forked from gdg-x/aura
-
Notifications
You must be signed in to change notification settings - Fork 13
/
Copy pathnormalize.json
251 lines (251 loc) · 24 KB
/
normalize.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
{
"normalize": [
{
"header": "Heimdall Data Format",
"desc": "One major barrier to security automation is having multiple security tools that do not use a common format for representing security data. MITRE SAF uses the Heimdall Data Format (HDF) as a common format to represent normalized security data. HDF files record vital security data about a completed validation test, such as the test code, description, attributes, and outcome. This allows for the aggregation and analysis of test results from a wide range of validation tools at once."
},
{
"header": "HDF Core Elements",
"desc": "HDF uses a common alignment point of the core elements of testing results data so that we can transform multiple formats. The goal is to preserve metadata from unique testing formats as tags when translated into HDF. HDF requires the following core data elements to standardize the testing results data from various formats.",
"bullets": [
{ "main": "Test Title – High level overview of the test(s) goal" },
{ "main": "Test Description – Details on the intent and possible impact" },
{ "main": "Test Audit, aka ‘check text’ – the validation actions we are asking of the end user" },
{ "main": "Test Remediation, aka ‘fix text’ – the remediation actions we are asking of the end user" },
{ "main": "NIST SP 800-53 Control Alignment(s) – the NIST SP 800-53 security control this test(s) relates to" },
{ "main": "Test Severity - The static default of the control categorization impact" },
{ "main": "Test Impact - The context-specific severity during testing" },
{
"main": "Other data tags specific to the source benchmark – other data elements that enhance the context of the test(s)",
"sub": [
"CIS - tags such as the level, version and scoring status of the CIS benchmark",
"DISA STIG - tags such as the DISA Common Correlation Index Identifier (CCI)"
]
},
{ "main": "Test Elements – the individual tests that make up the actions in the ‘Check Text’" }
],
"footer" : "Properly created InSpec profiles naturally produce results in this format. To create HDF files using non-InSpec tool output, we provide <a href='https://saf-cli.mitre.org/#convert' target='_blank'>saf convert</a>."
},
{
"header": "HDF Schema",
"desc": "While the core elements of HDF describe individual controls, the full schema of an HDF output file describes a set of security validation profiles (such as InSpec profiles) that were executed against a target system, the controls included in those profiles, and the results they generated. HDF output also includes helpful statistics such as which controls passed, which failed, and which were skipped as non-applicable.",
"jsonviewer": [
{
"title": "Schema",
"url": "https://raw.githubusercontent.com/mitre/heimdall2/master/libs/inspecjs/schemas/exec-json.json"
},
{
"title": "Example Ubuntu 16.04 STIG baseline requirement V-75443",
"json": {
"platform": { "name": "ubuntu", "release": "16.04" },
"profiles": [
{
"name": "Canonical Ubuntu 16.04 LTS Security Technical Implementation Guide",
"version": "0.2.0",
"sha256": "b5d892ca3aeef2a34bbb1621ca1aa3837c056b41dc04f1ba39a522ee1b9ac31d",
"title": "Canonical Ubuntu 16.04 LTS Security Technical Implementation Guide",
"maintainer": "The Authors",
"summary": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected].",
"license": "Apache-2.0",
"copyright": "The Authors",
"copyright_email": "[email protected]",
"supports": [{ "platform-name": "ubuntu", "release": "16.04" }],
"attributes": [],
"groups": [
{ "id": "controls/V-75443.rb", "controls": ["V-75443"] }
],
"controls": [
{
"id": "V-75443",
"title": "The Ubuntu operating system must limit the number of concurrent\nsessions to ten for all accounts and/or account types.",
"desc": "Ubuntu operating system management includes the ability to control the\nnumber of users and user sessions that utilize an Ubuntu operating system.\nLimiting the number of allowed users and sessions per user is helpful in\nreducing the risks related to DoS attacks.\n\n This requirement addresses concurrent sessions for information system\naccounts and does not address concurrent sessions by single users via multiple\nsystem accounts. The maximum number of concurrent sessions should be defined\nbased upon mission needs and the operational environment for each system.",
"descriptions": [
{
"label": "default",
"data": "Ubuntu operating system management includes the ability to control the\nnumber of users and user sessions that utilize an Ubuntu operating system.\nLimiting the number of allowed users and sessions per user is helpful in\nreducing the risks related to DoS attacks.\n\n This requirement addresses concurrent sessions for information system\naccounts and does not address concurrent sessions by single users via multiple\nsystem accounts. The maximum number of concurrent sessions should be defined\nbased upon mission needs and the operational environment for each system."
