Hubblestack Documentation Release 2016.7.1

HubbleStack Documentation Release 2016.7.1

Christer Edwards

Nov 10, 2016

Contents

1 Components 3

i ii HubbleStack Documentation, Release 2016.7.1

Welcome to the HubbleStack documentation! Hubble is a modular, open-source security compliance framework built on top of SaltStack. The project provides on- demand profile-based auditing, real-time security event notifications, automated remediation, alerting and reporting. Hubble can “dock” with any existing SaltStack installation, and requires very little work to get started. This document describes installation, configuration and general use.

Contents 1 HubbleStack Documentation, Release 2016.7.1

2 Contents CHAPTER 1

Components

Hubble is made up of four different components, each playing a role in the overall auditing of your systems. These components are described here: • Nova - Nova is Hubble’s profile-based auditing engine. • Pulsar - Pulsar is Hubble’s real-time event system. • Nebula- Nebula is Hubble’s security snapshot utility. • Quasar - Quasar is Hubble’s flexible reporting suite. Each of these components are modular, flexible, and easy to drop into place for any size infrastructure. While each of these components can be used standalone it is often required to combine each components with it’s corresponding Quasar module. Quasar modules are what connects Nova, Nebula and Pulsar to external endpoints such as Splunk, Slack, etc.

New to HubbleStack? Explore some of these topics:

1.1 Nova

Nova is the best place to get started with Hubble. Using pre-built security and compliance “profiles”, Nova will give you a complete picture of your security stance. Check out the installation docs: • Package Installation (stable) • Manual Installation (develop) Have a look at the Nova module list, and learn how audit modules work. • Nova Modules ... or read through some of the pre-built profiles: • Nova Profiles

Tip: Once you have Nova installed, check out Quasar next.

3 HubbleStack Documentation, Release 2016.7.1

1.2 Nebula

See also: Nebula has a hard dependency on osquery. See install requirements here https://osquery.io/downloads/ Nebula allows you to take snapshots of your systems by scheduling speciﬁc queries. These queries capture information such as: • running processes • established outbound connections • listening processes • suid binaries • crontab • installed packages • ...anything else you’d like to query Check out the installation docs: • Package Installation (stable) • Manual Installation (develop) Have a look at the Nebula modules: • Nebula Modules.

Tip: Once you have Nebula installed, checkout Quasar next.

1.3 Pulsar

See also: Pulsar has a dependency on the Python pyinotify library. See: Pulsar Required Packages Pulsar watches for ﬁlesystem events as they happen and notify you in real-time regarding any changes. • Package Installation (stable) • Manual Installation (develop) You can also take a look at the Pulsar module list: • Pulsar Modules

Tip: Next step? Check out the Quasar modules to collect Pulsar event data.

4 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1

1.4 Quasar

Quasar modules are integral in collecting and tracking your security data. In general you’ll want to combine each HubbleStack component (Nova, Pulsar, Nebula) with it’s corresponding Quasar module. • Package Installation (stable) • Manual Installation (develop) You can also take a look at the Pulsar module list: • Quasar Modules

1.4.1 Components

Nova

Introduction

Nova is designed to audit the compliance and security level of a system. It is composed of multiple modules, which ingest YAML configuration profiles to run a single or series of audits against a system. Two different installation methods are outlined below. The first method is more stable (and therefore recommended). This method uses Salt’s package manager to track versioned, packaged updates to Hubble’s components. The second method installs directly from git. It should be considered bleeding edge and possibly unstable.

Installation

Each of the four HubbleStack components have been packaged for use with Salt’s Package Manager (SPM). Note that all SPM installation commands should be done on the Salt Master. Required Configuration Salt’s Package Manager (SPM) installs files into /srv/spm/{salt,pillar}. Ensure that this path is defined in your Salt Master’s file_roots:

file_roots: - /srv/salt - /srv/spm/salt

Note: This should be the default value. To verify run: salt-call config.get file_roots

Tip: Remember to restart the Salt Master after making this change to the conﬁguration.

1.4. Quasar 5 HubbleStack Documentation, Release 2016.7.1

Installation (Packages)

Installation is as easy as downloading and installing packages. (Note: in future releases you’ll be able to subscribe directly to our HubbleStack SPM repo for updates and bugﬁxes!) Nova packages have been divided into modules and proﬁles. This way we can iterate policy changes separate from the code. Nova Modules wget https://spm.hubblestack.io/nova/hubblestack_nova-2016.10.2-1.spm spm local install hubblestack_nova-2016.10.2-1.spm

Nova Proﬁles wget https://spm.hubblestack.io/nova/hubblestack_nova_profiles-20161101-1.spm spm local install hubblestack_nova_profiles-20161101-1.spm

You should now be able to sync the new modules to your minion(s) using the sync_modules Salt utility: salt \* saltutil.sync_modules

Once these modules are synced you are ready to run a HubbleStack Nova audit. Skip to Usage.

Installation (Manual)

Place _modules/hubble.py into your salt/_modules/ directory, and sync it to the minions. git clone https://github.com/hubblestack/nova.git hubblestack-nova.git cd hubblestack-nova.git mkdir -p /srv/salt/_modules/ cp _modules/hubble.py /srv/salt/_modules/ cp -a hubblestack_nova_profiles /srv/salt/ cp -a hubblestack_nova /srv/salt/ salt \* saltutil.sync_modules salt \* hubble.sync

Installation (GitFS)

This installation method subscribes directly to our GitHub repository, pinning to a tag or branch. This method requires no package installation or manual checkouts. Requirements: GitFS support on your Salt Master. /etc/salt/master.d/hubblestack-nova.conf gitfs_remotes: - https://github.com/hubblestack/nova: - base: v2016.10.2

Tip: Remember to restart the Salt Master after applying this change.

6 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1

Skip to Usage.

Usage

There are four primary functions in the hubble.py module: 1. hubble.sync will sync the hubblestack_nova_profiles/ and hubblestack_nova/ directories to the minion(s). 2. hubble.load will load the synced audit modules and their yaml configuration files. 3. hubble.audit will audit the minion(s) using the YAML profile(s) you provide as comma-separated arguments 4. hubble.top will audit the minion(s) using the top.nova configuration. hubble.audit takes two optional arguments. The first is a comma-separated list of paths. These paths can be files or directories within the hubblestack_nova_profiles directory. The second argument allows for toggling Nova configuration, such as verbosity, level of detail, etc. If hubble.audit is run without targeting any audit configs or directories, it will instead run hubble.top with no arguments. hubble.audit will return a list of audits which were successful, and a list of audits which failed. Here are some example calls:

# Run the cve scanner and the CIS profile: salt \* hubble.audit cve.scan-v2,cis.centos-7-level-1-scored-v1

# Run hubble.top with the default topfile (top.nova) salt \* hubble.top

# Run all yaml configs and tags under salt://hubblestack_nova_profiles/foo/ # and salt://hubblestack_nova_profiles/bar, but only run audits with tags # starting with "CIS" salt \* hubble.audit foo,bar tags='CIS*'

Nova Topﬁles

Nova topﬁles look very similar to saltstack topﬁles, except the top-level key is always nova, as nova doesn’t have environments.

nova: '*': - cve.scan-v2 - network.ssh - network.smtp 'web*': - cis.centos-7-level-1-scored-v1 - cis.centos-7-level-2-scored-v1 'G@os_family:debian': - network.ssh - cis.debian-7-level-1-scored:'CIS *'

Additionally, all nova topfile matches are compound matches, so you never need to define a match type like you do in saltstack topfiles.

1.4. Quasar 7 HubbleStack Documentation, Release 2016.7.1

Each list item is a string representing the dot-separated location of a yaml file which will be run with hubble.audit. You can also specify a tag glob to use as a filter for just that yaml file, using a colon after the yaml file (turning it into a dictionary). See the last two lines in the yaml above for examples. Examples:

salt' *' hubble.top salt' *' hubble.top foo/bar/top.nova salt' *' hubble.top foo/bar.nova verbose=True

Compensating Control Conﬁguration

In some cases, your organization may want to skip certain audit checks for certain hosts. This is supported via compensating control configuration. You can skip a check globally by adding a control: key to the check itself. This key should be added at the same level as description and trigger pieces of a check. In this case, the check will never run, and will output under the Controlled results key. Nova also supports separate control profiles, for more fine-grained control using topfiles. You can use a separate YAML top-level key called control. Generally, you’ll put this top-level key inside of a separate YAML file and only include it in the top-data for the hosts for which it is relevant. For these separate control configs, the audits will always run, whether they are controlled or not. However, controlled audits which fail will be converted from Failure to Controlled in a post-processing operation. The control config syntax is as follows:

control: - CIS-2.1.4: This is the reason we control the check - some_other_tag: reason: This is the reason we control the check - a_third_tag_with_no_reason

Note that providing a reason for the control is optional. Any of the three formats shown in the yaml list above will work. Once you have your compensating control conﬁg, just target the yaml to the hosts you want to control using your topﬁle. In this case, all the audits will still run, but if any of the controlled checks fail, they will be removed from Failure and added to Controlled, and will be treated as a Success for the purposes of compliance percentage.

Schedule

In order to run the audits once daily, you can use the following cron job: /etc/cron.d/hubble

MAILTO="" SHELL=/bin/bash @daily root /usr/bin/salt '*' hubble.top verbose=True,show_profile=True -- ˓→return splunk_nova_return

8 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1

Conﬁguration

Under the Hood

1. The directory/environment in which nova searches for audit modules are conﬁgurable via pillar. The defaults are shown below:

hubblestack: nova: saltenv: base module_dir: salt://hubblestack_nova profile_dir: salt://hubblestack_nova_profiles

2. By default, hubble.audit will call hubble.load (which in turn calls hubble.sync) in order to ensure that it is auditing with the most up-to-date information. These operations are fairly fast, but if you want to avoid the additional overhead, you can disable these behaviors via pillar (defaults are shown, change to False to disable behaviors):

hubblestack: nova: autosync: True autoload: True

Development

If you’re interested in contributing to this project this section outlines the structure and requirements for Nova audit module development.

Anatomy of a Nova audit module

#-*- encoding: utf-8 -*- ''' Loader and primary interface for nova modules

:maintainer: HubbleStack :maturity: 20160214 :platform: Linux :requires: SaltStack

''' from __future__ import absolute_import import logging

All Nova plugins should include the above header, expanding the docstring to include full documentation

import fnmatch import salt.utils

def __virtual__(): if salt.utils.is_windows(): return False,'This audit module only runs on linux' return True

1.4. Quasar 9 HubbleStack Documentation, Release 2016.7.1

def audit(data_list, tag, verbose=False, show_profile=False, debug=False): __tags__=[] for profile, data in data_list: # This is where you process the dictionaries passed in by hubble.py, # searching for data pertaining to this audit module. Modules which # require no data should use yaml which is empty except for a # top-level key, and should only do work if the top-level key is # found in the data

# if show_profile is True, then we need to also inject the profile # in the data for each check so that it appears in verbose output pass

ret={'Success': [],'Failure': []} for tag in __tags__: if fnmatch.fnmatch(tag, tags): # We should run this tag # ret['Success'].append(tag) return ret

All Nova plugins require a __virtual__() function to determine module compatibility, and an audit() function to perform the actual audit functionality The audit() function must take four arguments, data_list, tag, verbose, show_profile, and debug. The data_list argument is a list of dictionaries passed in by hubble.py. hubble.py gets this data from loading the specified yaml for the audit run. Your audit module should only run if it finds its own data in this list. The tag argument is a glob expression for which tags the audit function should run. It is the job of the audit module to compare the tag glob with all tags supported by this module and only run the audits which match. The verbose argument defines whether additional information should be returned for audits, such as description and remediation instructions. The show_profile argument tells whether the profile should be injected into the verbose data for each check. The debug argument tells whether the module should log additional debugging information at debug log level. The return value should be a dictionary, with optional keys “Success”, “Failure”, and “Controlled”. The values for these keys should be a list of one-key dictionaries in the form of {: }, or a list of one-key dictionaries in the form of {: } (in the case of verbose).

Contribute

If you are interested in contributing or offering feedback to this project feel free to submit an issue or a pull request. We’re very open to community contribution.

10 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1

Modules

Audit Modules

command

Conﬁguration

Sample YAML data, with inline comments:

1 command:

2 nodev:

3 data:

4 'Red Hat Enterprise Linux Server-6':

5 tag: CIS-1.1.10 # (required)

6 commands: # list of command stanzas with individual flags

7 -'grep "[[:space:]]/home[[:space:]]" /etc/fstab':

8 # Check the output for this pattern

9 # If match_output not provided, any output will be a match

10 match_output: nodev

11 # Use regex when matching the output (default False)

12 match_output_regex: False

13 # Invert the success criteria. If True, a match will cause failure

˓→(default False)

14 fail_if_matched: False

15 -'mount| grep /home':

16 match_output: nodev

17 match_output_regex: False

18 # Match each line of the output against our pattern

19 # Any that don't match will make the audit fail (default False)

20 match_output_by_line: True

21 -?

22 |

23 echo 'this is a multi-line'

24 echo 'bash script'

25 echo 'note the special ? syntax'

26 :

27 # Shell through which the script will be run, must be abs path

28 shell: /bin/bash

29 match_output: this

30 # Aggregation strategy for multiple commands. Defaults to 'and', other

˓→option is 'or'

31 aggregation:'and'

32 # Catch-all, if no other osfinger match was found 33 '*': 34 tag: generic_tag

35 commands:

1.4. Quasar 11 HubbleStack Documentation, Release 2016.7.1

36 -'grep "[[:space:]]/home[[:space:]]" /etc/fstab':

37 match_output: nodev

38 match_output_regex: False

39 fail_if_matched: False

40 -'mount| grep /home':

41 match_output: nodev

42 match_output_regex: False

43 match_output_by_line: True

44 aggregation:'and'

45 # Description will be output with the results

46 description:'/home should be nodev'

grep

maintainer HubbleStack / basepi maturity 2016.7.0 platform All requires SaltStack, HubbleStack Nova source https://github.com/HubbleStack/Nova/blob/develop/hubblestack_nova/grep.py HubbleStack Nova plugin for using grep to verify settings in files. Supports both blacklisting and whitelisting patterns. Blacklisted patterns must not be found in the specified file. Whitelisted patterns must be found in the specified file.

Conﬁguration

Sample proﬁle data, with inline comments:

1 grep: # module definition

2 whitelist: # 'whitelist' or 'blacklist'

3 fstab_tmp_partition: # unique ID

4 data: # required key

5 CentOS Linux-6: # osfinger grain

6 -'/etc/fstab': # full path to file

7 tag:'CIS-1.1.1' # audit tag

8 pattern:'/tmp' # grep pattern

9 match_output:'nodev' # string to check for in output of grep

˓→command (optional)

10 match_output_regex: True # whether to use regex when matching

˓→output (default: False)

11 grep_args: # extra args to grep

12 -'-E' # -E, --extended-regexp

13 -'-i' # -i, --ignore-case

14 -'-B2' # -B num, --before-context=num

15 match_on_file_missing: True # See below

16 17 '*': # wildcard, will be run if no direct ˓→osfinger match

18 -'/etc/fstab': # full path to file

19 tag:'CIS-1.1.1' # audit tag

20 pattern:'/tmp' # grep pattern

22 ## optional

23 description: |

12 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1

24 The /tmp directory is intended to be world-writable, which presents a risk

25 of resource exhaustion if it is not bound to a separate partition.

