azure / ato-toolkit

On this page you'll find everything you need to get started with the Azure blueprint for Zero Trust. This blueprint is currently in preview.

License: MIT License

PowerShell 51.38% Shell 18.25% Makefile 0.12% HCL 4.18% Dockerfile 0.14% Go 3.89% Mustache 0.24% Open Policy Agent 8.05% HTML 2.61% Python 0.10% CSS 4.43% JavaScript 1.17% C# 0.26% SCSS 3.10% XSLT 0.43% Pug 0.02% Jinja 1.63%

ato-toolkit's Introduction

Welcome to Azure's DoD DevSecOps Enterprise Open Source Solutions!

In this repository you will find DevSecOps solutions that will kickstart your path to DoD application development, authorization, and deployment.

  1. Zero Trust Architecture Blueprint
  2. Software Factory
  3. STIG

ato-toolkit's People

Contributors

bcwilhite, carlowahlstedt, coreyperkins, dependabot[bot], erjenkin, jomolesk, marcvaneijk, microsoftopensource, niralishah130, pgcarlowahlstedt, sdubeymsft, shpriyams, shruti5488, todorgb


ato-toolkit's Issues

Ask about OS support.

I want to use Ubuntu 22.04 with security hardening.

  1. Does ubuntuSTIG.sh support deployment on Ubuntu 22.04 as an extension?

ubuntuSTIG.sh not explicitly setting file permissions on newly created files

The ubuntuSTIG.sh backs up two files (backup.common-password and backup.common-auth) and creates two new files. The two new files are created using output redirection. The current configuration is relying on the "umask" settings to set the new file's permissions. This is not a recommended approach and is causing my configuration to stop working. In my case, I have added the following two commands to ensure the permissions are set appropriately for operation.

echo "Creating /etc/pam.d/common-password to meet STIG requirements..."
mv --force /etc/pam.d/common-password /etc/pam.d/backup.common-password
echo "# Generated by Microsoft.Azure.Extensions/CustomScript" > /etc/pam.d/common-password
echo "# Original common-password was moved to /etc/pam.d/backup.common-password" >> /etc/pam.d/common-password
echo "password\trequisite\t\t\tpam_pwquality.so retry=3 enforce_for_root" >> /etc/pam.d/common-password
echo "password\t[success=1 default=ignore]\tpam_unix.so obscure sha512 shadow remember=5 rounds=5000" >> /etc/pam.d/common-password
echo "password\trequired\t\t\tpam_permit.so" >> /etc/pam.d/common-password

chmod 644 /etc/pam.d/common-password

echo "Creating /etc/pam.d/common-auth to meet STIG requirements..."
mv --force /etc/pam.d/common-auth /etc/pam.d/backup.common-auth
echo "# Generated by Microsoft.Azure.Extensions/CustomScript" > /etc/pam.d/common-auth
echo "# Original common-auth was moved to /etc/pam.d/backup.common-auth" >> /etc/pam.d/common-auth
echo "auth\trequired\t\t\tpam_tally2.so onerr=fail deny=3" >> /etc/pam.d/common-auth
echo "auth\trequired\t\t\tpam_faildelay.so delay=4000000" >> /etc/pam.d/common-auth
echo "auth\t[success=1 default=ignore]\tpam_unix.so nullok_secure" >> /etc/pam.d/common-auth
echo "auth\trequisite\t\t\tpam_deny.so" >> /etc/pam.d/common-auth
echo "auth\trequired\t\t\tpam_permit.so" >> /etc/pam.d/common-auth
echo "auth\toptional\t\t\tpam_cap.so" >> /etc/pam.d/common-auth
echo "# auth\t[success=2 default=ignore]\tpam_pkcs11.so" >> /etc/pam.d/common-auth

chmod 644 /etc/pam.d/common-auth
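The umask dependence described in this issue, as an added example that is not ato-toolkit code or the poster's script: the first function reproduces the redirect pattern, the second creates the file with an explicit mode before moving it into place. The function names, the scratch paths and the 077 umask are this example's own assumptions; it assumes GNU coreutils (stat -c, mktemp) and should be run against scratch files, not /etc/pam.d.

```shell
#!/bin/sh
# Added example, not ato-toolkit code. A file created by output redirection
# gets its mode from whatever umask the caller has; an explicit chmod (or
# install -m) fixes the mode regardless of umask.
# Assumes GNU coreutils (stat -c, mktemp); all paths used here are scratch paths.

# Weak pattern from the script under discussion: the mode of "$1" is decided
# entirely by the umask in effect when the redirect runs.
write_via_redirect() {
    target="$1"
    rm -f "$target"
    echo "# Generated via redirect" > "$target"
    echo "password required pam_permit.so" >> "$target"
}

# Hardened pattern: build the file at a temp path, set the mode explicitly,
# then move it into place so readers never see a half-written config file.
write_with_mode() {
    target="$1"
    mode="${2:-0644}"
    tmp="$(mktemp "${target}.XXXXXX")"
    {
        echo "# Generated with explicit mode $mode"
        echo "password required pam_permit.so"
    } > "$tmp"
    chmod "$mode" "$tmp"
    mv -f "$tmp" "$target"
}

# Octal permission bits of a file, e.g. 644.
file_mode() {
    stat -c '%a' "$1"
}

# Demonstration under a restrictive umask, as a hardened host may well have.
demo_dir="$(mktemp -d)"
(
    umask 077
    write_via_redirect "$demo_dir/common-password.redirect"
    write_with_mode "$demo_dir/common-password.explicit"
)
echo "redirect under umask 077: $(file_mode "$demo_dir/common-password.redirect")"   # 600
echo "explicit chmod:           $(file_mode "$demo_dir/common-password.explicit")"   # 644
rm -rf "$demo_dir"
```

Under umask 022 the redirect happens to produce 644 as well, which is why the original script works on some hosts and not others; the explicit-mode variant produces 644 in both cases, and the temp-file-then-mv step also keeps PAM from reading a partially written file.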

Jumpbox subnet association

The artifact 'jumpbox' of type 'Template' failed to deploy due to the following error: Template deployment failed with error [ { "code": "AzureBastionSubnet", "message": "Subnet with name 'AzureBastionSubnet' can be used only for the Azure Bastion resource." } ]
Per the documentation, nothing else is allowed in the Bastion subnet, so no VM NIC.

{
          "type": "Microsoft.Network/networkInterfaces",
          "apiVersion": "2017-09-01",
          "condition": "[equals(parameters('jumpbox-os'), 'Windows')]",
          "location": "[resourceGroup().location]",
          "name": "[concat(variables('windows-virtualMachine-name-prefix'), '-bastion-nic')]",
          "properties": {
            "ipConfigurations": [
              {
                "name": "ipconfig1",
                "properties": {
                  "privateIPAllocationMethod": "Dynamic",
                  "subnet": {
                    "id": "[variables('bastion-subnet-id')]"
                  }
                }
              }
            ]
          }
        },

Wrong subnet name

"Subnet: The subnet in your virtual network where the new Bastion host will be deployed. The subnet will be dedicated to the Bastion host and must be named as AzureBastionSubnet. This subnet must be at least /27 or larger."

The current name in *\automation\zero-trust-architecture\blueprint\artifacts\net.json is just "bastion".
Connected issues:
*\automation\zero-trust-architecture\blueprint\artifacts\jumpbox.json has a variable using the wrong name.
*\automation\zero-trust-architecture\blueprint\artifacts\keyvault.json has a variable using the wrong name.

Unclear metadata description

In mainTemplate.json, around line 85, the template lists:

"autoInstallDependencies": {
            "type": "bool",
            "defaultValue": false,
            "metadata": {
                "description": "Boolean value to indicate an online or offline environment."
            }
        },

The description says "to indicate an online or offline environment", but doesn't say which value corresponds to online and which to offline. It would be nice to be a bit clearer.

Windows 10 SKU out of support

The only Windows 10 SKU supported in the template is 19h2, a version of Windows 10 that is no longer supported.

duplicate audit rules

Problem

There are duplicate rules defined in the audit rules file. This causes issues when trying to reload the rules (using augenrules --load) or adding new rules.

After deploying the Azure STIG template on an Ubuntu image, I get the following error message:

root@my-vm:/etc/audit# augenrules --load
/sbin/augenrules: No change
No rules
enabled 1
failure 1
pid 820
rate_limit 0
backlog_limit 8192
lost 0
backlog 6
backlog_wait_time 0
enabled 1
failure 1
pid 820
rate_limit 0
backlog_limit 8192
lost 0
backlog 1
backlog_wait_time 0
enabled 1
failure 1
pid 820
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 0
Error sending add rule data request (Rule exists)
There was an error in line 123 of /etc/audit/audit.rules

Here is the full contents of /etc/audit/audit.rules with line numbers

1 ## This file is automatically generated from /etc/audit/rules.d
2 -D
3 -b 8192
4 -f 1
5 --backlog_wait_time 0
6 -w /var/log/tallylog -p wa -k logins
7 -w /var/log/faillog -p wa -k logins
8 -w /var/log/lastlog -p wa -k logins
9 -w /var/log/sudo.log -p wa -k priv_actions
10 -w /var/log/wtmp -p wa -k logins
11 -w /var/run/utmp -p wa -k logins
12 -w /var/log/btmp -p wa -k logins
13 -w /etc/passwd -p wa -k usergroup_modification
14 -w /etc/group -p wa -k usergroup_modification
15 -w /etc/gshadow -p wa -k usergroup_modification
16 -w /etc/shadow -p wa -k usergroup_modification
17 -w /etc/security/opasswd -p wa -k usergroup_modification
18 -a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-priv_change
19 -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn
20 -a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount
21 -a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-umount
22 -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh
23 -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh
24 -a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=-1 -k perm_mod
25 -a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
26 -a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=-1 -k perm_mod
27 -a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
28 -a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
29 -a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
30 -a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
31 -a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
32 -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
33 -a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
34 -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
35 -a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
36 -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_mod
37 -a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
38 -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_mod
39 -a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
40 -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
41 -a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
42 -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
43 -a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
44 -a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
45 -a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
46 -a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
47 -a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
48 -a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=-1 -k perm_chng
49 -a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=-1 -k perm_chng
50 -a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=-1 -k perm_chng
51 -a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=-1 -k perm_chng
52 -a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=-1 -k perm_chng
53 -a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=-1 -k perm_chng
54 -a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=-1 -k perm_chng
55 -a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=-1 -k perm_chng
56 -a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=-1 -k perm_chng
57 -a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=-1 -k perm_chng
58 -a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=-1 -k perm_chng
59 -a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=-1 -k perm_chng
60 -a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng
61 -a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng
62 -a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
63 -a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
64 -a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
65 -a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
66 -a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
67 -a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
68 -a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
69 -a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
70 -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
71 -a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
72 -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
73 -a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
74 -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
75 -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
76 -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
77 -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
78 -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
79 -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
80 -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
81 -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
82 -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-passwd
83 -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update
84 -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-gpasswd
85 -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chage
86 -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-usermod
87 -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-crontab
88 -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-pam_timestamp_check
89 -a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=-1 -k module_chng
90 -a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=-1 -k module_chng
91 -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv
92 -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv
93 -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv
94 -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv
95 -a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_chng
96 -a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_chng
97 -a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_chng
98 -a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_chng
99 -a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_chng
100 -a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_chng
101 -a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=-1 -k delete
102 -a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=-1 -k delete
103 -a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=-1 -k delete
104 -a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=-1 -k delete
105 -a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=-1 -k delete
106 -a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=-1 -k delete
107 -a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=-1 -k delete
108 -a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=-1 -k delete
109 -a always,exit -F arch=b32 -S init_module -S finit_module -k modules
110 -a always,exit -F arch=b64 -S init_module -S finit_module -k modules
111 -a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
112 -a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
113 -a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
114 -a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
115 -a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
116 -a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
117 -a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
118 -a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
119 -a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
120 -a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
121 -a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
122 -a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
123 -a always,exit -F arch=b64 -S init_module -S finit_module -F key=modules
124 -a always,exit -F arch=b32 -S init_module -S finit_module -F key=modules
125 -a always,exit -F arch=b64 -S delete_module -F key=modules
126 -a always,exit -F arch=b32 -S delete_module -F key=modules
127 -w /sbin/modprobe -p x -k modules
128 -w /bin/kmod -p x -k module
129 -w /sbin/fdisk -p x -k fdisk

/etc/audit/audit.rules is generated from /etc/audit/rules.d/audit.rules. Removing the following two rules from /etc/audit/rules.d/audit.rules appears to fix the problem:

-a always,exit -F arch=b64 -S delete_module -F key=modules
-a always,exit -F arch=b32 -S delete_module -F key=modules

This allows augenrules to then parse the rules file correctly.

root@my-vm:/etc/audit# augenrules --load
No rules
enabled 1
failure 1
pid 820
rate_limit 0
backlog_limit 8192
lost 0
backlog 7
backlog_wait_time 0
enabled 1
failure 1
pid 820
rate_limit 0
backlog_limit 8192
lost 0
backlog 1
backlog_wait_time 0
enabled 1
failure 1
pid 820
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 0

UBTU-18-010038 - the provided solution is ill-formatted

The standard DoD Notice/Consent Banner is incorrect. It is not an exact match to the expected text and therefore fails automatic compliance scans. This is the associated STIG rule.

Here is the banner that the ato-toolkit currently produces (when run on an Ubuntu 18.04 VM)

Ubuntu 18.04.6 LTS \n \l

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions.

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

And here is the text it should be for automatic compliance scans (e.g. Nessus ACAS) to pass:

You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only.

By using this IS (which includes any device attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

Solution:

  1. The header in the first two lines should be removed entirely.
  2. There is a punctuation error in the third line: "...you consent to the following conditions." should be "...you consent to the following conditions:". Note the period should be a colon.

audit rules not defined in correct format

Problem

The audit rules (/etc/audit/rules.d/audit.rules) that get written by ato-toolkit are formatted in a way that compliance scans flag as potential vulnerabilities when they really aren't. This leads to many unnecessary false positives when users run automated checks with compliance scanning tools that expect a particular format.

The ato-toolkit produces the following audit rules at /etc/audit/rules.d/audit.rules

## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 0

## Set failure mode to syslog
-f 1

-w /var/log/tallylog -p wa -k logins
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/sudo.log -p wa -k priv_actions
-w /var/log/wtmp -p wa -k logins
-w /var/run/utmp -p wa -k logins
-w /var/log/btmp -p wa -k logins
-w /etc/passwd -p wa -k usergroup_modification
-w /etc/group -p wa -k usergroup_modification
-w /etc/gshadow -p wa -k usergroup_modification
-w /etc/shadow -p wa -k usergroup_modification
-w /etc/security/opasswd -p wa -k usergroup_modification
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn
-a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount
-a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-umount
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh
-a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh
-a always,exit -F arch=b32 -S setxattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -F auid=0 -k perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b32 -S lsetxattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S lsetxattr -F auid=0 -k perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b32 -S fsetxattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S fsetxattr -F auid=0 -k perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b32 -S removexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S removexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b32 -S lremovexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S lremovexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b32 -S fremovexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod
-a always,exit -F arch=b64 -S fremovexattr -F auid=0 -k perm_mod
-a always,exit -F arch=b32 -S chown -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b32 -S fchown -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b32 -S fchownat -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b32 -S lchown -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b32 -S chmod -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b32 -S fchmod -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b32 -S fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b32 -S open -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b32 -S open -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S open -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S open -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b32 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b32 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S openat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b32 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-passwd
-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-gpasswd
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chage
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-usermod
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-crontab
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-pam_timestamp_check
-a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=-1 -k module_chng
-a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=-1 -k module_chng
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv
-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b32 -S fsetxattr -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b32 -S removexattr -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b32 -S lremovexattr -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b64 -S unlink -F auid>=1000 -F auid!=-1 -k delete
-a always,exit -F arch=b32 -S unlink -F auid>=1000 -F auid!=-1 -k delete
-a always,exit -F arch=b64 -S unlinkat -F auid>=1000 -F auid!=-1 -k delete
-a always,exit -F arch=b32 -S unlinkat -F auid>=1000 -F auid!=-1 -k delete
-a always,exit -F arch=b64 -S rename -F auid>=1000 -F auid!=-1 -k delete
-a always,exit -F arch=b32 -S rename -F auid>=1000 -F auid!=-1 -k delete
-a always,exit -F arch=b64 -S renameat -F auid>=1000 -F auid!=-1 -k delete
-a always,exit -F arch=b32 -S renameat -F auid>=1000 -F auid!=-1 -k delete
-a always,exit -F arch=b32 -S init_module -S finit_module -k modules
-a always,exit -F arch=b64 -S init_module -S finit_module -k modules
-a always,exit -F arch=b32 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b32 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S truncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S truncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b32 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b32 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b32 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S creat -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S creat -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access
-a always,exit -F arch=b64 -S init_module -S finit_module -F key=modules
-a always,exit -F arch=b32 -S init_module -S finit_module -F key=modules
-a always,exit -F arch=b64 -S delete_module -F key=modules
-a always,exit -F arch=b32 -S delete_module -F key=modules
-w /sbin/modprobe -p x -k modules
-w /bin/kmod -p x -k module
-w /sbin/fdisk -p x -k fdisk

Solution

Every rule that contains the text auid!=-1 should be replaced with auid!=4294967295. The audit man pages state that -1 and 4294967295 are equivalent, but compliance checker tools (e.g. Nessus) don't always respect this.

The STIG benchmark rules (here for example) all state that the rules should be defined with auid!=4294967295 even though they check for the auid!=-1 format with auditctl.

This affects at least the following STIG vulnerability IDs:

V-219238
V-219239
V-219240
V-219241
V-219242
V-219243
V-219244
V-219245
V-219246
V-219247
V-219248
V-219249
V-219250
V-219251
V-219252
V-219253
V-219254
V-219255
V-219256
V-219257
V-219261
V-219262
V-219263
V-219264
V-219265
V-219266
V-219267
V-219268
V-219269
V-219270
V-219271
V-219272
V-219273
V-219274
V-219275
V-219276
V-219277
V-219279
V-219284
V-219285
V-219286
V-219287
V-219288
V-219289
V-219290
V-219293
V-219294
V-219295
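A pre-flight check for the two rules.d problems raised in this issue and in the "duplicate audit rules" issue above, as an added example rather than ato-toolkit code: it rewrites auid!=-1 to auid!=4294967295 for the scanners, and reports rules that collide once the two key spellings auditctl accepts (-k KEY and -F key=KEY) are unified, which is what makes augenrules --load stop with "Rule exists". The sample rules embedded in the block are constructed from the shapes shown in the issues, not a real rules.d file, and the function names (normalize_auid, canonical_rules, find_duplicate_rules, assert_no_duplicates, sample_rules) are this example's own. It assumes POSIX sed, awk, sort and uniq and does not need auditctl.

```shell
#!/bin/sh
# Added example, not ato-toolkit code: lint an auditd rules.d file before
# running augenrules --load. Assumes POSIX sed/awk/sort/uniq only.

# Print the rules with auid!=-1 rewritten to the numeric form auid!=4294967295
# that the STIG check text and compliance scanners expect. Output goes to
# stdout so the result can be diffed before replacing the file.
normalize_auid() {
    sed -e 's/auid!=-1\([^0-9]\)/auid!=4294967295\1/g' \
        -e 's/auid!=-1$/auid!=4294967295/' "$1"
}

# Canonical form of each rule for comparison only: comments and blank lines
# dropped, whitespace squeezed, and a trailing "-k KEY" rewritten as
# "-F key=KEY" because auditctl treats the two as the same filter.
canonical_rules() {
    sed -e 's/#.*$//' \
        -e 's/[[:space:]]\{1,\}/ /g' \
        -e 's/^ //' -e 's/ $//' \
        -e 's/ -k \([^ ]*\)$/ -F key=\1/' "$1" | awk 'NF'
}

# Print each rule that appears more than once (in canonical form), once.
find_duplicate_rules() {
    canonical_rules "$1" | sort | uniq -d
}

# Return 1 and list the offenders if the file would trip "Rule exists".
assert_no_duplicates() {
    dups="$(find_duplicate_rules "$1")"
    [ -z "$dups" ] && return 0
    printf 'duplicate audit rules in %s:\n%s\n' "$1" "$dups" >&2
    return 1
}

# Constructed sample (not a real rules.d file) mirroring the issues above:
# the init_module/finit_module rules appear once spelled with -k and again
# with -F key=, which the kernel sees as the same rule.
sample_rules() {
    cat <<'EOF'
## First rule - delete all
-D
-b 8192
-f 1
-w /etc/shadow -p wa -k usergroup_modification
-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=-1 -k perm_chng
-a always,exit -F arch=b32 -S init_module -S finit_module -k modules
-a always,exit -F arch=b64 -S init_module -S finit_module -k modules
-a always,exit -F arch=b64 -S init_module -S finit_module -F key=modules
-a always,exit -F arch=b32 -S init_module -S finit_module -F key=modules
-a always,exit -F arch=b64 -S delete_module -F key=modules
-w /sbin/modprobe -p x -k modules
EOF
}

# Demonstration on the constructed sample.
tmp="$(mktemp)"
sample_rules > "$tmp"
echo "== rules that would trip 'Rule exists' =="
assert_no_duplicates "$tmp" || echo "(fix rules.d before running augenrules --load)"
echo "== scanner-friendly form (auid!=4294967295) =="
normalize_auid "$tmp"
rm -f "$tmp"
```

On the constructed sample the duplicate finder reports the two init_module/finit_module rules (one per arch) and leaves the delete_module rule alone, since nothing else collides with it. Run find_duplicate_rules against /etc/audit/rules.d/audit.rules before augenrules --load, and pipe normalize_auid into a new file rather than editing in place so the change can be reviewed first.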
