Merge pull request #277 from HubbleStack/develop

Merge to master (prep for v2016.10.2)
hubblestack · Nov 1, 2016 · 5ffb7a2 · 5ffb7a2
2 parents cee2c75 + 957ba22
commit 5ffb7a2
Show file tree

Hide file tree

Showing 12 changed files with 1,488 additions and 577 deletions.
diff --git a/FORMULA b/FORMULA
@@ -1,8 +1,7 @@
-top_level_dir: hubblestack_nova
 name: hubblestack_nova
 os: RedHat, CentOS, Debian, Ubuntu
 os_family: RedHat, Debian
-version: 2016.9.2
+version: 2016.10.1
 release: 1
 summary: HubbleStack Nova
 description: HubbleStack Nova
diff --git a/README.rst b/README.rst
@@ -243,20 +243,15 @@ the purposes of compliance percentage.
 Schedule
 --------
 
-In order to run the audits once daily, you can use the following schedule:
+In order to run the audits once daily, you can use the following cron job:
+
+**/etc/cron.d/hubble**
 
 .. code-block:: yaml
 
-    schedule:
-      nova_day:
-        function: hubble.top
-        seconds: 86400
-        kwargs:
-          verbose: True
-          show_profile: True
-        returner: splunk_nova_return
-        return_job: False
-        run_on_start: False
+    MAILTO=""
+    SHELL=/bin/bash
+    @daily       root /usr/bin/salt '*' hubble.top verbose=True,show_profile=True --return splunk_nova_return
 
 .. _nova_configuration:
 

diff --git a/hubblestack_nova/win_secedit.py b/hubblestack_nova/win_secedit.py
@@ -264,11 +264,13 @@ def _secedit_import(inf_file):
 def _get_account_sid():
     '''This helper function will get all the users and groups on the computer
     and return a dictionary'''
-    win32 = __salt__['cmd.run']('Get-WmiObject win32_useraccount | Format-List -Property '
-                                'Name, SID', shell='powershell', python_shell=True)
+    win32 = __salt__['cmd.run']('Get-WmiObject win32_useraccount -Filter "localaccount=\'True\'"'
+                                ' | Format-List -Property Name, SID', shell='powershell', 
+                                python_shell=True)
     win32 += '\n'
-    win32 += __salt__['cmd.run']('Get-WmiObject win32_group | Format-List -Property Name, '
-                                 'SID', shell='powershell', python_shell=True)
+    win32 += __salt__['cmd.run']('Get-WmiObject win32_group -Filter "localaccount=\'True\'" | '
+                                 'Format-List -Property Name, SID', shell='powershell',
+                                 python_shell=True)
     if win32:
 
         dict_return = {}
@@ -278,7 +280,7 @@ def _get_account_sid():
             lines.remove('local:')
         for line in lines:
             line = line.strip()
-            if line != '':
+            if line != '' and ' : ' in line:
                 k, v = line.split(' : ')
                 if k.lower() == 'name':
                     key = v

diff --git a/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-1-0.yaml b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2-1-0.yaml
@@ -46,7 +46,7 @@ grep:
             pattern: password
             tag: CIS-1.4.2
       description: Ensure bootloader password is set
-    chargen_diabled:
+    chargen_disabled:
       data:
         Red Hat Enterprise Server-7:
         - /etc/xinetd.d/chargen-dgram:
@@ -70,7 +70,7 @@ grep:
             match_output: yes
             tag: CIS-2.1.2
       description: Ensure daytime services are not enabled
-    discard_diabled:
+    discard_disabled:
       data:
         Red Hat Enterprise Server-7:
         - /etc/xinetd.d/discard-dgram:
@@ -82,7 +82,7 @@ grep:
             match_output: yes
             tag: CIS-2.1.3
       description: Ensure discard services are not enabled
-    echo_diabled:
+    echo_disabled:
       data:
         Red Hat Enterprise Server-7:
         - /etc/xinetd.d/echo-dgram:
@@ -94,7 +94,7 @@ grep:
             match_output: yes
             tag: CIS-2.1.4
       description: Ensure echo services are not enabled
-    time_diabled:
+    time_disabled:
       data:
         Red Hat Enterprise Server-7:
         - /etc/xinetd.d/time-dgram:
@@ -155,7 +155,7 @@ grep:
               - '-r'
             tag: CIS-5.4.4
       description: Ensure default user umask is 027 or more restrictive
-    disble_mount_cramfs:
+    disable_mount_cramfs:
       data:
         CentOS Linux-7:
         - /etc/modprobe.d:
@@ -165,7 +165,7 @@ grep:
               - '-r'
             tag: CIS-1.1.1.1
       description: Ensure mounting of cramfs filesystems is disabled
-    disble_mount_freevxfs:
+    disable_mount_freevxfs:
       data:
         CentOS Linux-7:
         - /etc/modprobe.d:
@@ -175,7 +175,7 @@ grep:
               - '-r'
             tag: CIS-1.1.1.2
       description: Ensure mounting of freevxfs filesystems is disabled
-    disble_mount_jffs2:
+    disable_mount_jffs2:
       data:
         CentOS Linux-7:
         - /etc/modprobe.d:
@@ -185,7 +185,7 @@ grep:
               - '-r'
             tag: CIS-1.1.1.3
       description: Ensure mounting of jffs2 filesystems is disabled
-    disble_mount_hfs:
+    disable_mount_hfs:
       data:
         CentOS Linux-7:
         - /etc/modprobe.d:
@@ -195,7 +195,7 @@ grep:
               - '-r'
             tag: CIS-1.1.1.4
       description: Ensure mounting of hfs filesystems is disabled
-    disble_mount_hfsplus:
+    disable_mount_hfsplus:
       data:
         CentOS Linux-7:
         - /etc/modprobe.d:
@@ -205,7 +205,7 @@ grep:
               - '-r'
             tag: CIS-1.1.1.5
       description: Ensure mounting of hfsplus filesystems is disabled
-    disble_mount_squashfs:
+    disable_mount_squashfs:
       data:
         CentOS Linux-7:
         - /etc/modprobe.d:
@@ -215,7 +215,7 @@ grep:
               - '-r'
             tag: CIS-1.1.1.6
       description: Ensure mounting of squashfs filesystems is disabled
-    disble_mount_udf:
+    disable_mount_udf:
       data:
         CentOS Linux-7:
         - /etc/modprobe.d:
@@ -225,7 +225,7 @@ grep:
               - '-r'
             tag: CIS-1.1.1.7
       description: Ensure mounting of udf filesystems is disabled
-    disble_mount_far:
+    disable_mount_fat:
       data:
         CentOS Linux-7:
         - /etc/modprobe.d:

diff --git a/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2.yaml b/hubblestack_nova_profiles/cis/centos-7-level-1-scored-v2.yaml
@@ -46,7 +46,7 @@ grep:
             pattern: password
             tag: CIS-1.4.2
       description: Set Boot Loader Password (Scored)
-    chargen_diabled:
+    chargen_disabled:
       data:
         Red Hat Enterprise Server-7:
         - /etc/xinetd.d/chargen-dgram:
@@ -70,7 +70,7 @@ grep:
             match_output: yes
             tag: CIS-2.1.2
       description: Ensure that daytime service in not enabled (Scored)
-    discard_diabled:
+    discard_disabled:
       data:
         Red Hat Enterprise Server-7:
         - /etc/xinetd.d/discard-dgram:
@@ -82,7 +82,7 @@ grep:
             match_output: yes
             tag: CIS-2.1.3
       description: Ensure that discard service in not enabled (Scored)
-    echo_diabled:
+    echo_disabled:
       data:
         Red Hat Enterprise Server-7:
         - /etc/xinetd.d/echo-dgram:
@@ -94,7 +94,7 @@ grep:
             match_output: yes
             tag: CIS-2.1.4
       description: Ensure that echo service in not enabled (Scored)
-    time_diabled:
+    time_disabled:
       data:
         Red Hat Enterprise Server-7:
         - /etc/xinetd.d/time-dgram:
@@ -155,7 +155,7 @@ grep:
               - '-r'
             tag: CIS-5.4.4
       description: Set Default umask for Users (Scored)
-    disble_mount_cramfs:
+    disable_mount_cramfs:
       data:
         CentOS Linux-7:
         - /etc/modprobe.d:
@@ -165,7 +165,7 @@ grep:
               - '-r'
             tag: CIS-1.1.1.1
       description: Disable mounting cramfs filesystems (Scored).
-    disble_mount_freevxfs:
+    disable_mount_freevxfs:
       data:
         CentOS Linux-7:
         - /etc/modprobe.d:
@@ -175,7 +175,7 @@ grep:
               - '-r'
             tag: CIS-1.1.1.2
       description: Disable mounting freevxfs filesystems (Scored).
-    disble_mount_jffs2:
+    disable_mount_jffs2:
       data:
         CentOS Linux-7:
         - /etc/modprobe.d:
@@ -185,7 +185,7 @@ grep:
               - '-r'
             tag: CIS-1.1.1.3
       description: Disable mounting jffs2 filesystems (Scored).
-    disble_mount_hfs:
+    disable_mount_hfs:
       data:
         CentOS Linux-7:
         - /etc/modprobe.d:
@@ -195,7 +195,7 @@ grep:
               - '-r'
             tag: CIS-1.1.1.4
       description: Disable mounting hfs filesystems (Scored).
-    disble_mount_hfsplus:
+    disable_mount_hfsplus:
       data:
         CentOS Linux-7:
         - /etc/modprobe.d:
@@ -205,7 +205,7 @@ grep:
               - '-r'
             tag: CIS-1.1.1.5
       description: Disable mounting hfsplus filesystems (Scored).
-    disble_mount_squashfs:
+    disable_mount_squashfs:
       data:
         CentOS Linux-7:
         - /etc/modprobe.d:
@@ -215,7 +215,7 @@ grep:
               - '-r'
             tag: CIS-1.1.1.6
       description: Disable mounting squashfs filesystems (Scored).
-    disble_mount_udf:
+    disable_mount_udf:
       data:
         CentOS Linux-7:
         - /etc/modprobe.d:
@@ -225,7 +225,7 @@ grep:
               - '-r'
             tag: CIS-1.1.1.7
       description: Disable mounting udf filesystems (Scored).
-    disble_mount_far:
+    disable_mount_fat:
       data:
         CentOS Linux-7:
         - /etc/modprobe.d:
@@ -905,7 +905,9 @@ stat:
     data:
       CentOS Linux-7:
       - /etc/passwd:
+          gid: 0
           group: root
+          mode: 644
           tag: CIS-6.1.2
           uid: 0
           user: root
@@ -947,7 +949,9 @@ stat:
     data:
       CentOS Linux-7:
       - /etc/passwd-:
+          gid: 0
           group: root
+          mode: 644
           tag: CIS-6.1.6
           uid: 0
           user: root