If match_on_file_missing is ommitted, success/failure will be determined entirely based on the grep command and other arguments. If it’s set to True and the file is missing, then it will be considered a match (success for whitelist, failure for blacklist). If it’s set to False and the file is missing, then it will be considered a non-match (success for blacklist, failure for whitelist). If the file exists, this setting is ignored.

iptables

maintainer HubbleStack / avb76 maturity 2016.7.0 platform All requires SaltStack, HubbleStack Nova source https://github.com/HubbleStack/Nova/blob/develop/hubblestack_nova/ﬁrewall.py Hubble Nova plugin for using iptables to verify ﬁrewall rules.

Conﬁguration

Sample YAML data, with inline comments:

1 firewall: # module definition

2 whitelist: # whitelist or blacklist

3 ssh: # unique id

4 data: # required key

5 tag:'FIREWALL-TCP-22' # audit tag

6 table:'filter' # table to check (REQUIRED)

7 chain: INPUT # INPUT / OUTPUT / FORWARD (REQUIRED)

8 rule: # dict containing the elements for

˓→building the rule

9 proto: tcp # protocol (tcp/udp/icmp)

10 dport: 22 # destination port

11 match: state # rule match

12 connstate: RELATED,ESTABLISHED # connection state

13 jump: ACCEPT # 'jump' destination

14 family:'ipv4' # iptables family (REQUIRED)

15 description:'ssh iptables rule check' # description of the check

A few words about the auditing logic

The audit function uses the iptables.build_rule salt execution module to build the actual iptables rule to be checked.

How are the rules built?

The elements in the rule dictionary will be used to build the iptables rule. Note: table, chain and family are not required under the rule key. Note: iptables.build_rule does not verify the syntax of the iptables rules. Here is a list of accepted iptables rules elements, based on the iptables.build_rule source code:

1.4. Quasar 13 HubbleStack Documentation, Release 2016.7.1

• command • position • full • target • jump • proto/protocol • if • of • match • match-set • connstate • dport • sport • dports • sports • comment • set • jump Check the following links for more details: • iptables.build_rule - upstream SaltStack documentation • iptables salt execution module source code (search for the build_rule function inside):

netstat

Conﬁguration

Sample data for the netstat whitelist:

1 netstat: # module definition

2 ssh: # unique id 3 address:' *:22' # netstat output match 4 another_identifier: # unique id

5 address: # multiline output match

6 - 127.0.0.1:80 # multiline output match

7 - 0.0.0.0:80 # multiline output match

14 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1

openscap

maintainer HubbleStack / cedwards maturity 2016.7.0 platform All requires SaltStack, HubbleStack Nova, openscap, RHEL source https://github.com/HubbleStack/Nova/blob/develop/hubblestack_nova/cve_scan.py This module automates the ingestion of security advisory announcements, CVE scanning and reporting. This feature was inspired by FreeBSD’s VuXML integration with pkg audit. To run an on-demand CVE scan, ensure that the oscap execution module is synced to your system(s).

Usage

Red Hat publishes security advisories in the form of an XML file. These files follow a specific standard, which requires an additional dependency to use: openscap. The XML files can be found here: https://www.redhat.com/security/data/oval/. This module supports fetching CVE data directly from upstream, or serving locally through your salt:/ fileserver. See also: openscap Profile

openssl

maintainer HubbleStack / avb76 maturity 2016.7.0 platform All requires SaltStack, HubbleStack Nova, python-OpenSSL source https://github.com/HubbleStack/Nova/blob/develop/hubblestack_nova/openssl.py HubbleStack Nova module for auditing SSL certiﬁcates.

Conﬁguration

Sample YAML data, with in line comments:

1 openssl: # module definition

2 google: # unique ID

3 data: # required key

4 tag:'CERT-001' # TAG

5 endpoint:'www.google.com' # https endpoint

6 file: False # PEM input file

7 port: 443 # port (default: 443)

8 not_after: 15 # optional

9 not_before: 2 # optional

10 fail_if_not_before: False # optional

11 description:'google certificate'

Some words about the elements in the data dictionary: • tag: this check’s unique TAG

1.4. Quasar 15 HubbleStack Documentation, Release 2016.7.1

• endpoint: the ssl endpoint to check (endpoint or file) • file: the path to the .pem file containing the SSL certificate to be checked • port: (optional) defaults to 443 • not_after: the minimum number of days left until the certificate should expire • not_before: the expected number of days until the certificate becomes valid • fail_if_not_before: if True, the check will fail only if not_before is 0 (or missing)

Known issues

For unknown reasons (yet), the module can fail downloading the certiﬁcate from certain endpoints. When this happens, the check will fail.

pkg

maintainer HubbleStack / basepi maturity 2016.7.0 platform All requires SaltStack, HubbleStack Nova source https://github.com/HubbleStack/Nova/blob/develop/hubblestack_nova/pkg.py HubbleStack Nova module for auditing installed packages. Supports both blacklisting and whitelisting pacakges. Blacklisted packages must not be installed. Whitelisted packages must be installed. Also supported is requiring a speciﬁc version or a minimum or maximum version.

Conﬁguration

Sample YAML data, with inline comments: blacklist:

1 pkg: # module definition

2 blacklist: # 'whitelist' or 'blacklist'

3 rsh: # unique ID

4 data: # required key

5 CentOS Linux-6: # osfinger grain

6 -'rsh':'CIS-2.1.1' # pkg_name : TAG

7 description:'RSH is evil' # description of audit

9 CentOS Linux-6: # osfinger grain

10 -'rsh': # dict format allows version definition

11 tag:'CIS-2.1.3' # TAG

12 version:'4.3.2' # version

13 description:'RSH is evil' # description of audit

15 CentOS Linux-6: # osfinger grain

16 -'rsh': # dict format allows version definition

17 tag:'CIS-2.1.3' # TAG

18 version:'>=4.3.2' # flexible version

19 description:'RSH is evil' # description of audit

16 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1

whitelist:

1 pkg: # module definition

2 whitelist: # 'whitelist' or 'blacklist'

3 rsh: # unique ID

4 data: # required key

5 CentOS Linux-6: # osfinger grain

6 -'rsh':'CIS-2.1.1' # pkg_name : TAG

7 description:'RSH is awesome' # description of audit

9 -'rsh': # dict format allows version definition

10 tag:'CIS-2.1.3' # TAG

11 version:'4.3.2' # version

12 description:'RSH is awesome' # description of audit

14 -'rsh': # dict format allows version definition

15 tag:'CIS-2.1.3' # TAG

16 version:'>=4.3.2' # flexible version

17 description:'RSH is awesome' # description of audit

service

maintainer HubbleStack / basepi maturity 2016.7.0 platform All requires SaltStack, HubbleStack Nova source https://github.com/HubbleStack/Nova/blob/develop/hubblestack_nova/service.py HubbleStack Nova module for auditing running services. Supports both blacklisting and whitelisting services. Blacklisted services must not be running. Whitelisted services must be running.

Conﬁguration

Sample YAML data, with inline comments: blacklist:

1 service: # module definiton

2 blacklist: # 'whitelist' or 'blacklist'

3 telnet: # unique ID

4 data: # required key

5 CentOS Linux-6: # osfinger grain

6 -'telnet':'CIS-2.1.1' # pkg_name : TAG

7 description:'Telnet is evil' # description of audit

whitelist:

1 service: # module definition

2 whitelist: # 'whitelist' or 'blacklist'

3 rsh: # unique ID

4 data: # required key

5 CentOS Linux-7: # osfinger grain

6 -'rsh':'CIS-2.1.3' # pkg_name : TAG

1.4. Quasar 17 HubbleStack Documentation, Release 2016.7.1

7 -'rsh-server':'CIS-2.1.4' # pkg_name : TAG

8 description:'RSH is awesome' # description of audit

stat

maintainer HubbleStack / avb76 maturity 2016.7.0 platform All requires SaltStack, HubbleStack Nova source https://github.com/HubbleStack/Nova/blob/develop/hubblestack_nova/stat.py HubbleStack Nova module for using stat to verify ownership & permissions.

Conﬁguration

Sample YAML data, with inline comments:

1 stat: # module definition

2 grub_conf_owner: # unique ID

3 data: # required key

4 'CentOS-6': # osfinger grain

5 -'/etc/grub.conf': # path to configuration file

6 tag:'CIS-1.5.1' # TAG

7 user:'root' # expected user

8 uid: 0 # expected uid

9 group:'root' # expected group

10 gid: 0 # expected gid

11 description:'Grub must be owned by root' # description of audit

13 'CentOS Linux-7': # osfinger grain

14 -'/etc/grub2/grub.cfg': # path to configuration file

15 tag:'CIS-1.5.1' # TAG

16 user:'root' # expected user

17 uid: 0 # expected uid

18 group:'root' # expected group

19 gid: 0 # expected gid

20 description:'Grub must be owned by root' # description of audit

sysctl

maintainer HubbleStack / avb76 maturity 2016.7.0 platform All requires SaltStack, HubbleStack Nova source https://github.com/HubbleStack/Nova/blob/develop/hubblestack_nova/sysctl.py HubbleStack Nova module for using sysctl to verify sysctl parameter.

Conﬁguration

Sample YAML data, with inline comments:

18 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1

1 sysctl: # module definition

2 randomize_va_space: # unique ID

3 data: # required key

4 'CentOS-6': # osfinger grain

5 -'kernel.randomize_va_space': # sysctl parameter to check

6 tag:'CIS-1.6.3' # TAG

7 match_output:'2' # expected value

8 description:'Enable Randomized Virtual Memory' # description of audit

vulners.com

maintainer HubbleStack / jaredhanson11 maturity 2016.7.0 platform All requires SaltStack, HubbleStack Nova source https://github.com/HubbleStack/Nova/blob/develop/hubblestack_nova/cve_scan_v2.py Another major component of the Nova auditing system is the on-demand CVE scanning and reporting. This component automates the ingestion of security advisory announcements, and compares this data to the installed packages. This feature was inspired by FreeBSD’s VuXML integration with pkg audit. This module, scan-v2, uses a public vulnerability database at https://vulners.com. Queries to https://vulners.com are made either directly from the minion or served from your salt:/ fileserver. The defined ttl in either case will determine the amount of time the JSON data is cached on the minion. Example profiles for each of these are found at cve.scan-v2 and cve.scan-v2-salt respectively.

Conﬁguration

The required JSON ﬁles can be downloaded using the utils/cve_store.py tool found in the Nova repository. These downloaded ﬁles can then be served using salt:/. See also: utils/cve_store.py

Usage

salt \* hubble.audit cve.scan-v2

See also: openscap Audit Module

Tip: tl;dr - dash-delimited filenames only You may be tempted to name the Nova profile the same name as the XML file. Remember, a ‘.’ is a directory-separator in Hubble (and Salt), meaning you’d actually be pointing to a file salt://com/redhat/rhsa-RHEL7/xml.

1.4. Quasar 79 HubbleStack Documentation, Release 2016.7.1

rhel-6-mac-1-classiﬁed

Multiple profiles can be combined to create more comprehensive profiles. Common examples include the CIS and STIG profiles:

1 ######################################################################################

˓→#

2 # This is the Hubblestack Nova Auditing profile for the DISA SIGS:

3 #

4 # Source: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/MAC-1_

˓→Classified/

5 # OS Finger: Red Hat Enterprise Linux Server-6

6 # Audit Level: MAC-I Classified

7 #

8 # Usage:

9 # salt hubble.audit

10 # salt hubble.audit

11 # salt hubble.audit

12 #

13 # Tags use the Vulnerability ID from the STIGs

14 # Example: You can check for a specific tag with this usage:

