Update definitions.yaml

Fixing syntax of titles, and set 6.1.1.a 6.1.1.b as one test.
2019-03-25 15:13:45 +02:00 · 2019-03-25 15:13:45 +02:00 · 586ed5ed6e
commit 586ed5ed6e
parent b1ee46f6bd
1 changed files with 49 additions and 44 deletions
--- a/cfg/1.1.0/definitions.yaml
+++ b/cfg/1.1.0/definitions.yaml
@ -37,7 +37,7 @@ groups:
                Use your package manager to update all packages on the system according to site policy.
      scored: false
 - id: 1.1
-  description: "Filesystem Configurationilesystem Configuration"
+  description: "Filesystem Configuration"
  checks:
    - id: 1.1.2
      description: "Ensure separate partition exists for /tmp"
@ -429,7 +429,7 @@ groups:
                # update-rc.d autofs disable  
      scored: true                  
 - id: 1.1.1
-  description: "Disable unused filesystemsisable unused filesystems"
+  description: "Disable unused filesystems"
  checks:
    - id: 1.1.1.1.a
      description: "Ensure mounting of cramfs filesystems is disabled"
@ -759,7 +759,7 @@ groups:
      scored: true      
            
 - id: 1.2
-  description: "Configure Software Updatesonfigure Software Updates"
+  description: "Configure Software Updates"
  checks:
    - id: 1.2.1
      description: "Ensure package manager repositories are configured"
@ -818,7 +818,7 @@ groups:
                Update your package manager GPG keys in accordance with site policy.
      scored: false
 - id: 1.3
-  description: "Filesystem Integrity Checkingilesystem Integrity Checking"
+  description: "Filesystem Integrity Checking"
  checks:
    - id: 1.3.1
      description: "Ensure AIDE is installed"
@ -903,7 +903,7 @@ groups:
      scored: true                  
            
 - id: 1.4
-  description: "Secure Boot Settingsecure Boot Settings"
+  description: "Secure Boot Settings"
  checks:                           
    - id: 1.4.1
      description: "Ensure permissions on bootloader config are configured"
@ -1097,7 +1097,7 @@ groups:
                           
            
 - id: 1.5
-  description: "Additional Process Hardeningdditional Process Hardening"
+  description: "Additional Process Hardening"
  checks:
    - id: 1.5.1.a
      description: "Ensure core dumps are restricted"
@ -1271,7 +1271,7 @@ groups:
            zypper remove prelink 
      scored: true                           
 - id: 1.6
-  description: "Mandatory Access Controlandatory Access Control"
+  description: "Mandatory Access Control"
  checks:
  - id: 1.6.3
    description: "Ensure SELinux or AppArmor are installed"
@ -1370,7 +1370,7 @@ groups:
               The previous commands install SELinux, use the appropriate package if AppArmor is desired.
    scored: false   
 - id: 1.6.1
-  description: "Configure SELinuxonfigure SELinux"
+  description: "Configure SELinux"
  checks:
  - id: 1.6.1.1
    description: "Ensure SELinux is not disabled in bootloader configuration"
@ -1628,7 +1628,7 @@ groups:
               
          
 - id: 1.6.2
-  description: "Configure AppArmoronfigure AppArmor"
+  description: "Configure AppArmor"
  checks:
    - id: 1.6.2.1
      description: "Ensure AppArmor is not disabled in bootloader configuration"
@ -1759,7 +1759,7 @@ groups:
      scored: true        
            
 - id: 1.7.1
-  description: "Command Line Warning Bannersommand Line Warning Banners"
+  description: "Command Line Warning Banners"
  checks:
    - id: 1.7.1.1.a
      description: "Ensure message of the day is configured properly"
@ -2001,9 +2001,9 @@ groups:
      scored: false                  
             
 - id: 2
-  description: "Serviceservices"
+  description: "Services"
 - id: 2.1
-  description: "inetd Services netd Services"
+  description: "inetd Services"
  checks:
    - id: 2.1.1.a
      description: "Ensure chargen services are not enabled"
@ -2339,7 +2339,7 @@ groups:
      scored: true
    
 - id: 2.2
-  description: "Special Purpose Servicespecial Purpose Services"
+  description: "Special Purpose Services"
  checks:
    - id: 2.2.2
      description: "Ensure X Window System is not installed"
@ -3361,7 +3361,7 @@ groups:
      scored: true
    
 - id: 2.2.1
-  description: "Time Synchronizationime Synchronization"
+  description: "Time Synchronization"
  checks:
    - id: 2.2.1.1.a
      description: "Ensure time synchronization is in use"
@ -3951,7 +3951,7 @@ groups:
                # zypper remove openldap-clients
      scored: true                  
 - id: 3
-  description: "Network Configurationetwork Configuration"
+  description: "Network Configuration"
  checks:
    - id: 3.7.a
      description: "Ensure wireless interfaces are disabled"
@ -4646,7 +4646,7 @@ groups:
      scored: true                  
            
