{
"7.1.1": {
"title": "Ensure permissions on /etc/passwd are configured \n(Automated)",
"audit": "Run the following command to verify /etc/passwd is mode 644 or more restrictive, Uid \nis 0/root and Gid is 0/root : \n# stat -Lc 'Access: (%#a/%A) Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/passwd \n \nAccess: (0644/ -rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)",
"description": "The /etc/passwd file contains user account information that is used by many system \nutilities and therefore must be readable for these utilities to operate.",
"remediation": "Run the following commands to remove excess permissions, set owner, and set group \non /etc/passwd : \n# chmod u-x,go-wx /etc/passwd \n# chown root:root /etc/passwd"
},
"7.1.2": {
"title": "Ensure permissions on /etc/passwd- are configured \n(Automated)",
"audit": "Run the following command to verify /etc/passwd- is mode 644 or more restrictive, \nUid is 0/root and Gid is 0/root : \n# stat -Lc 'Access: (%#a/%A) Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/passwd- \n \nAccess: (0644/ -rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)",
"description": "The /etc/passwd- file contains backup user account information.",
"remediation": "Run the following commands to remove excess permissions, set owner, and set group \non /etc/passwd-: \n# chmod u-x,go-wx /etc/passwd- \n# chown root:root /etc/passwd-"
},
"7.1.3": {
"title": "Ensure permissions on /etc/group are configured \n(Automated)",
"audit": "Run the following command to verify /etc/group is mode 644 or more restrictive, Uid \nis 0/root and Gid is 0/root : \n# stat -Lc 'Access: (%#a/%A) Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/group \n \nAccess: (0644/ -rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)",
"description": "The /etc/group file contains a list of all the valid groups defined in the system. The \ncommand below allows read/write access for root and read access for everyone else.",
"remediation": "Run the following commands to remove excess permissions, set owner, and set group \non /etc/group : \n# chmod u-x,go-wx /etc/group \n# chown root:root /etc/group"
},
"7.1.4": {
"title": "Ensure permissions on /etc/group- are configured \n(Automated)",
"audit": "Run the following command to verify /etc/group- is mode 644 or more restrictive, Uid \nis 0/root and Gid is 0/root : \n# stat -Lc 'Access: (%#a/%A) Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/group- \n \nAccess: (0644/ -rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)",
"description": "The /etc/group- file contains a backup list of all the valid groups defined in the \nsystem.",
"remediation": "Run the following commands to remove excess permissions, set owner, and set group \non /etc/group-: \n# chmod u-x,go-wx /etc/group- \n# chown root:root /etc/group-"
},
"7.1.5": {
"title": "Ensure permissions on /etc/shadow are configured \n(Automated)",
"audit": "Run the following command to verify /etc/shadow is mode 640 or more restrictive, Uid \nis 0/root and Gid is 0/root or ({GID}/ shadow): \n# stat -Lc 'Access: (%#a/%A) Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/shadow \nExample: \nAccess: (0640/ -rw-r-----) Uid: ( 0/ root) Gid: ( 42/ shadow)",
"description": "The /etc/shadow file is used to store the information about user accounts that is critical \nto the security of those accounts, such as the hashed password and other security \ninformation.",
"remediation": "Run one of the following commands to set ownership of /etc/shadow to root and \ngroup to either root or shadow : \n# chown root:shadow /etc/shadow \n -OR- \n# chown root:root /etc/shadow \nRun the following command to remove excess permissions from /etc/shadow : \n# chmod u-x,g-wx,o-rwx /etc/shadow"
},
"7.1.6": {
"title": "Ensure permissions on /etc/shadow- are configured \n(Automated)",
"audit": "Run the following command to verify /etc/shadow- is mode 640 or more restrictive, \nUid is 0/root and Gid is 0/root or {GID}/shadow : \n# stat -Lc 'Access: (%#a/%A) Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/shadow- \nExample: \nAccess: (0640/ -rw-r-----) Uid: ( 0/ root) Gid: ( 42/ shadow)",