15 #

16 # salt hubble.audit stig-rhel6-mac1-classifed.yaml V-38677

17 #

18 # The Description field is structured following this scheme: (Severity) 19 #20 # Coverage:21 # NOTE: At this time, hubblestack provides 000% coverage of stig inspections22 # due to the suite of available modules. As more modules become available,23 # coverage will increase.24 #25 # Current coverage: XX / 264 = 000%26 # High Severity: 09 Done, 06 Partial, 2 Blocker = 15 / 17 = 88%27 # - V-38666: (Partial)28 # - Tailored: Checking for Clam AV packages installed and in cron.daily29 # - Cannot verify the output of the nails status command for30 # McAfee scans a this time31 # - Cannot verify the age of AV definitions as a result of the output32 # of a command at this time33 # - V-38476: Cannot verify the output of the rpm command at this time34 # - V-38491: Cannot verify presence of a file within an discovered list of˓→directories35 # - V-38602: (Partial) checking for running service, but cannot verify the36 # output of the chkconfig command37 # - V-38594: (Partial) checking for running service, but cannot verify the38 # output of the chkconfig command39 # - V-38598: (Partial) checking for running service, but cannot verify the40 # output of the chkconfig command41 # - V-38589: (Partial) checking for running service, but cannot verify the42 # output of the chkconfig command43 # - V-38701: Potentially a false positive if the file does not exist.44 # Medium Severity: XX / 146 = 000%45 # Low Severity: XX / 101 = 000%46 #47 # Tailoring:48 # You may need to tailor some of these inspections to your system/site to account49 # for:50 # 1. your environmental configuration80 Chapter 1. Components HubbleStack Documentation, Release 2016.7.151 # ex: using McAfee AV Scan vs ClamAV52 # 2. compensating controls you may have53 # 3. tailoring you've done for your specific system54 #55 ######################################################################################˓→#56 grep:57 blacklist:58 snmpd_not_use_default_passwd:59 data:60 Red Hat Enterprise Linux Server-6:61 - /etc/snmp/snmpd.conf:62 pattern:'^[^#]'63 match_output: public64 tag: V-3865365 description: (HIGH) The snmpd service must not use a default password.66 rpm_cryptographically_verify_packages:67 data:68 Red Hat Enterprise Linux Server-6:69 - /etc/rpmrc:70 pattern: nosignature71 tag: V-3846272 - /usr/lib/rpm/rpmrc:73 pattern: nosignature74 tag: V-3846275 - /usr/lib/rpm/redhat/rpmrc:76 pattern: nosignature77 tag: V-3846278 - /root/.rpmrc:79 pattern: nosignature80 tag: V-3846281 description: |82 (HIGH) The RPM package management tool must cryptographically verify83 the authenticity of all software packages during installation.84 null_passwords_cannot_be_used:85 data:86 Red Hat Enterprise Linux Server-6:87 - /etc/pam.d/system-auth:88 pattern: nullok89 tag: V-3849790 - /etc/pam.d/system-auth-ac:91 pattern: nullok92 tag: V-3849793 - /etc/pam.d/password-auth:94 pattern: nullok95 tag: V-3849796 - /etc/pam.d/password-auth-ac:97 pattern: nullok98 tag: V-3849799 - /etc/pam.d/sshd:100 pattern: nullok101 tag: V-38497102 description: (HIGH) The system must not allow null passwords to be used.103 nfs_no_insecure_file_locking:104 data:105 Red Hat Enterprise Linux Server-6:106 - /etc/exports:107 pattern: insecure_locks1.4. Quasar 81 HubbleStack Documentation, Release 2016.7.1108 tag: V-38677109 description: (HIGH) The NFS server must not have the insecure file˓→locking option enabled.110 sshd_no_empty_passwords:111 data:112 Red Hat Enterprise Linux Server-6:113 - /etc/ssh/sshd_config:114 pattern:'^PermitEmptyPasswords'115 match_output:"yes"116 tag: V-38614117 - /etc/ssh/sshd_config:118 pattern:'^PermitEmptyPasswords'119 match_output:"Yes"120 tag: V-38614121 description: (HIGH) The SSH daemon must not allow authentication using˓→an empty password.122123 whitelist:124 x86_ctrl_alt_del_disabled:125 data:126 Red Hat Enterprise Linux Server-6:127 - /etc/init/control-alt-delete.override:128 pattern:'êxec /usr/bin/logger'129 match_output: security.info "Control-Alt-Delete pressed"130 tag: V-38668131 description: (HIGH) The x86 Ctrl-Alt-Delete key sequence must be˓→disabled.132 sshd_use_only_SSHv2_protocol:133 data:134 Red Hat Enterprise Linux Server-6:135 - /etc/ssh/sshd_config:136 pattern:'^Protocol'137 match_output: Protocol 2138 tag: V-38607139 description: (HIGH) The SSH daemon must be configured to use only the˓→SSHv2 protocol.140 tftp_daemon_operate_in_secure_mode:141 # NOTE: potentially a false positive if the file does not exist142 data:143 Red Hat Enterprise Linux Server-6:144 - /etc/xinetd.d/tftp:145 pattern:'^server_args'146 match_output: -s147 tag: V-38701148 description: |149 (HIGH) The TFTP daemon must operate in secure mode which provides150 access only to a single directory on the host <a href="/tags/File_system/" rel="tag">file system</a>. Potentially151 a false positive if this file does not exist.152153 pkg:154 blacklist:155 rsh-server_not_installed:156 data:157 Red Hat Enterprise Linux Server-6:158 - rsh-server: V-38591159 description: (HIGH) The rsh-server package must not be installed.160 telnet-server_not_installed:161 data:82 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1162 Red Hat Enterprise Linux Server-6:163 - telnet-server: V-38587164 - telnet: V-38587165 description: (HIGH) The telnet-server and telnet package must not be˓→installed.166167 whitelist:168 approved_virus_scan_program:169 # NOTE: This will need to be udated for your respective organization.170 # This particular check is validating that clamav package is installed.171 # This is a multi-part check to verify V-38666. Under the stat section,172 # there is a check to verify cron.daily script for clamav inspection.173 data:174 Red Hat Enterprise Linux Server-6:175 - clamav: V-38666176 - clamd: V-38666177 description: (HIGH) The system must use and update a DoD-approved virus˓→scan program.178179 service:180 blacklist:181 rlogind_not_running:182 # This is partially implemented to ensure that the service is not running.183 # This inspection alone does not fully satisfy the STIG check as it does184 # not current check the output of the chkconfig command185 data:186 Red Hat Enterprise Linux Server-6:187 - rlogin: V-38602188 description: (High) The rlogind service must not be running.189 rshd_not_running:190 # This is partially implemented to ensure that the service is not running.191 # This inspection alone does not fully satisfy the STIG check as it does192 # not current check the output of the chkconfig command193 data:194 Red Hat Enterprise Linux Server-6:195 - rsh: V-38594196 description: (High) The rshd service must not be running.197 rexecd_not_running:198 # This is partially implemented to ensure that the service is not running.199 # This inspection alone does not fully satisfy the STIG check as it does200 # not current check the output of the chkconfig command201 data:202 Red Hat Enterprise Linux Server-6:203 - rexec: V-38598204 description: (High) The rexecd service must not be running.205 telnet_not_running:206 # This is partially implemented to ensure that the service is not running.207 # This inspection alone does not fully satisfy the STIG check as it does208 # not current check the output of the chkconfig command209 data:210 Red Hat Enterprise Linux Server-6:211 - telnet: V-38589212 description: (High) The telnet daemon must not be running.213214 stat:215 cron_daily_clamscan_host:216 # NOTE: This will need to be udated for your respective organization.217 # This particular check is validating that clamav is run on a daily basis.1.4. Quasar 83 HubbleStack Documentation, Release 2016.7.1218 # This is a multi-part check to verify V-38666. Under the pkg section,219 # there is a check to verify clam is installed.220 data:221 Red Hat Enterprise Linux Server-6:222 - /etc/cron.daily/clamscan_host.sh:223 group: root224 user: root225 mode: 755226 tag: V-38666227 description: (HIGH) The system must use and update a DoD-approved virus˓→scan program. sample profilesCVE-2014-29131 grep:2 blacklist:34 dont_blame_nrpe:5 data: 6 '*': 7 -'/etc/nrpe.cfg':8 tag:'CVE-2014-2913'9 pattern:'dont_blame_nrpe=1'10 description:'NRPE- Nagios Remote Plugin Executor' command Profile1 command:2 nodev:3 data:4 'Red Hat Enterprise Linux Server-6':5 tag: CIS-1.1.106 commands:7 -'grep "[[:space:]]/home[[:space:]]" /etc/fstab':8 match_output: nodev9 match_output_regex: False10 fail_if_matched: False11 -'mount| grep /home':12 match_output: nodev13 match_output_regex: False14 match_output_by_line: True15 aggregation:'and'16 description:'/home should be nodev' compensating control1 stat:2 grub_conf_own:3 data:84 Chapter 1. Components HubbleStack Documentation, Release 2016.7.14 'CentOS-6':5 -'/etc/grub.conf':6 tag:'CIS-1.5.1'7 user:'root'8 uid: 09 group:'root'10 gid: 011 'CentOS Linux-7':12 -'/etc/grub2/grub.cfg':13 tag:'CIS-1.5.1'14 user:'root'15 uid: 016 group:'root'17 gid: 018 description:'Grub must be owned by root (Scored)'19 control:'We do not care about this'2021 grub_conf_perm:22 data:23 'CentOS-6':24 -'/etc/grub.conf':25 tag:'CIS-1.5.2'26 mode: 60027 'CentOS Linux-7':28 -'/etc/grub2/grub.cfg':29 tag:'CIS-1.5.2'30 mode: 60031 description:'Grub must have permissions 600 (Scored)'3233 hosts_allow:34 data:35 'CentOS-6':36 -'/etc/hosts.allow':37 tag:'CIS-4.5.3'38 mode: 64439 'CentOS Linux-7':40 -'/etc/hosts.allow':41 tag:'CIS-4.5.3'42 mode: 64443 description:'/etc/hosts.allow must have permissions 644 (Scored)'44 control:'We do not care about this'4546 hosts_deny:47 data:48 'CentOS-6':49 -'/etc/hosts.deny':50 tag:'CIS-4.5.5'51 mode: 64452 'CentOS Linux-7':53 -'/etc/hosts.deny':54 tag:'CIS-4.5.5'55 mode: 64456 description:'/etc/hosts.deny must have persmissions 644 (Scored)'57 control:'We do not care about this'5859 anacrontab:60 data:61 'CentOS-6':1.4. Quasar 85 HubbleStack Documentation, Release 2016.7.162 -'/etc/anacrontab':63 tag:'CIS-6.1.3'64 mode: 60065 user:'root'66 uid: 067 group:'root'68 gid: 069 'CentOS Linux-7':70 -'/etc/anacrontab':71 tag:'CIS-6.1.3'72 mode: 60073 user:'root'74 uid: 075 group:'root'76 gid: 077 description:'/etc/anacrontab file be owned by root and must have permissions 600˓→(Scored)'78798081 pkg:82 blacklist:8384 telnet:85 data:86 'CentOS-6':87 -'telnet-server':'CIS-2.1.1'88 -'telnet':'CIS-2.1.2'89 'CentOS Linux-7':90 -'telnet-server':'CIS-2.1.1'91 -'telnet':'CIS-2.1.2'92 description:'Remove telnet and telnet-server (Scored)'9394 rsh:95 data:96 'CentOS-6':97 -'rsh-server':'CIS-2.1.3'98 -'rsh':'CIS-2.1.4'99 'CentOS Linux-7':100 -'rsh-server':'CIS-2.1.3'101 -'rsh':'CIS-2.1.4'102 description:'Remove rsh and rsh-server (Scored)'103 control:'We do not care about this'104105 nis:106 data:107 'CentOS-6':108 -'ypbind':'CIS-2.1.5'109 -'ypserv':'CIS-2.1.6'110 'CentOS Linux-7':111 -'ypbind':'CIS-2.1.5'112 -'ypserv':'CIS-2.1.6'113 description:'Remove nis client and nis server (Scored)'114115 tftp:116 data:117 'CentOS-6':118 -'tftp':'CIS-2.1.7'86 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1119 -'tftp-server':'CIS-2.1.8'120 'CentOS Linux-7':121 -'tftp':'CIS-2.1.7'122 -'tftp-server':'CIS-2.1.8'123 description:'Remove tftp and tftp-server (Scored)'124 control:'We do not care about this'125126127 sysctl:128 restrict_suid_core_dumps:129 data:130 'CentOS-6':131 -'fs.suid_dumpable':132 tag:'CIS-1.6.1'133 match_output:'0'134 description:'Restrict SUID Core Dumps (Scored)'135136 exec_shield:137 data:138 'CentOS-6':139 -'kernel.exec-shield':140 tag:'CIS-1.6.2'141 match_output:'1'142 description:'Configure ExecShield (Scored)'143 control:'We do not care about this'144145 randomize_va_space:146 data:147 'CentOS-6':148 -'kernel.randomize_va_space':149 tag:'CIS-1.6.3'150 match_output:'2'151 'CentOS Linux-7':152 -'kernel.randomize_va_space':153 tag:'CIS-1.6.2'154 match_output:'2'155 description:'Enable Randomized Virtual Memory Region Placement (Scored)'156157158159 grep:160 whitelist:161162 fstab_tmp_partition:163 data:164 CentOS-6:165 -'/etc/fstab':166 tag:'CIS-1.1.1'167 pattern:'/tmp'168 CentOS Linux-7:169 -'/etc/fstab':170 tag:'CIS-1.1.1'171 pattern:'/tmp'172 Ubuntu-14.04:173 -'/etc/fstab':174 tag:'CIS-2.1'175 pattern:'/tmp'176 description:'Create Separate Partition for /tmp (Scored)'1.4. Quasar 87 HubbleStack Documentation, Release 2016.7.1177 control:'We do not care about this'178179 fstab_tmp_partition_nodev:180 data:181 CentOS-6:182 -'/etc/fstab':183 tag:'CIS-1.1.2'184 pattern:'/tmp'185 match_output:'nodev'186 CentOS Linux-7:187 -'/etc/fstab':188 tag:'CIS-1.1.2'189 pattern:'/tmp'190 match_output:'nodev'191 Ubuntu-14.04:192 -'/etc/fstab':193 tag:'CIS-2.2'194 pattern:'/tmp'195 match_output:'nodev'196 description:'Set nodev option for /tmp Partition (Scored)'197198 blacklist:199 legacy_passwd_entries_passwd:200 data:201 'CentOS-6':202 -'/etc/passwd':203 tag:'CIS-9.2.2'204 pattern:"^+:"205 CentOS Linux-7:206 -'/etc/passwd':207 tag:'CIS-9.2.2'208 pattern:"^+:"209 description:'Verify No Legacy "+" Entries Exist in /etc/passwd (Scored)'210 control:'We do not care about this'211212 legacy_passwd_entries_shadow:213 data:214 'CentOS-6':215 -'/etc/shadow':216 tag:'CIS-9.2.3'217 pattern:"^+:"218 CentOS Linux-7:219 -'/etc/shadow':220 tag:'CIS-9.2.3'221 pattern:"^+:"222 description:'Verify No Legacy "+" Entries Exist in /etc/shadow (Scored)'223224 legacy_passwd_entries_group:225 data:226 'CentOS-6':227 -'/etc/group':228 