | netstat: 2 | smtp: 3 | address: 4 | - '127.0.0.1:25' 5 | -------------------------------------------------------------------------------- /hubblestack_nova_profiles/network/ssh.yaml: -------------------------------------------------------------------------------- 1 | netstat: 2 | ssh: 3 | address: 4 | - '*:22' 5 | -------------------------------------------------------------------------------- /hubblestack_nova_profiles/samples/dont_blame_nrpe.yaml: -------------------------------------------------------------------------------- 1 | grep: 2 | blacklist: 3 | 4 | dont_blame_nrpe: 5 | data: 6 | '*': 7 | - '/etc/nrpe.cfg': 8 | tag: 'CVE-2014-2913' 9 | pattern: 'dont_blame_nrpe=1' 10 | description: 'NRPE - Nagios Remote Plugin Executor' 11 | -------------------------------------------------------------------------------- /hubblestack_nova_profiles/samples/sample_command.yaml: -------------------------------------------------------------------------------- 1 | command: 2 | nodev: 3 | data: 4 | 'Red Hat Enterprise Linux Server-6': 5 | tag: CIS-1.1.10 6 | commands: 7 | - 'grep "[[:space:]]/home[[:space:]]" /etc/fstab': 8 | match_output: nodev 9 | match_output_regex: False 10 | fail_if_matched: False 11 | - 'mount | grep /home': 12 | match_output: nodev 13 | match_output_regex: False 14 | match_output_by_line: True 15 | aggregation: 'and' 16 | description: '/home should be nodev' 17 | -------------------------------------------------------------------------------- /hubblestack_nova_profiles/samples/sample_control.yaml: -------------------------------------------------------------------------------- 1 | stat: 2 | grub_conf_own: 3 | data: 4 | 'CentOS-6': 5 | - '/etc/grub.conf': 6 | tag: 'CIS-1.5.1' 7 | user: 'root' 8 | uid: 0 9 | group: 'root' 10 | gid: 0 11 | 'CentOS Linux-7': 12 | - '/etc/grub2/grub.cfg': 13 | tag: 'CIS-1.5.1' 14 | user: 'root' 
15 | uid: 0 16 | group: 'root' 17 | gid: 0 18 | description: 'Grub must be owned by root (Scored)' 19 | control: 'We do not care about this' 20 | 21 | grub_conf_perm: 22 | data: 23 | 'CentOS-6': 24 | - '/etc/grub.conf': 25 | tag: 'CIS-1.5.2' 26 | mode: 600 27 | 'CentOS Linux-7': 28 | - '/etc/grub2/grub.cfg': 29 | tag: 'CIS-1.5.2' 30 | mode: 600 31 | description: 'Grub must have permissions 600 (Scored)' 32 | 33 | hosts_allow: 34 | data: 35 | 'CentOS-6': 36 | - '/etc/hosts.allow': 37 | tag: 'CIS-4.5.3' 38 | mode: 644 39 | 'CentOS Linux-7': 40 | - '/etc/hosts.allow': 41 | tag: 'CIS-4.5.3' 42 | mode: 644 43 | description: '/etc/hosts.allow must have permissions 644 (Scored)' 44 | control: 'We do not care about this' 45 | 46 | hosts_deny: 47 | data: 48 | 'CentOS-6': 49 | - '/etc/hosts.deny': 50 | tag: 'CIS-4.5.5' 51 | mode: 644 52 | 'CentOS Linux-7': 53 | - '/etc/hosts.deny': 54 | tag: 'CIS-4.5.5' 55 | mode: 644 56 | description: '/etc/hosts.deny must have permissions 644 (Scored)' 57 | control: 'We do not care about this' 58 | 59 | anacrontab: 60 | data: 61 | 'CentOS-6': 62 | - '/etc/anacrontab': 63 | tag: 'CIS-6.1.3' 64 | mode: 600 65 | user: 'root' 66 | uid: 0 67 | group: 'root' 68 | gid: 0 69 | 'CentOS Linux-7': 70 | - '/etc/anacrontab': 71 | tag: 'CIS-6.1.3' 72 | mode: 600 73 | user: 'root' 74 | uid: 0 75 | group: 'root' 76 | gid: 0 77 | description: '/etc/anacrontab file must be owned by root and must have permissions 600 (Scored)' 78 | 79 | 80 | 81 | pkg: 82 | blacklist: 83 | 84 | telnet: 85 | data: 86 | 'CentOS-6': 87 | - 'telnet-server': 'CIS-2.1.1' 88 | - 'telnet': 'CIS-2.1.2' 89 | 'CentOS Linux-7': 90 | - 'telnet-server': 'CIS-2.1.1' 91 | - 'telnet': 'CIS-2.1.2' 92 | description: 'Remove telnet and telnet-server (Scored)' 93 | 94 | rsh: 95 | data: 96 | 'CentOS-6': 97 | - 'rsh-server': 'CIS-2.1.3' 98 | - 'rsh': 'CIS-2.1.4' 99 | 'CentOS Linux-7': 100 | - 'rsh-server': 'CIS-2.1.3' 101 | - 'rsh': 'CIS-2.1.4' 102 | description: 'Remove rsh and rsh-server (Scored)' 