"description": "The /etc/shadow- file is used to store backup information about user accounts that is \ncritical to the security of those accounts, such as the hashed password and other \nsecurity information.",
"remediation": "Run one of the following commands to set ownership of /etc/shadow- to root and \ngroup to either root or shadow : \n# chown root:shadow /etc/shadow- \n -OR- \n# chown root:root /etc/shadow- \nRun the following command to remove excess permissions from /etc/shadow-: \n# chmod u-x,g-wx,o-rwx /etc/shadow-"
},
"7.1.7": {
"title": "Ensure permissions on /etc/gshadow are configured \n(Automated)",
"audit": "Run the following command to verify /etc/gshadow is mode 640 or more restrictive, \nUid is 0/root and Gid is 0/root or {GID}/shadow : \n# stat -Lc 'Access: (%#a/%A) Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/gshadow \nExample: \nAccess: (0640/ -rw-r-----) Uid: ( 0/ root) Gid: ( 42/ shadow)",
"description": "The /etc/gshadow file is used to store the information about groups that is critical to \nthe security of those accounts, such as the hashed password and other security \ninformation.",
"remediation": "Run one of the following commands to set ownership of /etc/gshadow to root and \ngroup to either root or shadow : \n# chown root:shadow /etc/gshadow \n -OR- \n# chown root:root /etc/gshadow \nRun the following command to remove excess permissions from /etc/gshadow : \n# chmod u-x,g-wx,o-rwx /etc/gshadow"
},
"7.1.8": {
"title": "Ensure permissions on /etc/gshadow- are configured \n(Automated)",
"audit": "Run the following command to verify /etc/gshadow- is mode 640 or more restrictive, \nUid is 0/root and Gid is 0/root or {GID}/shadow : \n# stat -Lc 'Access: (%#a/%A) Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/gshadow- \nExample: \nAccess: (0640/ -rw-r-----) Uid: ( 0/ root) Gid: ( 42/ shadow)",
"description": "The /etc/gshadow- file is used to store backup information about groups that is critical \nto the security of those accounts, such as the hashed password and other security \ninformation.",
"remediation": "Run one of the following commands to set ownership of /etc/gshadow- to root and \ngroup to either root or shadow : \n# chown root:shadow /etc/gshadow- \n -OR- \n# chown root:root /etc/gshadow- \nRun the following command to remove excess permissions from /etc/gshadow-: \n# chmod u-x,g-wx,o-rwx /etc/gshadow-"
},
"7.1.9": {
"title": "Ensure permissions on /etc/shells are configured \n(Automated)",
"audit": "Run the following command to verify /etc/shells is mode 644 or more restrictive, Uid \nis 0/root and Gid is 0/root : \n# stat -Lc 'Access: (%#a/%A) Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/shells \n \nAccess: (0644/ -rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)",
"description": "/etc/shells is a text file which contains the full pathnames of valid login shells. This \nfile is consulted by chsh and available to be queried by other programs.",
"remediation": "Run the following commands to remove excess permissions, set owner, and set group \non /etc/shells : \n# chmod u-x,go-wx /etc/shells \n# chown root:root /etc/shells"
},
"7.1.10": {
"title": "Ensure permissions on /etc/security/opasswd are \nconfigured (Automated)",
"audit": "Run the following commands to verify /etc/security/opasswd and \n/etc/security/opasswd.old are mode 600 or more restrictive, Uid is 0/root and \nGid is 0/root if they exist: \n# [ -e \"/etc/security/opasswd\" ] && stat -Lc '%n Access: (%#a/%A) Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/security/opasswd \n \n/etc/security/opasswd Access: (0600/ -rw-------) Uid: ( 0/ root) Gid: ( 0/ root) \n -OR- \nNothing is returned \n# [ -e \"/etc/security/opasswd.old\" ] && stat -Lc '%n Access: (%#a/%A) Uid: ( %u/ %U) Gid: ( %g/ %G)' /etc/security/opasswd.old \n \n/etc/security/opasswd.old Access: (0600/ -rw-------) Uid: ( 0/ root) Gid: ( 0/ root) \n -OR- \nNothing is returned",
"description": "/etc/security/opasswd and its backup /etc/security/opasswd.old hold users' \nprevious passwords if pam_unix or pam_pwhistory is in use on the system",