},
{
"label": "check",
"data": "Verify that the Ubuntu operating system limits the number of\nconcurrent sessions to \"10\" for all accounts and/or account types by running\nthe following command:\n\n# grep maxlogins /etc/security/limits.conf\n\nThe result must contain the following line:\n\n* hard maxlogins 10\n\nIf the \"maxlogins\" item is missing or the value is not set to \"10\" or less,\nor is commented out, this is a finding."
},
{
"label": "fix",
"data": "Configure the Ubuntu operating system to limit the number of\nconcurrent sessions to ten for all accounts and/or account types.\n\nAdd the following line to the top of the /etc/security/limits.conf:\n\n* hard maxlogins 10"
}
],
"impact": 0.3,
"refs": [],
"tags": {
"gtitle": "SRG-OS-000027-GPOS-00008",
"gid": "V-75443",
"rid": "SV-90123r2_rule",
"stig_id": "UBTU-16-010070",
"fix_id": "F-82071r1_fix",
"cci": ["CCI-000054"],
"nist": ["AC-10", "Rev_4"],
"false_negatives": null,
"false_positives": null,
"documentable": false,
"mitigations": null,
"severity_override_guidance": false,
"potential_impacts": null,
"third_party_tools": null,
"mitigation_controls": null,
"responsibility": null,
"ia_controls": null
},
"code": "control 'V-75443' do\n title \"The Ubuntu operating system must limit the number of concurrent\nsessions to ten for all accounts and/or account types.\"\n desc \"Ubuntu operating system management includes the ability to control the\nnumber of users and user sessions that utilize an Ubuntu operating system.\nLimiting the number of allowed users and sessions per user is helpful in\nreducing the risks related to DoS attacks.\n\n This requirement addresses concurrent sessions for information system\naccounts and does not address concurrent sessions by single users via multiple\nsystem accounts. The maximum number of concurrent sessions should be defined\nbased upon mission needs and the operational environment for each system.\n \"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000027-GPOS-00008'\n tag \"gid\": 'V-75443'\n tag \"rid\": 'SV-90123r2_rule'\n tag \"stig_id\": 'UBTU-16-010070'\n tag \"fix_id\": 'F-82071r1_fix'\n tag \"cci\": ['CCI-000054']\n tag \"nist\": %w[AC-10 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the Ubuntu operating system limits the number of\nconcurrent sessions to \\\"10\\\" for all accounts and/or account types by running\nthe following command:\n\n# grep maxlogins /etc/security/limits.conf\n\nThe result must contain the following line:\n\n* hard maxlogins 10\n\nIf the \\\"maxlogins\\\" item is missing or the value is not set to \\\"10\\\" or less,\nor is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to limit the number of\nconcurrent sessions to ten for all accounts and/or account types.\n\nAdd the following line to the top of the /etc/security/limits.conf:\n\n* hard maxlogins 10\"\n\n describe limits_conf do\n its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] }\n end\nend\n",
"source_location": {
"line": 3,
"ref": "canonical-ubuntu-16.04-lts-stig-baseline-master/controls/V-75443.rb"
},
"waiver_data": {},
"results": [
{
"status": "failed",
"code_desc": "limits.conf * is expected to include [\"hard\", \"maxlogins\", \"10\"]",
"run_time": 0.000519,
"start_time": "2020-05-14T17:47:39-04:00",
"message": "expected [[\"hard\", \"core\", \"0\"]] to include [\"hard\", \"maxlogins\", \"10\"]"
}
]
}
],
"status": "loaded"
}
],
"statistics": { "duration": 23.865506 },
"version": "4.18.100"
}
}
],
"image": "hdf-schema-diagram"
},
{