103 | control: 'We do not care about this' 104 | 105 | nis: 106 | data: 107 | 'CentOS-6': 108 | - 'ypbind': 'CIS-2.1.5' 109 | - 'ypserv': 'CIS-2.1.6' 110 | 'CentOS Linux-7': 111 | - 'ypbind': 'CIS-2.1.5' 112 | - 'ypserv': 'CIS-2.1.6' 113 | description: 'Remove nis client and nis server (Scored)' 114 | 115 | tftp: 116 | data: 117 | 'CentOS-6': 118 | - 'tftp': 'CIS-2.1.7' 119 | - 'tftp-server': 'CIS-2.1.8' 120 | 'CentOS Linux-7': 121 | - 'tftp': 'CIS-2.1.7' 122 | - 'tftp-server': 'CIS-2.1.8' 123 | description: 'Remove tftp and tftp-server (Scored)' 124 | control: 'We do not care about this' 125 | 126 | 127 | sysctl: 128 | restrict_suid_core_dumps: 129 | data: 130 | 'CentOS-6': 131 | - 'fs.suid_dumpable': 132 | tag: 'CIS-1.6.1' 133 | match_output: '0' 134 | description: 'Restrict SUID Core Dumps (Scored)' 135 | 136 | exec_shield: 137 | data: 138 | 'CentOS-6': 139 | - 'kernel.exec-shield': 140 | tag: 'CIS-1.6.2' 141 | match_output: '1' 142 | description: 'Configure ExecShield (Scored)' 143 | control: 'We do not care about this' 144 | 145 | randomize_va_space: 146 | data: 147 | 'CentOS-6': 148 | - 'kernel.randomize_va_space': 149 | tag: 'CIS-1.6.3' 150 | match_output: '2' 151 | 'CentOS Linux-7': 152 | - 'kernel.randomize_va_space': 153 | tag: 'CIS-1.6.2' 154 | match_output: '2' 155 | description: 'Enable Randomized Virtual Memory Region Placement (Scored)' 156 | 157 | 158 | 159 | grep: 160 | whitelist: 161 | 162 | fstab_tmp_partition: 163 | data: 164 | CentOS-6: 165 | - '/etc/fstab': 166 | tag: 'CIS-1.1.1' 167 | pattern: '/tmp' 168 | CentOS Linux-7: 169 | - '/etc/fstab': 170 | tag: 'CIS-1.1.1' 171 | pattern: '/tmp' 172 | Ubuntu-14.04: 173 | - '/etc/fstab': 174 | tag: 'CIS-2.1' 175 | pattern: '/tmp' 176 | description: 'Create Separate Partition for /tmp (Scored)' 177 | control: 'We do not care about this' 178 | 179 | fstab_tmp_partition_nodev: 180 | data: 181 | CentOS-6: 182 | - '/etc/fstab': 183 | tag: 'CIS-1.1.2' 184 | pattern: '/tmp' 185 | match_output: 'nodev' 186 | 
CentOS Linux-7: 187 | - '/etc/fstab': 188 | tag: 'CIS-1.1.2' 189 | pattern: '/tmp' 190 | match_output: 'nodev' 191 | Ubuntu-14.04: 192 | - '/etc/fstab': 193 | tag: 'CIS-2.2' 194 | pattern: '/tmp' 195 | match_output: 'nodev' 196 | description: 'Set nodev option for /tmp Partition (Scored)' 197 | 198 | blacklist: 199 | legacy_passwd_entries_passwd: 200 | data: 201 | 'CentOS-6': 202 | - '/etc/passwd': 203 | tag: 'CIS-9.2.2' 204 | pattern: "^+:" 205 | CentOS Linux-7: 206 | - '/etc/passwd': 207 | tag: 'CIS-9.2.2' 208 | pattern: "^+:" 209 | description: 'Verify No Legacy "+" Entries Exist in /etc/passwd (Scored)' 210 | control: 'We do not care about this' 211 | 212 | legacy_passwd_entries_shadow: 213 | data: 214 | 'CentOS-6': 215 | - '/etc/shadow': 216 | tag: 'CIS-9.2.3' 217 | pattern: "^+:" 218 | CentOS Linux-7: 219 | - '/etc/shadow': 220 | tag: 'CIS-9.2.3' 221 | pattern: "^+:" 222 | description: 'Verify No Legacy "+" Entries Exist in /etc/shadow (Scored)' 223 | 224 | legacy_passwd_entries_group: 225 | data: 226 | 'CentOS-6': 227 | - '/etc/group': 228 | tag: 'CIS-9.2.4' 229 | pattern: "^+:" 230 | CentOS Linux-7: 231 | - '/etc/group': 232 | tag: 'CIS-9.2.4' 233 | pattern: "^+:" 234 | description: 'Verify No Legacy "+" Entries Exist in /etc/group (Scored)' 235 | control: 'We do not care about this' 236 | -------------------------------------------------------------------------------- /hubblestack_nova_profiles/samples/sample_firewall.yaml: -------------------------------------------------------------------------------- 1 | firewall: 2 | whitelist: 3 | 4 | ssh: 5 | data: 6 | tag: 'FIREWALL-TCP-22' 7 | table: 'filter' 8 | chain: INPUT 9 | family: 'ipv4' 10 | rule: 11 | proto: tcp 12 | dport: 22 13 | match: state 14 | connstate: RELATED,ESTABLISHED 15 | jump: ACCEPT 16 | description: 'ssh iptables rule check' 17 | 18 | -------------------------------------------------------------------------------- /hubblestack_nova_profiles/samples/sample_openssl.yaml: 
