Improve formatting + checks in Mondoo Linux policy (#446)
### Some fixes for all policies

- Remove the Overview headers that don't display correctly in the console
- Remove remote scan sections that just tell the user to run help to see all the providers since this isn't really helpful
- Remove Intended Audience sections from descriptions

### A pile of fixes for the Linux Security policy

- Prevent weird 2 line displays like this: <img width="913" alt="image" src="https://github.com/user-attachments/assets/7d6f4d82-e685-4a07-9755-4fceae8f1d5a">
- Shorten some remediation steps by removing extra spacing
- Add remediation steps for SLES/openSUSE
- Be clear that debian/ubuntu steps include derivatives
- Break out sensitive service checks into their own chapter
- Use more consistent naming for chapters
- Detect cyrus-imapd as a mail server to disable
- Remove sendmail in a description since we don't check for it
- Expand the FTP server check to include proftpd, and pure-ftpd
- Rework some descriptions to better understand *why* it's important to secure things
- Add support for Debian/Ubuntu to the DNS, NIS, and Talk server checks

---------

Signed-off-by: Tim Smith <[email protected]>
Showing 31 changed files with 239 additions and 420 deletions.
@@ -14,8 +14,6 @@ policies: | |
email: [email protected] | ||
docs: | ||
desc: |- | ||
## Overview | ||
Linux Server Operational Policy by Mondoo provides guidance for operational best practices on Linux hosts. | ||
## Local scan | ||
@@ -14,8 +14,6 @@ policies: | |
email: [email protected] | ||
docs: | ||
desc: | | ||
## Overview | ||
Linux Server SNMP Policy by Mondoo provides guidance for vulnerable SNMP configurations on Linux hosts. | ||
## Local scan | ||
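Review bot: `desc: |` in this hunk versus `desc: |-` in the operational policy hunk above is an inconsistency worth settling while these descriptions are being touched: `|` keeps the final newline of the block scalar and `|-` strips it, so the rendered descriptions end with different trailing whitespace from one bundle to the next. Pick one chomping indicator for every `desc:` across the policies.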
@@ -14,8 +14,6 @@ policies: | |
email: [email protected] | ||
docs: | ||
desc: | | ||
## Overview | ||
The Mondoo AWS Security policy provides guidance for establishing minimum recommended security and operational best practices for Amazon Web Services (AWS). The checks in this policy bundle are based on AWS's Operational Best Practices recommendations as part of the [AWS Config conformance packs](https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html). | ||
## Remote scan | ||
@@ -14,8 +14,6 @@ policies: | |
email: [email protected] | ||
docs: | ||
desc: |- | ||
## Overview | ||
The Mondoo Microsoft Azure Security policy provides guidance for establishing minimum recommended security and operational best practices for Microsoft Azure. | ||
## Getting Started | ||
@@ -35,7 +33,7 @@ policies: | |
Step 2: Authentication to Azure | ||
There are two primary methods to authenticate cnspec to your Azure environments: | ||
**a. Azure CLI Login** | ||
``` | ||
@@ -122,14 +120,14 @@ queries: | |
```bash | ||
az disk list --resource-group "yourResourceGroupName" --query "[].{Name:name, ResourceGroupName:resourceGroup, EncryptionSettings:encryptionSettingsCollection}" -o table | ||
``` | ||
``` | ||
**Automated Audit with PowerShell:** | ||
```powershell | ||
Get-AzDisk -ResourceGroupName "yourResourceGroupName" | Select-Object Name, ResourceGroupName, EncryptionSettingsCollection | ||
``` | ||
Ensure the EncryptionType is set to EncryptionAtRestWithCustomerKey for OS disks. | ||
remediation: | | ||
### Microsoft Azure Portal | ||
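Review bot: the audit commands and the success criterion in this hunk look at different properties. `az disk list ... EncryptionSettings:encryptionSettingsCollection` and `Get-AzDisk ... Select-Object ... EncryptionSettingsCollection` return the in-guest Azure Disk Encryption settings, while the closing line `Ensure the EncryptionType is set to EncryptionAtRestWithCustomerKey for OS disks.` refers to the disk's server-side `encryption.type` value. Query that property instead (for the CLI, something like `--query "[].{Name:name, EncryptionType:encryption.type}"`) so the audit output actually contains the value the reader is told to check. The duplicated closing fence pair is otherwise just the whitespace change this commit is about.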
@@ -229,7 +227,7 @@ queries: | |
desc: | | ||
Restricting SSH access from the internet minimizes the risk of brute force and other unauthorized access attempts on Azure resources such as virtual machines. Public internet exposure of SSH, especially on the default port 22, significantly increases the attack surface. It's crucial to evaluate and restrict SSH access by configuring network security groups (NSGs) to allow only necessary connections, preferably from known, secure sources. Implementing stringent access controls for SSH enhances security by preventing attackers from using compromised VMs as a pivot point for broader network intrusions. | ||
audit: | | ||
**Manual Audit via Azure Portal:** | ||
**Manual Audit via Azure Portal:** | ||
**Checking via Network Security Groups (NSGs) for All Resources:** | ||
1. From the main Azure Portal menu, navigate to **Network security groups**. | ||
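Review bot: the removed and added `**Manual Audit via Azure Portal:**` lines read identically in the rendered diff, so this hunk is a whitespace-only fix (most likely trailing spaces). That is fine, but the same pair recurs in several hunks of this commit; a `yamllint` rule for trailing spaces in CI would catch these once instead of relying on hand edits.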
@@ -345,7 +343,7 @@ queries: | |
desc: | | ||
Restricting RDP access from the internet is crucial for protecting Azure resources against unauthorized access and potential security breaches. RDP, typically listening on TCP port 3389, is a common target for many Cyber attacks. By limiting RDP access to only trusted internal networks or through secure tunnels, the risk of these attacks is significantly reduced. This security measure is essential for maintaining the integrity and security of Azure environments, preventing attackers from using compromised VMs as launch points for further attacks within and beyond the Azure network. | ||
audit: | | ||
**Manual Audit via Azure Portal:** | ||
**Manual Audit via Azure Portal:** | ||
1. Log into the Azure Portal. | ||
2. Navigate to **Network security groups** under the Networking or directly through the search bar. | ||
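Review bot: style nit in the `desc` line of this hunk: `many Cyber attacks` should read `many cyberattacks`. The rest of the hunk is the same identical-line whitespace pair as in the SSH check above.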
@@ -530,7 +528,7 @@ queries: | |
``` | ||
az storage account show --name <yourStorageAccountName> --query allowBlobPublicAccess | ||
``` | ||
``` | ||
remediation: | | ||
### Terraform | ||
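Review bot: the fence around `az storage account show --name <yourStorageAccountName> --query allowBlobPublicAccess` has no language tag, while the other CLI snippets in this file use ```bash (the `az disk list` and `az webapp config show` examples). Tag it `bash` so the console highlights all the CLI audits the same way.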
@@ -557,7 +555,7 @@ queries: | |
``` | ||
az storage account update --name <storage-account> --resource-group <resource-group> --public-network-access Disabled | ||
``` | ||
- Set blob containers to private access: | ||
``` | ||
az storage container set-permission --name <container_name> --public-access off --account-name <account_name> --account-key <account_key> | ||
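Review bot: the remediation command `az storage container set-permission ... --account-key <account_key>` puts the storage account key on the command line, where it lands in shell history and is visible in the process list while it runs. `az storage container` commands also accept `--auth-mode login`, which uses the caller's signed-in identity and avoids handling the key at all; worth showing that form in a security policy's remediation text.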
@@ -1046,7 +1044,7 @@ queries: | |
It is highly recommended to use the latest TLS version available with Azure App Services for all secure Web App connections. Currently Azure App Services supports TLS 1.2. | ||
audit: | | ||
**From Azure Portal:** | ||
1. Log in to the Azure Portal at https://portal.azure.com. | ||
2. Navigate to **App Services**. | ||
3. Select an app service and select **TLS/SSL settings** under **Settings**. | ||
@@ -1055,7 +1053,7 @@ queries: | |
**From Azure CLI:** | ||
Verify that the minimum TLS version is set to 1.2 for each App Service: | ||
```bash | ||
az webapp config show --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --query minTlsVersion | ||
``` | ||
@@ -1076,7 +1074,7 @@ queries: | |
b. Select **Configuration** and select the **General settings** tab. | ||
c. Under **Minimum Inbound TLS Version**, select **1.2**. | ||
d. Select **Save**. | ||
**From Azure CLI:** | ||
Set the minimum TLS version to 1.2 for an existing app service: | ||
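Review bot: the portal steps in this remediation hunk (`b. Select **Configuration** and select the **General settings** tab`, `c. Under **Minimum Inbound TLS Version**, select **1.2**`) go to a different blade than the audit steps earlier in this file (`3. Select an app service and select **TLS/SSL settings** under **Settings**`). Point audit and remediation at the same location so a reader who just checked the setting can fix it where they found it.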
@@ -1157,7 +1155,7 @@ queries: | |
a. Select the key vault. | ||
b. Select **Keys** or **Secrets**. | ||
c. Make sure that the key/secret in the key vault has an expiration date. | ||
**From Azure CLI:** | ||
- For keys: | ||
@@ -2197,4 +2195,4 @@ queries: | |
disallowedPortUDP = _ | ||
disallowedPortUDP | ||
allNsgUDP.all(securityRules.none(destinationPortRange.any(fromPort <= disallowedPortUDP && toPort >= disallowedPortUDP))) | ||
} | ||
} |
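Review bot: the rule predicate on the last visible line, `securityRules.none(destinationPortRange.any(fromPort <= disallowedPortUDP && toPort >= disallowedPortUDP))`, matches on the destination port range alone. Unless `direction`, `access` and the source prefix are already filtered when `allNsgUDP` is built (not visible in this hunk), an inbound Deny rule or an outbound rule that merely mentions the port will also fail the check; if that filtering is absent, add it here. The identical trailing `}` pair indicates the only change in this hunk is the missing newline at end of file.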
@@ -14,8 +14,6 @@ policies: | |
email: [email protected] | ||
docs: | ||
desc: | | ||
## Overview | ||
The Mondoo DNS Security policy includes checks for assessing the configuration of DNS records. | ||
## Remote scan | ||
@@ -13,8 +13,6 @@ policies: | |
email: [email protected] | ||
docs: | ||
desc: |- | ||
## Overview | ||
The Dockerfile Security policy by Mondoo provides guidance for establishing secure Docker container configurations and deployments by securing Dockerfiles used to build container images. | ||
If you have questions, comments, or ways to improve this policy, please write us at [email protected], or reach out in GitHub Discussions. | ||
@@ -72,7 +70,7 @@ queries: | |
desc: | | ||
Management ports such as SSH (port 22), Docker Remote API (port 2375), Consul (port 8500), and Kubernetes API (port 6443) are commonly targeted by attackers. Exposing these ports in Docker containers increases the risk of unauthorized access and security vulnerabilities. This test ensures that these management ports are not exposed in Docker container configurations. | ||
remediation: | | ||
Review and update your Dockerfile to ensure that management ports (22 for SSH, 2375 for Docker Remote API, 8500 for Consul HTTP API, 6443 for Kubernetes API) are not exposed. | ||
Review and update your Dockerfile to ensure that management ports (22 for SSH, 2375 for Docker Remote API, 8500 for Consul HTTP API, 6443 for Kubernetes API) are not exposed. | ||
- Remove or restrict the exposure of these ports using the `EXPOSE` instruction in your Dockerfile. | ||
- Use Docker's port mapping options (`-p` or `--publish`) cautiously to avoid exposing these ports. | ||
- Ensure that any required management access is secured and appropriately managed. | ||
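Review bot: the first remediation bullet, `Remove or restrict the exposure of these ports using the `EXPOSE` instruction`, overstates what `EXPOSE` does. `EXPOSE` is documentation metadata in the image; it does not publish a port, and a container can publish 22 or 2375 with `-p` whether or not the Dockerfile lists them. The second bullet about `-p`/`--publish` is the real control; reword the first so readers do not believe that dropping `EXPOSE` closes the port. The duplicated `Review and update your Dockerfile ...` line is the usual whitespace pair.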
@@ -89,7 +87,7 @@ queries: | |
Disabling certificate validation can expose the system to man-in-the-middle attacks and other security vulnerabilities. | ||
remediation: | | ||
- Review the Dockerfile and ensure that package managers are configured to use SSL certificate validation. | ||
- Use secure practices for package installations to maintain system integrity: Remove any insecure options such as `--nogpgcheck`, `--no-check-certificate`, `--no-gpg-check`, and similar flags. | ||
- Use secure practices for package installations to maintain system integrity: Remove any insecure options such as `--nogpgcheck`, `--no-check-certificate`, `--no-gpg-check`, and similar flags. | ||
- uid: mondoo-docker-security-no-insecure-certificate-validation-apt | ||
title: Don’t disable certificate validation in APT | ||
impact: 100 | ||
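Review bot: the remediation bullet in this hunk mixes two different controls: `--nogpgcheck` and `--no-gpg-check` disable package signature verification, while `--no-check-certificate` disables TLS certificate validation on the download. The check is titled around certificate validation (and the `desc` talks about man-in-the-middle), so either split the bullet so each flag is tied to the protection it removes, or adjust the wording so signature checks and transport checks are named separately. The duplicated bullet itself is a whitespace-only change.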
@@ -114,7 +112,7 @@ queries: | |
Disabling certificate validation can expose the container to man-in-the-middle attacks and other security risks. | ||
remediation: | | ||
- Review the `CMD` or `ENTRYPOINT` commands in your Dockerfile and any scripts executed within the container. | ||
- Avoid using `curl` with `--insecure` or `-k` options. | ||
- Avoid using `curl` with `--insecure` or `-k` options. | ||
- Ensure that proper SSL certificate validation is enabled for all `curl` operations. | ||
- uid: mondoo-docker-security-no-insecure-certificate-validation-wget | ||
title: Don’t disable certificate validation in Wget | ||
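Review bot: the remediation for `curl` stops at `Avoid using `curl` with `--insecure` or `-k` options`, but in practice `-k` is added to get past an internal CA the base image does not trust. A bullet that says how to fix that properly (install the CA into the image's trust store, or pass it with `--cacert`) gives the reader an actual alternative instead of only a prohibition. The repeated bullet is the whitespace pair seen elsewhere in this commit.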
@@ -139,7 +137,7 @@ queries: | |
as it grants elevated permissions that can be exploited if not handled properly. | ||
By avoiding `sudo`, you ensure that all commands run with the default user privileges, which enhances the security of the container. | ||
remediation: | | ||
- Review the Dockerfile and remove any instances of `sudo`. | ||
- Review the Dockerfile and remove any instances of `sudo`. | ||
- Ensure that all commands are executed with the least privileges required. | ||
- Configure containers to operate with non-root users where possible, and avoid privilege escalation techniques. | ||
- uid: mondoo-docker-security-no-gpg-skip-yum | ||
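Review bot: the `desc` sentence `By avoiding `sudo`, you ensure that all commands run with the default user privileges, which enhances the security of the container.` is misleading on its own, because the default user in a Dockerfile is root until a `USER` instruction switches it, so removing `sudo` from a root build changes nothing. The third remediation bullet about running as a non-root user is the control that actually reduces privilege; make the description say that `sudo` in a Dockerfile is usually a sign that `USER` was set too early or that a non-root build step needs root, rather than claiming the removal itself enhances security.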
@@ -212,4 +210,4 @@ queries: | |
desc: | | ||
Ensure that Dockerfiles use the `apt-get` CLI instead of `apt`. The `apt-get` CLI provides more predictable behavior in scripting contexts and is generally preferred for use in Dockerfiles for its consistency and reliability. | ||
remediation: | | ||
Review the Dockerfile `RUN` instructions to replace any `apt` commands with `apt-get`. This ensures that package management operations are performed using the recommended and more stable CLI. | ||
Review the Dockerfile `RUN` instructions to replace any `apt` commands with `apt-get`. This ensures that package management operations are performed using the recommended and more stable CLI. |
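Review bot: the `desc` says `apt-get` is `generally preferred` without giving the concrete reason. `apt` itself prints `WARNING: apt does not have a stable CLI interface. Use with caution in scripts.` when run non-interactively; quoting that in the description tells the reader exactly why a `RUN apt install` line is a problem. The duplicated remediation line is a whitespace change plus the newline at end of file.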
@@ -14,8 +14,6 @@ policies: | |
email: [email protected] | ||
docs: | ||
desc: | | ||
## Overview | ||
This policy bundle verifies best practices for authenticating email messages using security protocols such as Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC). | ||
### Running the Policy | ||
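Review bot: with `## Overview` removed (8 lines become 6 in this hunk), the retained `### Running the Policy` is now an h3 with no h2 above it, so the description jumps from body text to a third-level heading. Promote it to `##`, or drop the heading level markers altogether in line with the commit's goal of removing headers the console does not render. The same applies to `### Prerequisites` in the GitLab hunk further down, where `## Remote scan` is among the removed lines.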
@@ -14,8 +14,6 @@ policies: | |
email: [email protected] | ||
docs: | ||
desc: |- | ||
## Overview | ||
The Mondoo Google Cloud Security policy provides guidance for establishing minimum recommended security and operational best practices for Google Cloud. | ||
## Remote scan | ||
@@ -712,4 +710,4 @@ queries: | |
) | ||
- uid: gcp-storage-cloud-storage-buckets-uniform-bucket-level-access-enabled-single | ||
filters: asset.platform == "gcp-storage-bucket" | ||
mql: gcp.storage.bucket.iamConfiguration.UniformBucketLevelAccess.enabled == true | ||
mql: gcp.storage.bucket.iamConfiguration.UniformBucketLevelAccess.enabled == true |
@@ -14,20 +14,8 @@ policies: | |
email: [email protected] | ||
docs: | ||
desc: | | ||
## Overview | ||
The Mondoo GitHub Organization Security policy provides guidance for establishing minimum recommended security and operational best practices for GitHub organizations. | ||
## About remote scanning | ||
Remote scans with cnspec provide on demand security assessments of infrastructure and services without installing any agents or integrations. cnspec comes with a growing list of providers to connect and scan local and remote targets. | ||
A complete list of providers can be found by running this command: | ||
```bash | ||
cnspec scan --help | ||
``` | ||
### cnspec GitHub provider | ||
This policy uses the `github` provider to authenticate with GitHub's API in order to remotely scan GitHub organizations. Additional information on the `github` provider can be found by running this command: | ||
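Review bot: the last retained line of this hunk still ends with `can be found by running this command:`, and the hunk removes the `cnspec scan --help` block that used to follow the earlier sentence of the same shape. Please confirm that the fenced command after the GitHub provider sentence survived the deletion (it sits outside the visible context); if it did not, the section now ends on a colon that promises a command which never appears.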
@@ -105,16 +93,6 @@ policies: | |
GitHub Repository Security by Mondoo provides security assessments of public and private GitHub repositories to ensure minimum recommended security and operational best practices. This policy is also designed to assess public repositories and open source projects your team depends on to evaluate the risk a project poses to your business. Open source projects that do not adhere to GitHub's recommended security best practices pose a higher risk of malicious code making its way into your environments. | ||
## About remote scanning | ||
Remote scans with cnspec provide on demand security assessments of infrastructure and services without installing any agents or integrations. cnspec comes with a growing list of providers to connect and scan local and remote targets. | ||
A complete list of providers can be found by running this command: | ||
```bash | ||
cnspec scan --help | ||
``` | ||
### cnspec GitHub Provider | ||
This policy uses the `github` provider to authenticate with GitHub's API in order to remotely scan GitHub repositories. Additional information on the `github` provider can be found by running this command: | ||
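Review bot: this hunk keeps `### cnspec GitHub Provider` while the organization section of the same file above keeps `### cnspec GitHub provider`; since the commit is standardising chapter names anyway, pick one capitalisation for both headings.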
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -14,20 +14,8 @@ policies: | |
email: [email protected] | ||
docs: | ||
desc: | | ||
## Overview | ||
The Mondoo GitLab Security policy offers guidance on establishing minimum recommended security best practices for GitLab groups and projects. | ||
## Remote scan | ||
Remote scans use cnspec providers to retrieve on-demand scan results without having to install any agents. | ||
A complete list of providers can be found by running this command: | ||
```bash | ||
cnspec scan --help | ||
``` | ||
### Prerequisites | ||
Remote scans of GitLab require a [personal access token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html) with access to the group and projects you plan to scan. | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -14,8 +14,6 @@ policies: | |
email: [email protected] | ||
docs: | ||
desc: | | ||
## Overview | ||
The Mondoo HTTP Security policy includes checks for ensuring the security of HTTP headers. | ||
## Remote scan | ||
@@ -131,4 +129,4 @@ queries: | |
The Public-Key-Pins header is deprecated and should not be used anymore. | ||
refs: | ||
- url: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#public-key-pins-hpkp | ||
title: OWASP HTTP Security Response Headers Cheat Sheet | ||
title: OWASP HTTP Security Response Headers Cheat Sheet |
@@ -14,8 +14,6 @@ policies: | |
email: [email protected] | ||
docs: | ||
desc: |- | ||
## Overview | ||
The Mondoo Kubernetes Best Practices policy bundle provides guidance for establishing reliable Kubernetes clusters by encouraging the adoption of best practices. | ||
## Remote scan | ||