"header": "saf convert",
"desc": "MITRE SAF's <a href='https://saf-cli.mitre.org/#convert' target='_blank'>saf convert option</a> allows the conversion of output from widely used automated security testing tools into HDF (and from HDF into other common formats). SAF CLI has converters for tools and formats such as:",
"bullets": [
{ "main": "AWS Security Hub" },
{ "main": "Burp Suite" },
{ "main": "DISA CKL files" },
{ "main": "DISA XCCDF results files" },
{ "main": "DBProtect" },
{ "main": "Fortify" },
{ "main": "JFrog Xray" },
{ "main": "Netsparker" },
{ "main": "Nikto" },
{ "main": "Prowler" },
{ "main": "Sarif" },
{ "main": "Scoutsuite" },
{ "main": "Sonarqube" },
{ "main": "Snyk" },
{ "main": "Tenable Nessus" },
{ "main": "Trivy" },
{ "main": "OWASP ZAP" }
],
"footer": "For instructions on using the converter function, check out the page for SAF CLI linked above. If you need a converter that is not on the list, reach out to us to discuss creating a new one (or write your own!)."
},
{
"header": "InSpec Control Template Examples That Support Proper Generation of HDF Output",
"desc": "As we have developed HDF, we have found these common elements help structure well-written and complete security automation baselines. Below are some examples of InSpec control structures that align to the MITRE HDF format.",
"examples": [
{
"code": "control 'V-75443' do\n title \"The Ubuntu operating system must limit the number of concurrent\nsessions to ten for all accounts and/or account types.\"\n desc \"Ubuntu operating system management includes the ability to control the\nnumber of users and user sessions that utilize an Ubuntu operating system.\nLimiting the number of allowed users and sessions per user is helpful in\nreducing the risks related to DoS attacks.\n\n This requirement addresses concurrent sessions for information system\naccounts and does not address concurrent sessions by single users via multiple\nsystem accounts. The maximum number of concurrent sessions should be defined\nbased upon mission needs and the operational environment for each system.\n \"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000027-GPOS-00008'\n tag \"gid\": 'V-75443'\n tag \"rid\": 'SV-90123r2_rule'\n tag \"stig_id\": 'UBTU-16-010070'\n tag \"fix_id\": 'F-82071r1_fix'\n tag \"cci\": ['CCI-000054']\n tag \"nist\": %w[AC-10 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the Ubuntu operating system limits the number of\nconcurrent sessions to \\\"10\\\" for all accounts and/or account types by running\nthe following command:\n\n# grep maxlogins /etc/security/limits.conf\n\nThe result must contain the following line:\n\n* hard maxlogins 10\n\nIf the \\\"maxlogins\\\" item is missing or the value is not set to \\\"10\\\" or less,\nor is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to limit the number of\nconcurrent sessions to ten for all accounts and/or account types.\n\nAdd the following line to the top of the /etc/security/limits.conf:\n\n* hard maxlogins 10\"\n\n describe limits_conf do\n its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] }\n end\nend\n",
"syntax": "ruby",
"title": "STIG/SRG Template"
},
{
