Skip to content

Latest commit

 

History

History

baseline

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Baseline

English | 简体中文
The baseline plugin detects assets through existing or custom baseline policies to determine whether the baseline security configuration is risky. The baseline plugin scans regularly once a day, and can also be executed immediately through the front end.

Platform compatibility

  • centos 6,7,8
  • debian 8,9,10
  • ubuntu 14.04-20.04
    (The rest of the versions and distributions are theoretically compatible)

Build environment required

  • Go >= 1.18

Building

rm -rf output
mkdir output
# x86_64
go build -o baseline main.go
tar -zcvf baseline-linux-x86_64.tar.gz baseline config
mv baseline-linux-x86_64.tar.gz output/
# arch64
GOARCH=arm64 go build -o baseline main.go
tar -zcvf baseline-linux-x86_64.tar.gz baseline config
mv baseline-linux-x86_64.tar.gz output/

After the compilation is successful, you should see two plg files in the output directory of the root directory, which correspond to different system architectures.

Version Upgrade

  1. If no client component has been created, please create a new component in the Elkeid Console-Component Management page.
  2. On the Elkeid Console - Component Management page, find the "collector" entry, click "Release Version" on the right, fill in the version information and upload the files corresponding to the platform and architecture, and click OK.
  3. On the Elkeid Console - Component Policy page, delete the old "collector" version policy (if any), click "New Policy", select the version just released, and click OK. Subsequent newly installed Agents will be self-upgraded to the latest version.
  4. On the Elkeid Console - Task Management page, click "New Task", select all hosts, click Next, select the "Sync Configuration" task type, and click OK. Then, find the task you just created on this page, and click Run to upgrade the old version of the Agent.

Baseline configuration

General configuration

The rules of the baseline plugin are configured through yaml files, which mainly include the following fields (it is recommended to refer to the actual configuration under the config file):

check_id:
type: 
title: 
description:
solution:
security:
type_cn:
title_cn:
description_cn:
solution_cn:
check:
    rules:
    - type: "file_line_check"
        param:
        - "/etc/login.defs"
        filter: '\s*\t*PASS_MAX_DAYS\s*\t*(\d+)'
        result: '$(<=)90'

Custom rules

The "check.rules" field in each check item configuration is the matching rule, and each field is explained below:

rules.type

Checking type, the built-in detection rules currently adapted by the baseline plugin (src/check/rules.go) include:

Checking rule Meaning Parameters Return value
command_check Check commands to be executed 1:Command
2:Special parameter(e.g. ignore_exit suggests the check is passed with commands errors)
Command result
file_line_check Traverse file and check by line 1:File absolute path
2:Flag(For quick filtering lines, reducing the pressure of regular matching)
3:File comments(default:#)
true/false/Regex match value
file_permission Check whether file permissions meet the security configuration 1: File absolute path
2: File minimum permissions(octal based,e.g. 644)
true/false
if_file_exist Check whether file exists 1: File absolute path true/false
file_user_group Check file user group 1: File absolute path
2: User group id
true/false
file_md5_check Check whether file MD5 is consistent 1: File absolute path
2: MD5
true/false
func_check Check through special rules 1:The function true/false

rules.param

Array of rule parameters

rules.require

Rule Prerequisites: Some security baseline configurations may have detection prerequisites, and security risks will only exist if the prerequisites are met, such as:

rules:
  - type: "file_line_check"
    require: "allow_ssh_passwd"
    param:
        - "/etc/ssh/sshd_config"
    filter: '^\s*MaxAuthTries\s*\t*(\d+)'
    result: '$(<)5'

allow_ssh_passwd: Allow users to login through ssh passwords.

rules.result

Checking result,support int,string,bool, $() suggests special checking syntax, e.g.:

Checking syntax Description Example Example description
$(&&) AND ok$(&&)success The result is "ok" or "success"
$(<=) Common operators $(<=)4 Result<=4
$(not) INVERT $(not)error The result is not "error"

Complex example:

$(<)8$(&&)$(not)2  :  Result<8 and result is not 2

check.condition

Since there may be multiple rules for a rule, the relationship between the rule can be defined through the condition field.
all: Check passed if all the rules are matched. any: Check passed if any of the rules is matched. none: Check passed if none of the rules is matched.

Submit a task

Task issued

{
    "baseline_id": 1200,
    "check_id_list":[1,2,3]
}

Result return

{
    "baseline_id": 1200,
    "status": "success", 
    "msg": "",
    "check_list":[
        "check_id": 1,
        "type": "",
        "title": "",
        "description": "",
        "solution": "",
        "type_cn": "",
        "title_cn": "",
        "description_cn": "",
        "solution_cn": "",
        "result": "", 
        "msg": "",
    ]
}

Result:

SuccessCode 		= 1
FailCode 		= 2
ErrorCode 		= -1
ErrorConfigWrite	= -2
ErrorFile		= -3