This repository has been archived by the owner. It is now read-only.
Merged
3 changes: 1 addition & 2 deletions FORMULA
Original file line number Diff line number Diff line change
@@ -1,8 +1,7 @@
top_level_dir: hubblestack_nova
name: hubblestack_nova
os: RedHat, CentOS, Debian, Ubuntu
os_family: RedHat, Debian
version: 2016.9.2
version: 2016.10.1
release: 1
summary: HubbleStack Nova
description: HubbleStack Nova
17 changes: 6 additions & 11 deletions README.rst
Expand Up @@ -243,20 +243,15 @@ the purposes of compliance percentage.
Schedule
--------

In order to run the audits once daily, you can use the following schedule:
In order to run the audits once daily, you can use the following cron job:

**/etc/cron.d/hubble**

.. code-block:: yaml

schedule:
nova_day:
function: hubble.top
seconds: 86400
kwargs:
verbose: True
show_profile: True
returner: splunk_nova_return
return_job: False
run_on_start: False
MAILTO=""
SHELL=/bin/bash
@daily root /usr/bin/salt '*' hubble.top verbose=True,show_profile=True --return splunk_nova_return

.. _nova_configuration:

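Review bot: in the `@daily` line the keyword arguments are joined with a comma (`verbose=True,show_profile=True`), but the salt command line takes space-separated arguments, so this is read as a single `verbose` argument whose value is the string `True,show_profile=True`, and `show_profile` is never set. Write it as `hubble.top verbose=True show_profile=True`. The block is also still declared `.. code-block:: yaml` although its content is now a crontab. The removed `return_job: False` setting has no counterpart in the cron line, so the README should say whether returning the job data to the master is now intended.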
12 changes: 7 additions & 5 deletions hubblestack_nova/win_secedit.py
Expand Up @@ -264,11 +264,13 @@ def _secedit_import(inf_file):
def _get_account_sid():
'''This helper function will get all the users and groups on the computer
and return a dictionary'''
win32 = __salt__['cmd.run']('Get-WmiObject win32_useraccount | Format-List -Property '
'Name, SID', shell='powershell', python_shell=True)
win32 = __salt__['cmd.run']('Get-WmiObject win32_useraccount -Filter "localaccount=\'True\'"'
' | Format-List -Property Name, SID', shell='powershell',
python_shell=True)
win32 += '\n'
win32 += __salt__['cmd.run']('Get-WmiObject win32_group | Format-List -Property Name, '
'SID', shell='powershell', python_shell=True)
win32 += __salt__['cmd.run']('Get-WmiObject win32_group -Filter "localaccount=\'True\'" | '
'Format-List -Property Name, SID', shell='powershell',
python_shell=True)
if win32:

dict_return = {}
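Review bot: the docstring of `_get_account_sid` still promises "all the users and groups on the computer", but both queries now carry `-Filter "localaccount='True'"`, so non-local accounts and groups no longer appear in the returned dictionary. Update the docstring to say "local" and confirm that no caller needs to resolve a domain principal through this helper. Separately, `if win32:` can never be false, because `win32 += '\n'` runs unconditionally just before it. If an empty result from PowerShell is meant to be detected, test the two command outputs before concatenating them.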
Expand All @@ -278,7 +280,7 @@ def _get_account_sid():
lines.remove('local:')
for line in lines:
line = line.strip()
if line != '':
if line != '' and ' : ' in line:
k, v = line.split(' : ')
if k.lower() == 'name':
key = v
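Review bot: `k, v = line.split(' : ')` can still raise ValueError after the new `' : ' in line` guard, because a value that itself contains ` : ` makes the split return more than two parts. Use `line.split(' : ', 1)` so that only the first separator is honoured. Lines that fail the guard are now dropped silently, which includes any continuation line of a wrapped `Format-List` value. A debug log entry for skipped lines would make a truncated name or SID visible instead of producing a wrong mapping without notice.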
24 changes: 12 additions & 12 deletions hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-1-0.yaml
Expand Up @@ -46,7 +46,7 @@ grep:
pattern: password
tag: CIS-1.4.2
description: Ensure bootloader password is set
chargen_diabled:
chargen_disabled:
data:
Red Hat Enterprise Server-7:
- /etc/xinetd.d/chargen-dgram:
Expand All @@ -70,7 +70,7 @@ grep:
match_output: yes
tag: CIS-2.1.2
description: Ensure daytime services are not enabled
discard_diabled:
discard_disabled:
data:
Red Hat Enterprise Server-7:
- /etc/xinetd.d/discard-dgram:
Expand All @@ -82,7 +82,7 @@ grep:
match_output: yes
tag: CIS-2.1.3
description: Ensure discard services are not enabled
echo_diabled:
echo_disabled:
data:
Red Hat Enterprise Server-7:
- /etc/xinetd.d/echo-dgram:
Expand All @@ -94,7 +94,7 @@ grep:
match_output: yes
tag: CIS-2.1.4
description: Ensure echo services are not enabled
time_diabled:
time_disabled:
data:
Red Hat Enterprise Server-7:
- /etc/xinetd.d/time-dgram:
Expand Down Expand Up @@ -155,7 +155,7 @@ grep:
- '-r'
tag: CIS-5.4.4
description: Ensure default user umask is 027 or more restrictive
disble_mount_cramfs:
disable_mount_cramfs:
data:
CentOS Linux-7:
- /etc/modprobe.d:
Expand All @@ -165,7 +165,7 @@ grep:
- '-r'
tag: CIS-1.1.1.1
description: Ensure mounting of cramfs filesystems is disabled
disble_mount_freevxfs:
disable_mount_freevxfs:
data:
CentOS Linux-7:
- /etc/modprobe.d:
Expand All @@ -175,7 +175,7 @@ grep:
- '-r'
tag: CIS-1.1.1.2
description: Ensure mounting of freevxfs filesystems is disabled
disble_mount_jffs2:
disable_mount_jffs2:
data:
CentOS Linux-7:
- /etc/modprobe.d:
Expand All @@ -185,7 +185,7 @@ grep:
- '-r'
tag: CIS-1.1.1.3
description: Ensure mounting of jffs2 filesystems is disabled
disble_mount_hfs:
disable_mount_hfs:
data:
CentOS Linux-7:
- /etc/modprobe.d:
Expand All @@ -195,7 +195,7 @@ grep:
- '-r'
tag: CIS-1.1.1.4
description: Ensure mounting of hfs filesystems is disabled
disble_mount_hfsplus:
disable_mount_hfsplus:
data:
CentOS Linux-7:
- /etc/modprobe.d:
Expand All @@ -205,7 +205,7 @@ grep:
- '-r'
tag: CIS-1.1.1.5
description: Ensure mounting of hfsplus filesystems is disabled
disble_mount_squashfs:
disable_mount_squashfs:
data:
CentOS Linux-7:
- /etc/modprobe.d:
Expand All @@ -215,7 +215,7 @@ grep:
- '-r'
tag: CIS-1.1.1.6
description: Ensure mounting of squashfs filesystems is disabled
disble_mount_udf:
disable_mount_udf:
data:
CentOS Linux-7:
- /etc/modprobe.d:
Expand All @@ -225,7 +225,7 @@ grep:
- '-r'
tag: CIS-1.1.1.7
description: Ensure mounting of udf filesystems is disabled
disble_mount_far:
disable_mount_fat:
data:
CentOS Linux-7:
- /etc/modprobe.d:
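Review bot: the renames in this file change the check identifiers themselves (`chargen_diabled` to `chargen_disabled`, `disble_mount_*` to `disable_mount_*`, `disble_mount_far` to `disable_mount_fat`), not only display text. Anything that refers to a check by its key rather than by its `tag` will stop matching once this profile is deployed. List the old and new keys in the release notes for 2016.10.1 so that users can update their own references. The last rename corrects two typos at once (`disble` and `far`), which is worth calling out separately because a search for the `disble_` prefix alone would not predict the new name.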
28 changes: 16 additions & 12 deletions hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2.yaml
Expand Up @@ -46,7 +46,7 @@ grep:
pattern: password
tag: CIS-1.4.2
description: Set Boot Loader Password (Scored)
chargen_diabled:
chargen_disabled:
data:
Red Hat Enterprise Server-7:
- /etc/xinetd.d/chargen-dgram:
Expand All @@ -70,7 +70,7 @@ grep:
match_output: yes
tag: CIS-2.1.2
description: Ensure that daytime service in not enabled (Scored)
discard_diabled:
discard_disabled:
data:
Red Hat Enterprise Server-7:
- /etc/xinetd.d/discard-dgram:
Expand All @@ -82,7 +82,7 @@ grep:
match_output: yes
tag: CIS-2.1.3
description: Ensure that discard service in not enabled (Scored)
echo_diabled:
echo_disabled:
data:
Red Hat Enterprise Server-7:
- /etc/xinetd.d/echo-dgram:
Expand All @@ -94,7 +94,7 @@ grep:
match_output: yes
tag: CIS-2.1.4
description: Ensure that echo service in not enabled (Scored)
time_diabled:
time_disabled:
data:
Red Hat Enterprise Server-7:
- /etc/xinetd.d/time-dgram:
Expand Down Expand Up @@ -155,7 +155,7 @@ grep:
- '-r'
tag: CIS-5.4.4
description: Set Default umask for Users (Scored)
disble_mount_cramfs:
disable_mount_cramfs:
data:
CentOS Linux-7:
- /etc/modprobe.d:
Expand All @@ -165,7 +165,7 @@ grep:
- '-r'
tag: CIS-1.1.1.1
description: Disable mounting cramfs filesystems (Scored).
disble_mount_freevxfs:
disable_mount_freevxfs:
data:
CentOS Linux-7:
- /etc/modprobe.d:
Expand All @@ -175,7 +175,7 @@ grep:
- '-r'
tag: CIS-1.1.1.2
description: Disable mounting freevxfs filesystems (Scored).
disble_mount_jffs2:
disable_mount_jffs2:
data:
CentOS Linux-7:
- /etc/modprobe.d:
Expand All @@ -185,7 +185,7 @@ grep:
- '-r'
tag: CIS-1.1.1.3
description: Disable mounting jffs2 filesystems (Scored).
disble_mount_hfs:
disable_mount_hfs:
data:
CentOS Linux-7:
- /etc/modprobe.d:
Expand All @@ -195,7 +195,7 @@ grep:
- '-r'
tag: CIS-1.1.1.4
description: Disable mounting hfs filesystems (Scored).
disble_mount_hfsplus:
disable_mount_hfsplus:
data:
CentOS Linux-7:
- /etc/modprobe.d:
Expand All @@ -205,7 +205,7 @@ grep:
- '-r'
tag: CIS-1.1.1.5
description: Disable mounting hfsplus filesystems (Scored).
disble_mount_squashfs:
disable_mount_squashfs:
data:
CentOS Linux-7:
- /etc/modprobe.d:
Expand All @@ -215,7 +215,7 @@ grep:
- '-r'
tag: CIS-1.1.1.6
description: Disable mounting squashfs filesystems (Scored).
disble_mount_udf:
disable_mount_udf:
data:
CentOS Linux-7:
- /etc/modprobe.d:
Expand All @@ -225,7 +225,7 @@ grep:
- '-r'
tag: CIS-1.1.1.7
description: Disable mounting udf filesystems (Scored).
disble_mount_far:
disable_mount_fat:
data:
CentOS Linux-7:
- /etc/modprobe.d:
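Review bot: the `description` values next to the renamed keys in this file still read "service in not enabled" (CIS-2.1.2, CIS-2.1.3 and CIS-2.1.4 in the context lines), where "in" should be "is". Since this change is already a typo pass over the same entries, fix the descriptions in the same commit. These strings are what a reader of the audit report sees, so they matter more than the keys.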
Expand Down Expand Up @@ -905,7 +905,9 @@ stat:
data:
CentOS Linux-7:
- /etc/passwd:
gid: 0
group: root
mode: 644
tag: CIS-6.1.2
uid: 0
user: root
Expand Down Expand Up @@ -947,7 +949,9 @@ stat:
data:
CentOS Linux-7:
- /etc/passwd-:
gid: 0
group: root
mode: 644
tag: CIS-6.1.6
uid: 0
user: root
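Review bot: `mode: 644` in the `/etc/passwd` and `/etc/passwd-` entries is an unquoted YAML scalar, so it loads as the decimal integer 644, and anyone who later writes it in the conventional `0644` form will get an octal integer with a different value. Quote it (`mode: '644'`) unless the stat module is documented to expect an integer. The diff for `centos-7-level-1-scored-v2-1-0.yaml` in this change carries only renames, so confirm that its corresponding stat entries already have `gid` and `mode`, or add them there too.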