Update definitions.yaml

Fixing syntax of titles, and set 6.1.1.a and 6.1.1.b as one test.
yoavrotems 2019-03-25 15:13:45 +02:00 committed by GitHub
parent b1ee46f6bd
commit 586ed5ed6e

@ -37,7 +37,7 @@ groups:
Use your package manager to update all packages on the system according to site policy. Use your package manager to update all packages on the system according to site policy.
scored: false scored: false
- id: 1.1 - id: 1.1
description: "Filesystem Configurationilesystem Configuration" description: "Filesystem Configuration"
checks: checks:
- id: 1.1.2 - id: 1.1.2
description: "Ensure separate partition exists for /tmp" description: "Ensure separate partition exists for /tmp"
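Review bot: On the `description` line for id 1.1, the old value is the title followed by a copy of itself with the first letter dropped ("Filesystem Configurationilesystem Configuration"), and the later hunks in this patch correct the same shape of error in the other group titles. That regularity suggests the strings came from a generator or a bulk search-and-replace rather than from hand typing, so correcting them here leaves the cause in place. Suggest fixing whatever produced them, or adding a lint step that fails when a group `description` ends with a repeat of its own tail, so a regenerated definitions.yaml does not bring the duplicates back.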
@ -429,7 +429,7 @@ groups:
# update-rc.d autofs disable # update-rc.d autofs disable
scored: true scored: true
- id: 1.1.1 - id: 1.1.1
description: "Disable unused filesystemsisable unused filesystems" description: "Disable unused filesystems"
checks: checks:
- id: 1.1.1.1.a - id: 1.1.1.1.a
description: "Ensure mounting of cramfs filesystems is disabled" description: "Ensure mounting of cramfs filesystems is disabled"
@ -759,7 +759,7 @@ groups:
scored: true scored: true
- id: 1.2 - id: 1.2
description: "Configure Software Updatesonfigure Software Updates" description: "Configure Software Updates"
checks: checks:
- id: 1.2.1 - id: 1.2.1
description: "Ensure package manager repositories are configured" description: "Ensure package manager repositories are configured"
@ -818,7 +818,7 @@ groups:
Update your package manager GPG keys in accordance with site policy. Update your package manager GPG keys in accordance with site policy.
scored: false scored: false
- id: 1.3 - id: 1.3
description: "Filesystem Integrity Checkingilesystem Integrity Checking" description: "Filesystem Integrity Checking"
checks: checks:
- id: 1.3.1 - id: 1.3.1
description: "Ensure AIDE is installed" description: "Ensure AIDE is installed"
@ -903,7 +903,7 @@ groups:
scored: true scored: true
- id: 1.4 - id: 1.4
description: "Secure Boot Settingsecure Boot Settings" description: "Secure Boot Settings"
checks: checks:
- id: 1.4.1 - id: 1.4.1
description: "Ensure permissions on bootloader config are configured" description: "Ensure permissions on bootloader config are configured"
@ -1097,7 +1097,7 @@ groups:
- id: 1.5 - id: 1.5
description: "Additional Process Hardeningdditional Process Hardening" description: "Additional Process Hardening"
checks: checks:
- id: 1.5.1.a - id: 1.5.1.a
description: "Ensure core dumps are restricted" description: "Ensure core dumps are restricted"
@ -1271,7 +1271,7 @@ groups:
zypper remove prelink zypper remove prelink
scored: true scored: true
- id: 1.6 - id: 1.6
description: "Mandatory Access Controlandatory Access Control" description: "Mandatory Access Control"
checks: checks:
- id: 1.6.3 - id: 1.6.3
description: "Ensure SELinux or AppArmor are installed" description: "Ensure SELinux or AppArmor are installed"
@ -1370,7 +1370,7 @@ groups:
The previous commands install SELinux, use the appropriate package if AppArmor is desired. The previous commands install SELinux, use the appropriate package if AppArmor is desired.
scored: false scored: false
- id: 1.6.1 - id: 1.6.1
description: "Configure SELinuxonfigure SELinux" description: "Configure SELinux"
checks: checks:
- id: 1.6.1.1 - id: 1.6.1.1
description: "Ensure SELinux is not disabled in bootloader configuration" description: "Ensure SELinux is not disabled in bootloader configuration"
@ -1628,7 +1628,7 @@ groups:
- id: 1.6.2 - id: 1.6.2
description: "Configure AppArmoronfigure AppArmor" description: "Configure AppArmor"
checks: checks:
- id: 1.6.2.1 - id: 1.6.2.1
description: "Ensure AppArmor is not disabled in bootloader configuration" description: "Ensure AppArmor is not disabled in bootloader configuration"
@ -1759,7 +1759,7 @@ groups:
scored: true scored: true
- id: 1.7.1 - id: 1.7.1
description: "Command Line Warning Bannersommand Line Warning Banners" description: "Command Line Warning Banners"
checks: checks:
- id: 1.7.1.1.a - id: 1.7.1.1.a
description: "Ensure message of the day is configured properly" description: "Ensure message of the day is configured properly"
@ -2001,9 +2001,9 @@ groups:
scored: false scored: false
- id: 2 - id: 2
description: "Serviceservices" description: "Services"
- id: 2.1 - id: 2.1
description: "inetd Services netd Services" description: "inetd Services"
checks: checks:
- id: 2.1.1.a - id: 2.1.1.a
description: "Ensure chargen services are not enabled" description: "Ensure chargen services are not enabled"
@ -2339,7 +2339,7 @@ groups:
scored: true scored: true
- id: 2.2 - id: 2.2
description: "Special Purpose Servicespecial Purpose Services" description: "Special Purpose Services"
checks: checks:
- id: 2.2.2 - id: 2.2.2
description: "Ensure X Window System is not installed" description: "Ensure X Window System is not installed"
@ -3361,7 +3361,7 @@ groups:
scored: true scored: true
- id: 2.2.1 - id: 2.2.1
description: "Time Synchronizationime Synchronization" description: "Time Synchronization"
checks: checks:
- id: 2.2.1.1.a - id: 2.2.1.1.a
description: "Ensure time synchronization is in use" description: "Ensure time synchronization is in use"
@ -3951,7 +3951,7 @@ groups:
# zypper remove openldap-clients # zypper remove openldap-clients
scored: true scored: true
- id: 3 - id: 3
description: "Network Configurationetwork Configuration" description: "Network Configuration"
checks: checks:
- id: 3.7.a - id: 3.7.a
description: "Ensure wireless interfaces are disabled" description: "Ensure wireless interfaces are disabled"
@ -4646,7 +4646,7 @@ groups:
scored: true scored: true
- id: 3.3 - id: 3.3
description: "IPv6Pv6" description: "IPv6"
checks: checks:
- id: 3.3.1.a - id: 3.3.1.a
description: "Ensure IPv6 router advertisements are not accepted" description: "Ensure IPv6 router advertisements are not accepted"
@ -4857,7 +4857,7 @@ groups:
# update-grub # update-grub
scored: false scored: false
- id: 3.4 - id: 3.4
description: "TCP WrappersCP Wrappers" description: "TCP Wrappers"
checks: checks:
- id: 3.4.1 - id: 3.4.1
description: "Ensure TCP Wrappers is installed" description: "Ensure TCP Wrappers is installed"
@ -4969,7 +4969,7 @@ groups:
- id: 3.5 - id: 3.5
description: "Uncommon Network Protocolsncommon Network Protocols" description: "Uncommon Network Protocols"
checks: checks:
- id: 3.5.1.a - id: 3.5.1.a
description: "Ensure DCCP is disabled" description: "Ensure DCCP is disabled"
@ -5100,7 +5100,7 @@ groups:
scored: false scored: false
- id: 3.6 - id: 3.6
description: "Firewall Configurationirewall Configuration" description: "Firewall Configuration"
checks: checks:
- id: 3.6.1 - id: 3.6.1
description: "Ensure iptables is installed" description: "Ensure iptables is installed"
@ -5268,7 +5268,7 @@ groups:
scored: true scored: true
- id: 4 - id: 4
description: "Logging and Auditingogging and Auditing" description: "Logging and Auditing"
checks: checks:
- id: 4.3 - id: 4.3
description: "Ensure logrotate is configured" description: "Ensure logrotate is configured"
@ -5278,7 +5278,7 @@ groups:
Edit `/etc/logrotate.conf` and `/etc/logrotate.d/*` to ensure logs are rotated according to site policy. Edit `/etc/logrotate.conf` and `/etc/logrotate.d/*` to ensure logs are rotated according to site policy.
scored: true scored: true
- id: 4.1 - id: 4.1
description: "Configure System Accounting (auditd)onfigure System Accounting (auditd)" description: "Configure System Accounting (auditd)"
checks: checks:
- id: 4.1.2 - id: 4.1.2
description: "Ensure auditd service is enabled" description: "Ensure auditd service is enabled"
@ -6141,7 +6141,7 @@ groups:
scored: true scored: true
- id: 4.1.1 - id: 4.1.1
description: "Configure Data Retentiononfigure Data Retention" description: "Configure Data Retention"
checks: checks:
- id: 4.1.1.1 - id: 4.1.1.1
description: "Ensure audit log storage size is configured" description: "Ensure audit log storage size is configured"
@ -6688,7 +6688,7 @@ groups:
# pkill -HUP syslog-ng # pkill -HUP syslog-ng
scored: true scored: true
- id: 5 - id: 5
description: "Access, Authentication and Authorizationccess, Authentication and Authorization" description: "Access, Authentication and Authorization"
checks: checks:
- id: 5.5 - id: 5.5
description: "Ensure root login is restricted to system console" description: "Ensure root login is restricted to system console"
@ -6739,7 +6739,7 @@ groups:
scored: true scored: true
- id: 5.1 - id: 5.1
description: "Configure crononfigure cron" description: "Configure cron"
checks: checks:
- id: 5.1.1 - id: 5.1.1
description: "Ensure cron daemon is enabled" description: "Ensure cron daemon is enabled"
@ -6989,7 +6989,7 @@ groups:
scored: true scored: true
- id: 5.2 - id: 5.2
description: "SSH Server ConfigurationSH Server Configuration" description: "SSH Server Configuration"
checks: checks:
- id: 5.2.1 - id: 5.2.1
description: "Ensure permissions on /etc/ssh/sshd_config are configured" description: "Ensure permissions on /etc/ssh/sshd_config are configured"
@ -7290,7 +7290,7 @@ groups:
- id: 5.3 - id: 5.3
description: "Configure PAMonfigure PAM" description: "Configure PAM"
checks: checks:
- id: 5.3.1 - id: 5.3.1
description: "Ensure password creation requirements are configured" description: "Ensure password creation requirements are configured"
@ -7363,7 +7363,7 @@ groups:
scored: false scored: false
- id: 5.4 - id: 5.4
description: "User Accounts and Environmentser Accounts and Environment" description: "User Accounts and Environment"
checks: checks:
- id: 5.4.2 - id: 5.4.2
description: "Ensure system accounts are non-login" description: "Ensure system accounts are non-login"
@ -7507,7 +7507,7 @@ groups:
scored: true scored: true
- id: 5.4.1 - id: 5.4.1
description: "Set Shadow Password Suite Parameterset Shadow Password Suite Parameters" description: "Set Shadow Password Suite Parameters"
checks: checks:
- id: 5.4.1.1.a - id: 5.4.1.1.a
description: "Ensure password expiration is 365 days or less" description: "Ensure password expiration is 365 days or less"
@ -7771,24 +7771,29 @@ groups:
scored: true scored: true
- id: 6 - id: 6
description: "System Maintenanceystem Maintenance" description: "System Maintenance"
- id: 6.1 - id: 6.1
description: "System File Permissionsystem File Permissions" description: "System File Permissions"
checks: checks:
- id: 6.1.1.a - id: 6.1.1
description: "Audit system file permissions" description: "Audit system file permissions"
audit: "rpm -Va --nomtime --nosize --nomd5 --nolinkto > <filename>" sub_checks:
type: "manual" - check:
remediation: | audit: "rpm -Va --nomtime --nosize --nomd5 --nolinkto > <filename>"
Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted. type: "manual"
scored: false constraints:
platform:
- id: 6.1.1.b - rhel7
description: "Audit system file permissions" remediation: |
audit: "dpkg --verify > <filename>" Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted.
type: "manual" - check:
remediation: | audit: "dpkg --verify > <filename>"
Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted. type: "manual"
constraints:
platform:
- ubuntu
remediation: |
Correct any discrepancies found and rerun the audit until output is clean or risk is mitigated or accepted.
scored: false scored: false
- id: 6.1.2 - id: 6.1.2
description: "Ensure permissions on /etc/passwd are configured" description: "Ensure permissions on /etc/passwd are configured"
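Review bot: In the new `sub_checks` for id 6.1.1, the `constraints: platform:` lists name only `rhel7` and `ubuntu`, so a host reported as any other platform would match neither sub-check, and the hunk does not say what the merged test reports in that case. Before this change 6.1.1.a and 6.1.1.b carried no platform constraint, and remediation text elsewhere in this file refers to `zypper`, so rpm-based systems other than rhel7 are in scope for these definitions. Suggest widening each platform list to cover the rpm and dpkg families the tool recognises, or documenting the result when no sub-check matches, so the audit of system file permissions is not silently dropped on those hosts. The two `remediation` blocks are also word-for-word identical; if the schema allows it, keep one at the check level so they cannot drift apart.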