tag:'CIS-9.2.4'229 pattern:"^+:"230 CentOS Linux-7:231 -'/etc/group':232 tag:'CIS-9.2.4'233 pattern:"^+:"234 description:'Verify No Legacy "+" Entries Exist in /etc/group (Scored)'88 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1235 control:'We do not care about this'firewall1 firewall:2 whitelist:34 ssh:5 data:6 tag:'FIREWALL-TCP-22'7 table:'filter'8 chain: INPUT9 family:'ipv4'10 rule:11 proto: tcp12 dport: 2213 match: state14 connstate: RELATED,ESTABLISHED15 jump: ACCEPT16 description:'ssh iptables rule check' openssl1 openssl:2 google:3 data:4 tag:'CERT-001' # tag (required)5 endpoint:'www.google.com' # required if file is not defined6 file: null # /path/to/the/pem/file (required if endpoint is˓→not defined)7 port: 443 # required only if both8 # - endpoint is defined9 # - https is not configured on port 44310 not_after: 30 # minimum number of days until expiration (default˓→value: 0)11 # the check is failed if the certificate expires in˓→less then 30 days12 not_before: 10 # number of days until the ceriticate becomes˓→valid (default value: 0)13 # the check is failed if the certificate becomes˓→valid in more then 10 days14 fail_if_not_before: True # fails the check if the certificate is not valid˓→yet15 description:'google certificate' sample CIS profile1 # NOTE: This CIS Profile only includes Level 1 Scored Items.2 # NOTE: Within this file, there are a few sections that should be tailored to your3 # organization's specific policy. Search for '# NOTE: ' comments through the˓→file.41.4. Quasar 89 HubbleStack Documentation, Release 2016.7.15 pkg:6 blacklist:78 telnet:9 data:10 'Red Hat Enterprise Linux Server-6':11 -'telnet-server':'CIS-2.1.1'12 -'telnet':'CIS-2.1.2'13 'CentOS Linux-7':14 -'telnet-server':'CIS-2.1.1'15 -'telnet':'CIS-2.1.2'16 description:'Remove telnet and telnet-server (Scored)'1718 rsh:19 data:20 'Red Hat Enterprise Linux Server-6':21 -'rsh-server':'CIS-2.1.3'22 -'rsh':'CIS-2.1.4'23 'CentOS Linux-7':24 -'rsh-server':'CIS-2.1.3'25 -'rsh':'CIS-2.1.4'26 description:'Remove rsh and rsh-server (Scored)'2728 nis:29 data:30 'Red Hat Enterprise Linux Server-6':31 -'ypbind':'CIS-2.1.5'32 -'ypserv':'CIS-2.1.6'33 'CentOS Linux-7':34 -'ypbind':'CIS-2.1.5'35 -'ypserv':'CIS-2.1.6'36 description:'Remove nis client and nis server (Scored)'3738 tftp:39 data:40 'Red Hat Enterprise Linux Server-6':41 -'tftp':'CIS-2.1.7'42 -'tftp-server':'CIS-2.1.8'43 'CentOS Linux-7':44 -'tftp':'CIS-2.1.7'45 -'tftp-server':'CIS-2.1.8'46 description:'Remove tftp and tftp-server (Scored)'4748 talk:49 data:50 'Red Hat Enterprise Linux Server-6':51 -'talk':'CIS-2.1.9'52 -'talk-server':'CIS-2.1.10'53 'CentOS Linux-7':54 -'talk':'CIS-2.1.9'55 -'talk-server':'CIS-2.1.10'56 description:'Remove talk and talk-server (Scored)'5758 xinetd:59 data:60 'Red Hat Enterprise Linux Server-6':61 -'xinetd':'CIS-2.1.11'62 'CentOS Linux-7':90 Chapter 1. Components HubbleStack Documentation, Release 2016.7.163 -'xinetd':'CIS-2.1.11'64 description:'Remove xinetd (Scored)'6566 xorg-x11-server-common:67 data:68 'Red Hat Enterprise Linux Server-6':69 -'xorg-x11-server-common':'CIS-3.2'70 'CentOS Linux-7':71 -'xorg-x11-server-common':'CIS-3.2'72 description:'Remove theX Window System (Scored)'7374 avahi-daemon:75 data:76 'Red Hat Enterprise Linux Server-6':77 -'avahi-daemon':'CIS-3.3'78 'CentOS Linux-7':79 -'avahi-daemon':'CIS-3.3'80 description:'Disable Avahi Server (Scored)'8182 dhcp:83 data:84 'Red Hat Enterprise Linux Server-6':85 -'dhcp':'CIS-3.5'86 'CentOS Linux-7':87 -'dhcp':'CIS-3.5'88 description:'Remove DHCP server (Scored)'8990 whitelist:9192 aide:93 data:94 'Red Hat Enterprise Linux Server-6':95 -'aide':'CIS-1.3.1'96 'CentOS Linux-7':97 -'aide':'CIS-1.3.1'98 description:'Install AIDE (Scored)'99100 iptables:101 data:102 'Red Hat Enterprise Linux Server-6':103 -'iptables':'CIS-4.7_installed'104 description:'Install IPtables (Scored)'105106 firewalld:107 data:108 'CentOS Linux-7':109 -'firewalld':'CIS-4.7_installed'110 description:'Enable firewalld (Scored)'111112 rsyslog:113 data:114 'Red Hat Enterprise Linux Server-6':115 -'rsyslog':'CIS-5.1.1'116 'CentOS Linux-7':117 -'rsyslog':'CIS-5.1.1'118 description:'Install rsyslog (Scored)'119120 anacron:1.4. Quasar 91 HubbleStack Documentation, Release 2016.7.1121 data:122 'Red Hat Enterprise Linux Server-6':123 -'cronie-anacron':'CIS-6.1.1'124 'CentOS Linux-7':125 -'cronie-anacron':'CIS-6.1.1'126 description:'Enable anacron Daemon (Scored)'127128 stat:129 grub_conf_own:130 data:131 'Red Hat Enterprise Linux Server-6':132 -'/etc/grub.conf':133 tag:'CIS-1.5.1'134 user:'root'135 uid: 0136 group:'root'137 gid: 0138 'CentOS Linux-7':139 -'/etc/grub2/grub.cfg':140 tag:'CIS-1.5.1'141 user:'root'142 uid: 0143 group:'root'144 gid: 0145 description:'Grub must be owned by root (Scored)'146147 grub_conf_perm:148 data:149 'Red Hat Enterprise Linux Server-6':150 -'/etc/grub.conf':151 tag:'CIS-1.5.2'152 mode: 600153 'CentOS Linux-7':154 -'/etc/grub2/grub.cfg':155 tag:'CIS-1.5.2'156 mode: 600157 description:'Grub must have permissions 600 (Scored)'158159 hosts_allow:160 data:161 'Red Hat Enterprise Linux Server-6':162 -'/etc/hosts.allow':163 tag:'CIS-4.5.3'164 mode: 644165 'CentOS Linux-7':166 -'/etc/hosts.allow':167 tag:'CIS-4.5.3'168 mode: 644169 description:'/etc/hosts.allow must have permissions 644 (Scored)'170171 hosts_deny:172 data:173 'Red Hat Enterprise Linux Server-6':174 -'/etc/hosts.deny':175 tag:'CIS-4.5.5'176 mode: 644177 'CentOS Linux-7':178 -'/etc/hosts.deny':92 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1179 tag:'CIS-4.5.5'180 mode: 644181 description:'/etc/hosts.deny must have persmissions 644 (Scored)'182183 anacrontab:184 data:185 'Red Hat Enterprise Linux Server-6':186 -'/etc/anacrontab':187 tag:'CIS-6.1.3'188 mode: 600189 user:'root'190 uid: 0191 group:'root'192 gid: 0193 'CentOS Linux-7':194 -'/etc/anacrontab':195 tag:'CIS-6.1.3'196 mode: 600197 user:'root'198 uid: 0199 group:'root'200 gid: 0201 description:'/etc/anacrontab file be owned by root and must have permissions 600˓→(Scored)'202203 crontab:204 data:205 'Red Hat Enterprise Linux Server-6':206 -'/etc/crontab':207 tag:'CIS-6.1.4'208 mode: 600209 user:'root'210 uid: 0211 group:'root'212 gid: 0213 'CentOS Linux-7':214 -'/etc/crontab':215 tag:'CIS-6.1.4'216 mode: 600217 user:'root'218 uid: 0219 group:'root'220 gid: 0221 description:'/etc/crontab must be owned by root and have persmissions 600˓→(Scored)'222223 cron_hourly:224 data:225 'Red Hat Enterprise Linux Server-6':226 -'/etc/cron.hourly':227 tag:'CIS-6.1.5'228 mode: 700229 user:'root'230 uid: 0231 group:'root'232 gid: 0233 'CentOS Linux-7':234 -'/etc/cron.hourly':1.4. Quasar 93 HubbleStack Documentation, Release 2016.7.1235 tag:'CIS-6.1.5'236 mode: 700237 user:'root'238 uid: 0239 group:'root'240 gid: 0241 description:'/etc/cron.hourly must be owned by root and must have permissions˓→700 (Scored)'242243 cron_daily:244 data:245 'Red Hat Enterprise Linux Server-6':246 -'/etc/cron.daily':247 tag:'CIS-6.1.6'248 mode: 700249 user:'root'250 uid: 0251 group:'root'252 gid: 0253 'CentOS Linux-7':254 -'/etc/cron.daily':255 tag:'CIS-6.1.6'256 mode: 700257 user:'root'258 uid: 0259 group:'root'260 gid: 0261 description:'/etc/cron.daily must be owned by root and must have permissions 700˓→(Scored)'262263 cron_weekly:264 data:265 'Red Hat Enterprise Linux Server-6':266 -'/etc/cron.weekly':267 tag:'CIS-6.1.7'268 mode: 700269 user:'root'270 uid: 0271 group:'root'272 gid: 0273 'CentOS Linux-7':274 -'/etc/cron.weekly':275 tag:'CIS-6.1.7'276 mode: 700277 user:'root'278 uid: 0279 group:'root'280 gid: 0281 description:'/etc/cron.weekly must be owned by root and must have permissions˓→700 (Scored)'282283 cron_monthly:284 data:285 'Red Hat Enterprise Linux Server-6':286 -'/etc/cron.monthly':287 tag:'CIS-6.1.8'288 mode: 700289 user:'root'94 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1290 uid: 0291 group:'root'292 gid: 0293 'CentOS Linux-7':294 -'/etc/cron.monthly':295 tag:'CIS-6.1.8'296 mode: 700297 user:'root'298 uid: 0299 group:'root'300 gid: 0301 description:'/etc/cron.monthly must be owned by root and must have permissions˓→700 (Scored)'302303 cron_d:304 data:305 'Red Hat Enterprise Linux Server-6':306 -'/etc/cron.d':307 tag:'CIS-6.1.9'308 mode: 700309 user:'root'310 uid: 0311 group:'root'312 gid: 0313 'CentOS Linux-7':314 -'/etc/cron.d':315 tag:'CIS-6.1.9'316 mode: 700317 user:'root'318 uid: 0319 group:'root'320 gid: 0321 description:'/etc/cron.d must be owned by root and must have permissions 700˓→(Scored)'322323 at_allow:324 data:325 'Red Hat Enterprise Linux Server-6':326 -'/etc/at.allow':327 tag:'CIS-6.1.10'328 mode: 600329 user:'root'330 uid: 0331 group:'root'332 gid: 0333 'CentOS Linux-7':334 -'/etc/at.allow':335 tag:'CIS-6.1.10'336 mode: 600337 user:'root'338 uid: 0339 group:'root'340 gid: 0341 description:'/etc/at.allow must be owned by root and have persmissions 600˓→(Scored)'342343 at_cron_allow:344 data:1.4. Quasar 95 HubbleStack Documentation, Release 2016.7.1345 'Red Hat Enterprise Linux Server-6':346 -'/etc/cron.deny':347 tag:'CIS-6.1.11'348 mode: null349 user: null350 uid: null351 group: null352 gid: null353 -'/etc/at.deny':354 tag:'CIS-6.1.11'355 mode: null356 user: null357 uid: null358 group: null359 gid: null360 -'/etc/cron.allow':361 tag:'CIS-6.1.11'362 mode: 600363 user:'root'364 uid: 0365 group:'root'366 gid: 0367 -'/etc/at/allow':368 tag:'CIS-6.1.11'369 mode: 600370 user:'root'371 uid: 0372 group:'root'373 gid: 0374 'CentOS Linux-7':375 -'/etc/cron.deny':376 tag:'CIS-6.1.11'377 mode: null378 user: null379 uid: null380 group: null381 gid: null382 -'/etc/at.deny':383 tag:'CIS-6.1.11'384 mode: null385 user: null386 uid: null387 group: null388 gid: null389 -'/etc/cron.allow':390 tag:'CIS-6.1.11'391 mode: 600392 user:'root'393 uid: 0394 group:'root'395 gid: 0396 -'/etc/at/allow':397 tag:'CIS-6.1.11'398 mode: 600399 user:'root'400 uid: 0401 group:'root'402 gid: 096 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1403 description:'Restrict at/cron to authorized users (Scored)'404405 sshd_config:406 data:407 'Red Hat Enterprise Linux Server-6':408 -'/etc/ssh/sshd_config':409 tag:'CIS-6.2.3'410 mode: 600411 user:'root'412 uid: 0413 group:'root'414 gid: 0415 'CentOS Linux-7':416 -'/etc/ssh/sshd_config':417 tag:'CIS-6.2.3'418 mode: 600419 user:'root'420 uid: 0421 group:'root'422 gid: 0423 description:'/etc/ssh/sshd_config must be owned by root and must have˓→permissions 600 (Scored)'424425 warning_banner:426 data:427 'Red Hat Enterprise Linux Server-6':428 -'/etc/motd':429 tag:'CIS-8.1'430 mode: 644431 user:'root'432 uid: 0433 group:'root'434 gid: 0435 -'/etc/issue':436 tag:'CIS-8.1'437 mode: 644438 user:'root'439 uid: 0440 group:'root'441 gid: 0442 -'/etc/issue.net':443 tag:'CIS-8.1'444 mode: 644445 user:'root'446 uid: 0447 group:'root'448 gid: 0449 'CentOS Linux-7':450 -'/etc/motd':451 tag:'CIS-8.1'452 mode: 644453 user:'root'454 uid: 0455 group:'root'456 gid: 0457 -'/etc/issue':458 tag:'CIS-8.1'459 mode: 6441.4. Quasar 97 HubbleStack Documentation, Release 2016.7.1460 user:'root'461 uid: 0462 group:'root'463 gid: 0464 -'/etc/issue.net':465 tag:'CIS-8.1'466 mode: 644467 user:'root'468 uid: 0469 group:'root'470 gid: 0471 description:'Files containing the warning banners must be owned by root and must˓→have permissions 644 (Scored)'472473 passwd_perm:474 data:475 'Red Hat Enterprise Linux Server-6':476 -'/etc/passwd':477 tag:'CIS-9.1.2'478 mode: 644479 'CentOS Linux-7':480 -'/etc/passwd':481 tag:'CIS-9.1.2'482 mode: 644483 description:'/etc/passwd must have permissions 644 (Scored)'484485 passwd_own:486 data:487 'Red Hat Enterprise Linux Server-6':488 -'/etc/passwd':489 tag:'CIS-9.1.6'490 user:'root'491 uid: 0492 group:'root'493 uid: 0494 'CentOS Linux-7':495 -'/etc/passwd':496 tag:'CIS-9.1.6'497 user:'root'498 uid: 0499 group:'root'500 uid: 0501 description:'/etc/passwd must be owned by root (Scored)'502503 shadow_perm:504 data:505 'Red Hat Enterprise Linux Server-6':506 -'/etc/shadow':507 tag:'CIS-9.1.3'508 mode: 0509 'CentOS Linux-7':510 -'/etc/shadow':511 tag:'CIS-9.1.3'512 mode: 0513 description:'/etc/shadow must have permissions 000 (Scored)'514515 shadow_own:516 data:98 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1517 'Red Hat Enterprise Linux Server-6':518 -'/etc/shadow':519 tag:'CIS-9.1.7'520 user:'root'521 uid: 0522 group:'root'523 gid: 0524 'CentOS Linux-7':525 -'/etc/shadow':526 tag:'CIS-9.1.7'527 user:'root'528 uid: 0529 group:'root'530 gid: 0531 description:'/etc/shadow must be owned by root (Scored)'532533 gshadow_perm:534 data:535 'Red Hat Enterprise Linux Server-6':536 -'/etc/gshadow':537 tag:'CIS-9.1.4'538 mode: 0539 'CentOS Linux-7':540 -'/etc/gshadow':541 tag:'CIS-9.1.4'542 mode: 0543 description:'/etc/gshadow must have permissions 000 (Scored)'544545 gshadow_own:546 data:547 'Red Hat Enterprise Linux Server-6':548 -'/etc/gshadow':549 tag:'CIS-9.1.8'550 user:'root'551 uid: 0552 group:'root'553 gid: 0554 'CentOS Linux-7':555 -'/etc/gshadow':556 tag:'CIS-9.1.8'557 user:'root'558 uid: 0559 group:'root'560 gid: 0561 description:'/etc/gshadow must be owned by root (Scored)'562563 group_perm:564 data:565 'Red Hat Enterprise Linux Server-6':566 -'/etc/group':567 tag:'CIS-9.1.5'568 mode: 644569 'CentOS Linux-7':570 -'/etc/group':571 tag:'CIS-9.1.5'572 mode: 644573 description:'/etc/group must have permissions 000 (Scored)'5741.4. Quasar 99 HubbleStack Documentation, Release 2016.7.1575 group_own:576 data:577 'Red Hat Enterprise Linux Server-6':578 -'/etc/group':579 tag:'CIS-9.1.9'580 user:'root'581 uid: 0582 group:'root'583 gid: 0584 'CentOS Linux-7':585 -'/etc/group':586 tag:'CIS-9.1.9'587 user:'root'588 uid: 0589 group:'root'590 gid: 0591 description:'/etc/group must be owned by root (Scored)'592593 grep:594 whitelist:595596 fstab_tmp_partition:597 data:598 Red Hat Enterprise Linux Server-6:599 -'/etc/fstab':600 tag:'CIS-1.1.1'601 pattern:'/tmp'602 CentOS Linux-7:603 -'/etc/fstab':604 tag:'CIS-1.1.1'605 pattern:'/tmp'606 Ubuntu-14.04:607 -'/etc/fstab':608 tag:'CIS-2.1'609 pattern:'/tmp'610 description:'Create Separate Partition for /tmp (Scored)'611612 fstab_tmp_partition_nodev:613 data:614 Red Hat Enterprise Linux Server-6:615 -'/etc/fstab':616 tag:'CIS-1.1.2'617 pattern:'/tmp'618 match_output:'nodev'619 CentOS Linux-7:620 -'/etc/fstab':621 tag:'CIS-1.1.2'622 pattern:'/tmp'623 match_output:'nodev'624 Ubuntu-14.04:625 -'/etc/fstab':626 tag:'CIS-2.2'627 pattern:'/tmp'628 match_output:'nodev'629 description:'Set nodev option for /tmp Partition (Scored)'630631 fstab_tmp_partition_nosuid:632 data:100 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1633 Red Hat Enterprise Linux Server-6:634 -'/etc/fstab':635 tag:'CIS-1.1.3'636 pattern:'/tmp'637 match_output:'nosuid'638 CentOS Linux-7:639 -'/etc/fstab':640 tag:'CIS-1.1.3'641 pattern:'/tmp'642 match_output:'nosuid'643 Ubuntu-14.04:644 -'/etc/fstab':645 tag:'CIS-2.3'646 pattern:'/tmp'647 match_output:'nosuid'648 description:'Set nosuid option for /tmp Partition (Scored)'649650 fstab_tmp_partition_noexec:651 data:652 Red Hat Enterprise Linux Server-6:653 -'/etc/fstab':654 tag:'CIS-1.1.4'655 pattern:'/tmp'656 match_output:'noexec'657 CentOS Linux-7:658 -'/etc/fstab':659 tag:'CIS-1.1.4'660 pattern:'/tmp'661 match_output:'noexec'662 Ubuntu-14.04:663 -'/etc/fstab':664 tag:'CIS-2.4'665 pattern:'/tmp'666 match_output:'nosuid'667 description:'Set noexec option for /tmp Partition (Scored)'668669 fstab_var_partition:670 data:671 Red Hat Enterprise Linux Server-6:672 -'/etc/fstab':673 tag:'CIS-1.1.5'674 pattern:'/var'675 CentOS Linux-7:676 -'/etc/fstab':677 tag:'CIS-1.1.5'678 pattern:'/var'679 Ubuntu-14.04:680 -'/etc/fstab':681 tag:'CIS-2.5'682 pattern:'/var'683 description:'Create Separate Partition for /var (Scored)'684685 fstab_var_tmp_bind_mount:686 data:687 Red Hat Enterprise Linux Server-6:688 -'/etc/fstab':689 tag:'CIS-1.1.6'690 pattern:'/tmp'1.4. Quasar 101 HubbleStack Documentation, Release 2016.7.1691 match_output:'/var/tmp'692 CentOS Linux-7:693 -'/etc/fstab':694 tag:'CIS-1.1.6'695 pattern:'/tmp'696 match_output:'/var/tmp'697 Ubuntu-14.04:698 -'/etc/fstab':699 tag:'CIS-2.6'700 pattern:'/var'701 match_output:'/var/tmp'702 description:'Bind Mount the /var/tmp directory to /tmp (Scored)'703704 fstab_var_log_partition:705 data:706 Red Hat Enterprise Linux Server-6:707 -'/etc/fstab':708 tag:'CIS-1.1.7'709 pattern:'/var/log'710 CentOS Linux-7:711 -'/etc/fstab':712 tag:'CIS-1.1.7'713 pattern:'/var/log'714 Ubuntu-14.04:715 -'/etc/fstab':716 tag:'CIS-2.7'717 pattern:'/var/log'718 description:'Create Separate Partition for /var/log (Scored)'719720 fstab_var_log_audit_partition:721 data:722 Red Hat Enterprise Linux Server-6:723 -'/etc/fstab':724 tag:'CIS-1.1.8'725 pattern:'/var/log/audit'726 CentOS Linux-7:727 -'/etc/fstab':728 tag:'CIS-1.1.8'729 pattern:'/var/log/audit'730 Ubuntu-14.04:731 -'/etc/fstab':732 tag:'CIS-2.8'733 pattern:'/var/log/audit'734 description:'Create Separate Partition for /var/log/audit (Scored)'735736 fstab_home_partition:737 data:738 Red Hat Enterprise Linux Server-6:739 -'/etc/fstab':740 tag:'CIS-1.1.9'741 pattern:'/home'742 CentOS Linux-7:743 -'/etc/fstab':744 tag:'CIS-1.1.9'745 pattern:'/home'746 Ubuntu-14.04:747 -'/etc/fstab':748 tag:'CIS-2.9'102 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1749 pattern:'/home'750 description:'Create Separate Partition for /home (Scored)'751752 fstab_home_partition_nodev:753 data:754 Red Hat Enterprise Linux Server-6:755 -'/etc/fstab':756 tag:'CIS-1.1.10'757 pattern:'/home'758 match_output:'nodev'759 CentOS Linux-7:760 -'/etc/fstab':761 tag:'CIS-1.1.10'762 pattern:'/home'763 match_output:'nodev'764 Ubuntu-14.04:765 -'/etc/fstab':766 tag:'CIS-2.10'767 pattern:'/home'768 match_output:'nodev'769 description:'Add nodev Option to /home (Scored)'770771 fstab_dev_shm_partition_nodev:772 data:773 Red Hat Enterprise Linux Server-6:774 -'/etc/fstab':775 tag:'CIS-1.1.14'776 pattern:'/dev/shm'777 match_output:'nodev'778 CentOS Linux-7:779 -'/etc/fstab':780 tag:'CIS-1.1.14'781 pattern:'/dev/shm'782 match_output:'nodev'783 Ubuntu-14.04:784 -'/etc/fstab':785 tag:'CIS-2.14'786 pattern:'/dev/shm'787 match_output:'nodev'788 description:'Add nodev Option to /dev/shm Partition (Scored)'789790 fstab_dev_shm_partition_nosuid:791 data:792 Red Hat Enterprise Linux Server-6:793 -'/etc/fstab':794 tag:'CIS-1.1.15'795 pattern:'/dev/shm'796 match_output:'nosuid'797 CentOS Linux-7:798 -'/etc/fstab':799 tag:'CIS-1.1.15'800 pattern:'/dev/shm'801 match_output:'nosuid'802 Ubuntu-14.04:803 -'/etc/fstab':804 tag:'CIS-2.15'805 pattern:'/dev/shm'806 match_output:'nosuid'1.4. Quasar 103 HubbleStack Documentation, Release 2016.7.1807 description:'Add nosuid Option to /dev/shm Partition (Scored)'808809 fstab_dev_shm_partition_noexec:810 data:811 Red Hat Enterprise Linux Server-6:812 -'/etc/fstab':813 tag:'CIS-1.1.16'814 pattern:'/dev/shm'815 match_output:'noexec'816 CentOS Linux-7:817 -'/etc/fstab':818 tag:'CIS-1.1.16'819 pattern:'/dev/shm'820 match_output:'noexec'821 Ubuntu-14.04:822 -'/etc/fstab':823 tag:'CIS-2.16'824 pattern:'/dev/shm'825 match_output:'noexec'826 description:'Add noexec Option to /dev/shm Partition (Scored)'827828 activate_gpg_check:829 data:830 Red Hat Enterprise Linux Server-6:831 -'/etc/yum.conf':832 tag:'CIS-1.2.3'833 pattern:'gpgcheck'834 match_output:'gpgcheck=1'835 CentOS Linux-7:836 -'/etc/yum.conf':837 tag:'CIS-1.2.2'838 pattern:'gpgcheck'839 match_output:'gpgcheck=1'840 description:'Verify that gpgcheck is Globally Activated (Scored)'841842 boot_loader_passwd:843 data:844 'Red Hat Enterprise Linux Server-6':845 -'/etc/grub.conf':846 tag:'CIS-1.5.3'847 pattern:'^password'848 CentOS Linux-7:849 -'/boot/grub2/grub.cfg':850 tag:'CIS-1.5.3'851 pattern:'^password'852 description:'Set Boot Loader Password (Scored)'853854 restrict_core_dumps:855 data:856 'Red Hat Enterprise Linux Server-6':857 -'/etc/security/limits.conf':858 tag:'CIS-1.6.1'859 pattern:'hard core'860 CentOS Linux-7:861 -'/etc/security/limits.conf':862 tag:'CIS-1.6.1'863 pattern:'hard core'864 description:'Restrict Core Dumps (Scored)'104 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1865866 set_daemon_umask:867 data:868 'Red Hat Enterprise Linux Server-6':869 -'/etc/sysconfig/init':870 tag:'CIS-3.1'871 pattern:'umask'872 match_output:'umask 027'873 CentOS Linux-7:874 -'/etc/sysconfig/init':875 tag:'CIS-3.1'876 pattern:'umask'877 match_output:'umask 027'878 description:'Set Daemon umask (Scored)'879880 configure_ntp:881 data:882 'Red Hat Enterprise Linux Server-6':883 -'/etc/ntp.conf':884 tag:'CIS-3.6'885 pattern:'restrict default'886 -'/etc/ntp.conf':887 tag:'CIS-3.6'888 pattern:'restrict -6 default'889 CentOS Linux-7:890 -'/etc/ntp.conf':891 tag:'CIS-3.6'892 pattern:'restrict default'893 -'/etc/ntp.conf':894 tag:'CIS-3.6'895 pattern:'restrict -6 default'896 description:'Configure Network Time Protocol (NTP) (Scored)'897898 rsyslog_remote_logging:899 data:900 'Red Hat Enterprise Linux Server-6':901 -'/etc/rsyslog.conf':902 tag:'CIS-5.1.5' 903 pattern:"^ *.*[Î][Î]*@" 904 CentOS Linux-7:905 -'/etc/rsyslog.conf':906 tag:'CIS-5.1.5' 907 pattern:"^ *.*[Î][Î]*@" 908 description:'Configure rsyslog to Send Logs toa Remote Log Host (Scored)'909910 sshd_protocol_2:911 data:912 'Red Hat Enterprise Linux Server-6':913 -'/etc/ssh/sshd_config':914 tag:'CIS-6.2.1'915 pattern:"^Protocol"916 match_output:'Protocol2'917 CentOS Linux-7:918 -'/etc/ssh/sshd_config':919 tag:'CIS-6.2.1'920 pattern:"^Protocol"921 match_output:'Protocol2'922 description:'Set SSH Protocol to2 (Scored)'1.4. Quasar 105 HubbleStack Documentation, Release 2016.7.1923924 sshd_loglevel_info:925 data:926 'Red Hat Enterprise Linux Server-6':927 -'/etc/ssh/sshd_config':928 tag:'CIS-6.2.2'929 pattern:"^LogLevel"930 match_output:'LogLevel INFO'931 CentOS Linux-7:932 -'/etc/ssh/sshd_config':933 tag:'CIS-6.2.2'934 pattern:"^LogLevel"935 match_output:'LogLevel INFO'936 description:'Set LogLevel to INFO (Scored)'937938 sshd_x11_forwarding:939 data:940 'Red Hat Enterprise Linux Server-6':941 -'/etc/ssh/sshd_config':942 tag:'CIS-6.2.4'943 pattern:"^X11Forwarding"944 match_output:'X11Forwarding no'945 CentOS Linux-7:946 -'/etc/ssh/sshd_config':947 tag:'CIS-6.2.4'948 pattern:"^X11Forwarding"949 match_output:'X11Forwarding no'950 description:'Disable SSH X11 Forwarding (Scored)'951952 sshd_max_auth_retries:953 data:954 'Red Hat Enterprise Linux Server-6':955 -'/etc/ssh/sshd_config':956 tag:'CIS-6.2.5'957 pattern:"^MaxAuthTries"958 match_output:"MaxAuthTries4"959 CentOS Linux-7:960 -'/etc/ssh/sshd_config':961 tag:'CIS-6.2.5'962 pattern:"^MaxAuthTries"963 match_output:"MaxAuthTries4"964 description:'Set SSH MaxAuthTries to4 or Less (Scored)'965966 sshd_ignore_rhosts:967 data:968 'Red Hat Enterprise Linux Server-6':969 -'/etc/ssh/sshd_config':970 tag:'CIS-6.2.6'971 pattern:"ÎgnoreRhosts"972 match_output:"IgnoreRhosts yes"973 CentOS Linux-7:974 -'/etc/ssh/sshd_config':975 tag:'CIS-6.2.6'976 pattern:"ÎgnoreRhosts"977 match_output:"IgnoreRhosts yes"978 description:'Set SSH IgnoreRhosts to Yes (Scored)'979980 sshd_hostbased_auth:106 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1981 data:982 'Red Hat Enterprise Linux Server-6':983 -'/etc/ssh/sshd_config':984 tag:'CIS-6.2.7'985 pattern:"^HostbasedAuthentication"986 match_output:"HostbasedAuthentication no"987 CentOS Linux-7:988 -'/etc/ssh/sshd_config':989 tag:'CIS-6.2.7'990 pattern:"^HostbasedAuthentication"991 match_output:"HostbasedAuthentication no"992 description:'Set SSH HostbasedAuthentication to No (Scored)'993994 sshd_disable_root_login:995 data:996 'Red Hat Enterprise Linux Server-6':997 -'/etc/ssh/sshd_config':998 tag:'CIS-6.2.8'999 pattern:"^PermitRootLogin"1000 match_output:"PermitRootLogin no"1001 CentOS Linux-7:1002 -'/etc/ssh/sshd_config':1003 tag:'CIS-6.2.8'1004 pattern:"^PermitRootLogin"1005 match_output:"PermitRootLogin no"1006 description:'Set SSH HostbasedAuthentication to No (Scored)'10071008 sshd_permit_empty_passwords:1009 data:1010 'Red Hat Enterprise Linux Server-6':1011 -'/etc/ssh/sshd_config':1012 tag:'CIS-6.2.9'1013 pattern:"^PermitEmptyPasswords"1014 match_output:"PermitEmptyPasswords no"1015 CentOS Linux-7:1016 -'/etc/ssh/sshd_config':1017 tag:'CIS-6.2.9'1018 pattern:"^PermitEmptyPasswords"1019 match_output:"PermitEmptyPasswords no"1020 description:'Set SSH PermitEmptyPasswords to No (Scored)'10211022 sshd_permit_user_environment:1023 data:1024 'Red Hat Enterprise Linux Server-6':1025 -'/etc/ssh/sshd_config':1026 tag:'CIS-6.2.10'1027 pattern:"^PermitUserEnvironment"1028 match_output:"PermitUserEnvironment no"1029 CentOS Linux-7:1030 -'/etc/ssh/sshd_config':1031 tag:'CIS-6.2.10'1032 pattern:"^PermitUserEnvironment"1033 match_output:"PermitUserEnvironment no"1034 description:'Do Not Allow Users to Set Environment Options (Scored)'10351036 sshd_approved_cipher:1037 data:1038 'Red Hat Enterprise Linux Server-6':1.4. Quasar 107 HubbleStack Documentation, Release 2016.7.11039 -'/etc/ssh/sshd_config':1040 tag:'CIS-6.2.11'1041 pattern:"Ciphers"1042 match_output:"Ciphers aes128-ctr,aes192-ctr,aes256-ctr"1043 CentOS Linux-7:1044 -'/etc/ssh/sshd_config':1045 tag:'CIS-6.2.11'1046 pattern:"Ciphers"1047 match_output:"Ciphers aes128-ctr,aes192-ctr,aes256-ctr"1048 description:'Use Only Approved Cipher in Counter Mode (Scored)'10491050 sshd_idle_timeout:1051 data:1052 'Red Hat Enterprise Linux Server-6':1053 -'/etc/ssh/sshd_config':1054 tag:'CIS-6.2.12'1055 pattern:"^ClientAliveInterval"1056 match_output:"ClientAliveInterval 300"1057 -'/etc/ssh/sshd_config':1058 tag:'CIS-6.2.12'1059 pattern:"^ClientAliveCountMax"1060 match_output:"ClientAliveCountMax0"1061 CentOS Linux-7:1062 -'/etc/ssh/sshd_config':1063 tag:'CIS-6.2.12'1064 pattern:"^ClientAliveInterval"1065 match_output:"ClientAliveInterval 300"1066 -'/etc/ssh/sshd_config':1067 tag:'CIS-6.2.12'1068 pattern:"^ClientAliveCountMatch"1069 match_output:"ClientAliveCountMatch0"1070 description:'Set Idle Timeout Interval for User Login (Scored)'10711072 sshd_limit_access:1073 data:1074 'Red Hat Enterprise Linux Server-6':1075 -'/etc/ssh/sshd_config':1076 tag:'CIS-6.2.13'1077 pattern:"ÂllowUsers"1078 -'/etc/ssh/sshd_config':1079 tag:'CIS-6.2.13'1080 pattern:"ÂllowGroups"1081 -'/etc/ssh/sshd_config':1082 tag:'CIS-6.2.13'1083 pattern:"^DenyUsers"1084 -'/etc/ssh/sshd_config':1085 tag:'CIS-6.2.13'1086 pattern:"^DenyGroups"1087 CentOS Linux-7:1088 -'/etc/ssh/sshd_config':1089 tag:'CIS-6.2.13'1090 pattern:"ÂllowUsers"1091 -'/etc/ssh/sshd_config':1092 tag:'CIS-6.2.13'1093 pattern:"ÂllowGroups"1094 -'/etc/ssh/sshd_config':1095 tag:'CIS-6.2.13'1096 pattern:"^DenyUsers"108 Chapter 1. Components HubbleStack Documentation, Release 2016.7.11097 -'/etc/ssh/sshd_config':1098 tag:'CIS-6.2.13'1099 pattern:"^DenyGroups"1100 