Hi Atom,

Thanks for your reply. It gets kinda lonely when I write things and no
one replies ;-)

I plan on publishing /an/ implementation as part of the Assimilation
Project. But because of our architecture, it's unlikely to be directly
useful to others. The description of the test is in the JSON.

In the case of Assimilation, we collect all our configuration data /*as
JSON*/, and then we run the rules centrally against the JSON. This way
the rules don't have to be distributed to everyone, just the code to
collect the relevant configuration data. Changing a rule doesn't imply
touching every machine. Adding a new rule that depends on data we don't
currently collect /will/ require distributing new discovery scripts to
the machines.

So, this falls out to do it this way naturally from our discovery
architecture. In addition to this, you get to look at the configuration
in a central location and can look at it by hand as well.

You can see a (toy) implementation of a few rules here:
    http://hg.linux-ha.org/assimilation/file/tip/cma/bestpractices.py
This code is not particularly helpful to anyone not using the
Assimilation discovery agents. I put a snippet from that file at the end
of this email.

As far as what other people do, that's up to them. In some cases (like
Lynis) they already have their own implementation of some rules. An
implementation that would be suitable for them would not fit our
architecture and vice versa.

I plan on looking at Lynis' rules and find those not covered by the NIST
rules and add those as well - so that we have a more comprehensive set
of rules available.

FWIW, the Lynis founder is well aware of this project, and that I'm
planning on harvesting his rules. We're friends, and he's a co-founder
of the IT Best practices project ;-)


On 07/09/2015 05:39 PM, Atom Powers wrote:
> This looks like it is something that I would find valuable and I
> expect any other organization with any semblance of a compliance team
> would as well.
I wrote a blog post on why this is cool - which should come out on
Tuesday. The basic idea of the blog post is "Don't make eating the
elephant an annual event" ;-).

The rules don't have to be security rules. For example, here's a rule
which detects buffer bloat:

        'BPC-00014-1':
            {'rule': 'IN($net.core.default_qdisc, fq_codel, codel)',
             'id':   'BPC-00014-1',
             'url': 'https://trello.com/c/EwPF4S9z' },


In fact, I think the real code to do this will be simpler. It will just
have an identifier and the rule part. The URL would be implied. And the
real code is just this: IN($net.core.default_qdisc, fq_codel,
codel). That's pretty simple - and much simpler than writing a shell
script to cat it out then do a case on the answer, and then distribute
it to all the machines every time you change your mind a little...

The JSON for this rule in the IT Best practices project is here:

    https://github.com/IT-bestpractices/root/commit/9cb4ac987a99803691cddc6374efcfcfb3b2d546

>
> To be useful I think that the "mechanically verifiable" rules would
> need a method to be verified. I see that "it is not currently our
> intent to provide this code as part of this project."
>
> The obvious question arises, where/how do you expect that code to get
> created and published?
>
> Ostensibly the easiest thing to do would be to extend the xml to
> include the command to run and the expected output. Then it would be
> easy for Assimilation or any other project to consume the best
> practices rules and create code that can verify them.
I assume you meant JSON ;-)


In particular, here's the snippet of code that defines a number of
/proc/sys security rules:

# Snippet from bestpractices.py; the email quotes it starting mid-dict,
# so the opening line is supplied here and the variable name is assumed.
PROC_SYS_RULES = {
    'BPC-00001-1':
        {'rule': 'EQ($kernel.core_setuid_ok, 0)',
         'id':   'BPC-00001-1',
         'url': 'https://trello.com/c/g9z9hDy8' },
    'BPC-00002-1':
        {'rule': 'OR(EQ($kernel.core_uses_pid, 1), NE($kernel.core_pattern, ""))',
         'id':   'BPC-00002-1',
         'url': 'https://trello.com/c/6LOXeyDD' },
    'BPC-00003-1':
        {'rule': 'EQ($kernel.ctrl-alt-del, 0)',
         'id':   'BPC-00003-1',
         'url': 'https://trello.com/c/aUmn4WFg' },
    'BPC-00004-1':
        {'rule': 'EQ($kernel.exec-shield, 1)',
         'id':   'BPC-00004-1',
         'url': 'https://trello.com/c/pBBZezUS' },
    'BPC-00005-1':
        {'rule': 'EQ($kernel.exec-shield-randomize, 1)',
         'id':   'BPC-00005-1',
         'url': 'https://trello.com/c/ddbaElZM' },
    'BPC-00006-1':
        {'rule': 'EQ($kernel.sysrq, 0)',
         'id':   'BPC-00006-1',
         'url': 'https://trello.com/c/QSovxhup' },
    'BPC-00007-1':
        {'rule': 'EQ($kernel.randomize_va_space, 2)',
         'id':   'BPC-00007-1',
         'url': 'https://trello.com/c/5d5o5TAi' },
    'BPC-00008-1':
        {'rule': 'EQ($kernel.use-nx, 2)',
         'id':   'BPC-00008-1',
         'url': 'https://trello.com/c/aBHWB70x' },
    'BPC-00009-1':
        {'rule': 'EQ($net.ipv4.icmp.bmcastecho, 2)',
         'id':   'BPC-00009-1',
         'url': 'https://trello.com/c/N3wHjSFb' },
    'BPC-00010-1':
        {'rule': 'EQ($net.ipv4.icmp.rediraccept, 0)',
         'id':   'BPC-00010-1',
         'url': 'https://trello.com/c/CZYlfHWv' },
    'BPC-00011-1':
        {'rule': 'EQ($net.inet.ip.accept_sourceroute, 0)',
         'id':   'BPC-00011-1',
         'url': 'https://trello.com/c/hKkKhNl1' },
    'BPC-00012-1':
        {'rule': 'EQ($net.net.ip6.rediraccept, 0)',
         'id':   'BPC-00012-1',
         'url': 'https://trello.com/c/CZYlfHWv' },
    'BPC-00013-1':
        {'rule': 'EQ($net.net.ip6.redirect, 0)',
         'id':   'BPC-00013-1',
         'url': 'https://trello.com/c/Zzk5HX4j' },
}


Does this help?


-- 

Alan Robertson / CTO
[email protected] <mailto:[email protected]> / +1 303.947.7999

Assimilation Systems Limited
http://AssimilationSystems.com

Twitter <https://twitter.com/ossalanr> Linkedin
<https://www.linkedin.com/in/alanr> skype
<https://htmlsig.com/skype?username=alanr_unix.sh>

_______________________________________________
Assimilation mailing list - Discovery-Driven Monitoring
[email protected]
http://lists.community.tummy.com/cgi-bin/mailman/listinfo/assimilation
http://assimmon.org/
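Added example (not Alan's code and not Assimilation's bestpractices.py): a minimal evaluator for rules written in the EQ/NE/IN/OR form quoted in the email, run centrally against a constructed JSON sample of the kind a discovery agent might report. The function-call grammar, the dotted $-path lookup into nested JSON, string-wise comparison of values, and the choice to count a missing value as a failed check rather than a pass are all assumptions made here, not details of the real implementation.

```python
import json
import re

# Constructed sample of discovery output (hypothetical shape, not
# Assimilation's real JSON): sysctl-style keys nested by dotted path.
SAMPLE_CONFIG = json.loads("""
{
  "kernel": {"core_uses_pid": 0,
             "core_pattern": "|/usr/lib/systemd/systemd-coredump %P",
             "ctrl-alt-del": 1, "sysrq": 0, "randomize_va_space": 2},
  "net": {"core": {"default_qdisc": "pfifo_fast"},
          "ipv4": {"icmp": {"rediraccept": 0}}}
}
""")

# A handful of rules in the same style as the ones in the email.
RULES = {
    'BPC-00002-1': 'OR(EQ($kernel.core_uses_pid, 1), NE($kernel.core_pattern, ""))',
    'BPC-00003-1': 'EQ($kernel.ctrl-alt-del, 0)',
    'BPC-00006-1': 'EQ($kernel.sysrq, 0)',
    'BPC-00007-1': 'EQ($kernel.randomize_va_space, 2)',
    'BPC-00010-1': 'EQ($net.ipv4.icmp.rediraccept, 0)',
    'BPC-00014-1': 'IN($net.core.default_qdisc, fq_codel, codel)',
}

# Tokens: a double-quoted string, a bare word (may contain '$', '.', '-'),
# or one of the punctuation characters ( ) ,
TOKEN_RE = re.compile(r'\s*(?:"([^"]*)"|([^\s,()"]+)|([(),]))')
MISSING = object()  # sentinel for "discovery data has no such key"


def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError("bad token at %d: %r" % (pos, text[pos:]))
        pos = m.end()
        if m.group(1) is not None:
            tokens.append(('str', m.group(1)))
        elif m.group(2) is not None:
            tokens.append(('word', m.group(2)))
        else:
            tokens.append(('punct', m.group(3)))
    return tokens


def _parse_expr(tokens, i):
    """Recursive descent: WORD '(' expr {',' expr} ')' | $path | literal."""
    kind, val = tokens[i]
    if kind == 'str':
        return ('lit', val), i + 1
    if i + 1 < len(tokens) and tokens[i + 1] == ('punct', '('):
        args, i = [], i + 2
        while tokens[i] != ('punct', ')'):
            arg, i = _parse_expr(tokens, i)
            args.append(arg)
            if tokens[i] == ('punct', ','):
                i += 1
        return ('call', val.upper(), args), i + 1
    if val.startswith('$'):
        return ('var', val[1:]), i + 1
    return ('lit', val), i + 1


def parse(text):
    tokens = tokenize(text)
    node, end = _parse_expr(tokens, 0)
    if end != len(tokens):
        raise ValueError("trailing tokens in rule: %r" % text)
    return node


def lookup(config, dotted):
    """Walk a dotted path through nested dicts; MISSING if any step is absent."""
    cur = config
    for part in dotted.split('.'):
        if not isinstance(cur, dict) or part not in cur:
            return MISSING
        cur = cur[part]
    return cur


def evaluate(node, config):
    kind = node[0]
    if kind == 'lit':
        return node[1]
    if kind == 'var':
        return lookup(config, node[1])
    _, fn, args = node
    vals = [evaluate(a, config) for a in args]
    if fn in ('OR', 'AND'):
        flags = [v is True for v in vals]  # anything non-boolean counts as False
        return any(flags) if fn == 'OR' else all(flags)
    if any(v is MISSING for v in vals):
        return False  # absent data is a failed check, never a silent pass
    left, rest = str(vals[0]), [str(v) for v in vals[1:]]
    if fn == 'EQ':
        return left == rest[0]
    if fn == 'NE':
        return left != rest[0]
    if fn == 'IN':
        return left in rest
    raise ValueError("unknown operator %s" % fn)


def evaluate_rule(rule_text, config):
    return evaluate(parse(rule_text), config)


def check_all(config, rules):
    """Map each rule id to True (compliant) or False (non-compliant/missing)."""
    return {rule_id: evaluate_rule(text, config) for rule_id, text in rules.items()}


if __name__ == "__main__":
    for rule_id, ok in sorted(check_all(SAMPLE_CONFIG, RULES).items()):
        print(rule_id, "PASS" if ok else "FAIL")
```

Against the constructed sample, BPC-00003-1 (ctrl-alt-del) and BPC-00014-1 (default_qdisc) fail and the rest pass; a rule that references a key the agent never reported (for example the IPv6 keys above on a host with no such data) reports FAIL rather than PASS, which is the behaviour you want when a rule depends on discovery data that has not been collected yet.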