"remediation": "Run the following commands to remove excess permissions, set owner, and set group \non /etc/security/opasswd and /etc/security/opasswd.old if they exist: \n# [ -e \"/etc/security/opasswd\" ] && chmod u-x,go-rwx /etc/security/opasswd \n# [ -e \"/etc/security/opasswd\" ] && chown root:root /etc/security/opasswd \n# [ -e \"/etc/security/opasswd.old\" ] && chmod u-x,go-rwx /etc/security/opasswd.old \n# [ -e \"/etc/security/opasswd.old\" ] && chown root:root /etc/security/opasswd.old"
},
"7.1.11": {
"title": "Ensure world writable files and directories are secured \n(Automated)",
"audit": "Run the following script to verify: \nNo world writable files exist \nNo world writable directories without the sticky bit exist \n#!/usr/bin/env bash \n \n{ \n l_output=\"\" l_output2=\"\" \n l_smask='01000' \n a_file=(); a_dir=() # Initialize arrays \n a_path=(! -path \"/run/user/*\" -a ! -path \"/proc/*\" -a ! -path \n\"*/containerd/*\" -a ! -path \"*/kubelet/pods/*\" -a ! -path \n\"*/kubelet/plugins/*\" -a ! -path \"/sys/*\" -a ! -path \"/snap/*\") \n while IFS= read -r l_mount; do \n while IFS= read -r -d $'\\0' l_file; do \n if [ -e \"$l_file\" ]; then \n [ -f \"$l_file\" ] && a_file+=(\"$l_file\") # Add WR files \n if [ -d \"$l_file\" ] ; then # Add directories w/o sticky bit \n l_mode=\"$(stat -Lc '%#a' \"$l_file\")\" \n [ ! $(( $l_mode & $l_smask )) -gt 0 ] && a_dir+=(\"$l_file\") \n fi \n fi \n done < <(find \"$l_mount\" -xdev \\( \"${a_path[@]}\" \\) \\( -type f -o -type d \\) -perm -0002 -print0 2> /dev/null) \n done < <(findmnt -Dkerno fstype,target | awk '($1 !~ /^\\s*(nfs|proc|smb|vfat|iso9660|efivarfs|selinuxfs)/ && $2 !~ /^(\\/run\\/user\\/|\\/tmp|\\/var\\/tmp)/){print $2}') \n if ! (( ${#a_file[@]} > 0 )); then \n l_output=\"$l_output \\n - No world writable files exist on the local \nfilesystem.\" \n else \n l_output2=\"$l_output2 \\n - There are \\\"$(printf '%s' \"${#a_file[@]}\") \\\" \nWorld writable files on the system. \\n - The following is a list of World \nwritable files: \\n$(printf '%s \\n' \"${a_file[@]}\") \\n - end of list \\n\" \n fi \n if ! (( ${#a_dir[@]} > 0 )); then \n l_output=\"$l_output \\n - Sticky bit is set on world writable \ndirectories on the local filesystem.\" \n else \n l_output2=\"$l_output2 \\n - There are \\\"$(printf '%s' \"${#a_dir[@]}\") \\\" \nWorld writable directories without the sticky bit on the system. \\n - The \nfollowing is a list of World writable directories without the sticky \nbit:\\n$(printf '%s \\n' \"${a_dir[@]}\") \\n - end of list \\n\" \n fi \n unset a_path; unset a_arr; unset a_file; unset a_dir # Remove arrays \n # If l_output2 is empty, we pass \n if [ -z \"$l_output2\" ]; then \n echo -e \"\\n- Audit Result: \\n ** PASS ** \\n - * Correctly configured * \n:\\n$l_output \\n\" \n else \n echo -e \"\\n- Audit Result: \\n ** FAIL ** \\n - * Reasons for audit \nfailure * : \\n$l_output2\" \n [ -n \"$l_output\" ] && echo -e \"- * Correctly configured * \n:\\n$l_output \\n\" \n fi \n} \nNote: On systems with a large number of files and/or directories, this audit may be a \nlong running process",
"description": "World writable files are the least secure. Data in world-writable files can be modified and \ncompromised by any user on the system. World writable files may also indicate an \nincorrectly written script or program that could potentially be the cause of a larger \ncompromise to the system's integrity. See the chmod(2) man page for more \ninformation. \nSetting the sticky bit on world writable directories prevents users from deleting or \nrenaming files in that directory that are not owned by them.",