description:'Limit Access via SSH (Scored)'11011102 sshd_banner:1103 data:1104 'Red Hat Enterprise Linux Server-6':1105 -'/etc/ssh/sshd_config':1106 tag:'CIS-6.2.14'1107 pattern:"^Banner"1108 CentOS Linux-7:1109 -'/etc/ssh/sshd_config':1110 tag:'CIS-6.2.14'1111 pattern:"^Banner"1112 description:'Set SSH Banner (Scored)'11131114 # NOTE: Need to update this entry to reflect your organization's password policy1115 pam_cracklib_try_first_pass:1116 data:1117 'Red Hat Enterprise Linux Server-6':1118 -'/etc/pam.d/system-auth':1119 tag:'CIS-6.3.2'1120 pattern:"pam_cracklib.so"1121 match_output:"try_first_pass" # allow retrieval from previous stacked˓→PAM module1122 -'/etc/pam.d/system-auth':1123 tag:'CIS-6.3.2'1124 pattern:"pam_cracklib.so"1125 match_output:"retry=3" # Number of tries before failure1126 -'/etc/pam.d/system-auth':1127 tag:'CIS-6.3.2'1128 pattern:"pam_cracklib.so"1129 match_output:"minlen=14" # min password lenghth1130 -'/etc/pam.d/system-auth':1131 tag:'CIS-6.3.2'1132 pattern:"pam_cracklib.so"1133 match_output:"dcredit=-1" # must have at least 1 digit1134 -'/etc/pam.d/system-auth':1135 tag:'CIS-6.3.2'1136 pattern:"pam_cracklib.so"1137 match_output:"ucredit=-1" # must have at lesat 1 uppercase1138 -'/etc/pam.d/system-auth':1139 tag:'CIS-6.3.2'1140 pattern:"pam_cracklib.so"1141 match_output:"ocredit=-1" # must have at least 1 special char1142 -'/etc/pam.d/system-auth':1143 tag:'CIS-6.3.2'1144 pattern:"pam_cracklib.so"1145 match_output:"lcredit=-1" # must have at least 1 lowercase1146 description:'PAM cracklib policy (Scored)'11471148 # NOTE: Need to update this entry to reflect your organization's password policy1149 limit_password_reuse:1150 data:1151 'Red Hat Enterprise Linux Server-6':1152 -'/etc/pam.d/system-auth':1153 tag:'CIS-6.3.4'1.4. Quasar 109 HubbleStack Documentation, Release 2016.7.11154 pattern:"pam_unix.so"1155 match_output:"remember=5" # number of passwords to remember1156 'CentOS Linux-7':1157 -'/etc/pam.d/system-auth':1158 tag:'CIS-6.3.4'1159 pattern:"pam_unix.so"1160 match_output:"remember=5" # number of passwords to remember1161 description:'PAM Password Reuse (Scored)'11621163 limit_su_command_access:1164 data:1165 'Red Hat Enterprise Linux Server-6':1166 -'/etc/pam.d/su':1167 tag:'CIS-6.5'1168 pattern:"pam_wheel.so"1169 match_output:"use_uid" # number of passwords to remember1170 -'/etc/group':1171 tag:'CIS-6.5'1172 pattern:"wheel"1173 'CentOS Linux-7':1174 -'/etc/pam.d/su':1175 tag:'CIS-6.5'1176 pattern:"pam_wheel.so"1177 match_output:"use_uid" # number of passwords to remember1178 -'/etc/group':1179 tag:'CIS-6.5'1180 pattern:"wheel"1181 description:'Limit su command access (Scored)'11821183 passwd_expiration_days:1184 data:1185 'Red Hat Enterprise Linux Server-6':1186 -'/etc/login.defs':1187 tag:'CIS-7.1.1'1188 pattern:"PASS_MAX_DAYS"1189 match_output:"90"1190 CentOS Linux-7:1191 -'/etc/login.defs':1192 tag:'CIS-7.1.1'1193 pattern:"PASS_MAX_DAYS"1194 match_output:"90"1195 description:'Set Password Expiration Days (Scored)'11961197 passwd_change_min_days:1198 data:1199 'Red Hat Enterprise Linux Server-6':1200 -'/etc/login.defs':1201 tag:'CIS-7.1.2'1202 pattern:"PASS_MIN_DAYS"1203 match_output:"7"1204 CentOS Linux-7:1205 -'/etc/login.defs':1206 tag:'CIS-7.1.2'1207 pattern:"PASS_MIN_DAYS"1208 match_output:"7"1209 description:'Set Password Change Minimum Number of Days (Scored)'12101211 passwd_expiry_warning:110 Chapter 1. Components HubbleStack Documentation, Release 2016.7.11212 data:1213 'Red Hat Enterprise Linux Server-6':1214 -'/etc/login.defs':1215 tag:'CIS-7.1.3'1216 pattern:"PASS_WARN_AGE"1217 match_output:"7"1218 CentOS Linux-7:1219 -'/etc/login.defs':1220 tag:'CIS-7.1.3'1221 pattern:"PASS_WARN_AGE"1222 match_output:"7"1223 description:'Set Password Expiring Warning Days (Scored)'12241225 default_umask:1226 data:1227 'Red Hat Enterprise Linux Server-6':1228 -'/etc/bashrc':1229 tag:'CIS-7.4'1230 pattern:"ûmask 077" 1231 -'/etc/profile.d/ *': 1232 tag:'CIS-7.4'1233 pattern:"ûmask 077"1234 CentOS Linux-7:1235 -'/etc/bashrc':1236 tag:'CIS-7.4'1237 pattern:"ûmask 077" 1238 -'/etc/profile.d/ *': 1239 tag:'CIS-7.4'1240 pattern:"ûmask 077"1241 description:'Set Default umask for Users (Scored)'12421243 blacklist:1244 legacy_passwd_entries_passwd:1245 data:1246 'Red Hat Enterprise Linux Server-6':1247 -'/etc/passwd':1248 tag:'CIS-9.2.2'1249 pattern:"^+:"1250 CentOS Linux-7:1251 -'/etc/passwd':1252 tag:'CIS-9.2.2'1253 pattern:"^+:"1254 description:'Verify No Legacy "+" Entries Exist in /etc/passwd (Scored)'12551256 legacy_passwd_entries_shadow:1257 data:1258 'Red Hat Enterprise Linux Server-6':1259 -'/etc/shadow':1260 tag:'CIS-9.2.3'1261 pattern:"^+:"1262 CentOS Linux-7:1263 -'/etc/shadow':1264 tag:'CIS-9.2.3'1265 pattern:"^+:"1266 description:'Verify No Legacy "+" Entries Exist in /etc/shadow (Scored)'12671268 legacy_passwd_entries_group:1269 data:1.4. Quasar 111 HubbleStack Documentation, Release 2016.7.11270 'Red Hat Enterprise Linux Server-6':1271 -'/etc/group':1272 tag:'CIS-9.2.4'1273 pattern:"^+:"1274 CentOS Linux-7:1275 -'/etc/group':1276 tag:'CIS-9.2.4'1277 pattern:"^+:"1278 description:'Verify No Legacy "+" Entries Exist in /etc/group (Scored)'12791280 sysctl:1281 restrict_suid_core_dumps:1282 data:1283 'Red Hat Enterprise Linux Server-6':1284 -'fs.suid_dumpable':1285 tag:'CIS-1.6.1'1286 match_output:'0'1287 description:'Restrict SUID Core Dumps (Scored)'12881289 exec_shield:1290 data:1291 'Red Hat Enterprise Linux Server-6':1292 -'kernel.exec-shield':1293 tag:'CIS-1.6.2'1294 match_output:'1'1295 description:'Configure ExecShield (Scored)'12961297 randomize_va_space:1298 data:1299 'Red Hat Enterprise Linux Server-6':1300 -'kernel.randomize_va_space':1301 tag:'CIS-1.6.3'1302 match_output:'2'1303 'CentOS Linux-7':1304 -'kernel.randomize_va_space':1305 tag:'CIS-1.6.2'1306 match_output:'2'1307 description:'Enable Randomized Virtual Memory Region Placement (Scored)'13081309 ip_forwarding:1310 data:1311 'Red Hat Enterprise Linux Server-6':1312 -'net.ipv4.ip_forward':1313 tag:'CIS-4.1.1'1314 match_output:'0'1315 'CentOS Linux-7':1316 -'net.ipv4.ip_forward':1317 tag:'CIS-4.1.1'1318 match_output:'0'1319 description:'DisableIP Forwarding (Scored)'13201321 send_packet_redirect:1322 data:1323 'Red Hat Enterprise Linux Server-6':1324 -'net.ipv4.conf.all.send_redirects':1325 tag:'CIS-4.1.2'1326 match_output:'0'1327 -'net.ipv4.conf.default.send_redirects':112 Chapter 1. Components HubbleStack Documentation, Release 2016.7.11328 tag:'CIS-4.1.2'1329 match_output:'0'1330 -'net.ipv4.conf.default.send_redirects':1331 tag:'CIS-4.1.2'1332 match_output:'0'1333 'CentOS Linux-7':1334 -'net.ipv4.conf.all.send_redirects':1335 tag:'CIS-4.1.2'1336 match_output:'0'1337 -'net.ipv4.conf.default.send_redirects':1338 tag:'CIS-4.1.2'1339 match_output:'0'1340 description:'Disable Send Packet Redirect (Scored)'13411342 source_routed_packet_acceptance:1343 data:1344 'Red Hat Enterprise Linux Server-6':1345 -'net.ipv4.conf.all.accept_source_route':1346 tag:'CIS-4.2.1'1347 match_output:'0'1348 -'net.ipv4.conf.default.accept_source_route':1349 tag:'CIS-4.2.1'1350 match_output:'0'1351 'CentOS Linux-7':1352 -'net.ipv4.conf.all.accept_source_route':1353 tag:'CIS-4.2.1'1354 match_output:'0'1355 -'net.ipv4.conf.default.accept_source_route':1356 tag:'CIS-4.2.1'1357 match_output:'0'1358 description:'Disable Source Routed Packet Acceptance (Scored)'13591360 icmp_redirect_acceptance:1361 data:1362 'Red Hat Enterprise Linux Server-6':1363 -'net.ipv4.conf.all.accept_redirects':1364 tag:'CIS-4.2.2'1365 match_output:'0'1366 -'net.ipv4.conf.default.accept_redirects':1367 tag:'CIS-4.2.2'1368 match_output:'0'1369 'CentOS Linux-7':1370 -'net.ipv4.conf.all.accept_redirects':1371 tag:'CIS-4.2.2'1372 match_output:'0'1373 -'net.ipv4.conf.default.accept_redirects':1374 tag:'CIS-4.2.2'1375 match_output:'0'1376 description:'Disable ICMP Redirect Acceptance (Scored)'13771378 secure_icmp_redirect_acceptance:1379 data:1380 'Red Hat Enterprise Linux Server-6':1381 -'net.ipv4.conf.all.secure_redirects':1382 tag:'CIS-4.2.3'1383 match_output:'0'1384 -'net.ipv4.conf.default.secure_redirects':1385 tag:'CIS-4.2.3'1.4. Quasar 113 HubbleStack Documentation, Release 2016.7.11386 match_output:'0'1387 'CentOS Linux-7':1388 -'net.ipv4.conf.all.secure_redirects':1389 tag:'CIS-4.2.3'1390 match_output:'0'1391 -'net.ipv4.conf.default.secure_redirects':1392 tag:'CIS-4.2.3'1393 match_output:'0'1394 description:'Disable Secure ICMP Redirect Acceptance (Scored)'13951396 log_suspicious_packets:1397 data:1398 'Red Hat Enterprise Linux Server-6':1399 -'net.ipv4.conf.all.log_martians':1400 tag:'CIS-4.2.4'1401 match_output:'1'1402 -'net.ipv4.conf.default.log_martians':1403 tag:'CIS-4.2.4'1404 match_output:'1'1405 'CentOS Linux-7':1406 -'net.ipv4.conf.all.log_martians':1407 tag:'CIS-4.2.4'1408 match_output:'1'1409 -'net.ipv4.conf.default.log_martians':1410 tag:'CIS-4.2.4'1411 match_output:'1'1412 description:'Log Suspicious Activity (Scored)'14131414 ignore_broadcast_requests:1415 data:1416 'Red Hat Enterprise Linux Server-6':1417 -'net.ipv4.icmp_echo_ignore_broadcasts':1418 tag:'CIS-4.2.5'1419 match_output:'1'1420 'CentOS Linux-7':1421 -'net.ipv4.icmp_echo_ignore_broadcasts':1422 tag:'CIS-4.2.5'1423 match_output:'1'1424 description:'Enable Ignore Broadcast Requests (Scored)'14251426 bad_error_message_protection:1427 data:1428 'Red Hat Enterprise Linux Server-6':1429 -'net.ipv4.icmp_ignore_bogus_error_responses':1430 tag:'CIS-4.2.6'1431 match_output:'1'1432 'CentOS Linux-7':1433 -'net.ipv4.icmp_ignore_bogus_error_responses':1434 tag:'CIS-4.2.6'1435 match_output:'1'1436 description:'Enable Bad Error Message Protection (Scored)'14371438 tcp_syn_cookies:1439 data:1440 'Red Hat Enterprise Linux Server-6':1441 -'net.ipv4.tcp_syncookies':1442 tag:'CIS-4.2.8'1443 match_output:'1'114 Chapter 1. Components HubbleStack Documentation, Release 2016.7.11444 'CentOS Linux-7':1445 -'net.ipv4.tcp_syncookies':1446 tag:'CIS-4.2.8'1447 match_output:'1'1448 description:'Enable TCP SYN cookies (Scored)'14491450 service:1451 # Must be installed, no version checking (yet)1452 whitelist:1453 iptables_running: # best practice to verify the process is running1454 data:1455 'Red Hat Enterprise Linux Server-6':1456 -'iptables':'CIS-4.7_running'1457 description:'rsyslogd should be running'14581459 rsyslogd_running: # best practice to verify the process is running1460 data:1461 'Red Hat Enterprise Linux Server-6':1462 -'rsyslogd':'CIS-5.1.2_running'1463 description:'rsyslogd should be running'14641465 auditd_running: # best practice to verify the process is running1466 data:1467 'Red Hat Enterprise Linux Server-6':1468 -'auditd':'CIS-5.2_running'1469 description:'auditd should be running'14701471 anacron_running: # best practice to verify the process is running1472 data:1473 'Red Hat Enterprise Linux Server-6':1474 -'cronie-anacron':'CIS-6.1.1_running'1475 description:'anacron should be running'14761477 crond_running: # best practice to verify the process is running1478 data:1479 'Red Hat Enterprise Linux Server-6':1480 -'crond':'CIS-6.1.2_running'1481 description:'crond should be running' vulners.com (cve.scan-v2 example)This example pulls directly from vulners.com:1 cve_scan_v2:2 ttl: 864003 url:"http://vulners.com"4 # control:5 # score: 4Tip: When the url is vulners.com, this module will automatically determine the distribution and version and query the API accordingly.1.4. Quasar 115 HubbleStack Documentation, Release 2016.7.1YAML1. ttl - how long, in seconds, should we cache the CVE data. (default: 24hrs) 2. url - an http://, https:// or salt:// URL where the required CVE data can be found. 3. control - (optional) limit the CVE score reported as Failure. 4. score - (optional) severity score between 1-10. vulners.com (cve.scan-v2-salt example)This example pulls from the salt:// fileserver.1 cve_scan_v2:2 ttl: 864003 url:"salt://hubblestack_nova/centos_7.json"See also: Nova utility - utils/cve_storeYAML1. ttl - how long, in seconds, should we cache the CVE data. (default: 24hrs) 2. url - an http://, https:// or salt:// URL where the required CVE data can be found. 3. control - (optional) limit the CVE score reported as Failure. 4. score - (optional) severity score between 1-10.Tip: When the url is NOT vulners.com, this module will simply fetch the URI defined. No auto-detection is done.If you need to support multiple distributions you’ll need to create a unique profile for each distribution and target accordingly in the top.nova.UtilitiesUtilities utils/check_yaml.pyA simple utility to validate YAML syntax in Nova profiles. This utility script is available in the HubbleStack Nova repository under the utils/ directory. python ./check_yaml.py <profile.yaml>116 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1 utils/update_tags.pyThis script does four things: 1. Updates tags in yaml profile to match the cis standards, saved at <yaml>_updated.yaml. 2. Finds format errors in yaml profile. 3. Finds outdated audits in the yaml profile. 