"code": "# encoding: UTF-8\n \ncontrol \"C-1.1.1.1\" do\n title \"Ensure mounting of cramfs filesystems is disabled\"\n desc \"The `cramfs` filesystem type is a compressed read-only Linux\n filesystem embedded in small footprint systems. A `cramfs` image can be \n used without having to first decompress the image.\"\n \n desc \"rationale\", \"Removing support for unneeded filesystem types reduces\n the local attack surface of the server. If this filesystem type is not needed,\n disable it.\"\n \n impact 0.7\n tag severity: 'high'\n tag nist: [\"CM-6\"]\n tag cis_scored: true\n tag cis_version: 1.2.0\n tag cis_level: 3\n tag cis_controls: [\"5.1\"]\n tag cis_cdc_version: 7\n tag cis_rid: \"1.1.1.1\"\n \n desc \"check\", \"Run the following commands and verify the output is as \n indicated:\n \n # modprobe -n -v cramfs | grep -v mtd\n install /bin/true\n # lsmod | grep cramfs\"\n \n desc \"fix\", \"Edit or create a file in the `/etc/modprobe.d/` directory ending in \n .conf\n Example: `vi /etc/modprobe.d/cramfs.conf`\n and add the following line:\n install cramfs /bin/true\n Run the following command to unload the `cramfs` module:\n # rmmod cramfs\"\n \n describe kernel_module('cramfs') do\n it { should_not be_loaded }\n it { should be_disabled }\n it { should be_blacklisted }\n end\n \nend\n",
"syntax": "ruby",
"title": "CIS Template"
},
{
"code": {
"platform": { "name": "ubuntu", "release": "16.04" },
"profiles": [
{
"name": "Canonical Ubuntu 16.04 LTS Security Technical Implementation Guide",
"version": "0.2.0",
"sha256": "b5d892ca3aeef2a34bbb1621ca1aa3837c056b41dc04f1ba39a522ee1b9ac31d",
"title": "Canonical Ubuntu 16.04 LTS Security Technical Implementation Guide",
"maintainer": "The Authors",
"summary": "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected].",
"license": "Apache-2.0",
"copyright": "The Authors",
"copyright_email": "[email protected]",
"supports": [{ "platform-name": "ubuntu", "release": "16.04" }],
"attributes": [],
"groups": [
{ "id": "controls/V-75443.rb", "controls": ["V-75443"] }
],
"controls": [
{
"id": "V-75443",
"title": "The Ubuntu operating system must limit the number of concurrent\nsessions to ten for all accounts and/or account types.",
"desc": "Ubuntu operating system management includes the ability to control the\nnumber of users and user sessions that utilize an Ubuntu operating system.\nLimiting the number of allowed users and sessions per user is helpful in\nreducing the risks related to DoS attacks.\n\n This requirement addresses concurrent sessions for information system\naccounts and does not address concurrent sessions by single users via multiple\nsystem accounts. The maximum number of concurrent sessions should be defined\nbased upon mission needs and the operational environment for each system.",
"descriptions": [
{
"label": "default",
"data": "Ubuntu operating system management includes the ability to control the\nnumber of users and user sessions that utilize an Ubuntu operating system.\nLimiting the number of allowed users and sessions per user is helpful in\nreducing the risks related to DoS attacks.\n\n This requirement addresses concurrent sessions for information system\naccounts and does not address concurrent sessions by single users via multiple\nsystem accounts. The maximum number of concurrent sessions should be defined\nbased upon mission needs and the operational environment for each system."
},
{
"label": "check",
"data": "Verify that the Ubuntu operating system limits the number of\nconcurrent sessions to \"10\" for all accounts and/or account types by running\nthe following command:\n\n# grep maxlogins /etc/security/limits.conf\n\nThe result must contain the following line:\n\n* hard maxlogins 10\n\nIf the \"maxlogins\" item is missing or the value is not set to \"10\" or less,\nor is commented out, this is a finding."