"remediation": "World Writable Files: \no It is recommended that write access is removed from other with the \ncommand ( chmod o-w <filename> ), but always consult relevant vendor \ndocumentation to avoid breaking any application dependencies on a given \nfile. \nWorld Writable Directories: \no Set the sticky bit on all world writable directories with the command ( \nchmod a+t <directory_name> ) \nRun the following script to: \nRemove other write permission from any world writable files \nAdd the sticky bit to all world writable directories \n#!/usr/bin/env bash \n \n{ \n l_smask='01000' \n a_file=(); a_dir=() # Initialize arrays \n a_path=(! -path \"/run/user/*\" -a ! -path \"/proc/*\" -a ! -path \n\"*/containerd/*\" -a ! -path \"*/kubelet/pods/*\" -a ! -path \n\"*/kubelet/plugins/*\" -a ! -path \"/sys/*\" -a ! -path \"/snap/*\") \n while IFS= read -r l_mount; do \n while IFS= read -r -d $'\\0' l_file; do \n if [ -e \"$l_file\" ]; then \n l_mode=\"$(stat -Lc '%#a' \"$l_file\")\" \n if [ -f \"$l_file\" ]; then # Remove excess permissions from WW files \n echo -e \" - File: \\\"$l_file \\\" is mode: \\\"$l_mode \\\"\\n - \nremoving write permission on \\\"$l_file \\\" from \\\"other\\\"\" \n chmod o-w \"$l_file\" \n fi \n if [ -d \"$l_file\" ]; then # Add sticky bit \n if [ ! $(( $l_mode & $l_smask )) -gt 0 ]; then \n echo -e \" - Directory: \\\"$l_file \\\" is mode: \\\"$l_mode \\\" and \ndoesn't have the sticky bit set \\n - Adding the sticky bit\" \n chmod a+t \"$l_file\" \n fi \n fi \n fi \n done < <(find \"$l_mount\" -xdev \\( \"${a_path[@]}\" \\) \\( -type f -o -type d \\) -perm -0002 -print0 2> /dev/null) \n done < <(findmnt -Dkerno fstype,target | awk '($1 !~ /^\\s*(nfs|proc|smb|vfat|iso9660|efivarfs|selinuxfs)/ && $2 !~ /^(\\/run\\/user\\/|\\/tmp|\\/var\\/tmp)/){print $2}') \n}"
},
"7.1.12": {
"title": "Ensure no files or directories without an owner and a group \nexist (Automated)",
"audit": "Run the following script to verify no unowned or ungrouped files or directories exist: \n#!/usr/bin/env bash \n \n{ \n l_output=\"\" l_output2=\"\" \n a_nouser=(); a_nogroup=() # Initialize arrays \n a_path=(! -path \"/run/user/*\" -a ! -path \"/proc/*\" -a ! -path \n\"*/containerd/*\" -a ! -path \"*/kubelet/pods/*\" -a ! -path \n\"*/kubelet/plugins/*\" -a ! -path \"/sys/fs/cgroup/memory/*\" -a ! -path \n\"/var/*/private/*\") \n while IFS= read -r l_mount; do \n while IFS= read -r -d $'\\0' l_file; do \n if [ -e \"$l_file\" ]; then \n while IFS=: read -r l_user l_group; do \n [ \"$l_user\" = \"UNKNOWN\" ] && a_nouser+=(\"$l_file\") \n [ \"$l_group\" = \"UNKNOWN\" ] && a_nogroup+=(\"$l_file\") \n done < <(stat -Lc '%U:%G' \"$l_file\") \n fi \n done < <(find \"$l_mount\" -xdev \\( \"${a_path[@]}\" \\) \\( -type f -o -type d \\) \\( -nouser -o -nogroup \\) -print0 2> /dev/null) \n done < <(findmnt -Dkerno fstype,target | awk '($1 !~ /^\\s*(nfs|proc|smb|vfat|iso9660|efivarfs|selinuxfs)/ && $2 !~ /^\\/run\\/user\\//){print $2}') \n if ! (( ${#a_nouser[@]} > 0 )); then \n l_output=\"$l_output \\n - No files or directories without an owner exist \non the local filesystem.\" \n else \n l_output2=\"$l_output2 \\n - There are \\\"$(printf '%s' \"${#a_nouser[@]}\") \\\" unowned files or directories on the system. \\n - The \nfollowing is a list of unowned files and/or directories: \\n$(printf '%s \\n' \"${a_nouser[@]}\") \\n - end of list\" \n fi \n if ! (( ${#a_nogroup[@]} > 0 )); then \n l_output=\"$l_output \\n - No files or directories without a group exist \non the local filesystem.\" \n else \n l_output2=\"$l_output2 \\n - There are \\\"$(printf '%s' \"${#a_nogroup[@]}\") \\\" ungrouped files or directories on the system. \\n - The \nfollowing is a list of ungrouped files and/or directories: \\n$(printf '%s \\n' \"${a_nogroup[@]}\") \\n - end of list\" \n fi \n unset a_path; unset a_arr ; unset a_nouser; unset a_nogroup # Remove arrays \n if [ -z \"$l_output2\" ]; then # If l_output2 is empty, we pass \n echo -e \"\\n- Audit Result: \\n ** PASS ** \\n - * Correctly configured * \n:\\n$l_output \\n\" \n else \n echo -e \"\\n- Audit Result: \\n ** FAIL **\\n - * Reasons for audit \nfailure * : \\n$l_output2\" \n [ -n \"$l_output\" ] && echo -e \"\\n- * Correctly configured * \n:\\n$l_output \\n\" \n fi \n} \nNote: On systems with a large number of files and/or directories, this audit may be a \nlong running process",
"description": "Administrators may delete users or groups from the system and neglect to remove all \nfiles and/or directories owned by those users or groups.",
"remediation": "Remove or set ownership and group ownership of these files and/or directories to an \nactive user on the system as appropriate."