4. Finds audits in the cis standards that aren’t found in the yaml profile. It also saves a log of the results of each run at <.yaml>_updated.log Optional tags: -t : templates cis standards that aren’t included in yaml into the updated version. python ./update_tags.py <optional_tag> <profile.yaml> <profile.xls> utils/cve_store.py maintainer HubbleStack / jaredhanson11 maturity 2016.7.0 platform All requires SaltStack, HubbleStack Nova source https://github.com/HubbleStack/Nova/blob/develop/utils/cve_store.py This python script will query the https://vulners.com API for the required CVE data related to the given operating system. Data is returned in a valid JSON format, which can be served via salt://.UsageThe cve_store.py utility takes a space-delimited list of distro-version: python ./cve_store.py centos-7 ubuntu-16.04 debian-8The JSON files will be downloaded and stored in the current working directory using the naming syntax: <distro>_<version>.json>. Once you’ve downloaded the files you need you’ll need to update or create new profiles that will use the downloaded data. See also: vulners.com (cve.scan-v2-salt) profileNebulaNebulaIntroductionNebula is Hubble’s Insight system, which ties into osquery, allowing you to query your infrastructure as if it were a database. This system can be used to take scheduled snapshots of your systems.1.4. Quasar 117 HubbleStack Documentation, Release 2016.7.1Two different installation methods are outlined below. The first method is more stable (and therefore recommended). This method uses Salt’s package manager to track versioned, packaged updates to Hubble’s components. The second method installs directly from git. It should be considered bleeding edge and possibly unstable.Note: Currently only supported on Linux, on SaltStack 2015.8 and above. You can actually sync the osquery execution module from a newer version of salt to 2015.5 minions and it seems to work without issue. Officially, just upgrade to 2015.8.See also: Nebula has a hard dependency on the osqueryi binary. See install requirements here https://osquery.io/downloads/InstallationEach of the four HubbleStack components have been packaged for use with Salt’s Package Manager (SPM). Note that all SPM installation commands should be done on the Salt Master. Required Configuration Salt’s Package Manager (SPM) installs files into /srv/spm/{salt,pillar}. Ensure that this path is defined in your Salt Master’s file_roots: file_roots: - /srv/salt - /srv/spm/saltNote: This should be the default value. To verify run: salt-call config.get file_rootsTip: Remember to restart the Salt Master after making this change to the configuration.Installation (Packages)Installation is as easy as downloading and installing a package. (Note: in future releases you’ll be able to subscribe directly to our HubbleStack SPM repo for updates and bugfixes!) wget https://spm.hubblestack.io/nebula/hubblestack_nebula-2016.10.2-1.spm spm local install hubblestack_nebula-2016.10.2-1.spmYou should now be able to sync the new modules to your minion(s) using the sync_modules Salt utility: salt \* saltutil.sync_modulesOnce these modules are synced you are ready to schedule HubbleStack Nebula queries. Skip to UsageInstallation (Manual)Place _modules/nebula_osquery.py into your salt/_modules/ directory, and sync it to the minions.118 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1 git clone https://github.com/hubblestack/nebula.git hubblestack-nebula.git cd hubblestack-nebula.git mkdir -p /srv/salt/_modules/ cp _modules/nebula_osquery.py /srv/salt/_modules/ mkdir /srv/salt/hubblestack_nebula cp hubblestack_nebula/hubblestack_nebula_queries.yaml /srv/salt/hubblestack_nebula salt \* saltutil.sync_modulesOnce these modules are synced you are ready to schedule HubbleStack Nebula queries.Installation (GitFS)This installation method subscribes directly to our GitHub repository, pinning to a tag or branch. This method requires no package installation or manual checkouts. Requirements: GitFS support on your Salt Master. /etc/salt/master.d/hubblestack-nebula.conf gitfs_remotes: - https://github.com/hubblestack/nebula: - base: v2016.10.2Tip: Remember to restart the Salt Master after applying this change.UsageThese queries have been designed to give detailed insight into system activity. hubblestack_nebula/hubblestack_nebula_queries.yaml fifteen_min: - query_name: running_procs query: SELECT p.name AS process, p.pid AS process_id, p.cmdline, p.cwd, p.on_˓→disk, p.resident_size AS mem_used, p.parent, g.groupname, u.username AS user, p.˓→path, h.md5, h.sha1, h.sha256 FROM processes AS p LEFT JOIN users AS u ON p.uid=u.˓→uid LEFT JOIN groups AS g ON p.gid=g.gid LEFT JOIN hash AS h ON p.path=h.path; - query_name: established_outbound query: SELECT t.iso_8601 AS _time, pos.family, h.*, ltrim(pos.local_address, ':f ˓→') AS src, pos.local_port AS src_port, pos.remote_port AS dest_port, ltrim(remote_˓→address, ':f') AS dest, name, p.path AS file_path, cmdline, pos.protocol, lp.˓→protocol FROM process_open_sockets AS pos JOIN processes AS p ON p.pid=pos.pid LEFT ˓→JOIN time AS t LEFT JOIN (SELECT * FROM listening_ports) AS lp ON lp.port=pos.local_ ˓→port AND lp.protocol=pos.protocol LEFT JOIN hash AS h ON h.path=p.path WHERE NOT˓→remote_address='' AND NOT remote_address='::' AND NOT remote_address='0.0.0.0' AND˓→NOT remote_address='127.0.0.1' AND port is NULL; - query_name: listening_procs query: SELECT t.iso_8601 AS _time, h.md5 AS md5, p.pid, name, ltrim(address, ':f˓→') AS address, port, p.path AS file_path, cmdline, root, parent FROM listening_˓→ports AS lp LEFT JOIN processes AS p ON lp.pid=p.pid LEFT JOIN time AS t LEFT JOIN˓→hash AS h ON h.path=p.path WHERE NOT address='127.0.0.1'; - query_name: suid_binaries query: SELECT sb.*, t.iso_8601 AS _time FROM suid_bin AS sb JOIN time AS t;1.4. Quasar 119 HubbleStack Documentation, Release 2016.7.1 hour: - query_name: crontab query: SELECT c.*,t.iso_8601 AS _time FROM crontab AS c JOIN time AS t; day: - query_name: rpm_packages query: SELECT rpm.name, rpm.version, rpm.release, rpm.source AS package_source,˓→rpm.size, rpm.sha1, rpm.arch, t.iso_8601 FROM rpm_packages AS rpm JOIN time AS t;ScheduleNebula is meant to be run on a schedule. Unfortunately, in it’s present state, the Salt scheduler has a memory leak. Pending a solution we’re suggesting the use of cron for the scheduled jobs: /etc/cron.d/hubbleMAILTO="" SHELL=/bin/bash */15 **** root /usr/bin/salt '*' nebula.queries fifteen_min --return splunk_nebula_ ˓→return @hourly root /usr/bin/salt '*' nebula.queries hour --return splunk_nebula_return @daily root /usr/bin/salt '*' nebula.queries day --return splunk_nebula_returnConfigurationThe only configuration required to use Nebula is to incorporate the Queries and the Schedule into your minion config or pillar (pillar recommended). See the Usage section above for more information.Under the HoodNebula leverages the osquery_nebula execution module, which needs to be synced to each minion. In addition, this also requires the osquery binary to be installed. More information about osquery can be found at https://osquery.io.Note: osqueryd does not need to be running, as we handle the scheduled queries via Salt’s scheduler.DevelopmentDevelopment for Nebula features is either incorporated into upstream osquery, or comes in the form of additional queries that leverage existing features. If you’d like to contribute queries or schedules, please see the section below.ContributeIf you are interested in contributing or offering feedback to this project feel free to submit an issue or a pull request. We’re very open to community contribution.120 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1ModulesQuery Modules osquery maintainer HubbleStack maturity 2016.7.0 platform Unix requires SaltStack, HubbleStack Nebula, osquery source https://github.com/HubbleStack/Nebula/blob/master/_modules/nebula_osquery.py This module leverages the data made available via osquery in order to generate security snapshots of your systems. These snapshots are generally run on a schedule, with the data being gathered centrally using one of the Quasar returners.QueriesThis module requires pillar data to function. The default pillar key for this data is nebula_osquery. The queries themselves should be grouped under one or more group identifiers. Usually, these identifiers will be frequencies, such as fifteen_min or hourly or daily. The module targets the queries using these identifiers. Your pillar data might look like this: hubble_nebula.sls1 nebula_osquery:2 fifteen_min:3 - query_name: running_procs4 query: select p.name as process, p.pid as process_id, p.cmdline, p.cwd, p.on_˓→disk, p.resident_size as mem_used, p.parent, g.groupname, u.username as user, p.˓→path, h.md5, h.sha1, h.sha256 from processes as p left join users as u on p.uid=u.˓→uid left join groups as g on p.gid=g.gid left join hash as h on p.path=h.path;5 - query_name: established_outbound 6 query: select t.iso_8601 as _time, pos.family, h.*, ltrim(pos.local_address, ': ˓→f') as src, pos.local_port as src_port, pos.remote_port as dest_port, ltrim(remote_˓→address, ':f') as dest, name, p.path as file_path, cmdline, pos.protocol, lp.˓→protocol from process_open_sockets as pos join processes as p on p.pid=pos.pid left˓→join time as t LEFT JOIN listening_ports as lp on lp.port=pos.local_port AND lp.˓→protocol=pos.protocol LEFT JOIN hash as h on h.path=p.path where not remote_address=˓→'' and not remote_address='::' and not remote_address='0.0.0.0' and not remote_˓→address='127.0.0.1' and port is NULL;7 - query_name: listening_procs8 query: select t.iso_8601 as _time, h.md5 as md5, p.pid, name, ltrim(address,˓→':f') as address, port, p.path as file_path, cmdline, root, parent from listening_˓→ports as lp JOIN processes as p on lp.pid=p.pid left JOIN time as t JOIN hash as h˓→on h.path=p.path WHERE not address='127.0.0.1';9 - query_name: suid_binaries 10 query: select sb.*, t.iso_8601 as _time from suid_bin as sb join time as t; 11 hour:12 - query_name: crontab 13 query: select c.*,t.iso_8601 as _time from crontab as c join time as t; 14 day:15 - query_name: rpm_packages 16 query: select rpm.*, t.iso_8601 from rpm_packages as rpm join time as t;1.4. Quasar 121 HubbleStack Documentation, Release 2016.7.1ScheduleThe Nebula osquery module is designed to be used on a schedule. Here is a set of sample schedules for use with the sample pillar data contained in this repo: hubble_nebula.sls (cont.)1 schedule:2 nebula_fifteen_min:3 function: nebula.queries4 seconds: 9005 args:6 - fifteen_min7 nebula_hour:8 function: nebula.queries9 seconds: 360010 args:11 - hour12 nebula_day:13 function: nebula.queries14 seconds: 8640015 args:16 - dayNote: osqueryd does not need to be running, as we handle the scheduled queries via Salt’s scheduler.UsageNebula query data is best tracked in a central logging or similar system. However, if you would like to run the queries manually you can call the nebula execution module. query_group Group of queries to run verbose Defaults to False. If set to True, more information (such as the query which was run) will be included in the result. pillar_key Defaults to ‘nebula_osquery’. This is the key in pillar which will be inspected for Nebula osquery data. Examples: salt' *' nebula.queries day salt' *' nebula.queries hour[verbose=True] salt' *' nebula.queries fifteen-min[pillar_key=sec_osqueries]PulsarPulsarNote: After syncing a new version of a beacon to salt, the salt-minion must be restarted to pick up the change. See https://github.com/saltstack/salt/issues/35960 for more info122 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1IntroductionIs your infrastructure immutable? Are you sure? Pulsar is designed to monitor for file system events, acting as a real-time File Integrity Monitoring (FIM) agent. Pulsar is composed of a custom Salt beacon that watches for these events and hooks into the returner system for alerting and reporting. In other words, you can recieve real-time alerts for unscheduled file system modifications anywhere you want to recieve them. We’ve designed Pulsar to be lightweight and not dependent on a Salt Master. It simply watches for events and directly sends them to one of the Pulsar returner destinations (see the Quasar repository for more on these). Two different installation methods are outlined below. The first method is more stable (and therefore recommended). This method uses Salt’s package manager to track versioned, packaged updates to Hubble’s components. The second method installs directly from git. It should be considered bleeding edge and possibly unstable.InstallationEach of the four HubbleStack components have been packaged for use with Salt’s Package Manager (SPM). Note that all SPM installation commands should be done on the Salt Master.Required ConfigurationSalt’s Package Manager (SPM) installs files into /srv/spm/{salt,pillar}. Ensure that this path is defined in your Salt Master’s file_roots: file_roots: - /srv/salt - /srv/spm/saltNote: This should be the default value. To verify, run: salt-call config.get file_rootsTip: Remember to restart the Salt Master after making any change to the configuration.Required PackagesThere is a hard requirement on the pyinotify Python library for each minion that will run the Pulsar FIM beacon.Red Hat / CentOS salt \* pkg.install python-inotify1.4. Quasar 123 HubbleStack Documentation, Release 2016.7.1Debian / Ubuntu salt \* pkg.install python-pyinotifyInstallation (Packages)Installation is as easy as downloading and installing a package. (Note: in future releases you’ll be able to subscribe directly to our HubbleStack SPM repo