diff --git a/README.rst b/README.rst index 146ae2f..a3afd90 100644 --- a/README.rst +++ b/README.rst @@ -79,7 +79,8 @@ it to the minions. cd hubblestack-nova.git mkdir -p /srv/salt/_modules/ cp _modules/hubble.py /srv/salt/_modules/ - cp -a hubblestack_nova /srv/salt/ + cp -a hubblestack_nova_profiles /srv/salt/ + cp -a hubblestack_nova_modules /srv/salt/ salt \* saltutil.sync_modules salt \* hubble.sync @@ -93,15 +94,15 @@ Usage There are four primary functions in the hubble.py module: -1. ``hubble.sync`` will sync the ``hubblestack_nova/`` directory to the minion(s). +1. ``hubble.sync`` will sync the ``hubblestack_nova_profiles/`` and ``hubblestack_nova_modules/`` directories to the minion(s). 2. ``hubble.load`` will load the synced audit modules and their yaml configuration files. 3. ``hubble.audit`` will audit the minion(s) using the YAML profile(s) you provide as comma-separated arguments 4. ``hubble.top`` will audit the minion(s) using the ``top.nova`` configuration. ``hubble.audit`` takes two optional arguments. The first is a comma-separated list of paths. These paths can be files or directories within the -``hubblestack_nova`` directory. The second argument allows for toggling Nova -configuration, such as verbosity, level of detail, etc. +``hubblestack_nova_profiles`` directory. The second argument allows for +toggling Nova configuration, such as verbosity, level of detail, etc. If ``hubble.audit`` is run without targeting any audit configs or directories, it will instead run ``hubble.top`` with no arguments. 
@@ -119,9 +120,9 @@ Here are some example calls: # Run hubble.top with the default topfile (top.nova) salt \* hubble.top - # Run all yaml configs and tags under salt://hubblestack_nova/foo/ and - # salt://hubblestack_nova/bar, but only run audits with tags starting - # with "CIS" + # Run all yaml configs and tags under salt://hubblestack_nova_profiles/foo/ + # and salt://hubblestack_nova_profiles/bar, but only run audits with tags + # starting with "CIS" salt \* hubble.audit foo,bar tags='CIS*' .. _nova_usage_topfile: @@ -222,6 +223,7 @@ In order to run the audits once daily, you can use the following schedule: show_profile: True returner: splunk_nova_return return_job: False + run_on_start: False .. _nova_configuration: @@ -241,7 +243,8 @@ configurable via pillar. The defaults are shown below: hubblestack: nova: saltenv: base - dir: salt://hubblestack_nova + module_dir: salt://hubblestack_nova_modules + profile_dir: salt://hubblestack_nova_profiles 2. By default, ``hubble.audit`` will call ``hubble.load`` (which in turn calls ``hubble.sync``) in order to ensure that it is auditing with the most up-to-date diff --git a/_modules/hubble.py b/_modules/hubble.py index cbf134d..e4a059a 100644 --- a/_modules/hubble.py +++ b/_modules/hubble.py @@ -10,7 +10,8 @@ See README for documentation Configuration: - - hubblestack:nova:dir + - hubblestack:nova:module_dir + - hubblestack:nova:profile_dir - hubblestack:nova:saltenv - hubblestack:nova:autoload - hubblestack:nova:autosync @@ -299,7 +300,8 @@ def top(topfile='top.nova', Arguments: topfile - The path of the topfile, relative to your hubblestack_nova directory. + The path of the topfile, relative to your hubblestack_nova_profiles + directory. verbose Whether to show additional information about audits, including 
@@ -413,21 +415,27 @@ def top(topfile='top.nova', return results -def sync(): +def sync(clean=False): ''' - Sync the nova audit modules from the saltstack fileserver. + Sync the nova audit modules and profiles from the saltstack fileserver. The modules should be stored in the salt fileserver. By default nova will - search the base environment for a top level ``hubblestack_nova`` directory, - unless otherwise specified via pillar or minion config - (``hubblestack:nova:dir``) + search the base environment for a top level ``hubblestack_nova_modules`` + directory, unless otherwise specified via pillar or minion config + (``hubblestack:nova:module_dir``) - Modules will just be cached in the normal minion cachedir + The profiles should be stored in the salt fileserver. By default nova will + search the base environment for a top level ``hubblestack_nova_profiles`` + directory, unless otherwise specified via pillar or minion config + (``hubblestack:nova:profile_dir``) - Returns the minion's path to the cached directory + Modules and profiles will be cached in the normal minion cachedir - NOTE: This function will also clean out existing files at the cached - location, as cp.cache_dir doesn't clean out old files + Returns a boolean representing success + + NOTE: This function will optionally clean out existing files at the cached + location, as cp.cache_dir doesn't clean out old files. Pass ``clean=True`` + to enable this behavior CLI Examples: 
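Review bot: The rewritten docstring states `Returns a boolean representing success`, but the body in the next hunk builds a `synced` list of cache-relative paths and ends with `return synced`, so the contract documented here is wrong from the moment it lands. Suggest `Returns a list of the synced module and profile paths, relative to the minion cache (empty if nothing was found)`. The same docstring should also spell out the consequence of the new `clean=False` default it introduces: files that were removed or renamed on the fileserver stay in the cache until someone calls `sync(clean=True)`.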
@@ -437,35 +445,44 @@ def sync(): salt '*' nova.sync saltenv=hubble ''' log.debug('syncing nova modules') - nova_dir = __salt__['config.get']('hubblestack:nova:dir', 'salt://hubblestack_nova') + nova_profile_dir = __salt__['config.get']('hubblestack:nova:profile_dir', + 'salt://hubblestack_nova_profiles') + nova_module_dir = __salt__['config.get']('hubblestack:nova:module_dir', + 'salt://hubblestack_nova_modules') saltenv = __salt__['config.get']('hubblestack:nova:saltenv', 'base') - # Support optional salt:// in config - if 'salt://' in nova_dir: - path = nova_dir - _, _, nova_dir = nova_dir.partition('salt://') - else: - path = 'salt://{0}'.format(nova_dir) - # Clean previously synced files - __salt__['file.remove'](_hubble_dir()) - # Sync the files - cached = __salt__['cp.cache_dir'](path, saltenv=saltenv) - - if cached and isinstance(cached, list): - # Success! Trim the paths - cachedir = _hubble_dir() - ret = [relative.partition(cachedir)[2] for relative in cached] - return ret - else: - if isinstance(cached, list): - # Nothing was found - return cached + if clean: + for nova_dir in _hubble_dir(): + __salt__['file.remove'](nova_dir) + + synced = [] + for i, nova_dir in enumerate((nova_module_dir, nova_profile_dir)): + # Support optional salt:// in config + if 'salt://' in nova_dir: + path = nova_dir + _, _, nova_dir = nova_dir.partition('salt://') + else: + path = 'salt://{0}'.format(nova_dir) + + # Sync the files + cached = __salt__['cp.cache_dir'](path, saltenv=saltenv) + + if cached and isinstance(cached, list): + # Success! 
Trim the paths + cachedir = os.path.dirname(_hubble_dir()[i]) + ret = [relative.partition(cachedir)[2] for relative in cached] + synced.extend(ret) else: - # Something went wrong, there's likely a stacktrace in the output - # of cache_dir - raise CommandExecutionError('An error occurred while syncing: {0}' - .format(cached)) + if isinstance(cached, list): + # Nothing was found + synced.extend(cached) + else: + # Something went wrong, there's likely a stacktrace in the output + # of cache_dir + raise CommandExecutionError('An error occurred while syncing: {0}' + .format(cached)) + return synced def load(): @@ -474,8 +491,10 @@ def load(): ''' if __salt__['config.get']('hubblestack:nova:autosync', True): sync() - if not os.path.isdir(_hubble_dir()): - return False, 'No synced nova modules found' + + for nova_dir in _hubble_dir(): + if not os.path.isdir(nova_dir): + return False, 'No synced nova modules/profiles found' log.debug('loading nova modules') 
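Review bot: Defaulting `clean=False` silently changes behaviour in a way that matters for an audit tool: the removed code always ran `file.remove(_hubble_dir())` before caching, and the docstring's own NOTE says `cp.cache_dir` never deletes stale files, so a module or profile deleted or renamed on the master now lingers in the minion cache, is still picked up by `NovaLazyLoader`, and keeps being executed by `hubble.top`/`hubble.audit` — a retired check (or a profile you removed precisely because it invoked the command module) does not actually go away. `load()` in the following hunk calls `sync()` with no argument, so the autosync path can never clean. Either restore the old default with `def sync(clean=True):`, or let autosync honour a setting, e.g. `sync(clean=__salt__['config.get']('hubblestack:nova:clean_sync', True))` in `load()`. Minor: when `cached` is an empty list the `synced.extend(cached)` branch is a no-op and could simply be dropped, leaving the `raise` as the only non-success path.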
@@ -491,18 +510,28 @@ def load(): def _hubble_dir(): ''' - Generate the local minion directory to which nova modules are synced + Generate the local minion directories to which nova modules and profiles + are synced + + Returns a tuple of two paths, the first for nova modules, the second for + nova profiles ''' - nova_dir = __salt__['config.get']('hubblestack:nova:dir', 'hubblestack_nova') + nova_profile_dir = __salt__['config.get']('hubblestack:nova:profile_dir', + 'salt://hubblestack_nova_profiles') + nova_module_dir = __salt__['config.get']('hubblestack:nova:module_dir', + 'salt://hubblestack_nova_modules') + dirs = [] # Support optional salt:// in config - if 'salt://' in nova_dir: - _, _, nova_dir = nova_dir.partition('salt://') - saltenv = __salt__['config.get']('hubblestack:nova:saltenv', 'base') - cachedir = os.path.join(__opts__.get('cachedir'), - 'files', - saltenv, - nova_dir) - return cachedir + for nova_dir in (nova_module_dir, nova_profile_dir): + if 'salt://' in nova_dir: + _, _, nova_dir = nova_dir.partition('salt://') + saltenv = __salt__['config.get']('hubblestack:nova:saltenv', 'base') + cachedir = os.path.join(__opts__.get('cachedir'), + 'files', + saltenv, + nova_dir) + dirs.append(cachedir) + return tuple(dirs) def _calculate_compliance(results): @@ -526,7 +555,7 @@ def _get_top_data(topfile): ''' Helper method to retrieve and parse the nova topfile ''' - topfile = os.path.join(_hubble_dir(), topfile) + topfile = os.path.join(_hubble_dir()[1], topfile) try: with open(topfile) as handle: @@ -558,7 +587,7 @@ class NovaLazyLoader(LazyLoader): ''' def __init__(self): - super(NovaLazyLoader, self).__init__([_hubble_dir()], + super(NovaLazyLoader, self).__init__(_hubble_dir(), opts=__opts__, tag='nova') self.__data__ = {} 
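Review bot: The `saltenv` lookup inside the `for` loop is loop-invariant and `_hubble_dir()` is now called per file from `refresh_file_mapping` and per directory from `sync`, so hoist `saltenv = __salt__['config.get']('hubblestack:nova:saltenv', 'base')` above the loop. The two defaults `'salt://hubblestack_nova_modules'` / `'salt://hubblestack_nova_profiles'` are duplicated verbatim between `sync()` and `_hubble_dir()`; a module-level `DEFAULT_MODULE_DIR`/`DEFAULT_PROFILE_DIR` pair would keep them from drifting. The `'salt://' in nova_dir` test combined with `partition` discards everything before the first `salt://` wherever it appears; `nova_dir.startswith('salt://')` states the intent and avoids that corner.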
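Review bot: `_hubble_dir()[1]` makes the reader remember that index 1 is the profile cache; `_module_cache, profile_cache = _hubble_dir()` followed by `topfile = os.path.join(profile_cache, topfile)` is self-describing and is the form the new `refresh_file_mapping` code already uses. `topfile` arrives straight from the `hubble.top` argument and is joined without normalisation, so `../` or an absolute path would open any YAML the minion can read — presumably acceptable because it is a master-side operator argument, but a one-line comment saying so would stop the next reader from treating it as a bug. The function's body continues past the end of the hunk.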
@@ -597,6 +626,14 @@ def refresh_file_mapping(self): # Nova only supports .py and .yaml if ext not in ['.py', '.yaml']: continue + # Python only in the modules directory, yaml only + # in the profiles directory. This is hacky but was a + # quick fix. + nova_module_cache, nova_profile_cache = _hubble_dir() + if ext == '.py' and fpath.startswith(nova_profile_cache): + continue + if ext == '.yaml' and fpath.startswith(nova_module_cache): + continue if f_withext in self.disabled: #log.trace( # 'Skipping {0}, it is disabled by configuration'.format( diff --git a/hubblestack_nova/modules/command.py b/hubblestack_nova_modules/command.py similarity index 93% rename from hubblestack_nova/modules/command.py rename to hubblestack_nova_modules/command.py index 90440a5..b52f7f2 100644 --- a/hubblestack_nova/modules/command.py +++ b/hubblestack_nova_modules/command.py @@ -3,6 +3,11 @@ Hubble Nova plugin for running arbitrary commands and checking the output of those commands +This module is deprecated, and must be explicitly enabled in pillar/minion +config via the hubblestack:nova:enable_command_module (should be set to True +to enable this module). This allows nova to run arbitrary commands via yaml +profiles. + :maintainer: HubbleStack / basepi :maturity: 2016.7.0 :platform: All @@ -101,6 +106,14 @@ def audit(data_list, tags, verbose=False, show_profile=False, debug=False): log.debug(__tags__) ret = {'Success': [], 'Failure': [], 'Controlled': []} + + if __tags__ and not __salt__['config.get']('hubblestack:nova:enable_command_module', + False): + ret['Error'] = ['command module has not been explicitly enabled in ' + 'config. Please set hubblestack:nova:enable_command_module ' + 'to True in pillar or minion config to allow this module.'] + return ret + for tag in __tags__: if fnmatch.fnmatch(tag, tags): for tag_data in __tags__[tag]: 
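Review bot: The `.py`/`.yaml` split uses a bare `fpath.startswith(nova_profile_cache)` string-prefix test, so if one configured directory name is a prefix of the other (for example `module_dir: salt://nova` with `profile_dir: salt://nova_profiles`) every `.yaml` under the profile cache also starts with the module cache path and is silently dropped, and no profiles load at all. Compare against the path with a trailing separator and compute it once instead of calling `_hubble_dir()` (three `config.get` lookups) for every file: `nova_module_cache, nova_profile_cache = [os.path.join(d, '') for d in _hubble_dir()]` placed before the per-file loop, which starts outside this hunk. The comment `This is hacky but was a quick fix` should name the actual limitation so a later reader knows what to replace.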
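Review bot: The gate fires on `__tags__` being non-empty, i.e. whenever any merged profile contains a `command:` section, regardless of whether the caller's `tags` glob would have selected any of them, so a profile that merely carries an unused command check turns this module's whole result into an `Error` with empty Success/Failure lists. Failing closed is the right default for arbitrary command execution, but the message should tell the operator where the blocked checks came from, e.g. `ret['Error'] = [{tag: 'command module not enabled (hubblestack:nova:enable_command_module)'} for tag in __tags__]`, which also matches the `{tag: message}` shape the new misc.py uses for its `Error` entries. Note that `config.get` resolves minion config and grains as well as pillar, so a minion-side administrator can enable the module without the master's involvement; if master-only control is the intent the docstring should say so.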
diff --git a/hubblestack_nova/modules/cve_scan.py b/hubblestack_nova_modules/cve_scan.py similarity index 100% rename from hubblestack_nova/modules/cve_scan.py rename to hubblestack_nova_modules/cve_scan.py diff --git a/hubblestack_nova/modules/cve_scan_v2.py b/hubblestack_nova_modules/cve_scan_v2.py similarity index 100% rename from hubblestack_nova/modules/cve_scan_v2.py rename to hubblestack_nova_modules/cve_scan_v2.py diff --git a/hubblestack_nova/modules/firewall.py b/hubblestack_nova_modules/firewall.py similarity index 100% rename from hubblestack_nova/modules/firewall.py rename to hubblestack_nova_modules/firewall.py diff --git a/hubblestack_nova/modules/grep.py b/hubblestack_nova_modules/grep.py similarity index 84% rename from hubblestack_nova/modules/grep.py rename to hubblestack_nova_modules/grep.py index 97eb718..75efd2a 100644 --- a/hubblestack_nova/modules/grep.py +++ b/hubblestack_nova_modules/grep.py @@ -113,9 +113,9 @@ def audit(data_list, tags, verbose=False, show_profile=False, debug=False): if isinstance(grep_args, str): grep_args = [grep_args] - grep_ret = __salt__['file.grep'](name, - tag_data['pattern'], - *grep_args).get('stdout') + grep_ret = _grep(name, + tag_data['pattern'], + *grep_args).get('stdout') found = False if grep_ret: 
@@ -278,3 +278,61 @@ def _get_tags(data): formatted_data.pop('data') ret[tag].append(formatted_data) return ret + + +def _grep(path, + pattern, + *opts): + ''' + Grep for a string in the specified file + + .. note:: + This function's return value is slated for refinement in future + versions of Salt + + path + Path to the file to be searched + + .. note:: + Globbing is supported (i.e. ``/var/log/foo/*.log``, but if globbing + is being used then the path should be quoted to keep the shell from + attempting to expand the glob expression. + + pattern + Pattern to match. For example: ``test``, or ``a[0-5]`` + + opts + Additional command-line flags to pass to the grep command. For example: + ``-v``, or ``-i -B2`` + + .. note:: + The options should come after a double-dash (as shown in the + examples below) to keep Salt's own argument parser from + interpreting them. + + CLI Example: + + .. code-block:: bash + + salt '*' file.grep /etc/passwd nobody + salt '*' file.grep /etc/sysconfig/network-scripts/ifcfg-eth0 ipaddr -- -i + salt '*' file.grep /etc/sysconfig/network-scripts/ifcfg-eth0 ipaddr -- -i -B2 + salt '*' file.grep "/etc/sysconfig/network-scripts/*" ipaddr -- -i -l + ''' + path = os.path.expanduser(path) + + split_opts = [] + for opt in opts: + try: + opt = salt.utils.shlex_split(opt) + except AttributeError: + opt = salt.utils.shlex_split(str(opt)) + split_opts.extend(opt) + + cmd = ['grep'] + split_opts + [pattern, path] + try: + ret = __salt__['cmd.run_all'](cmd, python_shell=False, ignore_retcode=True) + except (IOError, OSError) as exc: + raise CommandExecutionError(exc.strerror) + + return ret diff --git a/hubblestack_nova_modules/misc.py b/hubblestack_nova_modules/misc.py new file mode 100644 index 0000000..ea7c5cd --- /dev/null +++ b/hubblestack_nova_modules/misc.py 
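Review bot: `cmd = ['grep'] + split_opts + [pattern, path]` places the profile-supplied pattern where grep parses options, so any pattern beginning with `-` (a common case for fstab and sshd_config checks) is taken as a flag instead of a search string; use `cmd = ['grep'] + split_opts + ['-e', pattern, '--', path]` so both pattern and path are unambiguous. The docstring was copied from Salt's `file.grep` and now misleads: the `CLI Example` block advertises `salt '*' file.grep ...` for a private helper that has no CLI, and the globbing note does not hold here because `python_shell=False` means nothing expands the glob before grep sees it. The helper also relies on `os`, `salt.utils` and `CommandExecutionError` being imported at the top of grep.py, which lies outside this hunk — worth confirming since the module previously delegated to `__salt__['file.grep']` and may not have needed them.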
@@ -0,0 +1,256 @@ +# -*- encoding: utf-8 -*- +''' +Hubble Nova plugin for running miscellaneous one-off python functions to +run more complex nova audits without allowing arbitrary command execution +from within the yaml profiles. + +:maintainer: HubbleStack / basepi +:maturity: 2016.7.2 +:platform: All +:requires: SaltStack + +Sample YAML data, with inline comments: + +# Top level key lets the module know it should look at this data +misc: + # Unique ID for this set of audits + nodev: + data: + # 'osfinger' grain, for multiplatform support + 'Red Hat Enterprise Linux Server-6': + # tag is required + tag: CIS-1.1.10 + function: misc_function_name + args: # optional + - first_arg + - second_arg + kwargs: # optional + first_kwarg: value + second_kwarg: value + + # Catch-all, if no other osfinger match was found + '*': + tag: generic_tag + function: misc_function_name + args: # optional + - first_arg + - second_arg + kwargs: # optional + first_kwarg: value + second_kwarg: value + # Description will be output with the results + description: '/home should be nodev' +''' +from __future__ import absolute_import +import logging + +import fnmatch +import yaml +import os +import copy +import re +import salt.utils +from salt.ext import six + +log = logging.getLogger(__name__) + + +def __virtual__(): + return True + + +def audit(data_list, tags, verbose=False, show_profile=False, debug=False): + ''' + Run the misc audits contained in the data_list + ''' + __data__ = {} + for profile, data in data_list: + if show_profile: + _merge_yaml(__data__, data, profile) + else: + _merge_yaml(__data__, data) + __tags__ = _get_tags(__data__) + + if debug: + log.debug('misc audit __data__:') + log.debug(__data__) + log.debug('misc audit __tags__:') + log.debug(__tags__) + + ret = {'Success': [], 'Failure': [], 'Controlled': []} + + for tag in __tags__: + if fnmatch.fnmatch(tag, tags): + for tag_data in __tags__[tag]: + if 'control' in tag_data: + ret['Controlled'].append(tag_data) + 
continue + if 'function' not in tag_data: + continue + + function = FUNCTION_MAP.get(tag_data['function']) + if not function: + if 'Error' not in ret: + ret['Error'] = [] + ret['Error'].append({tag: 'No function {0} found' + .format(tag_data['function'])}) + args = tag_data.get('args', []) + kwargs = tag_data.get('kwargs', {}) + + # Call the function + result = function(*args, **kwargs) + + if result is True: + ret['Success'].append(tag_data) + elif isinstance(result, six.string_types): + tag_data['failure_reason'] = result + ret['Failure'].append(tag_data) + else: + ret['Failure'].append(tag_data) + + failure = [] + success = [] + controlled = [] + + if not verbose: + # Pull out just the tag and description + tags_descriptions = set() + + for tag_data in ret['Failure']: + tag = tag_data['tag'] + description = tag_data.get('description') + if (tag, description) not in tags_descriptions: + failure.append({tag: description}) + tags_descriptions.add((tag, description)) + + tags_descriptions = set() + + for tag_data in ret['Success']: + tag = tag_data['tag'] + description = tag_data.get('description') + if (tag, description) not in tags_descriptions: + success.append({tag: description}) + tags_descriptions.add((tag, description)) + + control_reasons = set() + + for tag_data in ret['Controlled']: + tag = tag_data['tag'] + control_reason = tag_data.get('control', '') + description = tag_data.get('description') + if (tag, description, control_reason) not in control_reasons: + tag_dict = {'description': description, + 'control': control_reason} + controlled.append({tag: tag_dict}) + control_reasons.add((tag, description, control_reason)) + + else: + # Format verbose output as single-key dictionaries with tag as key + for tag_data in ret['Failure']: + tag = tag_data['tag'] + failure.append({tag: tag_data}) + + for tag_data in ret['Success']: + tag = tag_data['tag'] + success.append({tag: tag_data}) + + for tag_data in ret['Controlled']: + tag = tag_data['tag'] + 
controlled.append({tag: tag_data}) + + ret['Controlled'] = controlled + ret['Success'] = success + ret['Failure'] = failure + + if not ret['Controlled']: + ret.pop('Controlled') + + return ret + + +def _merge_yaml(ret, data, profile=None): + ''' + Merge two yaml dicts together at the misc level + ''' + if 'misc' not in ret: + ret['misc'] = [] + if 'misc' in data: + for key, val in data['misc'].iteritems(): + if profile and isinstance(val, dict): + val['nova_profile'] = profile + ret['misc'].append({key: val}) + return ret + + +def _get_tags(data): + ''' + Retrieve all the tags for this distro from the yaml + ''' + ret = {} + distro = __grains__.get('osfinger') + for audit_dict in data.get('misc', []): + # misc:0 + for audit_id, audit_data in audit_dict.iteritems(): + # misc:0:nodev + tags_dict = audit_data.get('data', {}) + # misc:0:nodev:data + tags = None + for osfinger in tags_dict: + if osfinger == '*': + continue + osfinger_list = [finger.strip() for finger in osfinger.split(',')] + for osfinger_glob in osfinger_list: + if fnmatch.fnmatch(distro, osfinger_glob): + tags = tags_dict.get(osfinger) + break + if tags is not None: + break + # If we didn't find a match, check for a '*' + if tags is None: + tags = tags_dict.get('*', {}) + # misc:0:nodev:data:Debian-8 + if 'tag' not in tags: + tags['tag'] = '' + tag = tags['tag'] + if tag not in ret: + ret[tag] = [] + formatted_data = {'tag': tag, + 'module': 'misc'} + formatted_data.update(audit_data) + formatted_data.update(tags) + formatted_data.pop('data') + ret[tag].append(formatted_data) + return ret + + +############################ +# Begin function definitions +############################ + + +def test_success(): + ''' + Automatically returns success + ''' + return True + + +def test_failure(): + ''' + Automatically returns failure, no reason + ''' + return False + + +def test_failure_reason(reason): + ''' + Automatically returns failure, with a reason (first arg) + ''' + return reason + + +FUNCTION_MAP = { + 
'test_success': test_success, + 'test_failure': test_failure, + 'test_failure_reason': test_failure_reason, +} diff --git a/hubblestack_nova/modules/netstat.py b/hubblestack_nova_modules/netstat.py similarity index 100% rename from hubblestack_nova/modules/netstat.py rename to hubblestack_nova_modules/netstat.py diff --git a/hubblestack_nova/modules/openssl.py b/hubblestack_nova_modules/openssl.py similarity index 100% rename from hubblestack_nova/modules/openssl.py rename to hubblestack_nova_modules/openssl.py diff --git a/hubblestack_nova/modules/pkg.py b/hubblestack_nova_modules/pkg.py similarity index 100% rename from hubblestack_nova/modules/pkg.py rename to hubblestack_nova_modules/pkg.py diff --git a/hubblestack_nova/modules/pkgng_audit.py b/hubblestack_nova_modules/pkgng_audit.py similarity index 100% rename from hubblestack_nova/modules/pkgng_audit.py rename to hubblestack_nova_modules/pkgng_audit.py diff --git a/hubblestack_nova/modules/service.py b/hubblestack_nova_modules/service.py similarity index 100% rename from hubblestack_nova/modules/service.py rename to hubblestack_nova_modules/service.py diff --git a/hubblestack_nova/modules/stat.py b/hubblestack_nova_modules/stat.py similarity index 100% rename from hubblestack_nova/modules/stat.py rename to hubblestack_nova_modules/stat.py diff --git a/hubblestack_nova/modules/sysctl.py b/hubblestack_nova_modules/sysctl.py similarity index 100% rename from hubblestack_nova/modules/sysctl.py rename to hubblestack_nova_modules/sysctl.py diff --git a/hubblestack_nova/modules/win_auditpol.py b/hubblestack_nova_modules/win_auditpol.py similarity index 100% rename from hubblestack_nova/modules/win_auditpol.py rename to hubblestack_nova_modules/win_auditpol.py diff --git a/hubblestack_nova/modules/win_firewall.py b/hubblestack_nova_modules/win_firewall.py similarity index 100% rename from hubblestack_nova/modules/win_firewall.py rename to hubblestack_nova_modules/win_firewall.py 
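Review bot: In `audit()` the unknown-function branch records an error but does not skip the tag, so `function` is still `None` when `result = function(*args, **kwargs)` runs and the resulting `TypeError` aborts the whole audit for every tag, not just the misspelled one; add `continue` directly after `ret['Error'].append({tag: 'No function {0} found'.format(tag_data['function'])})`. Keeping `FUNCTION_MAP` as an explicit allowlist is the right boundary for "no arbitrary execution from YAML", and the docstring should say that this dict is that boundary so nobody later adds a generic `getattr` lookup. `args`/`kwargs` are passed straight from YAML, so a non-string kwarg key (an unquoted number) also raises `TypeError` at the call — a `str()` of the keys or a validation error would keep one bad profile from killing the run. The imports `yaml`, `os`, `copy`, `re` and `salt.utils` are unused in the new file.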
diff --git a/hubblestack_nova/modules/win_gp.py b/hubblestack_nova_modules/win_gp.py
similarity index 100%
rename from hubblestack_nova/modules/win_gp.py
rename to hubblestack_nova_modules/win_gp.py
diff --git a/hubblestack_nova/modules/win_pkg.py b/hubblestack_nova_modules/win_pkg.py
similarity index 100%
rename from hubblestack_nova/modules/win_pkg.py
rename to hubblestack_nova_modules/win_pkg.py
diff --git a/hubblestack_nova/modules/win_reg.py b/hubblestack_nova_modules/win_reg.py
similarity index 100%
rename from hubblestack_nova/modules/win_reg.py
rename to hubblestack_nova_modules/win_reg.py
diff --git a/hubblestack_nova/modules/win_secedit.py b/hubblestack_nova_modules/win_secedit.py
similarity index 100%
rename from hubblestack_nova/modules/win_secedit.py
rename to hubblestack_nova_modules/win_secedit.py
diff --git a/hubblestack_nova/cis/centos-6-level-1-scored-v1.yaml b/hubblestack_nova_profiles/cis/centos-6-level-1-scored-v1.yaml
similarity index 100%
rename from hubblestack_nova/cis/centos-6-level-1-scored-v1.yaml
rename to hubblestack_nova_profiles/cis/centos-6-level-1-scored-v1.yaml
diff --git a/hubblestack_nova/cis/centos-6-level-1-scored-v2-0-1.yaml b/hubblestack_nova_profiles/cis/centos-6-level-1-scored-v2-0-1.yaml
similarity index 100%
rename from hubblestack_nova/cis/centos-6-level-1-scored-v2-0-1.yaml
rename to hubblestack_nova_profiles/cis/centos-6-level-1-scored-v2-0-1.yaml
diff --git a/hubblestack_nova/cis/centos-7-level-1-scored-v1.yaml b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v1.yaml
similarity index 100%
rename from hubblestack_nova/cis/centos-7-level-1-scored-v1.yaml
rename to hubblestack_nova_profiles/cis/centos-7-level-1-scored-v1.yaml
diff --git a/hubblestack_nova/cis/centos-7-level-1-scored-v2-1-0.yaml b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-1-0.yaml similarity index 100% rename from hubblestack_nova/cis/centos-7-level-1-scored-v2-1-0.yaml rename to hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-1-0.yaml diff --git a/hubblestack_nova/cis/centos-7-level-1-scored-v2.yaml b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2.yaml similarity index 100% rename from hubblestack_nova/cis/centos-7-level-1-scored-v2.yaml rename to hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2.yaml diff --git a/hubblestack_nova/cis/debian-8-level-1-scored-v1-0-0.yaml b/hubblestack_nova_profiles/cis/debian-8-level-1-scored-v1-0-0.yaml similarity index 100% rename from hubblestack_nova/cis/debian-8-level-1-scored-v1-0-0.yaml rename to hubblestack_nova_profiles/cis/debian-8-level-1-scored-v1-0-0.yaml diff --git a/hubblestack_nova/cis/debian-8-level-1-scored-v1.yaml b/hubblestack_nova_profiles/cis/debian-8-level-1-scored-v1.yaml similarity index 99% rename from hubblestack_nova/cis/debian-8-level-1-scored-v1.yaml rename to hubblestack_nova_profiles/cis/debian-8-level-1-scored-v1.yaml index e2479a2..1183b33 100644 --- a/hubblestack_nova/cis/debian-8-level-1-scored-v1.yaml +++ b/hubblestack_nova_profiles/cis/debian-8-level-1-scored-v1.yaml @@ -41,7 +41,7 @@ grep: - '/etc/fstab': tag: 'CIS-2.4' pattern: '/tmp' - match_output: 'nosuid' + match_output: 'noexec' description: 'Set noexec option for /tmp Partition (Scored)' fstab_var_partition: diff --git a/hubblestack_nova/cis/rhels-6-level-1-scored-v1.yaml b/hubblestack_nova_profiles/cis/rhels-6-level-1-scored-v1.yaml similarity index 100% rename from hubblestack_nova/cis/rhels-6-level-1-scored-v1.yaml rename to hubblestack_nova_profiles/cis/rhels-6-level-1-scored-v1.yaml 
diff --git a/hubblestack_nova/cis/rhels-6-level-1-scored-v2-0-1.yaml b/hubblestack_nova_profiles/cis/rhels-6-level-1-scored-v2-0-1.yaml
similarity index 100%
rename from hubblestack_nova/cis/rhels-6-level-1-scored-v2-0-1.yaml
rename to hubblestack_nova_profiles/cis/rhels-6-level-1-scored-v2-0-1.yaml
diff --git a/hubblestack_nova/cis/rhels-7-level-1-scored-v1.yaml b/hubblestack_nova_profiles/cis/rhels-7-level-1-scored-v1.yaml
similarity index 100%
rename from hubblestack_nova/cis/rhels-7-level-1-scored-v1.yaml
rename to hubblestack_nova_profiles/cis/rhels-7-level-1-scored-v1.yaml
diff --git a/hubblestack_nova/cis/rhels-7-level-1-scored-v2-1-0.yaml b/hubblestack_nova_profiles/cis/rhels-7-level-1-scored-v2-1-0.yaml
similarity index 100%
rename from hubblestack_nova/cis/rhels-7-level-1-scored-v2-1-0.yaml
rename to hubblestack_nova_profiles/cis/rhels-7-level-1-scored-v2-1-0.yaml
diff --git a/hubblestack_nova/cis/rhelw-7-level-1-scored-v1.yaml b/hubblestack_nova_profiles/cis/rhelw-7-level-1-scored-v1.yaml
similarity index 100%
rename from hubblestack_nova/cis/rhelw-7-level-1-scored-v1.yaml
rename to hubblestack_nova_profiles/cis/rhelw-7-level-1-scored-v1.yaml
diff --git a/hubblestack_nova/cis/rhelw-7-level-1-scored-v2-1-0.yaml b/hubblestack_nova_profiles/cis/rhelw-7-level-1-scored-v2-1-0.yaml
similarity index 100%
rename from hubblestack_nova/cis/rhelw-7-level-1-scored-v2-1-0.yaml
rename to hubblestack_nova_profiles/cis/rhelw-7-level-1-scored-v2-1-0.yaml
diff --git a/hubblestack_nova/cis/ubuntu-1404-level-1-scored-v1-0-0.yaml b/hubblestack_nova_profiles/cis/ubuntu-1404-level-1-scored-v1-0-0.yaml
similarity index 100%
rename from hubblestack_nova/cis/ubuntu-1404-level-1-scored-v1-0-0.yaml
rename to hubblestack_nova_profiles/cis/ubuntu-1404-level-1-scored-v1-0-0.yaml
diff --git a/hubblestack_nova/cis/ubuntu-1404-level-1-scored-v1.yaml b/hubblestack_nova_profiles/cis/ubuntu-1404-level-1-scored-v1.yaml
similarity index 100%
rename from hubblestack_nova/cis/ubuntu-1404-level-1-scored-v1.yaml
rename to hubblestack_nova_profiles/cis/ubuntu-1404-level-1-scored-v1.yaml
diff --git a/hubblestack_nova/cis/windows-2008r2-level-1-scored-v1.yaml b/hubblestack_nova_profiles/cis/windows-2008r2-level-1-scored-v1.yaml
similarity index 100%
rename from hubblestack_nova/cis/windows-2008r2-level-1-scored-v1.yaml
rename to hubblestack_nova_profiles/cis/windows-2008r2-level-1-scored-v1.yaml
diff --git a/hubblestack_nova/cis/windows-2008r2-level-1-scored-v3-0-0.yaml b/hubblestack_nova_profiles/cis/windows-2008r2-level-1-scored-v3-0-0.yaml
similarity index 100%
rename from hubblestack_nova/cis/windows-2008r2-level-1-scored-v3-0-0.yaml
rename to hubblestack_nova_profiles/cis/windows-2008r2-level-1-scored-v3-0-0.yaml
diff --git a/hubblestack_nova/cis/windows-2012r2-level-1-scored-v1.yaml b/hubblestack_nova_profiles/cis/windows-2012r2-level-1-scored-v1.yaml
similarity index 100%
rename from hubblestack_nova/cis/windows-2012r2-level-1-scored-v1.yaml
rename to hubblestack_nova_profiles/cis/windows-2012r2-level-1-scored-v1.yaml
diff --git a/hubblestack_nova/cis/windows-2012r2-level-1-scored-v2-0-0.yaml b/hubblestack_nova_profiles/cis/windows-2012r2-level-1-scored-v2-0-0.yaml
similarity index 100%
rename from hubblestack_nova/cis/windows-2012r2-level-1-scored-v2-0-0.yaml
rename to hubblestack_nova_profiles/cis/windows-2012r2-level-1-scored-v2-0-0.yaml
diff --git a/hubblestack_nova/cve/scan-v1.yaml b/hubblestack_nova_profiles/cve/scan-v1.yaml
similarity index 100%
rename from hubblestack_nova/cve/scan-v1.yaml
rename to hubblestack_nova_profiles/cve/scan-v1.yaml
diff --git a/hubblestack_nova/cve/scan-v2-salt.yaml b/hubblestack_nova_profiles/cve/scan-v2-salt.yaml
similarity index 100%
rename from hubblestack_nova/cve/scan-v2-salt.yaml
rename to hubblestack_nova_profiles/cve/scan-v2-salt.yaml
diff --git a/hubblestack_nova/cve/scan-v2.yaml b/hubblestack_nova_profiles/cve/scan-v2.yaml
similarity index 100%
rename from hubblestack_nova/cve/scan-v2.yaml
rename to hubblestack_nova_profiles/cve/scan-v2.yaml
diff --git a/hubblestack_nova/firewall/ssh.yaml b/hubblestack_nova_profiles/firewall/ssh.yaml
similarity index 100%
rename from hubblestack_nova/firewall/ssh.yaml
rename to hubblestack_nova_profiles/firewall/ssh.yaml
diff --git a/hubblestack_nova/misc.yaml b/hubblestack_nova_profiles/misc.yaml
similarity index 100%
rename from hubblestack_nova/misc.yaml
rename to hubblestack_nova_profiles/misc.yaml
diff --git a/hubblestack_nova/network/smtp.yaml b/hubblestack_nova_profiles/network/smtp.yaml
similarity index 100%
rename from hubblestack_nova/network/smtp.yaml
rename to hubblestack_nova_profiles/network/smtp.yaml
diff --git a/hubblestack_nova/network/ssh.yaml b/hubblestack_nova_profiles/network/ssh.yaml
similarity index 100%
rename from hubblestack_nova/network/ssh.yaml
rename to hubblestack_nova_profiles/network/ssh.yaml
diff --git a/hubblestack_nova/samples/dont_blame_nrpe.yaml b/hubblestack_nova_profiles/samples/dont_blame_nrpe.yaml
similarity index 100%
rename from hubblestack_nova/samples/dont_blame_nrpe.yaml
rename to hubblestack_nova_profiles/samples/dont_blame_nrpe.yaml
diff --git a/hubblestack_nova/samples/sample_cis.yaml b/hubblestack_nova_profiles/samples/sample_cis.yaml
similarity index 100%
rename from hubblestack_nova/samples/sample_cis.yaml
rename to hubblestack_nova_profiles/samples/sample_cis.yaml
diff --git a/hubblestack_nova/samples/sample_command.yaml b/hubblestack_nova_profiles/samples/sample_command.yaml
similarity index 100%
rename from hubblestack_nova/samples/sample_command.yaml
rename to hubblestack_nova_profiles/samples/sample_command.yaml
diff --git a/hubblestack_nova/samples/sample_control.yaml b/hubblestack_nova_profiles/samples/sample_control.yaml
similarity index 100%
rename from hubblestack_nova/samples/sample_control.yaml
rename to hubblestack_nova_profiles/samples/sample_control.yaml
diff --git a/hubblestack_nova/samples/sample_firewall.yaml b/hubblestack_nova_profiles/samples/sample_firewall.yaml
similarity index 100%
rename from hubblestack_nova/samples/sample_firewall.yaml
rename to hubblestack_nova_profiles/samples/sample_firewall.yaml
diff --git a/hubblestack_nova/samples/sample_openssl.yaml b/hubblestack_nova_profiles/samples/sample_openssl.yaml
similarity index 100%
rename from hubblestack_nova/samples/sample_openssl.yaml
rename to hubblestack_nova_profiles/samples/sample_openssl.yaml
diff --git a/hubblestack_nova/stig/rhel-6-mac-1-classified.yaml b/hubblestack_nova_profiles/stig/rhel-6-mac-1-classified.yaml
similarity index 100%
rename from hubblestack_nova/stig/rhel-6-mac-1-classified.yaml
rename to hubblestack_nova_profiles/stig/rhel-6-mac-1-classified.yaml
diff --git a/hubblestack_nova/top.nova b/hubblestack_nova_profiles/top.nova
similarity index 100%
rename from hubblestack_nova/top.nova
rename to hubblestack_nova_profiles/top.nova