},
{
"label": "fix",
"data": "Configure the Ubuntu operating system to limit the number of\nconcurrent sessions to ten for all accounts and/or account types.\n\nAdd the following line to the top of the /etc/security/limits.conf:\n\n* hard maxlogins 10"
}
],
"impact": 0.3,
"refs": [],
"tags": {
"gtitle": "SRG-OS-000027-GPOS-00008",
"gid": "V-75443",
"rid": "SV-90123r2_rule",
"stig_id": "UBTU-16-010070",
"fix_id": "F-82071r1_fix",
"cci": ["CCI-000054"],
"nist": ["AC-10", "Rev_4"],
"false_negatives": null,
"false_positives": null,
"documentable": false,
"mitigations": null,
"severity_override_guidance": false,
"potential_impacts": null,
"third_party_tools": null,
"mitigation_controls": null,
"responsibility": null,
"ia_controls": null
},
"code": "control 'V-75443' do\n title \"The Ubuntu operating system must limit the number of concurrent\nsessions to ten for all accounts and/or account types.\"\n desc \"Ubuntu operating system management includes the ability to control the\nnumber of users and user sessions that utilize an Ubuntu operating system.\nLimiting the number of allowed users and sessions per user is helpful in\nreducing the risks related to DoS attacks.\n\n This requirement addresses concurrent sessions for information system\naccounts and does not address concurrent sessions by single users via multiple\nsystem accounts. The maximum number of concurrent sessions should be defined\nbased upon mission needs and the operational environment for each system.\n \"\n impact 0.3\n tag \"gtitle\": 'SRG-OS-000027-GPOS-00008'\n tag \"gid\": 'V-75443'\n tag \"rid\": 'SV-90123r2_rule'\n tag \"stig_id\": 'UBTU-16-010070'\n tag \"fix_id\": 'F-82071r1_fix'\n tag \"cci\": ['CCI-000054']\n tag \"nist\": %w[AC-10 Rev_4]\n tag \"false_negatives\": nil\n tag \"false_positives\": nil\n tag \"documentable\": false\n tag \"mitigations\": nil\n tag \"severity_override_guidance\": false\n tag \"potential_impacts\": nil\n tag \"third_party_tools\": nil\n tag \"mitigation_controls\": nil\n tag \"responsibility\": nil\n tag \"ia_controls\": nil\n desc 'check', \"Verify that the Ubuntu operating system limits the number of\nconcurrent sessions to \\\"10\\\" for all accounts and/or account types by running\nthe following command:\n\n# grep maxlogins /etc/security/limits.conf\n\nThe result must contain the following line:\n\n* hard maxlogins 10\n\nIf the \\\"maxlogins\\\" item is missing or the value is not set to \\\"10\\\" or less,\nor is commented out, this is a finding.\"\n desc 'fix', \"Configure the Ubuntu operating system to limit the number of\nconcurrent sessions to ten for all accounts and/or account types.\n\nAdd the following line to the top of the /etc/security/limits.conf:\n\n* hard maxlogins 10\"\n\n describe limits_conf do\n its('*') { should include ['hard', 'maxlogins', input('maxlogins').to_s] }\n end\nend\n",
"source_location": {
"line": 3,
"ref": "canonical-ubuntu-16.04-lts-stig-baseline-master/controls/V-75443.rb"
},
"waiver_data": {},
"results": [
{
"status": "failed",
"code_desc": "limits.conf * is expected to include [\"hard\", \"maxlogins\", \"10\"]",
"run_time": 0.000519,
"start_time": "2020-05-14T17:47:39-04:00",
"message": "expected [[\"hard\", \"core\", \"0\"]] to include [\"hard\", \"maxlogins\", \"10\"]"
}
]
}
],
"status": "loaded"
}
],
"statistics": { "duration": 23.865506 },
"version": "4.18.100"
},
"syntax": "json",
"title": "Example Simple HDF JSON",
"desc": "This HDF file can be generated by running the example STIG template InSpec test given above - note how the code of that test is captured in the \"code\" field in the HDF file. The format includes information on the platform a validation test ran on (\"platform\"), the test itself (\"tags\", \"code\"), and the test's results (\"results\")."
}
]
}
]
}