vjeffrey/remediation2.yaml Secret

## remediation2.yaml
---
provider: CIS
benchmark: CentOS Linux 7
provider_version: v.2.2.0
controls:
- id: CIS_CentOS_Linux_7_1_1_1_1
  enabled: false
- id: CIS_CentOS_Linux_7_1_1_1_2
  enabled: true
- id: CIS_CentOS_Linux_7_1_1_1_3
  enabled: true
  overlay_command:
  - local: echo "hello, this is an overlay command"
- id: CIS_CentOS_Linux_7_1_1_1_4
  enabled: true
  waiver:
    identifier: ticket_12345
    start_date_utc: "--- 2019-10-17 08:25:57.571436000 Z"
    expiration_date_utc: "--- 2029-10-14 08:25:57.571522000 Z"
    justification: This is a temp waiver for ticket_12345
results:
  CIS_CentOS_Linux_7_1_1_1_1:
    commands:
    - local: bash /hab/pkgs/effortless-premium/CIS_CentOS_Linux_7_v_2_2_0_remediation/2.2.0/20200219131600/src/scripts
/CIS_CentOS_Linux_7_1_1_1_1.sh
      order: 1 / 1
      exit_status: ''
      stdout: ''
      stderr: ''
      executed: false
      script_contents: |-
        #!/bin/bash
        modprobe -n -v cramfs | grep -q "^install /bin/true\s" || echo "install cramfs /bin/true" >> /etc/modprobe.d/C
IS.conf
        lsmod | egrep -q "^cramfs\s" && rmmod cramfs || echo 'cramfs module is not loaded'
    state: DISABLED
    provider_id: 1.1.1.1
    title: Ensure mounting of cramfs filesystems is disabled (Scored)
    description: "\n    \"1.1.1.1 Ensure mounting of cramfs filesystems is disabled
      (Scored)\\nProfile Applicability:\\n Level 1 - Server\\n Level 1 - Workstation
      Description:\\nThe cramfs filesystem type is a compressed read-only Linux filesystem
      embedded in small footprint systems. A cramfs image can be used without having
      to first decompress the image.\\nRationale:\\nRemoving support for unneeded
      filesystem types reduces the local attack surface of the server. If this filesystem
      type is not needed, disable it.\\nAudit:\\nRun the following commands and verify
      the output is as indicated:\\n      # modprobe -n -v cramfs\\ninstall /bin/true\\n\\n
      \  # lsmod | grep cramfs\\n<No output>\\n     Remediation:\\nEdit or create
      the file /etc/modprobe.d/CIS.conf and add the following line: install cramfs
      /bin/true\\nRun the following command to unload the cramfs module: # rmmod cramfs\\nCIS
      Controls:\\n13 Data Protection Data Protection\\n\\n\"\n    "
    scored: true
    level: 1
    overlay: false
  CIS_CentOS_Linux_7_1_1_1_2:
    commands:
    - local: bash /hab/pkgs/effortless-premium/CIS_CentOS_Linux_7_v_2_2_0_remediation/2.2.0/20200219131600/src/scripts
/CIS_CentOS_Linux_7_1_1_1_2.sh
      order: 1 / 1
      exit_status: 0
      stdout: 'freevxfs module is not loaded

'
      stderr: "modprobe: unrecognized option: n\nBusyBox v1.29.2 (2019-01-15 01:45:56
        UTC) multi-call binary.\n\nUsage: modprobe [-rq] MODULE [SYMBOL=VALUE]...\n\n\t-r\tRemove
        MODULE\n\t-q\tQuiet\n"
      executed: true
      script_contents: |-
        #!/bin/bash
        modprobe -n -v freevxfs | grep -q "^install /bin/true\s" || echo "install freevxfs /bin/true" >> /etc/modprobe
.d/CIS.conf
        lsmod | egrep -q "^freevxfs\s" && rmmod freevxfs || echo 'freevxfs module is not loaded'
    state: SUCCESS
    provider_id: 1.1.1.2
    title: Ensure mounting of freevxfs filesystems is disabled (Scored)
    description: "\n    \"1.1.1.2 Ensure mounting of freevxfs filesystems is disabled
      (Scored)\\nProfile Applicability:\\n Level 1 - Server\\n Level 1 - Workstation\\nDescription:\\nThe
      freevxfs filesystem type is a free version of the Veritas type filesystem. This
      is the primary filesystem type for HP-UX operating systems.\\nRationale:\\nRemoving
      support for unneeded filesystem types reduces the local attack surface of the