},
"7.1.13": {
"title": "Ensure SUID and SGID files are reviewed (Manual)",
"audit": "Run the following script to generate a list of SUID and SGID files: \n#!/usr/bin/env bash \n \n{ \n l_output=\"\" l_output2=\"\" \n a_suid=(); a_sgid=() # initialize arrays \n while IFS= read -r l_mount; do \n while IFS= read -r -d $'\\0' l_file; do \n if [ -e \"$l_file\" ]; then \n l_mode=\"$(stat -Lc '%#a' \"$l_file\" )\" \n [ $(( $l_mode & 04000 )) -gt 0 ] && a_suid+=(\"$l_file\") \n [ $(( $l_mode & 02000 )) -gt 0 ] && a_sgid+=(\"$l_file\") \n fi \n done < <(find \"$l_mount\" -xdev -type f \\( -perm -2000 -o -perm -4000 \\) -print0 2>/dev/null) \n done < <(findmnt -Dkerno fstype,target,options | awk '($1 !~ /^\\s*(nfs|proc|smb|vfat|iso9660|efivarfs|selinuxfs)/ && $2 !~ /^\\/run\\/user\\// && $3 !~/noexec/ && $3 !~/nosuid/) {print $2}') \n if ! (( ${#a_suid[@]} > 0 )); then \n l_output=\"$l_output \\n - No executable SUID files exist on the system\" \n else \n l_output2=\"$l_output2 \\n - List of \\\"$(printf '%s' \"${#a_suid[@]}\") \\\" \nSUID executable files: \\n$(printf '%s \\n' \"${a_suid[@]}\") \\n - end of list -\\n\" \n fi \n if ! (( ${#a_sgid[@]} > 0 )); then \n l_output=\"$l_output \\n - No SGID files exist on the system\" \n else \n l_output2=\"$l_output2 \\n - List of \\\"$(printf '%s' \"${#a_sgid[@]}\") \\\" \nSGID executable files: \\n$(printf '%s \\n' \"${a_sgid[@]}\") \\n - end of list -\\n\" \n fi \n [ -n \"$l_output2\" ] && l_output2=\"$l_output2 \\n- Review the preceding \nlist(s) of SUID and/or SGID files to \\n- ensure that no rogue programs have \nbeen introduced onto the system. \\n\" \n unset a_arr; unset a_suid; unset a_sgid # Remove arrays \n # If l_output2 is empty, Nothing to report \n if [ -z \"$l_output2\" ]; then \n echo -e \"\\n- Audit Result: \\n$l_output \\n\" \n else \n echo -e \"\\n- Audit Result: \\n$l_output2 \\n\" \n [ -n \"$l_output\" ] && echo -e \"$l_output \\n\" \n fi \n} \nNote: on systems with a large number of files, this may be a long running process",
"description": "The owner of a file can set the file's permissions to run with the owner's or group's \npermissions, even if the user running the program is not the owner or a member of the \ngroup. The most common reason for a SUID or SGID program is to enable users to \nperform functions (such as changing their password) that require root privileges.",
"remediation": "Ensure that no rogue SUID or SGID programs have been introduced into the system. \nReview the files returned by the action in the Audit section and confirm the integrity of \nthese binaries."
}
}