-------------------------------------------------------------------------------- 1 | openssl: 2 | google: 3 | data: 4 | tag: 'CERT-001' # tag (required) 5 | endpoint: 'www.google.com' # required if file is not defined 6 | file: null # /path/to/the/pem/file (required if endpoint is not defined) 7 | port: 443 # required only if both 8 | # - endpoint is defined 9 | # - https is not configured on port 443 10 | not_after: 30 # minimum number of days until expiration (default value: 0) 11 | # the check fails if the certificate expires in less than 30 days 12 | not_before: 10 # number of days until the certificate becomes valid (default value: 0) 13 | # the check fails if the certificate becomes valid in more than 10 days 14 | fail_if_not_before: True # fails the check if the certificate is not valid yet 15 | description: 'google certificate' 16 | -------------------------------------------------------------------------------- /hubblestack_nova_profiles/security/meltdown_spectre.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # The following checks aim to detect whether a relevant mitigation technique against 3 | # the Meltdown or Spectre vulnerabilities is active. 4 | # This is done in two separate checks: the first checks whether a needed kernel feature 5 | # is present, the second checks whether the feature reports as active or at 6 | # least is not disabled. If both checks succeed, a host should be protected against 7 | # the vulnerability in question. 8 | # The reasoning for this approach was twofold: 9 | # * in some Linux distros there was no other way to detect this. 10 | # * in large fleets of different Linux flavors, tracking many different types of 11 | # check results can become burdensome. 
12 | # 13 | 14 | grep: 15 | blacklist: 16 | linux-meltdown-not-disabled: 17 | data: 18 | '*': 19 | - '/sys/devices/system/cpu/vulnerabilities/meltdown': 20 | tag: 'CVE-2017-5754-fix-enabled' 21 | pattern: 'Vulnerable' 22 | match_on_file_missing: True 23 | description: 'Check if CVE-2017-5754 mitigation has NOT been disabled in Linux.' 24 | linux-spectrev1-not-disabled: 25 | data: 26 | '*': 27 | - '/sys/devices/system/cpu/vulnerabilities/spectre_v1': 28 | tag: 'CVE-2017-5753-fix-enabled' 29 | pattern: 'Vulnerable' 30 | match_on_file_missing: True 31 | description: 'Check if CVE-2017-5753 mitigation has NOT been disabled in Linux.' 32 | linux-spectrev2-not-disabled: 33 | data: 34 | '*': 35 | - '/sys/devices/system/cpu/vulnerabilities/spectre_v2': 36 | tag: 'CVE-2017-5715-fix-enabled' 37 | pattern: 'Vulnerable' 38 | match_on_file_missing: True 39 | description: 'Check if CVE-2017-5715 mitigation has NOT been disabled in Linux.' 40 | linux-mds-not-disabled: 41 | data: 42 | '*': 43 | - '/sys/devices/system/cpu/vulnerabilities/mds': 44 | tag: 'CVE-2018-12130-fix-enabled' 45 | pattern: 'Vulnerable' 46 | match_on_file_missing: True 47 | grep_args: 48 | - '-i' 49 | description: 'Check if CVE-2018-12130 mitigation has NOT been disabled in Linux.' 50 | linux-l1tf-not-disabled: 51 | data: 52 | '*': 53 | - '/sys/devices/system/cpu/vulnerabilities/l1tf': 54 | tag: 'CVE-2018-3620-fix-enabled' 55 | pattern: 'Vulnerable' 56 | match_on_file_missing: True 57 | grep_args: 58 | - '-i' 59 | description: 'Check if CVE-2018-3620 mitigation has NOT been disabled in Linux.' 60 | whitelist: 61 | check_cpuinfo_for_pcid: 62 | data: 63 | '*': 64 | - '/proc/cpuinfo': 65 | tag: 'Meltdown-pcid' 66 | pattern: 'flags' 67 | match_output: ' pcid' 68 | grep_args: 69 | - '-i' 70 | description: 'Check the /proc/cpuinfo file for the pcid flag.' 
