-- Open a transaction for the statements in this file. On MySQL/MariaDB every
-- CREATE/ALTER TABLE below commits implicitly, so the file is not atomic as a
-- whole: a failure part-way leaves the earlier DDL applied.
START TRANSACTION;
-- Catalogue of discovery applications, one row per app. `short_name` is the
-- unique machine identifier; `section` defaults to 'custom'.
CREATE TABLE IF NOT EXISTS `tdiscovery_apps` (
    `id_app` INT(10) AUTO_INCREMENT,
    `short_name` VARCHAR(250) NOT NULL DEFAULT '',
    `name` VARCHAR(250) NOT NULL DEFAULT '',
    `section` VARCHAR(250) NOT NULL DEFAULT 'custom',
    `description` VARCHAR(250) NOT NULL DEFAULT '',
    `version` VARCHAR(250) NOT NULL DEFAULT '',
    PRIMARY KEY (`id_app`),
    UNIQUE (`short_name`)
) ENGINE=InnoDB DEFAULT CHARSET=UTF8MB4;
-- Script macros attached to a discovery app: one (app, macro) pair per row,
-- with the macro's content in `value`. Rows are removed with their parent app.
CREATE TABLE IF NOT EXISTS `tdiscovery_apps_scripts` (
    `id_app` INT(10),
    `macro` VARCHAR(250) NOT NULL DEFAULT '',
    -- NOTE(review): a literal DEFAULT on a TEXT column is accepted by MariaDB
    -- but rejected by MySQL unless written as an expression default
    -- (DEFAULT ('') on 8.0.13+) — confirm against the supported engines.
    `value` TEXT NOT NULL DEFAULT '',
    PRIMARY KEY (`id_app`, `macro`),
    FOREIGN KEY (`id_app`) REFERENCES `tdiscovery_apps` (`id_app`)
        ON DELETE CASCADE ON UPDATE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=UTF8MB4;
-- Execution entries of a discovery app. `id` auto-increments and forms the
-- primary key together with `id_app`; rows cascade with their app.
-- NOTE(review): if `execution` holds command lines run by the server, write
-- access to this table is equivalent to running code on the server host —
-- confirm how the column is consumed and restrict writers accordingly.
CREATE TABLE IF NOT EXISTS `tdiscovery_apps_executions` (
    `id` INT(10) UNSIGNED NOT NULL AUTO_INCREMENT,
    `id_app` INT(10),
    `execution` TEXT NOT NULL DEFAULT '',
    PRIMARY KEY (`id`, `id_app`),
    FOREIGN KEY (`id_app`) REFERENCES `tdiscovery_apps` (`id_app`)
        ON DELETE CASCADE ON UPDATE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=UTF8MB4;
-- Macro values bound to one recon task (`id_task` -> trecon_task.id_rt).
-- `type` defaults to 'custom'; `temp_conf` is a small unsigned flag, default 0.
-- NOTE(review): if any macro carries credentials they are stored here in the
-- clear — confirm with the discovery code and its access controls.
CREATE TABLE IF NOT EXISTS `tdiscovery_apps_tasks_macros` (
    `id_task` INT(10) UNSIGNED NOT NULL,
    `macro` VARCHAR(250) NOT NULL DEFAULT '',
    `type` VARCHAR(250) NOT NULL DEFAULT 'custom',
    `value` TEXT NOT NULL DEFAULT '',
    `temp_conf` TINYINT UNSIGNED NOT NULL DEFAULT 0,
    PRIMARY KEY (`id_task`, `macro`),
    FOREIGN KEY (`id_task`) REFERENCES `trecon_task` (`id_rt`)
        ON DELETE CASCADE ON UPDATE CASCADE
) ENGINE=InnoDB DEFAULT CHARSET=UTF8MB4;
-- Link recon tasks to a discovery app and add the app-execution settings.
-- Deleting an app cascades to every task referencing it. `executions_timeout`
-- defaults to 60 (presumably seconds — confirm against the server code).
ALTER TABLE `trecon_task`
    ADD COLUMN `id_app` INT(10),
    ADD COLUMN `setup_complete` TINYINT UNSIGNED NOT NULL DEFAULT 0,
    ADD COLUMN `executions_timeout` INT UNSIGNED NOT NULL DEFAULT 60,
    ADD FOREIGN KEY (`id_app`) REFERENCES `tdiscovery_apps` (`id_app`)
        ON DELETE CASCADE ON UPDATE CASCADE;
-- Saved filters for the network explorer view.
-- NOTE(review): unlike `tnetwork_usage_filter`, `id` is not AUTO_INCREMENT
-- here, so callers must supply it — confirm this is intended.
-- NOTE(review): `advanced_filter` is free text; if it is ever spliced into a
-- query it must be validated or bound as a parameter at the call site.
CREATE TABLE IF NOT EXISTS `tnetwork_explorer_filter` (
    `id` INT NOT NULL,
    `filter_name` VARCHAR(45) NULL,
    `top` VARCHAR(45) NULL,
    `action` VARCHAR(45) NULL,
    `advanced_filter` TEXT NULL,
    PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=UTF8MB4;
-- Saved filters for the network usage view; `id` is assigned by the server.
-- Same layout as `tnetwork_explorer_filter`, including the free-text
-- `advanced_filter` column that must not be interpolated into SQL unescaped.
CREATE TABLE IF NOT EXISTS `tnetwork_usage_filter` (
    `id` INT NOT NULL AUTO_INCREMENT,
    `filter_name` VARCHAR(45) NULL,
    `top` VARCHAR(45) NULL,
    `action` VARCHAR(45) NULL,
    `advanced_filter` TEXT NULL,
    PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=UTF8MB4;
-- Visual console grid settings: colour (CSS hex string) and cell size, kept as
-- VARCHAR even though the size default is numeric. Placed after
-- `maintenance_mode` in the column order. `grid_color` ends up in rendered
-- markup, so validate or escape it on output.
ALTER TABLE `tlayout`
    ADD COLUMN `grid_color` VARCHAR(45) NOT NULL DEFAULT '#cccccc' AFTER `maintenance_mode`,
    ADD COLUMN `grid_size` VARCHAR(45) NOT NULL DEFAULT '10' AFTER `grid_color`;
-- Same grid settings as `tlayout`, mirrored on the template table so new
-- consoles inherit a colour and size.
ALTER TABLE `tlayout_template`
    ADD COLUMN `grid_color` VARCHAR(45) NOT NULL DEFAULT '#cccccc' AFTER `maintenance_mode`,
    ADD COLUMN `grid_size` VARCHAR(45) NOT NULL DEFAULT '10' AFTER `grid_color`;
-- Downtime bookkeeping flags on modules, alert templates and agents
-- (presumably recording which items a planned downtime quieted/disabled so the
-- previous state can be restored — confirm against the downtime code).
ALTER TABLE `tagente_modulo`
    ADD COLUMN `quiet_by_downtime` TINYINT NOT NULL DEFAULT 0,
    ADD COLUMN `disabled_by_downtime` TINYINT NOT NULL DEFAULT 0;
ALTER TABLE `talert_template_modules`
    ADD COLUMN `disabled_by_downtime` TINYINT NOT NULL DEFAULT 0;
ALTER TABLE `tagente`
    ADD COLUMN `disabled_by_downtime` TINYINT NOT NULL DEFAULT 0;
-- Remove the 'refr' token from tconfig (presumably the legacy page
-- auto-refresh setting — confirm it has no remaining readers).
DELETE FROM tconfig WHERE token = 'refr';
-- Inventory module definitions 37-40 for id_os = 2: CPU, RAM, NIC, Software.
-- `data_format` is the ';'-separated field list each module reports; `code`
-- is empty, `block_mode` 0 and `script_mode` 2 for all four. Kept as separate
-- statements so each row is inserted independently.
INSERT INTO `tmodule_inventory`
    (`id_module_inventory`, `id_os`, `name`, `description`, `interpreter`, `data_format`, `code`, `block_mode`, `script_mode`)
VALUES
    (37, 2, 'CPU', 'CPU', '', 'Brand;Clock;Model', '', 0, 2);
INSERT INTO `tmodule_inventory`
    (`id_module_inventory`, `id_os`, `name`, `description`, `interpreter`, `data_format`, `code`, `block_mode`, `script_mode`)
VALUES
    (38, 2, 'RAM', 'RAM', '', 'Size', '', 0, 2);
INSERT INTO `tmodule_inventory`
    (`id_module_inventory`, `id_os`, `name`, `description`, `interpreter`, `data_format`, `code`, `block_mode`, `script_mode`)
VALUES
    (39, 2, 'NIC', 'NIC', '', 'NIC;Mac;Speed', '', 0, 2);
INSERT INTO `tmodule_inventory`
    (`id_module_inventory`, `id_os`, `name`, `description`, `interpreter`, `data_format`, `code`, `block_mode`, `script_mode`)
VALUES
    (40, 2, 'Software', 'Software', '', 'PKGINST;VERSION;NAME', '', 0, 2);
-- Nullable report period range (default 0), stored right after `period`.
ALTER TABLE `treport_content` ADD COLUMN `period_range` INT NULL DEFAULT 0 AFTER `period`;
-- Event comments, one row per comment (this file migrates them out of the
-- JSON array in tevento.user_comment). Comments are deleted with their event;
-- deleting the author's account keeps the comment with `id_user` = NULL.
-- `comment` and `action` are free text — treat as untrusted when rendered.
CREATE TABLE IF NOT EXISTS `tevent_comment` (
    `id` SERIAL PRIMARY KEY,
    `id_event` BIGINT UNSIGNED NOT NULL,
    `utimestamp` BIGINT NOT NULL DEFAULT 0,
    `comment` TEXT,
    `id_user` VARCHAR(255) DEFAULT NULL,
    `action` TEXT,
    FOREIGN KEY (`id_event`) REFERENCES `tevento` (`id_evento`)
        ON UPDATE CASCADE ON DELETE CASCADE,
    FOREIGN KEY (`id_user`) REFERENCES `tusuario` (`id_user`)
        ON DELETE SET NULL
) ENGINE=InnoDB DEFAULT CHARSET=UTF8MB4;
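-- Copy the legacy JSON array tevento.user_comment into tevent_comment, one row
-- per array element. The numbers table `n` now enumerates indexes 0..999,
-- trimmed to the longest array actually present; the previous 0..2 table kept
-- only the first three comments of each event, and the column is dropped
-- right after this statement, so everything beyond was lost. Events with more
-- than 1000 comments would still be truncated.
-- NOTE(review): JSON_LENGTH raises an error on malformed JSON, which aborts
-- the migration; a JSON_VALID() guard would skip such rows instead — decide
-- which failure mode is wanted before adding one.
INSERT INTO `tevent_comment` (`id_event`, `utimestamp`, `comment`, `id_user`, `action`)
SELECT
    `id_event`,
    `utimestamp`,
    `comment`,
    `id_user`,
    `action`
FROM (
    SELECT
        tevento.id_evento AS `id_event`,
        JSON_UNQUOTE(JSON_EXTRACT(tevento.user_comment, CONCAT('$[', n.num, '].utimestamp'))) AS `utimestamp`,
        JSON_UNQUOTE(JSON_EXTRACT(tevento.user_comment, CONCAT('$[', n.num, '].comment'))) AS `comment`,
        JSON_UNQUOTE(JSON_EXTRACT(tevento.user_comment, CONCAT('$[', n.num, '].id_user'))) AS `id_user`,
        JSON_UNQUOTE(JSON_EXTRACT(tevento.user_comment, CONCAT('$[', n.num, '].action'))) AS `action`
    FROM tevento
    INNER JOIN (
        -- 0..999 from three digit sets, limited to the longest comment array
        -- so the join does not fan out more than needed on large tables.
        SELECT hundreds.d * 100 + tens.d * 10 + units.d AS num
        FROM (SELECT 0 d UNION ALL SELECT 1 UNION ALL SELECT 2 UNION ALL SELECT 3 UNION ALL SELECT 4
              UNION ALL SELECT 5 UNION ALL SELECT 6 UNION ALL SELECT 7 UNION ALL SELECT 8 UNION ALL SELECT 9) units
        CROSS JOIN (SELECT 0 d UNION ALL SELECT 1 UNION ALL SELECT 2 UNION ALL SELECT 3 UNION ALL SELECT 4
              UNION ALL SELECT 5 UNION ALL SELECT 6 UNION ALL SELECT 7 UNION ALL SELECT 8 UNION ALL SELECT 9) tens
        CROSS JOIN (SELECT 0 d UNION ALL SELECT 1 UNION ALL SELECT 2 UNION ALL SELECT 3 UNION ALL SELECT 4
              UNION ALL SELECT 5 UNION ALL SELECT 6 UNION ALL SELECT 7 UNION ALL SELECT 8 UNION ALL SELECT 9) hundreds
        WHERE hundreds.d * 100 + tens.d * 10 + units.d < (
            SELECT MAX(JSON_LENGTH(user_comment)) FROM tevento WHERE user_comment != ''
        )
    ) n ON n.num < JSON_LENGTH(tevento.user_comment)
    -- Single quotes: "" would be parsed as an identifier under ANSI_QUOTES.
    WHERE tevento.user_comment != ''
) t
-- Only affects the auto-assigned `id` order; kept from the original.
ORDER BY utimestamp DESC;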
-- Irreversible: removes the legacy JSON comment column once the
-- INSERT ... SELECT above has copied its contents into tevent_comment. Any
-- element that statement did not migrate is lost here.
ALTER TABLE tevento DROP COLUMN user_comment;
-- Per-user session lifetime cap, default 0 (presumably "no per-user cap, use
-- the global setting"; units not stated here — confirm in the session code).
ALTER TABLE `tusuario` ADD COLUMN `session_max_time_expire` INT NOT NULL DEFAULT 0 AFTER `auth_token_secret`;
-- Catalogue of configuration-hardening checks (tsca; presumably "Security
-- Configuration Assessment"), keyed by a fixed numeric id supplied by the
-- INSERTs below. `compliance` holds a JSON-formatted list mapping each check to
-- benchmark ids (cis, pci_dss, nist_800_53, ...); all text columns are nullable.
CREATE TABLE IF NOT EXISTS `tsca` (
    `id` INT NOT NULL,
    `title` VARCHAR(255) DEFAULT NULL,
    `description` TEXT DEFAULT NULL,
    `rationale` TEXT DEFAULT NULL,
    `impact` TEXT DEFAULT NULL,
    `remediation` TEXT DEFAULT NULL,
    `compliance` TEXT DEFAULT NULL,
    PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=UTF8MB4;
INSERT INTO `tsca` VALUES (1000,'Create Separate Partition for /tmp','The /tmp directory is a world-writable directory used for temporary storage by all users and some applications.','Since the /tmp directory is intended to be world-writable, there is a risk of resource exhaustion if it is not bound to a separate partition. In addition, making /tmp its own file system allows an administrator to set the noexec option on the mount, making /tmp useless for an attacker to install executable code. It would also prevent an attacker from establishing a hardlink to a system setuid program and wait for it to be updated. Once the program was updated, the hardlink would be broken and the attacker would have his own copy of the program. If the program happened to have a security vulnerability, the attacker could continue to exploit the known flaw.','','Configure /etc/fstab as appropriate or Run the following commands to enable systemd /tmp mounting: systemctl umask tmp.mount; systemctl enable tmp.mount. Edit /etc/systemd/system/local-fs.target.wants/tmp.mount to configure the /tmp mount.','[{\"cis\": [\"2.1\"]}, {\"pci_dss\": [\"2.2.4\"]}, {\"nist_800_53\": [\"CM.1\"]}]'),(1001,'Set nodev option for /tmp Partition','The nodev mount option specifies that the filesystem cannot contain special devices.','Since the /tmp filesystem is not intended to support devices, set this option to ensure that users cannot attempt to create block or character special devices in /tmp.','','Edit the /etc/fstab file and add nodev to the fourth field (mounting options). See the fstab(5) manual page for more information.  
# mount -o remount,nodev /tmp','[{\"cis\": [\"2.2\"]}, {\"pci_dss\": [\"2.2.4\"]}, {\"nist_800_53\": [\"CM.1\"]}, {\"tsc\": [\"CC5.2\"]}]'),(1002,'Set nosuid option for /tmp Partition','The nosuid mount option specifies that the filesystem cannot contain set userid files.','Since the /tmp filesystem is only intended for temporary file storage, set this option to ensure that users cannot create set userid files in /tmp.','','Edit the /etc/fstab file and add nosuid to the fourth field (mounting options). See the fstab(5) manual page for more information.  # mount -o remount,nosuid /tmp','[{\"cis\": [\"2.3\"]}, {\"pci_dss\": [\"2.2.4\"]}, {\"nist_800_53\": [\"CM.1\"]}, {\"tsc\": [\"CC5.2\"]}]'),(1003,'Set noexec option for /tmp partition','The noexec mount option specifies that the filesystem cannot contain executable binaries.','Since the /tmp filesystem is&
INSERT INTO `tsca` VALUES (3512,'Add noexec Option to /dev/shm Partition','Set noexec on the shared memory partition to prevent programs from executing from there.','Setting this option on a file system prevents users from executing programs from shared memory. This deters users from introducing potentially malicious software on the system.','','Edit the /etc/fstab file and add noexec to the fourth field (mounting options). Look for entries that have mount points that contain /dev/shm. # mount -o remount,noexec /dev/shm','[{\"cis\": [\"1.1.16\"]}, {\"pci_dss\": [\"2.2.4\"]}, {\"nist_800_53\": [\"CM.1\"]}]'),(3513,'Disable yum-updatesd','The yum-updatesd utility provides notification of updates that are available for your system.','The yum-updatesd service may introduce unnecessary overhead and prevent other programs from running. When possible, replace this service with a cron job that calls yum directly.','','Disable the yum-updatesd daemon by running the following command: # chkconfig yum-updatesd off','[{\"cis\": [\"1.2.5\"]}, {\"pci_dss\": [\"6.2\"]}, {\"nist_800_53\": [\"SI.2\"]}, {\"tsc\": [\"A1.2\", \"CC6.8\"]}]'),(3514,'Enable SELinux in /etc/grub.conf','Configure SELINUX to be enabled at boot time and verify that it has not been overwritten by the grub boot parameters','SELinux must be enabled at boot time in /etc/grub.conf to ensure that the controls it provides are not overwritten.','','Remove all instances of selinux=0 and enforcing=0 from /etc/grub.conf.','[{\"cis\": [\"1.4.1\"]}, {\"pci_dss\": [\"2.2.4\"]}, {\"nist_800_53\": [\"CM.1\"]}]'),(3515,'Set the SELinux State','Set SELinux to enable when the system is booted.','SELinux must be enabled at boot time in to ensure that the controls it provides are in effect at all times.','','Edit the /etc/selinux/config file to set the SELINUX parameter: SELINUX=enforcing','[{\"cis\": [\"1.4.2\"]}, {\"pci_dss\": [\"2.2.4\"]}, {\"nist_800_53\": [\"CM.1\"]}]'),(3516,'Set the SELinux Policy','Configure SELinux to 
meet or exceed the default targeted policy, which constrains daemons and system software only.','Security configuration requirements vary from site to site. Some sites may mandate a policy that is stricter than the default policy, which is perfectly acceptable. This item is intended to ensure that at least the default recommendations are met.','','Edit the /etc/selinux/config file to set the SELINUXTYPE parameter: SELINUXTYPE=targeted','[{\"cis\": [\"1.4.3\"]}, {\"pci_dss\": [\"2.2.4\"]}, {\"nist_800_53\": [\"CM.1\"]}]'),(3517,'Remove SETroubleshoot','The SETroubleshoot service notifies desktop users of SELinux denials through a user-friendly
INSERT INTO `tsca` VALUES (5641,'Ensure permissions on /etc/cron.monthly are configured','The /etc/cron.monthly directory contains system cron jobs that need to run on a monthly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.','Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.','','Run the following commands to set ownership and permissions on /etc/cron.monthly : chown root:root /etc/cron.monthly and chmod og-rwx /etc/cron.monthly','[{\"cis\": [\"5.1.6\"]}, {\"cis_csc\": [\"5.1\"]}, {\"pci_dss\": [\"2.2.4\"]}, {\"nist_800_53\": [\"CM.1\"]}, {\"tsc\": [\"CC5.2\"]}]'),(5642,'Ensure permissions on /etc/cron.d are configured','Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow , cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs.','On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. 
In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files.','','Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow: rm /etc/cron.deny;rm /etc/at.deny;touch /etc/cron.allow; touch /etc/at.allow; chmod og-rwx /etc/cron.allow; chmod og-rwx /etc/at.allow; chown root:root /etc/cron.allow and chown root:root /etc/at.allow','[{\"cis\": [\"5.1.7\"]}, {\"cis_csc\": [\"5.1\"]}, {\"pci_dss\": [\"2.2.4\"]}, {\"nist_800_53\": [\"CM.1
INSERT INTO `tsca` VALUES (10513,'Ensure 'old_passwords' Is Not Set to '1' or 'ON'','This variable controls the password hashing method used by the PASSWORD() function and for the IDENTIFIED BY clause of the CREATE USER and GRANT statements.  Before 5.6.6, the value can be 0 (or OFF), or 1 (or ON). As of 5.6.6, the following value can be one of the following: 0 - authenticate with the mysql_native_password plugin; 1 - authenticate with the mysql_old_password plugin; 2 - authenticate with the sha256_password plugin','The mysql_old_password plugin leverages an algorithm that can be quickly brute forced using an offline dictionary attack. See CVE-2003-1480 for additional details.','','Configure mysql to leverage the mysql_native_password or sha256_password plugin.','[{\"cis\": [\"7.1\"]}]'),(10514,'Ensure 'secure_auth' is set to 'ON'','This option dictates whether the server will deny connections by clients that attempt to use accounts that have their password stored in the mysql_old_password format.','Enabling this option will prevent all use of passwords employing the old format (and hence insecure communication over the network).','','Add a line secure_auth=ON to the [mysqld] section of the MySQL option file.','[{\"cis\": [\"7.2\"]}]'),(10515,'Ensure Passwords Are Not Stored in the Global Configuration','The [client] section of the MySQL configuration file allows setting a user and password to be used. Verify the password option is not used in the global configuration file (my.cnf).','The use of the password parameter may negatively impact the confidentiality of the user's password.','','Use the mysql_config_editor to store authentication credentials in .mylogin.cnf in encrypted form. If not possible, use the user-specific options file, .my.cnf., and restricting file access permissions to the user identity. 
','[{\"cis\": [\"7.3\"]}]'),(10516,'Ensure 'sql_mode' Contains 'NO_AUTO_CREATE_USER'','NO_AUTO_CREATE_USER is an option for sql_mode that prevents a GRANT statement from automatically creating a user when authentication information is not provided.','Blank passwords negate the benefits provided by authentication mechanisms. Without this setting an administrative user might accidentally create a user without a password.','','In the MySQL configuration file (my.cnf), find the sql_mode setting in the [mysqld] area, and add the NO_AUTO_CREATE_USER to the s
INSERT INTO `tsca` VALUES (15651,'Ensure 'Audit Account Lockout' is set to include 'Failure'.','This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this subcategory include: - 4625: An account failed to log on. The recommended state for this setting is to include: Failure.','Auditing these events may be useful when investigating a security incident.','','To establish the recommended configuration via GP, set the following UI path to include Failure: Computer ConfigurationPoliciesWindows SettingsSecurity SettingsAdvanced Audit Policy ConfigurationAudit PoliciesLogon/LogoffAudit Account Lockout','[{\"cis\": [\"17.5.1\"]}, {\"cis_csc\": [\"8.5\"]}]'),(15652,'Ensure 'Audit Group Membership' is set to include 'Success'.','This policy allows you to audit the group membership information in the user’s logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource. The recommended state for this setting is to include: Success. Note: A Windows 10, Server 2016 or newer OS is required to access and set this value in Group Policy.','Auditing these events may be useful when investigating a security incident.','','To establish the recommended configuration via GP, set the following UI path to include Success: Computer ConfigurationPoliciesWindows SettingsSecurity SettingsAdvanced Audit Policy ConfigurationAudit PoliciesLogon/LogoffAudit Group Membership','[{\"cis\": [\"17.5.2\"]}, {\"cis_csc\": [\"8.5\"]}]'),(15653,'Ensure 'Audit Logoff' is set to include 'Success'.','This subcategory reports when a user logs off from the system. These events occur on the accessed computer. 
For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource. If you configure this setting to No auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers. Events for this subcategory include: - 4634: An account was&
INSERT INTO `tsca` VALUES (16223,'Ensure 'Configure local setting override for reporting to  Microsoft MAPS' is set to 'Disabled'','This policy setting configures a local override for the configuration to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to "Windows Defender Antivirus Cloud Protection Service". This setting can only be set by Group Policy. The recommended state for this setting is: Disabled .','The decision on whether or not to participate in Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service for malicious software reporting should be made centrally in an enterprise managed environment, so that all computers within it behave consistently in that regard. Configuring this setting to Disabled ensures that the decision remains centrally managed.','','To establish the recommended configuration via GP, set the following UI path to Disabled : Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsWindows Defender AntivirusMAPSConfigure local setting override for reporting to Microsoft MAPS Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsDefender.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).','[{\"cis\": [\"18.9.76.3.1\"]}, {\"cis_csc\": [\"8\"]}, {\"pci_dss\": [\"2.2.3\"]}, {\"nist_800_53\": [\"CM.1\"]}, {\"gpg_13\": [\"4.3\"]}, {\"gdpr_IV\": [\"35.7.d\"]}, {\"hipaa\": [\"164.312.b\"]}, {\"tsc\": [\"CC5.2\"]}]'),(16224,'Ensure 'Join Microsoft MAPS' is set to 'Disabled'','This policy setting allows you to join Microsoft Active Protection Service (MAPS), which Microsoft has now renamed to 'Windows Defender Antivirus Cloud Protection Service'. Microsoft MAPS / Windows Defender Antivirus Cloud Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. 
You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new definitions and help it to protect your computer. Possible options are: - (0x0) Disabled (default) - (0x1) Basic membership - (0x2) Advanced membership   Basic membership will send basic information to Microsoft about software that has been detected including where the software came from the actions that y
INSERT INTO `tsca` VALUES (18619,'Ensure events that modify user/group information are collected.','Record events affecting the group , passwd (user IDs), shadow and gshadow (passwords) or /etc/security/opasswd (old passwords, based on remember parameter in the PAM configuration) files. The parameters in this section will watch the files to see if they have been opened for write or have had attribute changes (e.g. permissions) and tag them with the identifier "identity" in the audit log file.','Unexpected changes to these files could be an indication that the system has been compromised and that an unauthorized user is attempting to hide their activities or compromise additional accounts.','','edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add the following lines: -w /etc/group -p wa -k identity | -w /etc/passwd -p wa -k identity | -w /etc/gshadow -p wa -k identity | -w /etc/shadow -p wa -k identity | -w /etc/security/opasswd -p wa -k identity Notes: Reloading the auditd config to set active settings may require a system reboot.','[{\"cis\": [\"4.1.4\"]}, {\"cis_csc\": [\"4.8\"]}, {\"pci_dss\": [\"10.2.5\"]}, {\"hipaa\": [\"164.312.b\"]}, {\"nist_800_53\": [\"AU.14\", \"AC.7\"]}, {\"gpg_13\": [\"7.8\"]}, {\"gdpr_IV\": [\"35.7\", \"32.2\"]}, {\"tsc\": [\"CC6.1\", \"CC6.8\", \"CC7.2\", \"CC7.3\", \"CC7.4\"]}]'),(18620,'Ensure events that modify the system's network environment are collected.','Record changes to network environment files or system calls. The below parameters monitor the sethostname (set the systems host name) or setdomainname (set the systems domainname) system calls, and write an audit event on system call exit. 
The other parameters monitor the /etc/issue and /etc/issue.net files (messages displayed pre- login), /etc/hosts (file containing host names and associated IP addresses) and /etc/sysconfig/network (directory containing network interface scripts and configurations) files.','Monitoring sethostname and setdomainname will identify potential unauthorized changes to host and domainname of a system. The changing of these names could potentially break security parameters that are set based on those names. The /etc/hosts file is monitored for changes in the file that can indicate an unauthorized intruder is trying to change machine associations with IP addresses and trick users and processes into connecting to unintended machines. Monitoring /etc/issue and /etc/issue.n
INSERT INTO `tsca` VALUES (20164,'Ensure default user shell timeout is 900 seconds or less.','The default TMOUT determines the shell timeout for users. The TMOUT value is measured in seconds.','Having no timeout value associated with a shell could allow an unauthorized user access to another user's shell session (e.g. user walks away from their computer and doesn't lock the screen). Setting a timeout value at least reduces the risk of this happening.','','Edit the /etc/bashrc and /etc/profile files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows: TMOUT=600','[{\"cis\": [\"5.4.5\"]}, {\"cis_csc\": [\"16.11\"]}, {\"pci_dss\": [\"12.3.8\"]}]'),(20165,'Ensure access to the su command is restricted..','The su command allows a user to run a command or shell as another user. The program has been superseded by sudo , which allows for more granular control over privileged access. Normally, the su command can be executed by any user. By uncommenting the pam_wheel.so statement in /etc/pam.d/su , the su command will only allow users in the wheel group to execute su .','Restricting the use of su , and using sudo in its place, provides system administrators better control of the escalation of user privileges to execute privileged commands. 
The sudo utility also provides a better logging and audit mechanism, as it can log each command executed via sudo , whereas su can only record that a user executed the su program.','','Add the following line to the /etc/pam.d/su file: auth required pam_wheel.so use_uid','[{\"cis\": [\"5.6\"]}, {\"cis_csc\": [\"5.1\"]}, {\"pci_dss\": [\"10.2.5\"]}, {\"hipaa\": [\"164.312.b\"]}, {\"nist_800_53\": [\"AU.14\", \"AC.7\"]}, {\"gpg_13\": [\"7.8\"]}, {\"gdpr_IV\": [\"35.7\", \"32.2\"]}, {\"tsc\": [\"CC6.1\", \"CC6.8\", \"CC7.2\", \"CC7.3\", \"CC7.4\"]}]'),(20166,'Ensure permissions on /etc/passwd are configured.','The /etc/passwd file contains user account information that is used by many system utilities and therefore must be readable for these utilities to operate.','It is critical to ensure that the /etc/passwd file is protected from unauthorized write access. Although it is protected by default, the file permissions could be changed either inadvertently or through malicious actions.','','Run the following command to set permissions on /etc/passwd: # chown root:root /etc/passwd # chmod 644 /etc/passwd','[{\"cis\": [\"6.1.2\"]}, {\"cis_csc\": [\"16.44\"]}, {\"pci_dss\": [\"2.2.4\"]}, {\"
INSERT INTO `tsca` VALUES (24022,'Ensure 'log_statement' is set correctly','The log_statement setting specifies the types of SQL statements that are logged. It is recommended this be set to ddl unless otherwise directed by your organization's logging policy.
','Setting log_statement to align with your organization's security and logging policies facilitates later auditing and review of database activities.
','','Execute the following SQL statement(s) as superuser to remediate this setting:
postgres=# alter system set log_statement='ddl';
ALTER SYSTEM
postgres=# select pg_reload_conf();
pg_reload_conf
----------------
t
(1 row)
','[{\"cis\": [\"3.1.23\"]}, {\"cis_csc\": [\"6\", \"6.3\"]}]'),(24023,'Ensure 'log_timezone' is set correctly','The log_timezone setting specifies the time zone to use in timestamps within log messages. This value is cluster-wide, so that all sessions will report timestamps consistently. Unless directed otherwise by your organization's logging policy, set this to either GMT or UTC.
','Log entry timestamps should be configured for an appropriate time zone as defined by your organization's logging policy to ensure a lack of confusion around when a logged event occurred.
Note that this setting affects only the timestamps present in the logs. It does not affect the time zone in use by the database itself (for example, select now()), nor does it affect the host's time zone.
','','Execute the following SQL statement(s) to remediate this setting:
postgres=# alter system set log_timezone = 'GMT';
ALTER SYSTEM
postgres=# select pg_reload_conf();
pg_reload_conf
----------------
72 | Page
t
(1 row)
','[{\"cis\": [\"3.1.24\"]}, {\"cis_csc\": [\"6\", \"6.3\"]}]'),(24024,'Ensure the PostgreSQL Audit Extension (pgAudit) is enabled','The PostgreSQL Audit Extension (pgAudit) provides detailed session and/or object audit logging via the standard PostgreSQL logging facility. The goal of pgAudit is to provide PostgreSQL users with the capability to produce audit logs often required to comply with government, financial, or ISO certifications.
','Basic statement logging can be provided by the standard logging facility with log_statement = all. This is acceptable for monitoring and other uses but does not provide the level of detail generally required for an audit. It is not enough to have a list of all the operations perf
INSERT INTO `tsca` VALUES (26339,'Ensure 'Do not allow COM port redirection' is set to 'Enabled'.','This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. The recommended state for this setting is: Enabled.','In a more security-sensitive environment, it is desirable to reduce the possible attack surface. The need for COM port redirection within a Remote Desktop session is very rare, so makes sense to reduce the number of unexpected avenues for data exfiltration and/or malicious code transfer.','','To establish the recommended configuration via GP, set the following UI path to Enabled: Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsRemote Desktop ServicesRemote Desktop Session HostDevice and Resource RedirectionDo not allow COM port redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.','[{\"cis\": [\"18.9.65.3.3.2\"]}, {\"pci_dss\": [\"2.2.5\"]}, {\"tsc\": [\"CC6.3\"]}]'),(26340,'Ensure 'Do not allow drive redirection' is set to 'Enabled'.','This policy setting prevents users from sharing the local drives on their client computers to Remote Desktop Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \TSClient<driveletter>$ If local drives are shared they are left vulnerable to intruders who want to exploit the data that is stored on them. The recommended state for this setting is: Enabled.','Data could be forwarded from the user's Remote Desktop Services session to the user's local computer without any direct user interaction. 
Malicious software already present on a compromised server would have direct and stealthy disk access to the user's local computer during the Remote Desktop session.','','To establish the recommended configuration via GP, set the following UI path to Enabled: Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsRemote Desktop ServicesRemote Desktop Session HostDevice and Resource RedirectionDo not allow drive redirection. Note: This Group Policy path is provided by the Group Policy template TerminalServer.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.','[{\"cis\": [\"18.9.65.3.3.3\"]}, {\"pci_dss
INSERT INTO `tsca` VALUES (28058,'Ensure VSFTP Server is not installed.','FTP (File Transfer Protocol) is a traditional and widely used standard tool for transferring files between a server and clients over a network, especially where no authentication is necessary (permits anonymous users to connect to a server).','Unless there is a need to run the system as a FTP server, it is recommended that the package be removed to reduce the potential attack surface.','','Run the following command to remove vsftpd: # dnf remove vsftpd.','[{\"cis\": [\"2.2.6\"]}, {\"cis_csc_v8\": [\"4.8\"]}, {\"cis_csc_v7\": [\"9.2\"]}, {\"nist_sp_800-53\": [\"CM-7\"]}, {\"cmmc_v2.0\": [\"CM.L2-3.4.7\", \"CM.L2-3.4.8\", \"SC.L2-3.13.6\"]}, {\"pci_dss_3.2.1\": [\"1.1.6\", \"1.2.1\", \"2.2.2\", \"2.2.5\"]}, {\"pci_dss_4.0\": [\"1.2.5\", \"2.2.4\", \"6.4.1\"]}, {\"soc_2\": [\"CC6.3\", \"CC6.6\"]}, {\"iso_27001-2013\": [\"A.13.1.3\"]}, {\"mitre_techniques\": [\"T1203\", \"T1210\", \"T1543\", \"T1543.002\"]}, {\"mitre_tactics\": [\"TA0008\"]}, {\"mitre_mitigations\": [\"M1042\"]}]'),(28059,'Ensure TFTP Server is not installed.','Trivial File Transfer Protocol (TFTP) is a simple protocol for exchanging files between two TCP/IP machines. TFTP servers allow connections from a TFTP Client for sending and receiving files.','Unless there is a need to run the system as a TFTP server, it is recommended that the package be removed to reduce the potential attack surface. TFTP does not have built-in encryption, access control or authentication. 
This makes it very easy for an attacker to exploit TFTP to gain access to files.','TFTP is often used to provide files for network booting such as for PXE based installation of servers.','Run the following command to remove tftp-server: # dnf remove tftp-server.','[{\"cis\": [\"2.2.7\"]}, {\"cis_csc_v8\": [\"4.8\"]}, {\"cis_csc_v7\": [\"9.2\"]}, {\"nist_sp_800-53\": [\"CM-7\"]}, {\"cmmc_v2.0\": [\"CM.L2-3.4.7\", \"CM.L2-3.4.8\", \"SC.L2-3.13.6\"]}, {\"pci_dss_3.2.1\": [\"1.1.6\", \"1.2.1\", \"2.2.2\", \"2.2.5\"]}, {\"pci_dss_4.0\": [\"1.2.5\", \"2.2.4\", \"6.4.1\"]}, {\"soc_2\": [\"CC6.3\", \"CC6.6\"]}, {\"iso_27001-2013\": [\"A.13.1.3\"]}, {\"mitre_techniques\": [\"T1203\", \"T1210\", \"T1543\", \"T1543.002\"]}, {\"mitre_tactics\": [\"TA0008\"]}, {\"mitre_mitigations\": [\"M1042\"]}]'),(28060,'Ensure a web server is not installed.','Web servers provide the ability to host web site content.','Unless there is a need to run the system as a web server, it is recommended that the packages be removed to reduce the potential attack surface. Note: Several http servers exist. They should also be audited, and removed, if not required.','','Run the following command to remove httpd and nginx: # dnf remove httpd nginx.','[{\"cis\": [\"2.2.8\"]},
INSERT INTO `tsca` VALUES (29673,'Ensure sudo log file exists.','sudo can use a custom log file.','A sudo log file simplifies auditing of sudo commands.','WARNING: Editing the sudo configuration incorrectly can cause sudo to stop functioning. Always use visudo to modify sudo configuration files.','Edit the file /etc/sudoers or a file in /etc/sudoers.d/ with visudo or visudo -f <PATH TO FILE> and add the following line: Example: Defaults logfile="/var/log/sudo.log".','[{\"cis\": [\"5.3.3\"]}, {\"cis_csc_v8\": [\"8.5\"]}, {\"cis_csc_v7\": [\"6.3\"]}, {\"cmmc_v2.0\": [\"AU.L2-3.3.1\"]}, {\"pci_dss_3.2.1\": [\"10.1\", \"10.2.2\", \"10.2.4\", \"10.2.5\", \"10.3\"]}, {\"pci_dss_4.0\": [\"9.4.5\", \"10.2\", \"10.2.1\", \"10.2.1.2\", \"10.2.1.5\"]}, {\"nist_sp_800-53\": [\"AU-3(1)\", \"AU-7\"]}, {\"soc_2\": [\"CC5.2\", \"CC7.2\"]}, {\"iso_27001-2013\": [\"A.12.4.1\"]}, {\"mitre_techniques\": [\"T1562\", \"T1562.006\"]}, {\"mitre_tactics\": [\"TA0004\"]}]'),(29674,'Ensure users must provide password for privilege escalation.','The operating system must be configured so that users must provide a password for privilege escalation.','Without (re-)authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user (re-)authenticate.','This will prevent automated processes from being able to elevate privileges.','Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. 
Remove any line with occurrences of NOPASSWD tags in the file.','[{\"cis\": [\"5.3.4\"]}, {\"cis_csc_v8\": [\"5.4\"]}, {\"cis_csc_v7\": [\"4.3\"]}, {\"cmmc_v2.0\": [\"AC.L2-3.1.5\", \"AC.L2-3.1.6\", \"AC.L2-3.1.7\", \"SC.L2-3.13.3\"]}, {\"pci_dss_3.2.1\": [\"7.1\", \"7.1.1\", \"7.1.2\", \"7.1.3\"]}, {\"nist_sp_800-53\": [\"AC-6(2)\", \"AC-6(5)\"]}, {\"soc_2\": [\"CC6.1\", \"CC6.3\"]}, {\"iso_27001-2013\": [\"A.9.2.3\"]}]'),(29675,'Ensure re-authentication for privilege escalation is not disabled globally.','The operating system must be configured so that users must re-authenticate for privilege escalation.','Without re-authentication, users may access resources or perform tasks for which they do not have authorization. When operating systems provide the capability to escalate a functional capability, it is critical the user re-authenticate.','','Configure the operating system to require users to reauthenticate for privilege escalation. Based on the outcome of the audit procedure, use visudo -f <PATH TO FILE> to edit the relevant sudoers file. Remove any occurrences of !authenticate tags in the file(s).','[{\"cis\": [\"5.3.5\"]}, {\"cis_csc_v8\": [\"5.4\"]}, {\"cis_csc_v7\": [\"4.3\"]}, {\"cmmc_v2.0\": [\"AC.L2-3.
-- Register the "security" inventory module (id 41 for id_os 1) that backs the
-- hardening / security-compliance plugin. An explicit column list is used so
-- the row survives future column additions to `tmodule_inventory`.
-- `interpreter` and `code` are deliberately written empty and `block_mode` is 0.
-- NOTE(review): `script_mode` = 2 and `data_format` = 'ID;STATUS' are copied
-- as-is from the original row; their meaning is defined by the consumers of
-- tmodule_inventory (not visible here) — confirm before changing either value.
-- The fixed primary key 41 means a second run of this migration will fail on a
-- duplicate key rather than silently overwrite an existing module definition.
INSERT INTO `tmodule_inventory`
    (`id_module_inventory`, `id_os`, `name`, `description`,
     `interpreter`, `data_format`, `code`, `block_mode`, `script_mode`)
VALUES
    (41, 1, 'security', 'Hardening plugin for security compliance analysis',
     '', 'ID;STATUS', '', 0, 2);
-- End of the migration: make everything since START TRANSACTION durable.
-- NOTE(review): on MySQL/MariaDB (InnoDB, backtick-quoted identifiers as used
-- in this file) DDL such as CREATE TABLE / ALTER TABLE commits implicitly, so
-- this COMMIT effectively only guards the DML (the INSERT rows) — confirm the
-- rollback expectations for a partially failed run before relying on it.
COMMIT WORK;