diff --git a/cfg/1.1.0/definitions.yaml b/cfg/1.1.0/definitions.yaml index 0893992..3af3258 100644 --- a/cfg/1.1.0/definitions.yaml +++ b/cfg/1.1.0/definitions.yaml @@ -37,7 +37,7 @@ groups: Use your package manager to update all packages on the system according to site policy. scored: false - id: 1.1 - description: "Filesystem Configurationilesystem Configuration" + description: "Filesystem Configuration" checks: - id: 1.1.2 description: "Ensure separate partition exists for /tmp" @@ -429,7 +429,7 @@ groups: # update-rc.d autofs disable scored: true - id: 1.1.1 - description: "Disable unused filesystemsisable unused filesystems" + description: "Disable unused filesystems" checks: - id: 1.1.1.1.a description: "Ensure mounting of cramfs filesystems is disabled" @@ -759,7 +759,7 @@ groups: scored: true - id: 1.2 - description: "Configure Software Updatesonfigure Software Updates" + description: "Configure Software Updates" checks: - id: 1.2.1 description: "Ensure package manager repositories are configured" @@ -818,7 +818,7 @@ groups: Update your package manager GPG keys in accordance with site policy. scored: false - id: 1.3 - description: "Filesystem Integrity Checkingilesystem Integrity Checking" + description: "Filesystem Integrity Checking" checks: - id: 1.3.1 description: "Ensure AIDE is installed" @@ -903,7 +903,7 @@ groups: scored: true - id: 1.4 - description: "Secure Boot Settingsecure Boot Settings" + description: "Secure Boot Settings" checks: - id: 1.4.1 description: "Ensure permissions on bootloader config are configured" @@ -1097,7 +1097,7 @@ groups: - id: 1.5 - description: "Additional Process Hardeningdditional Process Hardening" + description: "Additional Process Hardening" checks: - id: 1.5.1.a description: "Ensure core dumps are restricted" 
@@ -1271,7 +1271,7 @@ groups: zypper remove prelink scored: true - id: 1.6 - description: "Mandatory Access Controlandatory Access Control" + description: "Mandatory Access Control" checks: - id: 1.6.3 description: "Ensure SELinux or AppArmor are installed" @@ -1370,7 +1370,7 @@ groups: The previous commands install SELinux, use the appropriate package if AppArmor is desired. scored: false - id: 1.6.1 - description: "Configure SELinuxonfigure SELinux" + description: "Configure SELinux" checks: - id: 1.6.1.1 description: "Ensure SELinux is not disabled in bootloader configuration" @@ -1628,7 +1628,7 @@ groups: - id: 1.6.2 - description: "Configure AppArmoronfigure AppArmor" + description: "Configure AppArmor" checks: - id: 1.6.2.1 description: "Ensure AppArmor is not disabled in bootloader configuration" @@ -1759,7 +1759,7 @@ groups: scored: true - id: 1.7.1 - description: "Command Line Warning Bannersommand Line Warning Banners" + description: "Command Line Warning Banners" checks: - id: 1.7.1.1.a description: "Ensure message of the day is configured properly" @@ -2001,9 +2001,9 @@ groups: scored: false - id: 2 - description: "Serviceservices" + description: "Services" - id: 2.1 - description: "inetd Services netd Services" + description: "inetd Services" checks: - id: 2.1.1.a description: "Ensure chargen services are not enabled" @@ -2339,7 +2339,7 @@ groups: scored: true - id: 2.2 - description: "Special Purpose Servicespecial Purpose Services" + description: "Special Purpose Services" checks: - id: 2.2.2 description: "Ensure X Window System is not installed" @@ -3361,7 +3361,7 @@ groups: scored: true - id: 2.2.1 - description: "Time Synchronizationime Synchronization" + description: "Time Synchronization" checks: - id: 2.2.1.1.a description: "Ensure time synchronization is in use" 
@@ -3951,7 +3951,7 @@ groups: # zypper remove openldap-clients scored: true - id: 3 - description: "Network Configurationetwork Configuration" + description: "Network Configuration" checks: - id: 3.7.a description: "Ensure wireless interfaces are disabled" @@ -4646,7 +4646,7 @@ groups: scored: true - id: 3.3 - description: "IPv6Pv6" + description: "IPv6" checks: - id: 3.3.1.a description: "Ensure IPv6 router advertisements are not accepted" @@ -4857,7 +4857,7 @@ groups: # update-grub scored: false - id: 3.4 - description: "TCP WrappersCP Wrappers" + description: "TCP Wrappers" checks: - id: 3.4.1 description: "Ensure TCP Wrappers is installed" @@ -4969,7 +4969,7 @@ groups: - id: 3.5 - description: "Uncommon Network Protocolsncommon Network Protocols" + description: "Uncommon Network Protocols" checks: - id: 3.5.1.a description: "Ensure DCCP is disabled" @@ -5100,7 +5100,7 @@ groups: scored: false - id: 3.6 - description: "Firewall Configurationirewall Configuration" + description: "Firewall Configuration" checks: - id: 3.6.1 description: "Ensure iptables is installed" @@ -5268,7 +5268,7 @@ groups: scored: true - id: 4 - description: "Logging and Auditingogging and Auditing" + description: "Logging and Auditing" checks: - id: 4.3 description: "Ensure logrotate is configured" @@ -5278,7 +5278,7 @@ groups: Edit `/etc/logrotate.conf` and `/etc/logrotate.d/*` to ensure logs are rotated according to site policy. scored: true - id: 4.1 - description: "Configure System Accounting (auditd)onfigure System Accounting (auditd)" + description: "Configure System Accounting (auditd)" checks: - id: 4.1.2 description: "Ensure auditd service is enabled" @@ -6141,7 +6141,7 @@ groups: scored: true - id: 4.1.1 - description: "Configure Data Retentiononfigure Data Retention" + description: "Configure Data Retention" checks: - id: 4.1.1.1 description: "Ensure audit log storage size is configured" 
@@ -6688,7 +6688,7 @@ groups: # pkill -HUP syslog-ng scored: true - id: 5 - description: "Access, Authentication and Authorizationccess, Authentication and Authorization" + description: "Access, Authentication and Authorization" checks: - id: 5.5 description: "Ensure root login is restricted to system console" @@ -6739,7 +6739,7 @@ groups: scored: true - id: 5.1 - description: "Configure crononfigure cron" + description: "Configure cron" checks: - id: 5.1.1 description: "Ensure cron daemon is enabled" @@ -6989,7 +6989,7 @@ groups: scored: true - id: 5.2 - description: "SSH Server ConfigurationSH Server Configuration" + description: "SSH Server Configuration" checks: - id: 5.2.1 description: "Ensure permissions on /etc/ssh/sshd_config are configured" @@ -7290,7 +7290,7 @@ groups: - id: 5.3 - description: "Configure PAMonfigure PAM" + description: "Configure PAM" checks: - id: 5.3.1 description: "Ensure password creation requirements are configured" @@ -7363,7 +7363,7 @@ groups: scored: false - id: 5.4 - description: "User Accounts and Environmentser Accounts and Environment" + description: "User Accounts and Environment" checks: - id: 5.4.2 description: "Ensure system accounts are non-login" @@ -7507,7 +7507,7 @@ groups: scored: true - id: 5.4.1 - description: "Set Shadow Password Suite Parameterset Shadow Password Suite Parameters" + description: "Set Shadow Password Suite Parameters" checks: - id: 5.4.1.1.a description: "Ensure password expiration is 365 days or less" 
@@ -7771,24 +7771,29 @@ groups: scored: true - id: 6 - description: "System Maintenanceystem Maintenance" + description: "System Maintenance" - id: 6.1 - description: "System File Permissionsystem File Permissions" + description: "System File Permissions" checks: - - id: 6.1.1.a + - id: 6.1.1 description: "Audit system file permissions" - audit: "rpm -Va --nomtime --nosize --nomd5 --nolinkto > " - type: "manual" - remediation: | - Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted. - scored: false - - - id: 6.1.1.b - description: "Audit system file permissions" - audit: "dpkg --verify > " - type: "manual" - remediation: | - Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted. + sub_checks: + - check: + audit: "rpm -Va --nomtime --nosize --nomd5 --nolinkto > " + type: "manual" + constraints: + platform: + - rhel7 + remediation: | + Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted. + - check: + audit: "dpkg --verify > " + type: "manual" + constraints: + platform: + - ubuntu + remediation: | + Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted. scored: false - id: 6.1.2 description: "Ensure permissions on /etc/passwd are configured" @@ -8349,4 +8354,4 @@ groups: remediation: | Remove all users from the shadow group, and change the primary group of any users with shadow as their primary group. scored: true - \ No newline at end of file +
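Review bot: Both `audit` strings in the new `sub_checks` of check 6.1.1 still end in a bare `> ` with no redirect target, so anyone who copies or runs them as written gets a shell syntax error instead of a verification report. Give the target as a labelled placeholder, e.g. `audit: "rpm -Va --nomtime --nosize --nomd5 --nolinkto > <output-file>"` and `audit: "dpkg --verify > <output-file>"`. The new `constraints` list only `rhel7` and `ubuntu`, while other hunks in this file carry `zypper` remediation, so on a platform matching neither entry this manual check may no longer be presented at all. How unmatched sub_checks are handled is not visible here, so confirm it and extend the `platform` lists with the identifiers the tool uses for the remaining rpm- and dpkg-based distributions. The `checks:` list for group 6.1 continues outside the hunk.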