Merge pull request #194 from vmware/aria-automation-8.12-updates
Aria automation 8.12 updates
Showing 278 changed files with 5,134 additions and 264 deletions.
Binary file renamed (+2.74 MB): ...n_8.x_V1R3_STIG_Readiness_Guide_xccdf.zip → ...n_8.x_V1R4_STIG_Readiness_Guide_xccdf.zip
47 changes: 47 additions & 0 deletions
.../vmware-vra-8x-stig-baseline/CHANGELOG.md → ...-automation-8x-stig-baseline/CHANGELOG.md
2 changes: 1 addition & 1 deletion
...nspec/vmware-vra-8x-stig-baseline/LICENSE → ...-aria-automation-8x-stig-baseline/LICENSE
3 files renamed without changes.
2 changes: 2 additions & 0 deletions
aria/automation/8.x/inspec/vmware-aria-automation-8x-stig-baseline/controls/vra.rb
@@ -0,0 +1,2 @@ | ||
include_controls 'vra' do | ||
end |
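Review bot: the `do ... end` block on `include_controls 'vra'` is empty; a bare `include_controls 'vra'` imports every control of the dependency just the same, so the block only earns its place if overrides (for example `control 'PHTN-30-000002' do impact 0 end`) are planned for this wrapper. Either way, the name `vra` has to match a `depends:` entry with `name: vra` in the wrapper's inspec.yml, which this commit page does not show; with the directory moving from vmware-vra-8x-stig-baseline to vmware-aria-automation-8x-stig-baseline it is worth confirming the dependency name and path were updated together, otherwise `inspec exec` fails to resolve the profile.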
27 files renamed without changes.
6 changes: 3 additions & 3 deletions
...re-vra-8x-stig-baseline/docker/inspec.yml → ...mation-8x-stig-baseline/docker/inspec.yml
@@ -1,8 +1,8 @@ | ||
name: Docker-CE | ||
title: InSpec Profile | ||
maintainer: The Authors | ||
maintainer: SCOPE/VMTA | ||
copyright: The Authors | ||
copyright_email: you@example.com | ||
copyright_email: stigs@vmware.com | ||
license: Apache-2.0 | ||
summary: An InSpec Compliance Profile | ||
version: 0.1.0 | ||
version: 1.0.1 |
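Review bot: `copyright: The Authors` is still the inspec.yml scaffold default while `maintainer` and `copyright_email` on the neighbouring lines move to SCOPE/VMTA and stigs@vmware.com; the same applies to `title: InSpec Profile` and `summary: An InSpec Compliance Profile`, which say nothing about this being the Docker CE STIG baseline bundled with the Aria Automation profile. Set the copyright holder in the same pass and give the profile a title and summary that name the Docker CE STIG, as the kubernetes/inspec.yml in this commit does. The version goes 0.1.0 → 1.0.1 with no 1.0.0 in between; fine if deliberate, but CHANGELOG.md (modified in this commit, not shown here) should record why.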
97 files renamed without changes.
6 changes: 3 additions & 3 deletions
...ra-8x-stig-baseline/kubernetes/inspec.yml → ...on-8x-stig-baseline/kubernetes/inspec.yml
@@ -1,11 +1,11 @@ | ||
name: kubernetes-stig-baseline | ||
title: Kubernetes Security Technical Implementation Guide | ||
maintainer: VMTA | ||
maintainer: SCOPE/VMTA | ||
copyright: The Authors | ||
copyright_email: you@example.com | ||
copyright_email: stigs@vmware.com | ||
license: Apache-2.0 | ||
summary: "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]." | ||
version: 1.0.3 | ||
version: 1.0.4 | ||
|
||
supports: | ||
- platform-family: linux | ||
|
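Review bot: the same scaffold leftover as in docker/inspec.yml: `copyright: The Authors` is untouched while `maintainer` and `copyright_email` on the adjacent lines are updated to SCOPE/VMTA and stigs@vmware.com; set it to the real copyright holder while the file is open. The 1.0.3 → 1.0.4 bump is appropriate for a metadata-only change, provided CHANGELOG.md carries a matching entry.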
10 files renamed without changes.
50 changes: 50 additions & 0 deletions
...tion/8.x/inspec/vmware-aria-automation-8x-stig-baseline/photon/controls/PHTN-30-000001.rb
@@ -0,0 +1,50 @@ | ||
control 'PHTN-30-000001' do | ||
title 'The Photon operating system must audit all account creations.' | ||
desc 'Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes.' | ||
desc 'rationale', '' | ||
desc 'check', " | ||
At the command line, run the following command: | ||
# auditctl -l | grep -E \"(useradd|groupadd)\" | ||
Expected result: | ||
-w /usr/sbin/useradd -p x -k useradd | ||
-w /usr/sbin/groupadd -p x -k groupadd | ||
If either \"useradd\" or \"groupadd\" are not listed with a permissions filter of at least \"x\", this is a finding. | ||
Note: This check depends on the \"auditd\" service to be in a running state for accurate results. The \"auditd\" service is enabled in control PHTN-30-000013. | ||
" | ||
desc 'fix', " | ||
Navigate to and open: | ||
/etc/audit/rules.d/audit.STIG.rules | ||
Add or update the following lines: | ||
-w /usr/sbin/useradd -p x -k useradd | ||
-w /usr/sbin/groupadd -p x -k groupadd | ||
At the command line, run the following command to load the new audit rules: | ||
# /sbin/augenrules --load | ||
Note: A new \"audit.STIG.rules\" file is provided for placement in \"/etc/audit/rules.d\" that contains all rules needed for auditd. | ||
Note: An older \"audit.STIG.rules\" may exist and may reference older \"GEN\" SRG IDs. This file can be removed and replaced as necessary with an updated one. | ||
" | ||
impact 0.5 | ||
tag severity: 'medium' | ||
tag gtitle: 'SRG-OS-000004-GPOS-00004' | ||
tag gid: 'V-PHTN-30-000001' | ||
tag rid: 'SV-PHTN-30-000001' | ||
tag stig_id: 'PHTN-30-000001' | ||
tag cci: ['CCI-000018'] | ||
tag nist: ['AC-2 (4)'] | ||
|
||
describe auditd do | ||
its('lines') { should include %r{-w /usr/sbin/useradd -p x -k useradd} } | ||
its('lines') { should include %r{-w /usr/sbin/groupadd -p x -k groupadd} } | ||
end | ||
end |
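Review bot: the InSpec test is stricter than the check text it implements. The check accepts any rule whose permissions filter is "at least x", but `its('lines') { should include %r{-w /usr/sbin/useradd -p x -k useradd} }` only matches the literal `-p x`, so a rule loaded as `-p wx` (or listed with `-k useradd` before `-p x`) satisfies the STIG and still fails the control. A pattern such as `%r{-w /usr/sbin/useradd -p \w*x\w* -k useradd}` for both lines would match what the check text describes. Second, the note states that the result depends on auditd running, yet there is no `only_if` or skip guard: with auditd stopped the control reports a failure with no hint that the real finding is PHTN-30-000013. An `only_if { service('auditd').running? }` with a skip message, or a separate `describe service('auditd')` block, makes the cause visible in the report.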
60 changes: 60 additions & 0 deletions
...tion/8.x/inspec/vmware-aria-automation-8x-stig-baseline/photon/controls/PHTN-30-000002.rb
@@ -0,0 +1,60 @@ | ||
control 'PHTN-30-000002' do | ||
title 'The Photon operating system must automatically lock an account when three unsuccessful logon attempts occur.' | ||
desc 'By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.' | ||
desc 'rationale', '' | ||
desc 'check', " | ||
At the command line, run the following commands: | ||
# grep pam_tally2 /etc/pam.d/system-auth | ||
Expected result: | ||
auth required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300 | ||
# grep pam_tally2 /etc/pam.d/system-account | ||
Expected result: | ||
account required pam_tally2.so onerr=fail audit | ||
If the output does not list the \"pam_tally2\" options as configured in the expected results, this is a finding. | ||
" | ||
desc 'fix', " | ||
Navigate to and open: | ||
/etc/pam.d/system-auth | ||
Remove any existing \"pam_tally2.so\" line and add the following line after the \"pam_unix.so\" statement: | ||
auth required pam_tally2.so deny=3 onerr=fail audit even_deny_root unlock_time=900 root_unlock_time=300 | ||
Navigate to and open: | ||
/etc/pam.d/system-account | ||
Remove any existing \"pam_tally2.so\" line and add the following line after the \"pam_unix.so\" statement: | ||
account required pam_tally2.so onerr=fail audit | ||
Note: On vCenter appliances, the equivalent file must be edited under \"/etc/applmgmt/appliance\", if one exists, for the changes to persist after a reboot. | ||
" | ||
impact 0.5 | ||
tag severity: 'medium' | ||
tag gtitle: 'SRG-OS-000021-GPOS-00005' | ||
tag satisfies: ['SRG-OS-000329-GPOS-00128'] | ||
tag gid: 'V-PHTN-30-000002' | ||
tag rid: 'SV-PHTN-30-000002' | ||
tag stig_id: 'PHTN-30-000002' | ||
tag cci: ['CCI-000044', 'CCI-002238'] | ||
tag nist: ['AC-7 a', 'AC-7 b'] | ||
|
||
# match after pam_unix.so and with options in any order on pam_tally2 | ||
describe file('/etc/pam.d/system-auth') do | ||
its('content') { should match /^auth\s*required\s*pam_unix\.so.*\n(^auth\s*required\s*pam_tally2\.so\s*(?=.*\bdeny=3\b)(?=.*\bonerr=fail\b)(?=.*\baudit\b)(?=.*\beven_deny_root\b)(?=.*\bunlock_time=900\b)(?=.*\broot_unlock_time=300\b).*$)/ } | ||
end | ||
|
||
# match after pam_unix.so and with options in any order on pam_tally2 | ||
describe file('/etc/pam.d/system-account') do | ||
its('content') { should match /^account\s*required\s*pam_unix\.so.*\n(^account\s*required\s*pam_tally2\.so\s*(?=.*\bonerr=fail\b)(?=.*\baudit\b).*$)/ } | ||
end | ||
end |
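Review bot: two problems in this control. First, the fix text's note "On vCenter appliances, the equivalent file must be edited under /etc/applmgmt/appliance" is specific to vCenter and is out of scope for an Aria Automation baseline; drop it or replace it with whatever persistence note applies to this appliance, otherwise assessors go looking for a directory that is not there. Second, every separator in the two regexes is `\s*`, which matches zero characters, so `authrequiredpam_unix.so` satisfies `^auth\s*required\s*pam_unix\.so`; `\s+` is what is meant. The single `\n` between the pam_unix.so line and the pam_tally2.so line also enforces strict adjacency, which agrees with the fix text ("after the pam_unix.so statement") but rejects a file where a comment or another module sits between them; if that is intended, say so in the check text so a manual review reaches the same verdict.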
73 changes: 73 additions & 0 deletions
...tion/8.x/inspec/vmware-aria-automation-8x-stig-baseline/photon/controls/PHTN-30-000003.rb
@@ -0,0 +1,73 @@ | ||
control 'PHTN-30-000003' do | ||
title 'The Photon operating system must display the Standard Mandatory DOD Notice and Consent Banner before granting Secure Shell (SSH) access.' | ||
desc 'Display of a standardized and approved use notification before granting access to the operating system ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.' | ||
desc 'rationale', '' | ||
desc 'check', " | ||
At the command line, run the following command: | ||
# sshd -T -f /etc/ssh/sshd_config_effective |&grep -i Banner | ||
Expected result: | ||
banner /etc/issue | ||
If the output does not match the expected result, this is a finding. | ||
Open /etc/issue with a text editor. | ||
If the file does not contain the Standard Mandatory DOD Notice and Consent Banner, this is a finding. | ||
Standard Mandatory DOD Notice and Consent Banner: | ||
\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: | ||
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. | ||
-At any time, the USG may inspect and seize data stored on this IS. | ||
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. | ||
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. | ||
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\" | ||
" | ||
desc 'fix', " | ||
Navigate to and open: | ||
/etc/ssh/sshd_config_effective | ||
Ensure the \"Banner\" line is uncommented and set to the following: | ||
Banner /etc/issue | ||
Navigate to and open: | ||
/etc/issue | ||
Ensure the file contains the Standard Mandatory DoD Notice and Consent Banner. | ||
\"You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: | ||
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. | ||
-At any time, the USG may inspect and seize data stored on this IS. | ||
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG authorized purpose. | ||
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. | ||
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.\" | ||
At the command line, run the following command: | ||
# systemctl restart sshd.service | ||
" | ||
impact 0.5 | ||
tag severity: 'medium' | ||
tag gtitle: 'SRG-OS-000023-GPOS-00006' | ||
tag satisfies: ['SRG-OS-000228-GPOS-00088'] | ||
tag gid: 'V-PHTN-30-000003' | ||
tag rid: 'SV-PHTN-30-000003' | ||
tag stig_id: 'PHTN-30-000003' | ||
tag cci: ['CCI-000048', 'CCI-001384'] | ||
tag nist: ['AC-8 a', 'AC-8 c 1'] | ||
|
||
sshdcommand = input('sshdcommand') | ||
describe command("#{sshdcommand}|&grep -i Banner") do | ||
its('stdout.strip') { should cmp 'Banner /etc/issue' } | ||
end | ||
|
||
describe file('/etc/issue') do | ||
its('content') { should match /You are accessing a U\.S\. Government/ } | ||
end | ||
end |
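Review bot: the /etc/issue test is much weaker than the check. The check requires the full Standard Mandatory DOD Notice and Consent Banner, but `its('content') { should match /You are accessing a U\.S\. Government/ }` passes on the first eight words, so a trimmed or edited banner still passes. Match a few distinctive fragments as well (for example `COMSEC monitoring` and `See User Agreement for details`), or the whole text with whitespace normalised. Two smaller points: `#{sshdcommand}|&grep -i Banner` relies on the bash-only `|&` pipe, which is a syntax error under a POSIX /bin/sh, so the expected value of the `sshdcommand` input and the shell the target uses should be documented with the control; and the check text expects `banner /etc/issue` (sshd -T prints keywords in lowercase) while the test compares against `'Banner /etc/issue'`, which only passes because `cmp` is case-insensitive. `should match /^banner \/etc\/issue$/i` would make that intent explicit.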