-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathinspec.yml
165 lines (137 loc) · 6.02 KB
/
inspec.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
name: Canonical_Ubuntu_20-04_LTS_STIG
title: Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide
maintainer: Nitin Ravindran
copyright: Nitin Ravindran
copyright_email: [email protected]
license: Apache-2.0
summary: "This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: [email protected]."
version: 1.6.0
supports:
- platform-name: ubuntu
release: 20.04
inputs:
- name: temporary_accounts
description: Temporary user accounts
type: Array
value: []
- name: banner_text
description: Standard Mandatory DoD Notice and Consent Banner
type: String
value: "You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. \
By using this IS (which includes any device attached to this IS), you consent to the following conditions: \
-The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. \
-At any time, the USG may inspect and seize data stored on this IS. \
-Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. \
-This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. \
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details."
- name: sudo_accounts
description: Array of users who need access to security functions are part of the sudo group.
type: Array
value: [ "ubuntu" ]
- name: tmout
description: Inactivity timeouts, in seconds, after which operating system automatically terminates a user session.
type: numeric
value: 600
- name: action_mail_acct
description: Email to be notified when allocated audit record storage volume reaches
type: string
value: root
- name: audit_tools
description: Audit tools
type: Array
value: [
'/sbin/auditctl',
'/sbin/aureport',
'/sbin/ausearch',
'/sbin/autrace',
'/sbin/auditd',
'/sbin/audispd',
'/sbin/augenrules'
]
- name: standard_audit_log_size
description: Set audit log size in bytes (default:1073741824 per control specification)
type: Numeric
value: 8894028
- name: aide_conf_path
description: Path to aide.conf
type: String
value: '/etc/aide/aide.conf'
- name: action_mail_acct
description: Email to be notified when allocated audit record storage volume reaches
type: string
value: root
- name: maxlogins
description: Maximum number of concurrent sessions
type: Numeric
value: 10
- name: is_kdump_required
description: Is kdump service required? (check with SA and documented with ISSO)
type: Boolean
value: false
- name: is_system_networked
description: Set to true if the system is networked for NTP check
type: Boolean
value: true
- name: sssd_conf_path
description: Path to sssd.conf
type: String
value: '/etc/sssd/sssd.conf'
- name: allowed_ca_fingerprints_regex
description: Certificate fingerprint regex for DoD PKI-established certificate authorities
type: string
value: (9676F287356C89A12683D65234098CB77C4F1C18F23C0E541DE0E196725B7EBE|B107B33F453E5510F68E513110C6F6944BACC263DF0137F821C1B3C2F8F863D2|559A5189452B13F8233F0022363C06F26E3C517C1D4B77445035959DF3244F74|1F4EDE9DC2A241F6521BF518424ACD49EBE84420E69DAF5BAC57AF1F8EE294A9)
- name: allowed_network_interfaces
description: Array of allowed network interfaces (wired & wireless)
type: Array
value: [
'lo',
'eth0'
]
- name: audit_sp_remote_server
description: Address of the remote server receiving the audit log
type: String
value: '192.0.0.1'
- name: approved_wireless_interfaces
description: List of approved wireless interfaces
type: array
value: []
- name: fips_config_file
description: Location of fips_enabled config file
type: String
value: '/proc/sys/crypto/fips_enabled'
- name: chrony_config_file
description: Location of chrony config file
type: String
value: '/etc/chrony/chrony.conf'
- name: useradd_config_file
description: Location of useradd config file
type: String
value: '/etc/default/useradd'
- name: rsyslog_config_file
description: Location of rsyslog config file
type: String
value: '/etc/rsyslog.d/50-default.conf'
- name: auditoffload_config_file
description: Location of audit offload config file
type: String
value: '/etc/cron.weekly/audit-offload'
- name: audispremote_config_file
description: Location of audisp-remote plugin config file
type: String
value: '/etc/audisp/plugins.d/au-remote.conf'
- name: gdm3_config_file
description: Location of gdm3 config file
type: String
value: '/etc/gdm3/greeter.dconf-defaults'
- name: disable_fips
description: Is fips disabled or enabled due to FIPS 140 image
type: boolean
value: false
- name: pki_disabled
description: Is PKI authentication used for this system
type: boolean
value: false
- name: admin_groups
description: Array of groups that have administrative privileges
type: Array
value: ['root']