      system. If this filesystem type is not needed, disable it.\\nAudit:\\nRun the
      following commands and verify the output is as indicated:\\nRemediation:\\nEdit
      or create the file /etc/modprobe.d/CIS.conf and add the following line: install
      freevxfs /bin/true\\nRun the following command to unload the freevxfs module:
      # rmmod freevxfs\\nCIS Controls:\\n13 Data Protection Data Protection\\n      #
      modprobe -n -v freevxfs\\ninstall /bin/true\\n# lsmod | grep freevxfs\\n<No
      output>\\n\\n\"\n    "
    scored: true
    level: 1
    overlay: false
  CIS_CentOS_Linux_7_1_1_1_3:
    commands:
    - local: bash /hab/pkgs/effortless-premium/CIS_CentOS_Linux_7_v_2_2_0_remediation/2.2.0/20200219131600/src/scripts
/CIS_CentOS_Linux_7_1_1_1_3.sh
      order: 1 / 1
      exit_status: 0
      stdout: 'jffs2 module is not loaded

'
      stderr: "modprobe: unrecognized option: n\nBusyBox v1.29.2 (2019-01-15 01:45:56
        UTC) multi-call binary.\n\nUsage: modprobe [-rq] MODULE [SYMBOL=VALUE]...\n\n\t-r\tRemove
        MODULE\n\t-q\tQuiet\n"
      executed: true
      script_contents: |-
        #!/bin/bash
        modprobe -n -v jffs2 | grep -q "^install /bin/true\s" || echo "install jffs2 /bin/true" >> /etc/modprobe.d/CIS
.conf
        lsmod | egrep -q "^jffs2\s" && rmmod jffs2 || echo 'jffs2 module is not loaded'
    state: SUCCESS
    provider_id: 1.1.1.3
    title: Ensure mounting of jffs2 filesystems is disabled (Scored)
    description: "\n    \"1.1.1.3 Ensure mounting of jffs2 filesystems is disabled
      (Scored)\\nProfile Applicability:\\n Level 1 - Server\\n Level 1 - Workstation\\nDescription:\\nThe
      jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem
      used in flash memory devices.\\nRationale:\\nRemoving support for unneeded filesystem
      types reduces the local attack surface of the system. If this filesystem type
      is not needed, disable it.\\nAudit:\\nRun the following commands and verify
      the output is as indicated:\\nRemediation:\\nEdit or create the file /etc/modprobe.d/CIS.conf
      and add the following line: install jffs2 /bin/true\\nRun the following command
      to unload the jffs2 module: # rmmod jffs2\\nCIS Controls:\\n13 Data Protection
      Data Protection\\n      # modprobe -n -v jffs2\\ninstall /bin/true\\n# lsmod
      | grep jffs2\\n<No output>\\n\\n\"\n    "
    scored: true
    level: 1
    overlay: false
  CIS_CentOS_Linux_7_1_1_1_4:
    commands:
    - local: bash /hab/pkgs/effortless-premium/CIS_CentOS_Linux_7_v_2_2_0_remediation/2.2.0/20200219131600/src/scripts
/CIS_CentOS_Linux_7_1_1_1_4.sh
      order: 1 / 1
      exit_status: ''
      stdout: ''
      stderr: ''
      executed: false
      script_contents: |-
        #!/bin/bash
        modprobe -n -v hfs | grep -q "^install /bin/true\s" || echo "install hfs /bin/true" >> /etc/modprobe.d/CIS.con
f
        lsmod | egrep -q "^hfs\s" && rmmod hfs || echo 'hfs module is not loaded'
    state: WAIVED
    provider_id: 1.1.1.4
    title: Ensure mounting of hfs filesystems is disabled (Scored)
    description: "\n    \"1.1.1.4 Ensure mounting of hfs filesystems is disabled (Scored)\\nProfile
      Applicability:\\n Level 1 - Server\\n Level 1 - Workstation\\nDescription:\\nThe
      hfs filesystem type is a hierarchical filesystem that allows you to mount Mac
      OS filesystems.\\nRationale:\\nRemoving support for unneeded filesystem types
      reduces the local attack surface of the system. If this filesystem type is not
      needed, disable it.\\nAudit:\\nRun the following commands and verify the output
      is as indicated:\\nRemediation:\\nEdit or create the file /etc/modprobe.d/CIS.conf
      and add the following line: install hfs /bin/true\\nRun the following command
