HubbleStack Documentation Release 2016.7.1
Christer Edwards
Nov 10, 2016
Contents

1 Components
Welcome to the HubbleStack documentation! Hubble is a modular, open-source security compliance framework built on top of SaltStack. The project provides on-demand profile-based auditing, real-time security event notifications, automated remediation, alerting and reporting. Hubble can “dock” with any existing SaltStack installation, and requires very little work to get started. This document describes installation, configuration and general use.
CHAPTER 1
Components
Hubble is made up of four different components, each playing a role in the overall auditing of your systems. These components are described here:
• Nova - Nova is Hubble’s profile-based auditing engine.
• Pulsar - Pulsar is Hubble’s real-time event system.
• Nebula - Nebula is Hubble’s security snapshot utility.
• Quasar - Quasar is Hubble’s flexible reporting suite.
Each of these components is modular, flexible, and easy to drop into place for an infrastructure of any size. While each component can be used standalone, it is usually necessary to combine each component with its corresponding Quasar module. Quasar modules are what connect Nova, Nebula and Pulsar to external endpoints such as Splunk, Slack, etc.
New to HubbleStack? Explore some of these topics:
1.1 Nova
Nova is the best place to get started with Hubble. Using pre-built security and compliance “profiles”, Nova will give you a complete picture of your security stance. Check out the installation docs:
• Package Installation (stable)
• Manual Installation (develop)
Have a look at the Nova module list, and learn how audit modules work.
• Nova Modules
... or read through some of the pre-built profiles:
• Nova Profiles
Tip: Once you have Nova installed, check out Quasar next.
1.2 Nebula
See also: Nebula has a hard dependency on osquery. See the install requirements here: https://osquery.io/downloads/
Nebula allows you to take snapshots of your systems by scheduling specific queries. These queries capture information such as:
• running processes
• established outbound connections
• listening processes
• suid binaries
• crontab
• installed packages
• ...anything else you’d like to query
Check out the installation docs:
• Package Installation (stable)
• Manual Installation (develop)
Have a look at the Nebula modules:
• Nebula Modules
Tip: Once you have Nebula installed, check out Quasar next.
1.3 Pulsar
See also: Pulsar has a dependency on the Python pyinotify library. See: Pulsar Required Packages
Pulsar watches for filesystem events as they happen and notifies you in real time about any changes.
• Package Installation (stable)
• Manual Installation (develop)
You can also take a look at the Pulsar module list:
• Pulsar Modules
Tip: Next step? Check out the Quasar modules to collect Pulsar event data.
1.4 Quasar
Quasar modules are integral in collecting and tracking your security data. In general you’ll want to combine each HubbleStack component (Nova, Pulsar, Nebula) with its corresponding Quasar module.
• Package Installation (stable)
• Manual Installation (develop)
You can also take a look at the Quasar module list:
• Quasar Modules
1.4.1 Components
Nova
Introduction
Nova is designed to audit the compliance and security level of a system. It is composed of multiple modules, which ingest YAML configuration profiles to run a single or series of audits against a system. Two different installation methods are outlined below. The first method is more stable (and therefore recommended). This method uses Salt’s package manager to track versioned, packaged updates to Hubble’s components. The second method installs directly from git. It should be considered bleeding edge and possibly unstable.
Installation
Each of the four HubbleStack components has been packaged for use with Salt’s Package Manager (SPM). Note that all SPM installation commands should be run on the Salt Master.
Required Configuration
Salt’s Package Manager (SPM) installs files into /srv/spm/{salt,pillar}. Ensure that this path is defined in your Salt Master’s file_roots:
file_roots:
  - /srv/salt
  - /srv/spm/salt
Note: This should be the default value. To verify, run:
salt-call config.get file_roots
Tip: Remember to restart the Salt Master after making this change to the configuration.
Installation (Packages)
Installation is as easy as downloading and installing packages. (Note: in future releases you’ll be able to subscribe directly to our HubbleStack SPM repo for updates and bugfixes!) Nova packages have been divided into modules and profiles. This way we can iterate policy changes separately from the code.
Nova Modules
wget https://spm.hubblestack.io/nova/hubblestack_nova-2016.10.2-1.spm
spm local install hubblestack_nova-2016.10.2-1.spm
Nova Profiles
wget https://spm.hubblestack.io/nova/hubblestack_nova_profiles-20161101-1.spm
spm local install hubblestack_nova_profiles-20161101-1.spm
You should now be able to sync the new modules to your minion(s) using the sync_modules Salt utility:
salt \* saltutil.sync_modules
Once these modules are synced you are ready to run a HubbleStack Nova audit. Skip to Usage.
Installation (Manual)
Place _modules/hubble.py into your salt/_modules/ directory, and sync it to the minions.
git clone https://github.com/hubblestack/nova.git hubblestack-nova.git
cd hubblestack-nova.git
mkdir -p /srv/salt/_modules/
cp _modules/hubble.py /srv/salt/_modules/
cp -a hubblestack_nova_profiles /srv/salt/
cp -a hubblestack_nova /srv/salt/
salt \* saltutil.sync_modules
salt \* hubble.sync
Installation (GitFS)
This installation method subscribes directly to our GitHub repository, pinning to a tag or branch. This method requires no package installation or manual checkouts.
Requirements: GitFS support on your Salt Master.
/etc/salt/master.d/hubblestack-nova.conf
gitfs_remotes:
  - https://github.com/hubblestack/nova:
    - base: v2016.10.2
Tip: Remember to restart the Salt Master after applying this change.
Skip to Usage.
Usage
There are four primary functions in the hubble.py module:
1. hubble.sync will sync the hubblestack_nova_profiles/ and hubblestack_nova/ directories to the minion(s).
2. hubble.load will load the synced audit modules and their yaml configuration files.
3. hubble.audit will audit the minion(s) using the YAML profile(s) you provide as comma-separated arguments.
4. hubble.top will audit the minion(s) using the top.nova configuration.
hubble.audit takes two optional arguments. The first is a comma-separated list of paths. These paths can be files or directories within the hubblestack_nova_profiles directory. The second argument allows for toggling Nova configuration, such as verbosity, level of detail, etc. If hubble.audit is run without targeting any audit configs or directories, it will instead run hubble.top with no arguments. hubble.audit will return a list of audits which were successful, and a list of audits which failed. Here are some example calls:
# Run the cve scanner and the CIS profile:
salt \* hubble.audit cve.scan-v2,cis.centos-7-level-1-scored-v1

# Run hubble.top with the default topfile (top.nova)
salt \* hubble.top

# Run all yaml configs and tags under salt://hubblestack_nova_profiles/foo/
# and salt://hubblestack_nova_profiles/bar, but only run audits with tags
# starting with "CIS"
salt \* hubble.audit foo,bar tags='CIS*'
Nova Topfiles
Nova topfiles look very similar to saltstack topfiles, except the top-level key is always nova, as nova doesn’t have environments.
nova:
  '*':
    - cve.scan-v2
    - network.ssh
    - network.smtp
  'web*':
    - cis.centos-7-level-1-scored-v1
    - cis.centos-7-level-2-scored-v1
  'G@os_family:debian':
    - network.ssh
    - cis.debian-7-level-1-scored: 'CIS *'
Additionally, all nova topfile matches are compound matches, so you never need to define a match type like you do in saltstack topfiles.
Each list item is a string representing the dot-separated location of a yaml file which will be run with hubble.audit. You can also specify a tag glob to use as a filter for just that yaml file, using a colon after the yaml file (turning it into a dictionary). See the last two lines in the yaml above for examples. Examples:
salt '*' hubble.top
salt '*' hubble.top foo/bar/top.nova
salt '*' hubble.top foo/bar.nova verbose=True
Compensating Control Configuration
In some cases, your organization may want to skip certain audit checks for certain hosts. This is supported via compensating control configuration. You can skip a check globally by adding a control:
control:
  - CIS-2.1.4: This is the reason we control the check
  - some_other_tag:
      reason: This is the reason we control the check
  - a_third_tag_with_no_reason
Note that providing a reason for the control is optional. Any of the three formats shown in the yaml list above will work. Once you have your compensating control config, just target the yaml to the hosts you want to control using your topfile. In this case, all the audits will still run, but if any of the controlled checks fail, they will be removed from Failure and added to Controlled, and will be treated as a Success for the purposes of compliance percentage.
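How a control config in the three formats above changes an audit result, as an added Python example (not HubbleStack's own code): parse_controls, apply_controls and compliance_percent are names introduced here, the sample data is constructed, and the shape of a Controlled entry is an assumption since the page does not spell it out.

```python
# Added example (not HubbleStack's own code): apply a compensating-control
# config, in any of the three formats shown above, to an audit result and
# compute the compliance percentage the way the text describes.

# Constructed sample: the parsed form of the 'control:' YAML list above.
CONTROL_CONFIG = {'control': [
    {'CIS-2.1.4': 'This is the reason we control the check'},
    {'some_other_tag': {'reason': 'This is the reason we control the check'}},
    'a_third_tag_with_no_reason',
]}

# Constructed sample in the shape hubble.audit returns: lists of one-key
# dicts mapping an audit tag to its description.
AUDIT_RESULT = {
    'Success': [{'CIS-2.1.1': 'Remove telnet and telnet-server'}],
    'Failure': [
        {'CIS-2.1.4': 'Remove rsh and rsh-server'},
        {'some_other_tag': 'demo check'},
        {'CIS-6.1.4': '/etc/crontab must be owned by root'},
    ],
}


def parse_controls(config):
    """Return {tag: reason or None} from the three accepted list formats."""
    controls = {}
    for item in config.get('control', []):
        if isinstance(item, str):
            controls[item] = None                    # bare tag, no reason
        elif isinstance(item, dict) and len(item) == 1:
            (tag, value), = item.items()
            if isinstance(value, dict):
                controls[tag] = value.get('reason')  # nested 'reason:' key
            else:
                controls[tag] = value                # 'tag: reason' one-liner
        else:
            raise ValueError('malformed control entry: %r' % (item,))
    return controls


def apply_controls(result, controls):
    """Move failed checks whose tag is controlled from Failure to Controlled."""
    out = {'Success': list(result.get('Success', [])),
           'Failure': [],
           'Controlled': list(result.get('Controlled', []))}
    for check in result.get('Failure', []):
        (tag, description), = check.items()
        if tag not in controls:
            out['Failure'].append(check)
            continue
        # Assumed Controlled entry shape: the reason, when given, rides along.
        entry = description
        if controls[tag] is not None:
            entry = {'description': description, 'reason': controls[tag]}
        out['Controlled'].append({tag: entry})
    return out


def compliance_percent(result):
    """Controlled checks count as successes for the compliance percentage."""
    passed = len(result.get('Success', [])) + len(result.get('Controlled', []))
    total = passed + len(result.get('Failure', []))
    return round(100.0 * passed / total, 2) if total else 100.0
```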
Schedule
In order to run the audits once daily, you can use the following cron job:
/etc/cron.d/hubble
MAILTO=""
SHELL=/bin/bash
@daily root /usr/bin/salt '*' hubble.top verbose=True,show_profile=True --return splunk_nova_return
Configuration
Under the Hood
1. The directory/environment in which nova searches for audit modules is configurable via pillar. The defaults are shown below:
hubblestack:
  nova:
    saltenv: base
    module_dir: salt://hubblestack_nova
    profile_dir: salt://hubblestack_nova_profiles
2. By default, hubble.audit will call hubble.load (which in turn calls hubble.sync) in order to ensure that it is auditing with the most up-to-date information. These operations are fairly fast, but if you want to avoid the additional overhead, you can disable these behaviors via pillar (defaults are shown; change to False to disable the behaviors):
hubblestack:
  nova:
    autosync: True
    autoload: True
Development
If you’re interested in contributing to this project this section outlines the structure and requirements for Nova audit module development.
Anatomy of a Nova audit module
# -*- encoding: utf-8 -*-
'''
Loader and primary interface for nova modules

:maintainer: HubbleStack
:maturity: 20160214
:platform: Linux
:requires: SaltStack

'''
from __future__ import absolute_import
import logging
All Nova plugins should include the above header, expanding the docstring to include full documentation
import fnmatch
import salt.utils


def __virtual__():
    if salt.utils.is_windows():
        return False, 'This audit module only runs on linux'
    return True
def audit(data_list, tag, verbose=False, show_profile=False, debug=False):
    __tags__ = []
    for profile, data in data_list:
        # This is where you process the dictionaries passed in by hubble.py,
        # searching for data pertaining to this audit module. Modules which
        # require no data should use yaml which is empty except for a
        # top-level key, and should only do work if the top-level key is
        # found in the data

        # if show_profile is True, then we need to also inject the profile
        # in the data for each check so that it appears in verbose output
        pass

    ret = {'Success': [], 'Failure': []}
    for check_tag in __tags__:
        # Compare each tag this module supports against the tag glob; the
        # loop variable must not shadow the ``tag`` glob argument
        if fnmatch.fnmatch(check_tag, tag):
            # We should run this tag
            #
            pass
    return ret
All Nova plugins require a __virtual__() function to determine module compatibility, and an audit() function to perform the actual audit functionality. The audit() function must take the arguments data_list, tag, verbose, show_profile, and debug. The data_list argument is a list of dictionaries passed in by hubble.py. hubble.py gets this data from loading the specified yaml for the audit run. Your audit module should only run if it finds its own data in this list. The tag argument is a glob expression for which tags the audit function should run. It is the job of the audit module to compare the tag glob with all tags supported by this module and only run the audits which match. The verbose argument defines whether additional information should be returned for audits, such as description and remediation instructions. The show_profile argument tells whether the profile should be injected into the verbose data for each check. The debug argument tells whether the module should log additional debugging information at debug log level. The return value should be a dictionary, with optional keys “Success”, “Failure”, and “Controlled”. The values for these keys should be a list of one-key dictionaries in the form of {
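The skeleton above filled in for one concrete module, as an added example that is not Nova's own code (the project's real sysctl module goes through Salt): it assumes a module constant standing in for the osfinger grain and reads /proc/sys directly, and run_audit, read_sysctl and OSFINGER are names introduced here. The sample profile is the parsed form of the sysctl YAML shown later in this document plus one constructed check.

```python
# -*- encoding: utf-8 -*-
'''
Minimal Nova-style sysctl audit module (added example; not the project's own
hubblestack_nova/sysctl.py). It follows the anatomy above, but Salt grains and
execution modules are replaced by standard-library calls so it runs offline.

:maintainer: example
:maturity: example
:platform: Linux
:requires: Python standard library only
'''
from __future__ import absolute_import
import fnmatch
import logging
import platform

log = logging.getLogger(__name__)

# Assumption: a module constant stands in for the osfinger grain.
OSFINGER = 'CentOS-6'


def read_sysctl(param):
    """Read a sysctl value from /proc/sys (the real module uses Salt)."""
    with open('/proc/sys/' + param.replace('.', '/')) as fh:
        return fh.read().strip()


def __virtual__():
    if platform.system() == 'Windows':
        return False, 'This audit module only runs on linux'
    return True


def _collect_checks(data_list, osfinger, show_profile):
    """Gather our checks from every loaded profile; skip profiles without our key."""
    checks = []
    for profile, data in data_list:
        if 'sysctl' not in data:
            continue
        for audit_id, audit_data in data['sysctl'].items():
            by_os = audit_data.get('data', {})
            # Exact osfinger block first, then the '*' catch-all.
            block = by_os.get(osfinger, by_os.get('*'))
            if not block:
                continue
            for item in block:
                (param, cfg), = item.items()
                check = dict(cfg, param=param,
                             description=audit_data.get('description', ''))
                if show_profile:
                    check['nova_profile'] = profile
                checks.append(check)
    return checks


def run_audit(data_list, tag, verbose=False, show_profile=False, debug=False,
              osfinger=OSFINGER, reader=read_sysctl):
    """Worker behind audit(); osfinger and reader are injectable for tests."""
    ret = {'Success': [], 'Failure': []}
    for check in _collect_checks(data_list, osfinger, show_profile):
        if not fnmatch.fnmatch(check['tag'], tag):
            continue  # the tag glob decides which checks run
        try:
            actual = reader(check['param'])
        except (IOError, OSError) as exc:
            actual = None
            if debug:
                log.debug('cannot read %s: %s', check['param'], exc)
        passed = actual is not None and str(actual) == str(check['match_output'])
        # Assumed result shape: {tag: description}, or the full check plus the
        # observed value when verbose output is requested.
        value = dict(check, actual=actual) if verbose else check['description']
        ret['Success' if passed else 'Failure'].append({check['tag']: value})
    return ret


def audit(data_list, tag, verbose=False, show_profile=False, debug=False):
    """Entry point with the signature hubble.py expects."""
    return run_audit(data_list, tag, verbose, show_profile, debug)


# Constructed sample profile: the parsed form of this page's sysctl YAML plus
# a second, made-up check (tag EXAMPLE-1) that only has a '*' block.
SAMPLE_PROFILE = ('sysctl.example', {'sysctl': {
    'randomize_va_space': {
        'data': {'CentOS-6': [{'kernel.randomize_va_space': {
            'tag': 'CIS-1.6.3', 'match_output': '2'}}]},
        'description': 'Enable Randomized Virtual Memory',
    },
    'exec_shield': {
        'data': {'*': [{'kernel.exec-shield': {
            'tag': 'EXAMPLE-1', 'match_output': '1'}}]},
        'description': 'Enable ExecShield',
    },
}})
```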
Contribute
If you are interested in contributing or offering feedback to this project feel free to submit an issue or a pull request. We’re very open to community contribution.
Modules
Audit Modules
command
maintainer: HubbleStack / basepi
maturity: 2016.7.0
platform: All
requires: SaltStack, HubbleStack Nova
source: https://github.com/HubbleStack/Nova/blob/develop/hubblestack_nova/command.py
Hubble Nova plugin for running arbitrary commands and checking the output of those commands.
Configuration
Sample YAML data, with inline comments:
command:
  nodev:
    data:
      'Red Hat Enterprise Linux Server-6':
        tag: CIS-1.1.10  # (required)
        commands:  # list of command stanzas with individual flags
          - 'grep "[[:space:]]/home[[:space:]]" /etc/fstab':
              # Check the output for this pattern
              # If match_output not provided, any output will be a match
              match_output: nodev
              # Use regex when matching the output (default False)
              match_output_regex: False
              # Invert the success criteria. If True, a match will cause failure (default False)
              fail_if_matched: False
          - 'mount | grep /home':
              match_output: nodev
              match_output_regex: False
              # Match each line of the output against our pattern
              # Any that don't match will make the audit fail (default False)
              match_output_by_line: True
          - ?
              |
              echo 'this is a multi-line'
              echo 'bash script'
              echo 'note the special ? syntax'
            :
              # Shell through which the script will be run, must be abs path
              shell: /bin/bash
              match_output: this
        # Aggregation strategy for multiple commands. Defaults to 'and', other option is 'or'
        aggregation: 'and'
      # Catch-all, if no other osfinger match was found
      '*':
        tag: generic_tag
        commands:
          - 'grep "[[:space:]]/home[[:space:]]" /etc/fstab':
              match_output: nodev
              match_output_regex: False
              fail_if_matched: False
          - 'mount | grep /home':
              match_output: nodev
              match_output_regex: False
              match_output_by_line: True
        aggregation: 'and'
    # Description will be output with the results
    description: '/home should be nodev'
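The flag semantics in the comments above, worked through in an added Python example that is not the command module's own code: commands are never executed, their output is supplied as a dict so the decision logic can be exercised offline, and command_matches, evaluate_check and the sample outputs are constructed here.

```python
import re

# Added example (not Nova's command module): evaluate the per-command flags
# shown above against already-captured command output and combine the results
# with the 'aggregation' strategy. Commands are never executed here; their
# output is passed in as a dict, so the decision logic can be checked offline.


def command_matches(output, stanza):
    """Decide whether one command stanza is satisfied by the given output."""
    pattern = stanza.get('match_output')
    use_regex = stanza.get('match_output_regex', False)
    by_line = stanza.get('match_output_by_line', False)
    invert = stanza.get('fail_if_matched', False)

    def hit(text):
        if pattern is None:
            return bool(text.strip())  # no pattern: any output is a match
        if use_regex:
            return re.search(pattern, text) is not None
        return pattern in text

    if by_line:
        # Every line must match; empty output is treated as no match
        # (assumption, the page does not say).
        lines = output.splitlines()
        matched = bool(lines) and all(hit(line) for line in lines)
    else:
        matched = hit(output)
    return (not matched) if invert else matched


def evaluate_check(check, outputs):
    """Evaluate one osfinger block ('commands' + 'aggregation').

    outputs maps each command string to the stdout it produced.
    """
    verdicts = []
    for item in check['commands']:
        (cmd, stanza), = item.items()
        verdicts.append(command_matches(outputs.get(cmd, ''), stanza or {}))
    strategy = check.get('aggregation', 'and')
    if strategy == 'and':
        return all(verdicts)
    if strategy == 'or':
        return any(verdicts)
    raise ValueError('unknown aggregation strategy: %r' % (strategy,))


# Constructed sample: the parsed '*' block from the YAML above.
FSTAB_CMD = 'grep "[[:space:]]/home[[:space:]]" /etc/fstab'
MOUNT_CMD = 'mount | grep /home'
HOME_NODEV_CHECK = {
    'tag': 'generic_tag',
    'commands': [
        {FSTAB_CMD: {'match_output': 'nodev', 'match_output_regex': False,
                     'fail_if_matched': False}},
        {MOUNT_CMD: {'match_output': 'nodev', 'match_output_regex': False,
                     'match_output_by_line': True}},
    ],
    'aggregation': 'and',
}

# Constructed outputs: a compliant host, and one where a second /home mount
# lacks nodev (the case match_output_by_line exists to catch).
COMPLIANT = {FSTAB_CMD: '/dev/sda2 /home ext4 defaults,nodev 1 2\n',
             MOUNT_CMD: '/dev/sda2 on /home type ext4 (rw,nodev)\n'}
PARTIAL = {FSTAB_CMD: '/dev/sda2 /home ext4 defaults,nodev 1 2\n',
           MOUNT_CMD: '/dev/sda2 on /home type ext4 (rw,nodev)\n'
                      '/dev/sdb1 on /home/data type ext4 (rw)\n'}
```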
grep
maintainer: HubbleStack / basepi
maturity: 2016.7.0
platform: All
requires: SaltStack, HubbleStack Nova
source: https://github.com/HubbleStack/Nova/blob/develop/hubblestack_nova/grep.py
HubbleStack Nova plugin for using grep to verify settings in files. Supports both blacklisting and whitelisting patterns. Blacklisted patterns must not be found in the specified file. Whitelisted patterns must be found in the specified file.
Configuration
Sample profile data, with inline comments:
grep:  # module definition
  whitelist:  # 'whitelist' or 'blacklist'
    fstab_tmp_partition:  # unique ID
      data:  # required key
        CentOS Linux-6:  # osfinger grain
          - '/etc/fstab':  # full path to file
              tag: 'CIS-1.1.1'  # audit tag
              pattern: '/tmp'  # grep pattern
              match_output: 'nodev'  # string to check for in output of grep command (optional)
              match_output_regex: True  # whether to use regex when matching output (default: False)
              grep_args:  # extra args to grep
                - '-E'  # -E, --extended-regexp
                - '-i'  # -i, --ignore-case
                - '-B2'  # -B num, --before-context=num
              match_on_file_missing: True  # See below

        '*':  # wildcard, will be run if no direct osfinger match
          - '/etc/fstab':  # full path to file
              tag: 'CIS-1.1.1'  # audit tag
              pattern: '/tmp'  # grep pattern

      ## optional
      description: |
        The /tmp directory is intended to be world-writable, which presents a risk
        of resource exhaustion if it is not bound to a separate partition.
If match_on_file_missing is omitted, success/failure will be determined entirely based on the grep command and other arguments. If it’s set to True and the file is missing, then it will be considered a match (success for whitelist, failure for blacklist). If it’s set to False and the file is missing, then it will be considered a non-match (success for blacklist, failure for whitelist). If the file exists, this setting is ignored.
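The match_on_file_missing rules above worked through in an added Python stand-in for the grep module (not Nova's own code): grep itself is replaced by a substring filter, or a regex filter when -E is passed, the context flag -B2 is ignored, and grep_check_lines, grep_check and the sample fstab contents are constructed here.

```python
import re

# Added example (not Nova's grep module): a pure-Python stand-in for the grep
# check that reproduces the match_on_file_missing rules described above.
# Only the -E and -i grep flags are honoured; context flags such as -B2 only
# change what grep prints, so they are ignored here (assumption).


def _grep_lines(lines, pattern, grep_args):
    """Lines grep would select: regex with -E, plain substring otherwise."""
    ignore_case = '-i' in grep_args
    if '-E' in grep_args:
        rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
        return [ln for ln in lines if rx.search(ln)]
    if ignore_case:
        return [ln for ln in lines if pattern.lower() in ln.lower()]
    return [ln for ln in lines if pattern in ln]


def grep_check_lines(mode, lines, cfg):
    """Return 'Success' or 'Failure' for one file entry.

    mode is 'whitelist' or 'blacklist'; lines is the file content split into
    lines, or None when the file does not exist.
    """
    if lines is None:
        if 'match_on_file_missing' in cfg:
            matched = bool(cfg['match_on_file_missing'])
        else:
            matched = False  # grep prints nothing for a missing file
    else:
        hits = _grep_lines(lines, cfg['pattern'], cfg.get('grep_args', []))
        output = '\n'.join(hits)
        want = cfg.get('match_output')
        if want is None:
            matched = bool(hits)  # no match_output: any grep output matches
        elif cfg.get('match_output_regex', False):
            matched = re.search(want, output) is not None
        else:
            matched = want in output
    if mode == 'whitelist':
        return 'Success' if matched else 'Failure'
    if mode == 'blacklist':
        return 'Failure' if matched else 'Success'
    raise ValueError('mode must be whitelist or blacklist, got %r' % (mode,))


def grep_check(mode, path, cfg):
    """Same check against a real file; a missing file becomes lines=None."""
    try:
        with open(path) as fh:
            lines = fh.read().splitlines()
    except (IOError, OSError):
        lines = None
    return grep_check_lines(mode, lines, cfg)


# Constructed sample: the parsed 'CentOS Linux-6' entry from the YAML above
# and two fstab contents, one with /tmp mounted nodev and one without.
FSTAB_TMP_CFG = {
    'tag': 'CIS-1.1.1', 'pattern': '/tmp', 'match_output': 'nodev',
    'match_output_regex': True, 'grep_args': ['-E', '-i', '-B2'],
    'match_on_file_missing': True,
}
FSTAB_NODEV = ['/dev/sda1 / ext4 defaults 1 1',
               'tmpfs /tmp tmpfs defaults,nodev,nosuid 0 0']
FSTAB_PLAIN = ['/dev/sda1 / ext4 defaults 1 1',
               'tmpfs /tmp tmpfs defaults 0 0']
```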
iptables
maintainer: HubbleStack / avb76
maturity: 2016.7.0
platform: All
requires: SaltStack, HubbleStack Nova
source: https://github.com/HubbleStack/Nova/blob/develop/hubblestack_nova/firewall.py
Hubble Nova plugin for using iptables to verify firewall rules.
Configuration
Sample YAML data, with inline comments:
firewall:  # module definition
  whitelist:  # whitelist or blacklist
    ssh:  # unique id
      data:  # required key
        tag: 'FIREWALL-TCP-22'  # audit tag
        table: 'filter'  # table to check (REQUIRED)
        chain: INPUT  # INPUT / OUTPUT / FORWARD (REQUIRED)
        rule:  # dict containing the elements for building the rule
          proto: tcp  # protocol (tcp/udp/icmp)
          dport: 22  # destination port
          match: state  # rule match
          connstate: RELATED,ESTABLISHED  # connection state
          jump: ACCEPT  # 'jump' destination
        family: 'ipv4'  # iptables family (REQUIRED)
      description: 'ssh iptables rule check'  # description of the check
A few words about the auditing logic
The audit function uses the iptables.build_rule salt execution module to build the actual iptables rule to be checked.
How are the rules built?
The elements in the rule dictionary will be used to build the iptables rule.
Note: table, chain and family are not required under the rule key.
Note: iptables.build_rule does not verify the syntax of the iptables rules.
Here is a list of accepted iptables rule elements, based on the iptables.build_rule source code:
• command
• position
• full
• target
• jump
• proto/protocol
• if
• of
• match
• match-set
• connstate
• dport
• sport
• dports
• sports
• comment
• set
• jump
Check the following links for more details:
• iptables.build_rule - upstream SaltStack documentation
• iptables salt execution module source code (search for the build_rule function inside):
netstat
maintainer: HubbleStack / basepi
maturity: 2016.7.0
platform: All
requires: SaltStack, HubbleStack Nova
source: https://github.com/HubbleStack/Nova/blob/develop/hubblestack_nova/netstat.py
HubbleStack Nova module for auditing open ports.
Configuration
Sample data for the netstat whitelist:
netstat:  # module definition
  ssh:  # unique id
    address: '*:22'  # netstat output match
  another_identifier:  # unique id
    address:  # multiline output match
      - 127.0.0.1:80  # multiline output match
      - 0.0.0.0:80  # multiline output match
openscap
maintainer: HubbleStack / cedwards
maturity: 2016.7.0
platform: All
requires: SaltStack, HubbleStack Nova, openscap, RHEL
source: https://github.com/HubbleStack/Nova/blob/develop/hubblestack_nova/cve_scan.py
This module automates the ingestion of security advisory announcements, CVE scanning and reporting. This feature was inspired by FreeBSD’s VuXML integration with pkg audit. To run an on-demand CVE scan, ensure that the oscap execution module is synced to your system(s).
Usage
Red Hat publishes security advisories in the form of an XML file. These files follow a specific standard, which requires an additional dependency to use: openscap. The XML files can be found here: https://www.redhat.com/security/data/oval/. This module supports fetching CVE data directly from upstream, or serving it locally through your salt:// fileserver.
See also: openscap Profile
openssl
maintainer: HubbleStack / avb76
maturity: 2016.7.0
platform: All
requires: SaltStack, HubbleStack Nova, python-OpenSSL
source: https://github.com/HubbleStack/Nova/blob/develop/hubblestack_nova/openssl.py
HubbleStack Nova module for auditing SSL certificates.
Configuration
Sample YAML data, with in line comments:
openssl:  # module definition
  google:  # unique ID
    data:  # required key
      tag: 'CERT-001'  # TAG
      endpoint: 'www.google.com'  # https endpoint
      file: False  # PEM input file
      port: 443  # port (default: 443)
      not_after: 15  # optional
      not_before: 2  # optional
      fail_if_not_before: False  # optional
    description: 'google certificate'
Some words about the elements in the data dictionary:
• tag: this check’s unique TAG
• endpoint: the ssl endpoint to check (endpoint or file)
• file: the path to the .pem file containing the SSL certificate to be checked
• port: (optional) defaults to 443
• not_after: the minimum number of days left until the certificate should expire
• not_before: the expected number of days until the certificate becomes valid
• fail_if_not_before: if True, the check will fail only if not_before is 0 (or missing)
Known issues
For reasons that are not yet understood, the module can fail to download the certificate from certain endpoints. When this happens, the check will fail.
pkg
maintainer: HubbleStack / basepi
maturity: 2016.7.0
platform: All
requires: SaltStack, HubbleStack Nova
source: https://github.com/HubbleStack/Nova/blob/develop/hubblestack_nova/pkg.py
HubbleStack Nova module for auditing installed packages. Supports both blacklisting and whitelisting packages. Blacklisted packages must not be installed. Whitelisted packages must be installed. Also supported is requiring a specific version or a minimum or maximum version.
Configuration
Sample YAML data, with inline comments:
blacklist:
pkg:  # module definition
  blacklist:  # 'whitelist' or 'blacklist'
    rsh:  # unique ID
      data:  # required key
        CentOS Linux-6:  # osfinger grain
          - 'rsh': 'CIS-2.1.1'  # pkg_name : TAG
      description: 'RSH is evil'  # description of audit

        CentOS Linux-6:  # osfinger grain
          - 'rsh':  # dict format allows version definition
              tag: 'CIS-2.1.3'  # TAG
              version: '4.3.2'  # version
      description: 'RSH is evil'  # description of audit

        CentOS Linux-6:  # osfinger grain
          - 'rsh':  # dict format allows version definition
              tag: 'CIS-2.1.3'  # TAG
              version: '>=4.3.2'  # flexible version
      description: 'RSH is evil'  # description of audit
whitelist:
pkg:  # module definition
  whitelist:  # 'whitelist' or 'blacklist'
    rsh:  # unique ID
      data:  # required key
        CentOS Linux-6:  # osfinger grain
          - 'rsh': 'CIS-2.1.1'  # pkg_name : TAG
      description: 'RSH is awesome'  # description of audit

          - 'rsh':  # dict format allows version definition
              tag: 'CIS-2.1.3'  # TAG
              version: '4.3.2'  # version
      description: 'RSH is awesome'  # description of audit

          - 'rsh':  # dict format allows version definition
              tag: 'CIS-2.1.3'  # TAG
              version: '>=4.3.2'  # flexible version
      description: 'RSH is awesome'  # description of audit
service
maintainer: HubbleStack / basepi
maturity: 2016.7.0
platform: All
requires: SaltStack, HubbleStack Nova
source: https://github.com/HubbleStack/Nova/blob/develop/hubblestack_nova/service.py
HubbleStack Nova module for auditing running services. Supports both blacklisting and whitelisting services. Blacklisted services must not be running. Whitelisted services must be running.
Configuration
Sample YAML data, with inline comments:
blacklist:
service:  # module definition
  blacklist:  # 'whitelist' or 'blacklist'
    telnet:  # unique ID
      data:  # required key
        CentOS Linux-6:  # osfinger grain
          - 'telnet': 'CIS-2.1.1'  # pkg_name : TAG
      description: 'Telnet is evil'  # description of audit
whitelist:
service:  # module definition
  whitelist:  # 'whitelist' or 'blacklist'
    rsh:  # unique ID
      data:  # required key
        CentOS Linux-7:  # osfinger grain
          - 'rsh': 'CIS-2.1.3'  # pkg_name : TAG
          - 'rsh-server': 'CIS-2.1.4'  # pkg_name : TAG
      description: 'RSH is awesome'  # description of audit
stat
maintainer: HubbleStack / avb76
maturity: 2016.7.0
platform: All
requires: SaltStack, HubbleStack Nova
source: https://github.com/HubbleStack/Nova/blob/develop/hubblestack_nova/stat.py
HubbleStack Nova module for using stat to verify ownership & permissions.
Configuration
Sample YAML data, with inline comments:
stat:  # module definition
  grub_conf_owner:  # unique ID
    data:  # required key
      'CentOS-6':  # osfinger grain
        - '/etc/grub.conf':  # path to configuration file
            tag: 'CIS-1.5.1'  # TAG
            user: 'root'  # expected user
            uid: 0  # expected uid
            group: 'root'  # expected group
            gid: 0  # expected gid
    description: 'Grub must be owned by root'  # description of audit

      'CentOS Linux-7':  # osfinger grain
        - '/etc/grub2/grub.cfg':  # path to configuration file
            tag: 'CIS-1.5.1'  # TAG
            user: 'root'  # expected user
            uid: 0  # expected uid
            group: 'root'  # expected group
            gid: 0  # expected gid
    description: 'Grub must be owned by root'  # description of audit
sysctl
maintainer: HubbleStack / avb76
maturity: 2016.7.0
platform: All
requires: SaltStack, HubbleStack Nova
source: https://github.com/HubbleStack/Nova/blob/develop/hubblestack_nova/sysctl.py
HubbleStack Nova module for using sysctl to verify sysctl parameters.
Configuration
Sample YAML data, with inline comments:
sysctl:  # module definition
  randomize_va_space:  # unique ID
    data:  # required key
      'CentOS-6':  # osfinger grain
        - 'kernel.randomize_va_space':  # sysctl parameter to check
            tag: 'CIS-1.6.3'  # TAG
            match_output: '2'  # expected value
    description: 'Enable Randomized Virtual Memory'  # description of audit
vulners.com
maintainer: HubbleStack / jaredhanson11
maturity: 2016.7.0
platform: All
requires: SaltStack, HubbleStack Nova
source: https://github.com/HubbleStack/Nova/blob/develop/hubblestack_nova/cve_scan_v2.py
Another major component of the Nova auditing system is the on-demand CVE scanning and reporting. This component automates the ingestion of security advisory announcements, and compares this data to the installed packages. This feature was inspired by FreeBSD’s VuXML integration with pkg audit. This module, scan-v2, uses a public vulnerability database at https://vulners.com. Queries to https://vulners.com are made either directly from the minion or served from your salt:// fileserver. The defined ttl in either case will determine the amount of time the JSON data is cached on the minion. Example profiles for each of these are found at cve.scan-v2 and cve.scan-v2-salt respectively.
Configuration
The required JSON files can be downloaded using the utils/cve_store.py tool found in the Nova repository. These downloaded files can then be served using salt://.
See also: utils/cve_store.py
Usage
salt \* hubble.audit cve.scan-v2
See also: cve.scan-v2 profile
salt \* hubble.audit cve.scan-v2-salt
See also: cve.scan-v2-salt profile
Profiles
Audit Profiles
Nova ingests audit “profiles” which define the audits and checks to be run. This is a sampling of some of the pre-built profiles that come with a default Hubble installation.
cis-centos-6-level-1-scored-v1
Multiple profiles can be combined to create more comprehensive profiles. Common examples include the CIS and STIG profiles:
# NOTE: This CIS Profile only includes Level 1 Scored Items for CentOS6.
# NOTE: Within this file, there are a few sections that should be tailored to your
# organization's specific policy. Search for '# NOTE: ' comments through the file.


pkg:
  blacklist:

    telnet:
      data:
        'CentOS-6':
          - 'telnet-server': 'CIS-2.1.1'
          - 'telnet': 'CIS-2.1.2'
      description: 'Remove telnet and telnet-server'

    rsh:
      data:
        'CentOS-6':
          - 'rsh-server': 'CIS-2.1.3'
          - 'rsh': 'CIS-2.1.4'
      description: 'Remove rsh and rsh-server'

    nis:
      data:
        'CentOS-6':
          - 'ypbind': 'CIS-2.1.5'
          - 'ypserv': 'CIS-2.1.6'
      description: 'Remove nis client and nis server'

    tftp:
      data:
        'CentOS-6':
          - 'tftp': 'CIS-2.1.7'
          - 'tftp-server': 'CIS-2.1.8'
      description: 'Remove tftp and tftp-server'

    talk:
      data:
        'CentOS-6':
          - 'talk': 'CIS-2.1.9'
          - 'talk-server': 'CIS-2.1.10'
      description: 'Remove talk and talk-server'

    xinetd:
      data:
        'CentOS-6':
          - 'xinetd': 'CIS-2.1.11'
      description: 'Remove xinetd'

    dhcp:
      data:
        'CentOS-6':
          - 'dhcp': 'CIS-3.5'
      description: 'Remove DHCP server'

  whitelist:

    rsyslog:
      data:
        'CentOS-6':
          'rsyslog': 'CIS-5.1.1'
      description: 'Install rsyslog'

    anacron:
      data:
        'CentOS-6':
          'cronie-anacron': 'CIS-6.1.1'
      description: 'Enable anacron Daemon'


stat:
  grub_conf_own:
    data:
      'CentOS-6':
        - '/etc/grub.conf':
            tag: 'CIS-1.5.1'
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: 'Grub must be owned by root'

  grub_conf_perm:
    data:
      'CentOS-6':
        - '/etc/grub.conf':
            tag: 'CIS-1.5.2'
            mode: 600
    description: 'Grub must have permissions 600'

  hosts_allow:
    data:
      'CentOS-6':
        - '/etc/hosts.allow':
            tag: 'CIS-4.5.3'
            mode: 644
    description: '/etc/hosts.allow must have permissions 644'

  hosts_deny:
    data:
      'CentOS-6':
        - '/etc/hosts.deny':
            tag: 'CIS-4.5.5'
            mode: 644
    description: '/etc/hosts.deny must have permissions 644'

  anacrontab:
    data:
      'CentOS-6':
        - '/etc/anacrontab':
            tag: 'CIS-6.1.3'
            mode: 600
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: '/etc/anacrontab file must be owned by root and must have permissions 600'

  crontab:
    data:
      'CentOS-6':
        - '/etc/crontab':
            tag: 'CIS-6.1.4'
            mode: 600
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: '/etc/crontab must be owned by root and have permissions 600'

  cron_hourly:
    data:
      'CentOS-6':
        - '/etc/cron.hourly':
            tag: 'CIS-6.1.5'
            mode: 700
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: '/etc/cron.hourly must be owned by root and must have permissions 700'

  cron_daily:
    data:
      'CentOS-6':
        - '/etc/cron.daily':
            tag: 'CIS-6.1.6'
            mode: 700
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: '/etc/cron.daily must be owned by root and must have permissions 700'

  cron_weekly:
    data:
      'CentOS-6':
        - '/etc/cron.weekly':
            tag: 'CIS-6.1.7'
            mode: 700
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: '/etc/cron.weekly must be owned by root and must have permissions 700'

  cron_monthly:
    data:
      'CentOS-6':
        - '/etc/cron.monthly':
            tag: 'CIS-6.1.8'
            mode: 700
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: '/etc/cron.monthly must be owned by root and must have permissions 700'

  cron_d:
    data:
      'CentOS-6':
        - '/etc/cron.d':
            tag: 'CIS-6.1.9'
            mode: 700
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: '/etc/cron.d must be owned by root and must have permissions 700'

  at_allow:
    data:
      'CentOS-6':
        - '/etc/at.allow':
            tag: 'CIS-6.1.10'
            mode: 600
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: '/etc/at.allow must be owned by root and have permissions 600'

  at_cron_allow:
    data:
      'CentOS-6':
        - '/etc/cron.deny':
            tag: 'CIS-6.1.11'
            mode: null
            user: null
            uid: null
            group: null
            gid: null
        - '/etc/at.deny':
            tag: 'CIS-6.1.11'
            mode: null
            user: null
            uid: null
            group: null
            gid: null
        - '/etc/cron.allow':
            tag: 'CIS-6.1.11'
            mode: 600
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
        - '/etc/at.allow':
            tag: 'CIS-6.1.11'
            mode: 600
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: 'Restrict at/cron to authorized users'

  sshd_config:
    data:
      'CentOS-6':
        - '/etc/ssh/sshd_config':
            tag: 'CIS-6.2.3'
            mode: 600
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: '/etc/ssh/sshd_config must be owned by root and must have permissions 600'

  warning_banner:
    data:
      'CentOS-6':
        - '/etc/motd':
            tag: 'CIS-8.1'
            mode: 644
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
        - '/etc/issue':
            tag: 'CIS-8.1'
            mode: 644
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
        - '/etc/issue.net':
            tag: 'CIS-8.1'
            mode: 644
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: 'Files containing the warning banners must be owned by root and must have permissions 644'

  passwd_perm:
    data:
      'CentOS-6':
        - '/etc/passwd':
            tag: 'CIS-9.1.2'
            mode: 644
    description: '/etc/passwd must have permissions 644'

  passwd_own:
    data:
      'CentOS-6':
        - '/etc/passwd':
            tag: 'CIS-9.1.6'
            user: 'root'
290 uid: 0
291 group:'root'
292 uid: 0
293 description:'/etc/passwd must be owned by root'
294
295 shadow_perm:
296 data:
297 'CentOS-6':
298 -'/etc/shadow':
299 tag:'CIS-9.1.3'
300 mode: 0
301 description:'/etc/shadow must have permissions 000'
302
303 shadow_own:
304 data:
305 'CentOS-6':
306 -'/etc/shadow':
307 tag:'CIS-9.1.7'
308 user:'root'
309 uid: 0
310 group:'root'
311 gid: 0
312 description:'/etc/shadow must be owned by root'
313
314 gshadow_perm:
315 data:
316 'CentOS-6':
317 -'/etc/gshadow':
318 tag:'CIS-9.1.4'
319 mode: 0
320 description:'/etc/gshadow must have permissions 000'
321
322 gshadow_own:
323 data:
324 'CentOS-6':
325 -'/etc/gshadow':
326 tag:'CIS-9.1.8'
327 user:'root'
328 uid: 0
1.4. Quasar 25 HubbleStack Documentation, Release 2016.7.1
329 group:'root'
330 gid: 0
331 description:'/etc/gshadow must be owned by root'
332
333 group_perm:
334 data:
335 'CentOS-6':
336 -'/etc/group':
337 tag:'CIS-9.1.5'
338 mode: 644
339 description:'/etc/group must have permissions 644'
340
341 group_own:
342 data:
343 'CentOS-6':
344 -'/etc/group':
345 tag:'CIS-9.1.9'
346 user:'root'
347 uid: 0
348 group:'root'
349 gid: 0
350 description:'/etc/group must be owned by root'
351
352
353
354 sysctl:
355 bad_error_message_protection:
356 data:
357 CentOS-6:
358 - net.ipv4.icmp_ignore_bogus_error_responses:
359 match_output:'1'
360 tag: CIS-4.2.6
361 description: Enable Bad Error Message Protection (Scored)
362 exec_shield:
363 data:
364 CentOS-6:
365 - kernel.exec-shield:
366 match_output:'1'
367 tag: CIS-1.6.2
368 description: Configure ExecShield (Scored)
369 icmp_redirect_acceptance:
370 data:
371 CentOS-6:
372 - net.ipv4.conf.all.accept_redirects:
373 match_output:'0'
374 tag: CIS-4.2.2
375 - net.ipv4.conf.default.accept_redirects:
376 match_output:'0'
377 tag: CIS-4.2.2
378 description: Disable ICMP Redirect Acceptance (Scored)
379 ignore_broadcast_requests:
380 data:
381 CentOS-6:
382 - net.ipv4.icmp_echo_ignore_broadcasts:
383 match_output:'1'
384 tag: CIS-4.2.5
385 description: Enable Ignore Broadcast Requests (Scored)
386 ip_forwarding:
26 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1
387 data:
388 CentOS-6:
389 - net.ipv4.ip_forward:
390 match_output:'0'
391 tag: CIS-4.1.1
392 description: Disable IP Forwarding (Scored)
393 log_suspicious_packets:
394 data:
395 CentOS-6:
396 - net.ipv4.conf.all.log_martians:
397 match_output:'1'
398 tag: CIS-4.2.4
399 - net.ipv4.conf.default.log_martians:
400 match_output:'1'
401 tag: CIS-4.2.4
402 description: Log Suspicious Activity (Scored)
403 randomize_va_space:
404 data:
405 CentOS-6:
406 - kernel.randomize_va_space:
407 match_output:'2'
408 tag: CIS-1.6.3
409 description: Enable Randomized Virtual Memory Region Placement (Scored)
410 send_packet_redirect:
411 data:
412 CentOS-6:
413 - net.ipv4.conf.all.send_redirects:
414 match_output:'0'
415 tag: CIS-4.1.2
416 - net.ipv4.conf.default.send_redirects:
417 match_output:'0'
418 tag: CIS-4.1.2
419 description: Disable Send Packet Redirect (Scored)
420 source_routed_packet_acceptance:
421 data:
422 CentOS-6:
423 - net.ipv4.conf.all.accept_source_route:
424 match_output:'0'
425 tag: CIS-4.2.1
426 - net.ipv4.conf.default.accept_source_route:
427 match_output:'0'
428 tag: CIS-4.2.1
429 description: Disable Source Routed Packet Acceptance (Scored)
430 tcp_syn_cookies:
431 data:
432 CentOS-6:
433 - net.ipv4.tcp_syncookies:
434 match_output:'1'
435 tag: CIS-4.2.8
436 description: Enable TCP SYN cookies (Scored)
437
438
439 grep:
440 whitelist:
441
442 fstab_tmp_partition:
443 data:
444 CentOS-6:
1.4. Quasar 27 HubbleStack Documentation, Release 2016.7.1
445 -'/etc/fstab':
446 tag:'CIS-1.1.1'
447 pattern:'/tmp'
448 description:'Create Separate Partition for /tmp (Scored)'
449
450 fstab_tmp_partition_nodev:
451 data:
452 CentOS-6:
453 -'/etc/fstab':
454 tag:'CIS-1.1.2'
455 pattern:'/tmp'
456 match_output:'nodev'
457 description:'Set nodev option for /tmp Partition (Scored)'
458
459 fstab_tmp_partition_nosuid:
460 data:
461 CentOS-6:
462 -'/etc/fstab':
463 tag:'CIS-1.1.3'
464 pattern:'/tmp'
465 match_output:'nosuid'
466 description:'Set nosuid option for /tmp Partition (Scored)'
467
468 fstab_tmp_partition_noexec:
469 data:
470 CentOS-6:
471 -'/etc/fstab':
472 tag:'CIS-1.1.4'
473 pattern:'/tmp'
474 match_output:'noexec'
475 description:'Set noexec option for /tmp Partition (Scored)'
476
477 fstab_var_partition:
478 data:
479 CentOS-6:
480 -'/etc/fstab':
481 tag:'CIS-1.1.5'
482 pattern:'/var'
483 description:'Create Separate Partition for /var (Scored)'
484
485 fstab_var_tmp_bind_mount:
486 data:
487 CentOS-6:
488 -'/etc/fstab':
489 tag:'CIS-1.1.6'
490 pattern:'/tmp'
491 match_output:'/var/tmp'
492 description:'Bind Mount the /var/tmp directory to /tmp (Scored)'
493
494 fstab_var_log_partition:
495 data:
496 CentOS-6:
497 -'/etc/fstab':
498 tag:'CIS-1.1.7'
499 pattern:'/var/log'
500 description:'Create Separate Partition for /var/log (Scored)'
501
502 fstab_var_log_audit_partition:
28 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1
503 data:
504 CentOS-6:
505 -'/etc/fstab':
506 tag:'CIS-1.1.8'
507 pattern:'/var/log/audit'
508 description:'Create Separate Partition for /var/log/audit (Scored)'
509
510 fstab_home_partition:
511 data:
512 CentOS-6:
513 -'/etc/fstab':
514 tag:'CIS-1.1.9'
515 pattern:'/home'
516 description:'Create Separate Partition for /home (Scored)'
517
518 fstab_home_partition_nodev:
519 data:
520 CentOS-6:
521 -'/etc/fstab':
522 tag:'CIS-1.1.10'
523 pattern:'/home'
524 match_output:'nodev'
525 description:'Add nodev Option to /home (Scored)'
526
527 fstab_dev_shm_partition_nodev:
528 data:
529 CentOS-6:
530 -'/etc/fstab':
531 tag:'CIS-1.1.14'
532 pattern:'/dev/shm'
533 match_output:'nodev'
534 description:'Add nodev Option to /dev/shm Partition (Scored)'
535
536 fstab_dev_shm_partition_nosuid:
537 data:
538 CentOS-6:
539 -'/etc/fstab':
540 tag:'CIS-1.1.15'
541 pattern:'/dev/shm'
542 match_output:'nosuid'
543 description:'Add nosuid Option to /dev/shm Partition (Scored)'
544
545 fstab_dev_shm_partition_noexec:
546 data:
547 CentOS-6:
548 -'/etc/fstab':
549 tag:'CIS-1.1.16'
550 pattern:'/dev/shm'
551 match_output:'noexec'
552 description:'Add noexec Option to /dev/shm Partition (Scored)'
553
554 activate_gpg_check:
555 data:
556 CentOS-6:
557 -'/etc/yum.conf':
558 tag:'CIS-1.2.2'
559 pattern:'gpgcheck'
560 match_output:'gpgcheck=1'
1.4. Quasar 29 HubbleStack Documentation, Release 2016.7.1
561 description:'Verify that gpgcheck is Globally Activated (Scored)'
562
563 boot_loader_passwd:
564 data:
565 'CentOS-6':
566 -'/etc/grub.conf':
567 tag:'CIS-1.5.3'
568 pattern:'^password'
569 description:'Set Boot Loader Password (Scored)'
570
571 restrict_core_dumps:
572 data:
573 'CentOS-6':
574 -'/etc/security/limits.conf':
575 tag:'CIS-1.6.1'
576 pattern:'hard core'
577 description:'Restrict Core Dumps (Scored)'
578
579 set_daemon_umask:
580 data:
581 'CentOS-6':
582 -'/etc/sysconfig/init':
583 tag:'CIS-3.1'
584 pattern:'umask'
585 match_output:'umask 027'
586 description:'Set Daemon umask (Scored)'
587
588 configure_ntp:
589 data:
590 'CentOS-6':
591 -'/etc/ntp.conf':
592 tag:'CIS-3.6'
593 pattern:'restrict default'
594 -'/etc/ntp.conf':
595 tag:'CIS-3.6'
596 pattern:'restrict -6 default'
597 -'/etc/ntp.conf':
598 tag:'CIS-3.6'
599 pattern:'^server'
600 -'/etc/sysconfig/ntpd':
601 tag:'CIS-3.6'
602 pattern:'ntp:ntp'
603 description:'Configure Network Time Protocol (NTP) (Scored)'
604
605 rsyslog_remote_logging:
606 data:
607 'CentOS-6':
608 -'/etc/rsyslog.conf':
609 tag:'CIS-5.1.5' 610 pattern:"^ *.*[^I][^I]*@" 611 description:'Configure rsyslog to Send Logs toa Remote Log Host (Scored)'
612
613 sshd_protocol_2:
614 data:
615 'CentOS-6':
616 -'/etc/ssh/sshd_config':
617 tag:'CIS-6.2.1'
618 pattern:"^Protocol"
30 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1
619 match_output:'Protocol2'
620 description:'Set SSH Protocol to2 (Scored)'
621
622 sshd_loglevel_info:
623 data:
624 'CentOS-6':
625 -'/etc/ssh/sshd_config':
626 tag:'CIS-6.2.2'
627 pattern:"^LogLevel"
628 match_output:'LogLevel INFO'
629 description:'Set LogLevel to INFO (Scored)'
630
631 sshd_x11_forwarding:
632 data:
633 'CentOS-6':
634 -'/etc/ssh/sshd_config':
635 tag:'CIS-6.2.4'
636 pattern:"^X11Forwarding"
637 match_output:'X11Forwarding no'
638 description:'Disable SSH X11 Forwarding (Scored)'
639
640 # NOTE: Need to update this entry to reflect your organization's password policy
641 sshd_max_auth_retries:
642 data:
643 'CentOS-6':
644 -'/etc/ssh/sshd_config':
645 tag:'CIS-6.2.5'
646 pattern:"^MaxAuthTries"
647 match_output:"MaxAuthTries4"
648 description:'Set SSH MaxAuthTries to4 or Less (Scored)'
649
650 sshd_ignore_rhosts:
651 data:
652 'CentOS-6':
653 -'/etc/ssh/sshd_config':
654 tag:'CIS-6.2.6'
655 pattern:"^IgnoreRhosts"
656 match_output:"IgnoreRhosts yes"
657 description:'Set SSH IgnoreRhosts to Yes (Scored)'
658
659 sshd_hostbased_auth:
660 data:
661 'CentOS-6':
662 -'/etc/ssh/sshd_config':
663 tag:'CIS-6.2.7'
664 pattern:"^HostbasedAuthentication"
665 match_output:"HostbasedAuthentication no"
666 description:'Set SSH HostbasedAuthentication to No (Scored)'
667
668 sshd_disable_root_login:
669 data:
670 'CentOS-6':
671 -'/etc/ssh/sshd_config':
672 tag:'CIS-6.2.8'
673 pattern:"^PermitRootLogin"
674 match_output:"PermitRootLogin no"
675 description:'Set SSH HostbasedAuthentication to No (Scored)'
676
1.4. Quasar 31 HubbleStack Documentation, Release 2016.7.1
677 sshd_permit_empty_passwords:
678 data:
679 'CentOS-6':
680 -'/etc/ssh/sshd_config':
681 tag:'CIS-6.2.9'
682 pattern:"^PermitEmptyPasswords"
683 match_output:"PermitEmptyPasswords no"
684 description:'Set SSH PermitEmptyPasswords to No (Scored)'
685
686 sshd_permit_user_environment:
687 data:
688 'CentOS-6':
689 -'/etc/ssh/sshd_config':
690 tag:'CIS-6.2.10'
691 pattern:"^PermitUserEnvironment"
692 match_output:"PermitUserEnvironment no"
693 description:'Do Not Allow Users to Set Environment Options (Scored)'
694
695 sshd_approved_cipher:
696 data:
697 'CentOS-6':
698 -'/etc/ssh/sshd_config':
699 tag:'CIS-6.2.11'
700 pattern:"Ciphers"
701 match_output:"Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
702 description:'Use Only Approved Cipher in Counter Mode (Scored)'
703
704 sshd_idle_timeout:
705 data:
706 'CentOS-6':
707 -'/etc/ssh/sshd_config':
708 tag:'CIS-6.2.12'
709 pattern:"^ClientAliveInterval"
710 match_output:"ClientAliveInterval 300"
711 -'/etc/ssh/sshd_config':
712 tag:'CIS-6.2.12'
713 pattern:"^ClientAliveCountMax"
714 match_output:"ClientAliveCountMax0"
715 description:'Set Idle Timeout Interval for User Login (Scored)'
716
717 sshd_limit_access:
718 data:
719 'CentOS-6':
720 -'/etc/ssh/sshd_config':
721 tag:'CIS-6.2.13'
722 pattern:'(^AllowUsers)|(^AllowGroups)|(^DenyUsers)|(^DenyGroups)'
723 grep_args:
724 -'-E'
725 description:'Limit Access via SSH (Scored)'
726
727 sshd_banner:
728 data:
729 'CentOS-6':
730 -'/etc/ssh/sshd_config':
731 tag:'CIS-6.2.14'
732 pattern:"^Banner"
733 description:'Set SSH Banner (Scored)'
734
32 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1
735 # NOTE: Need to update this entry to reflect your organization's password policy
736 limit_password_reuse:
737 data:
738 'CentOS-6':
739 -'/etc/pam.d/system-auth':
740 tag:'CIS-6.3.4'
741 pattern:"pam_unix.so"
742 match_output:"remember=5" # number of passwords to remember
743 description:'PAM Password Reuse (Scored)'
744
745 limit_su_command_access:
746 data:
747 'CentOS-6':
748 -'/etc/pam.d/su':
749 tag:'CIS-6.5'
750 pattern:"pam_wheel.so"
751 match_output:"use_uid"
752 -'/etc/group':
753 tag:'CIS-6.5'
754 pattern:"wheel"
755 description:'Limit su command access (Scored)'
756
757 # NOTE: Need to update this entry to reflect your organization's password policy
758 passwd_expiration_days:
759 data:
760 'CentOS-6':
761 -'/etc/login.defs':
762 tag:'CIS-7.1.1'
763 pattern:"PASS_MAX_DAYS"
764 match_output:"90"
765 description:'Set Password Expiration Days (Scored)'
766
767 # NOTE: Need to update this entry to reflect your organization's password policy
768 passwd_change_min_days:
769 data:
770 'CentOS-6':
771 -'/etc/login.defs':
772 tag:'CIS-7.1.2'
773 pattern:"PASS_MIN_DAYS"
774 match_output:"7"
775 description:'Set Password Change Minimum Number of Days (Scored)'
776
777 # NOTE: Need to update this entry to reflect your organization's password policy
778 passwd_expiry_warning:
779 data:
780 'CentOS-6':
781 -'/etc/login.defs':
782 tag:'CIS-7.1.3'
783 pattern:"PASS_WARN_AGE"
784 match_output:"7"
785 description:'Set Password Expiring Warning Days (Scored)'
786
787 default_umask:
788 data:
789 'CentOS-6':
790 -'/etc/bashrc':
791 tag:'CIS-7.4'
792 pattern:"^umask 077"
1.4. Quasar 33 HubbleStack Documentation, Release 2016.7.1
793 -'/etc/profile':
794 tag:'CIS-7.4'
795 pattern:"^umask 077"
796 description:'Set Default umask for Users (Scored)'
797
798 blacklist:
799 legacy_passwd_entries_passwd:
800 data:
801 'CentOS-6':
802 -'/etc/passwd':
803 tag:'CIS-9.2.2'
804 pattern:"^+:"
805 description:'Verify No Legacy "+" Entries Exist in /etc/passwd (Scored)'
806
807 legacy_passwd_entries_shadow:
808 data:
809 'CentOS-6':
810 -'/etc/shadow':
811 tag:'CIS-9.2.3'
812 pattern:"^+:"
813 description:'Verify No Legacy "+" Entries Exist in /etc/shadow (Scored)'
814
815 legacy_passwd_entries_group:
816 data:
817 'CentOS-6':
818 -'/etc/group':
819 tag:'CIS-9.2.4'
820 pattern:"^+:"
821 description:'Verify No Legacy "+" Entries Exist in /etc/group (Scored)'
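The profile above is declarative: each check names a target (a file, a sysctl key), an expected observation (mode, uid/gid, a grep pattern with an optional match_output substring) and a CIS tag, and Nova reports pass or fail per tag. The following added example, which is not Hubble's own code and not one of its nova modules, re-implements those semantics in a small offline evaluator so the pass/fail rules can be seen on constructed input. It mirrors the listing's layout (module, then whitelist/blacklist for grep, then check name, data, OS grain and a list of target items) and runs a constructed fragment against files written to a scratch directory plus a constructed sysctl table. Three things are this example's assumptions rather than statements from the page: null stat attributes are read as "the file must be absent" (the CIS 6.1.11 intent for cron.deny and at.deny); only mode, uid and gid are compared, the user and group names are ignored; and patterns are evaluated with Python's re rather than grep, so the BRE pattern "^+:" from the listing is written r"^\+:".

```python
"""Offline evaluator for the stat, sysctl and grep checks used in the profile above.
Added illustration, not Hubble's own nova modules: it mirrors the profile layout
(module -> [whitelist|blacklist ->] check -> data -> OS grain -> [{target: attrs}]) and
runs a constructed fragment against a scratch directory and a constructed sysctl table."""
import os
import re
import stat
import tempfile

OS_GRAIN = "CentOS-6"  # grain key used by the profile above
ME = os.getuid()       # stands in for root's uid 0 inside the scratch directory

# Constructed fragment mirroring entries from the listing (not the full profile).
# Assumption: null attributes mean "the file must be absent" (the CIS-6.1.11 intent).
PROFILE = {
    "stat": {
        "sshd_config": {"data": {OS_GRAIN: [{"/etc/ssh/sshd_config": {
            "tag": "CIS-6.2.3", "mode": 600, "uid": ME}}]}},
        "at_cron_allow": {"data": {OS_GRAIN: [
            {"/etc/cron.deny": {"tag": "CIS-6.1.11", "mode": None, "uid": None, "gid": None}},
            {"/etc/cron.allow": {"tag": "CIS-6.1.11", "mode": 600, "uid": ME}},
        ]}},
    },
    "sysctl": {
        "ip_forwarding": {"data": {OS_GRAIN: [
            {"net.ipv4.ip_forward": {"match_output": "0", "tag": "CIS-4.1.1"}}]}},
    },
    "grep": {
        "whitelist": {
            "sshd_protocol_2": {"data": {OS_GRAIN: [{"/etc/ssh/sshd_config": {
                "tag": "CIS-6.2.1", "pattern": "^Protocol", "match_output": "Protocol 2"}}]}},
            "sshd_x11_forwarding": {"data": {OS_GRAIN: [{"/etc/ssh/sshd_config": {
                "tag": "CIS-6.2.4", "pattern": "^X11Forwarding", "match_output": "X11Forwarding no"}}]}},
        },
        "blacklist": {  # Python re needs the '+' escaped; grep's BRE '^+:' takes it literally
            "legacy_passwd_entries_passwd": {"data": {OS_GRAIN: [{"/etc/passwd": {
                "tag": "CIS-9.2.2", "pattern": r"^\+:"}}]}},
        },
    },
}

def check_stat(path, item):
    """Compare mode/uid/gid (user/group names ignored); modes like 644 are octal digits."""
    expect = {k: item[k] for k in ("mode", "uid", "gid") if k in item}
    if expect and all(v is None for v in expect.values()):
        return not os.path.exists(path)             # null attributes: file must be absent
    if not os.path.exists(path):
        return False
    st = os.stat(path)
    actual = {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid, "gid": st.st_gid}
    want = {k: int(str(v), 8) if k == "mode" else v for k, v in expect.items() if v is not None}
    return all(actual[k] == v for k, v in want.items())

def grep_lines(path, pattern):
    """Lines of `path` matching `pattern`; a missing file matches nothing."""
    try:
        with open(path) as fh:
            return [ln for ln in fh.read().splitlines() if re.search(pattern, ln)]
    except FileNotFoundError:
        return []

def run_profile(profile, root, sysctl_values, os_grain=OS_GRAIN):
    """Return {'passed': [...], 'failed': [...]} with entries 'tag check target'.
    File paths are joined under `root`, so the run never touches the real /etc."""
    result = {"passed": [], "failed": []}
    for module, body in profile.items():
        sections = body.items() if module == "grep" else [("whitelist", body)]
        for kind, checks in sections:
            for name, check in checks.items():
                for entry in check.get("data", {}).get(os_grain, []):
                    (target, item), = entry.items()
                    fs_path = os.path.join(root, target.lstrip("/"))
                    if module == "stat":
                        ok = check_stat(fs_path, item)
                    elif module == "sysctl":
                        ok = str(sysctl_values.get(target)) == str(item["match_output"])
                    else:
                        hits = grep_lines(fs_path, item["pattern"])
                        want = item.get("match_output")
                        ok = (not hits if kind == "blacklist"    # blacklist: nothing may match
                              else bool(hits) and (want is None or any(want in h for h in hits)))
                    result["passed" if ok else "failed"].append(f"{item['tag']} {name} {target}")
    return result

def demo():
    """Constructed fixture files (not real system files) in a scratch dir, then the run."""
    with tempfile.TemporaryDirectory() as root:
        def put(rel, text, mode):
            path = os.path.join(root, rel.lstrip("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, mode)
        # "Protocol 2,1" still contains "Protocol 2": CIS-6.2.1 passes although SSHv1 is on
        put("/etc/ssh/sshd_config", "Protocol 2,1\nX11Forwarding yes\n", 0o600)
        put("/etc/cron.allow", "root\n", 0o644)   # 644 fails the expected 600
        put("/etc/passwd", "root:x:0:0:root:/root:/bin/bash\n+::::::\n", 0o644)  # legacy '+'
        # /etc/cron.deny is deliberately absent, as CIS-6.1.11 expects
        return run_profile(PROFILE, root, {"net.ipv4.ip_forward": "0"})
```

Calling demo() returns four passes (sshd_config ownership and mode, the absent cron.deny, ip_forward, and the Protocol check) and three failures (cron.allow at 644, X11Forwarding yes, and the legacy "+" line in passwd). The Protocol result is the caveat worth remembering when writing grep checks: match_output is a substring test on the line that matched pattern, so "Protocol 2,1" satisfies "Protocol 2" even though SSH protocol 1 is still enabled. A pattern that anchors the whole value, for example "^Protocol 2$", closes that gap.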
cis-centos-7-level-1-scored-v1
Multiple profiles can be combined to create more comprehensive profiles. Common examples include the CIS and STIG profiles:
grep:
  blacklist:
    legacy_passwd_entries_group:
      data:
        CentOS Linux-7:
          - /etc/group:
              pattern: '^+:'
              tag: CIS-9.2.4
      description: Verify No Legacy "+" Entries Exist in /etc/group (Scored)
    legacy_passwd_entries_passwd:
      data:
        CentOS Linux-7:
          - /etc/passwd:
              pattern: '^+:'
              tag: CIS-9.2.2
      description: Verify No Legacy "+" Entries Exist in /etc/passwd (Scored)
    legacy_passwd_entries_shadow:
      data:
        CentOS Linux-7:
          - /etc/shadow:
              pattern: '^+:'
              tag: CIS-9.2.3
      description: Verify No Legacy "+" Entries Exist in /etc/shadow (Scored)
  whitelist:
    activate_gpg_check:
      data:
        CentOS Linux-7:
          - /etc/yum.conf:
              match_output: gpgcheck=1
              pattern: gpgcheck
              tag: CIS-1.2.2
      description: Verify that gpgcheck is Globally Activated (Scored)
    boot_loader_passwd:
      data:
        CentOS Linux-7:
          - /boot/grub2/grub.cfg:
              pattern: ^password
              tag: CIS-1.5.3
      description: Set Boot Loader Password (Scored)
    configure_ntp:
      data:
        CentOS Linux-7:
          - /etc/ntp.conf:
              pattern: restrict default
              tag: CIS-3.6
          - /etc/ntp.conf:
              pattern: restrict -6 default
              tag: CIS-3.6
          - '/etc/ntp.conf':
              tag: 'CIS-3.6'
              pattern: '^server'
          - '/etc/sysconfig/ntpd':
              tag: 'CIS-3.6'
              pattern: 'ntp:ntp'
      description: Configure Network Time Protocol (NTP) (Scored)
    default_umask:
      data:
        CentOS Linux-7:
          - /etc/bashrc:
              pattern: ^umask 077
              tag: CIS-7.4
          - /etc/profile.d/*:
              pattern: ^umask 077
              tag: CIS-7.4
      description: Set Default umask for Users (Scored)
    fstab_dev_shm_partition_nodev:
      data:
        CentOS Linux-7:
          - /etc/fstab:
              match_output: nodev
              pattern: /dev/shm
              tag: CIS-1.1.14
      description: Add nodev Option to /dev/shm Partition (Scored)
    fstab_dev_shm_partition_noexec:
      data:
        CentOS Linux-7:
          - /etc/fstab:
              match_output: noexec
              pattern: /dev/shm
              tag: CIS-1.1.16
      description: Add noexec Option to /dev/shm Partition (Scored)
    fstab_dev_shm_partition_nosuid:
      data:
        CentOS Linux-7:
          - /etc/fstab:
              match_output: nosuid
              pattern: /dev/shm
              tag: CIS-1.1.15
      description: Add nosuid Option to /dev/shm Partition (Scored)
    fstab_home_partition:
      data:
        CentOS Linux-7:
          - /etc/fstab:
              pattern: /home
              tag: CIS-1.1.9
      description: Create Separate Partition for /home (Scored)
    fstab_home_partition_nodev:
      data:
        CentOS Linux-7:
          - /etc/fstab:
              match_output: nodev
              pattern: /home
              tag: CIS-1.1.10
      description: Add nodev Option to /home (Scored)
    fstab_tmp_partition:
      data:
        CentOS Linux-7:
          - /etc/fstab:
              pattern: /tmp
              tag: CIS-1.1.1
      description: Create Separate Partition for /tmp (Scored)
    fstab_tmp_partition_nodev:
      data:
        CentOS Linux-7:
          - /etc/fstab:
              match_output: nodev
              pattern: /tmp
              tag: CIS-1.1.2
      description: Set nodev option for /tmp Partition (Scored)
    fstab_tmp_partition_noexec:
      data:
        CentOS Linux-7:
          - /etc/fstab:
              match_output: noexec
              pattern: /tmp
              tag: CIS-1.1.4
      description: Set noexec option for /tmp Partition (Scored)
    fstab_tmp_partition_nosuid:
      data:
        CentOS Linux-7:
          - /etc/fstab:
              match_output: nosuid
              pattern: /tmp
              tag: CIS-1.1.3
      description: Set nosuid option for /tmp Partition (Scored)
    fstab_var_log_audit_partition:
      data:
        CentOS Linux-7:
          - /etc/fstab:
              pattern: /var/log/audit
              tag: CIS-1.1.8
      description: Create Separate Partition for /var/log/audit (Scored)
    fstab_var_log_partition:
      data:
        CentOS Linux-7:
          - /etc/fstab:
              pattern: /var/log
              tag: CIS-1.1.7
      description: Create Separate Partition for /var/log (Scored)
    fstab_var_partition:
      data:
        CentOS Linux-7:
          - /etc/fstab:
              pattern: /var
              tag: CIS-1.1.5
      description: Create Separate Partition for /var (Scored)
    fstab_var_tmp_bind_mount:
      data:
        CentOS Linux-7:
          - /etc/fstab:
              match_output: /var/tmp
              pattern: /tmp
              tag: CIS-1.1.6
      description: Bind Mount the /var/tmp directory to /tmp (Scored)
    limit_password_reuse:
      data:
        CentOS Linux-7:
          - /etc/pam.d/system-auth:
              match_output: remember=5
              pattern: pam_unix.so
              tag: CIS-6.3.4
      description: PAM Password Reuse (Scored)
    limit_su_command_access:
      data:
        CentOS Linux-7:
          - /etc/pam.d/su:
              match_output: use_uid
              pattern: pam_wheel.so
              tag: CIS-6.5
          - /etc/group:
              pattern: wheel
              tag: CIS-6.5
      description: Limit su command access (Scored)
    pam_cracklib_try_first_pass:
      data: {}
      description: PAM cracklib policy (Scored)
    passwd_change_min_days:
      data:
        CentOS Linux-7:
          - /etc/login.defs:
              match_output: '7'
              pattern: PASS_MIN_DAYS
              tag: CIS-7.1.2
      description: Set Password Change Minimum Number of Days (Scored)
    passwd_expiration_days:
      data:
        CentOS Linux-7:
          - /etc/login.defs:
              match_output: '90'
              pattern: PASS_MAX_DAYS
              tag: CIS-7.1.1
      description: Set Password Expiration Days (Scored)
    passwd_expiry_warning:
      data:
        CentOS Linux-7:
          - /etc/login.defs:
              match_output: '7'
              pattern: PASS_WARN_AGE
              tag: CIS-7.1.3
      description: Set Password Expiring Warning Days (Scored)
    restrict_core_dumps:
      data:
        CentOS Linux-7:
          - /etc/security/limits.conf:
              pattern: hard core
              tag: CIS-1.6.1
      description: Restrict Core Dumps (Scored)
    rsyslog_remote_logging:
      data:
        CentOS Linux-7:
          - /etc/rsyslog.conf:
              pattern: ^*.*[^I][^I]*@
              tag: CIS-5.1.5
      description: Configure rsyslog to Send Logs to a Remote Log Host (Scored)
    set_daemon_umask:
      data:
        CentOS Linux-7:
          - /etc/sysconfig/init:
              match_output: umask 027
              pattern: umask
              tag: CIS-3.1
      description: Set Daemon umask (Scored)
    sshd_approved_cipher:
      data:
        CentOS Linux-7:
          - /etc/ssh/sshd_config:
              match_output: 'Ciphers aes128-ctr,aes192-ctr,aes256-ctr'
              pattern: Ciphers
              tag: CIS-6.2.11
      description: Use Only Approved Cipher in Counter Mode (Scored)
    sshd_banner:
      data:
        CentOS Linux-7:
          - /etc/ssh/sshd_config:
              pattern: ^Banner
              tag: CIS-6.2.14
      description: Set SSH Banner (Scored)
    sshd_disable_root_login:
      data:
        CentOS Linux-7:
          - /etc/ssh/sshd_config:
              match_output: PermitRootLogin no
              pattern: ^PermitRootLogin
              tag: CIS-6.2.8
      description: Set SSH PermitRootLogin to No (Scored)
    sshd_hostbased_auth:
      data:
        CentOS Linux-7:
          - /etc/ssh/sshd_config:
              match_output: HostbasedAuthentication no
              pattern: ^HostbasedAuthentication
              tag: CIS-6.2.7
      description: Set SSH HostbasedAuthentication to No (Scored)
    sshd_idle_timeout:
      data:
        CentOS Linux-7:
          - /etc/ssh/sshd_config:
              match_output: ClientAliveInterval 300
              pattern: ^ClientAliveInterval
              tag: CIS-6.2.12
          - /etc/ssh/sshd_config:
              match_output: ClientAliveCountMax 0
              pattern: ^ClientAliveCountMax
              tag: CIS-6.2.12
      description: Set Idle Timeout Interval for User Login (Scored)
    sshd_ignore_rhosts:
      data:
        CentOS Linux-7:
          - /etc/ssh/sshd_config:
              match_output: IgnoreRhosts yes
              pattern: ^IgnoreRhosts
              tag: CIS-6.2.6
      description: Set SSH IgnoreRhosts to Yes (Scored)
    sshd_limit_access:
      data:
        CentOS Linux-7:
          - /etc/ssh/sshd_config:
              pattern: ^AllowUsers
              tag: CIS-6.2.13
          - /etc/ssh/sshd_config:
              pattern: ^AllowGroups
              tag: CIS-6.2.13
          - /etc/ssh/sshd_config:
              pattern: ^DenyUsers
              tag: CIS-6.2.13
          - /etc/ssh/sshd_config:
              pattern: ^DenyGroups
              tag: CIS-6.2.13
      description: Limit Access via SSH (Scored)
    sshd_loglevel_info:
      data:
        CentOS Linux-7:
          - /etc/ssh/sshd_config:
              match_output: LogLevel INFO
              pattern: ^LogLevel
              tag: CIS-6.2.2
      description: Set LogLevel to INFO (Scored)
    sshd_max_auth_retries:
      data:
        CentOS Linux-7:
          - /etc/ssh/sshd_config:
              match_output: MaxAuthTries 4
              pattern: ^MaxAuthTries
              tag: CIS-6.2.5
      description: Set SSH MaxAuthTries to 4 or Less (Scored)
    sshd_permit_empty_passwords:
      data:
        CentOS Linux-7:
          - /etc/ssh/sshd_config:
              match_output: PermitEmptyPasswords no
              pattern: ^PermitEmptyPasswords
              tag: CIS-6.2.9
      description: Set SSH PermitEmptyPasswords to No (Scored)
    sshd_permit_user_environment:
      data:
        CentOS Linux-7:
          - /etc/ssh/sshd_config:
              match_output: PermitUserEnvironment no
              pattern: ^PermitUserEnvironment
              tag: CIS-6.2.10
      description: Do Not Allow Users to Set Environment Options (Scored)
    sshd_protocol_2:
      data:
        CentOS Linux-7:
          - /etc/ssh/sshd_config:
              match_output: Protocol 2
              pattern: ^Protocol
              tag: CIS-6.2.1
      description: Set SSH Protocol to 2 (Scored)
    sshd_x11_forwarding:
      data:
        CentOS Linux-7:
          - /etc/ssh/sshd_config:
              match_output: X11Forwarding no
              pattern: ^X11Forwarding
              tag: CIS-6.2.4
      description: Disable SSH X11 Forwarding (Scored)
pkg:
  blacklist:
    avahi-daemon:
      data:
        CentOS Linux-7:
          - avahi-daemon: CIS-3.3
      description: Disable Avahi Server (Scored)
    dhcp:
      data:
        CentOS Linux-7:
          - dhcp: CIS-3.5
      description: Remove DHCP server (Scored)
    nis:
      data:
        CentOS Linux-7:
          - ypbind: CIS-2.1.5
          - ypserv: CIS-2.1.6
      description: Remove nis client and nis server (Scored)
    rsh:
      data:
        CentOS Linux-7:
          - rsh-server: CIS-2.1.3
          - rsh: CIS-2.1.4
      description: Remove rsh and rsh-server (Scored)
    talk:
      data:
        CentOS Linux-7:
          - talk: CIS-2.1.9
          - talk-server: CIS-2.1.10
      description: Remove talk and talk-server (Scored)
    telnet:
      data:
        CentOS Linux-7:
          - telnet-server: CIS-2.1.1
          - telnet: CIS-2.1.2
      description: Remove telnet and telnet-server (Scored)
    tftp:
      data:
        CentOS Linux-7:
          - tftp: CIS-2.1.7
          - tftp-server: CIS-2.1.8
      description: Remove tftp and tftp-server (Scored)
    xinetd:
      data:
        CentOS Linux-7:
          - xinetd: CIS-2.1.11
      description: Remove xinetd (Scored)
    xorg-x11-server-common:
      data:
        CentOS Linux-7:
          - xorg-x11-server-common: CIS-3.2
      description: Remove the X Window System (Scored)
  whitelist:
    aide:
      data:
        CentOS Linux-7:
          - aide: CIS-1.3.1
      description: Install AIDE (Scored)
    anacron:
      data:
        CentOS Linux-7:
          - cronie-anacron: CIS-6.1.1
      description: Enable anacron Daemon (Scored)
    firewalld:
      data:
        CentOS Linux-7:
          - firewalld: CIS-4.7_installed
      description: Enable firewalld (Scored)
    iptables:
      data: {}
      description: Install IPtables (Scored)
    rsyslog:
      data:
        CentOS Linux-7:
          - rsyslog: CIS-5.1.1
      description: Install rsyslog (Scored)
stat:
  anacrontab:
    data:
      CentOS Linux-7:
        - /etc/anacrontab:
            gid: 0
            group: root
            mode: 600
            tag: CIS-6.1.3
            uid: 0
            user: root
    description: /etc/anacrontab must be owned by root and must have permissions 600 (Scored)
  at_allow:
    data:
      CentOS Linux-7:
        - /etc/at.allow:
            gid: 0
            group: root
            mode: 600
            tag: CIS-6.1.10
            uid: 0
            user: root
    description: /etc/at.allow must be owned by root and have permissions 600 (Scored)
  at_cron_allow:
    data:
      CentOS Linux-7:
        - /etc/cron.deny:
            gid: null
            group: null
            mode: null
            tag: CIS-6.1.11
            uid: null
            user: null
        - /etc/at.deny:
            gid: null
            group: null
            mode: null
            tag: CIS-6.1.11
            uid: null
            user: null
        - /etc/cron.allow:
            gid: 0
            group: root
            mode: 600
            tag: CIS-6.1.11
            uid: 0
            user: root
        - /etc/at.allow:
            gid: 0
            group: root
            mode: 600
            tag: CIS-6.1.11
            uid: 0
            user: root
    description: Restrict at/cron to authorized users (Scored)
  cron_d:
    data:
      CentOS Linux-7:
        - /etc/cron.d:
            gid: 0
            group: root
            mode: 700
            tag: CIS-6.1.9
            uid: 0
            user: root
    description: /etc/cron.d must be owned by root and must have permissions 700 (Scored)
  cron_daily:
    data:
      CentOS Linux-7:
        - /etc/cron.daily:
            gid: 0
            group: root
            mode: 700
            tag: CIS-6.1.6
            uid: 0
            user: root
    description: /etc/cron.daily must be owned by root and must have permissions 700 (Scored)
  cron_hourly:
    data:
      CentOS Linux-7:
        - /etc/cron.hourly:
            gid: 0
            group: root
            mode: 700
            tag: CIS-6.1.5
            uid: 0
            user: root
    description: /etc/cron.hourly must be owned by root and must have permissions 700 (Scored)
  cron_monthly:
    data:
      CentOS Linux-7:
        - /etc/cron.monthly:
            gid: 0
            group: root
            mode: 700
            tag: CIS-6.1.8
            uid: 0
            user: root
    description: /etc/cron.monthly must be owned by root and must have permissions 700 (Scored)
  cron_weekly:
    data:
      CentOS Linux-7:
        - /etc/cron.weekly:
            gid: 0
            group: root
            mode: 700
            tag: CIS-6.1.7
            uid: 0
            user: root
    description: /etc/cron.weekly must be owned by root and must have permissions 700 (Scored)
  crontab:
    data:
      CentOS Linux-7:
        - /etc/crontab:
            gid: 0
            group: root
            mode: 600
            tag: CIS-6.1.4
            uid: 0
            user: root
    description: /etc/crontab must be owned by root and have permissions 600 (Scored)
  group_own:
    data:
      CentOS Linux-7:
        - /etc/group:
            gid: 0
            group: root
            tag: CIS-9.1.9
            uid: 0
            user: root
    description: /etc/group must be owned by root (Scored)
  group_perm:
    data:
      CentOS Linux-7:
        - /etc/group:
            mode: 644
            tag: CIS-9.1.5
    description: /etc/group must have permissions 644 (Scored)
  grub_conf_own:
    data:
      CentOS Linux-7:
        - /etc/grub2/grub.cfg:
            gid: 0
            group: root
            tag: CIS-1.5.1
            uid: 0
            user: root
    description: Grub must be owned by root (Scored)
  grub_conf_perm:
    data:
      CentOS Linux-7:
        - /etc/grub2/grub.cfg:
            mode: 600
            tag: CIS-1.5.2
    description: Grub must have permissions 600 (Scored)
  gshadow_own:
    data:
      CentOS Linux-7:
        - /etc/gshadow:
            gid: 0
            group: root
            tag: CIS-9.1.8
            uid: 0
            user: root
    description: /etc/gshadow must be owned by root (Scored)
  gshadow_perm:
    data:
      CentOS Linux-7:
        - /etc/gshadow:
            mode: 0
            tag: CIS-9.1.4
    description: /etc/gshadow must have permissions 000 (Scored)
  hosts_allow:
    data:
      CentOS Linux-7:
        - /etc/hosts.allow:
            mode: 644
            tag: CIS-4.5.3
    description: /etc/hosts.allow must have permissions 644 (Scored)
  hosts_deny:
    data:
      CentOS Linux-7:
        - /etc/hosts.deny:
            mode: 644
            tag: CIS-4.5.5
    description: /etc/hosts.deny must have permissions 644 (Scored)
  passwd_own:
    data:
      CentOS Linux-7:
        - /etc/passwd:
            gid: 0
            group: root
            tag: CIS-9.1.6
            uid: 0
            user: root
    description: /etc/passwd must be owned by root (Scored)
  passwd_perm:
    data:
      CentOS Linux-7:
        - /etc/passwd:
            mode: 644
            tag: CIS-9.1.2
    description: /etc/passwd must have permissions 644 (Scored)
  shadow_own:
    data:
      CentOS Linux-7:
        - /etc/shadow:
            gid: 0
            group: root
            tag: CIS-9.1.7
            uid: 0
            user: root
    description: /etc/shadow must be owned by root (Scored)
  shadow_perm:
    data:
      CentOS Linux-7:
        - /etc/shadow:
            mode: 0
            tag: CIS-9.1.3
    description: /etc/shadow must have permissions 000 (Scored)
  sshd_config:
    data:
      CentOS Linux-7:
        - /etc/ssh/sshd_config:
            gid: 0
            group: root
            mode: 600
            tag: CIS-6.2.3
            uid: 0
            user: root
    description: /etc/ssh/sshd_config must be owned by root and must have permissions 600 (Scored)
  warning_banner:
    data:
      CentOS Linux-7:
        - /etc/motd:
            gid: 0
            group: root
            mode: 644
            tag: CIS-8.1
            uid: 0
            user: root
        - /etc/issue:
            gid: 0
            group: root
            mode: 644
            tag: CIS-8.1
            uid: 0
            user: root
        - /etc/issue.net:
            gid: 0
            group: root
            mode: 644
            tag: CIS-8.1
            uid: 0
            user: root
    description: Files containing the warning banners must be owned by root and must have permissions 644 (Scored)
sysctl:
  bad_error_message_protection:
    data:
      CentOS Linux-7:
        - net.ipv4.icmp_ignore_bogus_error_responses:
            match_output: '1'
            tag: CIS-4.2.6
    description: Enable Bad Error Message Protection (Scored)
  exec_shield:
    data: {}
    description: Configure ExecShield (Scored)
  icmp_redirect_acceptance:
    data:
      CentOS Linux-7:
        - net.ipv4.conf.all.accept_redirects:
            match_output: '0'
            tag: CIS-4.2.2
        - net.ipv4.conf.default.accept_redirects:
            match_output: '0'
            tag: CIS-4.2.2
    description: Disable ICMP Redirect Acceptance (Scored)
  ignore_broadcast_requests:
    data:
      CentOS Linux-7:
        - net.ipv4.icmp_echo_ignore_broadcasts:
            match_output: '1'
            tag: CIS-4.2.5
    description: Enable Ignore Broadcast Requests (Scored)
  ip_forwarding:
    data:
      CentOS Linux-7:
        - net.ipv4.ip_forward:
            match_output: '0'
            tag: CIS-4.1.1
    description: Disable IP Forwarding (Scored)
  log_suspicious_packets:
    data:
      CentOS Linux-7:
        - net.ipv4.conf.all.log_martians:
            match_output: '1'
            tag: CIS-4.2.4
        - net.ipv4.conf.default.log_martians:
            match_output: '1'
            tag: CIS-4.2.4
    description: Log Suspicious Activity (Scored)
  randomize_va_space:
    data:
      CentOS Linux-7:
538 700 (Scored)
539 crontab:
540 data:
541 CentOS Linux-7:
1.4. Quasar 43 HubbleStack Documentation, Release 2016.7.1
542 - /etc/crontab:
543 gid: 0
544 group: root
545 mode: 600
546 tag: CIS-6.1.4
547 uid: 0
548 user: root
549 description: /etc/crontab must be owned by root and have persmissions 600 (Scored)
550 group_own:
551 data:
552 CentOS Linux-7:
553 - /etc/group:
554 gid: 0
555 group: root
556 tag: CIS-9.1.9
557 uid: 0
558 user: root
559 description: /etc/group must be owned by root (Scored)
560 group_perm:
561 data:
562 CentOS Linux-7:
563 - /etc/group:
564 mode: 644
565 tag: CIS-9.1.5
    description: /etc/group must have permissions 000 (Scored)
  grub_conf_own:
    data:
      CentOS Linux-7:
        - /etc/grub2/grub.cfg:
            gid: 0
            group: root
            tag: CIS-1.5.1
            uid: 0
            user: root
    description: Grub must be owned by root (Scored)
  grub_conf_perm:
    data:
      CentOS Linux-7:
        - /etc/grub2/grub.cfg:
            mode: 600
            tag: CIS-1.5.2
    description: Grub must have permissions 600 (Scored)
  gshadow_own:
    data:
      CentOS Linux-7:
        - /etc/gshadow:
            gid: 0
            group: root
            tag: CIS-9.1.8
            uid: 0
            user: root
    description: /etc/gshadow must be owned by root (Scored)
  gshadow_perm:
    data:
      CentOS Linux-7:
        - /etc/gshadow:
            mode: 0
            tag: CIS-9.1.4
    description: /etc/gshadow must have permissions 000 (Scored)
  hosts_allow:
    data:
      CentOS Linux-7:
        - /etc/hosts.allow:
            mode: 644
            tag: CIS-4.5.3
    description: /etc/hosts.allow must have permissions 644 (Scored)
  hosts_deny:
    data:
      CentOS Linux-7:
        - /etc/hosts.deny:
            mode: 644
            tag: CIS-4.5.5
    description: /etc/hosts.deny must have permissions 644 (Scored)
  passwd_own:
    data:
      CentOS Linux-7:
        - /etc/passwd:
            group: root
            tag: CIS-9.1.6
            uid: 0
            user: root
    description: /etc/passwd must be owned by root (Scored)
  passwd_perm:
    data:
      CentOS Linux-7:
        - /etc/passwd:
            mode: 644
            tag: CIS-9.1.2
    description: /etc/passwd must have permissions 644 (Scored)
  shadow_own:
    data:
      CentOS Linux-7:
        - /etc/shadow:
            gid: 0
            group: root
            tag: CIS-9.1.7
            uid: 0
            user: root
    description: /etc/shadow must be owned by root (Scored)
  shadow_perm:
    data:
      CentOS Linux-7:
        - /etc/shadow:
            mode: 0
            tag: CIS-9.1.3
    description: /etc/shadow must have permissions 000 (Scored)
  sshd_config:
    data:
      CentOS Linux-7:
        - /etc/ssh/sshd_config:
            gid: 0
            group: root
            mode: 600
            tag: CIS-6.2.3
            uid: 0
            user: root
    description: /etc/ssh/sshd_config must be owned by root and must have permissions 600 (Scored)
  warning_banner:
    data:
      CentOS Linux-7:
        - /etc/motd:
            gid: 0
            group: root
            mode: 644
            tag: CIS-8.1
            uid: 0
            user: root
        - /etc/issue:
            gid: 0
            group: root
            mode: 644
            tag: CIS-8.1
            uid: 0
            user: root
        - /etc/issue.net:
            gid: 0
            group: root
            mode: 644
            tag: CIS-8.1
            uid: 0
            user: root
    description: Files containing the warning banners must be owned by root and must have permissions 644 (Scored)
sysctl:
  bad_error_message_protection:
    data:
      CentOS Linux-7:
        - net.ipv4.icmp_ignore_bogus_error_responses:
            match_output: '1'
            tag: CIS-4.2.6
    description: Enable Bad Error Message Protection (Scored)
  exec_shield:
    data: {}
    description: Configure ExecShield (Scored)
  icmp_redirect_acceptance:
    data:
      CentOS Linux-7:
        - net.ipv4.conf.all.accept_redirects:
            match_output: '0'
            tag: CIS-4.2.2
        - net.ipv4.conf.default.accept_redirects:
            match_output: '0'
            tag: CIS-4.2.2
    description: Disable ICMP Redirect Acceptance (Scored)
  ignore_broadcast_requests:
    data:
      CentOS Linux-7:
        - net.ipv4.icmp_echo_ignore_broadcasts:
            match_output: '1'
            tag: CIS-4.2.5
    description: Enable Ignore Broadcast Requests (Scored)
  ip_forwarding:
    data:
      CentOS Linux-7:
        - net.ipv4.ip_forward:
            match_output: '0'
            tag: CIS-4.1.1
    description: Disable IP Forwarding (Scored)
  log_suspicious_packets:
    data:
      CentOS Linux-7:
        - net.ipv4.conf.all.log_martians:
            match_output: '1'
            tag: CIS-4.2.4
        - net.ipv4.conf.default.log_martians:
            match_output: '1'
            tag: CIS-4.2.4
    description: Log Suspicious Activity (Scored)
  randomize_va_space:
    data:
      CentOS Linux-7:
        - kernel.randomize_va_space:
            match_output: '2'
            tag: CIS-1.6.2
    description: Enable Randomized Virtual Memory Region Placement (Scored)
  restrict_suid_core_dumps:
    data: {}
    description: Restrict SUID Core Dumps (Scored)
  secure_icmp_redirect_acceptance:
    data:
      CentOS Linux-7:
        - net.ipv4.conf.all.secure_redirects:
            match_output: '0'
            tag: CIS-4.2.3
        - net.ipv4.conf.default.secure_redirects:
            match_output: '0'
            tag: CIS-4.2.3
    description: Disable Secure ICMP Redirect Acceptance (Scored)
  send_packet_redirect:
    data:
      CentOS Linux-7:
        - net.ipv4.conf.all.send_redirects:
            match_output: '0'
            tag: CIS-4.1.2
        - net.ipv4.conf.default.send_redirects:
            match_output: '0'
            tag: CIS-4.1.2
    description: Disable Send Packet Redirect (Scored)
  source_routed_packet_acceptance:
    data:
      CentOS Linux-7:
        - net.ipv4.conf.all.accept_source_route:
            match_output: '0'
            tag: CIS-4.2.1
        - net.ipv4.conf.default.accept_source_route:
            match_output: '0'
            tag: CIS-4.2.1
    description: Disable Source Routed Packet Acceptance (Scored)
  tcp_syn_cookies:
    data:
      CentOS Linux-7:
        - net.ipv4.tcp_syncookies:
            match_output: '1'
            tag: CIS-4.2.8
    description: Enable TCP SYN cookies (Scored)
cis-debian-8-level-1-scored-v1
Multiple profiles can be combined to create more comprehensive profiles. Common examples include the CIS and STIG profiles:
grep:
  whitelist:

    local_only_mta:
      data:
        Debian-8:
          - '/etc/exim4/update-exim4.conf':
              tag: 'CIS-6.15'
              pattern: "^dc_local_interfaces='127.0.0.1'"
      description: 'Configure Mail Transfer Agent for local-only mode (Scored)'

    fstab_tmp_partition:
      data:
        Debian-8:
          - '/etc/fstab':
              tag: 'CIS-2.1'
              pattern: '/tmp'
      description: 'Create Separate Partition for /tmp (Scored)'

    fstab_tmp_partition_nodev:
      data:
        Debian-8:
          - '/etc/fstab':
              tag: 'CIS-2.2'
              pattern: '/tmp'
              match_output: 'nodev'
      description: 'Set nodev option for /tmp Partition (Scored)'

    fstab_tmp_partition_nosuid:
      data:
        Debian-8:
          - '/etc/fstab':
              tag: 'CIS-2.3'
              pattern: '/tmp'
              match_output: 'nosuid'
      description: 'Set nosuid option for /tmp Partition (Scored)'

    fstab_tmp_partition_noexec:
      data:
        Debian-8:
          - '/etc/fstab':
              tag: 'CIS-2.4'
              pattern: '/tmp'
              match_output: 'noexec'
      description: 'Set noexec option for /tmp Partition (Scored)'

    fstab_var_partition:
      data:
        Debian-8:
          - '/etc/fstab':
              tag: 'CIS-2.5'
              pattern: '/var'
      description: 'Create Separate Partition for /var (Scored)'

    fstab_var_tmp_bind_mount:
      data:
        Debian-8:
          - '/etc/fstab':
              tag: 'CIS-2.6'
              pattern: '/var'
              match_output: '/var/tmp'
      description: 'Bind Mount the /var/tmp directory to /tmp (Scored)'

    fstab_var_log_partition:
      data:
        Debian-8:
          - '/etc/fstab':
              tag: 'CIS-2.7'
              pattern: '/var/log'
      description: 'Create Separate Partition for /var/log (Scored)'

    fstab_var_log_audit_partition:
      data:
        Debian-8:
          - '/etc/fstab':
              tag: 'CIS-2.8'
              pattern: '/var/log/audit'
      description: 'Create Separate Partition for /var/log/audit (Scored)'

    fstab_home_partition:
      data:
        Debian-8:
          - '/etc/fstab':
              tag: 'CIS-2.9'
              pattern: '/home'
      description: 'Create Separate Partition for /home (Scored)'

    fstab_home_partition_nodev:
      data:
        Debian-8:
          - '/etc/fstab':
              tag: 'CIS-2.10'
              pattern: '/home'
              match_output: 'nodev'
      description: 'Add nodev Option to /home (Scored)'

    fstab_dev_shm_partition_nodev:
      data:
        Debian-8:
          - '/etc/fstab':
              tag: 'CIS-2.14'
              pattern: '/dev/shm'
              match_output: 'nodev'
      description: 'Add nodev Option to /dev/shm Partition (Scored)'

    fstab_dev_shm_partition_nosuid:
      data:
        Debian-8:
          - '/etc/fstab':
              tag: 'CIS-2.15'
              pattern: '/dev/shm'
              match_output: 'nosuid'
      description: 'Add nosuid Option to /dev/shm Partition (Scored)'

    fstab_dev_shm_partition_noexec:
      data:
        Debian-8:
          - '/etc/fstab':
              tag: 'CIS-2.16'
              pattern: '/dev/shm'
              match_output: 'noexec'
      description: 'Add noexec Option to /dev/shm Partition (Scored)'

    configure_ntp:
      data:
        Debian-8:
          - '/etc/ntp.conf':
              tag: 'CIS-6.5'
              pattern: 'restrict default'
      description: 'Configure Network Time Protocol (NTP) (Scored)'

    keep_all_auditing_information:
      data:
        Debian-8:
          - '/etc/audit/auditd.conf':
              tag: 'CIS-8.1.1.3'
              pattern: 'max_log_file_action'
              match_output: 'keep_logs'
      description: 'Keep All Auditing Information (Scored)'

    rsyslog_remote_logging:
      data:
        Debian-8:
          - '/etc/rsyslog.conf':
              tag: 'CIS-8.2.5'
              pattern: "^*.*[^I][^I]*@"
      description: 'Configure rsyslog to Send Logs to a Remote Log Host (Scored)'

    passwd_limit_reuse:
      data:
        Debian-8:
          - '/etc/pam.d/common-password':
              tag: 'CIS-9.2.3'
              pattern: "remember"
              match_output: "5"
      description: 'Limit password reuse (Scored)'

    sshd_protocol_2:
      data:
        Debian-8:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.1'
              pattern: "^Protocol"
              match_output: 'Protocol 2'
      description: 'Set SSH Protocol to 2 (Scored)'

    sshd_loglevel_info:
      data:
        Debian-8:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.2'
              pattern: "^LogLevel"
              match_output: 'LogLevel INFO'
      description: 'Set LogLevel to INFO (Scored)'

    sshd_x11_forwarding:
      data:
        Debian-8:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.4'
              pattern: "^X11Forwarding"
              match_output: 'X11Forwarding no'
      description: 'Disable SSH X11 Forwarding (Scored)'

    sshd_max_auth_retries:
      data:
        Debian-8:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.5'
              pattern: "^MaxAuthTries"
              match_output: "MaxAuthTries 4"
      description: 'Set SSH MaxAuthTries to 4 or Less (Scored)'

    sshd_ignore_rhosts:
      data:
        Debian-8:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.6'
              pattern: "^IgnoreRhosts"
              match_output: "IgnoreRhosts yes"
      description: 'Set SSH IgnoreRhosts to Yes (Scored)'

    sshd_hostbased_auth:
      data:
        Debian-8:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.7'
              pattern: "^HostbasedAuthentication"
              match_output: "HostbasedAuthentication no"
      description: 'Set SSH HostbasedAuthentication to No (Scored)'

    sshd_disable_root_login:
      data:
        Debian-8:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.8'
              pattern: "^PermitRootLogin"
              match_output: "PermitRootLogin no"
      description: 'Disable SSH Root Login (Scored)'

    sshd_permit_empty_passwords:
      data:
        Debian-8:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.9'
              pattern: "^PermitEmptyPasswords"
              match_output: "PermitEmptyPasswords no"
      description: 'Set SSH PermitEmptyPasswords to No (Scored)'

    sshd_permit_user_environment:
      data:
        Debian-8:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.10'
              pattern: "^PermitUserEnvironment"
              match_output: "PermitUserEnvironment no"
      description: 'Do Not Allow Users to Set Environment Options (Scored)'

    sshd_approved_cipher:
      data:
        Debian-8:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.11'
              pattern: "Ciphers"
              match_output: "Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
      description: 'Use Only Approved Cipher in Counter Mode (Scored)'

    sshd_idle_timeout:
      data:
        Debian-8:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.12'
              pattern: "^ClientAliveInterval"
              match_output: "ClientAliveInterval 300"
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.12'
              pattern: "^ClientAliveCountMax"
              match_output: "ClientAliveCountMax 0"
      description: 'Set Idle Timeout Interval for User Login (Scored)'

    sshd_limit_access:
      data:
        Debian-8:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.13'
              pattern: "^AllowUsers"
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.13'
              pattern: "^AllowGroups"
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.13'
              pattern: "^DenyUsers"
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.13'
              pattern: "^DenyGroups"
      description: 'Limit Access via SSH (Scored)'

    sshd_banner:
      data:
        Debian-8:
          - '/etc/ssh/sshd_config':
              tag: 'CIS-9.3.14'
              pattern: "^Banner"
      description: 'Set SSH Banner (Scored)'

    restrict_access_su:
      data:
        Debian-8:
          - '/etc/pam.d/su':
              tag: 'CIS-9.5'
              pattern: "pam_wheel.so"
      description: 'Restrict access to the su command (Scored)'

    passwd_expiration_days:
      data:
        Debian-8:
          - '/etc/login.defs':
              tag: 'CIS-10.1.1'
              pattern: "PASS_MAX_DAYS"
              match_output: "90"
      description: 'Set Password Expiration Days (Scored)'

    passwd_change_min_days:
      data:
        Debian-8:
          - '/etc/login.defs':
              tag: 'CIS-10.1.2'
              pattern: "PASS_MIN_DAYS"
              match_output: "7"
      description: 'Set Password Change Minimum Number of Days (Scored)'

    passwd_expiry_warning:
      data:
        Debian-8:
          - '/etc/login.defs':
              tag: 'CIS-10.1.3'
              pattern: "PASS_WARN_AGE"
              match_output: "7"
      description: 'Set Password Expiring Warning Days (Scored)'

    default_umask:
      data:
        Debian-8:
          - '/etc/bash.bashrc':
              tag: 'CIS-10.4'
              pattern: "^umask 077"
          - '/etc/profile.d/*':
              tag: 'CIS-10.4'
              pattern: "^umask 077"
      description: 'Set Default umask for Users (Scored)'

    # The next two checks use a pattern, so they are grep checks, not stat checks.
    boot_loader_passwd:
      data:
        Debian-8:
          - '/boot/grub/grub.cfg':
              tag: 'CIS-3.3'
              pattern: "^password"
      description: 'Set Boot Loader Password (Scored)'

    restrict_core_dumps:
      data:
        Debian-8:
          - '/etc/security/limits.conf':
              tag: 'CIS-4.1'
              pattern: 'hard core'
      description: 'Restrict Core Dumps (Scored)'

  blacklist:

    single_user_auth:
      data:
        Debian-8:
          - '/etc/shadow':
              tag: 'CIS-3.4'
              pattern: "^root:[*\\!]:"
      description: 'Require Authentication for Single-User Mode (Scored)'

    legacy_passwd_entries:
      data:
        Debian-8:
          - '/etc/passwd':
              tag: 'CIS-13.2'
              pattern: "^+:"
      description: 'Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)'

    legacy_shadow_entries:
      data:
        Debian-8:
          - '/etc/shadow':
              tag: 'CIS-13.3'
              pattern: "^+:"
      description: 'Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)'

    legacy_group_entries:
      data:
        Debian-8:
          - '/etc/group':
              tag: 'CIS-13.4'
              pattern: "^+:"
      description: 'Verify No Legacy "+" Entries Exist in /etc/group File (Scored)'

stat:
  grub_conf_own:
    data:
      Debian-8:
        - '/boot/grub/grub.cfg':
            tag: 'CIS-3.1'
            user: 'root'
            group: 'root'
    description: 'Grub must be owned by root (Scored)'

  grub_conf_perm:
    data:
      Debian-8:
        - '/boot/grub/grub.cfg':
            tag: 'CIS-3.2'
            mode: 600
    description: 'Set permissions on bootloader config (Scored)'

  cron_hourly:
    data:
      Debian-8:
        - '/etc/cron.hourly':
            tag: 'CIS-9.1.3'
            mode: 700
            user: 'root'
            group: 'root'
    description: 'Set user/group owner and permissions on /etc/cron.hourly (Scored)'

  cron_daily:
    data:
      Debian-8:
        - '/etc/cron.daily':
            tag: 'CIS-9.1.4'
            mode: 700
            user: 'root'
            group: 'root'
    description: 'Set user/group owner and permissions on /etc/cron.daily (Scored)'

  cron_weekly:
    data:
      Debian-8:
        - '/etc/cron.weekly':
            tag: 'CIS-9.1.5'
            mode: 700
            user: 'root'
            group: 'root'
    description: 'Set user/group owner and permission on /etc/cron.weekly (Scored)'

  cron_monthly:
    data:
      Debian-8:
        - '/etc/cron.monthly':
            tag: 'CIS-9.1.6'
            mode: 700
            user: 'root'
            group: 'root'
    description: 'Set user/group owner and permission on /etc/cron.monthly (Scored)'

  cron_d:
    data:
      Debian-8:
        - '/etc/cron.d':
            tag: 'CIS-9.1.7'
            mode: 700
            user: 'root'
            group: 'root'
    description: 'Set user/group owner and permission on /etc/cron.d (Scored)'

  sshd_config:
    data:
      Debian-8:
        - '/etc/ssh/sshd_config':
            tag: 'CIS-9.3.3'
            mode: 600
            user: 'root'
            group: 'root'
    description: 'Set Permissions on /etc/ssh/sshd_config (Scored)'

  passwd_perm:
    data:
      Debian-8:
        - '/etc/passwd':
            tag: 'CIS-12.1'
            mode: 644
        - '/etc/passwd':
            tag: 'CIS-12.4'
            user: 'root'
            group: 'root'
    description: 'Verify permissions on /etc/passwd (Scored)'

  shadow_perm:
    data:
      Debian-8:
        - '/etc/shadow':
            tag: 'CIS-12.2'
            mode: 640
        - '/etc/shadow':
            tag: 'CIS-12.5'
            user: 'root'
            group: 'root'
    description: 'Verify user/group ownership on /etc/shadow (Scored)'

  group_perm:
    data:
      Debian-8:
        - '/etc/group':
            tag: 'CIS-12.3'
            mode: 644
        - '/etc/group':
            tag: 'CIS-12.3'
            user: 'root'
            group: 'root'
    description: 'Verify permissions on /etc/group (Scored)'

  # Mode checks belong to the stat module.
  hosts_allow:
    data:
      Debian-8:
        - '/etc/hosts.allow':
            tag: 'CIS-7.4.3'
            mode: 644
    description: 'Verify Permissions on /etc/hosts.allow (Scored)'

  hosts_deny:
    data:
      Debian-8:
        - '/etc/hosts.deny':
            tag: 'CIS-7.4.5'
            mode: 644
    description: 'Verify Permissions on /etc/hosts.deny (Scored)'

sysctl:
  randomize_va_space:
    data:
      Debian-8:
        - 'kernel.randomize_va_space':
            tag: 'CIS-4.3'
            match_output: '2'
    description: 'Enable Randomized Virtual Memory Region Placement (Scored)'

  ip_forwarding:
    data:
      Debian-8:
        - 'net.ipv4.ip_forward':
            tag: 'CIS-7.1.1'
            match_output: '0'
    description: 'Disable IP Forwarding (Scored)'

  send_packet_redirect:
    data:
      Debian-8:
        - 'net.ipv4.conf.all.send_redirects':
            tag: 'CIS-7.1.2'
            match_output: '0'
        - 'net.ipv4.conf.default.send_redirects':
            tag: 'CIS-7.1.2'
            match_output: '0'
    description: 'Disable Send Packet Redirect (Scored)'

  source_routed_packet_acceptance:
    data:
      Debian-8:
        - 'net.ipv4.conf.all.accept_source_route':
            tag: 'CIS-7.2.1'
            match_output: '0'
        - 'net.ipv4.conf.default.accept_source_route':
            tag: 'CIS-7.2.1'
            match_output: '0'
    description: 'Disable Source Routed Packet Acceptance (Scored)'

  icmp_redirect_acceptance:
    data:
      Debian-8:
        - 'net.ipv4.conf.all.accept_redirects':
            tag: 'CIS-7.2.2'
            match_output: '0'
        - 'net.ipv4.conf.default.accept_redirects':
            tag: 'CIS-7.2.2'
            match_output: '0'
    description: 'Disable ICMP Redirect Acceptance'

  # A second key named icmp_redirect_acceptance would silently replace the one above.
  secure_icmp_redirect_acceptance:
    data:
      Debian-8:
        - 'net.ipv4.conf.all.secure_redirects':
            tag: 'CIS-7.2.3'
            match_output: '0'
        - 'net.ipv4.conf.default.secure_redirects':
            tag: 'CIS-7.2.3'
            match_output: '0'
    description: 'Disable Secure ICMP Redirect Acceptance'

  log_suspicious_packets:
    data:
      Debian-8:
        - 'net.ipv4.conf.all.log_martians':
            tag: 'CIS-7.2.4'
            match_output: '1'
        - 'net.ipv4.conf.default.log_martians':
            tag: 'CIS-7.2.4'
            match_output: '1'
    description: 'Log Suspicious Activity (Scored)'

  ignore_broadcast_requests:
    data:
      Debian-8:
        - 'net.ipv4.icmp_echo_ignore_broadcasts':
            tag: 'CIS-7.2.5'
            match_output: '1'
    description: 'Enable Ignore Broadcast Requests (Scored)'

  bad_error_message_protection:
    data:
      Debian-8:
        - 'net.ipv4.icmp_ignore_bogus_error_responses':
            tag: 'CIS-7.2.6'
            match_output: '1'
    description: 'Enable Bad Error Message Protection (Scored)'

  source_route_validation:
    data:
      Debian-8:
        - 'net.ipv4.conf.all.rp_filter':
            tag: 'CIS-7.2.7'
            match_output: '1'
        - 'net.ipv4.conf.default.rp_filter':
            tag: 'CIS-7.2.7'
            match_output: '1'

  tcp_syn_cookies:
    data:
      Debian-8:
        - 'net.ipv4.tcp_syncookies':
            tag: 'CIS-7.2.8'
            match_output: '1'
    description: 'Enable TCP SYN cookies (Scored)'

pkg:
  blacklist:

    prelink:
      data:
        Debian-8:
          - 'prelink': 'CIS-4.4'
      description: 'Disable Prelink (Scored)'

    nis:
      data:
        Debian-8:
          - 'nis': 'CIS-5.1.1'
      description: 'Remove nis client and nis server (Scored)'

    rsh:
      data:
        Debian-8:
          - 'rsh-server': 'CIS-5.1.2'
          - 'rsh-client': 'CIS-5.1.3'
          - 'rsh-redone-client': 'CIS-5.1.3'
      description: 'Remove rsh and rsh-server (Scored)'

    talk:
      data:
        Debian-8:
          - 'talk': 'CIS-5.1.5'
      description: 'Remove talk and talk-server (Scored)'

    telnet:
      data:
        Debian-8:
          - 'telnet': 'CIS-5.1.6'
          - 'telnet-server': 'CIS-5.1.6'
      description: 'Remove telnet and telnet-server (Scored)'

    tftp:
      data:
        Debian-8:
          - 'tftp': 'CIS-5.1.7'
          - 'atftp': 'CIS-5.1.7'
      description: 'Remove tftp and tftp-server (Scored)'

    xinetd:
      data:
        Debian-8:
          - 'xinetd': 'CIS-5.1.8'
      description: 'Remove xinetd (Scored)'

    xorg-server:
      data:
        Debian-8:
          - 'xserver-xorg-core': 'CIS-6.1'
      description: 'Remove the X Window System (Scored)'

    avahi-daemon:
      data:
        Debian-8:
          - 'avahi-daemon': 'CIS-6.2'
      description: 'Disable Avahi Server (Scored)'

    dhcp:
      data:
        Debian-8:
          - 'isc-dhcp-server': 'CIS-6.4'
      description: 'Remove DHCP server (Scored)'

    slapd:
      data:
        Debian-8:
          - 'slapd': 'CIS-6.6'
      description: 'Ensure LDAP is not enabled (Scored)'

  whitelist:

    apparmor:
      data:
        Debian-8:
          - 'apparmor': 'CIS-4.5'
          - 'apparmor-utils': 'CIS-4.5'
          - 'apparmor-profiles': 'CIS-4.5'
      description: 'Activate AppArmor (Scored)'

    tcp_wrappers:
      data:
        Debian-8:
          - 'tcpd': 'CIS-7.4.1'
      description: 'Install TCP Wrappers (Scored)'

    iptables:
      data:
        Debian-8:
          - 'iptables': 'CIS-7.7'
          - 'iptables-persistent': 'CIS-7.7'
      description: 'Ensure firewall is active (Scored)'

    auditd:
      data:
        Debian-8:
          - 'auditd': 'CIS-8.1.2'
      description: 'Install and Enable auditd Service (Scored)'

    rsyslog:
      data:
        Debian-8:
          - 'rsyslog': 'CIS-8.2.1'
      description: 'Install rsyslog package (Scored)'

    aide:
      data:
        Debian-8:
          - 'aide': 'CIS-8.3.1'
      description: 'Install AIDE (Scored)'

    cracklib:
      data:
        Debian-8:
          - 'libpam-cracklib': 'CIS-9.2.1'
      description: 'Set password creation requirement parameters using pam_cracklib (Scored)'

    openssh_server:
      data:
        Debian-8:
          - 'openssh-server': 'CIS-9.3'
      description: 'Configure SSH'
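To make the semantics of these entries concrete, here is an added example (not HubbleStack's own code) that evaluates a small profile in the same layout as the listings above against constructed file contents, stat data and sysctl values; function names are hypothetical. It also shows why a `match_output` that lost its space in extraction (`Protocol2`) silently fails, and why a `group: root` stat entry on `/etc/shadow` fails on a Debian host where the file is owned `root:shadow`.

```python
"""Evaluate Nova-style grep/stat/sysctl profile entries (added example).

Semantics implemented, as the profiles imply them: a grep whitelist entry
passes when a line matches `pattern` (and, if given, contains `match_output`);
a blacklist entry passes when no line matches; a stat entry compares only the
fields it names; a sysctl entry compares the kernel value to `match_output`.
All inputs below are constructed; this is not HubbleStack's implementation.
"""
import re

# Constructed stand-ins for file contents, stat results and sysctl values.
FILES = {
    "/etc/ssh/sshd_config": "Protocol 2\nLogLevel INFO\nPermitRootLogin yes\nMaxAuthTries 4\n",
    "/etc/shadow": "root:$6$constructed$hash:17000:0:99999:7:::\n",
}
# path -> (mode, uid, gid, user, group); Debian ships /etc/shadow as root:shadow.
STATS = {"/etc/shadow": (0o640, 0, 42, "root", "shadow")}
SYSCTL = {"net.ipv4.ip_forward": "0"}

# A profile in the layout of the YAML listings, written as a dict (hypothetical entries).
PROFILE = {
    "grep": {
        "whitelist": {
            "sshd_protocol_2": {"data": {"Debian-8": [
                {"/etc/ssh/sshd_config": {"tag": "CIS-9.3.1", "pattern": "^Protocol",
                                          "match_output": "Protocol 2"}}]},
                "description": "Set SSH Protocol to 2 (Scored)"},
            "sshd_disable_root_login": {"data": {"Debian-8": [
                {"/etc/ssh/sshd_config": {"tag": "CIS-9.3.8", "pattern": "^PermitRootLogin",
                                          "match_output": "PermitRootLogin no"}}]},
                "description": "Disable SSH Root Login (Scored)"},
        },
        "blacklist": {
            "single_user_auth": {"data": {"Debian-8": [
                {"/etc/shadow": {"tag": "CIS-3.4", "pattern": r"^root:[*\!]:"}}]},
                "description": "Require Authentication for Single-User Mode (Scored)"},
        },
    },
    "stat": {
        "shadow_perm": {"data": {"Debian-8": [
            {"/etc/shadow": {"tag": "CIS-12.2", "mode": 640}},
            {"/etc/shadow": {"tag": "CIS-12.5", "user": "root", "group": "root"}}]},
            "description": "Verify user/group ownership on /etc/shadow (Scored)"},
    },
    "sysctl": {
        "ip_forwarding": {"data": {"Debian-8": [
            {"net.ipv4.ip_forward": {"tag": "CIS-7.1.1", "match_output": "0"}}]},
            "description": "Disable IP Forwarding (Scored)"},
    },
}


def grep_check(path, pattern, match_output=None):
    """True if some line of `path` matches `pattern` and contains `match_output`."""
    for line in FILES.get(path, "").splitlines():
        if re.search(pattern, line) and (match_output is None or match_output in line):
            return True
    return False


def stat_check(path, spec):
    """Compare only the fields the entry names; `mode` is written in octal (600, 644, 0)."""
    info = STATS.get(path)
    if info is None:
        return False
    actual = dict(zip(("mode", "uid", "gid", "user", "group"), info))
    for key, want in spec.items():
        if key == "tag":
            continue
        if key == "mode":
            want = int(str(want), 8)
        if actual.get(key) != want:
            return False
    return True


def sysctl_check(name, match_output):
    """The kernel value must equal `match_output` exactly."""
    return SYSCTL.get(name) == str(match_output)


def evaluate(profile, osfinger="Debian-8"):
    """Return {tag: 'Success' | 'Failure'}; a tag fails if any of its entries fails."""
    results = {}
    for module, body in profile.items():
        groups = body.items() if module == "grep" else [("whitelist", body)]
        for list_type, checks in groups:
            for check in checks.values():
                for entry in check["data"].get(osfinger, []):
                    (target, spec), = entry.items()
                    if module == "grep":
                        hit = grep_check(target, spec["pattern"], spec.get("match_output"))
                        ok = hit if list_type == "whitelist" else not hit
                    elif module == "stat":
                        ok = stat_check(target, spec)
                    else:
                        ok = sysctl_check(target, spec["match_output"])
                    tag = spec["tag"]
                    results[tag] = "Failure" if not ok or results.get(tag) == "Failure" else "Success"
    return results


if __name__ == "__main__":
    for tag, verdict in sorted(evaluate(PROFILE).items()):
        print(tag, verdict)
```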
cis-ubuntu-1404-level-1-scored-v1
Multiple profiles can be combined to create more comprehensive profiles. Common examples include the CIS and STIG profiles:
grep:
  whitelist:
    fstab_dev_shm_partition_nodev:
      data:
        Ubuntu-14.04:
          - /etc/fstab:
              match_output: nodev
              pattern: /dev/shm
              tag: CIS-2.14
      description: Add nodev Option to /dev/shm Partition (Scored)
    fstab_dev_shm_partition_noexec:
      data:
        Ubuntu-14.04:
          - /etc/fstab:
              match_output: noexec
              pattern: /dev/shm
              tag: CIS-2.16
      description: Add noexec Option to /dev/shm Partition (Scored)
    fstab_dev_shm_partition_nosuid:
      data:
        Ubuntu-14.04:
          - /etc/fstab:
              match_output: nosuid
              pattern: /dev/shm
              tag: CIS-2.15
      description: Add nosuid Option to /dev/shm Partition (Scored)
    fstab_home_partition:
      data:
        Ubuntu-14.04:
          - /etc/fstab:
              pattern: /home
              tag: CIS-2.9
      description: Create Separate Partition for /home (Scored)
    fstab_home_partition_nodev:
      data:
        Ubuntu-14.04:
          - /etc/fstab:
              match_output: nodev
              pattern: /home
              tag: CIS-2.10
      description: Add nodev Option to /home (Scored)
    fstab_tmp_partition:
      data:
        Ubuntu-14.04:
          - /etc/fstab:
              pattern: /tmp
              tag: CIS-2.1
      description: Create Separate Partition for /tmp (Scored)
    fstab_tmp_partition_nodev:
      data:
        Ubuntu-14.04:
          - /etc/fstab:
              match_output: nodev
              pattern: /tmp
              tag: CIS-2.2
      description: Set nodev option for /tmp Partition (Scored)
    fstab_tmp_partition_noexec:
      data:
        Ubuntu-14.04:
          - /etc/fstab:
              match_output: noexec
              pattern: /tmp
              tag: CIS-2.4
      description: Set noexec option for /tmp Partition (Scored)
    fstab_tmp_partition_nosuid:
      data:
        Ubuntu-14.04:
          - /etc/fstab:
              match_output: nosuid
              pattern: /tmp
              tag: CIS-2.3
      description: Set nosuid option for /tmp Partition (Scored)
    fstab_var_log_audit_partition:
      data:
        Ubuntu-14.04:
          - /etc/fstab:
              pattern: /var/log/audit
              tag: CIS-2.8
      description: Create Separate Partition for /var/log/audit (Scored)
    fstab_var_log_partition:
      data:
        Ubuntu-14.04:
          - /etc/fstab:
              pattern: /var/log
              tag: CIS-2.7
      description: Create Separate Partition for /var/log (Scored)
    fstab_var_partition:
      data:
        Ubuntu-14.04:
          - /etc/fstab:
              pattern: /var
              tag: CIS-2.5
      description: Create Separate Partition for /var (Scored)
    fstab_var_tmp_bind_mount:
      data:
        Ubuntu-14.04:
          - /etc/fstab:
              match_output: /var/tmp
              pattern: /var
              tag: CIS-2.6
      description: Bind Mount the /var/tmp directory to /tmp (Scored)
    grub_password:
      data:
        Ubuntu-14.04:
          - /boot/grub/grub.cfg:
              pattern: password
              tag: CIS-3.3
      description: Set Bootloader Password (Scored)
    core_hard_limit:
      data:
        Ubuntu-14.04:
          - /etc/security/limits.conf:
              match_output: '0'
              pattern: hard core
              tag: CIS-4.1
      description: Restrict Core Dumps (Scored)
    ntp_restrict_default:
      data:
        Ubuntu-14.04:
          - /etc/ntp.conf:
              pattern: '^restrict'
              match_output: default
              tag: CIS-6.5
          - /etc/ntp.conf:
              pattern: restrict -6 default
              tag: CIS-6.5
          - /etc/ntp.conf:
              pattern: '^server'
              tag: CIS-6.5
          - /etc/init.d/ntp:
              pattern: RUNASUSER=
              tag: CIS-6.5
      description: Configure Network Time Protocol (NTP) (Scored)
    local_mta:
      data:
        Ubuntu-14.04:
          - /etc/postfix/main.cf:
              pattern: '^inet_interfaces'
              match_output: localhost
              tag: CIS-6.15
      description: Ensure MTA is configured for local-only (Scored)
    rsync:
      data:
        Ubuntu-14.04:
          - /etc/default/rsync:
              pattern: '^RSYNC_ENABLE'
              match_output: 'false'
              tag: CIS-6.16
      description: Ensure RSYNC is disabled (Scored)
    rsyslog_file_perms:
      data:
        Ubuntu-14.04:
          - /etc/rsyslog.conf:
              pattern: '^\$FileCreateMode'
              match_output: '0640'
              tag: CIS-8.2.4
      description: Create and Set Permissions on rsyslog Log Files (Scored)
    rsyslog_remote_logging:
      data:
        Ubuntu-14.04:
          - /etc/rsyslog.conf:
              pattern: '^*.*[^I][^I]*@'
              tag: CIS-8.2.5
      description: Configure rsyslog to Send Logs to a Remote Log Host (Scored)
    pam_cracklib_settings:
      data:
        Ubuntu-14.04:
          - /etc/pam.d/common-password:
              pattern: pam_cracklib
              match_output: 'retry=3'
              tag: CIS-9.2.1
          - /etc/pam.d/common-password:
              pattern: pam_cracklib
              match_output: 'minlen=14'
              tag: CIS-9.2.1
          - /etc/pam.d/common-password:
              pattern: pam_cracklib
              match_output: 'dcredit=-1'
              tag: CIS-9.2.1
          - /etc/pam.d/common-password:
              pattern: pam_cracklib
              match_output: 'ucredit=-1'
              tag: CIS-9.2.1
          - /etc/pam.d/common-password:
              pattern: pam_cracklib
              match_output: 'ocredit=-1'
              tag: CIS-9.2.1
          - /etc/pam.d/common-password:
              pattern: pam_cracklib
              match_output: 'lcredit=-1'
              tag: CIS-9.2.1
      description: PAM cracklib policy (Scored)
    pam_password_reuse:
      data:
        Ubuntu-14.04:
          - /etc/pam.d/common-password:
              pattern: remember
              match_output: 'remember=5'
              tag: CIS-9.2.3
      description: Limit Password Reuse (Scored)
    ssh_version_2:
      data:
        Ubuntu-14.04:
          - /etc/ssh/sshd_config:
              pattern: Protocol
              match_output: '2'
              tag: CIS-9.3.1
      description: Set SSH Protocol to 2 (Scored)
    ssh_log_level:
      data:
        Ubuntu-14.04:
          - /etc/ssh/sshd_config:
              pattern: LogLevel
              match_output: INFO
              tag: CIS-9.3.2
      description: Set LogLevel to INFO (Scored)
    # The grep module checks the expected value under match_output (not match);
    # the sshd option is X11Forwarding.
    ssh_disable_xforward:
      data:
        Ubuntu-14.04:
          - /etc/ssh/sshd_config:
              pattern: X11Forwarding
              match_output: 'no'
              tag: CIS-9.3.4
      description: Disable SSH X11 Forwarding (Scored)
    ssh_auth_retries:
      data:
        Ubuntu-14.04:
          - /etc/ssh/sshd_config:
              pattern: MaxAuthTries
              match_output: '4'
              tag: CIS-9.3.5
      description: Set SSH MaxAuthTries to 4 or Less (Scored)
    ssh_ignore_rhosts:
      data:
        Ubuntu-14.04:
          - /etc/ssh/sshd_config:
              pattern: IgnoreRhosts
              match_output: 'yes'
              tag: CIS-9.3.6
      description: Set SSH IgnoreRhosts to Yes (Scored)
    ssh_hostbased_auth:
      data:
        Ubuntu-14.04:
          - /etc/ssh/sshd_config:
              pattern: HostbasedAuthentication
              match_output: 'no'
              tag: CIS-9.3.7
      description: Set SSH HostbasedAuthentication to No (Scored)
    ssh_permit_root:
      data:
        Ubuntu-14.04:
          - /etc/ssh/sshd_config:
              pattern: PermitRootLogin
              match_output: 'no'
              tag: CIS-9.3.8
      description: Disable SSH Root Login (Scored)
    ssh_permit_empty_pw:
      data:
        Ubuntu-14.04:
          - /etc/ssh/sshd_config:
              pattern: PermitEmptyPasswords
              match_output: 'no'
              tag: CIS-9.3.9
      description: Set SSH PermitEmptyPasswords to No (Scored)
    ssh_permit_user_env:
      data:
        Ubuntu-14.04:
          - /etc/ssh/sshd_config:
              pattern: PermitUserEnvironment
              match_output: 'no'
              tag: CIS-9.3.10
      description: Do Not Allow Users to Set Environment Options (Scored)
    ssh_restrict_cipher:
      data:
        Ubuntu-14.04:
          - /etc/ssh/sshd_config:
              pattern: Ciphers
              match_output: 'aes128-ctr,aes192-ctr,aes256-ctr'
              tag: CIS-9.3.11
      description: Use Only Approved Cipher in Counter Mode (Scored)
    ssh_idle_timeout:
      data:
        Ubuntu-14.04:
          - /etc/ssh/sshd_config:
              pattern: ClientAliveInterval
              match_output: '300'
              tag: CIS-9.3.12
          - /etc/ssh/sshd_config:
              pattern: ClientAliveCountMax
              match_output: '0'
              tag: CIS-9.3.12
      description: Set Idle Timeout Interval for User Login (Scored)
    ssh_limit_access:
      data:
        Ubuntu-14.04:
          - /etc/ssh/sshd_config:
              pattern: AllowUsers
              tag: CIS-9.3.13
          - /etc/ssh/sshd_config:
              pattern: AllowGroups
              tag: CIS-9.3.13
          - /etc/ssh/sshd_config:
              pattern: DenyUsers
              tag: CIS-9.3.13
          - /etc/ssh/sshd_config:
              pattern: DenyGroups
              tag: CIS-9.3.13
      description: Limit Access via SSH (Scored)
    ssh_set_banner:
      data:
        Ubuntu-14.04:
          - /etc/ssh/sshd_config:
              pattern: Banner
              match_output: issue
              tag: CIS-9.3.14
      description: Set SSH Banner (Scored)
    limit_su_access:
      data:
        Ubuntu-14.04:
          - /etc/pam.d/su:
              pattern: pam_wheel.so
              match_output: use_uid
              tag: CIS-9.5
          - /etc/group:
              pattern: wheel
              tag: CIS-9.5
      description: Restrict Access to the su Command (Scored)
    password_max_days:
      data:
        Ubuntu-14.04:
          - /etc/login.defs:
              pattern: PASS_MAX_DAYS
              match_output: '90'
              tag: CIS-10.1.1
      description: Set Password Expiration Days (Scored)
    password_min_days:
      data:
        Ubuntu-14.04:
          - /etc/login.defs:
              pattern: PASS_MIN_DAYS
              match_output: '7'
              tag: CIS-10.1.2
      description: Set Password Change Minimum Number of Days (Scored)
    password_warn_days:
      data:
        Ubuntu-14.04:
          - /etc/login.defs:
              pattern: PASS_WARN_AGE
              match_output: '7'
              tag: CIS-10.1.3
      description: Set Password Expiring Warning Days (Scored)
    umask:
      data:
        Ubuntu-14.04:
          - /etc/login.defs:
              pattern: UMASK
              match_output: '077'
              tag: CIS-10.4
      description: Set Default umask for Users (Scored)
  blacklist:
    # The root password field lives in /etc/shadow; in /etc/passwd it is always "x".
    root_passwd_set:
      data:
        Ubuntu-14.04:
          - /etc/shadow:
              pattern: '^root:[*\!]:'
              tag: CIS-3.4
      description: Require Authentication for Single User Mode (Scored)
    rsh_inet:
      data:
        Ubuntu-14.04:
          - /etc/inetd.conf:
              pattern: '^shell'
              tag: CIS-5.1.2
          - /etc/inetd.conf:
              pattern: '^login'
              tag: CIS-5.1.2
          - /etc/inetd.conf:
              pattern: '^exec'
              tag: CIS-5.1.2
      description: Ensure RSH server is not Enabled (Scored)
    talk:
      data:
        Ubuntu-14.04:
          - /etc/inetd.conf:
              pattern: '^talk'
              tag: CIS-5.1.4
          - /etc/inetd.conf:
              pattern: '^ntalk'
              tag: CIS-5.1.4
      description: Ensure Talk Server is not Enabled (Scored)
    telnet:
      data:
        Ubuntu-14.04:
          - /etc/inetd.conf:
              pattern: '^telnet'
              tag: CIS-5.1.6
      description: Ensure Telnet Server is not Enabled (Scored)
    tftp:
      data:
        Ubuntu-14.04:
          - /etc/inetd.conf:
              pattern: '^tftp'
              tag: CIS-5.1.7
      description: Ensure TFTP Server is not Enabled (Scored)
    chargen:
      data:
        Ubuntu-14.04:
          - /etc/inetd.conf:
              pattern: '^chargen'
              tag: CIS-5.2
      description: Ensure Chargen is not Enabled (Scored)
    daytime:
      data:
        Ubuntu-14.04:
          - /etc/inetd.conf:
              pattern: '^daytime'
              tag: CIS-5.3
      description: Ensure daytime is not Enabled (Scored)
    echo:
      data:
        Ubuntu-14.04:
          - /etc/inetd.conf:
              pattern: '^echo'
              tag: CIS-5.4
      description: Ensure echo is not Enabled (Scored)
    discard:
      data:
        Ubuntu-14.04:
          - /etc/inetd.conf:
              pattern: '^discard'
              tag: CIS-5.5
      description: Ensure discard is not Enabled (Scored)
    time:
      data:
        Ubuntu-14.04:
          - /etc/inetd.conf:
              pattern: '^time'
              tag: CIS-5.6
      description: Ensure time is not Enabled (Scored)
    banner_os_info_motd:
      data:
        Ubuntu-14.04:
          - /etc/motd:
              pattern: '\v'
              tag: CIS-11.2
          - /etc/motd:
              pattern: '\r'
              tag: CIS-11.2
          - /etc/motd:
              pattern: '\m'
              tag: CIS-11.2
          - /etc/motd:
              pattern: '\s'
              tag: CIS-11.2
      description: Remove OS Information from Login Warning Banners (motd) (Scored)
    banner_os_info_issue:
      data:
        Ubuntu-14.04:
          - /etc/issue:
              pattern: '\v'
              tag: CIS-11.2
          - /etc/issue:
              pattern: '\r'
              tag: CIS-11.2
          - /etc/issue:
              pattern: '\m'
              tag: CIS-11.2
          - /etc/issue:
              pattern: '\s'
              tag: CIS-11.2
      description: Remove OS Information from Login Warning Banners (issue) (Scored)
    banner_os_info_issue_net:
      data:
        Ubuntu-14.04:
          - /etc/issue.net:
              pattern: '\v'
              tag: CIS-11.2
          - /etc/issue.net:
              pattern: '\r'
              tag: CIS-11.2
          - /etc/issue.net:
              pattern: '\m'
              tag: CIS-11.2
          - /etc/issue.net:
              pattern: '\s'
              tag: CIS-11.2
      description: Remove OS Information from Login Warning Banners (issue.net) (Scored)
    legacy_entries_passwd:
      data:
        Ubuntu-14.04:
          - /etc/passwd:
              pattern: '^+'
              tag: CIS-13.2
      description: Verify No Legacy "+" Entries Exist in /etc/passwd File (Scored)
    legacy_entries_shadow:
      data:
        Ubuntu-14.04:
          - /etc/shadow:
              pattern: '^+'
              tag: CIS-13.3
      description: Verify No Legacy "+" Entries Exist in /etc/shadow File (Scored)
502 legacy_entries_group:
503 data:
504 Ubuntu-14.04:
505 - /etc/group:
506 pattern:'^+'
507 tag: CIS-13.2
508 description: Verify No Legacy "+" Entries Exist in /etc/group File (Scored)
509
service:
  blacklist:
    autofs:
      data:
        Ubuntu-14.04:
          - autofs: CIS-2.25
      description: Disable Automounting (Scored)
    apport:
      data:
        Ubuntu-14.04:
          - apport: CIS-4.1
      description: Disable Apport to Restrict Core Dumps (Scored)
    whoopsie:
      data:
        Ubuntu-14.04:
          - whoopsie: CIS-4.1
      description: Disable Whoopsie to Restrict Core Dumps (Scored)
    xinetd:
      data:
        Ubuntu-14.04:
          - xinetd: CIS-5.1.8
      description: Disable xinetd Service (Scored)
    avahi_daemon:
      data:
        Ubuntu-14.04:
          - avahi-daemon: CIS-6.2
      description: Ensure Avahi Server is not enabled (Scored)
    cups:
      data:
        Ubuntu-14.04:
          - cups: CIS-6.3
      description: Ensure print server is not enabled (Scored)
    dhcp-server:
      data:
        Ubuntu-14.04:
          - isc-dhcp-server: CIS-6.4
      description: Ensure DHCP Server is not enabled (Scored)
  whitelist:
    rsyslog:
      data:
        Ubuntu-14.04:
          - rsyslog: CIS-8.2.2
      description: Ensure the rsyslog Service is activated (Scored)
    cron:
      data:
        Ubuntu-14.04:
          - cron: CIS-9.1.1
      description: Enable cron Daemon (Scored)

sysctl:
  disable_suid_dumpable:
    data:
      Ubuntu-14.04:
        - fs.suid_dumpable:
            match_output: '0'
            tag: CIS-4.1
    description: Prevent suid Applications from Core Dumping (Scored)
  randomize_va_space:
    data:
      Ubuntu-14.04:
        - kernel.randomize_va_space:
            match_output: '2'
            tag: CIS-4.3
    description: Enable Randomized Virtual Memory Region Placement (Scored)
  disable_ip4_ip_forward:
    data:
      Ubuntu-14.04:
        - net.ipv4.ip_forward:
            match_output: '0'
            tag: CIS-7.1.1
    description: Disable IP Forwarding (Scored)
  disable_packet_redirect:
    data:
      Ubuntu-14.04:
        - net.ipv4.conf.all.send_redirects:
            match_output: '0'
            tag: CIS-7.1.2
    description: Disable Send Packet Redirects (Scored)
  disable_source_routed_packets:
    data:
      Ubuntu-14.04:
        - net.ipv4.conf.all.accept_source_route:
            match_output: '0'
            tag: CIS-7.2.1
    description: Disable Source Routed Packet Acceptance (Scored)
  disable_icmp_redirect:
    data:
      Ubuntu-14.04:
        - net.ipv4.conf.all.accept_redirects:
            match_output: '0'
            tag: CIS-7.2.2
    description: Disable ICMP Redirect Acceptance (Scored)
  disable_secure_icmp_redirect:
    data:
      Ubuntu-14.04:
        - net.ipv4.conf.all.secure_redirects:
            match_output: '0'
            tag: CIS-7.2.3
    description: Disable Secure ICMP Redirect Acceptance (Scored)
  log_martians:
    data:
      Ubuntu-14.04:
        - net.ipv4.conf.all.log_martians:
            match_output: '1'
            tag: CIS-7.2.4
    description: Log Suspicious Packets (Scored)
  ignore_broadcast:
    data:
      Ubuntu-14.04:
        - net.ipv4.icmp_echo_ignore_broadcasts:
            match_output: '1'
            tag: CIS-7.2.5
    description: Enable Ignore Broadcast Requests (Scored)
  bogus_errors:
    data:
      Ubuntu-14.04:
        # the sysctl key needs its full net.ipv4. prefix to be found
        - net.ipv4.icmp_ignore_bogus_error_responses:
            match_output: '1'
            tag: CIS-7.2.6
    description: Enable Bad Error Message Protection (Scored)
  rp_filter:
    data:
      Ubuntu-14.04:
        - net.ipv4.conf.all.rp_filter:
            match_output: '1'
            tag: CIS-7.2.7
    description: Enable RFC-recommended Source Route Validation (Scored)
  tcp_syncookies:
    data:
      Ubuntu-14.04:
        - net.ipv4.tcp_syncookies:
            match_output: '1'
            tag: CIS-7.2.8
    description: Enable TCP SYN Cookies (Scored)

pkg:
  blacklist:
    prelink:
      data:
        Ubuntu-14.04:
          - prelink: CIS-4.4
      description: Disable Prelink (Scored)
    nis:
      data:
        Ubuntu-14.04:
          - nis: CIS-5.1.1
      description: Ensure NIS is not installed (Scored)
    talk:
      data:
        Ubuntu-14.04:
          - talk: CIS-5.1.5
      description: Ensure Talk Client is not installed (Scored)
    xserver:
      data:
        Ubuntu-14.04:
          - xserver-xorg-core*: CIS-6.1
      description: Ensure the XWindow System is not installed (Scored)
    biosdevname:
      data:
        Ubuntu-14.04:
          - biosdevname: CIS-6.17
      description: Ensure biosdevname is not enabled (Scored)
  whitelist:
    ntp:
      data:
        Ubuntu-14.04:
          - ntp: CIS-6.5
      description: Ensure ntp is installed (Scored)
    tcpd:
      data:
        Ubuntu-14.04:
          - tcpd: CIS-7.4.1
      description: Install TCP Wrappers (Scored)
    rsyslog:
      data:
        Ubuntu-14.04:
          - rsyslog: CIS-8.2.1
      description: Install the rsyslog package (Scored)

stat:
  grub_cfg_owner:
    data:
      Ubuntu-14.04:
        - /boot/grub/grub.cfg:
            gid: 0
            group: root
            uid: 0
            user: root
            tag: CIS-3.1
    description: Set User/Group Owner on bootloader config (Scored)
  grub_cfg_perms:
    data:
      Ubuntu-14.04:
        - /boot/grub/grub.cfg:
            mode: 600
            tag: CIS-3.2
    description: Set Permissions on bootloader config (Scored)
  hosts_allow_perms:
    data:
      Ubuntu-14.04:
        - /etc/hosts.allow:
            mode: 644
            tag: CIS-7.4.3
    description: Verify Permissions on /etc/hosts.allow (Scored)
  hosts_deny_perms:
    data:
      Ubuntu-14.04:
        - /etc/hosts.deny:
            mode: 644
            tag: CIS-7.4.5
    description: Verify Permissions on /etc/hosts.deny (Scored)
  crontab_own_perms:
    data:
      Ubuntu-14.04:
        - /etc/crontab:
            gid: 0
            group: root
            uid: 0
            user: root
            mode: 600
            tag: CIS-9.1.2
    description: Set User/Group Owner and Permission on /etc/crontab (Scored)
  cron_hourly_own_perms:
    data:
      Ubuntu-14.04:
        - /etc/cron.hourly:
            gid: 0
            group: root
            uid: 0
            user: root
            mode: 600
            tag: CIS-9.1.3
    description: Set User/Group Owner and Permission on /etc/cron.hourly (Scored)
  cron_daily_own_perms:
    data:
      Ubuntu-14.04:
        - /etc/cron.daily:
            gid: 0
            group: root
            uid: 0
            user: root
            mode: 600
            tag: CIS-9.1.4
    description: Set User/Group Owner and Permission on /etc/cron.daily (Scored)
  cron_weekly_own_perms:
    data:
      Ubuntu-14.04:
        - /etc/cron.weekly:
            gid: 0
            group: root
            uid: 0
            user: root
            mode: 600
            tag: CIS-9.1.5
    description: Set User/Group Owner and Permission on /etc/cron.weekly (Scored)
  cron_monthly_own_perms:
    data:
      Ubuntu-14.04:
        - /etc/cron.monthly:
            gid: 0
            group: root
            uid: 0
            user: root
            mode: 600
            tag: CIS-9.1.6
    description: Set User/Group Owner and Permission on /etc/cron.monthly (Scored)
  cron_d_own_perms:
    data:
      Ubuntu-14.04:
        - /etc/cron.d:
            gid: 0
            group: root
            uid: 0
            user: root
            mode: 700
            tag: CIS-9.1.7
    description: Set User/Group Owner and Permission on /etc/cron.d (Scored)
  at_cron_allow:
    data:
      Ubuntu-14.04:
        - /etc/cron.deny:
            gid: 0
            group: root
            mode: 600
            tag: CIS-9.1.8
            uid: 0
            user: root
        - /etc/at.deny:
            gid: 0
            group: root
            mode: 600
            tag: CIS-9.1.8
            uid: 0
            user: root
        - /etc/cron.allow:
            gid: 0
            group: root
            mode: 600
            tag: CIS-9.1.8
            uid: 0
            user: root
        - /etc/at.allow:
            gid: 0
            group: root
            mode: 600
            tag: CIS-9.1.8
            uid: 0
            user: root
    description: Restrict at/cron to authorized users (Scored)
  sshd_config:
    data:
      Ubuntu-14.04:
        - /etc/ssh/sshd_config:
            uid: 0
            gid: 0
            user: root
            group: root
            mode: 600
            tag: CIS-9.3.3
    description: Set Permissions on /etc/ssh/sshd_config (Scored)
  banner_files:
    data:
      Ubuntu-14.04:
        - /etc/motd:
            uid: 0
            gid: 0
            user: root
            group: root
            mode: 644
            tag: CIS-11.1
        - /etc/issue:
            uid: 0
            gid: 0
            user: root
            group: root
            mode: 644
            tag: CIS-11.1
        - /etc/issue.net:
            uid: 0
            gid: 0
            user: root
            group: root
            mode: 644
            tag: CIS-11.1
    description: Set Warning Banner for Standard Login Services (Scored)
  passwd_perms:
    data:
      Ubuntu-14.04:
        - /etc/passwd:
            mode: 644
            tag: CIS-12.1
    description: Verify Permissions on /etc/passwd (Scored)
  shadow_perms:
    data:
      Ubuntu-14.04:
        - /etc/shadow:
            mode: 640
            tag: CIS-12.2
    description: Verify Permissions on /etc/shadow (Scored)
  group_perms:
    data:
      Ubuntu-14.04:
        - /etc/group:
            mode: 644
            tag: CIS-12.3
    description: Verify Permissions on /etc/group (Scored)
  passwd_owner_group:
    data:
      Ubuntu-14.04:
        - /etc/passwd:
            uid: 0
            gid: 0
            user: root
            group: root
            tag: CIS-12.4
    description: Verify User and Group on /etc/passwd (Scored)
  shadow_owner_group:
    data:
      Ubuntu-14.04:
        - /etc/shadow:
            uid: 0
            gid: 42
            user: root
            group: shadow
            tag: CIS-12.5
    description: Verify User and Group on /etc/shadow (Scored)
  group_user_group:
    data:
      Ubuntu-14.04:
        - /etc/group:
            uid: 0
            gid: 0
            user: root
            group: root
            tag: CIS-12.6
    description: Verify User and Group on /etc/group (Scored)

command:
  rsh_client:
    data:
      Ubuntu-14.04:
        tag: CIS-5.1.3
        commands:
          - 'dpkg -s rsh-client':
              match_output: is not installed
          - 'dpkg -s rsh-redone-client':
              match_output: is not installed
    description: Ensure RSH Client is not Installed (Scored)
  ufw_active:
    data:
      Ubuntu-14.04:
        tag: CIS-7.7
        commands:
          - 'ufw status':
              match_output: Status active
    description: Ensure Firewall is active (Scored)
  disable_system_accts:
    data:
      Ubuntu-14.04:
        tag: CIS-10.2
        commands:
          - ? >
              egrep -v "^\+" /etc/passwd | awk -F: '($1!="root" && $1!="sync"
              && $1!="shutdown" && $1!="halt" && $3<500
              && $7!="/usr/sbin/nologin" && $7!="/bin/false") {print}'
            :
              shell: /bin/bash
              fail_if_matched: true
    description: Disable System Accounts (Scored)
  default_root_group:
    data:
      Ubuntu-14.04:
        tag: CIS-10.3
        commands:
          - 'grep "^root:" /etc/passwd | cut -f4 -d:':
              match_output: '0'
    description: Set Default Group for root Account (Scored)
  inactive_users:
    data:
      Ubuntu-14.04:
        tag: CIS-10.5
        commands:
          - 'useradd -D | grep INACTIVE':
              match_output: '35'
    description: Lock Inactive User Accounts (Scored)
  empty_passwd_field:
    data:
      Ubuntu-14.04:
        tag: CIS-13.1
        commands:
          - ? >
              cat /etc/shadow | /usr/bin/awk -F: '($2 == "" ) { print $1 }'
            :
              shell: /bin/bash
              fail_if_matched: true
    description: Ensure Password Fields are Not Empty (Scored)
  uid_zero_only_root:
    data:
      Ubuntu-14.04:
        tag: CIS-13.5
        commands:
          - ? >
              cat /etc/passwd | /usr/bin/awk -F: '($1!="root" && $3==0) { print $1 }'
            :
              shell: /bin/bash
              fail_if_matched: true
    description: Verify No UID 0 Accounts Exist Other Than root (Scored)
  root_path:
    data:
      Ubuntu-14.04:
        tag: CIS-13.6
        commands:
          - ? |-
              if [ "`echo $PATH | grep :: `" != "" ]; then
                echo "Empty Directory in PATH (::)"
              fi
              if [ "`echo $PATH | grep :$`" != "" ]; then
                echo "Trailing : in PATH"
              fi
              p=`echo $PATH | sed -e 's/::/:/' -e 's/:$//' -e 's/:/ /g'`
              set -- $p
              while [ "$1" != "" ]; do
                if [ "$1" = "." ]; then
                  echo "PATH contains ."
                  shift
                  continue
                fi
                if [ -d $1 ]; then
                  dirperm=`ls -ldH $1 | cut -f1 -d" "`
                  if [ `echo $dirperm | cut -c6 ` != "-" ]; then
                    echo "Group Write permission set on directory $1"
                  fi
                  if [ `echo $dirperm | cut -c9 ` != "-" ]; then
                    echo "Other Write permission set on directory $1"
                  fi
                  dirown=`ls -ldH $1 | awk '{print $3}'`
                  if [ "$dirown" != "root" ] ; then
                    echo $1 is not owned by root
                  fi
                else
                  echo $1 is not a directory
                fi
                shift
              done
            :
              shell: /bin/bash
              fail_if_matched: true
    description: Ensure root PATH Integrity (Scored)
iptables (firewall sample)
iptables:
  whitelist:

    ssh:
      data:
        tag: 'IPTABLES-TCP-22'
        table: 'filter'
        chain: INPUT
        family: 'ipv4'
        rule:
          proto: tcp
          dport: 22
          match: state
          connstate: ESTABLISHED,RELATED
          jump: ACCEPT
      description: 'iptables: filter ipv4 tcp 22 established,related accept'
network (netstat sample)
netstat:
  ssh:
    address:
      - '*:22'

netstat:
  smtp:
    address:
      - '127.0.0.1:25'
openscap (cve.scan-v1 example)
Red Hat publishes security advisories in the form of an XML file. These files follow a specific standard (OVAL) which requires an additional dependency to use. This profile's underlying module relies on openscap-scanner (https://www.open-scap.org). The XML files can be found here: https://www.redhat.com/security/data/oval/. Simply point to your preferred OVAL file:
Upstream
cve_scan: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml
salt://
To include a CVE scan in your Nova top file, simply add the name of the XML feed into a new Nova profile:
cve_scan: salt://com-redhat-rhsa-RHEL7.xml
See also: openscap Audit Module
Tip: tl;dr - dash-delimited filenames only You may be tempted to name the Nova profile the same name as the XML file. Remember, a ‘.’ is a directory-separator in Hubble (and Salt), meaning you’d actually be pointing to a file salt://com/redhat/rhsa-RHEL7/xml.
rhel-6-mac-1-classified
Multiple profiles can be combined to create more comprehensive profiles. Common examples include the CIS and STIG profiles:
#######################################################################################
# This is the Hubblestack Nova Auditing profile for the DISA STIGs:
#
# Source: https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/MAC-1_Classified/
# OS Finger: Red Hat Enterprise Linux Server-6
# Audit Level: MAC-I Classified
#
# Usage:
# salt
# salt
# salt
#
# Tags use the Vulnerability ID from the STIGs
# Example: You can check for a specific tag with this usage:
#
# salt
#
# The Description field is structured following this scheme: (Severity)
#
# Coverage:
# NOTE: At this time, hubblestack provides 000% coverage of stig inspections
# due to the suite of available modules. As more modules become available,
# coverage will increase.
#
# Current coverage: XX / 264 = 000%
# High Severity: 09 Done, 06 Partial, 2 Blocker = 15 / 17 = 88%
#   - V-38666: (Partial)
#     - Tailored: Checking for Clam AV packages installed and in cron.daily
#     - Cannot verify the output of the nails status command for
#       McAfee scans at this time
#     - Cannot verify the age of AV definitions as a result of the output
#       of a command at this time
#   - V-38476: Cannot verify the output of the rpm command at this time
#   - V-38491: Cannot verify presence of a file within a discovered list of directories
#   - V-38602: (Partial) checking for running service, but cannot verify the
#     output of the chkconfig command
#   - V-38594: (Partial) checking for running service, but cannot verify the
#     output of the chkconfig command
#   - V-38598: (Partial) checking for running service, but cannot verify the
#     output of the chkconfig command
#   - V-38589: (Partial) checking for running service, but cannot verify the
#     output of the chkconfig command
#   - V-38701: Potentially a false positive if the file does not exist.
# Medium Severity: XX / 146 = 000%
# Low Severity: XX / 101 = 000%
#
# Tailoring:
# You may need to tailor some of these inspections to your system/site to account
# for:
#   1. your environmental configuration
#      ex: using McAfee AV Scan vs ClamAV
#   2. compensating controls you may have
#   3. tailoring you've done for your specific system
#
#######################################################################################
grep:
  blacklist:
    snmpd_not_use_default_passwd:
      data:
        Red Hat Enterprise Linux Server-6:
          - /etc/snmp/snmpd.conf:
              pattern: '^[^#]'
              match_output: public
              tag: V-38653
      description: (HIGH) The snmpd service must not use a default password.
    rpm_cryptographically_verify_packages:
      data:
        Red Hat Enterprise Linux Server-6:
          - /etc/rpmrc:
              pattern: nosignature
              tag: V-38462
          - /usr/lib/rpm/rpmrc:
              pattern: nosignature
              tag: V-38462
          - /usr/lib/rpm/redhat/rpmrc:
              pattern: nosignature
              tag: V-38462
          - /root/.rpmrc:
              pattern: nosignature
              tag: V-38462
      description: |
        (HIGH) The RPM package management tool must cryptographically verify
        the authenticity of all software packages during installation.
    null_passwords_cannot_be_used:
      data:
        Red Hat Enterprise Linux Server-6:
          - /etc/pam.d/system-auth:
              pattern: nullok
              tag: V-38497
          - /etc/pam.d/system-auth-ac:
              pattern: nullok
              tag: V-38497
          - /etc/pam.d/password-auth:
              pattern: nullok
              tag: V-38497
          - /etc/pam.d/password-auth-ac:
              pattern: nullok
              tag: V-38497
          - /etc/pam.d/sshd:
              pattern: nullok
              tag: V-38497
      description: (HIGH) The system must not allow null passwords to be used.
    nfs_no_insecure_file_locking:
      data:
        Red Hat Enterprise Linux Server-6:
          - /etc/exports:
              pattern: insecure_locks
              tag: V-38677
      description: (HIGH) The NFS server must not have the insecure file locking option enabled.
    sshd_no_empty_passwords:
      data:
        Red Hat Enterprise Linux Server-6:
          - /etc/ssh/sshd_config:
              pattern: '^PermitEmptyPasswords'
              match_output: "yes"
              tag: V-38614
          - /etc/ssh/sshd_config:
              pattern: '^PermitEmptyPasswords'
              match_output: "Yes"
              tag: V-38614
      description: (HIGH) The SSH daemon must not allow authentication using an empty password.

  whitelist:
    x86_ctrl_alt_del_disabled:
      data:
        Red Hat Enterprise Linux Server-6:
          - /etc/init/control-alt-delete.override:
              pattern: '^exec /usr/bin/logger'
              match_output: security.info "Control-Alt-Delete pressed"
              tag: V-38668
      description: (HIGH) The x86 Ctrl-Alt-Delete key sequence must be disabled.
    sshd_use_only_SSHv2_protocol:
      data:
        Red Hat Enterprise Linux Server-6:
          - /etc/ssh/sshd_config:
              pattern: '^Protocol'
              match_output: Protocol 2
              tag: V-38607
      description: (HIGH) The SSH daemon must be configured to use only the SSHv2 protocol.
    tftp_daemon_operate_in_secure_mode:
      # NOTE: potentially a false positive if the file does not exist
      data:
        Red Hat Enterprise Linux Server-6:
          - /etc/xinetd.d/tftp:
              pattern: '^server_args'
              match_output: -s
              tag: V-38701
      description: |
        (HIGH) The TFTP daemon must operate in secure mode which provides
        access only to a single directory on the host file system. Potentially
        a false positive if this file does not exist.

pkg:
  blacklist:
    rsh-server_not_installed:
      data:
        Red Hat Enterprise Linux Server-6:
          - rsh-server: V-38591
      description: (HIGH) The rsh-server package must not be installed.
    telnet-server_not_installed:
      data:
        Red Hat Enterprise Linux Server-6:
          - telnet-server: V-38587
          - telnet: V-38587
      description: (HIGH) The telnet-server and telnet package must not be installed.

  whitelist:
    approved_virus_scan_program:
      # NOTE: This will need to be updated for your respective organization.
      # This particular check is validating that the clamav package is installed.
      # This is a multi-part check to verify V-38666. Under the stat section,
      # there is a check to verify the cron.daily script for clamav inspection.
      data:
        Red Hat Enterprise Linux Server-6:
          - clamav: V-38666
          - clamd: V-38666
      description: (HIGH) The system must use and update a DoD-approved virus scan program.

service:
  blacklist:
    rlogind_not_running:
      # This is partially implemented to ensure that the service is not running.
      # This inspection alone does not fully satisfy the STIG check as it does
      # not currently check the output of the chkconfig command
      data:
        Red Hat Enterprise Linux Server-6:
          - rlogin: V-38602
      description: (High) The rlogind service must not be running.
    rshd_not_running:
      # This is partially implemented to ensure that the service is not running.
      # This inspection alone does not fully satisfy the STIG check as it does
      # not currently check the output of the chkconfig command
      data:
        Red Hat Enterprise Linux Server-6:
          - rsh: V-38594
      description: (High) The rshd service must not be running.
    rexecd_not_running:
      # This is partially implemented to ensure that the service is not running.
      # This inspection alone does not fully satisfy the STIG check as it does
      # not currently check the output of the chkconfig command
      data:
        Red Hat Enterprise Linux Server-6:
          - rexec: V-38598
      description: (High) The rexecd service must not be running.
    telnet_not_running:
      # This is partially implemented to ensure that the service is not running.
      # This inspection alone does not fully satisfy the STIG check as it does
      # not currently check the output of the chkconfig command
      data:
        Red Hat Enterprise Linux Server-6:
          - telnet: V-38589
      description: (High) The telnet daemon must not be running.

stat:
  cron_daily_clamscan_host:
    # NOTE: This will need to be updated for your respective organization.
    # This particular check is validating that clamav is run on a daily basis.
    # This is a multi-part check to verify V-38666. Under the pkg section,
    # there is a check to verify clam is installed.
    data:
      Red Hat Enterprise Linux Server-6:
        - /etc/cron.daily/clamscan_host.sh:
            group: root
            user: root
            mode: 755
            tag: V-38666
    description: (HIGH) The system must use and update a DoD-approved virus scan program.
sample profiles
CVE-2014-2913
grep:
  blacklist:

    dont_blame_nrpe:
      data:
        '*':
          - '/etc/nrpe.cfg':
              tag: 'CVE-2014-2913'
              pattern: 'dont_blame_nrpe=1'
      description: 'NRPE - Nagios Remote Plugin Executor'
command Profile
command:
  nodev:
    data:
      'Red Hat Enterprise Linux Server-6':
        tag: CIS-1.1.10
        commands:
          - 'grep "[[:space:]]/home[[:space:]]" /etc/fstab':
              match_output: nodev
              match_output_regex: False
              fail_if_matched: False
          - 'mount | grep /home':
              match_output: nodev
              match_output_regex: False
              match_output_by_line: True
        aggregation: 'and'
    description: '/home should be nodev'
compensating control
stat:
  grub_conf_own:
    data:
      'CentOS-6':
        - '/etc/grub.conf':
            tag: 'CIS-1.5.1'
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
      'CentOS Linux-7':
        - '/etc/grub2/grub.cfg':
            tag: 'CIS-1.5.1'
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: 'Grub must be owned by root (Scored)'
    control: 'We do not care about this'

  grub_conf_perm:
    data:
      'CentOS-6':
        - '/etc/grub.conf':
            tag: 'CIS-1.5.2'
            mode: 600
      'CentOS Linux-7':
        - '/etc/grub2/grub.cfg':
            tag: 'CIS-1.5.2'
            mode: 600
    description: 'Grub must have permissions 600 (Scored)'

  hosts_allow:
    data:
      'CentOS-6':
        - '/etc/hosts.allow':
            tag: 'CIS-4.5.3'
            mode: 644
      'CentOS Linux-7':
        - '/etc/hosts.allow':
            tag: 'CIS-4.5.3'
            mode: 644
    description: '/etc/hosts.allow must have permissions 644 (Scored)'
    control: 'We do not care about this'

  hosts_deny:
    data:
      'CentOS-6':
        - '/etc/hosts.deny':
            tag: 'CIS-4.5.5'
            mode: 644
      'CentOS Linux-7':
        - '/etc/hosts.deny':
            tag: 'CIS-4.5.5'
            mode: 644
    description: '/etc/hosts.deny must have permissions 644 (Scored)'
    control: 'We do not care about this'

  anacrontab:
    data:
      'CentOS-6':
        - '/etc/anacrontab':
            tag: 'CIS-6.1.3'
            mode: 600
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
      'CentOS Linux-7':
        - '/etc/anacrontab':
            tag: 'CIS-6.1.3'
            mode: 600
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: '/etc/anacrontab must be owned by root and must have permissions 600 (Scored)'


pkg:
  blacklist:

    telnet:
      data:
        'CentOS-6':
          - 'telnet-server': 'CIS-2.1.1'
          - 'telnet': 'CIS-2.1.2'
        'CentOS Linux-7':
          - 'telnet-server': 'CIS-2.1.1'
          - 'telnet': 'CIS-2.1.2'
      description: 'Remove telnet and telnet-server (Scored)'

    rsh:
      data:
        'CentOS-6':
          - 'rsh-server': 'CIS-2.1.3'
          - 'rsh': 'CIS-2.1.4'
        'CentOS Linux-7':
          - 'rsh-server': 'CIS-2.1.3'
          - 'rsh': 'CIS-2.1.4'
      description: 'Remove rsh and rsh-server (Scored)'
      control: 'We do not care about this'

    nis:
      data:
        'CentOS-6':
          - 'ypbind': 'CIS-2.1.5'
          - 'ypserv': 'CIS-2.1.6'
        'CentOS Linux-7':
          - 'ypbind': 'CIS-2.1.5'
          - 'ypserv': 'CIS-2.1.6'
      description: 'Remove nis client and nis server (Scored)'

    tftp:
      data:
        'CentOS-6':
          - 'tftp': 'CIS-2.1.7'
          - 'tftp-server': 'CIS-2.1.8'
        'CentOS Linux-7':
          - 'tftp': 'CIS-2.1.7'
          - 'tftp-server': 'CIS-2.1.8'
      description: 'Remove tftp and tftp-server (Scored)'
      control: 'We do not care about this'


sysctl:
  restrict_suid_core_dumps:
    data:
      'CentOS-6':
        - 'fs.suid_dumpable':
            tag: 'CIS-1.6.1'
            match_output: '0'
    description: 'Restrict SUID Core Dumps (Scored)'

  exec_shield:
    data:
      'CentOS-6':
        - 'kernel.exec-shield':
            tag: 'CIS-1.6.2'
            match_output: '1'
    description: 'Configure ExecShield (Scored)'
    control: 'We do not care about this'

  randomize_va_space:
    data:
      'CentOS-6':
        - 'kernel.randomize_va_space':
            tag: 'CIS-1.6.3'
            match_output: '2'
      'CentOS Linux-7':
        - 'kernel.randomize_va_space':
            tag: 'CIS-1.6.2'
            match_output: '2'
    description: 'Enable Randomized Virtual Memory Region Placement (Scored)'


grep:
  whitelist:

    fstab_tmp_partition:
      data:
        CentOS-6:
          - '/etc/fstab':
              tag: 'CIS-1.1.1'
              pattern: '/tmp'
        CentOS Linux-7:
          - '/etc/fstab':
              tag: 'CIS-1.1.1'
              pattern: '/tmp'
        Ubuntu-14.04:
          - '/etc/fstab':
              tag: 'CIS-2.1'
              pattern: '/tmp'
      description: 'Create Separate Partition for /tmp (Scored)'
      control: 'We do not care about this'

    fstab_tmp_partition_nodev:
      data:
        CentOS-6:
          - '/etc/fstab':
              tag: 'CIS-1.1.2'
              pattern: '/tmp'
              match_output: 'nodev'
        CentOS Linux-7:
          - '/etc/fstab':
              tag: 'CIS-1.1.2'
              pattern: '/tmp'
              match_output: 'nodev'
        Ubuntu-14.04:
          - '/etc/fstab':
              tag: 'CIS-2.2'
              pattern: '/tmp'
              match_output: 'nodev'
      description: 'Set nodev option for /tmp Partition (Scored)'

  blacklist:
    legacy_passwd_entries_passwd:
      data:
        'CentOS-6':
          - '/etc/passwd':
              tag: 'CIS-9.2.2'
              pattern: "^+:"
        CentOS Linux-7:
          - '/etc/passwd':
              tag: 'CIS-9.2.2'
              pattern: "^+:"
      description: 'Verify No Legacy "+" Entries Exist in /etc/passwd (Scored)'
      control: 'We do not care about this'

    legacy_passwd_entries_shadow:
      data:
        'CentOS-6':
          - '/etc/shadow':
              tag: 'CIS-9.2.3'
              pattern: "^+:"
        CentOS Linux-7:
          - '/etc/shadow':
              tag: 'CIS-9.2.3'
              pattern: "^+:"
      description: 'Verify No Legacy "+" Entries Exist in /etc/shadow (Scored)'

    legacy_passwd_entries_group:
      data:
        'CentOS-6':
          - '/etc/group':
              tag: 'CIS-9.2.4'
              pattern: "^+:"
        CentOS Linux-7:
          - '/etc/group':
              tag: 'CIS-9.2.4'
              pattern: "^+:"
      description: 'Verify No Legacy "+" Entries Exist in /etc/group (Scored)'
      control: 'We do not care about this'
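To make the grep sections above concrete (the Ubuntu CIS entries earlier and the compensating-control sample just shown), here is an added example, not HubbleStack's own code, that evaluates Nova-style grep checks against constructed file contents. It is a simplified reimplementation: Python's re stands in for the grep binary Nova shells out to, whitelist checks require every listed pattern to be found, blacklist checks fail when any is found, and a failed check that carries a control key is reported as Controlled instead of Failure.

```python
"""Simplified evaluator for Nova-style ``grep`` profile entries (added example)."""
import re
from typing import Dict, List, Optional

# Constructed file contents standing in for the minion's real files.
FILES: Dict[str, str] = {
    "/etc/login.defs": "PASS_MAX_DAYS 90\nPASS_MIN_DAYS 7\nPASS_WARN_AGE 7\n",
    "/etc/fstab": "UUID=0000-constructed / ext4 defaults 0 1\n",   # no /tmp line
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
    "/etc/inetd.conf": "shell stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd\n",
}

# Constructed profile modelled on the Ubuntu CIS and compensating-control listings.
PROFILE = {
    "grep": {
        "whitelist": {
            "password_min_days": {
                "data": {"Ubuntu-14.04": [{"/etc/login.defs": {
                    "pattern": "PASS_MIN_DAYS", "match_output": "7",
                    "tag": "CIS-10.1.2"}}]},
                "description": "Set Password Change Minimum Number of Days (Scored)",
            },
            "fstab_tmp_partition": {
                "data": {"Ubuntu-14.04": [{"/etc/fstab": {
                    "pattern": "/tmp", "tag": "CIS-2.1"}}]},
                "description": "Create Separate Partition for /tmp (Scored)",
                "control": "We do not care about this",
            },
        },
        "blacklist": {
            "root_passwd_set": {
                "data": {"Ubuntu-14.04": [{"/etc/passwd": {
                    "pattern": r"^root:[ *\!]:", "tag": "CIS-3.4"}}]},
                "description": "Require Authentication for Single User Mode (Scored)",
            },
            "rsh_inet": {
                # '*' is the OS-finger wildcard used by the CVE sample profile
                "data": {"*": [{"/etc/inetd.conf": {
                    "pattern": "^shell", "tag": "CIS-5.1.2"}}]},
                "description": "Ensure RSH server is not Enabled (Scored)",
            },
        },
    }
}


def grep_file(path: str, pattern: str, files: Dict[str, str]) -> str:
    """Return the lines of ``path`` matching ``pattern`` (empty if the file is absent)."""
    text = files.get(path, "")
    return "\n".join(ln for ln in text.splitlines() if re.search(pattern, ln))


def select_data(data: Dict[str, list], os_finger: str) -> Optional[list]:
    """Pick the entries for this OS finger, falling back to the '*' wildcard."""
    return data.get(os_finger, data.get("*"))


def entry_found(path_spec: Dict[str, dict], files: Dict[str, str]) -> bool:
    """True when the pattern matches and, if given, match_output is in the output."""
    (path, opts), = path_spec.items()
    output = grep_file(path, opts["pattern"], files)
    if "match_output" in opts:
        return opts["match_output"] in output
    return bool(output)


def audit(profile: dict, os_finger: str, files: Dict[str, str]) -> Dict[str, List[dict]]:
    """Evaluate every grep check and bucket it as Success, Failure or Controlled."""
    results: Dict[str, List[dict]] = {"Success": [], "Failure": [], "Controlled": []}
    for mode in ("whitelist", "blacklist"):
        for name, check in profile.get("grep", {}).get(mode, {}).items():
            entries = select_data(check["data"], os_finger)
            if entries is None:
                continue  # the check does not apply to this OS
            hits = [entry_found(e, files) for e in entries]
            # whitelist: every entry must be present; blacklist: none may be present
            passed = all(hits) if mode == "whitelist" else not any(hits)
            tags = sorted({opts["tag"] for e in entries for opts in e.values()})
            record = {"name": name, "tags": tags, "description": check["description"]}
            if passed:
                results["Success"].append(record)
            elif "control" in check:
                record["control"] = check["control"]
                results["Controlled"].append(record)
            else:
                results["Failure"].append(record)
    return results


if __name__ == "__main__":
    for bucket, items in audit(PROFILE, "Ubuntu-14.04", FILES).items():
        for item in items:
            print(f"{bucket:10} {item['name']:22} {','.join(item['tags'])}")
```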
firewall
firewall:
  whitelist:

    ssh:
      data:
        tag: 'FIREWALL-TCP-22'
        table: 'filter'
        chain: INPUT
        family: 'ipv4'
        rule:
          proto: tcp
          dport: 22
          match: state
          connstate: RELATED,ESTABLISHED
          jump: ACCEPT
      description: 'ssh iptables rule check'
openssl
openssl:
  google:
    data:
      tag: 'CERT-001'             # tag (required)
      endpoint: 'www.google.com'  # required if file is not defined
      file: null                  # /path/to/the/pem/file (required if endpoint is not defined)
      port: 443                   # required only if both
                                  #   - endpoint is defined
                                  #   - https is not configured on port 443
      not_after: 30               # minimum number of days until expiration (default value: 0)
                                  # the check fails if the certificate expires in less than 30 days
      not_before: 10              # number of days until the certificate becomes valid (default value: 0)
                                  # the check fails if the certificate becomes valid in more than 10 days
      fail_if_not_before: True    # fails the check if the certificate is not valid yet
    description: 'google certificate'
sample CIS profile

# NOTE: This CIS Profile only includes Level 1 Scored Items.
# NOTE: Within this file, there are a few sections that should be tailored to your
# organization's specific policy. Search for '# NOTE: ' comments through the file.

pkg:
  blacklist:

    telnet:
      data:
        'Red Hat Enterprise Linux Server-6':
          - 'telnet-server': 'CIS-2.1.1'
          - 'telnet': 'CIS-2.1.2'
        'CentOS Linux-7':
          - 'telnet-server': 'CIS-2.1.1'
          - 'telnet': 'CIS-2.1.2'
      description: 'Remove telnet and telnet-server (Scored)'

    rsh:
      data:
        'Red Hat Enterprise Linux Server-6':
          - 'rsh-server': 'CIS-2.1.3'
          - 'rsh': 'CIS-2.1.4'
        'CentOS Linux-7':
          - 'rsh-server': 'CIS-2.1.3'
          - 'rsh': 'CIS-2.1.4'
      description: 'Remove rsh and rsh-server (Scored)'

    nis:
      data:
        'Red Hat Enterprise Linux Server-6':
          - 'ypbind': 'CIS-2.1.5'
          - 'ypserv': 'CIS-2.1.6'
        'CentOS Linux-7':
          - 'ypbind': 'CIS-2.1.5'
          - 'ypserv': 'CIS-2.1.6'
      description: 'Remove nis client and nis server (Scored)'

    tftp:
      data:
        'Red Hat Enterprise Linux Server-6':
          - 'tftp': 'CIS-2.1.7'
          - 'tftp-server': 'CIS-2.1.8'
        'CentOS Linux-7':
          - 'tftp': 'CIS-2.1.7'
          - 'tftp-server': 'CIS-2.1.8'
      description: 'Remove tftp and tftp-server (Scored)'

    talk:
      data:
        'Red Hat Enterprise Linux Server-6':
          - 'talk': 'CIS-2.1.9'
          - 'talk-server': 'CIS-2.1.10'
        'CentOS Linux-7':
          - 'talk': 'CIS-2.1.9'
          - 'talk-server': 'CIS-2.1.10'
      description: 'Remove talk and talk-server (Scored)'

    xinetd:
      data:
        'Red Hat Enterprise Linux Server-6':
          - 'xinetd': 'CIS-2.1.11'
        'CentOS Linux-7':
          - 'xinetd': 'CIS-2.1.11'
      description: 'Remove xinetd (Scored)'

    xorg-x11-server-common:
      data:
        'Red Hat Enterprise Linux Server-6':
          - 'xorg-x11-server-common': 'CIS-3.2'
        'CentOS Linux-7':
          - 'xorg-x11-server-common': 'CIS-3.2'
      description: 'Remove the X Window System (Scored)'

    avahi-daemon:
      data:
        'Red Hat Enterprise Linux Server-6':
          - 'avahi-daemon': 'CIS-3.3'
        'CentOS Linux-7':
          - 'avahi-daemon': 'CIS-3.3'
      description: 'Disable Avahi Server (Scored)'

    dhcp:
      data:
        'Red Hat Enterprise Linux Server-6':
          - 'dhcp': 'CIS-3.5'
        'CentOS Linux-7':
          - 'dhcp': 'CIS-3.5'
      description: 'Remove DHCP server (Scored)'

  whitelist:

    aide:
      data:
        'Red Hat Enterprise Linux Server-6':
          - 'aide': 'CIS-1.3.1'
        'CentOS Linux-7':
          - 'aide': 'CIS-1.3.1'
      description: 'Install AIDE (Scored)'

    iptables:
      data:
        'Red Hat Enterprise Linux Server-6':
          - 'iptables': 'CIS-4.7_installed'
      description: 'Install IPtables (Scored)'

    firewalld:
      data:
        'CentOS Linux-7':
          - 'firewalld': 'CIS-4.7_installed'
      description: 'Enable firewalld (Scored)'

    rsyslog:
      data:
        'Red Hat Enterprise Linux Server-6':
          - 'rsyslog': 'CIS-5.1.1'
        'CentOS Linux-7':
          - 'rsyslog': 'CIS-5.1.1'
      description: 'Install rsyslog (Scored)'

    anacron:
      data:
        'Red Hat Enterprise Linux Server-6':
          - 'cronie-anacron': 'CIS-6.1.1'
        'CentOS Linux-7':
          - 'cronie-anacron': 'CIS-6.1.1'
      description: 'Enable anacron Daemon (Scored)'

stat:
  grub_conf_own:
    data:
      'Red Hat Enterprise Linux Server-6':
        - '/etc/grub.conf':
            tag: 'CIS-1.5.1'
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
      'CentOS Linux-7':
        - '/boot/grub2/grub.cfg':
            tag: 'CIS-1.5.1'
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: 'Grub must be owned by root (Scored)'

  grub_conf_perm:
    data:
      'Red Hat Enterprise Linux Server-6':
        - '/etc/grub.conf':
            tag: 'CIS-1.5.2'
            mode: 600
      'CentOS Linux-7':
        - '/boot/grub2/grub.cfg':
            tag: 'CIS-1.5.2'
            mode: 600
    description: 'Grub must have permissions 600 (Scored)'

  hosts_allow:
    data:
      'Red Hat Enterprise Linux Server-6':
        - '/etc/hosts.allow':
            tag: 'CIS-4.5.3'
            mode: 644
      'CentOS Linux-7':
        - '/etc/hosts.allow':
            tag: 'CIS-4.5.3'
            mode: 644
    description: '/etc/hosts.allow must have permissions 644 (Scored)'

  hosts_deny:
    data:
      'Red Hat Enterprise Linux Server-6':
        - '/etc/hosts.deny':
            tag: 'CIS-4.5.5'
            mode: 644
      'CentOS Linux-7':
        - '/etc/hosts.deny':
            tag: 'CIS-4.5.5'
            mode: 644
    description: '/etc/hosts.deny must have permissions 644 (Scored)'

  anacrontab:
    data:
      'Red Hat Enterprise Linux Server-6':
        - '/etc/anacrontab':
            tag: 'CIS-6.1.3'
            mode: 600
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
      'CentOS Linux-7':
        - '/etc/anacrontab':
            tag: 'CIS-6.1.3'
            mode: 600
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: '/etc/anacrontab must be owned by root and must have permissions 600 (Scored)'

  crontab:
    data:
      'Red Hat Enterprise Linux Server-6':
        - '/etc/crontab':
            tag: 'CIS-6.1.4'
            mode: 600
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
      'CentOS Linux-7':
        - '/etc/crontab':
            tag: 'CIS-6.1.4'
            mode: 600
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: '/etc/crontab must be owned by root and must have permissions 600 (Scored)'

  cron_hourly:
    data:
      'Red Hat Enterprise Linux Server-6':
        - '/etc/cron.hourly':
            tag: 'CIS-6.1.5'
            mode: 700
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
      'CentOS Linux-7':
        - '/etc/cron.hourly':
            tag: 'CIS-6.1.5'
            mode: 700
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: '/etc/cron.hourly must be owned by root and must have permissions 700 (Scored)'

  cron_daily:
    data:
      'Red Hat Enterprise Linux Server-6':
        - '/etc/cron.daily':
            tag: 'CIS-6.1.6'
            mode: 700
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
      'CentOS Linux-7':
        - '/etc/cron.daily':
            tag: 'CIS-6.1.6'
            mode: 700
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: '/etc/cron.daily must be owned by root and must have permissions 700 (Scored)'

  cron_weekly:
    data:
      'Red Hat Enterprise Linux Server-6':
        - '/etc/cron.weekly':
            tag: 'CIS-6.1.7'
            mode: 700
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
      'CentOS Linux-7':
        - '/etc/cron.weekly':
            tag: 'CIS-6.1.7'
            mode: 700
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: '/etc/cron.weekly must be owned by root and must have permissions 700 (Scored)'

  cron_monthly:
    data:
      'Red Hat Enterprise Linux Server-6':
        - '/etc/cron.monthly':
            tag: 'CIS-6.1.8'
            mode: 700
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
      'CentOS Linux-7':
        - '/etc/cron.monthly':
            tag: 'CIS-6.1.8'
            mode: 700
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: '/etc/cron.monthly must be owned by root and must have permissions 700 (Scored)'

  cron_d:
    data:
      'Red Hat Enterprise Linux Server-6':
        - '/etc/cron.d':
            tag: 'CIS-6.1.9'
            mode: 700
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
      'CentOS Linux-7':
        - '/etc/cron.d':
            tag: 'CIS-6.1.9'
            mode: 700
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: '/etc/cron.d must be owned by root and must have permissions 700 (Scored)'

  at_allow:
    data:
      'Red Hat Enterprise Linux Server-6':
        - '/etc/at.allow':
            tag: 'CIS-6.1.10'
            mode: 600
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
      'CentOS Linux-7':
        - '/etc/at.allow':
            tag: 'CIS-6.1.10'
            mode: 600
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: '/etc/at.allow must be owned by root and must have permissions 600 (Scored)'

  at_cron_allow:
    data:
      'Red Hat Enterprise Linux Server-6':
        - '/etc/cron.deny':
            tag: 'CIS-6.1.11'
            mode: null
            user: null
            uid: null
            group: null
            gid: null
        - '/etc/at.deny':
            tag: 'CIS-6.1.11'
            mode: null
            user: null
            uid: null
            group: null
            gid: null
        - '/etc/cron.allow':
            tag: 'CIS-6.1.11'
            mode: 600
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
        - '/etc/at.allow':
            tag: 'CIS-6.1.11'
            mode: 600
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
      'CentOS Linux-7':
        - '/etc/cron.deny':
            tag: 'CIS-6.1.11'
            mode: null
            user: null
            uid: null
            group: null
            gid: null
        - '/etc/at.deny':
            tag: 'CIS-6.1.11'
            mode: null
            user: null
            uid: null
            group: null
            gid: null
        - '/etc/cron.allow':
            tag: 'CIS-6.1.11'
            mode: 600
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
        - '/etc/at.allow':
            tag: 'CIS-6.1.11'
            mode: 600
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: 'Restrict at/cron to authorized users (Scored)'

  sshd_config:
    data:
      'Red Hat Enterprise Linux Server-6':
        - '/etc/ssh/sshd_config':
            tag: 'CIS-6.2.3'
            mode: 600
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
      'CentOS Linux-7':
        - '/etc/ssh/sshd_config':
            tag: 'CIS-6.2.3'
            mode: 600
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: '/etc/ssh/sshd_config must be owned by root and must have permissions 600 (Scored)'

  warning_banner:
    data:
      'Red Hat Enterprise Linux Server-6':
        - '/etc/motd':
            tag: 'CIS-8.1'
            mode: 644
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
        - '/etc/issue':
            tag: 'CIS-8.1'
            mode: 644
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
        - '/etc/issue.net':
            tag: 'CIS-8.1'
            mode: 644
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
      'CentOS Linux-7':
        - '/etc/motd':
            tag: 'CIS-8.1'
            mode: 644
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
        - '/etc/issue':
            tag: 'CIS-8.1'
            mode: 644
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
        - '/etc/issue.net':
            tag: 'CIS-8.1'
            mode: 644
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: 'Files containing the warning banners must be owned by root and must have permissions 644 (Scored)'

  passwd_perm:
    data:
      'Red Hat Enterprise Linux Server-6':
        - '/etc/passwd':
            tag: 'CIS-9.1.2'
            mode: 644
      'CentOS Linux-7':
        - '/etc/passwd':
            tag: 'CIS-9.1.2'
            mode: 644
    description: '/etc/passwd must have permissions 644 (Scored)'

  passwd_own:
    data:
      'Red Hat Enterprise Linux Server-6':
        - '/etc/passwd':
            tag: 'CIS-9.1.6'
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
      'CentOS Linux-7':
        - '/etc/passwd':
            tag: 'CIS-9.1.6'
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: '/etc/passwd must be owned by root (Scored)'

  shadow_perm:
    data:
      'Red Hat Enterprise Linux Server-6':
        - '/etc/shadow':
            tag: 'CIS-9.1.3'
            mode: 0
      'CentOS Linux-7':
        - '/etc/shadow':
            tag: 'CIS-9.1.3'
            mode: 0
    description: '/etc/shadow must have permissions 000 (Scored)'

  shadow_own:
    data:
      'Red Hat Enterprise Linux Server-6':
        - '/etc/shadow':
            tag: 'CIS-9.1.7'
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
      'CentOS Linux-7':
        - '/etc/shadow':
            tag: 'CIS-9.1.7'
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: '/etc/shadow must be owned by root (Scored)'

  gshadow_perm:
    data:
      'Red Hat Enterprise Linux Server-6':
        - '/etc/gshadow':
            tag: 'CIS-9.1.4'
            mode: 0
      'CentOS Linux-7':
        - '/etc/gshadow':
            tag: 'CIS-9.1.4'
            mode: 0
    description: '/etc/gshadow must have permissions 000 (Scored)'

  gshadow_own:
    data:
      'Red Hat Enterprise Linux Server-6':
        - '/etc/gshadow':
            tag: 'CIS-9.1.8'
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
      'CentOS Linux-7':
        - '/etc/gshadow':
            tag: 'CIS-9.1.8'
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: '/etc/gshadow must be owned by root (Scored)'

  group_perm:
    data:
      'Red Hat Enterprise Linux Server-6':
        - '/etc/group':
            tag: 'CIS-9.1.5'
            mode: 644
      'CentOS Linux-7':
        - '/etc/group':
            tag: 'CIS-9.1.5'
            mode: 644
    description: '/etc/group must have permissions 644 (Scored)'

  group_own:
    data:
      'Red Hat Enterprise Linux Server-6':
        - '/etc/group':
            tag: 'CIS-9.1.9'
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
      'CentOS Linux-7':
        - '/etc/group':
            tag: 'CIS-9.1.9'
            user: 'root'
            uid: 0
            group: 'root'
            gid: 0
    description: '/etc/group must be owned by root (Scored)'

grep:
  whitelist:

    fstab_tmp_partition:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/fstab':
              tag: 'CIS-1.1.1'
              pattern: '/tmp'
        'CentOS Linux-7':
          - '/etc/fstab':
              tag: 'CIS-1.1.1'
              pattern: '/tmp'
        'Ubuntu-14.04':
          - '/etc/fstab':
              tag: 'CIS-2.1'
              pattern: '/tmp'
      description: 'Create Separate Partition for /tmp (Scored)'

    fstab_tmp_partition_nodev:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/fstab':
              tag: 'CIS-1.1.2'
              pattern: '/tmp'
              match_output: 'nodev'
        'CentOS Linux-7':
          - '/etc/fstab':
              tag: 'CIS-1.1.2'
              pattern: '/tmp'
              match_output: 'nodev'
        'Ubuntu-14.04':
          - '/etc/fstab':
              tag: 'CIS-2.2'
              pattern: '/tmp'
              match_output: 'nodev'
      description: 'Set nodev option for /tmp Partition (Scored)'

    fstab_tmp_partition_nosuid:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/fstab':
              tag: 'CIS-1.1.3'
              pattern: '/tmp'
              match_output: 'nosuid'
        'CentOS Linux-7':
          - '/etc/fstab':
              tag: 'CIS-1.1.3'
              pattern: '/tmp'
              match_output: 'nosuid'
        'Ubuntu-14.04':
          - '/etc/fstab':
              tag: 'CIS-2.3'
              pattern: '/tmp'
              match_output: 'nosuid'
      description: 'Set nosuid option for /tmp Partition (Scored)'

    fstab_tmp_partition_noexec:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/fstab':
              tag: 'CIS-1.1.4'
              pattern: '/tmp'
              match_output: 'noexec'
        'CentOS Linux-7':
          - '/etc/fstab':
              tag: 'CIS-1.1.4'
              pattern: '/tmp'
              match_output: 'noexec'
        'Ubuntu-14.04':
          - '/etc/fstab':
              tag: 'CIS-2.4'
              pattern: '/tmp'
              match_output: 'noexec'
      description: 'Set noexec option for /tmp Partition (Scored)'

    fstab_var_partition:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/fstab':
              tag: 'CIS-1.1.5'
              pattern: '/var'
        'CentOS Linux-7':
          - '/etc/fstab':
              tag: 'CIS-1.1.5'
              pattern: '/var'
        'Ubuntu-14.04':
          - '/etc/fstab':
              tag: 'CIS-2.5'
              pattern: '/var'
      description: 'Create Separate Partition for /var (Scored)'

    fstab_var_tmp_bind_mount:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/fstab':
              tag: 'CIS-1.1.6'
              pattern: '/tmp'
              match_output: '/var/tmp'
        'CentOS Linux-7':
          - '/etc/fstab':
              tag: 'CIS-1.1.6'
              pattern: '/tmp'
              match_output: '/var/tmp'
        'Ubuntu-14.04':
          - '/etc/fstab':
              tag: 'CIS-2.6'
              pattern: '/var'
              match_output: '/var/tmp'
      description: 'Bind Mount the /var/tmp directory to /tmp (Scored)'

    fstab_var_log_partition:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/fstab':
              tag: 'CIS-1.1.7'
              pattern: '/var/log'
        'CentOS Linux-7':
          - '/etc/fstab':
              tag: 'CIS-1.1.7'
              pattern: '/var/log'
        'Ubuntu-14.04':
          - '/etc/fstab':
              tag: 'CIS-2.7'
              pattern: '/var/log'
      description: 'Create Separate Partition for /var/log (Scored)'

    fstab_var_log_audit_partition:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/fstab':
              tag: 'CIS-1.1.8'
              pattern: '/var/log/audit'
        'CentOS Linux-7':
          - '/etc/fstab':
              tag: 'CIS-1.1.8'
              pattern: '/var/log/audit'
        'Ubuntu-14.04':
          - '/etc/fstab':
              tag: 'CIS-2.8'
              pattern: '/var/log/audit'
      description: 'Create Separate Partition for /var/log/audit (Scored)'

    fstab_home_partition:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/fstab':
              tag: 'CIS-1.1.9'
              pattern: '/home'
        'CentOS Linux-7':
          - '/etc/fstab':
              tag: 'CIS-1.1.9'
              pattern: '/home'
        'Ubuntu-14.04':
          - '/etc/fstab':
              tag: 'CIS-2.9'
              pattern: '/home'
      description: 'Create Separate Partition for /home (Scored)'

    fstab_home_partition_nodev:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/fstab':
              tag: 'CIS-1.1.10'
              pattern: '/home'
              match_output: 'nodev'
        'CentOS Linux-7':
          - '/etc/fstab':
              tag: 'CIS-1.1.10'
              pattern: '/home'
              match_output: 'nodev'
        'Ubuntu-14.04':
          - '/etc/fstab':
              tag: 'CIS-2.10'
              pattern: '/home'
              match_output: 'nodev'
      description: 'Add nodev Option to /home (Scored)'

    fstab_dev_shm_partition_nodev:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/fstab':
              tag: 'CIS-1.1.14'
              pattern: '/dev/shm'
              match_output: 'nodev'
        'CentOS Linux-7':
          - '/etc/fstab':
              tag: 'CIS-1.1.14'
              pattern: '/dev/shm'
              match_output: 'nodev'
        'Ubuntu-14.04':
          - '/etc/fstab':
              tag: 'CIS-2.14'
              pattern: '/dev/shm'
              match_output: 'nodev'
      description: 'Add nodev Option to /dev/shm Partition (Scored)'

    fstab_dev_shm_partition_nosuid:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/fstab':
              tag: 'CIS-1.1.15'
              pattern: '/dev/shm'
              match_output: 'nosuid'
        'CentOS Linux-7':
          - '/etc/fstab':
              tag: 'CIS-1.1.15'
              pattern: '/dev/shm'
              match_output: 'nosuid'
        'Ubuntu-14.04':
          - '/etc/fstab':
              tag: 'CIS-2.15'
              pattern: '/dev/shm'
              match_output: 'nosuid'
      description: 'Add nosuid Option to /dev/shm Partition (Scored)'

    fstab_dev_shm_partition_noexec:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/fstab':
              tag: 'CIS-1.1.16'
              pattern: '/dev/shm'
              match_output: 'noexec'
        'CentOS Linux-7':
          - '/etc/fstab':
              tag: 'CIS-1.1.16'
              pattern: '/dev/shm'
              match_output: 'noexec'
        'Ubuntu-14.04':
          - '/etc/fstab':
              tag: 'CIS-2.16'
              pattern: '/dev/shm'
              match_output: 'noexec'
      description: 'Add noexec Option to /dev/shm Partition (Scored)'

    activate_gpg_check:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/yum.conf':
              tag: 'CIS-1.2.3'
              pattern: 'gpgcheck'
              match_output: 'gpgcheck=1'
        'CentOS Linux-7':
          - '/etc/yum.conf':
              tag: 'CIS-1.2.2'
              pattern: 'gpgcheck'
              match_output: 'gpgcheck=1'
      description: 'Verify that gpgcheck is Globally Activated (Scored)'

    boot_loader_passwd:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/grub.conf':
              tag: 'CIS-1.5.3'
              pattern: '^password'
        'CentOS Linux-7':
          - '/boot/grub2/grub.cfg':
              tag: 'CIS-1.5.3'
              pattern: '^password'
      description: 'Set Boot Loader Password (Scored)'

    restrict_core_dumps:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/security/limits.conf':
              tag: 'CIS-1.6.1'
              pattern: 'hard core'
        'CentOS Linux-7':
          - '/etc/security/limits.conf':
              tag: 'CIS-1.6.1'
              pattern: 'hard core'
      description: 'Restrict Core Dumps (Scored)'

    set_daemon_umask:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/sysconfig/init':
              tag: 'CIS-3.1'
              pattern: 'umask'
              match_output: 'umask 027'
        'CentOS Linux-7':
          - '/etc/sysconfig/init':
              tag: 'CIS-3.1'
              pattern: 'umask'
              match_output: 'umask 027'
      description: 'Set Daemon umask (Scored)'

    configure_ntp:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/ntp.conf':
              tag: 'CIS-3.6'
              pattern: 'restrict default'
          - '/etc/ntp.conf':
              tag: 'CIS-3.6'
              pattern: 'restrict -6 default'
        'CentOS Linux-7':
          - '/etc/ntp.conf':
              tag: 'CIS-3.6'
              pattern: 'restrict default'
          - '/etc/ntp.conf':
              tag: 'CIS-3.6'
              pattern: 'restrict -6 default'
      description: 'Configure Network Time Protocol (NTP) (Scored)'

    rsyslog_remote_logging:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/rsyslog.conf':
              tag: 'CIS-5.1.5'
              pattern: "^ *.*[^I][^I]*@"
        'CentOS Linux-7':
          - '/etc/rsyslog.conf':
              tag: 'CIS-5.1.5'
              pattern: "^ *.*[^I][^I]*@"
      description: 'Configure rsyslog to Send Logs to a Remote Log Host (Scored)'

    sshd_protocol_2:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.1'
              pattern: "^Protocol"
              match_output: 'Protocol 2'
        'CentOS Linux-7':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.1'
              pattern: "^Protocol"
              match_output: 'Protocol 2'
      description: 'Set SSH Protocol to 2 (Scored)'

    sshd_loglevel_info:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.2'
              pattern: "^LogLevel"
              match_output: 'LogLevel INFO'
        'CentOS Linux-7':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.2'
              pattern: "^LogLevel"
              match_output: 'LogLevel INFO'
      description: 'Set LogLevel to INFO (Scored)'

    sshd_x11_forwarding:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.4'
              pattern: "^X11Forwarding"
              match_output: 'X11Forwarding no'
        'CentOS Linux-7':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.4'
              pattern: "^X11Forwarding"
              match_output: 'X11Forwarding no'
      description: 'Disable SSH X11 Forwarding (Scored)'

    sshd_max_auth_retries:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.5'
              pattern: "^MaxAuthTries"
              match_output: "MaxAuthTries 4"
        'CentOS Linux-7':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.5'
              pattern: "^MaxAuthTries"
              match_output: "MaxAuthTries 4"
      description: 'Set SSH MaxAuthTries to 4 or Less (Scored)'

    sshd_ignore_rhosts:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.6'
              pattern: "^IgnoreRhosts"
              match_output: "IgnoreRhosts yes"
        'CentOS Linux-7':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.6'
              pattern: "^IgnoreRhosts"
              match_output: "IgnoreRhosts yes"
      description: 'Set SSH IgnoreRhosts to Yes (Scored)'

    sshd_hostbased_auth:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.7'
              pattern: "^HostbasedAuthentication"
              match_output: "HostbasedAuthentication no"
        'CentOS Linux-7':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.7'
              pattern: "^HostbasedAuthentication"
              match_output: "HostbasedAuthentication no"
      description: 'Set SSH HostbasedAuthentication to No (Scored)'

    sshd_disable_root_login:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.8'
              pattern: "^PermitRootLogin"
              match_output: "PermitRootLogin no"
        'CentOS Linux-7':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.8'
              pattern: "^PermitRootLogin"
              match_output: "PermitRootLogin no"
      description: 'Disable SSH Root Login (Scored)'

    sshd_permit_empty_passwords:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.9'
              pattern: "^PermitEmptyPasswords"
              match_output: "PermitEmptyPasswords no"
        'CentOS Linux-7':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.9'
              pattern: "^PermitEmptyPasswords"
              match_output: "PermitEmptyPasswords no"
      description: 'Set SSH PermitEmptyPasswords to No (Scored)'

    sshd_permit_user_environment:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.10'
              pattern: "^PermitUserEnvironment"
              match_output: "PermitUserEnvironment no"
        'CentOS Linux-7':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.10'
              pattern: "^PermitUserEnvironment"
              match_output: "PermitUserEnvironment no"
      description: 'Do Not Allow Users to Set Environment Options (Scored)'

    sshd_approved_cipher:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.11'
              pattern: "Ciphers"
              match_output: "Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
        'CentOS Linux-7':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.11'
              pattern: "Ciphers"
              match_output: "Ciphers aes128-ctr,aes192-ctr,aes256-ctr"
      description: 'Use Only Approved Cipher in Counter Mode (Scored)'

    sshd_idle_timeout:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.12'
              pattern: "^ClientAliveInterval"
              match_output: "ClientAliveInterval 300"
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.12'
              pattern: "^ClientAliveCountMax"
              match_output: "ClientAliveCountMax 0"
        'CentOS Linux-7':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.12'
              pattern: "^ClientAliveInterval"
              match_output: "ClientAliveInterval 300"
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.12'
              pattern: "^ClientAliveCountMax"
              match_output: "ClientAliveCountMax 0"
      description: 'Set Idle Timeout Interval for User Login (Scored)'

    sshd_limit_access:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.13'
              pattern: "^AllowUsers"
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.13'
              pattern: "^AllowGroups"
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.13'
              pattern: "^DenyUsers"
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.13'
              pattern: "^DenyGroups"
        'CentOS Linux-7':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.13'
              pattern: "^AllowUsers"
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.13'
              pattern: "^AllowGroups"
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.13'
              pattern: "^DenyUsers"
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.13'
              pattern: "^DenyGroups"
      description: 'Limit Access via SSH (Scored)'

    sshd_banner:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.14'
              pattern: "^Banner"
        'CentOS Linux-7':
          - '/etc/ssh/sshd_config':
              tag: 'CIS-6.2.14'
              pattern: "^Banner"
      description: 'Set SSH Banner (Scored)'

    # NOTE: Need to update this entry to reflect your organization's password policy
    pam_cracklib_try_first_pass:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/pam.d/system-auth':
              tag: 'CIS-6.3.2'
              pattern: "pam_cracklib.so"
              match_output: "try_first_pass"  # allow retrieval from previous stacked PAM module
          - '/etc/pam.d/system-auth':
              tag: 'CIS-6.3.2'
              pattern: "pam_cracklib.so"
              match_output: "retry=3"         # number of tries before failure
          - '/etc/pam.d/system-auth':
              tag: 'CIS-6.3.2'
              pattern: "pam_cracklib.so"
              match_output: "minlen=14"       # minimum password length
          - '/etc/pam.d/system-auth':
              tag: 'CIS-6.3.2'
              pattern: "pam_cracklib.so"
              match_output: "dcredit=-1"      # must have at least 1 digit
          - '/etc/pam.d/system-auth':
              tag: 'CIS-6.3.2'
              pattern: "pam_cracklib.so"
              match_output: "ucredit=-1"      # must have at least 1 uppercase
          - '/etc/pam.d/system-auth':
              tag: 'CIS-6.3.2'
              pattern: "pam_cracklib.so"
              match_output: "ocredit=-1"      # must have at least 1 special char
          - '/etc/pam.d/system-auth':
              tag: 'CIS-6.3.2'
              pattern: "pam_cracklib.so"
              match_output: "lcredit=-1"      # must have at least 1 lowercase
      description: 'PAM cracklib policy (Scored)'

    # NOTE: Need to update this entry to reflect your organization's password policy
    limit_password_reuse:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/pam.d/system-auth':
              tag: 'CIS-6.3.4'
              pattern: "pam_unix.so"
              match_output: "remember=5"      # number of passwords to remember
        'CentOS Linux-7':
          - '/etc/pam.d/system-auth':
              tag: 'CIS-6.3.4'
              pattern: "pam_unix.so"
              match_output: "remember=5"      # number of passwords to remember
      description: 'PAM Password Reuse (Scored)'

    limit_su_command_access:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/pam.d/su':
              tag: 'CIS-6.5'
              pattern: "pam_wheel.so"
              match_output: "use_uid"         # test the real uid, not the login name
          - '/etc/group':
              tag: 'CIS-6.5'
              pattern: "wheel"
        'CentOS Linux-7':
          - '/etc/pam.d/su':
              tag: 'CIS-6.5'
              pattern: "pam_wheel.so"
              match_output: "use_uid"         # test the real uid, not the login name
          - '/etc/group':
              tag: 'CIS-6.5'
              pattern: "wheel"
      description: 'Limit su command access (Scored)'

    passwd_expiration_days:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/login.defs':
              tag: 'CIS-7.1.1'
              pattern: "PASS_MAX_DAYS"
              match_output: "90"
        'CentOS Linux-7':
          - '/etc/login.defs':
              tag: 'CIS-7.1.1'
              pattern: "PASS_MAX_DAYS"
              match_output: "90"
      description: 'Set Password Expiration Days (Scored)'

    passwd_change_min_days:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/login.defs':
              tag: 'CIS-7.1.2'
              pattern: "PASS_MIN_DAYS"
              match_output: "7"
        'CentOS Linux-7':
          - '/etc/login.defs':
              tag: 'CIS-7.1.2'
              pattern: "PASS_MIN_DAYS"
              match_output: "7"
      description: 'Set Password Change Minimum Number of Days (Scored)'

    passwd_expiry_warning:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/login.defs':
              tag: 'CIS-7.1.3'
              pattern: "PASS_WARN_AGE"
              match_output: "7"
        'CentOS Linux-7':
          - '/etc/login.defs':
              tag: 'CIS-7.1.3'
              pattern: "PASS_WARN_AGE"
              match_output: "7"
      description: 'Set Password Expiring Warning Days (Scored)'

    default_umask:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/bashrc':
              tag: 'CIS-7.4'
              pattern: "^umask 077"
          - '/etc/profile.d/*':
              tag: 'CIS-7.4'
              pattern: "^umask 077"
        'CentOS Linux-7':
          - '/etc/bashrc':
              tag: 'CIS-7.4'
              pattern: "^umask 077"
          - '/etc/profile.d/*':
              tag: 'CIS-7.4'
              pattern: "^umask 077"
      description: 'Set Default umask for Users (Scored)'

  blacklist:
    legacy_passwd_entries_passwd:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/passwd':
              tag: 'CIS-9.2.2'
              pattern: "^+:"
        'CentOS Linux-7':
          - '/etc/passwd':
              tag: 'CIS-9.2.2'
              pattern: "^+:"
      description: 'Verify No Legacy "+" Entries Exist in /etc/passwd (Scored)'

    legacy_passwd_entries_shadow:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/shadow':
              tag: 'CIS-9.2.3'
              pattern: "^+:"
        'CentOS Linux-7':
          - '/etc/shadow':
              tag: 'CIS-9.2.3'
              pattern: "^+:"
      description: 'Verify No Legacy "+" Entries Exist in /etc/shadow (Scored)'

    legacy_passwd_entries_group:
      data:
        'Red Hat Enterprise Linux Server-6':
          - '/etc/group':
              tag: 'CIS-9.2.4'
              pattern: "^+:"
        'CentOS Linux-7':
          - '/etc/group':
              tag: 'CIS-9.2.4'
              pattern: "^+:"
      description: 'Verify No Legacy "+" Entries Exist in /etc/group (Scored)'

sysctl:
  restrict_suid_core_dumps:
    data:
      'Red Hat Enterprise Linux Server-6':
        - 'fs.suid_dumpable':
            tag: 'CIS-1.6.1'
            match_output: '0'
    description: 'Restrict SUID Core Dumps (Scored)'

  exec_shield:
    data:
      'Red Hat Enterprise Linux Server-6':
        - 'kernel.exec-shield':
            tag: 'CIS-1.6.2'
            match_output: '1'
    description: 'Configure ExecShield (Scored)'

  randomize_va_space:
    data:
      'Red Hat Enterprise Linux Server-6':
        - 'kernel.randomize_va_space':
            tag: 'CIS-1.6.3'
            match_output: '2'
      'CentOS Linux-7':
        - 'kernel.randomize_va_space':
            tag: 'CIS-1.6.2'
            match_output: '2'
    description: 'Enable Randomized Virtual Memory Region Placement (Scored)'

  ip_forwarding:
    data:
      'Red Hat Enterprise Linux Server-6':
        - 'net.ipv4.ip_forward':
            tag: 'CIS-4.1.1'
            match_output: '0'
      'CentOS Linux-7':
        - 'net.ipv4.ip_forward':
            tag: 'CIS-4.1.1'
            match_output: '0'
    description: 'Disable IP Forwarding (Scored)'

  send_packet_redirect:
    data:
      'Red Hat Enterprise Linux Server-6':
        - 'net.ipv4.conf.all.send_redirects':
            tag: 'CIS-4.1.2'
            match_output: '0'
        - 'net.ipv4.conf.default.send_redirects':
            tag: 'CIS-4.1.2'
            match_output: '0'
      'CentOS Linux-7':
        - 'net.ipv4.conf.all.send_redirects':
            tag: 'CIS-4.1.2'
            match_output: '0'
        - 'net.ipv4.conf.default.send_redirects':
            tag: 'CIS-4.1.2'
            match_output: '0'
    description: 'Disable Send Packet Redirect (Scored)'

  source_routed_packet_acceptance:
    data:
      'Red Hat Enterprise Linux Server-6':
        - 'net.ipv4.conf.all.accept_source_route':
            tag: 'CIS-4.2.1'
            match_output: '0'
        - 'net.ipv4.conf.default.accept_source_route':
            tag: 'CIS-4.2.1'
            match_output: '0'
      'CentOS Linux-7':
        - 'net.ipv4.conf.all.accept_source_route':
            tag: 'CIS-4.2.1'
            match_output: '0'
        - 'net.ipv4.conf.default.accept_source_route':
            tag: 'CIS-4.2.1'
1357 match_output:'0'
1358 description:'Disable Source Routed Packet Acceptance (Scored)'
1359
1360 icmp_redirect_acceptance:
1361 data:
1362 'Red Hat Enterprise Linux Server-6':
1363 -'net.ipv4.conf.all.accept_redirects':
1364 tag:'CIS-4.2.2'
1365 match_output:'0'
1366 -'net.ipv4.conf.default.accept_redirects':
1367 tag:'CIS-4.2.2'
1368 match_output:'0'
1369 'CentOS Linux-7':
1370 -'net.ipv4.conf.all.accept_redirects':
1371 tag:'CIS-4.2.2'
1372 match_output:'0'
1373 -'net.ipv4.conf.default.accept_redirects':
1374 tag:'CIS-4.2.2'
1375 match_output:'0'
1376 description:'Disable ICMP Redirect Acceptance (Scored)'
1377
1378 secure_icmp_redirect_acceptance:
1379 data:
1380 'Red Hat Enterprise Linux Server-6':
1381 -'net.ipv4.conf.all.secure_redirects':
1382 tag:'CIS-4.2.3'
1383 match_output:'0'
1384 -'net.ipv4.conf.default.secure_redirects':
1385 tag:'CIS-4.2.3'
1.4. Quasar 113 HubbleStack Documentation, Release 2016.7.1
1386 match_output:'0'
1387 'CentOS Linux-7':
1388 -'net.ipv4.conf.all.secure_redirects':
1389 tag:'CIS-4.2.3'
1390 match_output:'0'
1391 -'net.ipv4.conf.default.secure_redirects':
1392 tag:'CIS-4.2.3'
1393 match_output:'0'
1394 description:'Disable Secure ICMP Redirect Acceptance (Scored)'
1395
1396 log_suspicious_packets:
1397 data:
1398 'Red Hat Enterprise Linux Server-6':
1399 -'net.ipv4.conf.all.log_martians':
1400 tag:'CIS-4.2.4'
1401 match_output:'1'
1402 -'net.ipv4.conf.default.log_martians':
1403 tag:'CIS-4.2.4'
1404 match_output:'1'
1405 'CentOS Linux-7':
1406 -'net.ipv4.conf.all.log_martians':
1407 tag:'CIS-4.2.4'
1408 match_output:'1'
1409 -'net.ipv4.conf.default.log_martians':
1410 tag:'CIS-4.2.4'
1411 match_output:'1'
1412 description:'Log Suspicious Activity (Scored)'
1413
1414 ignore_broadcast_requests:
1415 data:
1416 'Red Hat Enterprise Linux Server-6':
1417 -'net.ipv4.icmp_echo_ignore_broadcasts':
1418 tag:'CIS-4.2.5'
1419 match_output:'1'
1420 'CentOS Linux-7':
1421 -'net.ipv4.icmp_echo_ignore_broadcasts':
1422 tag:'CIS-4.2.5'
1423 match_output:'1'
1424 description:'Enable Ignore Broadcast Requests (Scored)'
1425
1426 bad_error_message_protection:
1427 data:
1428 'Red Hat Enterprise Linux Server-6':
1429 -'net.ipv4.icmp_ignore_bogus_error_responses':
1430 tag:'CIS-4.2.6'
1431 match_output:'1'
1432 'CentOS Linux-7':
1433 -'net.ipv4.icmp_ignore_bogus_error_responses':
1434 tag:'CIS-4.2.6'
1435 match_output:'1'
1436 description:'Enable Bad Error Message Protection (Scored)'
1437
1438 tcp_syn_cookies:
1439 data:
1440 'Red Hat Enterprise Linux Server-6':
1441 -'net.ipv4.tcp_syncookies':
1442 tag:'CIS-4.2.8'
1443 match_output:'1'
114 Chapter 1. Components HubbleStack Documentation, Release 2016.7.1
1444 'CentOS Linux-7':
1445 -'net.ipv4.tcp_syncookies':
1446 tag:'CIS-4.2.8'
1447 match_output:'1'
1448 description:'Enable TCP SYN cookies (Scored)'
1449
1450 service:
1451 # Must be installed, no version checking (yet)
1452 whitelist:
1453 iptables_running: # best practice to verify the process is running
1454 data:
1455 'Red Hat Enterprise Linux Server-6':
1456 -'iptables':'CIS-4.7_running'
1457 description:'rsyslogd should be running'
1458
1459 rsyslogd_running: # best practice to verify the process is running
1460 data:
1461 'Red Hat Enterprise Linux Server-6':
1462 -'rsyslogd':'CIS-5.1.2_running'
1463 description:'rsyslogd should be running'
1464
1465 auditd_running: # best practice to verify the process is running
1466 data:
1467 'Red Hat Enterprise Linux Server-6':
1468 -'auditd':'CIS-5.2_running'
1469 description:'auditd should be running'
1470
1471 anacron_running: # best practice to verify the process is running
1472 data:
1473 'Red Hat Enterprise Linux Server-6':
1474 -'cronie-anacron':'CIS-6.1.1_running'
1475 description:'anacron should be running'
1476
1477 crond_running: # best practice to verify the process is running
1478 data:
1479 'Red Hat Enterprise Linux Server-6':
1480 -'crond':'CIS-6.1.2_running'
1481 description:'crond should be running'
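The profile above mixes three check kinds (grep whitelist/blacklist, sysctl, service), each keyed by the minion's osfinger grain. The following is an added example, not Nova's own module: a minimal evaluator for that structure run against a constructed host, assuming, as the pattern ^+: implies, that grep patterns are grep(1) basic regular expressions (which Python's re would reject as written) and that match_output is a substring test on the matching line.

```python
import re

# Constructed Nova profile fragment mirroring the YAML above, loaded as Python
# structures so the example needs no YAML library (example data, not Hubble's).
PROFILE = {
    "grep": {
        "whitelist": {"password_warn_age": {
            "data": {"CentOS Linux-7": [{"/etc/login.defs": {
                "tag": "CIS-7.1.3", "pattern": "PASS_WARN_AGE", "match_output": "7"}}]},
            "description": "Set Password Expiring Warning Days (Scored)"}},
        "blacklist": {"legacy_passwd_entries_passwd": {
            "data": {"CentOS Linux-7": [{"/etc/passwd": {
                "tag": "CIS-9.2.2", "pattern": "^+:"}}]},
            "description": 'Verify No Legacy "+" Entries Exist in /etc/passwd (Scored)'}}},
    "sysctl": {
        "ip_forwarding": {
            "data": {"CentOS Linux-7": [{"net.ipv4.ip_forward": {
                "tag": "CIS-4.1.1", "match_output": "0"}}]},
            "description": "Disable IP Forwarding (Scored)"},
        "send_packet_redirect": {
            "data": {"CentOS Linux-7": [
                {"net.ipv4.conf.all.send_redirects": {"tag": "CIS-4.1.2", "match_output": "0"}},
                {"net.ipv4.conf.default.send_redirects": {"tag": "CIS-4.1.2", "match_output": "0"}}]},
            "description": "Disable Send Packet Redirect (Scored)"}},
    "service": {"whitelist": {"auditd_running": {
        "data": {"CentOS Linux-7": [{"auditd": "CIS-5.2_running"}]},
        "description": "auditd should be running"}}},
}

# Constructed stand-in for one minion: file contents, sysctl values and running
# services. A real run would read these from the system.
HOST = {
    "files": {"/etc/login.defs": ["PASS_MAX_DAYS   90", "PASS_WARN_AGE   7"],
              "/etc/passwd": ["root:x:0:0:root:/root:/bin/bash", "+::::::"]},
    "sysctl": {"net.ipv4.ip_forward": "1",
               "net.ipv4.conf.all.send_redirects": "0",
               "net.ipv4.conf.default.send_redirects": "0"},
    "running": {"auditd", "crond"},
}

def bre_to_python(pattern):
    """Translate a POSIX basic regular expression (grep(1) without -E) into
    Python re syntax. In a BRE the characters + ? | ( ) { } are literal unless
    backslash-escaped, the reverse of Python, so the page's "^+:" means a line
    starting with "+:" and would be rejected by re.compile as written."""
    specials = set("+?|(){}")
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in specials:
            out.append(pattern[i + 1])  # "\+" in a BRE is the repetition operator
            i += 2
            continue
        out.append("\\" + ch if ch in specials else ch)
        i += 1
    return "".join(out)

def grep_check(lines, spec, blacklist):
    """whitelist: pattern must match some line (and, if match_output is set, a
    matching line must contain it); blacklist: pattern must match no line.
    Caveat: the substring test means match_output "7" also accepts "PASS_WARN_AGE 17"."""
    rx = re.compile(bre_to_python(spec["pattern"]))
    hits = [line for line in lines if rx.search(line)]
    if blacklist:
        return not hits
    if "match_output" in spec:
        return any(spec["match_output"] in hit for hit in hits)
    return bool(hits)

def _record(results, name, ok, tag, desc):
    """A check with several entries passes only if every entry passes."""
    prev_ok = results[name][0] if name in results else True
    results[name] = (prev_ok and ok, tag, desc)

def evaluate(profile, osfinger, host):
    """Run every check carrying data for this osfinger grain value.
    Returns {check_name: (passed, tag, description)}."""
    results = {}
    for listname, blacklist in (("whitelist", False), ("blacklist", True)):
        for name, check in profile.get("grep", {}).get(listname, {}).items():
            for entry in check["data"].get(osfinger, []):
                (path, spec), = entry.items()
                ok = grep_check(host["files"].get(path, []), spec, blacklist)
                _record(results, name, ok, spec["tag"], check["description"])
    for name, check in profile.get("sysctl", {}).items():
        for entry in check["data"].get(osfinger, []):
            (key, spec), = entry.items()
            ok = host["sysctl"].get(key) == spec["match_output"]
            _record(results, name, ok, spec["tag"], check["description"])
    for name, check in profile.get("service", {}).get("whitelist", {}).items():
        for entry in check["data"].get(osfinger, []):
            (svc, tag), = entry.items()
            _record(results, name, svc in host["running"], tag, check["description"])
    return results

def failures(results):
    """Sorted names of failed checks, the list an auditor acts on."""
    return sorted(name for name, (ok, _, _) in results.items() if not ok)

if __name__ == "__main__":
    res = evaluate(PROFILE, "CentOS Linux-7", HOST)
    for name, (ok, tag, desc) in sorted(res.items()):
        print(f"{'PASS' if ok else 'FAIL'} {tag:<10} {name}: {desc}")
```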
vulners.com (cve.scan-v2 example)
This example pulls directly from vulners.com:

    cve_scan_v2:
      ttl: 86400
      url: "http://vulners.com"
      # control:
      #   score: 4

Tip: When the url is vulners.com, this module will automatically determine the distribution and version and query the API accordingly.
YAML
1. ttl - how long, in seconds, should we cache the CVE data. (default: 24hrs)
2. url - an http://, https:// or salt:// URL where the required CVE data can be found.
3. control - (optional) limit the CVE score reported as Failure.
4. score - (optional) severity score between 1-10.
vulners.com (cve.scan-v2-salt example)
This example pulls from the salt:// fileserver.

    cve_scan_v2:
      ttl: 86400
      url: "salt://hubblestack_nova/centos_7.json"
See also: Nova utility - utils/cve_store
Tip: When the url is NOT vulners.com, this module will simply fetch the URI defined. No auto-detection is done.
If you need to support multiple distributions you’ll need to create a unique profile for each distribution and target accordingly in the top.nova.
Utilities
utils/check_yaml.py
A simple utility to validate YAML syntax in Nova profiles. This utility script is available in the HubbleStack Nova repository under the utils/ directory.
python ./check_yaml.py
utils/update_tags.py
This script does four things: 1. Updates tags in yaml profile to match the cis standards, saved at
utils/cve_store.py
maintainer HubbleStack / jaredhanson11
maturity 2016.7.0
platform All
requires SaltStack, HubbleStack Nova
source https://github.com/HubbleStack/Nova/blob/develop/utils/cve_store.py

This python script will query the https://vulners.com API for the required CVE data related to the given operating system. Data is returned in a valid JSON format, which can be served via salt://.
Usage
The cve_store.py utility takes a space-delimited list of distro-version:

    python ./cve_store.py centos-7 ubuntu-16.04 debian-8
The JSON files will be downloaded and stored in the current working directory using the naming syntax:
Nebula
Introduction
Nebula is Hubble’s Insight system, which ties into osquery, allowing you to query your infrastructure as if it were a database. This system can be used to take scheduled snapshots of your systems.
Two different installation methods are outlined below. The first method is more stable (and therefore recommended). This method uses Salt’s package manager to track versioned, packaged updates to Hubble’s components. The second method installs directly from git. It should be considered bleeding edge and possibly unstable.
Note: Currently only supported on Linux, on SaltStack 2015.8 and above. You can actually sync the osquery execution module from a newer version of salt to 2015.5 minions and it seems to work without issue. Officially, just upgrade to 2015.8.
See also: Nebula has a hard dependency on the osqueryi binary. See install requirements here https://osquery.io/downloads/
Installation
Each of the four HubbleStack components has been packaged for use with Salt's Package Manager (SPM). Note that all SPM installation commands should be done on the Salt Master.
Required Configuration
Salt's Package Manager (SPM) installs files into /srv/spm/{salt,pillar}. Ensure that this path is defined in your Salt Master's file_roots:

    file_roots:
      - /srv/salt
      - /srv/spm/salt
Note: This should be the default value. To verify run: salt-call config.get file_roots
Tip: Remember to restart the Salt Master after making this change to the configuration.
Installation (Packages)
Installation is as easy as downloading and installing a package. (Note: in future releases you’ll be able to subscribe directly to our HubbleStack SPM repo for updates and bugfixes!)
    wget https://spm.hubblestack.io/nebula/hubblestack_nebula-2016.10.2-1.spm
    spm local install hubblestack_nebula-2016.10.2-1.spm
You should now be able to sync the new modules to your minion(s) using the sync_modules Salt utility:
    salt \* saltutil.sync_modules
Once these modules are synced you are ready to schedule HubbleStack Nebula queries. Skip to Usage
Installation (Manual)
Place _modules/nebula_osquery.py into your salt/_modules/ directory, and sync it to the minions.
    git clone https://github.com/hubblestack/nebula.git hubblestack-nebula.git
    cd hubblestack-nebula.git
    mkdir -p /srv/salt/_modules/
    cp _modules/nebula_osquery.py /srv/salt/_modules/
    mkdir /srv/salt/hubblestack_nebula
    cp hubblestack_nebula/hubblestack_nebula_queries.yaml /srv/salt/hubblestack_nebula
    salt \* saltutil.sync_modules
Once these modules are synced you are ready to schedule HubbleStack Nebula queries.
Installation (GitFS)
This installation method subscribes directly to our GitHub repository, pinning to a tag or branch. This method requires no package installation or manual checkouts. Requirements: GitFS support on your Salt Master.
/etc/salt/master.d/hubblestack-nebula.conf

    gitfs_remotes:
      - https://github.com/hubblestack/nebula:
        - base: v2016.10.2
Tip: Remember to restart the Salt Master after applying this change.
Usage
These queries have been designed to give detailed insight into system activity.
hubblestack_nebula/hubblestack_nebula_queries.yaml

    fifteen_min:
      - query_name: running_procs
        query: SELECT p.name AS process, p.pid AS process_id, p.cmdline, p.cwd, p.on_disk, p.resident_size AS mem_used, p.parent, g.groupname, u.username AS user, p.path, h.md5, h.sha1, h.sha256 FROM processes AS p LEFT JOIN users AS u ON p.uid=u.uid LEFT JOIN groups AS g ON p.gid=g.gid LEFT JOIN hash AS h ON p.path=h.path;
      - query_name: established_outbound
        query: SELECT t.iso_8601 AS _time, pos.family, h.*, ltrim(pos.local_address, ':f') AS src, pos.local_port AS src_port, pos.remote_port AS dest_port, ltrim(remote_address, ':f') AS dest, name, p.path AS file_path, cmdline, pos.protocol, lp.protocol FROM process_open_sockets AS pos JOIN processes AS p ON p.pid=pos.pid LEFT JOIN time AS t LEFT JOIN (SELECT * FROM listening_ports) AS lp ON lp.port=pos.local_port AND lp.protocol=pos.protocol LEFT JOIN hash AS h ON h.path=p.path WHERE NOT remote_address='' AND NOT remote_address='::' AND NOT remote_address='0.0.0.0' AND NOT remote_address='127.0.0.1' AND port is NULL;
      - query_name: listening_procs
        query: SELECT t.iso_8601 AS _time, h.md5 AS md5, p.pid, name, ltrim(address, ':f') AS address, port, p.path AS file_path, cmdline, root, parent FROM listening_ports AS lp LEFT JOIN processes AS p ON lp.pid=p.pid LEFT JOIN time AS t LEFT JOIN hash AS h ON h.path=p.path WHERE NOT address='127.0.0.1';
      - query_name: suid_binaries
        query: SELECT sb.*, t.iso_8601 AS _time FROM suid_bin AS sb JOIN time AS t;
    hour:
      - query_name: crontab
        query: SELECT c.*,t.iso_8601 AS _time FROM crontab AS c JOIN time AS t;
    day:
      - query_name: rpm_packages
        query: SELECT rpm.name, rpm.version, rpm.release, rpm.source AS package_source, rpm.size, rpm.sha1, rpm.arch, t.iso_8601 FROM rpm_packages AS rpm JOIN time AS t;
Schedule
Nebula is meant to be run on a schedule. Unfortunately, in its present state, the Salt scheduler has a memory leak. Pending a solution we're suggesting the use of cron for the scheduled jobs:
/etc/cron.d/hubble

    MAILTO=""
    SHELL=/bin/bash
    */15 * * * * root /usr/bin/salt '*' nebula.queries fifteen_min --return splunk_nebula_return
    @hourly root /usr/bin/salt '*' nebula.queries hour --return splunk_nebula_return
    @daily root /usr/bin/salt '*' nebula.queries day --return splunk_nebula_return
Configuration
The only configuration required to use Nebula is to incorporate the Queries and the Schedule into your minion config or pillar (pillar recommended). See the Usage section above for more information.
Under the Hood
Nebula leverages the osquery_nebula execution module, which needs to be synced to each minion. In addition, this also requires the osquery binary to be installed. More information about osquery can be found at https://osquery.io.
Note: osqueryd does not need to be running, as we handle the scheduled queries via Salt’s scheduler.
Development
Development for Nebula features is either incorporated into upstream osquery, or comes in the form of additional queries that leverage existing features. If you’d like to contribute queries or schedules, please see the section below.
Contribute
If you are interested in contributing or offering feedback to this project feel free to submit an issue or a pull request. We’re very open to community contribution.
Modules
Query Modules
osquery
maintainer HubbleStack
maturity 2016.7.0
platform Unix
requires SaltStack, HubbleStack Nebula, osquery
source https://github.com/HubbleStack/Nebula/blob/master/_modules/nebula_osquery.py

This module leverages the data made available via osquery in order to generate security snapshots of your systems. These snapshots are generally run on a schedule, with the data being gathered centrally using one of the Quasar returners.
Queries
This module requires pillar data to function. The default pillar key for this data is nebula_osquery. The queries themselves should be grouped under one or more group identifiers. Usually, these identifiers will be frequencies, such as fifteen_min or hourly or daily. The module targets the queries using these identifiers. Your pillar data might look like this:
hubble_nebula.sls

    nebula_osquery:
      fifteen_min:
        - query_name: running_procs
          query: select p.name as process, p.pid as process_id, p.cmdline, p.cwd, p.on_disk, p.resident_size as mem_used, p.parent, g.groupname, u.username as user, p.path, h.md5, h.sha1, h.sha256 from processes as p left join users as u on p.uid=u.uid left join groups as g on p.gid=g.gid left join hash as h on p.path=h.path;
        - query_name: established_outbound
          query: select t.iso_8601 as _time, pos.family, h.*, ltrim(pos.local_address, ':f') as src, pos.local_port as src_port, pos.remote_port as dest_port, ltrim(remote_address, ':f') as dest, name, p.path as file_path, cmdline, pos.protocol, lp.protocol from process_open_sockets as pos join processes as p on p.pid=pos.pid left join time as t LEFT JOIN listening_ports as lp on lp.port=pos.local_port AND lp.protocol=pos.protocol LEFT JOIN hash as h on h.path=p.path where not remote_address='' and not remote_address='::' and not remote_address='0.0.0.0' and not remote_address='127.0.0.1' and port is NULL;
        - query_name: listening_procs
          query: select t.iso_8601 as _time, h.md5 as md5, p.pid, name, ltrim(address, ':f') as address, port, p.path as file_path, cmdline, root, parent from listening_ports as lp JOIN processes as p on lp.pid=p.pid left JOIN time as t JOIN hash as h on h.path=p.path WHERE not address='127.0.0.1';
        - query_name: suid_binaries
          query: select sb.*, t.iso_8601 as _time from suid_bin as sb join time as t;
      hour:
        - query_name: crontab
          query: select c.*,t.iso_8601 as _time from crontab as c join time as t;
      day:
        - query_name: rpm_packages
          query: select rpm.*, t.iso_8601 from rpm_packages as rpm join time as t;
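osquery's SQL dialect is SQLite, so the established_outbound query (shown both in hubblestack_nebula_queries.yaml under Usage and in the pillar above) can be exercised offline against constructed tables. This is an added example, not Nebula's code: it takes the query verbatim from hubblestack_nebula_queries.yaml, reduces each osquery table to the columns the query touches, and loads a constructed snapshot in which only one socket should survive the filters.

```python
import sqlite3

# The established_outbound query exactly as written in hubblestack_nebula_queries.yaml.
ESTABLISHED_OUTBOUND = (
    "SELECT t.iso_8601 AS _time, pos.family, h.*, ltrim(pos.local_address, ':f') AS src, "
    "pos.local_port AS src_port, pos.remote_port AS dest_port, "
    "ltrim(remote_address, ':f') AS dest, name, p.path AS file_path, cmdline, "
    "pos.protocol, lp.protocol FROM process_open_sockets AS pos "
    "JOIN processes AS p ON p.pid=pos.pid LEFT JOIN time AS t "
    "LEFT JOIN (SELECT * FROM listening_ports) AS lp "
    "ON lp.port=pos.local_port AND lp.protocol=pos.protocol "
    "LEFT JOIN hash AS h ON h.path=p.path "
    "WHERE NOT remote_address='' AND NOT remote_address='::' "
    "AND NOT remote_address='0.0.0.0' AND NOT remote_address='127.0.0.1' "
    "AND port is NULL;"
)

# Reduced stand-ins for osquery's virtual tables: only the columns the query uses.
SCHEMA = """
CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, cmdline TEXT);
CREATE TABLE process_open_sockets (pid INTEGER, family INTEGER, protocol INTEGER,
    local_address TEXT, remote_address TEXT, local_port INTEGER, remote_port INTEGER);
CREATE TABLE listening_ports (pid INTEGER, port INTEGER, protocol INTEGER, address TEXT);
CREATE TABLE hash (path TEXT, md5 TEXT, sha1 TEXT, sha256 TEXT);
CREATE TABLE "time" (iso_8601 TEXT);
"""

# Constructed snapshot of one host. Addresses come from documentation ranges and
# the hash values are placeholders, not real digests.
SNAPSHOT = {
    "processes": [
        (100, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
        (200, "curl", "/usr/bin/curl", "curl https://updates.example.net/feed"),
        (300, "nginx", "/usr/sbin/nginx", "nginx: master process"),
    ],
    "process_open_sockets": [
        # pid, family, protocol, local_address, remote_address, local_port, remote_port
        (100, 2, 6, "10.0.0.5", "203.0.113.9", 22, 51515),  # accepted inbound SSH
        (200, 10, 6, "::ffff:10.0.0.5", "::ffff:198.51.100.7", 43210, 443),  # outbound, v4-mapped
        (300, 2, 6, "0.0.0.0", "", 80, 0),  # listening socket, no peer
        (200, 2, 17, "10.0.0.5", "127.0.0.1", 5353, 53),  # loopback DNS lookup
    ],
    "listening_ports": [(100, 22, 6, "0.0.0.0"), (300, 80, 6, "0.0.0.0")],
    "hash": [("/usr/bin/curl", "md5-constructed", "sha1-constructed", "sha256-constructed")],
    "time": [("2016-11-10T12:00:00Z",)],
}


def build_snapshot_db(snapshot=SNAPSHOT):
    """Load the constructed snapshot into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in snapshot.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f'INSERT INTO "{table}" VALUES ({marks})', rows)
    return conn


def run_query(conn, sql):
    """Run one Nebula query and return its rows as dicts keyed by column name."""
    cur = conn.execute(sql)
    names = [col[0] for col in cur.description]
    return [dict(zip(names, row)) for row in cur.fetchall()]


def established_outbound(snapshot=SNAPSHOT):
    """Only the curl connection survives: the inbound SSH socket is dropped by
    'port is NULL' (its local port is also a listening port), the nginx socket
    has no peer, and the DNS lookup goes to 127.0.0.1. ltrim(..., ':f') strips
    the IPv4-mapped '::ffff:' prefix from the surviving addresses."""
    return run_query(build_snapshot_db(snapshot), ESTABLISHED_OUTBOUND)


if __name__ == "__main__":
    for row in established_outbound():
        print(f"{row['_time']} {row['name']} {row['src']}:{row['src_port']} -> "
              f"{row['dest']}:{row['dest_port']} sha256={row['sha256']}")
```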
Schedule
The Nebula osquery module is designed to be used on a schedule. Here is a set of sample schedules for use with the sample pillar data contained in this repo:
hubble_nebula.sls (cont.)

    schedule:
      nebula_fifteen_min:
        function: nebula.queries
        seconds: 900
        args:
          - fifteen_min
      nebula_hour:
        function: nebula.queries
        seconds: 3600
        args:
          - hour
      nebula_day:
        function: nebula.queries
        seconds: 86400
        args:
          - day
Note: osqueryd does not need to be running, as we handle the scheduled queries via Salt’s scheduler.
Usage
Nebula query data is best tracked in a central logging or similar system. However, if you would like to run the queries manually you can call the nebula execution module.
query_group
    Group of queries to run
verbose
    Defaults to False. If set to True, more information (such as the query which was run) will be included in the result.
pillar_key
    Defaults to 'nebula_osquery'. This is the key in pillar which will be inspected for Nebula osquery data.
Examples:

    salt '*' nebula.queries day
    salt '*' nebula.queries hour verbose=True
    salt '*' nebula.queries fifteen_min pillar_key=sec_osqueries
Pulsar
Note: After syncing a new version of a beacon to salt, the salt-minion must be restarted to pick up the change. See https://github.com/saltstack/salt/issues/35960 for more info
Introduction
Is your infrastructure immutable? Are you sure? Pulsar is designed to monitor for file system events, acting as a real-time File Integrity Monitoring (FIM) agent. Pulsar is composed of a custom Salt beacon that watches for these events and hooks into the returner system for alerting and reporting. In other words, you can receive real-time alerts for unscheduled file system modifications anywhere you want to receive them. We've designed Pulsar to be lightweight and not dependent on a Salt Master. It simply watches for events and directly sends them to one of the Pulsar returner destinations (see the Quasar repository for more on these). Two different installation methods are outlined below. The first method is more stable (and therefore recommended). This method uses Salt's package manager to track versioned, packaged updates to Hubble's components. The second method installs directly from git. It should be considered bleeding edge and possibly unstable.
Installation
Each of the four HubbleStack components has been packaged for use with Salt's Package Manager (SPM). Note that all SPM installation commands should be done on the Salt Master.
Required Configuration
Salt’s Package Manager (SPM) installs files into /srv/spm/{salt,pillar}. Ensure that this path is defined in your Salt Master’s file_roots:
    file_roots:
      - /srv/salt
      - /srv/spm/salt
Note: This should be the default value. To verify, run: salt-call config.get file_roots
Tip: Remember to restart the Salt Master after making any change to the configuration.
Required Packages
There is a hard requirement on the pyinotify Python library for each minion that will run the Pulsar FIM beacon.
Red Hat / CentOS
    salt \* pkg.install python-inotify
Debian / Ubuntu

    salt \* pkg.install python-pyinotify
Installation (Packages)
Installation is as easy as downloading and installing a package. (Note: in future releases you'll be able to subscribe directly to our HubbleStack SPM repo for updates and bugfixes!)

    wget http://spm.hubblestack.io/pulsar/hubblestack_pulsar-2016.10.3-1.spm
    spm local install hubblestack_pulsar-2016.10.3-1.spm

You should now be able to sync the new beacon to your minion(s) using the sync_beacons Salt utility:

    salt \* saltutil.sync_beacons

Copy the pillar.example into your Salt pillar, renaming it as desired (perhaps hubblestack_pulsar.sls) and target it to selected minions.

    base:
      '*':
        - hubblestack_pulsar

    salt \* saltutil.refresh_pillar
Once these modules are synced you are ready to begin running the Pulsar beacon. Skip to Usage.
Installation (Manual)
Place _beacons/pulsar.py into your _beacons/ directory, and sync it to the minions.

    git clone https://github.com/hubblestack/pulsar.git hubblestack-pulsar.git
    cd hubblestack-pulsar.git
    mkdir -p /srv/salt/_beacons/
    cp _beacons/pulsar.py /srv/salt/_beacons/
    mkdir /srv/salt/hubblestack_pulsar
    cp hubblestack_pulsar/hubblestack_pulsar_config.yaml /srv/salt/hubblestack_pulsar
    cp hubblestack_pulsar/pillar.example /srv/pillar/hubblestack_pulsar.sls
    salt \* saltutil.sync_beacons

Target the copied hubblestack_pulsar.sls to selected minions.

    base:
      '*':
        - hubblestack_pulsar

    salt \* saltutil.refresh_pillar
Installation (GitFS)
This installation method subscribes directly to our GitHub repository, pinning to a tag or branch. This method requires no package installation or manual checkouts. Requirements: GitFS support on your Salt Master.
/etc/salt/master.d/hubblestack-pulsar.conf

    gitfs_remotes:
      - https://github.com/hubblestack/pulsar:
        - base: v2016.10.3
Tip: Remember to restart the Salt Master after applying this change.
Usage
Once Pulsar is fully running there isn’t anything you need to do to interact with it. It simply runs quietly in the background and sends you alerts.
Configuration
The default Pulsar configuration (found in
    beacons:
      pulsar:
        paths:
          - /var/cache/salt/minion/files/base/hubblestack_pulsar/hubblestack_pulsar_config.yaml

    schedule:
      cache_pulsar:
        function: cp.cache_file
        seconds: 86400
        args:
          - salt://hubblestack_pulsar/hubblestack_pulsar_config.yaml
        return_job: False
** hubblestack_pulsar_config **
    /etc: { recurse: True, auto_add: True}
    /bin: { recurse: True, auto_add: True}
    /sbin: { recurse: True, auto_add: True}
    /boot: { recurse: True, auto_add: True}
    /usr/bin: { recurse: True, auto_add: True}
    /usr/sbin: { recurse: True, auto_add: True}
    /usr/local/bin: { recurse: True, auto_add: True}
    /usr/local/sbin: { recurse: True, auto_add: True}
    return: slack_pulsar
    checksum: sha256
    stats: True
    batch: False

In order to receive Pulsar notifications you'll need to install the custom returners found in the Quasar repository. Example of using the Slack Pulsar returner to receive FIM notifications:

    slack_pulsar:
      as_user: true
      username: calculon
      channel: hubble_pulsar
      api_key: xoxo-xxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxx
Tip: If you need to create a Slack bot, see: https://my.slack.com/services/new/bot
Excluding Paths
There may be certain paths that you want to exclude from this real-time FIM tool. This can be done using the exclude: keyword beneath any defined path.
    /var:
      recurse: True
      auto_add: True
      exclude:
        - /var/log
        - /var/spool
        - /var/cache
        - /var/lock
Troubleshooting
If inotify is reporting that it can’t create watches due to lack of disk space, but you have plenty of disk space and inodes available, then you may have to raise the max number of inotify watches. To check the max number of inotify watches:
# cat /proc/sys/fs/inotify/max_user_watches
To set the max number of inotify watches:
# echo 20000 | sudo tee -a /proc/sys/fs/inotify/max_user_watches
Under The Hood
Pulsar is written as a Salt beacon, which requires the salt-minion daemon to be running. This then acts as an agent that watches for file system events using Linux’s inotify subsystem.
Development
If you’re interested in contributing to this project this section outlines the structure and requirements for Pulsar agent module development.
Anatomy of a Pulsar module
    # -*- encoding: utf-8 -*-
    '''
    Pulsar agent

    :maintainer: HubbleStack / owner
    :maturity: 20160804
    :platform: Linux
    :requires: SaltStack
    '''
    from __future__ import absolute_import
    import logging

All Pulsar agents should include the above header, expanding the docstring to include full documentation. Any Pulsar agent should be written as a beacon and send its return data directly to the Quasar endpoint(s). No communication with the master is required.
Contribute
If you are interested in contributing or offering feedback to this project feel free to submit an issue or a pull request. We’re very open to community contribution.
Modules
FIM Modules
inotify
Pulsar was written to leverage inotify to watch for file system events in real-time. This allows a system running the Pulsar Beacon to notify you on unscheduled file system changes. This can be used to not only track out-of-band changes, but potentially catch intrusions as they happen. When a file system event is triggered, Pulsar will notify you of the type of change (IN_CREATE, IN_MODIFY or IN_DELETE), and provide you with information about the changed file. This includes checksums of the events as well as file attributes, such as permissions, ownerships, paths, etc. The Pulsar beacon is enabled by installing the beacon module and providing the beacon with pillar configuration data.
Configuration
Pulsar configuration supports a handful of options which are outlined below:
    beacons:
      pulsar:
        /etc: { recurse: True, auto_add: True}
        /lib: { recurse: True, auto_add: True}
        /bin: { recurse: True, auto_add: True}
        /sbin: { recurse: True, auto_add: True}
        /boot: { recurse: True, auto_add: True}
        /lib64: { recurse: True, auto_add: True}
        /usr/lib: { recurse: True, auto_add: True}
        /usr/bin: { recurse: True, auto_add: True}
        /usr/sbin: { recurse: True, auto_add: True}
        /usr/lib64: { recurse: True, auto_add: True}
        /usr/local/etc: { recurse: True, auto_add: True}
        /usr/local/bin: { recurse: True, auto_add: True}
        /usr/local/lib: { recurse: True, auto_add: True}
        /usr/local/sbin: { recurse: True, auto_add: True}
        /var:
          exclude:
            - /var/log
            - /var/spool
            - /var/cache
            - /var/lock
            - /var/lib/ntp
            - /var/lib/chrony
            - /var/lib/mlocate
            - /var/lib/logrotate.status
          recurse: True
          auto_add: True
        return: slack_pulsar
        checksum: sha256
        stats: True
        batch: False

The majority of the options contained within the Pulsar beacon config are simply paths that you'd like the system to watch. The options of recurse and auto_add will ensure that subdirectories are tracked and newly added files watched. Another crucial option is the exclude key, which allows you to exclude specific subdirectories. Be careful not to exclude too much or you may end up with blind spots. In addition the return option allows you to specify a comma-separated list of returners. In the example above we're using the slack_pulsar returner. One of the custom Pulsar returners must be used in order to properly receive these alerts. To learn more about the custom returners please see the Quasar repo.
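To make the blind-spot warning and the inotify watch limit from Troubleshooting concrete, here is an added example (not Pulsar's beacon code) that reads a config in the shape above, says whether a given file would be watched, excluded or not covered at all, and counts the directory watches the config needs against a max_user_watches value. It assumes exclude entries match as directory prefixes and that a non-recursive path only covers its direct children; the config and directory tree are constructed.

```python
import os
import tempfile

# Constructed Pulsar beacon config in the page's shape (example data, not the
# project's hubblestack_pulsar_config.yaml). Option keys sit beside the paths.
PULSAR_CONFIG = {
    "/etc": {"recurse": True, "auto_add": True},
    "/usr/local/bin": {"recurse": True, "auto_add": True},
    "/var": {"recurse": True, "auto_add": True,
             "exclude": ["/var/log", "/var/spool", "/var/cache", "/var/lock"]},
    "/root/.ssh": {"recurse": False},
    "return": "slack_pulsar",
    "checksum": "sha256",
}


def _under(path, top):
    """True if path is top itself or lies beneath it (directory-prefix match)."""
    return path == top or path.startswith(top.rstrip("/") + "/")


def watch_paths(config):
    """Only dict-valued keys are watched paths; the rest are beacon options."""
    return {p: o for p, o in config.items() if isinstance(o, dict)}


def classify(config, path):
    """Return 'watched', 'excluded' or 'unwatched' for one file path.
    Exclusion is modelled here as a directory-prefix match (an assumption)."""
    for top, opts in watch_paths(config).items():
        if not _under(path, top):
            continue
        if not opts.get("recurse") and os.path.dirname(path) != top:
            continue  # a non-recursive watch only sees the directory's direct children
        if any(_under(path, ex) for ex in opts.get("exclude", [])):
            return "excluded"
        return "watched"
    return "unwatched"


def blind_spots(config, paths):
    """Paths whose changes this config would never report, with the reason."""
    return {p: classify(config, p) for p in paths if classify(config, p) != "watched"}


def watches_needed(config, root):
    """Count the directories that need an inotify watch, walking a tree under
    `root` (a constructed stand-in for '/'). Excluded subtrees are pruned."""
    count = 0
    for top, opts in watch_paths(config).items():
        start = root + top
        if not os.path.isdir(start):
            continue
        if not opts.get("recurse"):
            count += 1
            continue
        for dirpath, dirnames, _ in os.walk(start):
            rel = dirpath[len(root):]
            if any(_under(rel, ex) for ex in opts.get("exclude", [])):
                dirnames[:] = []  # do not descend into an excluded subtree
                continue
            count += 1
    return count


def within_watch_limit(config, root, max_user_watches):
    """The troubleshooting check as a function: does the watch count fit in
    fs.inotify.max_user_watches? The limit is passed in, not read from /proc."""
    needed = watches_needed(config, root)
    return needed <= max_user_watches, needed


def build_sample_tree():
    """Create a small constructed directory layout and return its root."""
    root = tempfile.mkdtemp(prefix="pulsar-demo-")
    for sub in ("etc/ssh", "etc/cron.d", "var/log/audit", "var/lib/ntp",
                "var/spool/cron", "var/www/html", "usr/local/bin", "opt/app"):
        os.makedirs(os.path.join(root, sub))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print(blind_spots(PULSAR_CONFIG, ["/etc/ssh/sshd_config", "/var/log/secure",
                                      "/opt/app/run.sh", "/root/.ssh/keys/id"]))
    print(within_watch_limit(PULSAR_CONFIG, root, 8192))
```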
Quasar
Introduction
Quasar is Hubble’s reporting system; a key component in visualizing your data. Quasar gathers the data captured by Nova, Nebula and Pulsar and delivers it directly to your logging or SIM/SEM system. Create dashboards, alerts and correlations all using the SIM/SEM system you already have!
Note: dashboards not included :)
Installation
Each of the four HubbleStack components has been packaged for use with Salt's Package Manager (SPM). Note that all SPM installation commands should be done on the Salt Master.
Required Configuration
Salt’s Package Manager (SPM) installs files into /srv/spm/{salt,pillar}. Ensure that this path is defined in your Salt Master’s file_roots:
    file_roots:
      - /srv/salt
      - /srv/spm/salt
Note: This should be the default value. To verify run: salt-call config.get file_roots
Tip: Remember to restart the Salt Master after making this change to the configuration.
Installation (Packages)
Installation is as easy as downloading and installing a package. (Note: in future releases you’ll be able to subscribe directly to our HubbleStack SPM repo for updates and bugfixes!)
    wget https://spm.hubblestack.io/quasar/hubblestack_quasar-2016.10.3-1.spm
    spm local install hubblestack_quasar-2016.10.3-1.spm
You should now be able to sync the new modules to your minion(s) using the sync_returners Salt utility:
    salt \* saltutil.sync_returners
Copy the hubblestack_quasar.sls.orig into your Salt pillar, dropping the .orig extension and target it to selected minions.
    base:
      '*':
        - hubblestack_quasar

    salt \* saltutil.refresh_pillar
Once these modules are synced you’ll be ready to begin reporting data and events. Skip to Usage.
Installation (Manual)
Copy everything from _returners/ into your salt/_returners/ directory, and sync it to the minions.
    git clone https://github.com/hubblestack/quasar.git hubblestack-quasar.git
    cd hubblestack-quasar.git
    mkdir -p /srv/salt/_returners
    cp _returners/*.py /srv/salt/_returners/
    cp pillar.example /srv/pillar/hubblestack_quasar.sls
    salt \* saltutil.sync_returners

Target the copied hubblestack_quasar.sls to selected minions.

    base:
      '*':
        - hubblestack_quasar

    salt \* saltutil.refresh_pillar
Once these modules are synced you’ll be ready to begin reporting data and events.
Installation (GitFS)
This installation method subscribes directly to our GitHub repository, pinning to a tag or branch. This method requires no package installation or manual checkouts. Requirements: GitFS support on your Salt Master.
/etc/salt/master.d/hubblestack-quasar.conf

    gitfs_remotes:
      - https://github.com/hubblestack/quasar:
        - base: v2016.10.3
Tip: Remember to restart the Salt Master after applying this change.
Usage
Each Quasar module has different requirements and settings. Please see your preferred module’s documentation.
Configuration
Under The Hood
Development
Contribute
If you are interested in contributing or offering feedback to this project feel free to submit an issue or a pull request. We’re very open to community contribution.
Modules
Slack - Pulsar
HubbleStack Pulsar-to-Slack returner.
maintainer HubbleStack / basepi
maturity 2016.7.0
platform All
requires SaltStack, HubbleStack Pulsar
Configuration
The following fields can be set in the minion conf or pillar:

    slack_pulsar:
      as_user: true            # required for bot profile
      username: calculon       # bot username
      channel: hubble-pulsar   # destination slack channel
      api_key: xoxb-0123456... # unique api key
Splunk - Nebula
HubbleStack Nebula-to-Splunk returner
maintainer HubbleStack
maturity 2016.7.0
platform All
requires SaltStack, HubbleStack Nebula

Deliver HubbleStack Nebula query data into Splunk using the HTTP event collector. Required config/pillar settings:
Configuration

    hubblestack:
      nebula:
        returner:
          splunk:
            token:
Splunk - Nova
HubbleStack Nova-to-Splunk returner
maintainer HubbleStack
maturity 2016.7.0
platform All
requires SaltStack, HubbleStack Nova

Deliver HubbleStack Nova result data into Splunk using the HTTP event collector. Required config/pillar settings:
Configuration

    hubblestack:
      nova:
        returner:
          splunk:
            token:
Splunk - Pulsar
HubbleStack Pulsar-to-Splunk returner
maintainer HubbleStack
maturity 2016.7.0
platform All
requires SaltStack, HubbleStack Pulsar

Deliver HubbleStack Pulsar event data into Splunk using the HTTP event collector. Required config/pillar settings:
Configuration

    hubblestack:
      pulsar:
        returner:
          splunk:
            token: