-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathinspec.yml
320 lines (274 loc) · 8.22 KB
/
inspec.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
name: canonical-ubuntu-16.04-lts-stig-baseline
title: canonical-ubuntu-16.04-lts-stig-baseline
maintainer: The Authors
copyright: The Authors
copyright_email: you@example.com
license: Apache-2.0
summary: "Inspec Validation Profile for Canonical Ubuntu 16.04 LTS STIG"
version: 1.1.0
inspec_version: ">= 4.0"
supports:
- platform-name: ubuntu
release: 16.04
inputs:
- name: platform_name
description: Name of the OS/Platform
type: String
value: 'ubuntu'
- name: platform_release
description: Release number of the OS/Platform
type: Numeric
value: 16.04
- name: supported_until
description: Support end date for OS/Platform security updates
type: String
value: '2021-04-30'
- name: log_file_path
description: Audit log file path (SHOULD BE REPLACED/REMOVED WHEN auditd.conf_path FUNCTIONALITY BECOMES AVAILABLE IN INSPEC)
type: String
value: '/var/log/audit/audit.log'
- name: log_file_dir
description: Audit log file directory (SHOULD BE REPLACED/REMOVED WHEN auditd.conf_path FUNCTIONALITY BECOMES AVAILABLE IN INSPEC)
type: String
value: '/var/log/audit/'
- name: org_name
description: Organization Name
type: String
value: 'DoD'
#V-75443
- name: maxlogins
description: Maximum number of concurrent sessions
type: Numeric
value: 10
#V-75449
- name: min_num_uppercase_char
description: Minimum number of upper case characters needed in a password (Denoted in negative numbers)
type: Numeric
value: -1
#V-75451
- name: min_num_lowercase_char
description: Minimum number of lower case characters needed in a password (Denoted in negative numbers)
type: Numeric
value: -1
#V-75453
- name: min_num_numeric_char
description: Minimum number of numeric characters needed in a password (Denoted in negative numbers)
type: Numeric
value: -1
#V-75455
- name: min_num_special_char
description: Minimum number of special characters needed in a password (Denoted in negative numbers)
type: Numeric
value: -1
#V-75457
- name: min_num_characters_to_change
description: Minimum number of characters that need to be changed for password rotation
type: Numeric
value: 8
#V-75469
- name: emergency_accounts
description: Emergency user accounts
type: Array
value: []
#V-75475
- name: min_num_password_generations
description: Minimum number of passwords to remember
type: Numeric
value: 5
#V-75485
- name: max_account_inactive_days
description: Maximum number of days an account can remain inactive
type: Numeric
value: 35
#V-75491
- name: temporary_accounts
description: Temporary user accounts
type: Array
value: []
#V-75513, V-75583
- name: application_groups
description: Known Application Groups
type: Array
value: []
- name: known_system_accounts
description: System accounts that support approved system activities
type: Array
value: [
'root',
'bin',
'daemon',
'adm',
'lp',
'sync',
'shutdown',
'halt',
'mail',
'operator',
'nobody',
'systemd-bus-proxy',
'systemd-network',
'dbus',
'polkitd',
'tss',
'postfix',
'chrony',
'sshd',
'sssd',
'rpc',
'ntp',
'vboxadd',
'nfsnobody',
'vagrant',
'rpcuser',
'sys',
'man',
'news',
'uucp',
'proxy',
'www-data',
'backup',
'list',
'irc',
'gnats',
'systemd-timesync',
'systemd-resolve',
'syslog',
'_apt',
'lxd',
'messagebus',
'uuidd',
'dnsmasq',
'statd',
]
- name: disallowed_accounts
description: Accounts that are not allowed on the system
type: Array
value: [
'games',
'gopher',
'ftp',
]
- name: user_accounts
description: Accounts of known managed users
type: Array
value: []
- name: exempt_home_users
description: These are `home dir` exempt interactive accounts
type: Array
value: []
- name: non_interactive_shells
description: These shells do not allow a user to login
type: Array
value: [
'/sbin/nologin',
'/sbin/halt',
'/sbin/shutdown',
'/bin/false',
'/bin/sync',
'/bin/true'
]
- name: disable_slow_controls
description: This attribute disables controls that consistently take a long time to complete
type: Boolean
value: false
- name: known_system_mount_points
description: Known System Mount Points
type: Array
value: [
'/',
'/boot',
'none'
]
#V-75577
- name: removable_media_mount_points
description: Mount points for removable
type: Array
value: []
#V-75585
- name: is_kdump_required
description: Is kdump service required? (check with SA and documented with ISSO)
type: Boolean
value: false
#V-75591
- name: audit_log_path
description: System Audit Log Data Path
type: String
value: '/var/log/audit'
#V-75625
- name: security_accounts
description: Security Personnel accounts
type: Array
sensitive: true
value: [
'root'
]
#V-75653
- name: audit_tools
description: Audit tools
type: Array
value: [
'/sbin/auditctl',
'/sbin/aureport',
'/sbin/ausearch',
'/sbin/autrace',
'/sbin/auditd',
'/sbin/audispd',
'/sbin/augenrules'
]
#V-75813
- name: is_system_networked
description: Set to true if the system is networked for NTP check
type: Boolean
value: true
- name: banner_text
description: Standard Mandatory DoD Notice and Consent Banner
type: String
value: 'You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.'
#V-75867
- name: is_wireless_available
description: Set to true if the system has a wireless network radio available (default:false)
type: Boolean
value: true
#V-75621
- name: standard_audit_log_size
description: Set audit log size in bytes (default:1073741824 per control specification)
type: Numeric
value: 1073741824
#V-75623
- name: action_mail_acct
description: Email address of the SA and ISSO to be notified in case of audit record storage issues
type: String
value: ''
#V-75837
- name: client_alive_interval
description: Client Alive Interval
type: Numeric
value: 600
- name: client_alive_count_max
description: Client Alive Interval
type: Numeric
value: 1
#V-75867
- name: allowed_network_interfaces
description: Array of allowed network interfaces (wired & wireless)
type: Array
value: [
'lo',
'eth0'
]
#V-78005
- name: other_antivirus_loaded_active
description: System Administrator and/or DoD approved antivirus program loaded, other than McAfee VirusScan Enterprise for Linux or Clam AntiVirus is loaded and activities
type: Boolean
value: false
#V-80961
- name: space_left_percent
description: Audit space storage remaining (percentage)
type: Numeric
value: 25