      to unload the hfs module: # rmmod hfs\\nCIS Controls:\\n13 Data Protection Data
      Protection\\n      # modprobe -n -v hfs\\ninstall /bin/true\\n# lsmod | grep
      hfs\\n<No output>\\n\\n\"\n    "
    scored: true
    level: 1
    overlay: false
exceptions: {}
summary:
  DISABLED: 1
  SUCCESS: 2
  WAIVED: 1
	---
	provider: CIS
	benchmark: CentOS Linux 7
	provider_version: v.2.2.0
	controls:
	- id: CIS_CentOS_Linux_7_1_1_1_1
	enabled: false
	- id: CIS_CentOS_Linux_7_1_1_1_2
	enabled: true
	- id: CIS_CentOS_Linux_7_1_1_1_3
	enabled: true
	overlay_command:
	- local: echo "hello, this is an overlay command"
	- id: CIS_CentOS_Linux_7_1_1_1_4
	enabled: true
	waiver:
	identifier: ticket_12345
	start_date_utc: "--- 2019-10-17 08:25:57.571436000 Z"
	expiration_date_utc: "--- 2029-10-14 08:25:57.571522000 Z"
	justification: This is a temp waiver for ticket_12345
	results:
	CIS_CentOS_Linux_7_1_1_1_1:
	commands:
	- local: bash /hab/pkgs/effortless-premium/CIS_CentOS_Linux_7_v_2_2_0_remediation/2.2.0/20200219131600/src/scripts
	/CIS_CentOS_Linux_7_1_1_1_1.sh
	order: 1 / 1
	exit_status: ''
	stdout: ''
	stderr: ''
	executed: false
	script_contents: \|-
	#!/bin/bash
	modprobe -n -v cramfs \| grep -q "^install /bin/true\s" \|\| echo "install cramfs /bin/true" >> /etc/modprobe.d/C
	IS.conf
	lsmod \| egrep -q "^cramfs\s" && rmmod cramfs \|\| echo 'cramfs module is not loaded'
	state: DISABLED
	provider_id: 1.1.1.1
	title: Ensure mounting of cramfs filesystems is disabled (Scored)
	description: "\n \"1.1.1.1 Ensure mounting of cramfs filesystems is disabled
	(Scored)\\nProfile Applicability:\\n Level 1 - Server\\n Level 1 - Workstation
	Description:\\nThe cramfs filesystem type is a compressed read-only Linux filesystem
	embedded in small footprint systems. A cramfs image can be used without having
	to first decompress the image.\\nRationale:\\nRemoving support for unneeded
	filesystem types reduces the local attack surface of the server. If this filesystem
	type is not needed, disable it.\\nAudit:\\nRun the following commands and verify
	the output is as indicated:\\n # modprobe -n -v cramfs\\ninstall /bin/true\\n\\n
	\ # lsmod \| grep cramfs\\n<No output>\\n Remediation:\\nEdit or create
	the file /etc/modprobe.d/CIS.conf and add the following line: install cramfs
	/bin/true\\nRun the following command to unload the cramfs module: # rmmod cramfs\\nCIS
	Controls:\\n13 Data Protection Data Protection\\n\\n\"\n "
	scored: true
	level: 1
	overlay: false
	CIS_CentOS_Linux_7_1_1_1_2:
	commands:
	- local: bash /hab/pkgs/effortless-premium/CIS_CentOS_Linux_7_v_2_2_0_remediation/2.2.0/20200219131600/src/scripts
	/CIS_CentOS_Linux_7_1_1_1_2.sh
	order: 1 / 1
	exit_status: 0
	stdout: 'freevxfs module is not loaded

	'
	stderr: "modprobe: unrecognized option: n\nBusyBox v1.29.2 (2019-01-15 01:45:56
	UTC) multi-call binary.\n\nUsage: modprobe [-rq] MODULE [SYMBOL=VALUE]...\n\n\t-r\tRemove
	MODULE\n\t-q\tQuiet\n"
	executed: true
	script_contents: \|-
	#!/bin/bash
	modprobe -n -v freevxfs \| grep -q "^install /bin/true\s" \|\| echo "install freevxfs /bin/true" >> /etc/modprobe
	.d/CIS.conf
	lsmod \| egrep -q "^freevxfs\s" && rmmod freevxfs \|\| echo 'freevxfs module is not loaded'
	state: SUCCESS
	provider_id: 1.1.1.2
	title: Ensure mounting of freevxfs filesystems is disabled (Scored)
	description: "\n \"1.1.1.2 Ensure mounting of freevxfs filesystems is disabled
	(Scored)\\nProfile Applicability:\\n Level 1 - Server\\n Level 1 - Workstation\\nDescription:\\nThe
	freevxfs filesystem type is a free version of the Veritas type filesystem. This
	is the primary filesystem type for HP-UX operating systems.\\nRationale:\\nRemoving
	support for unneeded filesystem types reduces the local attack surface of the