71 | check_cpuinfo_for_invpcid: 72 | data: 73 | '*': 74 | - '/proc/cpuinfo': 75 | tag: 'Meltdown-invpcid' 76 | pattern: 'flags' 77 | match_output: ' invpcid ' 78 | grep_args: 79 | - '-i' 80 | description: 'Check the /proc/cpuinfo file for the invpcid flag.' 81 | check_cpuinfo_for_invpcid_single: 82 | data: 83 | '*': 84 | - '/proc/cpuinfo': 85 | tag: 'Meltdown-invpcid_single' 86 | pattern: 'flags' 87 | match_output: ' invpcid_single' 88 | grep_args: 89 | - '-i' 90 | description: 'Check the /proc/cpuinfo file for the invpcid_single flag.' 91 | check_cpuinfo_for_intel: 92 | data: 93 | '*': 94 | - '/proc/cpuinfo': 95 | tag: 'Meltdown-intel' 96 | pattern: 'vendor_id' 97 | match_output: ' GenuineIntel' 98 | description: 'Check if it is an Intel cpu.' 99 | 100 | stat: 101 | linux-mds-present: 102 | data: 103 | '*': 104 | - '/sys/devices/system/cpu/vulnerabilities/mds': 105 | tag: 'CVE-2018-12130-fix-present' 106 | user: root 107 | uid: 0 108 | group: root 109 | gid: 0 110 | description: 'Check for CVE-2018-12130 mitigation capability presence in Linux.' 111 | linux-l1tf-present: 112 | data: 113 | '*': 114 | - '/sys/devices/system/cpu/vulnerabilities/l1tf': 115 | tag: 'CVE-2018-3620-fix-present' 116 | user: root 117 | uid: 0 118 | group: root 119 | gid: 0 120 | description: 'Check for CVE-2018-3620 mitigation capability presence in Linux.' 121 | linux-meltdown-present: 122 | data: 123 | '*': 124 | - '/sys/devices/system/cpu/vulnerabilities/meltdown': 125 | tag: 'CVE-2017-5754-fix-present' 126 | user: root 127 | uid: 0 128 | group: root 129 | gid: 0 130 | description: 'Check for CVE-2017-5754 mitigation capability presence in Linux.' 131 | linux-spectrev1-present: 132 | data: 133 | '*': 134 | - '/sys/devices/system/cpu/vulnerabilities/spectre_v1': 135 | tag: 'CVE-2017-5753-fix-present' 136 | user: root 137 | uid: 0 138 | group: root 139 | gid: 0 140 | description: 'Check for CVE-2017-5753 mitigation capability presence in Linux.' 
141 | linux-spectrev2-present: 142 | data: 143 | '*': 144 | - '/sys/devices/system/cpu/vulnerabilities/spectre_v2': 145 | tag: 'CVE-2017-5715-fix-present' 146 | user: root 147 | uid: 0 148 | group: root 149 | gid: 0 150 | description: 'Check for CVE-2017-5715 mitigation capability presence in Linux.' 151 | -------------------------------------------------------------------------------- /hubblestack_nova_profiles/security/ssh_passwordauthentication.yaml: -------------------------------------------------------------------------------- 1 | # 2 | # These checks aim to determine various authentication-related settings in sshd_config. 3 | # These checks do not exist in the official CIS benchmarks - we'll just keep them on the side. 4 | # 5 | 6 | grep: 7 | whitelist: 8 | sshd_passwdauthentication_no: 9 | data: 10 | '*': 11 | - /etc/ssh/sshd_config: 12 | match_output: 'PasswordAuthentication no' 13 | pattern: ^\\s*PasswordAuthentication 14 | tag: 'sshd-passwordauthentication-no' 15 | description: Ensure password authentication is disabled in sshd_config 16 | sshd_authenticationmethods_publickey: 17 | data: 18 | '*': 19 | - /etc/ssh/sshd_config: 20 | pattern: ^\\s*AuthenticationMethods\\s.*publickey.* 21 | tag: 'sshd-authenticationmethods-publickey' 22 | description: Check for explicitly configured publickey authentication method 23 | -------------------------------------------------------------------------------- /hubblestack_nova_profiles/stig/rhel-6-mac-1-classified.yaml: -------------------------------------------------------------------------------- 1 | ####################################################################################### 2 | # This is the Hubblestack Nova Auditing profile for the DISA STIGs: 3 | # 4 | # Source: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/MAC-1_Classified/ 5 | # OS Finger: Red Hat Enterprise Linux Server-6 6 | # Audit Level: MAC-I Classified 7 | # 8 | # Usage: 9 | # salt hubble.audit 10 | # salt hubble.audit 11 | 
