---
# Profile metadata for the Canonical Ubuntu 18.04 LTS STIG InSpec baseline.
name: canonical-ubuntu-18.04-lts-stig-baseline
title: Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide
maintainer: MITRE InSpec Team
copyright: The MITRE Corporation, 2021
# NOTE(review): the address appears redacted in this copy. A bare value that
# starts with '[' is parsed as a flow sequence, so quote the real address when
# restoring it.
copyright_email: [email protected]
license: Apache-2.0
# Folded scalar: line breaks below become single spaces at load time.
summary: >-
  This Security Technical Implementation Guide is published as a tool to improve
  the security of Department of Defense (DoD) information systems. The
  requirements are derived from the National Institute of Standards and
  Technology (NIST) 800-53 and related documents. Comments or proposed revisions
  to this document should be sent via email to the following address:
  [email protected].
# Three-part version is not a valid number, so it stays a string unquoted.
version: 1.0.0
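# Platform constraint: the profile is only applied to Ubuntu 18.04 targets.
supports:
- platform-name: ubuntu
  # Quoted so the release is read as the string "18.04" rather than a float;
  # an unquoted 18.10, for example, would silently load as 18.1.
  release: '18.04'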
# Profile inputs and their default values.
inputs:
- name: platform_name
  description: Name of the OS/Platform
  type: String
  value: 'ubuntu'
- name: platform_release
  description: Release number of the OS/Platform
  type: Numeric
  # NOTE(review): declared Numeric, so 18.04 loads as a float and a release
  # such as 18.10 would lose its trailing zero. Confirm the consuming controls
  # really expect a number here rather than a string.
  value: 18.04
- name: supported_until
  description: Support end date for OS/Platform security updates
  type: String
  # Quoted so the date is kept as text instead of a timestamp object.
  value: '2023-04-30'
- name: log_file_path
  description: Audit log file path (SHOULD BE REPLACED/REMOVED WHEN auditd.conf_path FUNCTIONALITY BECOMES AVAILABLE IN INSPEC)
  type: String
  value: '/var/log/audit/audit.log'
- name: log_file_dir
  description: Audit log file directory (SHOULD BE REPLACED/REMOVED WHEN auditd.conf_path FUNCTIONALITY BECOMES AVAILABLE IN INSPEC)
  type: String
  value: '/var/log/audit/'
- name: org_name
  description: Organization Name
  type: String
  value: 'MITRE'
# V-219147
- name: grub_main_cfg
  description: Main grub boot config file
  type: String
  value: '/boot/grub/grub.cfg'
- name: grub_superuser
  description: superusers for grub boot
  type: String
  value: 'root'
# V-219148
- name: grub_uefi_main_cfg
  # Shares its description with grub_main_cfg; the path points at the copy
  # used on UEFI-booted systems.
  description: Main grub boot config file
  type: String
  value: '/boot/efi/EFI/ubuntu/grub.cfg'
# V-219195
# V-219197
- name: audit_tools
  # Audit tool binaries referenced by the controls for V-219195 and V-219197.
  description: System audit tools used to view and manipulate log data
  type: Array
  value:
  - /sbin/auditctl
  - /sbin/aureport
  - /sbin/ausearch
  - /sbin/autrace
  - /sbin/auditd
  - /sbin/audispd
  - /sbin/augenrules
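# V-219162
- name: audisp_cfg
  description: Auditing Daemon config file
  type: String
  value: '/etc/audisp/audisp-remote.conf'
- name: audisp_cfg_remote_server
  description: Auditing Daemon remote_server IP Address
  type: String
  # 10.0.0.2 is a private-range address and looks like a placeholder default;
  # supply the organisation's actual remote audit log server when running.
  value: '10.0.0.2'
- name: audisp_cfg_remote_plugin_cfg
  # Typo fixed in the description ("filea" -> "file").
  description: Auditing Daemon plugin audisp-remote config file
  type: String
  value: '/etc/audisp/plugins.d/au-remote.conf'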
# V-219164
- name: min_fail_delay
  description: The minimum milliseconds after failed logon attempt
  type: String
  # NOTE(review): 4000000 matches the pam_faildelay delay= argument, which is
  # in microseconds (4 seconds), while the description says milliseconds.
  # Confirm which unit the control expects before changing either.
  value: '4000000'
# V-219167
- name: banner_message_text_gui
  description: Banner message text for graphical user interface logins.
  type: String
  # The value carries its own surrounding single quotes inside the double
  # quotes; keep them. The text is left on one line so that no whitespace is
  # altered — the controls presumably compare it verbatim (confirm).
  value: "'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'"
# V-219170
- name: banner_message_text_cli
  description: Banner message text for command line interface logins.
  type: String
  # Same notice as the GUI banner, without the embedded single quotes.
  value: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
# V-219180
- name: min_reuse_generations
  description: The minimum number of generations before a password can be reused
  type: String
  # Declared String rather than Numeric, so the value is quoted to stay textual.
  value: '5'
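# V-219303
- name: system_activity_timeout
  # Grammar fixed in the description ("in terminated" -> "are terminated").
  description: The length in seconds of inactivity from the user after which the network connections associated with a session are terminated
  type: String
  value: '600'
# V-219311
- name: client_alive_interval
  description: The length in seconds of inactivity for ClientAliveInterval in sshd_config
  type: String
  value: '600'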
# V-219150
- name: is_default_install_partition
  description: Assert default partition layout for encryption
  type: Boolean
  # Lowercase YAML boolean, matching the declared Boolean type.
  value: false
# V-219324
# TODO: May need to reduce to a base set
- name: allowed_profiles_enforce_mode
  # NOTE(review): the '*' in the /snap/core paths sits where the snap revision
  # directory goes rather than a PID — confirm the matching logic handles it.
  description: List of AppArmor profiles (PIDs substituted with *) that are allowed to be in enforce mode
  type: Array
  value:
  - /sbin/dhclient
  - /snap/core/*/usr/lib/snapd/snap-confine
  - /snap/core/*/usr/lib/snapd/snap-confine//mount-namespace-capture-helper
  - /usr/bin/evince
  - /usr/bin/evince-previewer
  - /usr/bin/evince-previewer//sanitized_helper
  - /usr/bin/evince-thumbnailer
  - /usr/bin/evince//sanitized_helper
  - /usr/bin/man
  - /usr/lib/NetworkManager/nm-dhcp-client.action
  - /usr/lib/NetworkManager/nm-dhcp-helper
  - /usr/lib/chromium-browser/chromium-browser//browser_java
  - /usr/lib/chromium-browser/chromium-browser//browser_openjdk
  - /usr/lib/chromium-browser/chromium-browser//sanitized_helper
  - /usr/lib/connman/scripts/dhclient-script
  - /usr/lib/cups/backend/cups-pdf
  - /usr/lib/lightdm/lightdm-guest-session
  - /usr/lib/lightdm/lightdm-guest-session//chromium
  - /usr/lib/snapd/snap-confine
  - /usr/lib/snapd/snap-confine//mount-namespace-capture-helper
  - /usr/sbin/cups-browsed
  - /usr/sbin/cupsd
  - /usr/sbin/cupsd//third_party
  - /usr/sbin/ippusbxd
  - /usr/sbin/tcpdump
  # Named (non-path) profiles follow.
  - docker-default
  - snap-update-ns.code
  - snap-update-ns.core
  - snap-update-ns.kontena-lens
  - snap.core.hook.configure
  - webbrowser-app
  - webbrowser-app//oxide_helper
# V-219324
# TODO: May need to reduce to a base set
- name: allowed_profiles_complain_mode
  description: List of AppArmor profiles (PIDs substituted with *) that are allowed to be in complain mode (at a minimum)
  type: Array
  value:
  - /usr/lib/chromium-browser/chromium-browser
  - /usr/lib/chromium-browser/chromium-browser//chromium_browser_sandbox
  - /usr/lib/chromium-browser/chromium-browser//lsb_release
  - /usr/lib/chromium-browser/chromium-browser//xdgsettings
  - /usr/lib/dovecot/anvil
  - /usr/lib/dovecot/auth
  - /usr/lib/dovecot/config
  - /usr/lib/dovecot/deliver
  - /usr/lib/dovecot/dict
  - /usr/lib/dovecot/dovecot-auth
  - /usr/lib/dovecot/dovecot-lda
  - /usr/lib/dovecot/dovecot-lda///usr/sbin/sendmail
  - /usr/lib/dovecot/imap
  - /usr/lib/dovecot/imap-login
  - /usr/lib/dovecot/lmtp
  - /usr/lib/dovecot/log
  - /usr/lib/dovecot/managesieve
  - /usr/lib/dovecot/managesieve-login
  - /usr/lib/dovecot/pop3
  - /usr/lib/dovecot/pop3-login
  - /usr/lib/dovecot/ssl-params
  - /usr/sbin/avahi-daemon
  - /usr/sbin/dnsmasq
  - /usr/sbin/dnsmasq//libvirt_leaseshelper
  - /usr/sbin/dovecot
  - /usr/sbin/identd
  - /usr/sbin/mdnsd
  - /usr/sbin/nmbd
  - /usr/sbin/nscd
  - /usr/sbin/smbd
  - /usr/sbin/smbldap-useradd
  - /usr/sbin/smbldap-useradd///etc/init.d/nscd
  # Brace-alternation entries are kept verbatim from the AppArmor profile names;
  # braces mid-scalar are plain text in block context.
  - /usr/{sbin/traceroute,bin/traceroute.db}
  - /{usr/,}bin/ping
  # Named (non-path) profiles follow.
  - klogd
  - snap.code.code
  - snap.code.url-handler
  - snap.kontena-lens.kontena-lens
  - syslog-ng
  - syslogd