for updates and bugfixes!) wget http://spm.hubblestack.io/pulsar/hubblestack_pulsar-2016.10.3-1.spm spm local install hubblestack_pulsar-2016.10.3-1.spmYou should now be able to sync the new modules to your minion(s) using the sync_modules Salt utility: salt \* saltutil.sync_beaconsCopy the pillar.example into your Salt pillar, renaming is as desired (perhaps hubblestack_pulsar.sls) and target it to selected minions. base: '*': - hubblestack_pulsar salt \* saltutil.refresh_pillarOnce these modules are synced you are ready to begin running the Pulsar beacon. Skip to Usage.Installation (Manual)Place _beacons/pulsar.py into your _beacons/ directory, and sync it to the minions. git clone https://github.com/hubblestack/pulsar.git hubblestack-pulsar.git cd hubblestack-pulsar.git mkdir -p /srv/salt/_beacons/ cp _beacons/pulsar.py /srv/salt/_beacons/ mkdir /srv/salt/hubblestack_pulsar cp hubblestack_pulsar/hubblestack_pulsar_config.yaml /srv/salt/hubblestack_pulsar cp hubblestack_pulsar/pillar.example /srv/pillar/hubblestack_pulsar.sls salt \* saltutil.sync_beaconsTarget the copied hubblestack_pulsar.sls to selected minions. base: '*': - hubblestack_pulsar salt \* saltutil.refresh_pillar124 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1Installation (GitFS)This installation method subscribes directly to our GitHub repository, pinning to a tag or branch. This method requires no package installation or manual checkouts. Requirements: GitFS support on your Salt Master. /etc/salt/master.d/hubblestack-pulsar.conf gitfs_remotes: - https://github.com/hubblestack/pulsar: - base: v2016.10.3Tip: Remember to restart the Salt Master after applying this change.UsageOnce Pulsar is fully running there isn’t anything you need to do to interact with it. It simply runs quietly in the background and sends you alerts.ConfigurationThe default Pulsar configuration (found in <pillar.example>) is meant to act as a template. It works in tan- dem with the <hubblestack_pulsar_config.yaml> file. Every environment will have different needs and requirements, and we understand that, so we’ve designed Pulsar to be flexible. ** pillar.example ** beacons: pulsar: paths: - /var/cache/salt/minion/files/base/hubblestack_pulsar/hubblestack_pulsar_˓→config.yaml schedule: cache_pulsar: function: cp.cache_file seconds: 86400 args: - salt://hubblestack_pulsar/hubblestack_pulsar_config.yaml return_job: False** hubblestack_pulsar_config **/etc: { recurse: True, auto_add: True} /bin: { recurse: True, auto_add: True} /sbin: { recurse: True, auto_add: True} /boot: { recurse: True, auto_add: True} /usr/bin: { recurse: True, auto_add: True} /usr/sbin: { recurse: True, auto_add: True} /usr/local/bin: { recurse: True, auto_add: True} /usr/local/sbin: { recurse: True, auto_add: True} return: slack_pulsar checksum: sha2561.4. Quasar 125 HubbleStack Documentation, Release 2016.7.1 stats: True batch: FalseIn order to receive Pulsar notifications you’ll need to install the custom returners found in the Quasar repository. Example of using the Slack Pulsar returner to recieve FIM notifications: slack_pulsar: as_user: true username: calculon channel: hubble_pulsar api_key: xoxo-xxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxTip: If you need to create a Slack bot, see: https://my.slack.com/services/new/botExcluding PathsThere may be certain paths that you want to exclude from this real-time FIM tool. This can be done using the exclude: keyword beneath any defined path./var: recurse: True auto_add: True exclude: - /var/log - /var/spool - /var/cache - /var/lockTroubleshootingIf inotify is reporting that it can’t create watches due to lack of disk space, but you have plenty of disk space and <a href="/tags/Inode/" rel="tag">inodes</a> available, then you may have to raise the max number of inotify watches. To check the max number of inotify watches:# cat /proc/sys/fs/inotify/max_user_watchesTo set the max number of inotify watches:# echo 20000 | sudo tee -a /proc/sys/fs/inotify/max_user_watchesUnder The HoodPulsar is written as a Salt beacon, which requires the salt-minion daemon to be running. This then acts as an agent that watches for file system events using Linux’s inotify subsystem.126 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1DevelopmentIf you’re interested in contributing to this project this section outlines the structure and requirements for Pulsar agent module development.Anatomy of a Pulsar module#-*- encoding: utf-8 -*- ''' Pulsar agent:maintainer: HubbleStack / owner :maturity: 20160804 :platform: Linux :requires: SaltStack''' from __future__ import absolute_import import loggingAll Pulsar agents should include the above header, expanding the docstring to include full documentation Any Pulsar agent should be written as a beacon and send its return data directly to the Quasar endpoint(s). No communication with the master is required.ContributeIf you are interested in contributing or offering feedback to this project feel free to submit an issue or a pull request. We’re very open to community contribution.ModulesFIM Modules inotifyPulsar was written to leverage inotify to watch for file system events in real-time. This allows a system running the Pulsar Beacon to notify you on unscheduled file system changes. This can be used to not only track out-of-band changes, but potentially catch intrusions as they happen. When a file system event is triggered, Pulsar will notify you of the type of change (IN_CREATE, IN_MODIFY or IN_DELETE), and provide you with information about the changed file. This includes checksums of the events as well as file attributes, such as permissions, ownerships, paths, etc. The Pulsar beacon is enabled by installing the beacon module and providing the beacon with pillar configuration data.ConfigurationPulsar configuration supports a handful of options which are outlined below:1.4. Quasar 127 HubbleStack Documentation, Release 2016.7.1 beacons: pulsar: /etc: { recurse: True, auto_add: True} /lib: { recurse: True, auto_add: True} /bin: { recurse: True, auto_add: True} /sbin: { recurse: True, auto_add: True} /boot: { recurse: True, auto_add: True} /lib64: { recurse: True, auto_add: True} /usr/lib: { recurse: True, auto_add: True} /usr/bin: { recurse: True, auto_add: True} /usr/sbin: { recurse: True, auto_add: True} /usr/lib64: { recurse: True, auto_add: True} /usr/local/etc: { recurse: True, auto_add: True} /usr/local/bin: { recurse: True, auto_add: True} /usr/local/lib: { recurse: True, auto_add: True} /usr/local/sbin: { recurse: True, auto_add: True} /var: exclude: - /var/log - /var/spool - /var/cache - /var/lock - /var/lib/ntp - /var/lib/chrony - /var/lib/mlocate - /var/lib/logrotate.status recurse: True audo_add: True return: slack_pulsar checksum: sha256 stats: True batch: FalseThe majority of the options contained within the Pulsar beacon config are simply paths that you’d like the system to watch. The options of recurse and auto_add will ensure that subdirectories are tracked and newly added files watched. Another crucial option is the exclude key, which allows you to exclude specific subdirectories. Be careful not to exclude too much or you may end up with blindspots. In addition the return option allows you to specify a comma-separated list of returners. In the example above we’re using the slack_pulsar returner. One of the custom Pulsar returners must be used in order to properly recieve these alerts. To learn more about the custom returners please see the Quasar repo.QuasarQuasarIntroductionQuasar is Hubble’s reporting system; a key component in visualizing your data. Quasar gathers the data captured by Nova, Nebula and Pulsar and delivers it directly to your logging or SIM/SEM system. Create dashboards, alerts and correlations all using the SIM/SEM system you already have!128 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1Note: dashboards not included :)InstallationEach of the four HubbleStack components have been packaged for use with Salt’s Package Manager (SPM). Note that all SPM installation commands should be done on the Salt Master.Required ConfigurationSalt’s Package Manager (SPM) installs files into /srv/spm/{salt,pillar}. Ensure that this path is defined in your Salt Master’s file_roots: file_roots: - /srv/salt - /srv/spm/saltNote: This should be the default value. To verify run: salt-call config.get file_rootsTip: Remember to restart the Salt Master after making this change to the configuration.Installation (Packages)Installation is as easy as downloading and installing a package. (Note: in future releases you’ll be able to subscribe directly to our HubbleStack SPM repo for updates and bugfixes!) wget https://spm.hubblestack.io/quasar/hubblestack_quasar-2016.10.3-1.spm spm local install hubblestack_quasar-2016.10.3-1.spmYou should now be able to sync the new modules to your minion(s) using the sync_returners Salt utility: salt \* saltutil.sync_returnersCopy the hubblestack_quasar.sls.orig into your Salt pillar, dropping the .orig extension and target it to selected minions. base: '*': - hubblestack_quasar salt \* saltutil.refresh_pillarOnce these modules are synced you’ll be ready to begin reporting data and events. Skip to Usage.Installation (Manual)Copy everything from _returners/ into your salt/_returners/ directory, and sync it to the minions.1.4. Quasar 129 HubbleStack Documentation, Release 2016.7.1 git clone https://github.com/hubblestack/quasar.git hubblestack-quasar.git cd hubblestack-quasar.git mkdir -p /srv/salt/_returners cp _returners/*.py /srv/salt/_returners/ cp pillar.example /srv/pillar/hubblestack_quasar.sls salt \* saltutil.sync_returnersTarget the hubblestack_quasar.sls extension and target it to selected minions. base: '*': - hubblestack_quasar salt \* saltutil.refresh_pillarOnce these modules are synced you’ll be ready to begin reporting data and events.Installation (GitFS)This installation method subscribes directly to our GitHub repository, pinning to a tag or branch. This method requires no package installation or manual checkouts. Requirements: GitFS support on your Salt Master. /etc/salt/master.d/hubblestack-quasar.conf gitfs_remotes: - https://github.com/hubblestack/quasar: - base: v2016.10.3Tip: Remember to restart the Salt Master after applying this change.UsageEach Quasar module has different requirements and settings. Please see your preferred module’s documentation.ConfigurationUnder The HoodDevelopmentContributeIf you are interested in contributing or offering feedback to this project feel free to submit an issue or a pull request. We’re very open to community contribution.130 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1ModulesModulesSlack - PulsarHubbleStack Pulsar-to-Slack returner. maintainer HubbleStack / basepi maturity 2016.7.0 platform All requires SaltStack, HubbleStack PulsarConfigurationThe following fields can be set in the minion conf or pillar: slack_pulsar: as_user: true # required for bot profile username: calculon # bot username channel: hubble-pulsar # destination slack channel api_key: xoxb-0123456... # unique api keySplunk - NebulaHubbleStack Nebula-to-Splunk returner maintainer HubbleStack maturity 2016.7.0 platform All requires SaltStack, HubbleStack Nebula Deliver HubbleStack Nebula query data into Splunk using the HTTP event collector. Required config/pillar settings:Configuration hubblestack: nebula: returner: splunk: token: <splunk_http_forwarder_token> indexer: <hostname/IP of Splunk indexer> sourcetype: <Destination sourcetype for data> index: <Destination index for data>Splunk - NovaHubbleStack Nova-to-Splunk returner1.4. Quasar 131 HubbleStack Documentation, Release 2016.7.1 maintainer HubbleStack maturity 2016.7.0 platform All requires SaltStack, HubbleStack Nova Deliver HubbleStack Nova result data into Splunk using the HTTP event collector. Required config/pillar settings:Configuration hubblestack: nova: returner: splunk: token: <splunk_http_forwarder_token> indexer: <hostname/IP of Splunk indexer> sourcetype: <Destination sourcetype for data> index: <Destination index for data>Splunk - PulsarHubbleStack Pulsar-to-Splunk returner maintainer HubbleStack maturity 2016.7.0 platform All requires SaltStack, HubbleStack Pulsar Deliver HubbleStack Pulsar event data into Splunk using the HTTP event collector. Required config/pillar settings:Configuration hubblestack: pulsar: returner: splunk: token: <splunk_http_forwarder_token> indexer: <hostname/IP of Splunk indexer> sourcetype: <Destination sourcetype for data> index: <Destination index for data>132 Chapter 1. Components </div> </div> </div> </div> </div> </div> </div> <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.1/jquery.min.js" integrity="sha512-aVKKRRi/Q/YV+4mjoKBsE4x3H+BkegoM/em46NNlCqNTmUYADjBbeNefNxYV7giUp0VxICtqdrbqU7iVaeZNXA==" crossorigin="anonymous" referrerpolicy="no-referrer"></script> <script src="/js/details118.16.js"></script> <script> var sc_project = 11552861; var sc_invisible = 1; var sc_security = "b956b151"; </script> <script src="https://www.statcounter.com/counter/counter.js" async></script> <noscript><div class="statcounter"><a title="Web Analytics" href="http://statcounter.com/" target="_blank"><img class="statcounter" src="//c.statcounter.com/11552861/0/b956b151/1/" alt="Web Analytics"></a></div></noscript> </body> </html>