# salt hubble.audit 12 | # 13 | # Tags use the Vulnerability ID from the STIGs 14 | # Example: You can check for a specific tag with this usage: 15 | # 16 | # salt hubble.audit stig-rhel6-mac1-classified.yaml V-38677 17 | # 18 | # The Description field is structured following this scheme: (Severity) 19 | # 20 | # Coverage: 21 | # NOTE: At this time, hubblestack provides 000% coverage of stig inspections 22 | # due to the suite of available modules. As more modules become available, 23 | # coverage will increase. 24 | # 25 | # Current coverage: XX / 264 = 000% 26 | # High Severity: 09 Done, 06 Partial, 2 Blocker = 15 / 17 = 88% 27 | # - V-38666: (Partial) 28 | # - Tailored: Checking for Clam AV packages installed and in cron.daily 29 | # - Cannot verify the output of the nails status command for 30 | # McAfee scans at this time 31 | # - Cannot verify the age of AV definitions as a result of the output 32 | # of a command at this time 33 | # - V-38476: Cannot verify the output of the rpm command at this time 34 | # - V-38491: Cannot verify presence of a file within a discovered list of directories 35 | # - V-38602: (Partial) checking for a running service, but cannot verify the 36 | # output of the chkconfig command 37 | # - V-38594: (Partial) checking for a running service, but cannot verify the 38 | # output of the chkconfig command 39 | # - V-38598: (Partial) checking for a running service, but cannot verify the 40 | # output of the chkconfig command 41 | # - V-38589: (Partial) checking for a running service, but cannot verify the 42 | # output of the chkconfig command 43 | # - V-38701: Potentially a false positive if the file does not exist. 44 | # Medium Severity: XX / 146 = 000% 45 | # Low Severity: XX / 101 = 000% 46 | # 47 | # Tailoring: 48 | # You may need to tailor some of these inspections to your system/site to account 49 | # for: 50 | # 1. your environmental configuration 51 | # ex: using McAfee AV Scan vs ClamAV 52 | 
compensating controls you may have 53 | # 3. tailoring you've done for your specific system 54 | # 55 | ####################################################################################### 56 | grep: 57 | blacklist: 58 | snmpd_not_use_default_passwd: 59 | data: 60 | Red Hat Enterprise Linux Server-6: 61 | - /etc/snmp/snmpd.conf: 62 | pattern: '^[^#]' 63 | match_output: public 64 | tag: V-38653 65 | description: (HIGH) The snmpd service must not use a default password. 66 | rpm_cryptographically_verify_packages: 67 | data: 68 | Red Hat Enterprise Linux Server-6: 69 | - /etc/rpmrc: 70 | pattern: nosignature 71 | tag: V-38462 72 | - /usr/lib/rpm/rpmrc: 73 | pattern: nosignature 74 | tag: V-38462 75 | - /usr/lib/rpm/redhat/rpmrc: 76 | pattern: nosignature 77 | tag: V-38462 78 | - /root/.rpmrc: 79 | pattern: nosignature 80 | tag: V-38462 81 | description: | 82 | (HIGH) The RPM package management tool must cryptographically verify 83 | the authenticity of all software packages during installation. 84 | null_passwords_cannot_be_used: 85 | data: 86 | Red Hat Enterprise Linux Server-6: 87 | - /etc/pam.d/system-auth: 88 | pattern: nullok 89 | tag: V-38497 90 | - /etc/pam.d/system-auth-ac: 91 | pattern: nullok 92 | tag: V-38497 93 | - /etc/pam.d/password-auth: 94 | pattern: nullok 95 | tag: V-38497 96 | - /etc/pam.d/password-auth-ac: 97 | pattern: nullok 98 | tag: V-38497 99 | - /etc/pam.d/sshd: 100 | pattern: nullok 101 | tag: V-38497 102 | description: (HIGH) The system must not allow null passwords to be used. 103 | nfs_no_insecure_file_locking: 104 | data: 105 | Red Hat Enterprise Linux Server-6: 106 | - /etc/exports: 107 | pattern: insecure_locks 108 | tag: V-38677 109 | description: (HIGH) The NFS server must not have the insecure file locking option enabled. 