	system. If this filesystem type is not needed, disable it.\\nAudit:\\nRun the
	following commands and verify the output is as indicated:\\nRemediation:\\nEdit
	or create the file /etc/modprobe.d/CIS.conf and add the following line: install
	freevxfs /bin/true\\nRun the following command to unload the freevxfs module:
	# rmmod freevxfs\\nCIS Controls:\\n13 Data Protection Data Protection\\n #
	modprobe -n -v freevxfs\\ninstall /bin/true\\n# lsmod \| grep freevxfs\\n<No
	output>\\n\\n\"\n "
	scored: true
	level: 1
	overlay: false
	CIS_CentOS_Linux_7_1_1_1_3:
	commands:
	- local: bash /hab/pkgs/effortless-premium/CIS_CentOS_Linux_7_v_2_2_0_remediation/2.2.0/20200219131600/src/scripts
	/CIS_CentOS_Linux_7_1_1_1_3.sh
	order: 1 / 1
	exit_status: 0
	stdout: 'jffs2 module is not loaded

	'
	stderr: "modprobe: unrecognized option: n\nBusyBox v1.29.2 (2019-01-15 01:45:56
	UTC) multi-call binary.\n\nUsage: modprobe [-rq] MODULE [SYMBOL=VALUE]...\n\n\t-r\tRemove
	MODULE\n\t-q\tQuiet\n"
	executed: true
	script_contents: \|-
	#!/bin/bash
	modprobe -n -v jffs2 \| grep -q "^install /bin/true\s" \|\| echo "install jffs2 /bin/true" >> /etc/modprobe.d/CIS
	.conf
	lsmod \| egrep -q "^jffs2\s" && rmmod jffs2 \|\| echo 'jffs2 module is not loaded'
	state: SUCCESS
	provider_id: 1.1.1.3
	title: Ensure mounting of jffs2 filesystems is disabled (Scored)
	description: "\n \"1.1.1.3 Ensure mounting of jffs2 filesystems is disabled
	(Scored)\\nProfile Applicability:\\n Level 1 - Server\\n Level 1 - Workstation\\nDescription:\\nThe
	jffs2 (journaling flash filesystem 2) filesystem type is a log-structured filesystem
	used in flash memory devices.\\nRationale:\\nRemoving support for unneeded filesystem
	types reduces the local attack surface of the system. If this filesystem type
	is not needed, disable it.\\nAudit:\\nRun the following commands and verify
	the output is as indicated:\\nRemediation:\\nEdit or create the file /etc/modprobe.d/CIS.conf
	and add the following line: install jffs2 /bin/true\\nRun the following command
	to unload the jffs2 module: # rmmod jffs2\\nCIS Controls:\\n13 Data Protection
	Data Protection\\n # modprobe -n -v jffs2\\ninstall /bin/true\\n# lsmod
	\| grep jffs2\\n<No output>\\n\\n\"\n "
	scored: true
	level: 1
	overlay: false
	CIS_CentOS_Linux_7_1_1_1_4:
	commands:
	- local: bash /hab/pkgs/effortless-premium/CIS_CentOS_Linux_7_v_2_2_0_remediation/2.2.0/20200219131600/src/scripts
	/CIS_CentOS_Linux_7_1_1_1_4.sh
	order: 1 / 1
	exit_status: ''
	stdout: ''
	stderr: ''
	executed: false
	script_contents: \|-
	#!/bin/bash
	modprobe -n -v hfs \| grep -q "^install /bin/true\s" \|\| echo "install hfs /bin/true" >> /etc/modprobe.d/CIS.con
	f
	lsmod \| egrep -q "^hfs\s" && rmmod hfs \|\| echo 'hfs module is not loaded'
	state: WAIVED
	provider_id: 1.1.1.4
	title: Ensure mounting of hfs filesystems is disabled (Scored)
	description: "\n \"1.1.1.4 Ensure mounting of hfs filesystems is disabled (Scored)\\nProfile
	Applicability:\\n Level 1 - Server\\n Level 1 - Workstation\\nDescription:\\nThe
	hfs filesystem type is a hierarchical filesystem that allows you to mount Mac
	OS filesystems.\\nRationale:\\nRemoving support for unneeded filesystem types
	reduces the local attack surface of the system. If this filesystem type is not
	needed, disable it.\\nAudit:\\nRun the following commands and verify the output
	is as indicated:\\nRemediation:\\nEdit or create the file /etc/modprobe.d/CIS.conf
	and add the following line: install hfs /bin/true\\nRun the following command
	to unload the hfs module: # rmmod hfs\\nCIS Controls:\\n13 Data Protection Data
	Protection\\n # modprobe -n -v hfs\\ninstall /bin/true\\n# lsmod \| grep
	hfs\\n<No output>\\n\\n\"\n "
	scored: true
	level: 1
	overlay: false
	exceptions: {}
	summary:
	DISABLED: 1
	SUCCESS: 2
	WAIVED: 1