 - id: 3.3
-  description: "IPv6Pv6"
+  description: "IPv6"
  checks:
    - id: 3.3.1.a
      description: "Ensure IPv6 router advertisements are not accepted"
@ -4857,7 +4857,7 @@ groups:
                # update-grub
      scored: false
 - id: 3.4
-  description: "TCP WrappersCP Wrappers"
+  description: "TCP Wrappers"
  checks:
    - id: 3.4.1
      description: "Ensure TCP Wrappers is installed"
@ -4969,7 +4969,7 @@ groups:
                        
            
 - id: 3.5
-  description: "Uncommon Network Protocolsncommon Network Protocols"
+  description: "Uncommon Network Protocols"
  checks:
    - id: 3.5.1.a
      description: "Ensure DCCP is disabled"
@ -5100,7 +5100,7 @@ groups:
      scored: false                  
            
 - id: 3.6
-  description: "Firewall Configurationirewall Configuration"
+  description: "Firewall Configuration"
  checks:
    - id: 3.6.1
      description: "Ensure iptables is installed"
@ -5268,7 +5268,7 @@ groups:
            
      scored: true                  
 - id: 4
-  description: "Logging and Auditingogging and Auditing"
+  description: "Logging and Auditing"
  checks:
    - id: 4.3
      description: "Ensure logrotate is configured"
@ -5278,7 +5278,7 @@ groups:
            Edit `/etc/logrotate.conf` and `/etc/logrotate.d/*` to ensure logs are rotated according to site policy.
      scored: true                  
 - id: 4.1
-  description: "Configure System Accounting (auditd)onfigure System Accounting (auditd)"
+  description: "Configure System Accounting (auditd)"
  checks:
    - id: 4.1.2
      description: "Ensure auditd service is enabled"
@ -6141,7 +6141,7 @@ groups:
            
      scored: true 
 - id: 4.1.1
-  description: "Configure Data Retentiononfigure Data Retention"
+  description: "Configure Data Retention"
  checks:
    - id: 4.1.1.1
      description: "Ensure audit log storage size is configured"
@ -6688,7 +6688,7 @@ groups:
                # pkill -HUP syslog-ng
      scored: true                  
 - id: 5
-  description: "Access, Authentication and Authorizationccess, Authentication and Authorization"
+  description: "Access, Authentication and Authorization"
  checks:
    - id: 5.5
      description: "Ensure root login is restricted to system console"
@ -6739,7 +6739,7 @@ groups:
      scored: true                  
            
 - id: 5.1
-  description: "Configure crononfigure cron"
+  description: "Configure cron"
  checks:
    - id: 5.1.1
      description: "Ensure cron daemon is enabled"
@ -6989,7 +6989,7 @@ groups:
      scored: true                  
            
 - id: 5.2
-  description: "SSH Server ConfigurationSH Server Configuration"
+  description: "SSH Server Configuration"
  checks:
    - id: 5.2.1
      description: "Ensure permissions on /etc/ssh/sshd_config are configured"
@ -7290,7 +7290,7 @@ groups:
                      
            
 - id: 5.3
-  description: "Configure PAMonfigure PAM"
+  description: "Configure PAM"
  checks:
    - id: 5.3.1
      description: "Ensure password creation requirements are configured"
@ -7363,7 +7363,7 @@ groups:
      scored: false                  
            
 - id: 5.4
-  description: "User Accounts and Environmentser Accounts and Environment"
+  description: "User Accounts and Environment"
  checks:
    - id: 5.4.2
      description: "Ensure system accounts are non-login"
@ -7507,7 +7507,7 @@ groups:
            
      scored: true        
 - id: 5.4.1
-  description: "Set Shadow Password Suite Parameterset Shadow Password Suite Parameters"
+  description: "Set Shadow Password Suite Parameters"
  checks:
    - id: 5.4.1.1.a
      description: "Ensure password expiration is 365 days or less"
@ -7771,24 +7771,29 @@ groups:
      scored: true         
            
 - id: 6
-  description: "System Maintenanceystem Maintenance"
+  description: "System Maintenance"
 - id: 6.1
-  description: "System File Permissionsystem File Permissions"
+  description: "System File Permissions"
  checks:
-    - id: 6.1.1.a
+    - id: 6.1.1
      description: "Audit system file permissions"
-      audit: "rpm -Va --nomtime --nosize --nomd5 --nolinkto > <filename>"
-      type: "manual"            
-      remediation: |
-            Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted.
-      scored: false                  
-            
-    - id: 6.1.1.b
-      description: "Audit system file permissions"
-      audit: "dpkg --verify > <filename>"
-      type: "manual"      
-      remediation: |
-            Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted.
+      sub_checks:
+      - check:
+          audit: "rpm -Va --nomtime --nosize --nomd5 --nolinkto > <filename>"
+          type: "manual"            
+          constraints:
+            platform:
+            - rhel7
+          remediation: |
+                Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted.
+      - check:
+          audit: "dpkg --verify > <filename>"
+          type: "manual"      
+          constraints:
+            platform:
+            - ubuntu
+          remediation: |
+                Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted.
      scored: false
    - id: 6.1.2
      description: "Ensure permissions on /etc/passwd are configured"
@ -8349,4 +8354,4 @@ groups:
      remediation: |
            Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group.
      scored: true                  
-  
+