110 | sshd_no_empty_passwords: 111 | data: 112 | Red Hat Enterprise Linux Server-6: 113 | - /etc/ssh/sshd_config: 114 | pattern: '^PermitEmptyPasswords' 115 | match_output: "yes" 116 | tag: V-38614 117 | - /etc/ssh/sshd_config: 118 | pattern: '^PermitEmptyPasswords' 119 | match_output: "Yes" 120 | tag: V-38614 121 | description: (HIGH) The SSH daemon must not allow authentication using an empty password. 122 | 123 | whitelist: 124 | x86_ctrl_alt_del_disabled: 125 | data: 126 | Red Hat Enterprise Linux Server-6: 127 | - /etc/init/control-alt-delete.override: 128 | pattern: '^exec /usr/bin/logger' 129 | match_output: security.info "Control-Alt-Delete pressed" 130 | tag: V-38668 131 | description: (HIGH) The x86 Ctrl-Alt-Delete key sequence must be disabled. 132 | sshd_use_only_SSHv2_protocol: 133 | data: 134 | Red Hat Enterprise Linux Server-6: 135 | - /etc/ssh/sshd_config: 136 | pattern: '^Protocol' 137 | match_output: Protocol 2 138 | tag: V-38607 139 | description: (HIGH) The SSH daemon must be configured to use only the SSHv2 protocol. 140 | tftp_daemon_operate_in_secure_mode: 141 | # NOTE: potentially a false positive if the file does not exist 142 | data: 143 | Red Hat Enterprise Linux Server-6: 144 | - /etc/xinetd.d/tftp: 145 | pattern: '^server_args' 146 | match_output: -s 147 | tag: V-38701 148 | description: | 149 | (HIGH) The TFTP daemon must operate in secure mode which provides 150 | access only to a single directory on the host file system. Potentially 151 | a false positive if this file does not exist. 152 | 153 | pkg: 154 | blacklist: 155 | rsh-server_not_installed: 156 | data: 157 | Red Hat Enterprise Linux Server-6: 158 | - rsh-server: V-38591 159 | description: (HIGH) The rsh-server package must not be installed. 160 | telnet-server_not_installed: 161 | data: 162 | Red Hat Enterprise Linux Server-6: 163 | - telnet-server: V-38587 164 | - telnet: V-38587 165 | description: (HIGH) The telnet-server and telnet package must not be installed. 
166 | 167 | whitelist: 168 | approved_virus_scan_program: 169 | # NOTE: This will need to be updated for your respective organization. 170 | # This particular check is validating that the clamav package is installed. 171 | # This is a multi-part check to verify V-38666. Under the stat section, 172 | # there is a check to verify the cron.daily script for clamav inspection. 173 | data: 174 | Red Hat Enterprise Linux Server-6: 175 | - clamav: V-38666 176 | - clamd: V-38666 177 | description: (HIGH) The system must use and update a DoD-approved virus scan program. 178 | 179 | service: 180 | blacklist: 181 | rlogind_not_running: 182 | # This is partially implemented to ensure that the service is not running. 183 | # This inspection alone does not fully satisfy the STIG check as it does 184 | # not currently check the output of the chkconfig command 185 | data: 186 | Red Hat Enterprise Linux Server-6: 187 | - rlogin: V-38602 188 | description: (High) The rlogind service must not be running. 189 | rshd_not_running: 190 | # This is partially implemented to ensure that the service is not running. 191 | # This inspection alone does not fully satisfy the STIG check as it does 192 | # not currently check the output of the chkconfig command 193 | data: 194 | Red Hat Enterprise Linux Server-6: 195 | - rsh: V-38594 196 | description: (High) The rshd service must not be running. 197 | rexecd_not_running: 198 | # This is partially implemented to ensure that the service is not running. 199 | # This inspection alone does not fully satisfy the STIG check as it does 200 | # not currently check the output of the chkconfig command 201 | data: 202 | Red Hat Enterprise Linux Server-6: 203 | - rexec: V-38598 204 | description: (High) The rexecd service must not be running. 205 | telnet_not_running: 206 | # This is partially implemented to ensure that the service is not running. 
207 | # This inspection alone does not fully satisfy the STIG check as it does 208 | # not currently check the output of the chkconfig command 209 | data: 210 | Red Hat Enterprise Linux Server-6: 211 | - telnet: V-38589 212 | description: (High) The telnet daemon must not be running. 213 | 214 | stat: 215 | cron_daily_clamscan_host: 216 | # NOTE: This will need to be updated for your respective organization. 217 | # This particular check is validating that clamav is run on a daily basis. 218 | # This is a multi-part check to verify V-38666. Under the pkg section, 219 | # there is a check to verify clamav is installed. 220 | data: 221 | Red Hat Enterprise Linux Server-6: 222 | - /etc/cron.daily/clamscan_host.sh: 223 | group: root 224 | user: root 225 | mode: 755 226 | tag: V-38666 227 | description: (HIGH) The system must use and update a DoD-approved virus scan program. 228 | -------------------------------------------------------------------------------- /hubblestack_nova_profiles/top.nova: -------------------------------------------------------------------------------- 1 | # Default top.nova 2 | # 3 | # Subscribes to CIS, cve_scan, and misc.yaml for miscellaneous checks 4 | 5 | nova: 6 | 'G@osfinger:*CoreOS*': 7 | - cis.coreos-level-1 8 | 'G@osfinger:CentOS-6': 9 | - cis.centos-6-level-1-scored-v2-0-1 10 | 'G@osfinger:CentOS*Linux-7': 11 | - cis.centos-7-level-1-scored-v2-2-0 12 | 'G@osfinger:Debian*7': 13 | - cis.debian-7 14 | 'G@osfinger:Debian*8': 15 | - cis.debian-8-level-1-scored-v1-0-0 16 | 'G@osfinger:Debian*9': 17 | - cis.debian-9-level-1-scored-v1-0-0 18 | 'G@osfinger:Red*Hat*Enterprise*Linux*Server-6': 19 | - cis.rhels-6-level-1-scored-v2-0-1 20 | 'G@osfinger:Red*Hat*Enterprise*Linux*Server-7': 21 | - cis.rhels-7-level-1-scored-v2-2-0 22 | 'G@osfinger:Red*Hat*Enterprise*Linux*Workstation-7': 23 | - cis.rhelw-7-level-1-scored-v2-1-0 24 | 'G@osfinger:Ubuntu-12.04': 25 | - cis.ubuntu-1204-level-1-scored-v1-0-0 26 | 'G@osfinger:Ubuntu-14.04': 27 | - 
cis.ubuntu-1404-level-1-scored-v1-0-0 28 | 'G@osfinger:Ubuntu-16.04': 29 | - cis.ubuntu-1604-level-1-scored-v1-1-0 30 | 'G@osfinger:Ubuntu-18.04': 31 | - cis.ubuntu-1804-level-1-scored-v1-0-0 32 | 'G@osfullname:Microsoft*Windows*Server*2008*': 33 | - cis.windows-2008r2-level-1-scored-v3-0-1 34 | 'G@osfullname:Microsoft*Windows*Server*2012*': 35 | - cis.windows-2012r2-level-1-scored-v2-3-0 36 | 'G@osfullname:Microsoft*Windows*Server*2016*': 37 | - cis.windows-2016-level-1-scored-v1-0-0 38 | 'G@osfinger:Amazon*Linux*2014*': 39 | - cis.amazon-201409-level-1-scored-v1-0-0 40 | 'G@osfinger:Amazon*Linux*2015*': 41 | - cis.amazon-level-1-scored-v1-0-0 42 | 'G@osfinger:Amazon*Linux*2016*': 43 | - cis.amazon-level-1-scored-v2-1-0 44 | 'G@osfinger:Amazon*Linux*2017*': 45 | - cis.amazon-level-1-scored-v2-1-0 46 | 'G@osfinger:Amazon*Linux*2018*': 47 | - cis.amazon-level-1-scored-v2-1-0 48 | 'G@kernel:Linux': 49 | - security.meltdown_spectre 50 | - security.ssh_passwordauthentication 51 | - cis.distribution-independent-linux-level-1-all-v1-1-0 52 | #'G@kernel:Linux and not G@osfinger:*CoreOS*': 53 | # - cve.vulners 54 | -------------------------------------------------------------------------------- /hubblestack_pulsar/hubblestack_pulsar_config.yaml: -------------------------------------------------------------------------------- 1 | /lib: { recurse: True, auto_add: True } 2 | /bin: { recurse: True, auto_add: True } 3 | /sbin: { recurse: True, auto_add: True } 4 | /boot: { recurse: True, auto_add: True } 5 | /lib64: { recurse: True, auto_add: True } 6 | /usr/lib: { recurse: True, auto_add: True } 7 | /usr/bin: { recurse: True, auto_add: True } 8 | /usr/sbin: { recurse: True, auto_add: True } 9 | /usr/lib64: { recurse: True, auto_add: True } 10 | /usr/libexec: { recurse: True, auto_add: True } 11 | /usr/local/etc: { recurse: True, auto_add: True } 12 | /usr/local/bin: { recurse: True, auto_add: True } 13 | /usr/local/lib: { recurse: True, auto_add: True } 14 | /usr/local/sbin: { 
recurse: True, auto_add: True } 15 | /usr/local/libexec: { recurse: True, auto_add: True } 16 | /opt/bin: { recurse: True, auto_add: True } 17 | /opt/osquery: { recurse: True, auto_add: True } 18 | /opt/hubble: { recurse: True, auto_add: True } 19 | /etc: 20 | exclude: 21 | - /etc/passwd.lock 22 | - /etc/shadow.lock 23 | - /etc/gshadow.lock 24 | - /etc/group.lock 25 | - /etc/passwd+ 26 | - /etc/passwd- 27 | - /etc/shadow+ 28 | - /etc/shadow- 29 | - /etc/group+ 30 | - /etc/group- 31 | - /etc/gshadow+ 32 | - /etc/gshadow- 33 | - /etc/cas/timestamp 34 | - /etc/resolv.conf.tmp 35 | - /etc/pki/nssdb/key4.db-journal 36 | - /etc/pki/nssdb/cert9.db-journal 37 | - /etc/salt/gpgkeys/random_seed 38 | - /etc/blkid/blkid.tab.old 39 | - \/etc\/blkid\/blkid\.tab\-\w{6}$: 40 | regex: True 41 | - \/etc\/passwd\.\d*$: 42 | regex: True 43 | - \/etc\/group\.\d*$: 44 | regex: True 45 | - \/etc\/shadow\.\d*$: 46 | regex: True 47 | - \/etc\/gshadow\.\d*$: 48 | regex: True 49 | recurse: True 50 | auto_add: True 51 | return: splunk_pulsar_return 52 | checksum: sha256 53 | stats: True 54 | batch: True 55 | -------------------------------------------------------------------------------- /hubblestack_pulsar/hubblestack_pulsar_win_config.yaml: -------------------------------------------------------------------------------- 1 | C:\Program Files (x86)\Hubble: 2 | exclude: 3 | - C:\Program Files (x86)\Hubble\var\* 4 | C:\Users: 5 | exclude: 6 | - C:\Users\*\AppData\Local\VMware\vpx\* 7 | - C:\Users\*\AppData\Local\Mozilla\Firefox\Profiles\* 8 | - C:\Users\*\AppData\Local\Temp\* 9 | C:\Windows: 10 | mask: 11 | - File create 12 | - File delete 13 | - Security change 14 | - 'Rename: old name' 15 | exclude: 16 | - C:\Windows\System32\* 17 | - C:\Windows\security\logs\diagnosis.log 18 | - C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive?.dat 19 | - C:\Windows\WinSxS\FileMaps\* 20 | - C:\Windows\security\logs\* 21 | - C:\Windows\ServiceProfiles\LocalService\AppData\Local\* 22 | - 
C:\Windows\security\templates\policies\* 23 | - C:\Windows\CCM\Logs\* 24 | - C:\Windows\security\database\* 25 | - C:\Windows\SoftwareDistribution\* 26 | - C:\Windows\WinSxS\* 27 | return: splunk_pulsar_return 28 | batch: True 29 | checksum: sha256 30 | -------------------------------------------------------------------------------- /hubblestack_pulsar/top.pulsar: -------------------------------------------------------------------------------- 1 | pulsar: 2 | '*': 3 | - hubblestack_pulsar_config 4 | -------------------------------------------------------------------------------- /hubblestack_pulsar/win_top.pulsar: -------------------------------------------------------------------------------- 1 | pulsar: 2 | '*': 3 | - hubblestack_pulsar_win_config 4 | -------------------------------------------------------------------------------- /hubblestack_schedule: -------------------------------------------------------------------------------- 1 | # Due to bugs in the scheduler in some versions of Salt, we generally 2 | # recommend using the cron.d file in this same repo rather than this 3 | # scheduler data. It is kept here in case you want to use it. 
4 | 5 | schedule: 6 | nova_day: 7 | function: hubble.top 8 | seconds: 86400 9 | kwargs: 10 | verbose: True 11 | show_profile: True 12 | returner: splunk_nova_return 13 | return_job: False 14 | run_on_start: False 15 | nebula_fifteen_min: 16 | function: nebula.queries 17 | seconds: 900 18 | args: 19 | - fifteen_min 20 | returner: splunk_nebula_return 21 | return_job: False 22 | run_on_start: False 23 | nebula_hour: 24 | function: nebula.queries 25 | seconds: 3600 26 | args: 27 | - hour 28 | returner: splunk_nebula_return 29 | return_job: False 30 | run_on_start: False 31 | nebula_day: 32 | function: nebula.queries 33 | seconds: 86400 34 | args: 35 | - day 36 | returner: splunk_nebula_return 37 | return_job: False 38 | run_on_start: False 39 | cache_pulsar: 40 | function: cp.cache_file 41 | seconds: 86400 42 | args: 43 | - salt://hubblestack_pulsar/hubblestack_pulsar_config.yaml 44 | return_job: False 45 | --------------------------------------------------------------------------------